Hi,
I'd like my OPNsense to connect to a Server with a Passphrase-protected Key.
Is there a way to specify that Passphrase (to be passed to OpenVPN with the --askpass-Option)?
I didn't find a way to specify it, using OPNsense 16.1.13-i386.
Would be cool if there was a way.
Cheers,
_ralf_
Go VPN: OpenVPN: Client Export
and check Certificate Export Options -> Use a password to protect the pkcs12 file contents or key in Viscosity bundle.
Hi,
thanks for the reply! However, it seems I did not ask correctly :(
There is a "foreign" OpenVPN-Server, not operated by me, that I'd like to connect to from my OPNsense-System. From that "foreign" OpenVPN-Server's operator I got a Client-Certificate whose Key is passphrase-protected.
So, I created a Client in VPN/OpenVPN/Clients. However, I didn't find a way to configure the Passphrase for the Cert. Now, upon starting the VPN Client I get
openvpn[36396]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
in the Log.
On my Desktop-System I'd put that passphrase into a file and use the --askpass Command Line Option to OpenVPN. However, in OPNsense I did not find any option that would resemble that "askpass".
Is there a way to configure that in OPNsense?
MTIA, cheers,
_ralf_
Hi _ralf_,
Can't you remove the password with openssl before adding it to OPNsense?
I guess something like this should do the trick:
openssl rsa -in privateKey.pem -out newPrivateKey.pem
Regards,
Ad
Hi Ad,
according to https://www.openssl.org/docs/manmaster/apps/rsa.html you are right.
Quote from: AdSchellevis on May 14, 2016, 04:32:00 PM
Hi _ralf_,
Can't you remove the password with openssl before adding it to OPNsense?
I guess something like this should do the trick:
openssl rsa -in privateKey.pem -out newPrivateKey.pem
Hi Ad,
wow - I must admit that I did not think of that!
Just removed the Passphrase - worked 1a! Now, I can connect...
Thanks a lot!
Cheers,
_ralf_
Hi Ralf,
You can also add the --askpass primitive to the advanced configuration text box, e.g.:
askpass /path/to/user/certificate_password.txt
We should, however, add a text box for this in order to be able to do this automatically in the future.
https://github.com/opnsense/core/issues/944
Cheers,
Franco
Well, not really. It doesn't matter if you use a key with a password and save the key in plain text on the router or if you just remove the passphrase. But one could add a short how-to on removing a passphrase to the docs. Just my 2 cents..
You're right, the ticket has already been changed to reflect this... show a warning that this will lower security, allow to remove protection via GUI prompt anyway. No need for a doc page then. :)