OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: rfolkerts on May 11, 2016, 08:39:33 pm

Title: [SOLVED] use OpenVPN-Client with Passphrase-protected-Key
Post by: rfolkerts on May 11, 2016, 08:39:33 pm
Hi,

I'd like my OPNsense to connect to a server with a passphrase-protected key.

Is there a way to specify that passphrase (to be passed to OpenVPN with the --askpass option)?
I didn't find a way to specify it, using OPNsense 16.1.13-i386.

Would be cool if there was a way.

Cheers,
_ralf_
Title: Re: use OpenVPN-Client with Passphrase-protected-Key
Post by: Zeitkind on May 12, 2016, 02:41:23 am
Go VPN: OpenVPN: Client Export

and check Certificate Export Options -> Use a password to protect the pkcs12 file contents or key in Viscosity bundle.
Title: Re: use OpenVPN-Client with Passphrase-protected-Key
Post by: rfolkerts on May 13, 2016, 09:24:17 pm
Hi,

thanks for the reply! However, it seems I did not ask correctly :(

There is a "foreign" OpenVPN server, not operated by me, that I'd like to connect to from my OPNsense system. From that "foreign" OpenVPN server's operator I got a client certificate with a passphrase-protected key.

So, I created a client in VPN/OpenVPN/Clients. However, I didn't find a way to configure the passphrase for the cert. Now, upon starting the VPN client I get

openvpn[36396]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.

in the log.

On my desktop system I'd put that passphrase into a file and use the --askpass command line option to OpenVPN. However, in OPNsense I did not find any option that would resemble that "askpass".

Is there a way to configure that in OPNsense?

MTIA, cheers,
_ralf_
Title: Re: use OpenVPN-Client with Passphrase-protected-Key
Post by: AdSchellevis on May 14, 2016, 04:32:00 pm
Hi _ralf_,

Can't you remove the password with openssl before adding it to OPNsense?
I guess something like this should do the trick:

Code:
# prompts for the current passphrase, then writes the same key without one
openssl rsa -in privateKey.pem -out newPrivateKey.pem

Regards,

Ad
Title: Re: use OpenVPN-Client with Passphrase-protected-Key
Post by: fabian on May 14, 2016, 07:32:18 pm
Hi Ad,

according to https://www.openssl.org/docs/manmaster/apps/rsa.html, you are right.
Title: Re: use OpenVPN-Client with Passphrase-protected-Key
Post by: rfolkerts on May 14, 2016, 09:21:36 pm
Quote from: AdSchellevis on May 14, 2016, 04:32:00 pm
    Hi _ralf_,

    Can't you remove the password with openssl before adding it to OPNsense?
    I guess something like this should do the trick:

    Code:
    openssl rsa -in privateKey.pem -out newPrivateKey.pem

Hi Ad,

wow - I must admit that I did not think of that!

Just removed the passphrase - worked 1a! Now I can connect...

Thanks a lot!

Cheers,
_ralf_
Title: Re: use OpenVPN-Client with Passphrase-protected-Key
Post by: franco on May 17, 2016, 10:28:03 am
Hi Ralf,

You can also add the --askpass primitive to the advanced configuration text box, e.g.:

Code:
# OpenVPN reads the passphrase from the first line of this file
askpass /path/to/user/certificate_password.txt
We should, however, add a text box for this in order to be able to do this automatically in the future.

https://github.com/opnsense/core/issues/944


Cheers,
Franco
Title: Re: [SOLVED] use OpenVPN-Client with Passphrase-protected-Key
Post by: Zeitkind on May 18, 2016, 11:06:21 pm
Well, not really. It doesn't matter if you use a key with a password and save the key in plain text on the router or if you just remove the passphrase. But one could add a short how-to on removing a passphrase in the docs. Just my 2 cents.
Title: Re: [SOLVED] use OpenVPN-Client with Passphrase-protected-Key
Post by: franco on May 18, 2016, 11:37:48 pm
You're right, the ticket has already been changed to reflect this... show a warning that this will lower security, allow removing the protection via a GUI prompt anyway. No need for a doc page then. :)
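Added example, not from the thread and not OPNsense's own code: a POSIX shell script that walks through both options discussed above, stripping the passphrase with `openssl rsa` (Ad's suggestion) and keeping it in a file for an `askpass` line in the client's advanced configuration (franco's suggestion), together with the checks a practitioner would want before the key goes on the firewall: that the stripped PEM really carries no passphrase any more, that its modulus matches the original (same key, not a mangled copy), and that both the bare key and the passphrase file end up mode 0600. As Zeitkind points out, either route leaves the secret in plaintext on the router, which is why file permissions are the one thing the script is strict about. The demo key, file names and passphrase are constructed for the example; the passphrase is passed to openssl through an environment variable so it does not appear in the process list.

```shell
#!/bin/sh
# Added example (not from the thread or OPNsense). Demo key, paths and the
# passphrase are constructed; openssl is the only tool required.
set -eu

# make_demo_key OUT PASS: generate an AES-256 encrypted RSA key to stand in
# for the client key the remote operator handed out (constructed test input).
make_demo_key() {
    (umask 077; KEY_PASS="$2" openssl genrsa -aes256 -passout env:KEY_PASS \
        -out "$1" 2048 2>/dev/null)
}

# is_encrypted FILE: succeeds if the PEM still carries a passphrase. Both the
# legacy "Proc-Type: 4,ENCRYPTED" header and the PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY" marker contain the word ENCRYPTED.
is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# key_modulus FILE [PASS]: print the RSA modulus; comparing it before and
# after proves the stripped file is the same key.
key_modulus() {
    if [ -n "${2:-}" ]; then
        KEY_PASS="$2" openssl rsa -in "$1" -passin env:KEY_PASS -noout -modulus
    else
        openssl rsa -in "$1" -noout -modulus
    fi
}

# strip_passphrase IN PASS OUT: option 1 (Ad's suggestion). The passphrase
# travels via an environment variable, not the command line, and the output
# is created under umask 077 so the bare key is never world-readable.
strip_passphrase() {
    (umask 077; KEY_PASS="$2" openssl rsa -in "$1" -passin env:KEY_PASS \
        -out "$3" 2>/dev/null)
}

# write_askpass_file PATH PASS: option 2 (franco's suggestion). OpenVPN reads
# the passphrase from the first line of the file named by `askpass`; the
# function prints the line to paste into the client's advanced configuration.
write_askpass_file() {
    (umask 077; printf '%s\n' "$2" > "$1")
    printf 'askpass %s\n' "$1"
}

# mode_of FILE: permission bits as ls prints them, e.g. -rw-------
mode_of() {
    ls -l "$1" | cut -c1-10
}

main() {
    work=$(mktemp -d)
    pass='correct horse battery staple'   # constructed demo passphrase
    make_demo_key "$work/client.key" "$pass"
    if is_encrypted "$work/client.key"; then
        echo "original key is passphrase-protected"
    fi

    strip_passphrase "$work/client.key" "$pass" "$work/client-plain.key"
    if is_encrypted "$work/client-plain.key"; then
        echo "stripping failed: key still encrypted"; exit 1
    fi
    if [ "$(key_modulus "$work/client.key" "$pass")" = \
         "$(key_modulus "$work/client-plain.key")" ]; then
        echo "modulus unchanged: same key"
    fi
    echo "stripped key mode: $(mode_of "$work/client-plain.key")"

    echo "advanced configuration line for option 2:"
    write_askpass_file "$work/client.pass" "$pass"
    echo "passphrase file mode: $(mode_of "$work/client.pass")"
    rm -rf "$work"
}

main
```

Run it as `sh strip_or_askpass.sh`; on the firewall itself, substitute the key the remote operator gave you for the generated demo key and keep the output of `write_askpass_file` (the `askpass /path` line) for the advanced configuration box if you prefer not to strip the key.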