OPNsense Forum

English Forums => Virtual private networks => Topic started by: llamprec on September 09, 2022, 09:03:31 pm

Title: OpnSense .ovpn export fails to import into Ubuntu 22.04 OpenVPN
Post by: llamprec on September 09, 2022, 09:03:31 pm
I have exported my archived file from the VPN portal, but when I try to Add a VPN by importing the .ovpn file into the config I get the following error
Cannot import VPN connection
The file "office.ovpn" could not be read or does not contain recognised VPN connection information

Error: the plugin does not support import capability

When I try to import the .ovpn file on the command line, I get the following error.

nmcli connection import type openvpn file office.ovpn
Error: failed to import 'office.ovpn': The file to import wasn't a valid OpenVPN configuration (--ca cannot be PKCS#12 format).

Any help would be appreciated.
Lawrence
Title: Re: OpnSense .ovpn export fails to import into Ubuntu 22.04 OpenVPN
Post by: bartjsmit on September 10, 2022, 10:43:46 am
Make sure that your ovpn file has the <ca></ca> <cert></cert> <key></key> stanzas and that the blocks are PEM encoded. You can't use PKCS#12 or pfx files in OpenVPN configs.

Open office.ovpn in a text editor and confirm it looks like this:

<header lines like dev cipher remote etc>
<cert>
</cert>
<ca>
</ca>
<key>
</key>

Paste the contents of the relevant text files between the tags - e.g. for the cert and ca blocks something like:
-----BEGIN CERTIFICATE-----
MII................
................
.............
-----END CERTIFICATE-----

Bart...
Title: Re: OpnSense .ovpn export fails to import into Ubuntu 22.04 OpenVPN
Post by: llamprec on September 12, 2022, 11:42:18 am
Bart,

Thanks for the response but the issue that I am facing is as follows. Within the Opnsense portal I have added a user under the VPN config. If I look at the username, on the right hand side there is a link for me to download the ovpn file to use for this user.

If I click to download the archived file, the archive contains 3 files.
office.key
office.p12
office.ovpn

I do not have the option to view the ca file.

I have tried to extract a .pem file but cannot seem to find what the error I get means.

How can it be so complicated to use the .ovpn file that is downloaded from the portal.

Any advice would be much appreciated.

Thanks
Lawrence
Title: Re: OpnSense .ovpn export fails to import into Ubuntu 22.04 OpenVPN
Post by: bartjsmit on September 12, 2022, 01:57:55 pm
Hi Lawrence, not sure how you are left with just the p12 stuff but I can help you recover from it  ;)

Open a shell prompt in OPNsense or another unix box with OpenSSL installed, copy the office.p12 file to it and run:

openssl pkcs12 -in office.p12 -out cert.pem -clcerts -nokeys
openssl pkcs12 -in office.p12 -out key.pem -nocerts -nodes

This gives you everything but the CA certificate file. The CA file is static and you can download the PEM in the OPNsense web GUI with System, Trust, Authorities. Click the 'export CA cert' icon to the right of the CA certificate line.

Copy the contents of the PEM files with the directives from office.ovpn as I indicated earlier.

Good luck!

Bart...
Title: Re: OpnSense .ovpn export fails to import into Ubuntu 22.04 OpenVPN
Post by: llamprec on September 13, 2022, 07:07:39 pm
Bart

Thanks for your input. It seems that the certificates were generated with/without a password. The guy that created the config cannot remember, so when I try what you suggested I get a VERIFY FAILED error. It seems that the file is password encoded and he cannot remember what it was. So I feel we will have to create new files.

Thanks anyhow.

Lawrence
Title: Re: OpnSense .ovpn export fails to import into Ubuntu 22.04 OpenVPN
Post by: llamprec on September 28, 2022, 05:16:13 pm
Bart,

I have managed to import the office.ovpn file into windows, but no matter what I try I cannot get it imported into Linux.
I just downloaded a new zip file and tried the following.

openssl pkcs12 -in tech_staff_lawrence.p12 -out cert.pem -clcerts -nokeys

ERROR:
openssl pkcs12 -in tech_staff_lawrence.p12 -out cert.pem -clcerts -nokeys
Enter Import Password:
Error outputting keys and certificates
401795A0507F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

Doing some reading, I get no clear answers. I understand it could be related to nodejs, but when I try to resolve it, nothing seems to work.

Any ideas?

Lawrence
Title: Re: OpnSense .ovpn export fails to import into Ubuntu 22.04 OpenVPN
Post by: bartjsmit on September 28, 2022, 07:24:41 pm
Can you copy the office.ovpn to linux and run it in the foreground?

openvpn office.ovpn

That will show any errors in the console.

Bart...
Title: Re: OpnSense .ovpn export fails to import into Ubuntu 22.04 OpenVPN
Post by: llamprec on September 29, 2022, 11:26:42 pm
Bart,

I took the office.ovpn file and imported that into openvpn on a windows machine and that worked without a hassle.

After speaking to my colleague, he asked me if I have looked at the certificates on the opnsense server. So I did this but it causes me a little more confusion. I am new to the company and am trying to get the VPN working so that I have remote access for support reasons.

Let me explain. Not really sure how much I can say here without sharing too much secure information.
I will change the username and details for security reasons but the logic is the same.

I have a user called lsl, then looking under System / Trust / Certificates, I do see a listing with certificates for the user lsl. Under the username, I see the following. "CA: No, Server: No"
Does this mean that there is No CA certificate linked to this user?

Looking on the right hand side of the page I see the following 4 download links.
1. Certificate Information
2. Export User Certificate
3. Export User key (I guess this is the private key)
4. Export ca+user cert+user key in p12 format

Looking at the info, I see the following that concerns me.
CN = internal-ca
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE

The user lsl has been added to a group tech_staff. The VPN is set up with the group tech_staff.
Each time I try anything I am told that the ca certificate is missing. I also understand that this is a self signed ca certificate.

If I look at VPN / OpenVPN / Client Export

I see the user lsl listed within the config, then at the right hand side I have the option to save the tech_staff.p12 certificate zipped up.

If I open the archive, I see 3 files.
tech_staff_lsl.ovpn
tech_staff_lsl.p12
tech_staff_lsl-tls.key

If I look at the .ovpn file, it does not have any of the tags you mentioned before. What it does have, which does not work with openvpn, is two lines related to auth.
### .ovpn file contents. # # #
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx 1194 udp
lport 0
verify-x509-name "C=NL, ST=GLD, L=Ede, O=ENEM BV, emailAddress=test@test.test, CN=vpnserver" subject
remote-cert-tls server
auth-user-pass
pkcs12 tech_staff_lsl.p12
tls-auth tech_staff_lsl-tls.key 1

If I try what you suggested "openvpn tech_staff_lsl.ovpn"

I get the below error.
2022-09-29 23:17:15 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2022-09-29 23:17:15 WARNING: file 'tech_staff_lsl.p12' is group or others accessible
2022-09-29 23:17:15 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-09-29 23:17:15 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10

How do I get around this issue? Why is there no ca certificate delivered from the VPN config?

Thanks
Lawrence
Title: Re: OpnSense .ovpn export fails to import into Ubuntu 22.04 OpenVPN
Post by: cookiemonster on September 30, 2022, 12:40:44 am
Are you trying to use network manager, or all by cli? I imagine yes because of the first error "plugin..".
The problem is that the ovpn network manager plugin doesn't support importing pkcs#12 files,  which the export from OPN does.
So you end up not using that file and let the plugin create it by providing what it needs: a ca.crt, a user.crt and a user.key. The tricky part is to match the cypher and hmac auth settings. It might take a few tries.
Can you confirm?
Title: Re: OpnSense .ovpn export fails to import into Ubuntu 22.04 OpenVPN
Post by: llamprec on September 30, 2022, 01:07:28 am
I have tried both using the GUI network manager to import the .ovpn file and using the command line. Neither works.

I do not understand what you mean the export from OPN does work.

What I find confusing is if I run the following command

keytool -list -v -keystore tech_staff_lsl.p12

I see the following.

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: 30 Sept 2022
Entry type: PrivateKeyEntry
Certificate chain length: 0


*******************************************
*******************************************

Why does it say that the Certificate chain length = 0?

Also, I saw the message that the key has not been verified, something to do with the password.
If I try a different password which is the incorrect password I get the following error.

Enter keystore password: 
keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
   at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2158)
   at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226)
   at java.base/java.security.KeyStore.load(KeyStore.java:1503)
   at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1101)
   at java.base/sun.security.tools.keytool.Main.run(Main.java:416)
   at java.base/sun.security.tools.keytool.Main.main(Main.java:409)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is u

So the password I am using is correct. Why is it saying that it is not verified?

Lawrence
Title: Re: OpnSense .ovpn export fails to import into Ubuntu 22.04 OpenVPN
Post by: bartjsmit on September 30, 2022, 08:22:57 am
Hi Lawrence,

You don't need to store your private key in a keystore - it is part of the ovpn file in the <key> </key> stanza. You don't need to (re)import the config file, just copy it from a working machine - it is self-contained.

The errors you're seeing are caused by the store not having a trust path to a known CA. You'd need to import the OPNsense CA cert into your OS CA store. But as mentioned, you don't need to use the OS PKI since OpenVPN can override it.

On any unix implementation of the OpenVPN client, you can run it with the ovpn file as an argument and it will give you foreground diagnostics.

Do those steps give you a connection?

Bart...
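Pulling the thread together (Bart's openssl extraction, the RC2-40-CBC "unsupported" error under OpenSSL 3, and cookiemonster's point that the NetworkManager plugin wants a separate ca/cert/key rather than the .p12), here is an added example script, not from the thread or from OPNsense, that builds the self-contained .ovpn Bart describes from the exported archive. It assumes OpenSSL 3.x with its `-legacy` option for `openssl pkcs12`, and the CA exported from System > Trust > Authorities saved as ca.pem (file name assumed).

```shell
#!/bin/sh
# Added example (not from the thread or OPNsense): turn the client export
# (tech_staff_lsl.ovpn, .p12, -tls.key) into one self-contained .ovpn with
# inline <ca>/<cert>/<key>/<tls-auth> blocks, which NetworkManager's openvpn
# plugin and `openvpn <file>` both accept. Assumes OpenSSL 3.x and the CA from
# System > Trust > Authorities saved as ca.pem (hypothetical name).

# Extract user cert and key from the PKCS#12 bundle. OpenSSL 3 rejects bundles
# wrapped with RC2-40-CBC (the "unsupported" error above) unless the legacy
# provider is loaded, so retry with -legacy. $1 = bundle, $2 = private dir.
extract_p12() {
    printf 'Import password for %s: ' "$1" >&2
    stty -echo 2>/dev/null; read -r P12_PASS; stty echo 2>/dev/null; echo >&2
    export P12_PASS; rc=1
    for legacy in "" "-legacy"; do
        if openssl pkcs12 -in "$1" -passin env:P12_PASS -out "$2/cert.pem" -clcerts -nokeys $legacy 2>/dev/null &&
           openssl pkcs12 -in "$1" -passin env:P12_PASS -out "$2/key.pem" -nocerts -nodes $legacy 2>/dev/null; then
            chmod 600 "$2/key.pem"; rc=0; break
        fi
    done
    unset P12_PASS; return $rc
}

# Rewrite the .ovpn: `pkcs12 <file>` becomes inline <ca>, <cert>, <key> blocks;
# `tls-auth <file> <dir>` becomes an inline <tls-auth> block plus
# `key-direction <dir>`; every other directive is kept as-is.
# $1 = exported .ovpn, $2 = ca.pem, $3 = cert.pem, $4 = key.pem, $5 = tls key
inline_ovpn() {
    awk -v ca="$2" -v cert="$3" -v key="$4" -v tls="$5" '
        function emit(tag, file,   line) {
            print "<" tag ">"
            while ((getline line < file) > 0) print line
            close(file); print "</" tag ">"
        }
        $1 == "pkcs12"   { emit("ca", ca); emit("cert", cert); emit("key", key); next }
        $1 == "tls-auth" { if ($3 != "") print "key-direction " $3; emit("tls-auth", tls); next }
        { print }
    ' "$1"
}

# Usage: sh inline_ovpn.sh tech_staff_lsl.ovpn tech_staff_lsl.p12 tech_staff_lsl-tls.key ca.pem > lsl-inline.ovpn
if [ "$#" -eq 4 ]; then
    work=$(mktemp -d) && chmod 700 "$work"
    extract_p12 "$2" "$work" || { echo "cannot open $2: wrong password or unsupported PKCS#12 cipher" >&2; rm -rf "$work"; exit 1; }
    inline_ovpn "$1" "$4" "$work/cert.pem" "$work/key.pem" "$3"
    rm -rf "$work"
fi
```

Keep the resulting file mode 600, since it now carries the private key; the `pkcs12` line that nmcli rejected in the first post is gone, which is what lets the NetworkManager import succeed.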