Messages - llamprec

#1
I have tried both using the GUI network manager to import the .ovpn file and I have tried with the command line. Neither works.

I do not understand what you mean the export from OPN does work.

What I find confusing is if I run the following command

keytool -list -v -keystore tech_staff_lsl.p12

I see the following.

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: 30 Sept 2022
Entry type: PrivateKeyEntry
Certificate chain length: 0


*******************************************
*******************************************

Why does it say that the Certificate chain length = 0?

Also, I saw the message that the key has not been verified, something to do with the password.
If I try a different password, which is the incorrect password, I get the following error.

Enter keystore password: 
keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
   at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2158)
   at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226)
   at java.base/java.security.KeyStore.load(KeyStore.java:1503)
   at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1101)
   at java.base/sun.security.tools.keytool.Main.run(Main.java:416)
   at java.base/sun.security.tools.keytool.Main.main(Main.java:409)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is u

So the password I am using is correct. Why is it saying that it is not verified?

Lawrence
#2
Bart,

I took the office.ovpn file and imported that into openvpn on a windows machine and that worked without a hassle.

After speaking to my colleague, he asked me if I have looked at the certificates on the opnsense server. So I did this, but it causes me a little more confusion. I am new to the company and am trying to get the VPN working so that I have remote access for support reasons.

Let me explain. Not really sure how much I can say here without sharing too much secure information.
I will change the username and details for security reasons but the logic is the same.

I have a user called lsl, then looking under System / Trust / Certificates, I do see a listing with certificates for the user lsl. Under the username, I see the following. "CA: No, Server: No"
Does this mean that there is No CA certificate linked to this user?

Looking on the right-hand side of the page I see the following 4 download links.
1. Certificate Information
2. Export User Certificate
3. Export User key (I guess this is the private key)
4. Export ca+user cert+user key in p12 format

Looking at the info, I see the following that concerns me.
CN = internal-ca
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE

The user lsl has been added to a group tech_staff. The VPN is set up with the group tech_staff.
Each time I try anything I am told that the ca certificate is missing. I also understand that this is a self-signed ca certificate.

If I look at VPN / OpenVPN / Client Export

I see the user lsl listed within the config, then at the right-hand side I have the option to save the tech_staff.p12 certificate zipped up.

If I open the archive, I see 3 files.
tech_staff_lsl.ovpn
tech_staff_lsl.p12
tech_staff_lsl-tls.key

If I look at the .ovpn file, it does not have any of the tags you mentioned before. What it does have, which does not work with openvpn, is two lines related to auth.
### .ovpn file contents. # # #
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx 1194 udp
lport 0
verify-x509-name "C=NL, ST=GLD, L=Ede, O=ENEM BV, emailAddress=test@test.test, CN=vpnserver" subject
remote-cert-tls server
auth-user-pass
pkcs12 tech_staff_lsl.p12
tls-auth tech_staff_lsl-tls.key 1

If I try what you suggested, "openvpn tech_staff_lsl.ovpn",

I get the below error.
2022-09-29 23:17:15 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2022-09-29 23:17:15 WARNING: file 'tech_staff_lsl.p12' is group or others accessible
2022-09-29 23:17:15 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-09-29 23:17:15 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10

How do I get around this issue? Why is there no ca certificate delivered from the VPN config?

Thanks
Lawrence
#3
Bart,

I have managed to import the office.ovpn file into windows, but no matter what I try I cannot get it imported into Linux.
I just downloaded a new zip file and when I try the following.

openssl pkcs12 -in tech_staff_lawrence.p12 -out cert.pem -clcerts -nokeys

ERROR:
openssl pkcs12 -in tech_staff_lawrence.p12 -out cert.pem -clcerts -nokeys
Enter Import Password:
Error outputting keys and certificates
401795A0507F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

Doing some reading, I get no clear answers. I understand it could be related to nodejs, but when I try to resolve it, nothing seems to work.

Any ideas?

Lawrence
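Two of the symptoms in posts #1 and #3 come from the tool rather than the bundle: keytool run without the store password only lists what it can read without decrypting, so the chain can show as 0 even when the certificates are present, and OpenSSL 3.x refuses the RC2-40-CBC encryption that older exporters use unless the legacy provider is enabled. The script below is an added example (not from this thread or from OPNsense) that opens a .p12 with the password, retries with `-legacy` when needed, and reports how many user and CA certificates it actually contains. The CA name, user name, password and the two test bundles it builds are constructed for the self-test; `p12_dump`, `p12_ca_count` and the other function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: inspect an OpenVPN client .p12 bundle
# with the openssl CLI and report whether the CA certificate is inside it.
# The CA, user name and password below are constructed for the self-test.

# p12_dump FILE PASSWORD [openssl pkcs12 options...]
# Prints the selected PEM objects on stdout. Retries with -legacy so that a
# bundle encrypted with RC2-40-CBC still opens on OpenSSL 3.x. Returns 1 when
# the bundle cannot be opened (wrong password, or an algorithm that fails even
# with the legacy provider), printing nothing in that case.
p12_dump() {
    file=$1; pass=$2; shift 2
    if pem=$(openssl pkcs12 -in "$file" -passin "pass:$pass" "$@" 2>/dev/null) ||
       pem=$(openssl pkcs12 -in "$file" -passin "pass:$pass" -legacy "$@" 2>/dev/null); then
        printf '%s\n' "$pem"
        return 0
    fi
    return 1
}

# Number of PEM certificates on stdin; prints 0 (not an error) when none.
count_certs() { grep -c 'BEGIN CERTIFICATE' || true; }

# p12_client_count FILE PASSWORD: end-entity (user) certificates in the bundle.
p12_client_count() {
    pem=$(p12_dump "$1" "$2" -clcerts -nokeys) || return 1
    printf '%s\n' "$pem" | count_certs
}

# p12_ca_count FILE PASSWORD: CA certificates in the bundle. 0 means the
# .ovpn needs the CA from somewhere else (a ca directive or <ca> block).
p12_ca_count() {
    pem=$(p12_dump "$1" "$2" -cacerts -nokeys) || return 1
    printf '%s\n' "$pem" | count_certs
}

# make_test_bundles DIR PASSWORD: constructed test data, a throwaway CA and
# user certificate packed two ways, with and without the CA in the bundle.
make_test_bundles() {
    dir=$1; pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=internal-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=lsl" \
        -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/user.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/user.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/user.crt" -inkey "$dir/user.key" \
        -certfile "$dir/ca.crt" -out "$dir/with_ca.p12" -passout "pass:$pass"
    openssl pkcs12 -export -in "$dir/user.crt" -inkey "$dir/user.key" \
        -out "$dir/no_ca.p12" -passout "pass:$pass"
}

# Usage: sh p12_inspect.sh FILE PASSWORD
if [ "$#" -eq 2 ]; then
    if ! p12_dump "$1" "$2" -nokeys >/dev/null; then
        echo "cannot open $1: wrong password, or an algorithm OpenSSL rejects even with -legacy" >&2
        exit 1
    fi
    echo "user certificates: $(p12_client_count "$1" "$2")"
    echo "CA certificates:   $(p12_ca_count "$1" "$2")"
    p12_dump "$1" "$2" -clcerts -nokeys | openssl x509 -noout -subject -issuer
fi
```

If the CA count comes back as 0 for a real export, the "ca certificate is missing" complaint is explained: the bundle only carries the user certificate and key, and the CA has to be supplied separately.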
#4
Bart

Thanks for your input. It seems that the certificates were generated with/without a password; the guy that created the config cannot remember. So when I try what you suggested I get a VERIFY FAILED error. It seems that the file is password encoded and he cannot remember what it was, so I feel we will have to create new files.

Thanks anyhow.

Lawrence
#5
Bart,

Thanks for the response, but the issue that I am facing is as follows. Within the Opnsense portal I have added a user under the VPN config. If I look at the username, on the right-hand side there is a link for me to download the ovpn file to use for this user.

If I click to download the archived file, it contains 3 files.
office.key
office.p12
office.ovpn

I do not have the option to view the ca file.

I have tried to extract a .pem file but cannot seem to find what the error I get means.

How can it be so complicated to use the .ovpn file that is downloaded from the portal?

Any advice would be much appreciated.

Thanks
Lawrence
#6
I have exported my archived file from the VPN portal, but when I try to Add a VPN by importing the .ovpn file into the config I get the following error:
Cannot import VPN connection
The file "office.ovpn" could not be read or does not contain recognised VPN connection information

Error: the plugin does not support import capability

When I try to import the .ovpn file on the command line, I get the following error.

nmcli connection import type openvpn file office.ovpn
Error: failed to import 'office.ovpn': The file to import wasn't a valid OpenVPN configuration (--ca cannot be PKCS#12 format).

Any help would be appreciated.
Lawrence
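The nmcli message above says exactly what the importer dislikes: the `pkcs12` line. The usual way around it is to take the CA, user certificate and user key out of the .p12 (with `openssl pkcs12 -cacerts`, `-clcerts` and `-nocerts`) and put them into the .ovpn as OpenVPN's inline `<ca>`, `<cert>` and `<key>` blocks, the tags mentioned earlier in the thread. The script below is an added example (not from this thread, OPNsense or NetworkManager) that does that rewrite; it assumes the three PEM files already exist, keeps every other line (including the `tls-auth` file reference) untouched, and locks the result down to owner-only permissions because it now holds the private key. The config it feeds itself is the one quoted in post #2 with placeholder PEM contents standing in for the real extracted material; `ovpn_inline_pkcs12` and `make_sample` are this example's own names.

```shell
#!/bin/sh
# Added example, not from the thread: rewrite an OPNsense client export so it
# no longer references a .p12 file. NetworkManager's importer rejects the
# pkcs12 directive ("--ca cannot be PKCS#12 format"), so the CA, user
# certificate and user key are embedded as OpenVPN inline blocks instead.
# Assumes the three PEM files were already pulled out of the .p12, e.g. with
# openssl pkcs12 -cacerts / -clcerts / -nocerts.

# ovpn_inline_pkcs12 IN OUT CA_PEM CERT_PEM KEY_PEM
# Copies IN to OUT, replacing the single "pkcs12 <file>" line with <ca>,
# <cert> and <key> blocks. Returns 1 and leaves no OUT behind when IN has no
# pkcs12 line, so a config that was already converted is not mangled.
ovpn_inline_pkcs12() {
    in=$1; out=$2; ca=$3; cert=$4; key=$5
    for f in "$in" "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    awk -v ca="$ca" -v cert="$cert" -v key="$key" '
        function emit(tag, path,   line) {
            print "<" tag ">"
            while ((getline line < path) > 0) print line
            close(path)
            print "</" tag ">"
        }
        /^pkcs12[ \t]/ { emit("ca", ca); emit("cert", cert); emit("key", key); found = 1; next }
        { print }
        END { exit found ? 0 : 1 }
    ' "$in" > "$out" || { rm -f "$out"; return 1; }
    # The output now carries the private key: owner-only, which also silences
    # OpenVPN's "is group or others accessible" warning for the key material.
    chmod 600 "$out"
}

# make_sample DIR: constructed input, the .ovpn quoted in post #2 plus
# placeholder PEM files standing in for what openssl pkcs12 would extract.
make_sample() {
    dir=$1
    cat > "$dir/tech_staff_lsl.ovpn" <<'EOF'
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx 1194 udp
lport 0
verify-x509-name "C=NL, ST=GLD, L=Ede, O=ENEM BV, emailAddress=test@test.test, CN=vpnserver" subject
remote-cert-tls server
auth-user-pass
pkcs12 tech_staff_lsl.p12
tls-auth tech_staff_lsl-tls.key 1
EOF
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' > "$dir/ca.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-USER' '-----END CERTIFICATE-----' > "$dir/cert.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' > "$dir/key.pem"
}

# Usage: sh ovpn_inline.sh in.ovpn out.ovpn ca.pem cert.pem key.pem
if [ "$#" -eq 5 ]; then
    ovpn_inline_pkcs12 "$@"
fi
```

The converted file is a single self-contained profile apart from the `tls-auth` key, which the importer can still pick up from the path next to it; if `-cacerts` produced an empty file, the CA is simply not in the export and has to come from the firewall's trust store before the rewrite makes sense.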