[SOLVED] use OpenVPN-Client with Passphrase-protected Key

Started by rfolkerts, May 11, 2016, 08:39:33 PM

Hi,

I"d like my OpnSense to connect to a Server with a Passphrase-protected Key.

Is there a way to specify that Passphrase (to be passed to OpenVPN with the --askpass-Option)?
I didn"t find a way to specify, using OPNsense 16.1.13-i386.

Would be cool if there was a way.

Cheers,
_ralf_

Go VPN: OpenVPN: Client Export

and check Certificate Export Options -> Use a password to protect the pkcs12 file contents or key in Viscosity bundle.

Hi,

thanks for the reply! However, it seems I did not ask correctly :(

There is a "foreign" OpenVPN-Server, not operated by me, that I'd like to connect to from my OPNsense-System. From that "foreign" OpenVPN-Server's Operator I got a Client-Certificate that's Key-Protected.

So, I created a Client in VPN/OpenVPN/Clients. However, I didn't find a way to configure the Passphrase for the Cert. Now, upon starting the VPN Client I get

openvpn[36396]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.

in the Log.

On my Desktop-System I'd put that passphrase into a file and use the --askpass Command Line Option to OpenVPN. However, in OPNsense I did not find any option that would resemble that "askpass".

Is there a way to configure that in OPNsense?

MTIA, cheers,
_ralf_

Hi _ralf_,

Can't you remove the password with openssl before adding it to OPNsense?
I guess something like this should do the trick:

openssl rsa -in privateKey.pem -out newPrivateKey.pem


Regards,

Ad


Quote from: AdSchellevis on May 14, 2016, 04:32:00 PM
Hi _ralf_,

Can't you remove the password with openssl before adding it to OPNsense?
I guess something like this should do the trick:

openssl rsa -in privateKey.pem -out newPrivateKey.pem



Hi Ad,

wow - I must admit that I did not think of that!

Just removed the Passphrase - worked 1a! Now, I can connect...

Thanks a lot!

Cheers,
_ralf_

Hi Ralf,

You can also add the --askpass primitive to the advanced configuration text box, e.g.:

askpass /path/to/user/certificate_password.txt

We should, however, add a text box for this in order to be able to do this automatically in the future.

https://github.com/opnsense/core/issues/944


Cheers,
Franco

Well, not really. It doesn't matter if you use a key with password and save the key in plain text on the router or if you just remove the passphrase. But one could add a short how-to on removing a passphrase in the docs. Just my 2 cents..

You're right, the ticket has already been changed to reflect this... show a warning that this will lower security, allow to remove protection via GUI prompt anyway. No need for a doc page then. :)
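Both routes from this thread side by side, as an added example that is not code from the thread, from OPNsense or from OpenVPN: the openssl command Ad suggested (strip the passphrase, supplied non-interactively with -passin) and the askpass file Franco mentioned, plus the checks that make the last point of the thread concrete: either way the secret ends up in plain text on the firewall, so the file modes are what is left to protect it. The key, the passphrase and all paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: strip the passphrase from an OpenVPN client key, or keep the
# key protected and feed OpenVPN the passphrase via an askpass file, then verify
# what each option leaves on disk. Everything below is constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS='demo-passphrase'   # constructed stand-in for the operator-supplied passphrase

# Constructed input: a fresh RSA key encrypted with $PASS, standing in for the
# key handed out by the "foreign" OpenVPN server's operator.
make_protected_key() {
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/privateKey.pem" 2048 2>/dev/null
}

# Option 1: the command from the thread, with the passphrase passed via -passin so
# it runs unattended; the output is an unencrypted key OPNsense can import as-is.
strip_passphrase() {
    openssl rsa -in "$WORK/privateKey.pem" -passin "pass:$PASS" \
        -out "$WORK/newPrivateKey.pem" 2>/dev/null
    chmod 600 "$WORK/newPrivateKey.pem"   # plaintext key: owner-only
}

# Option 2: keep the encrypted key and create the file referenced by an
# "askpass /path/to/certificate_password.txt" line in the advanced configuration.
write_askpass_file() {
    ( umask 077; printf '%s\n' "$PASS" > "$WORK/certificate_password.txt" )
}

# Checks: does the PEM still carry an encryption header (both the legacy
# "Proc-Type: 4,ENCRYPTED" and PKCS#8 "ENCRYPTED PRIVATE KEY" forms match),
# does it load with an empty passphrase, and is it readable by its owner only?
key_is_encrypted()   { grep -q ENCRYPTED "$1"; }
loads_without_pass() { openssl rsa -in "$1" -passin pass: -noout -check >/dev/null 2>&1; }
owner_only()         { [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]; }
```

Whichever option is used, the plaintext passphrase or key should sit under the same 0600 permissions the checks enforce, and the encrypted original can then be deleted from the firewall.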