
OpnSense .ovpn export fails to import into Ubuntu 22.04 OpenVPN


llamprec:
Bart,

I have managed to import the office.ovpn file into windows, but no matter what I try I cannot get it imported into Linux.
I just downloaded a new zip file and when I try the following.

openssl pkcs12 -in tech_staff_lawrence.p12 -out cert.pem -clcerts -nokeys

ERROR:
openssl pkcs12 -in tech_staff_lawrence.p12 -out cert.pem -clcerts -nokeys
Enter Import Password:
Error outputting keys and certificates
401795A0507F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

Doing some reading, I get no clear answers. I understand it could be related to nodejs, but when I try to resolve it, nothing seems to work.

Any ideas?

Lawrence

bartjsmit:
Can you copy the office.ovpn to Linux and run it in the foreground?

openvpn office.ovpn

That will show any errors in the console.

Bart...

llamprec:
Bart,

I took the office.ovpn file and imported that into openvpn on a windows machine and that worked without a hassle.

After speaking to my colleague, he asked me if I have looked at the certificates on the opnsense server. So I did this but it causes me a little more confusion. I am new to the company and am trying to get the VPN working so that I have remote access for support reasons.

Let me explain. Not really sure how much I can say here without sharing too much secure information.
I will change the username and details for security reasons but the logic is the same.

I have a user called lsl, then looking under System / Trust / Certificates, I do see a listing with certificates for the user lsl. Under the username, I see the following. "CA: No, Server: No"
Does this mean that there is No CA certificate linked to this user?

Looking on the right hand side of the page I see the following 4 download links.
1. Certificate Information
2. Export User Certificate
3. Export User key (I guess this is the private key)
4. Export ca+user cert+user key in p12 format

Looking at the info, I see the following that concerns me.
CN = internal-ca
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE

The user lsl has been added to a group tech_staff. The VPN is set up with the group tech_staff.
Each time I try anything I am told that the ca certificate is missing. I also understand that this is a self signed ca certificate.

If I look at VPN / OpenVPN / Client Export

I see the user lsl listed within the config, then at the right hand side I have the option to save the tech_staff.p12 certificate zipped up.

If I open the archive, I see 3 files.
tech_staff_lsl.ovpn
tech_staff_lsl.p12
tech_staff_lsl-tls.key

If I look at the .ovpn file. It does not have any of the tags you mentioned before. What it does have which does not work with openvpn is two lines related to auth.
### .ovpn file contents ###
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx 1194 udp
lport 0
verify-x509-name "C=NL, ST=GLD, L=Ede, O=ENEM BV, emailAddress=test@test.test, CN=vpnserver" subject
remote-cert-tls server
auth-user-pass
pkcs12 tech_staff_lsl.p12
tls-auth tech_staff_lsl-tls.key 1

If I try what you suggested, "openvpn tech_staff_lsl.ovpn",

I get the below error.
2022-09-29 23:17:15 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2022-09-29 23:17:15 WARNING: file 'tech_staff_lsl.p12' is group or others accessible
2022-09-29 23:17:15 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-09-29 23:17:15 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10

How do I get around this issue? Why is there no ca certificate delivered from the VPN config?

Thanks
Lawrence

cookiemonster:
Are you trying to use network manager, or all by cli? I imagine yes because of the first error "plugin..".
The problem is that the ovpn network manager plugin doesn't support importing pkcs#12 files,  which the export from OPN does.
So you end up not using that file and let the plugin create it by providing what it needs: a ca.crt, a user.crt and a user.key. The tricky part is to match the cipher and hmac auth settings. It might take a few tries.
Can you confirm?

llamprec:
I have tried both using the GUI network manager to import the .ovpn file and I have tried with the commandline. Neither work.

I do not understand what you mean by "the export from OPN does work".

What I find confusing is if I run the following command

keytool -list -v -keystore tech_staff_lsl.p12

I see the following.

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: 30 Sept 2022
Entry type: PrivateKeyEntry
Certificate chain length: 0


*******************************************
*******************************************

Why does it say that the Certificate chain length = 0?

Also, I saw the message that the key has not been verified, something to do with the password.
If I try a different password which is the incorrect password I get the following error.

Enter keystore password: 
keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
   at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2158)
   at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226)
   at java.base/java.security.KeyStore.load(KeyStore.java:1503)
   at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1101)
   at java.base/sun.security.tools.keytool.Main.run(Main.java:416)
   at java.base/sun.security.tools.keytool.Main.main(Main.java:409)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is u

So the password I am using is correct. Why is it saying that it is not verified?

Lawrence
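The script below is an added example, not code from this thread or from OPNsense. It ties together three points raised above: the "unsupported ... RC2-40-CBC" error from the first post (OpenSSL 3 moved RC2 into its legacy provider, so a PKCS#12 written with the old RC2-40-CBC PBE only opens with "openssl pkcs12 -legacy"), cookiemonster's note that the NetworkManager OpenVPN plugin wants ca.crt, user.crt and user.key rather than a .p12, and the keytool "Certificate chain length: 0" question, which is a count of CA certificates in the bag. It assumes the bag password is exported as P12PASS, that the -legacy option exists only on OpenSSL 3 with the legacy provider installed (the libssl3 package on Ubuntu 22.04 ships it), and that the PEM directory passed to ovpn_convert is the one p12_split wrote. The CA, user certificate and .ovpn lines it builds in make_demo and demo are constructed test material, not the thread's files.

```shell
#!/bin/sh
# Added example, not code from the OPNsense thread or from OPNsense itself.
# Reads an OPNsense-style PKCS#12 export on a host with OpenSSL 3, reports
# whether the bag carries a CA certificate, splits it into the ca.crt,
# user.crt and user.key files the NetworkManager OpenVPN plugin wants, and
# rewrites the .ovpn to use them. Assumes the bag password is exported as
# P12PASS; "openssl pkcs12 -legacy" exists only on OpenSSL 3 with the legacy
# provider installed (Ubuntu 22.04's libssl3 package ships it).
set -eu

# Run "openssl pkcs12" on a bag. If OpenSSL 3 refuses the RC2-40-CBC PBE the
# bag was written with (the "unsupported ... RC2-40-CBC" error in the thread),
# retry with the legacy provider. Output is buffered so a failed first try
# leaks nothing into the caller's file.
p12_read() {                    # p12_read <file.p12> <openssl pkcs12 args...>
  local p12=$1 out err; shift
  out=$(mktemp); err=$(mktemp)
  if ! openssl pkcs12 -in "$p12" -passin env:P12PASS "$@" >"$out" 2>"$err"; then
    if grep -Eq 'RC2-40-CBC|unsupported' "$err"; then
      openssl pkcs12 -legacy -in "$p12" -passin env:P12PASS "$@" >"$out" \
        || { rm -f "$out" "$err"; return 1; }
    else
      cat "$err" >&2; rm -f "$out" "$err"; return 1
    fi
  fi
  cat "$out"; rm -f "$out" "$err"
}

# Number of CA certificates in the bag. OpenSSL treats every certificate that
# carries no localKeyID (so is not the one paired with the private key) as a
# CA cert. 0 is what keytool reports as "Certificate chain length: 0": the
# export packaged the user certificate only.
p12_ca_count() {                # p12_ca_count <file.p12>
  p12_read "$1" -cacerts -nokeys | grep -c 'BEGIN CERTIFICATE' || true
}

# Split the bag into the three PEM files the NetworkManager plugin asks for.
# Piping through "openssl x509" / "openssl pkey" drops the "Bag Attributes"
# preamble; umask 077 avoids the "group or others accessible" warning OpenVPN
# printed in the thread. Without a CA in the bag, ca.crt has to be exported
# from OPNsense separately.
p12_split() {                   # p12_split <file.p12> <outdir>
  local p12=$1 out=$2
  ( umask 077; mkdir -p "$out"
    p12_read "$p12" -clcerts -nokeys | openssl x509 -out "$out/user.crt"
    p12_read "$p12" -nocerts -nodes | openssl pkey -out "$out/user.key"
    if [ "$(p12_ca_count "$p12")" -gt 0 ]; then
      p12_read "$p12" -cacerts -nokeys | openssl x509 -out "$out/ca.crt"
    else
      echo "warning: $p12 contains no CA certificate; export ca.crt separately" >&2
    fi )
}

# Rewrite the exported .ovpn: "pkcs12 <file>" becomes ca/cert/key lines and
# "cipher AES-128-CBC" gets the data-ciphers list that OpenVPN 2.5's
# deprecation warning asked for. Every other line passes through unchanged.
ovpn_convert() {                # ovpn_convert <in.ovpn> <pem dir>  (to stdout)
  awk -v d="$2" '
    /^pkcs12 /            { print "ca " d "/ca.crt"; print "cert " d "/user.crt"
                            print "key " d "/user.key"; next }
    /^cipher AES-128-CBC/ { print; print "data-ciphers AES-128-CBC:AES-256-GCM:AES-128-GCM"; next }
    { print }' "$1"
}

# Constructed demo material, not the thread's certificates: a throwaway CA, a
# user cert it signs, and two bags, one packaged with the CA and one without.
make_demo() {                   # make_demo <dir>
  local d=$1; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=internal-ca \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=lsl \
    -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/user.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/user.crt" 2>/dev/null
  openssl pkcs12 -export -passout env:P12PASS -in "$d/user.crt" \
    -inkey "$d/user.key" -certfile "$d/ca.crt" -out "$d/with-ca.p12"
  openssl pkcs12 -export -passout env:P12PASS -in "$d/user.crt" \
    -inkey "$d/user.key" -out "$d/no-ca.p12"
}

# Stand-alone run on the demo material; for a real export call p12_ca_count,
# p12_split and ovpn_convert on the files from the OPNsense zip instead.
demo() {
  export P12PASS="${P12PASS:-demo-only}"
  local w; w=$(mktemp -d); make_demo "$w"
  echo "CA certs in with-ca.p12: $(p12_ca_count "$w/with-ca.p12")"   # 1
  echo "CA certs in no-ca.p12:   $(p12_ca_count "$w/no-ca.p12")"     # 0
  p12_split "$w/with-ca.p12" "$w/nm"
  printf 'client\ncipher AES-128-CBC\nauth SHA1\npkcs12 tech_staff_lsl.p12\n' >"$w/in.ovpn"
  ovpn_convert "$w/in.ovpn" "$w/nm"
}
if command -v openssl >/dev/null 2>&1; then demo; fi
```

On a real export, run `P12PASS='the bag password' sh -c '. ./p12split.sh; p12_ca_count tech_staff_lsl.p12'` first: a 0 means the .p12 never contained the CA, which is exactly what keytool was reporting, and no amount of re-importing will make OpenVPN or the NetworkManager plugin find one. The p12_read fallback is what turns the RC2-40-CBC failure from the first post into a successful read on OpenSSL 3; on OpenSSL 1.1.1 the first attempt already succeeds and the fallback is never used.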
