Can't get into openvpn

Started by jphilipfry, January 12, 2024, 04:34:59 PM


Hi all, I have set up the OpenVPN configs with my 3 files already, which are the .ovpn file itself, the registration entries and the personal info file. Everything was going well until I downloaded the latest version of OpenVPN and tried to connect; then it prompted me for a password, which I thought was the user password I thought I made for the profile on my OPNsense firewall. Down below are the logs, any help please?



2024-01-12 00:25:53 OpenVPN 2.6.8 [git:v2.6.8/3b0d9489cc423da3] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Nov 17 2023
2024-01-12 00:25:53 Windows version 10.0 (Windows 10 or greater), amd64 executable
2024-01-12 00:25:53 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024-01-12 00:25:53 DCO version: 1.0.0
2024-01-12 00:25:59 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-01-12 00:25:59 OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
2024-01-12 00:25:59 OpenSSL: error:11800071:PKCS12 routines::mac verify failure:
2024-01-12 00:25:59 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2024-01-12 00:25:59 SIGUSR1[soft,private-key-password-failure] received, process restarting
2024-01-12 00:26:06 OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
2024-01-12 00:26:06 OpenSSL: error:11800071:PKCS12 routines::mac verify failure:
2024-01-12 00:26:06 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2024-01-12 00:26:06 SIGUSR1[soft,private-key-password-failure] received, process restarting
2024-01-12 00:26:23 ERROR: could not read Private Key username/password/ok/string from management interface
2024-01-12 00:26:23 Exiting due to fatal error

I currently have exactly the same problem.

I tried using the older OpenVPN Connect versions, changing the certs to SHA512, encrypting the p12, but nothing helped.

Will do an upgrade on the weekend from Business to Community, hopefully it works there with OpenSSL 3.0.

Quote from: jphilipfry on January 12, 2024, 04:34:59 PM
...
2024-01-12 00:25:59 OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
2024-01-12 00:25:59 OpenSSL: error:11800071:PKCS12 routines::mac verify failure:
2024-01-12 00:25:59 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2024-01-12 00:25:59 SIGUSR1[soft,private-key-password-failure] received, process restarting
2024-01-12 00:26:06 OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
2024-01-12 00:26:06 OpenSSL: error:11800071:PKCS12 routines::mac verify failure:
2024-01-12 00:26:06 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2024-01-12 00:26:06 SIGUSR1[soft,private-key-password-failure] received, process restarting
2024-01-12 00:26:23 ERROR: could not read Private Key username/password/ok/string from management interface
2024-01-12 00:26:23 Exiting due to fatal error


You need the legacy provider for RC2-40-CBC in OpenSSL.

On the iOS OpenVPN app under Advanced Settings there's a Legacy option, but I'd recommend fixing your configuration instead, if possible, to use modern ciphers.

Thank you for your answer. Not sure if I can follow though.

I created an OpenVPN instance and left the settings to default.
I assumed that the default settings should work with OpenVPN Connect.

So by just setting "Data ciphers" to "AES-256-GCM" it should work?


Not sure what the root problem was here, but I found a way to make it work.

Will leave this here, maybe this helps someone else.

1. You should not export the Archive but the file only! The Archive will use the unsupported .p12. I don't think this is ideal from OPNsense. In my opinion, OPNsense should offer a client export that works out of the box. pfSense not only gets you the right files but even adds a compatible OpenVPN Connect client installer on top.

2. For some reason I don't understand, there was a DNS problem. Instead of resolving mydomain.hopto.org (no-ip) to my WAN, it resolved to a random IP in Turkey. Not sure why; nslookup on the same host resolved to the right IP.

3. By clicking Advanced and setting Ciphers to 256 GCM, even the warnings went away.
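The two findings in this thread fit together: the "unsupported ... RC2-40-CBC" error means the exported .p12 archive protects its bags with pbeWithSHA1And40BitRC2-CBC, which OpenSSL 3 only handles when the legacy provider is loaded, and exporting the separate files sidesteps that archive entirely. The script below is an added example written for this thread, not code from OPNsense, OpenVPN or any poster. It walks the DER tree of a PKCS#12 file (descending into the OCTET STRINGs PKCS#12 uses to nest its contents) and reports which password-based encryption OIDs it finds, so an exported bundle can be checked before it ever reaches a client, even on a machine whose OpenSSL refuses to open it. The OID-to-provider mapping is an assumption of the example (RC2 variants are legacy; 3-key 3DES and PBES2 are in the default provider), and the sample bundle is constructed inline, not a real export.

```python
"""Report which password-based encryption (PBE) schemes a PKCS#12 bundle uses.

Added example (not code from OPNsense, OpenVPN or any forum poster). OpenSSL 3 moved
RC2 into the optional "legacy" provider, so a .p12 protected with
pbeWithSHA1And40BitRC2-CBC fails with "digital envelope routines::unsupported"
before the password is even tried. This scanner lists the PBE OIDs in the DER so
the export can be inspected without OpenSSL. Assumption: the provider mapping in
PBE_OIDS (RC2 variants = legacy provider, 3-key 3DES and PBES2 = default provider).
"""
import json
import sys

PBE_OIDS = {
    "1.2.840.113549.1.12.1.6": ("pbeWithSHA1And40BitRC2-CBC", "legacy"),
    "1.2.840.113549.1.12.1.5": ("pbeWithSHA1And128BitRC2-CBC", "legacy"),
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC", "default"),
    "1.2.840.113549.1.5.13": ("PBES2 (PBKDF2 + modern cipher)", "default"),
}


def _read_tlv(buf, pos, limit):
    """Decode one DER tag/length at pos; return (tag, constructed, value_start, value_end)."""
    tag = buf[pos]
    if tag in (0x00, 0xFF) or tag & 0x1F == 0x1F:
        raise ValueError("not a DER tag used by PKCS#12")
    pos += 1
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > limit:
            raise ValueError("unsupported or truncated length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > limit:
        raise ValueError("TLV runs past its container")
    return tag, bool(tag & 0x20), pos, end


def _decode_oid(value):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if b & 0x80:
            continue  # continuation byte, keep accumulating this arc
        if not arcs:
            # The first subidentifier packs the first two arcs as 40*a + b.
            arcs.extend((acc // 40, acc % 40) if acc < 80 else (2, acc - 80))
        else:
            arcs.append(acc)
        acc = 0
    return ".".join(str(a) for a in arcs)


def _walk(buf, start, end, found):
    """Append every OID inside buf[start:end] to found, recursing into nested DER."""
    pos = start
    while pos < end:
        tag, constructed, vstart, vend = _read_tlv(buf, pos, end)
        if constructed:
            _walk(buf, vstart, vend, found)
        elif tag == 0x06:
            found.append(_decode_oid(buf[vstart:vend]))
        elif tag == 0x04:
            # PKCS#12 nests DER inside OCTET STRINGs; salts and ciphertext are also
            # OCTET STRINGs, so only keep results when the content parses cleanly.
            inner = []
            try:
                _walk(buf, vstart, vend, inner)
            except (ValueError, IndexError):
                inner = []
            found.extend(inner)
        pos = vend


def collect_oids(der):
    found = []
    _walk(der, 0, len(der), found)
    return found


def classify_pkcs12(der):
    """Summarise the PBE schemes in a PKCS#12 blob and whether OpenSSL 3 needs the legacy provider."""
    schemes = [PBE_OIDS[o] for o in collect_oids(der) if o in PBE_OIDS]
    return {
        "schemes": sorted({name for name, _ in schemes}),
        "needs_legacy_provider": any(prov == "legacy" for _, prov in schemes),
    }


def _tlv(tag, value):
    """Encode one DER TLV (short- or long-form length); used only to build the sample."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


# DER content octets of the OIDs used by the constructed sample below.
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")    # 1.2.840.113549.1.7.1
OID_PBE_RC2_40 = bytes.fromhex("2a864886f70d010c0106")  # 1.2.840.113549.1.12.1.6
OID_PBES2 = bytes.fromhex("2a864886f70d01050d")         # 1.2.840.113549.1.5.13


def constructed_sample(legacy):
    """A cut-down, PFX-shaped DER structure constructed for this example (not a real export).

    The certificate bag is PKCS#7 EncryptedData using either the legacy RC2-40 PBE or
    PBES2; the shrouded key bag always uses PBES2. Salts and ciphertext are dummy bytes.
    """
    cert_pbe = OID_PBE_RC2_40 if legacy else OID_PBES2
    cert_alg = _tlv(0x30, _tlv(0x06, cert_pbe) + _tlv(0x30, _tlv(0x04, b"\x11" * 8) + _tlv(0x02, b"\x08\x00")))
    encrypted_data = _tlv(0x30, _tlv(0x06, OID_PKCS7_DATA) + cert_alg + _tlv(0x80, b"\xde\xad\xbe\xef"))
    key_bag = _tlv(0x30, _tlv(0x06, OID_PBES2) + _tlv(0x30, b"") + _tlv(0x04, b"\xca\xfe" * 4))
    safe_contents = _tlv(0x30, encrypted_data + key_bag)
    auth_safe = _tlv(0x30, _tlv(0x06, OID_PKCS7_DATA) + _tlv(0xA0, _tlv(0x04, safe_contents)))
    return _tlv(0x30, _tlv(0x02, b"\x03") + auth_safe)


if __name__ == "__main__":
    # Pass a .p12/.pfx path to inspect a real export; without one, the constructed sample is used.
    der = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample(legacy=True)
    print(json.dumps(classify_pkcs12(der), indent=2))
```

When `needs_legacy_provider` comes back true, the defender-side fix is the one the thread converged on: do not ship that archive to OpenSSL 3 clients. Either export the certificate, key and CA as separate files, or rebuild the bundle with an OpenSSL 3 `openssl pkcs12 -export` (whose defaults are AES-256-CBC with PBKDF2, i.e. PBES2), rather than enabling the Legacy toggle on every client.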