OpenVPN, no password?

Henric Rosvall

Hi !

I connect to work through OpenVPN, and now that I have a new router I thought that the router could do the connection instead of OpenVPN GUI.

But it has proven difficult to get the connection working.

Every time I connect with OpenVPN GUI I need to input a password (to be able to decrypt the certificates?). And then it works like it should.


But in the router config there doesn't seem to be an option to input a password to unlock the encryption and connect. So the connection fails with the message:
Feb 20 18:19:45 openvpn[6057]: Error: private key password verification failed
Feb 20 18:19:45 openvpn[6057]: Exiting due to fatal error

Any idea what is wrong and how I could fix it?

The current ovpn-config that works fine in OpenVPN GUI if I just input my password:
Code:
#OpenVPN Server conf
tls-client
client
dev tun
proto udp
tun-mtu 1500
remote [IP TO THE FIREWALL AT WORK] 1194
ca [inline]
<ca>
-----BEGIN CERTIFICATE-----
[THE CA CERTIFICATE]
-----END CERTIFICATE-----
</ca>
cert [inline]
<cert>
-----BEGIN CERTIFICATE-----
[THE USER CERTIFICATE]
-----END CERTIFICATE-----
</cert>
key [inline]
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
[THE KEY CERTIFICATE]
-----END ENCRYPTED PRIVATE KEY-----
</key>
cipher BF-CBC
comp-lzo
verb 3
ns-cert-type server
 
Never mind. I managed to solve it myself (after hours and hours of tinkering, I was just one small step from succeeding).
A description of how to solve it will be posted shortly
 
Solution:

I needed to connect to OpenVPN with the router, as a road warrior.
The server was using IPCop with an OpenVPN plugin.

So I had a .p12 file and a .ovpn config file collected from IPCop.
But those files don't work very well with the Asus router. So there are a few steps to get it working.

First of all, we want to include all the certificates in the ovpn-file (to make things a bit easier)

I started out with this ovpn-file:
Code:
#OpenVPN Server conf
tls-client
client
dev tun
proto udp
tun-mtu 1500
remote [IP to the server] 1194
pkcs12 Henric.p12
cipher BF-CBC
comp-lzo
verb 3
ns-cert-type server

The router doesn't seem to like pkcs12-certificates. So we need to convert it into separate certificates.

So what I did, was to run this command in the command prompt:
Code:
openssl pkcs12 -in c:\Temp\Henric.p12 -out c:\Temp\Henric.pem

This converts the pkcs12-certificate into a file containing the separate certificates that we'll need.
IMPORTANT: You'll need to supply both an import password AND an export password when asked. If you don't supply it with an export password, it won't generate a user key, and you'll be pretty much f*cked.
Just write the same password for both.

Now we have a pem-file with three keys
  • one CA certificate for the server
  • one certificate for your user
  • one key for your user.
But the user key has a password, and that's not something the Asus router can handle.
So we need to create a new user key based on the old one, without the password.

So we open the generated .pem-file.
It should contain three certificates (each certificate starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----).
The third (bottom) one is your user key.
Copy it (including the begin and end lines) and paste it into a new file, that we will name HenricKey.key in this example.

Then run the following command
Code:
openssl rsa -in c:\Temp\HenricKey.key -out c:\Temp\HenricKey_NoPass.key



Now we have all the data we need. All that is left is to modify the .ovpn-file.

Open the old .ovpn-file and delete the line that starts with pkcs12.

We now need to add the three certificates, one ca certificate, one user certificate, and the user key that has no password. In the end it will look like this:
Code:
#OpenVPN Server conf
tls-client
client
dev tun
proto udp
tun-mtu 1500
remote [IP to the server] 1194
ca [inline]
<ca>
-----BEGIN CERTIFICATE-----
<A bunch of characters and numbers>
-----END CERTIFICATE-----
</ca>
cert [inline]
<cert>
-----BEGIN CERTIFICATE-----
<A bunch of characters and numbers>
-----END CERTIFICATE-----
</cert>
key [inline]
<key>
-----BEGIN RSA PRIVATE KEY-----
<A bunch of characters and numbers>
-----END RSA PRIVATE KEY-----
</key>
cipher BF-CBC
comp-lzo
verb 3
ns-cert-type server

The "ca" is the second certificate in Henric.pem, the "cert" is the first certificate in Henric.pem, and the "key" is the certificate found in HenricKey_NoPass.key

Just upload the .ovpn-file to the router, and everything should work out perfectly


[Many Bothans died to deliver this message]
(or at least many hours of trial and error :) )
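
The failure in the first post and the fix in the solution both come down to which PEM header sits inside the <key> block. As an added example (not part of the original posts), this Python check reads an .ovpn file's inline blocks and reports what a client that cannot prompt for a passphrase would reject; the function names and sample configs are constructed for illustration, and it also covers the traditional `Proc-Type: 4,ENCRYPTED` header, which the thread does not show.

```python
import re

# Inline blocks in an .ovpn file: <ca>...</ca>, <cert>...</cert>, <key>...</key>
BLOCK = re.compile(r"<(ca|cert|key)>\s*(.*?)\s*</\1>", re.DOTALL)
PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def classify_key(pem):
    """Return 'encrypted', 'plain' or 'unknown' for a PEM private key block."""
    m = PEM_BEGIN.search(pem)
    if not m or not m.group(1).endswith("PRIVATE KEY"):
        return "unknown"
    if m.group(1) == "ENCRYPTED PRIVATE KEY":   # PKCS#8 with a passphrase
        return "encrypted"
    # Traditional PEM keeps the label and adds an encryption header instead.
    return "encrypted" if "Proc-Type: 4,ENCRYPTED" in pem else "plain"

def preflight(ovpn_text):
    """List reasons a client that cannot prompt for a passphrase would fail."""
    blocks = dict(BLOCK.findall(ovpn_text))
    directives = {ln.split()[0] for ln in ovpn_text.splitlines() if ln.split()}
    if "pkcs12" in directives:
        return ["pkcs12 bundle referenced: convert to inline ca/cert/key"]
    problems = [f"missing inline <{n}> block"
                for n in ("ca", "cert", "key") if n not in blocks]
    kind = classify_key(blocks.get("key", ""))
    if "key" in blocks and kind == "encrypted":
        problems.append("private key is passphrase-protected")
    elif "key" in blocks and kind == "unknown":
        problems.append("<key> block holds no PEM private key")
    return problems

def sample(key_label, extra=""):
    """Build a constructed config; the bodies are placeholders, not real keys."""
    cert = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----"
    key = (f"-----BEGIN {key_label}-----\n{extra}Q09OU1RSVUNURUQ=\n"
           f"-----END {key_label}-----")
    return (f"client\ndev tun\nproto udp\n<ca>\n{cert}\n</ca>\n"
            f"<cert>\n{cert}\n</cert>\n<key>\n{key}\n</key>\nverb 3\n")

if __name__ == "__main__":
    print(preflight(sample("ENCRYPTED PRIVATE KEY")))  # header from the failing config
    print(preflight(sample("RSA PRIVATE KEY")))        # header from the working config
```

A config that passes this check carries an unencrypted private key, so the file itself needs the protection the passphrase used to provide.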
 