OpenVPN client .ovpn file import fails

Hi,

I have configured openvpn/easy-rsa and started the server.

I created a client.conf profile and amended it as instructed. I appended ca.crt/client1.crt/client1.key/ta.key to the file in the following format, as per the official guide. (Only <ca> had the ------END CERT---- line in the guide example; I have tried including it on all of them, but it still fails.)

<ca>
------------BEGIN CERTIFICATE------------
XYZ
------------END CERTIFICATE--------------
</ca>

<cert>
------------BEGIN CERTIFICATE------------
XYZ
</cert>

<key>
------------BEGIN ENCRYPTED PRIVATE KEY----------
XYZ
</key>
key-direction 1

<tls-auth>
----------BEGIN OpenVPN Static key V1------------
XYZ
</tls-auth>


I changed the file from .conf to .ovpn and emailed it to myself. I tried to add the profile to the OpenVPN client on my iPhone and I receive an error:

'selected file has incorrect profile configuration'
error message: ca.crt, client1.crt, client1.key, ta.key

I have checked against the sample client.conf and cannot see any typos.

Is there any way to debug the client1.conf file?
 
You e-mailed a private key?!
Not sure.

When I created the cert and key for the client, only 1x key and 1x cert were generated for the client.

the ca is in /usr/local/etc/openvpn/pki/ca.crt
the key is in /usr/local/etc/openvpn/pki/private/client1.key
the cert is in /usr/local/etc/openvpn/pki/issued/client1.crt
the ta is in /usr/local/etc/openvpn/ta.key

ca.crt, ta.key and client1.key only have one cert defined in the file, with ----BEGIN--- ----END----.
client1.crt has information before the ----BEGIN--- ---END---- block, but only 1x ---BEGIN--- ---END----.

I just opened the files with vi, copy-pasted the cert info from ------BEGIN----- into Notepad, put it in the XML format, then copy-pasted it into client1.conf at the bottom of the file.

All this copy-pasting is error-prone, but I have double-checked for typos, empty spaces, etc. Is there not a facility that appends the key/cert files to client1.conf for you?
 
You probably have the certs/key inline AND as file names.
Remove the lines like
cert foo/file.crt
ca foo/blah.crt
key foo/key.priv
Hi,

I did not change the format of those lines, just edited the names; they are in client1.conf as follows:

ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1

I am not sure what inline means with regard to this config.

If I remove the line cert how will the client obtain its cert?
 
Inline is
<cert>
begin blah
asdfsadfsd
</cert>

i.e. the cert is defined "inline", not as a file reference.
OK,

so basically it's being defined twice?

I think I was focused on the client needing to know the names of the cert and key files.

So should I just remove these lines from client1.conf?

ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1

and just let it process these lines, and it will know what to do with them?

<ca>
------------BEGIN CERTIFICATE------------
XYZ
------------END CERTIFICATE--------------
</ca>

<cert>
------------BEGIN CERTIFICATE------------
XYZ
</cert>

<key>
------------BEGIN ENCRYPTED PRIVATE KEY----------
XYZ
</key>
key-direction 1

<tls-auth>
----------BEGIN OpenVPN Static key V1------------
XYZ
</tls-auth>
 
Yes.
I used that method on Asus Wi-Fi/consumer routers and it worked very well.
OK, commented out the lines.

and I now have a new error:

'selected file has incorrect profile configuration'
error message: static_key_parse_error
 
I never used static keys, but do you really need it?
PKI (certs) should work without a static key.

According to the server.conf comments, it protects against DoS attacks and UDP flooding, so it is preferable.

According to the comments, it's used to create an HMAC firewall with this command:
openvpn --genkey tls-auth ta.key

Now that I have implemented this command on the server, is there an active firewall? Do I need to disable it? Or is it just a case of commenting out the line, because there is not really a firewall?

Sorry if these questions are stupid; my background is Cisco, and OpenVPN seems to have redefined everything. When it says firewall, is this a firewall or just a shared ta.key?

I would like to keep the static key if possible, if it protects against attacks.

I have tried re-copying the key into client1.conf but still get the same error. The only thing I can think of is to add the -----end cert----- line. The guide I used only included the ----end cert--- line for the <ca></ca> section.

It's the exact same ta.key the server is using, and the server starts with it.


The other issue I have is that, because I'm not familiar with FreeBSD and vi, I don't know how to remove empty lines. I saw some grep command with every symbol on the keyboard that looked like this: grep !"££$$%%^&""!!$£%%£%£!?:??<><:< lol. Is this the only way to remove an empty line? What happened to using Delete or Backspace?
 
Use nano instead of vim. Figure out this one first. Only then shall you walk the steep path that ascends to the light of the almighty VIM.
 
There is no way the static key will protect against DDoS and flooding.
It's just a simpler auth method.
I got it working ;-)

It needs the ----end cert--- for all sections, a space between the <key></key> and key-direction 1 lines, and 5x ----- as follows.

<ca>
-----BEGIN CERTIFICATE-----
XYZ
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
XYZ
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
XYZ
-----END ENCRYPTED PRIVATE KEY-----
</key>

key-direction 1

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
XYZ
-----END OpenVPN Static key V1-----
</tls-auth>
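The facility asked for earlier in the thread (appending the PKI files to client1.conf for you) and the three fixes the post above arrives at (markers with exactly five dashes, an END line on every block, inline blocks instead of the ca/cert/key/tls-auth file directives) can be put in one script. This is an added example, not from the thread or from the OpenVPN project. It assumes the easy-rsa layout given earlier (the issued client cert carries a textual dump before its PEM block, ta.key carries comment lines before its block), that the client side of "tls-auth ta.key 1" is key-direction 1, and that the stand-in files it writes for the demo contain placeholder bodies, not real certificates or keys.

```sh
#!/bin/sh
# Build an inline client .ovpn from client1.conf plus the easy-rsa files,
# then check it for the mistakes the thread ran into. Added example, not
# from the thread or from OpenVPN; file paths are parameters.
set -eu

# Print exactly one PEM block from a file: the first line starting with
# "-----BEGIN " through the first "-----END " line. easy-rsa's issued/*.crt
# has a textual certificate dump before the PEM, and ta.key has comment
# lines before it; both are dropped here.
pem_block() {
    awk '/^-----BEGIN /{p=1} p{print} /^-----END /{exit}' "$1"
}

# Emit one <tag>...</tag> inline section on stdout.
inline_section() {
    printf '<%s>\n' "$1"
    pem_block "$2"
    printf '</%s>\n' "$1"
}

# build_ovpn CONF CA CERT KEY TA OUT
# Copies CONF minus the ca/cert/key/tls-auth file directives (an inline
# block plus a file reference for the same item is the "defined twice"
# problem), then appends the four inline sections and key-direction.
build_ovpn() {
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$1" > "$6"
    {
        printf '\n'
        inline_section ca "$2"
        inline_section cert "$3"
        inline_section key "$4"
        printf '\nkey-direction 1\n\n'   # client side of "tls-auth ta.key 1" (assumed)
        inline_section tls-auth "$5"
    } >> "$6"
}

# check_ovpn FILE
# Reports: a missing section, a BEGIN marker without exactly five dashes on
# each side, a missing or malformed END marker, leftover file directives,
# and <tls-auth> without key-direction. Returns 1 if anything was reported.
check_ovpn() {
    rc=0
    for tag in ca cert key tls-auth; do
        body=$(awk -v t="$tag" '$0=="<"t">"{p=1;next} $0=="</"t">"{p=0} p' "$1")
        if [ -z "$body" ]; then
            echo "missing <$tag> section"; rc=1; continue
        fi
        printf '%s\n' "$body" | grep -q '^-----BEGIN [^-][^-]*-----$' \
            || { echo "<$tag>: BEGIN marker must have exactly five dashes each side"; rc=1; }
        printf '%s\n' "$body" | grep -q '^-----END [^-][^-]*-----$' \
            || { echo "<$tag>: END marker missing or malformed"; rc=1; }
    done
    if grep -Eq '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$1"; then
        echo "ca/cert/key/tls-auth file directives still present next to inline blocks"; rc=1
    fi
    if grep -q '^<tls-auth>' "$1" && ! grep -q '^key-direction ' "$1"; then
        echo "<tls-auth> present but key-direction missing"; rc=1
    fi
    return $rc
}

# Demo on constructed stand-in files in a temp dir. The base64-looking
# bodies are placeholders, not real certificates or keys.
demo() {
    d=$(mktemp -d)
    printf '%s\n' client 'dev tun' 'proto udp' 'remote vpn.example.invalid 1194' \
        'ca ca.crt' 'cert client1.crt' 'key client1.key' 'tls-auth ta.key 1' \
        'remote-cert-tls server' > "$d/client1.conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q0EgcGxhY2Vob2xkZXI=' \
        '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' 'Certificate:' '    Data:' '        Version: 3 (0x2)' \
        '-----BEGIN CERTIFICATE-----' 'Y2xpZW50MSBwbGFjZWhvbGRlcg==' \
        '-----END CERTIFICATE-----' > "$d/client1.crt"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'a2V5IHBsYWNlaG9sZGVy' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$d/client1.key"
    printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' \
        '-----BEGIN OpenVPN Static key V1-----' '00112233445566778899aabbccddeeff' \
        '-----END OpenVPN Static key V1-----' > "$d/ta.key"
    build_ovpn "$d/client1.conf" "$d/ca.crt" "$d/client1.crt" "$d/client1.key" \
        "$d/ta.key" "$d/client1.ovpn"
    rc=0
    check_ovpn "$d/client1.ovpn" || rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "client1.ovpn built and validated"
```

Point the paths at the real files (/usr/local/etc/openvpn/pki/ca.crt, pki/issued/client1.crt, pki/private/client1.key, ta.key) and run it on the server. If a client still rejects the result, `openvpn --config client1.ovpn` on any machine with OpenVPN installed reports the offending line number in its parse error, which the iOS app's generic message does not. The finished file contains the private key, so move it to the phone over a channel you trust rather than by e-mail.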
 
There is no way the static key will protect against DDoS and flooding.
It's just a simpler auth method.

I have not looked at what's under the hood yet; I was just configuring it for the first time, so I just accepted what the notes advised for now.

It's up and running, so if it doesn't impact performance I might as well use it. I like the client-side app interface; it needs something similar on the server side. Is there a web GUI for the server, or a performance monitor where you can see connected clients and stats on a dashboard?
 
Use nano instead of vim. Figure out this one first. Only then shall you walk the steep path that ascends to the light of the almighty VIM.

jump off and build your wings on the way down ;-)

I will give nano a go
 
There is no way the static key will protect against DDoS and flooding.
It's just a simpler auth method.

Thanks for all your help, it's appreciated.

I now have a new problem: the server is not forwarding traffic.

I can ping the tunnel IPs between client and server (10.10.200.1 - srv, 10.10.200.2 - client) in both directions.
I can ping the server LAN IP from the client (10.10.200.2 - client, 192.168.10.250 - srv LAN IP).
I CANNOT ping my IP radio (192.168.10.100) from the client (10.10.200.2).

I can ping the IP radio from the server.

The LAN IP was pushed by the OpenVPN server to the client.
All routing and access policy are in place to allow the traffic locally for the VPN subnet.

The server is on a VMware Workstation 17 guest, hosted on Windows 10 in bridged mode. (I can't find a way to port-forward traffic to the guest in NAT mode, which is what I prefer, but from what I've read it doesn't seem possible.) So the VM controls the Ethernet port and has bidirectional connectivity to the LAN; it can ping and be pinged.

For some reason the server is not forwarding the traffic.
 