Where to put information from `key` entry of OpenVPN config file in pfSense?

I have the following config file, which works well with the native OpenVPN client:
client
dev tap
proto udp
port 1198
remote myhost.com 1194
persist-key
persist-tun
tls-client
ca my-ca.crt
cert my-client.crt
key my-client.key
verb 3
Now I want to configure the pfSense OpenVPN client with the same info.
I don't understand where to put the key file content. I put the crt files into the appropriate section of System/Certificate Manager.
In the client config page I see a Cryptographic Settings/Key section with the subnote "Paste the shared key here". This section doesn't exist initially, but appears only after the config has been saved once. When it appears, it contains some key. If I paste the content of the key file there, I get an error
The field 'TLS Authentication Key' does not appear to be valid
How do I enter this file's information?
UPDATE
If I use autogeneration, it creates
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
... small amount of HEX symbols ...
-----END OpenVPN Static key V1-----
while my own key is
-----BEGIN PRIVATE KEY-----
... large amount of random chars...
-----END PRIVATE KEY-----
I have checked my own key with openssl and it said it is 2048 bit. How can it be larger than the autogenerated key, which is also entitled 2048 bit?
UPDATE 2
If I leave the autogenerated key, it saves, but I have the following messages in the log
TLS Error: cannot locate HMAC in incoming packet from
If I disable TLS authentication ("Enable authentication of TLS packets"), then it also saves, but I have
Mar 16 22:25:39 openvpn 47325 Exiting due to fatal error
Mar 16 22:25:39 openvpn 47325 FreeBSD ifconfig failed: external program exited with error status: 1
Mar 16 22:25:39 openvpn 47325 /sbin/ifconfig ovpnc5 XX.XX.XX.XX netmask 255.255.255.0 mtu 1500 up
Mar 16 22:25:39 openvpn 47325 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mar 16 22:25:39 openvpn 47325 TUN/TAP device /dev/tap5 opened
In both cases the key file remains unused.
UPDATE 3
If I prepend my key with the same
-----BEGIN OpenVPN Static key V1-----
line (and end with the same), then the GUI accepts the key, while in the log I get the following error
Non-Hex character ('M') found at line 2 in key file '/var/etc/openvpn/client5.tls-auth' (0/128/256 bytes found/min/max)
so it wants a very specific key, but doesn't inform about it or document it.
freebsd openvpn ssl certificates pfsense
You're in the correct place. Mine works. Check for any hidden additional characters and ensure your line endings are not Windows style CR/LF. Did you retain the -----BEGIN OpenVPN Static key V1----- and the equivalent closing line?
– garethTheRed
Mar 16 at 19:00
If it already contains the key, then maybe it's already set up, and you don't need to change it? Did you try without changing that one?
– Tomasz
Mar 16 at 19:19
@garethTheRed I tried to fix line endings, but probably failed
– Dims
Mar 16 at 19:20
@tomasz I can leave autogenerated key, but then I won't use all information I was given. Also connection doesn't happen this way.
– Dims
Mar 16 at 19:27
The keys at both ends have to be the same. How about copying the autogenerated key to the VPN client? I have key-direction 1 at the client end.
– garethTheRed
Mar 16 at 20:05
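An added example, not part of the original thread: a Python pre-check for text about to be pasted into a key field. It separates a PEM private key (the material behind the `key` directive) from an OpenVPN static key and reports the problems raised in the question and comments: non-hex data, CR/LF line endings, wrong length. The function name and sample values are constructed for illustration; the 128/256-byte bounds are taken from the log line quoted in the question.

```python
import re

STATIC_BEGIN = "-----BEGIN OpenVPN Static key V1-----"
STATIC_END = "-----END OpenVPN Static key V1-----"
PEM_BEGIN = re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")


def classify_key_material(text):
    """Return (kind, problems) for text about to be pasted into a key field."""
    problems = []
    if "\r" in text:
        problems.append("CR characters present (Windows CR/LF line endings)")
    lines = [ln.strip() for ln in text.replace("\r", "").split("\n")]
    # Drop blank lines and the '#' comment lines that precede a generated static key.
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if not lines:
        return "empty", problems
    if PEM_BEGIN.fullmatch(lines[0]):
        # Private key belonging to the client certificate (the `key` directive).
        return "pem-private-key", problems
    if lines[0] != STATIC_BEGIN:
        return "unknown", problems
    if lines[-1] == STATIC_END:
        body = lines[1:-1]
    else:
        problems.append("missing END OpenVPN Static key V1 line")
        body = lines[1:]
    for number, line in enumerate(body, start=2):  # BEGIN line counts as line 1
        bad = re.search(r"[^0-9a-fA-F]", line)
        if bad:
            problems.append(f"non-hex character {bad.group()!r} at line {number}")
            return "openvpn-static-key", problems
    hex_digits = "".join(body)
    found = len(hex_digits) // 2
    # Bounds taken from the log line on this page: 128 bytes min, 256 bytes max.
    if len(hex_digits) % 2 or not 128 <= found <= 256:
        problems.append(f"{found} bytes of key data, expected 128 to 256")
    return "openvpn-static-key", problems


# Constructed samples, not real key material.
GOOD = "\n".join(["#", "# 2048 bit OpenVPN static key", "#", STATIC_BEGIN]
                 + ["0123456789abcdef" * 2] * 16 + [STATIC_END]) + "\n"
RELABELLED = STATIC_BEGIN + "\nMIIEXAMPLEONLY\n" + STATIC_END + "\n"
PEM = "-----BEGIN PRIVATE KEY-----\nMIIEXAMPLEONLY\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("relabelled", RELABELLED), ("pem", PEM)]:
        print(name, classify_key_material(sample))
```

A result of `pem-private-key` means the text is the certificate's private key rather than a shared static key, so wrapping it in the static-key header only moves the failure to the hex check.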
edited Mar 16 at 20:20
asked Mar 16 at 18:47
Dims