kgursu 0 Posted ... (edited)

Hi,

I'm trying to connect my newly installed OPNsense device to AirVPN. I'm stuck with configuring the connection properly. First, I tried entering all lines manually, where possible. My generated ovpn file is as follows:

client
dev tun
remote nl4.vpn.airdns.org 41185
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
verb 3
remote-cert-tls server
comp-lzo no
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-256-CBC
proto tcp
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
AAAAAAA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
BBBBBBB
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
CCCCCCC
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
DDDDDDD
-----END OpenVPN Static key V1-----
</tls-crypt>

I couldn't connect to AirVPN properly. Tried removing nobind as there is an incompatibility with local, which I didn't know exactly.

2022-11-22T10:06:35 Warning openvpn Use --help for more information.
2022-11-22T10:06:35 Error openvpn Options error: --local and --nobind don't make sense when used together
2022-11-22T10:06:24 Warning openvpn Use --help for more information.
2022-11-22T10:06:24 Error openvpn Options error: --local and --nobind don't make sense when used together
2022-11-22T09:38:15 Warning openvpn Use --help for more information.
2022-11-22T09:38:15 Error openvpn Options error: --local and --nobind don't make sense when used together
2022-11-22T09:38:05 Warning openvpn Use --help for more information.
2022-11-22T09:38:05 Error openvpn Options error: --local and --nobind don't make sense when used together
2022-11-22T09:37:53 Warning openvpn Use --help for more information.
2022-11-22T09:37:53 Error openvpn Options error: --local and --nobind don't make sense when used together
2022-11-22T09:35:47 Notice openvpn Exiting due to fatal error
2022-11-22T09:35:47 Error openvpn Error: private key password verification failed
2022-11-22T09:35:47 Warning openvpn Cannot load private key file /var/etc/openvpn/client1.key
2022-11-22T09:35:47 Warning openvpn OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
2022-11-22T09:35:47 Warning openvpn NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-11-22T09:35:47 Notice openvpn MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
2022-11-22T09:35:47 Notice openvpn library versions: OpenSSL 1.1.1s 1 Nov 2022, LZO 2.10
2022-11-22T09:35:47 Notice openvpn OpenVPN 2.5.8 amd64-portbld-freebsd13.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2022
2022-11-22T09:35:47 Warning openvpn WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible

Advanced settings contents:

nobind
persist-key
persist-tun
auth-nocache
verb 3
remote-cert-tls server
comp-lzo no
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-256-CBC
proto tcp
auth SHA512

While removing some lines (nobind, persist-key, persist-tun, auth-nocache, verb 3, remote-cert-tls server), the result is similar.

After removing nobind:

2022-11-22T10:51:11 Notice openvpn Exiting due to fatal error
2022-11-22T10:51:11 Error openvpn Error: private key password verification failed
2022-11-22T10:51:11 Warning openvpn Cannot load private key file /var/etc/openvpn/client1.key
2022-11-22T10:51:11 Warning openvpn OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
2022-11-22T10:51:11 Warning openvpn NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-11-22T10:51:11 Notice openvpn MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
2022-11-22T10:51:11 Notice openvpn library versions: OpenSSL 1.1.1s 1 Nov 2022, LZO 2.10
2022-11-22T10:51:11 Notice openvpn OpenVPN 2.5.8 amd64-portbld-freebsd13.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2022
2022-11-22T10:51:11 Warning openvpn WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible

Tried several things here, without luck:
- Using IP address instead of host.
- Disabling TLS auth and putting all the lines into Advanced section.

Can you help?

Edited ... by kgursu
Staff 9972 Posted ...

Hello!

The critical error is here:

2022-11-22T10:51:11 Warning openvpn Cannot load private key file /var/etc/openvpn/client1.key

Please make sure that the file exists, that it can be accessed by openvpn (check ownership and permissions) and that it's indeed your AirVPN client key. In the Configuration Generator, if you have split the configuration from certificates and keys, the client key is user.key.

As far as we see from the screenshots, you will also have to delete your username and password from the OpenVPN configuration panel, since AirVPN servers don't authenticate clients via username and password.

Kind regards
kgursu 0 Posted ...

It seems the file is there, but something is wrong with the client1.conf contents:

dev ovpnc1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp4-client
cipher AES-256-GCM
auth SHA512
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
local 192.168.0.13
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote nl4.vpn.airdns.org 41185
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
comp-lzo no
resolv-retry infinite
persist-key
persist-tun
auth-nocache
verb 3
remote-cert-tls server

Seems not to be correct to me. Shall I edit these lines manually? What will you recommend?
Staff 9972 Posted ...

1 hour ago, kgursu said:
So, nothing to add, @Staff?

Hello!

Let's see the new OpenVPN log, after the previously mentioned changes, at your convenience.

Kind regards
securvark 16 Posted ...

I don't quite understand what that client1.conf is. Do you load that into OPNsense somehow?

This is what the openvpn client config in OPNsense looks like for me:

The private key should not be referenced on disk, it should be added under trust / certificates. My Advanced configuration is empty. You shouldn't need to add anything there and only set the options that the OPNsense GUI provides. It should work like that. Once that works, you can try adding Advanced configuration options, but they are not required.

If it still doesn't work, set logging to 6 or higher and provide the logging.

Edit: I would personally also check the option "Don't pull routes" because you will most likely want to set up policy-based routing in your firewall rules.
kgursu 0 Posted ...

10 hours ago, securvark said:
set logging to 6 or higher and provide the logging.

How could I set this?
kgursu 0 Posted ...

12 hours ago, Staff said:
Hello! Let's see the new OpenVPN log, after the previously mentioned changes, at your convenience. Kind regards

openvpn.log
kgursu 0 Posted ...

How could I translate these lines into OPNsense one by one, please?

ca "ca.crt"
cert "user.crt"
key "user.key"
remote-cert-tls server
tls-crypt "tls-crypt.key"
securvark 16 Posted ...

8 hours ago, kgursu said:
How could I translate these lines into OPNsense one by one, please?
ca "ca.crt"
cert "user.crt"
key "user.key"
remote-cert-tls server
tls-crypt "tls-crypt.key"

You don't have to. Import the certs at trusts by copy/pasting them into the fields. Include the private key as well (error in your logs). And then select them when creating your openvpn client.
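The three things the replies above ask for by hand, as one small POSIX shell script: cut the inline <ca>/<cert>/<key>/<tls-crypt> blocks out of the generated .ovpn so each piece can be pasted into OPNsense's Trust pages, confirm that the client certificate and private key actually belong together (the condition behind the "X509_check_private_key: key values mismatch" lines in the log), and flag the local/nobind pair that OpenVPN refused in the first post. This is an added example, not code from the thread, AirVPN or OPNsense. The output file names ca.crt, user.crt, user.key and tls-crypt.key follow the Configuration Generator names quoted in the thread; the profile embedded in SAMPLE_OVPN is constructed with placeholder PEM bodies; the cert/key check assumes the openssl command-line tool is installed and skips itself otherwise.

```shell
#!/bin/sh
# Added example (not from the thread, AirVPN or OPNsense).
#  split_profile   - write ca.crt, user.crt, user.key, tls-crypt.key from an inline .ovpn
#  cert_key_match  - does user.crt's public key equal the one derived from user.key?
#  check_conflicts - "local" and "nobind" in the same config (OpenVPN rejects the pair;
#                    OPNsense adds "local <ip>" itself when a specific interface is chosen)
# SAMPLE_OVPN is constructed: same layout as the profile in the first post, placeholder bodies.

SAMPLE_OVPN='client
dev tun
remote nl4.vpn.airdns.org 41185
resolv-retry infinite
nobind
proto tcp
<ca>
-----BEGIN CERTIFICATE-----
AAAAAAA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
BBBBBBB
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
CCCCCCC
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
DDDDDDD
-----END OpenVPN Static key V1-----
</tls-crypt>'

# extract_block TAG FILE: print the lines between <TAG> and </TAG>, tolerating CRLF endings.
extract_block() {
    awk -v tag="$1" '
        BEGIN { otag = "<" tag ">"; ctag = "</" tag ">" }
        { sub(/\r$/, "") }
        $0 == otag { inside = 1; next }
        $0 == ctag { inside = 0; next }
        inside     { print }
    ' "$2"
}

# split_profile FILE OUTDIR: write the four PEM files; private material is owner-only.
split_profile() {
    mkdir -p "$2"
    extract_block ca        "$1" > "$2/ca.crt"
    extract_block cert      "$1" > "$2/user.crt"
    extract_block key       "$1" > "$2/user.key"
    extract_block tls-crypt "$1" > "$2/tls-crypt.key"
    chmod 600 "$2/user.key" "$2/tls-crypt.key"
}

# cert_key_match CERT KEY: 0 if the public keys agree, 1 if they differ or do not parse,
# 2 if openssl is unavailable. A passphrase-protected key would additionally need -passin.
cert_key_match() {
    command -v openssl >/dev/null 2>&1 || return 2
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# check_conflicts FILE: 1 when both "local <addr>" and "nobind" are present, else 0.
check_conflicts() {
    if grep -Eq '^[[:space:]]*nobind([[:space:]]|$)' "$1" \
       && grep -Eq '^[[:space:]]*local[[:space:]]+[^[:space:]]' "$1"; then
        echo "conflict: 'local' and 'nobind' are both set in $1 (drop nobind)" >&2
        return 1
    fi
    return 0
}

# Stand-alone run: sh split_ovpn.sh [profile.ovpn] [outdir]; with no arguments the
# constructed sample is used and everything goes to a temporary directory.
if [ "${1:-}" = "" ]; then
    workdir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_OVPN" > "$workdir/sample.ovpn"
    set -- "$workdir/sample.ovpn" "$workdir/split"
fi
outdir=${2:-./split}
split_profile "$1" "$outdir"
check_conflicts "$1" || :
cert_key_match "$outdir/user.crt" "$outdir/user.key" && rc=0 || rc=$?
case $rc in
    0) echo "user.crt and user.key match" ;;
    1) echo "user.crt and user.key do NOT match (or are not parseable, as with the placeholder sample)" ;;
    2) echo "openssl not found, cert/key check skipped" ;;
esac
echo "PEM files written to $outdir"
```

Run it against the real download (sh split_ovpn.sh AirVPN.ovpn ./split), then paste ca.crt under Trust > Authorities and user.crt plus user.key together under Trust > Certificates, and tls-crypt.key into the client's TLS key field. On a real profile a non-zero result from cert_key_match means the pasted key belongs to a different certificate, which is exactly what produces the "key values mismatch" and "Cannot load private key file" lines in the log.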