Posted ... (edited)

Hi,

I'm trying to connect my newly installed OPNsense device to AirVPN. I'm stuck with configuring the connection properly.
First, I tried entering all lines manually, where possible.
[screenshots attached]
My generated ovpn file is as follows:

client
dev tun
remote nl4.vpn.airdns.org 41185
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
verb 3
remote-cert-tls server
comp-lzo no
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-256-CBC
proto tcp
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
AAAAAAA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
BBBBBBB
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
CCCCCCC
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
DDDDDDD
-----END OpenVPN Static key V1-----
</tls-crypt>

I couldn't connect to AirVPN properly. I tried removing nobind, as there is an incompatibility with local, which I didn't know about exactly.

2022-11-22T10:06:35    Warning    openvpn     Use --help for more information.
2022-11-22T10:06:35    Error    openvpn     Options error: --local and --nobind don't make sense when used together
2022-11-22T10:06:24    Warning    openvpn     Use --help for more information.
2022-11-22T10:06:24    Error    openvpn     Options error: --local and --nobind don't make sense when used together
2022-11-22T09:38:15    Warning    openvpn     Use --help for more information.
2022-11-22T09:38:15    Error    openvpn     Options error: --local and --nobind don't make sense when used together
2022-11-22T09:38:05    Warning    openvpn     Use --help for more information.
2022-11-22T09:38:05    Error    openvpn     Options error: --local and --nobind don't make sense when used together
2022-11-22T09:37:53    Warning    openvpn     Use --help for more information.
2022-11-22T09:37:53    Error    openvpn     Options error: --local and --nobind don't make sense when used together
2022-11-22T09:35:47    Notice    openvpn     Exiting due to fatal error
2022-11-22T09:35:47    Error    openvpn     Error: private key password verification failed
2022-11-22T09:35:47    Warning    openvpn     Cannot load private key file /var/etc/openvpn/client1.key
2022-11-22T09:35:47    Warning    openvpn     OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
2022-11-22T09:35:47    Warning    openvpn     NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-11-22T09:35:47    Notice    openvpn     MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
2022-11-22T09:35:47    Notice    openvpn     library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
2022-11-22T09:35:47    Notice    openvpn     OpenVPN 2.5.8 amd64-portbld-freebsd13.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2022
2022-11-22T09:35:47    Warning    openvpn     WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible

Advanced settings contents:

nobind
persist-key
persist-tun
auth-nocache
verb 3
remote-cert-tls server
comp-lzo no
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-256-CBC
proto tcp
auth SHA512

When removing some lines,

nobind
persist-key
persist-tun
auth-nocache
verb 3
remote-cert-tls server

the result is similar.
After removing nobind:

2022-11-22T10:51:11    Notice    openvpn     Exiting due to fatal error
2022-11-22T10:51:11    Error    openvpn     Error: private key password verification failed
2022-11-22T10:51:11    Warning    openvpn     Cannot load private key file /var/etc/openvpn/client1.key
2022-11-22T10:51:11    Warning    openvpn     OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
2022-11-22T10:51:11    Warning    openvpn     NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-11-22T10:51:11    Notice    openvpn     MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
2022-11-22T10:51:11    Notice    openvpn     library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
2022-11-22T10:51:11    Notice    openvpn     OpenVPN 2.5.8 amd64-portbld-freebsd13.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2022
2022-11-22T10:51:11    Warning    openvpn     WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible

Tried several things here, without luck:
- Using IP address instead of host.
- Disabling TLS auth and putting all the lines into Advanced section.
Can you help?
  Edited ... by kgursu


Hello!

The critical error is here:
2022-11-22T10:51:11    Warning    openvpn     Cannot load private key file /var/etc/openvpn/client1.key

Please make sure that the file exists, that it can be accessed by openvpn (check ownership and permissions) and that it's indeed your AirVPN client key. In the Configuration Generator, if you have split the configuration from certificates and keys, the client key is user.key.

As far as we see from the screenshots, you will also have to delete your username and password from the OpenVPN configuration panel, since AirVPN servers don't authenticate clients via username and password.

Kind regards
 

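The two things the reply above asks for (is this really the client key that belongs to the certificate, and can only the openvpn process read it) can be checked from a shell before touching the OPNsense GUI. The script below is an added example written for this page, not code from the thread, from OPNsense or from AirVPN; it needs only the openssl command line tool, the file and function names are assumptions, and the demo material it generates is constructed so that the checks can be run offline.

```shell
#!/bin/sh
# Added example (not from the thread, OPNsense or AirVPN): the two checks
# behind OpenVPN's "X509_check_private_key:key values mismatch" error and
# its "file ... is group or others accessible" warning.
set -u

# cert_key_match CERT KEY
#   0 if the SubjectPublicKeyInfo in CERT equals the public key derived from
#   KEY, 1 on mismatch, 2 if either file cannot be parsed.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null </dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# key_perms_ok FILE
#   0 when the group and other permission bits are all clear (0600, 0400),
#   1 otherwise, 2 if the file is missing. Parses ls -l so it behaves the
#   same on FreeBSD (OPNsense) and Linux.
key_perms_ok() {
    [ -e "$1" ] || return 2
    perms=$(ls -l "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# make_demo_material DIR
#   Constructed sample data (assumption, not AirVPN material): a self-signed
#   certificate, its own key with safe permissions, and an unrelated,
#   world-readable key that must NOT match the certificate.
make_demo_material() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/user.key" 2>/dev/null
    openssl req -x509 -new -key "$1/user.key" -out "$1/user.crt" \
        -days 1 -subj "/CN=demo-client" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
    chmod 600 "$1/user.key"
    chmod 644 "$1/other.key"
}

# Usage: sh check_client_key.sh CERT KEY
if [ $# -eq 2 ]; then
    if cert_key_match "$1" "$2"; then
        echo "cert/key: match"
    else
        echo "cert/key: MISMATCH or unreadable (rc=$?)"
    fi
    if key_perms_ok "$2"; then
        echo "permissions: ok"
    else
        echo "permissions: key is missing or group/other accessible"
    fi
fi
```

On OPNsense the files the GUI writes are the ones named in the generated client1.conf later in this thread, so the check would be run as `sh check_client_key.sh /var/etc/openvpn/client1.cert /var/etc/openvpn/client1.key`; a mismatch there means the key pasted under Trust is not the user.key that was generated together with user.crt.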

It seems the file is there, but something is wrong with the client1.conf contents:

dev ovpnc1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp4-client
cipher AES-256-GCM
auth SHA512
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
local 192.168.0.13
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote nl4.vpn.airdns.org 41185
ca /var/etc/openvpn/client1.ca 
cert /var/etc/openvpn/client1.cert 
key /var/etc/openvpn/client1.key 
tls-auth /var/etc/openvpn/client1.tls-auth 1
comp-lzo no
resolv-retry infinite
persist-key
persist-tun
auth-nocache
verb 3
remote-cert-tls server

It doesn't seem correct to me. Shall I edit these lines manually? What would you recommend?

1 hour ago, kgursu said:

So, nothing to add, @Staff?


Hello!

Let's see the new OpenVPN log, after the previously mentioned changes, at your convenience.

Kind regards
 


I don't quite understand what that client1.conf is. Do you load that into OPNsense somehow?

This is what the OpenVPN client config in OPNsense looks like for me:
[screenshot attached]

The private key should not be referenced on disk, it should be added under trust / certificates.

My Advanced configuration is empty. You shouldn't need to add anything there and only set the options that OPNsense GUI provides. It should work like that. Once that works, you can try adding Advanced configuration options, but they are not required.

If it still doesn't work, set logging to 6 or higher and provide the logging.

Edit: I would personally also check the option to Don't pull routes because you will most likely want to setup policy based routing in your firewall rules.

10 hours ago, securvark said:

set logging to 6 or higher and provide the logging.

How could I set this?

12 hours ago, Staff said:

Hello!

Let's see the new OpenVPN log, after the previously mentioned changes, at your convenience.

Kind regards
 

openvpn.log


How could I translate these lines into OPNsense one by one, please?

ca "ca.crt"
cert "user.crt"
key "user.key"
remote-cert-tls server
tls-crypt "tls-crypt.key"

8 hours ago, kgursu said:

How could I translate these lines into OPNsense one by one, please?

ca "ca.crt"
cert "user.crt"
key "user.key"
remote-cert-tls server
tls-crypt "tls-crypt.key"

You don't have to. Import the certs under Trust by copy/pasting them into the fields. Include the private key as well (error in your logs). And then select them when creating your OpenVPN client.
