kgursu 0 Posted ... (edited) Hi, I'm trying to connect my newly OpenSense installed device to AirVPN. I'm stuck with configuring the connection properly. First, I tried entering all lines manually, where possible. My generated ovpn file is as follows: client dev tun remote nl4.vpn.airdns.org 41185 resolv-retry infinite nobind persist-key persist-tun auth-nocache verb 3 remote-cert-tls server comp-lzo no data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC data-ciphers-fallback AES-256-CBC proto tcp auth SHA512 <ca> -----BEGIN CERTIFICATE----- AAAAAAA -----END CERTIFICATE----- </ca> <cert> -----BEGIN CERTIFICATE----- BBBBBBB -----END CERTIFICATE----- </cert> <key> -----BEGIN PRIVATE KEY----- CCCCCCC -----END PRIVATE KEY----- </key> <tls-crypt> -----BEGIN OpenVPN Static key V1----- DDDDDDD -----END OpenVPN Static key V1----- </tls-crypt> I couldn't connect to AirVPN properly. Tried removing nobind as there is an incompatibility with local, which I didn't know exactly. 2022-11-22T10:06:35 Warning openvpn Use --help for more information. 2022-11-22T10:06:35 Error openvpn Options error: --local and --nobind don't make sense when used together 2022-11-22T10:06:24 Warning openvpn Use --help for more information. 2022-11-22T10:06:24 Error openvpn Options error: --local and --nobind don't make sense when used together 2022-11-22T09:38:15 Warning openvpn Use --help for more information. 2022-11-22T09:38:15 Error openvpn Options error: --local and --nobind don't make sense when used together 2022-11-22T09:38:05 Warning openvpn Use --help for more information. 2022-11-22T09:38:05 Error openvpn Options error: --local and --nobind don't make sense when used together 2022-11-22T09:37:53 Warning openvpn Use --help for more information. 2022-11-22T09:37:53 Error openvpn Options error: --local and --nobind don't make sense when used together 2022-11-22T09:35:47 Notice openvpn Exiting due to fatal error 2022-11-22T09:35:47 Error openvpn Error: private key password verification failed 2022-11-22T09:35:47 Warning openvpn Cannot load private key file /var/etc/openvpn/client1.key 2022-11-22T09:35:47 Warning openvpn OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch 2022-11-22T09:35:47 Warning openvpn NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 2022-11-22T09:35:47 Notice openvpn MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock 2022-11-22T09:35:47 Notice openvpn library versions: OpenSSL 1.1.1s 1 Nov 2022, LZO 2.10 2022-11-22T09:35:47 Notice openvpn OpenVPN 2.5.8 amd64-portbld-freebsd13.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2022 2022-11-22T09:35:47 Warning openvpn WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible Advanced settings contents: nobind persist-key persist-tun auth-nocache verb 3 remote-cert-tls server comp-lzo no data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC data-ciphers-fallback AES-256-CBC proto tcp auth SHA512 While removing some lines, nobind persist-key persist-tun auth-nocache verb 3 remote-cert-tls server the result is similar. After removing nobind: 2022-11-22T10:51:11 Notice openvpn Exiting due to fatal error 2022-11-22T10:51:11 Error openvpn Error: private key password verification failed 2022-11-22T10:51:11 Warning openvpn Cannot load private key file /var/etc/openvpn/client1.key 2022-11-22T10:51:11 Warning openvpn OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch 2022-11-22T10:51:11 Warning openvpn NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 2022-11-22T10:51:11 Notice openvpn MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock 2022-11-22T10:51:11 Notice openvpn library versions: OpenSSL 1.1.1s 1 Nov 2022, LZO 2.10 2022-11-22T10:51:11 Notice openvpn OpenVPN 2.5.8 amd64-portbld-freebsd13.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2022 2022-11-22T10:51:11 Warning openvpn WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible Tried several things here, without luck: - Using IP address instead of host. - Disabling TLS auth and putting all the lines into Advanced section. Can you help? Edited ... by kgursu Quote Share this post Link to post
Staff 10014 Posted ... Hello! The critical error is here: 2022-11-22T10:51:11 Warning openvpn Cannot load private key file /var/etc/openvpn/client1.key Please make sure that the file exists, that it can be accessed by openvpn (check ownership and permissions) and that it's indeed your AirVPN client key. In the Configuration Generator. if you have split the configuration from certificates and keys, the client key is user.key As far as we see from the screenshots, you will also have to delete your username and password from the OpenVPN configuration panel, since Air VPN servers don't authenticate clients via username and password. Kind regards Quote Share this post Link to post
kgursu 0 Posted ... It seems the file is there, but something is wrong with the client1.conf contents: dev ovpnc1 verb 1 dev-type tun dev-node /dev/tun1 writepid /var/run/openvpn_client1.pid script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto tcp4-client cipher AES-256-GCM auth SHA512 up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown local 192.168.0.13 tls-client client lport 0 management /var/etc/openvpn/client1.sock unix remote nl4.vpn.airdns.org 41185 ca /var/etc/openvpn/client1.ca cert /var/etc/openvpn/client1.cert key /var/etc/openvpn/client1.key tls-auth /var/etc/openvpn/client1.tls-auth 1 comp-lzo no resolv-retry infinite persist-key persist-tun auth-nocache verb 3 remote-cert-tls server Seems not to be correct to me. Shall I edit these lines manually? What will you recommend? Quote Share this post Link to post
Staff 10014 Posted ... 1 hour ago, kgursu said: So, nothing to add, @Staff? Hello! Let's see the new OpenVPN log, after the previously mentioned changes, at your convenience. Kind regards Quote Share this post Link to post
securvark 16 Posted ... I dont quite understand what that client1.conf is. Do you load that into OPNsense somehow? This is what the openvpn client config in OPNsense looks like for me: The private key should not be referenced on disk, it should be added under trust / certificates. My Advanced configuration is empty. You shouldn't need to add anything there and only set the options that OPNsense GUI provides. It should work like that. Once that works, you can try adding Advanced configuration options, but they are not required. If it still doesn't work, set logging to 6 or higher and provide the logging. Edit: I would personally also check the option to Don't pull routes because you will most likely want to setup policy based routing in your firewall rules. Quote Share this post Link to post
kgursu 0 Posted ... 10 hours ago, securvark said: set logging to 6 or higher and provide the logging. How could I set this? Quote Share this post Link to post
kgursu 0 Posted ... 12 hours ago, Staff said: Hello! Let's see the new OpenVPN log, after the previously mentioned changes, at your convenience. Kind regards openvpn.log Quote Share this post Link to post
kgursu 0 Posted ... How could I translate these lines into OpnSense one-by-one please? ca "ca.crt" cert "user.crt" key "user.key" remote-cert-tls server tls-crypt "tls-crypt.key" Quote Share this post Link to post
securvark 16 Posted ... 8 hours ago, kgursu said: How could I translate these lines into OpnSense one-by-one please? ca "ca.crt" cert "user.crt" key "user.key" remote-cert-tls server tls-crypt "tls-crypt.key" You dont have to. Import the certs at trusts by copy/pasting them into the fields. Include the private key as well (error in your logs). And then select them when creating your openvpn client. Quote Share this post Link to post