OpenVPN connect

This forum is for admins who are looking to build or expand their OpenVPN setup.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
tsanders
OpenVpn Newbie
Posts: 3
Joined: Sun Jul 19, 2020 6:07 am

OpenVPN connect

Post by tsanders » Sun Jul 19, 2020 6:31 am

Hi,

Learning OpenVPN with OpnSense today.
I have a Microsoft PKI, setup Opnsense as SubCA, and setup OpenVPN server to use LDAP w/ TLS + User Auth.

I am able to successfully connect on Android OpenVPN connect.

Windows OpenVPN Connect is giving issues. If I export my config as .p12 and import the certs into the client, I get log errors:

OpenSSLContext: CA not Defined

Or

If I export the config with the OPNsense "Windows Certificate System Store" option (cryptoapicert "SUBJ:CertCN" inserted into the config) and then import the chain into the Microsoft store,

I get error

BIO_read failed: cap-2576 Status=-1 error 0406B07A:rsa
routines:RSA_padding_add_none:data too small for key size / error:141F0006:SSL

If I export a Viscosity VPN client config from OPNsense using the same cert/chain, Viscosity connects just fine.

Here's what the OPNsense config export is feeding the client:
[oconf]
# Client Config generated by opnsense
dev tun
persist-tun
persist-key
cipher AES-256-GCM
auth SHA512
client
resolv-retry infinite
remote mydomain.com 16454 udp
lport 0
verify-x509-name "C=US, ST=CA, L=CA, O=CA, emailAddress=admin@mydomain.com, CN=vpn.mydomain.com" subject
remote-cert-tls server
auth-user-pass
auth-nocache
comp-lzo adaptive
pkcs12 VPN_User.p12
tls-auth VPN_User-tls.key 1
[/oconf]

Any idea why the Windows OpenVPN Connect client dislikes my cert? Thanks!

TinCanTech
OpenVPN Protagonist
Posts: 7584
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN connect

Post by TinCanTech » Sun Jul 19, 2020 10:25 am

We support EasyRSA.

tsanders
OpenVpn Newbie
Posts: 3
Joined: Sun Jul 19, 2020 6:07 am

Re: OpenVPN connect

Post by tsanders » Tue Jul 21, 2020 11:25 pm

Had to look that up. I see it's an open CA tool that I need to check out.
Are you implying that OpenVPN connect will not work with client cert auth when using Microsoft root CA?
Thanks.

TinCanTech
OpenVPN Protagonist
Posts: 7584
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN connect

Post by TinCanTech » Tue Jul 21, 2020 11:35 pm

We support EasyRSA .. if you need help with Microsoft tooling then ask them.


For further help here you may want to read this:
viewtopic.php?f=30&t=22603

All the way to the end .. :geek:

tsanders
OpenVpn Newbie
Posts: 3
Joined: Sun Jul 19, 2020 6:07 am

Re: OpenVPN connect

Post by tsanders » Wed Jul 22, 2020 12:15 am

Lol. No I will not be speaking with Microsoft.

I shared my entire environment / config export. It works perfectly on Android OpenConnect 3.2.2 but will not work on Windows 3.2.0. I know the cert / Microsoft CA is fine. Same config.

Thx for the link. I'll review it to manually build a config defining the certs.

adamprato
OpenVpn Newbie
Posts: 2
Joined: Mon May 18, 2020 4:23 am

Re: OpenVPN connect

Post by adamprato » Fri Jul 24, 2020 12:01 am

tsanders wrote:
Sun Jul 19, 2020 6:31 am
...
I am able to successfully connect on Android OpenVPN connect.

Windows OpenVPN connect giving issues. If I export my config as .p12 and import certs to client I get log errors:

OpenSSLContext: CA not Defined

...
Any idea why Windows OpnVPN connect client dislikes my cert? Thanks!
I have the same situation:
* OpenVPN server on debian (2.4.7-1) with easy-rsa (3.0.6-1), self-signed CA and client certs.
* openvpn config works fine on android and ios
* On MacOS and Windows I get: 7/23/2020, 6:53:24 PM EVENT: ssl_context_error: OpenSSLContext: CA not defined

EDIT: SHOOT ME. I pasted the cert outside of the ca-/ca tags.

adamprato
OpenVpn Newbie
Posts: 2
Joined: Mon May 18, 2020 4:23 am

Re: OpenVPN connect

Post by adamprato » Fri Jul 24, 2020 1:50 am

tsanders wrote:
Wed Jul 22, 2020 12:15 am
Lol. No I will not be speaking with Microsoft.

I shared my entire environment / config export works perfect on Android OpenConnect 3.2.2 but will not work on Windows 3.2.0. I know the Cert / Microsoft CA fine. Same config.

Thx for link. I'll review it to manually build config defining certs.
Try exporting your subca cert chain as .pem then adding it to your config enclosed in a <ca></ca> block.
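The fix adamprato describes, worked through as an added example (this is not from the thread and is not OPNsense or OpenVPN project code): split the exported PKCS#12 bundle into PEM pieces with openssl and write a profile that carries the chain in a <ca></ca> block, with the client cert and key inlined next to it, so the client no longer depends on a side file it cannot read a CA from. A throwaway root CA, sub CA and client certificate are generated in a temp directory so the script runs offline; in practice you start from the real VPN_User.p12 and its password. The remote vpn.example.com, the port, and the blank p12 password are placeholders; the cipher and auth lines just mirror the OPNsense export above.

```shell
#!/bin/sh
# Added example: PKCS#12 -> OpenVPN profile with inline <ca>/<cert>/<key>.
# The PKI below is constructed on the fly (stand-in for the Microsoft root
# plus OPNsense sub CA); the real input would be the exported VPN_User.p12.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# ---- constructed test PKI: root -> sub CA -> client cert ----
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj "/CN=Test Root CA" -days 30 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
    -subj "/CN=Test Sub CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >sub.ext
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out sub.crt -days 30 -extfile sub.ext >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=VPN_User" >/dev/null 2>&1
openssl x509 -req -in client.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
    -out client.crt -days 30 >/dev/null 2>&1
cat sub.crt root.crt >export-chain.pem
# Bundle key + client cert + CA chain the way an exporter would (empty password).
openssl pkcs12 -export -inkey client.key -in client.crt -certfile export-chain.pem \
    -out VPN_User.p12 -passout pass: >/dev/null 2>&1

# ---- the actual procedure: split the .p12 and inline every piece ----
pem_only() {  # keep only PEM bodies, drop the "Bag Attributes" chatter
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

p12_to_profile() {  # usage: p12_to_profile bundle.p12 password out.ovpn
    p12=$1 pass=$2 out=$3
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys -out cert.pem  >/dev/null 2>&1
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes  -out key.pem   >/dev/null 2>&1
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys -out chain.pem >/dev/null 2>&1
    {
        # vpn.example.com / 1194 are placeholders for the real remote
        printf '%s\n' client 'dev tun' 'remote vpn.example.com 1194 udp' \
            'remote-cert-tls server' 'auth-user-pass' 'cipher AES-256-GCM' 'auth SHA512'
        printf '<ca>\n';   pem_only chain.pem; printf '</ca>\n'
        printf '<cert>\n'; pem_only cert.pem;  printf '</cert>\n'
        printf '<key>\n';  pem_only key.pem;   printf '</key>\n'
    } >"$out"
}

# ---- checks worth running before loading the profile into a client ----
ca_block_cert_count() {  # number of certificates between <ca> and </ca>
    sed -n '/^<ca>$/,/^<\/ca>$/p' "$1" | grep -c 'BEGIN CERTIFICATE'
}
client_cert_verifies() {  # does the inlined client cert chain to the <ca> contents?
    sed -n '/^<ca>$/,/^<\/ca>$/p' "$1" | sed -n '/^-----BEGIN/,/^-----END/p' >ca-check.pem
    openssl verify -CAfile ca-check.pem cert.pem >/dev/null 2>&1
}

p12_to_profile VPN_User.p12 '' VPN_User.ovpn
```

If ca_block_cert_count comes back as 0 the chain never made it into the bundle (or the certs were pasted outside the tags, as in adamprato's post), and the client will report exactly the "CA not defined" error; if it is 1 but the issuing CA is a sub CA, the root is missing and verification will fail once the server's chain is checked.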
