OpenVPN connect

Posted: Sun Jul 19, 2020 6:31 am
by tsanders
Hi,

Learning OpenVPN with OpnSense today.
I have a Microsoft PKI, setup Opnsense as SubCA, and setup OpenVPN server to use LDAP w/ TLS + User Auth.

I am able to successfully connect on Android OpenVPN connect.

Windows OpenVPN connect giving issues. If I export my config as .p12 and import certs to client I get log errors:

OpenSSLContext: CA not Defined

Or

If I export the config with the OPNsense "Windows Certificate System Store" option (cryptoapicert "SUBJ:CertCN" inserted into the config)
and then import the chain into the Microsoft store,

I get error

BIO_read failed: cap-2576 Status=-1 error 0406B07A:rsa routines:RSA_padding_add_none:data too small for key size / error:141F0006:SSL

If I export out a Viscosity VPN client config from Opnsense using same cert / chain Viscosity connects just fine.

Here's what Opnsense config export is feeding client:
Client Config generated by opnsense

dev tun
persist-tun
persist-key
cipher AES-256-GCM
auth SHA512
client
resolv-retry infinite
remote mydomain.com 16454 udp
lport 0
verify-x509-name "C=US, ST=CA, L=CA, O=CA, emailAddress=admin@mydomain.com, CN=vpn.mydomain.com" subject
remote-cert-tls server
auth-user-pass
auth-nocache
comp-lzo adaptive
pkcs12 VPN_User.p12
tls-auth VPN_User-tls.key 1

Any idea why the Windows OpenVPN Connect client dislikes my cert? Thanks!

Re: OpenVPN connect

Posted: Sun Jul 19, 2020 10:25 am
by TinCanTech
We support EasyRSA.

Re: OpenVPN connect

Posted: Tue Jul 21, 2020 11:25 pm
by tsanders
Had to look that up. I see it's an open CA tool that I need to check out.
Are you implying that OpenVPN connect will not work with client cert auth when using Microsoft root CA?
Thanks.

Re: OpenVPN connect

Posted: Tue Jul 21, 2020 11:35 pm
by TinCanTech
We support EasyRSA .. if you need help with Microsoft tooling then ask them.


For further help here you may want to read this:
viewtopic.php?f=30&t=22603

All the way to the end .. :geek:

Re: OpenVPN connect

Posted: Wed Jul 22, 2020 12:15 am
by tsanders
Lol. No I will not be speaking with Microsoft.

I shared my entire environment / config export. It works perfectly on Android OpenConnect 3.2.2 but will not work on Windows 3.2.0. I know the cert / Microsoft CA is fine. Same config.

Thx for link. I'll review it to manually build config defining certs.

Re: OpenVPN connect

Posted: Fri Jul 24, 2020 12:01 am
by adamprato
tsanders wrote:
Sun Jul 19, 2020 6:31 am
...
I am able to successfully connect on Android OpenVPN connect.

Windows OpenVPN connect giving issues. If I export my config as .p12 and import certs to client I get log errors:

OpenSSLContext: CA not Defined

...
Any idea why the Windows OpenVPN Connect client dislikes my cert? Thanks!
I have the same situation:
* OpenVPN server on debian (2.4.7-1) with easy-rsa (3.0.6-1), self-signed CA and client certs.
* openvpn config works fine on android and ios
* On MacOS and Windows I get: 7/23/2020, 6:53:24 PM EVENT: ssl_context_error: OpenSSLContext: CA not defined

EDIT: SHOOT ME. I pasted the cert outside of the ca-/ca tags.

Re: OpenVPN connect

Posted: Fri Jul 24, 2020 1:50 am
by adamprato
tsanders wrote:
Wed Jul 22, 2020 12:15 am
Lol. No I will not be speaking with Microsoft.

I shared my entire environment / config export. It works perfectly on Android OpenConnect 3.2.2 but will not work on Windows 3.2.0. I know the cert / Microsoft CA is fine. Same config.

Thx for link. I'll review it to manually build config defining certs.
Try exporting your subca cert chain as .pem then adding it to your config enclosed in a <ca></ca> block.
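The fix suggested above (carry the CA chain inline instead of referencing the external .p12) is what an OpenVPN 3 based client such as Connect wants: it reads certificates from <ca>/<cert>/<key> blocks and treats the pkcs12 directive as unsupported, which is where "OpenSSLContext: CA not defined" comes from. The script below is an added example, not part of this thread and not OPNsense's or OpenVPN's own tooling. It takes an exported client config plus the VPN_User.p12 and VPN_User-tls.key files it references, splits the bundle with the openssl CLI, writes one self-contained .ovpn with inline blocks and a matching key-direction, and then lints the result so a certificate pasted outside its tags (the mistake adamprato hit) is caught. The PKI it builds is a constructed throwaway one so the example runs offline; file names and the password "demo" are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, OPNsense or OpenVPN): inline the CA chain,
# client cert, key and tls-auth key from an OPNsense-style export into one
# .ovpn profile, then check that each PEM body really sits inside its tags.
# Assumes the openssl CLI is on PATH and the .p12 contains cert, key and chain.
set -eu

# Print only the PEM bodies of a file (drops "Bag Attributes" and '#' comments).
pem_only() { awk '/-----BEGIN/,/-----END/' "$1"; }

# p12_to_inline_profile BASE.ovpn BUNDLE.p12 PASSWORD TLS-AUTH.key OUT.ovpn
p12_to_inline_profile() {
    base=$1 p12=$2 pass=$3 ta=$4 out=$5
    tmp=$(mktemp -d)
    # Split the bundle: CA chain (every cert except the client's), client cert, key.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys -out "$tmp/ca.pem"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys -out "$tmp/cert.pem"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$tmp/key.pem"
    # The direction argument of "tls-auth <file> <dir>" becomes key-direction.
    dir=$(awk '$1 == "tls-auth" { print $3 }' "$base")
    # Keep every directive except the file references we are replacing.
    grep -v -E '^(pkcs12|tls-auth|ca|cert|key) ' "$base" >"$out"
    {
        [ -n "$dir" ] && echo "key-direction $dir"
        echo '<ca>';       pem_only "$tmp/ca.pem";   echo '</ca>'
        echo '<cert>';     pem_only "$tmp/cert.pem"; echo '</cert>'
        echo '<key>';      pem_only "$tmp/key.pem";  echo '</key>'
        echo '<tls-auth>'; pem_only "$ta";           echo '</tls-auth>'
    } >>"$out"
    rm -rf "$tmp"
}

# profile_has_block OUT.ovpn TAG: succeed only if <TAG>...</TAG> exists and
# encloses a PEM body. A cert pasted outside the tags fails this check.
profile_has_block() {
    awk -v tag="$2" '
        $0 == ("<" tag ">")  { inside = 1; next }
        $0 == ("</" tag ">") { inside = 0; next }
        inside && /-----BEGIN/ { found = 1 }
        END { exit !found }' "$1"
}

# make_demo_pki DIR: constructed throwaway CA, client cert, .p12, tls-auth key
# and base config, standing in for the poster's Microsoft PKI and OPNsense export.
make_demo_pki() {
    ( cd "$1" || exit 1
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
          -subj '/CN=Demo Sub CA' -days 1 2>/dev/null
      openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
          -subj '/CN=VPN_User' 2>/dev/null
      openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
          -out client.crt -days 1 2>/dev/null
      openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt \
          -passout pass:demo -out VPN_User.p12
      { echo '#'; echo '# 2048 bit OpenVPN static key'; echo '#'
        echo '-----BEGIN OpenVPN Static key V1-----'
        openssl rand -hex 256 | fold -w 32
        echo '-----END OpenVPN Static key V1-----'; } >VPN_User-tls.key
      cat >base.ovpn <<'EOF'
client
dev tun
remote mydomain.com 16454 udp
remote-cert-tls server
auth-user-pass
pkcs12 VPN_User.p12
tls-auth VPN_User-tls.key 1
EOF
    )
}

# Usage: build the demo material in a scratch directory, convert, then lint.
work=$(mktemp -d)
make_demo_pki "$work"
p12_to_inline_profile "$work/base.ovpn" "$work/VPN_User.p12" demo \
    "$work/VPN_User-tls.key" "$work/VPN_User.ovpn"
for tag in ca cert key tls-auth; do
    profile_has_block "$work/VPN_User.ovpn" "$tag" || { echo "missing <$tag> body" >&2; exit 1; }
done
echo "wrote $work/VPN_User.ovpn"
```

On a real export, point the script at the OPNsense .ovpn, the .p12 it names and the password you set at export time; the resulting profile can be imported into OpenVPN Connect as a single file. The lint is worth keeping around on its own: it is exactly the check that would have flagged a chain pasted next to, rather than inside, the <ca> tags.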