Connection Failed: PKey::parse_pem: error in private key

Posted: Fri Jan 07, 2022 3:56 pm
by boehamian
OK, newbie to the whole OpenVPN thing, so please go easy.
I have a Mikrotik on which I have configured an OpenVPN server.

I have written all the certificates and the profile but I keep getting this error. Is anyone able to enlighten me as to what this error is and how I could possibly resolve it? Please click the link for a photo of the error.
https://1drv.ms/u/s!AjD5e4FKd-WXhuo0rNL ... g?e=gdWtzJ

Logs in OpenVPN Connect are not bringing anything up at all.

Using Windows 11 and OpenVPN Connect version 3.3.2.

Have exported certificates from Mikrotik (server). This is the CA and the client certificate along with the client key.
Have configured an ovpn profile in the same folder. Used a template that I got off the internet (seems pretty basic).
Added a secret file with the username and password for the VPN into the same folder as the certificates and the profile.

Re: Connection Failed: PKey::parse_pem: error in private key

Posted: Fri Jan 07, 2022 5:59 pm
by openvpn_inc
Hello boehamian,

Probably with Mikrotik you're better off using the OpenVPN GUI open source program that comes with OpenVPN 2.5.5 available in the community downloads on our website. But probably that won't work either given your particular error message. Mikrotik's OpenVPN implementation is a bit... interesting.

Regarding the error message, is it possible the private key you got is not in the format that follows this pattern?
-----BEGIN PRIVATE KEY-----
(lots of random text here)
-----END PRIVATE KEY-----

If it says -----BEGIN ENCRYPTED PRIVATE KEY----- (with the ENCRYPTED part in there) you might want to try decrypting that key first before using it.

Good luck,
Johan

Re: Connection Failed: PKey::parse_pem: error in private key

Posted: Sat Jan 08, 2022 1:55 am
by boehamian
openvpn_inc wrote:
Fri Jan 07, 2022 5:59 pm
Hello boehamian,

Probably with Mikrotik you're better off using the OpenVPN GUI open source program that comes with OpenVPN 2.5.5 available in the community downloads on our website. But probably that won't work either given your particular error message. Mikrotik's OpenVPN implementation is a bit... interesting.

Regarding the error message, is it possible the private key you got is not in the format that follows this pattern?
-----BEGIN PRIVATE KEY-----
(lots of random text here)
-----END PRIVATE KEY-----

If it says -----BEGIN ENCRYPTED PRIVATE KEY----- (with the ENCRYPTED part in there) you might want to try decrypting that key first before using it.

Good luck,
Johan

Thanks mate, much appreciated. Had a look at the key file and it has that exact layout you speak of. Would it be worth not encrypting the client certificate? If so, is there anything I have to put in the OVPN profile file that tells it not to look for an encryption key?

Have changed over to the other software as you suggested. Not sure where I connect the other version from.

This was the error log I got when I tried to connect:
Sat Jan 8 11:34:11 2022 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Sat Jan 8 11:34:11 2022 Current Parameter Settings:
Sat Jan 8 11:34:11 2022 config = 'Client.ovpn'
Sat Jan 8 11:34:11 2022 mode = 0
Sat Jan 8 11:34:11 2022 show_ciphers = DISABLED
Sat Jan 8 11:34:11 2022 show_digests = DISABLED
Sat Jan 8 11:34:11 2022 show_engines = DISABLED
Sat Jan 8 11:34:11 2022 genkey = DISABLED
Sat Jan 8 11:34:11 2022 genkey_filename = '[UNDEF]'
Sat Jan 8 11:34:11 2022 key_pass_file = '[UNDEF]'
Sat Jan 8 11:34:11 2022 show_tls_ciphers = DISABLED
Sat Jan 8 11:34:11 2022 NOTE: --mute triggered...
Sat Jan 8 11:34:11 2022 292 variation(s) on previous 10 message(s) suppressed by --mute
Sat Jan 8 11:34:11 2022 OpenVPN 2.5.5 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 15 2021
Sat Jan 8 11:34:11 2022 Windows version 10.0 (Windows 10 or greater) 64bit
Sat Jan 8 11:34:11 2022 library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
Sat Jan 8 11:34:11 2022 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Jan 8 11:34:11 2022 Need hold release from management interface, waiting...
Sat Jan 8 11:34:11 2022 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Jan 8 11:34:12 2022 MANAGEMENT: CMD 'state on'
Sat Jan 8 11:34:12 2022 MANAGEMENT: CMD 'log all on'
Sat Jan 8 11:34:12 2022 MANAGEMENT: CMD 'echo all on'
Sat Jan 8 11:34:12 2022 MANAGEMENT: CMD 'bytecount 5'
Sat Jan 8 11:34:12 2022 MANAGEMENT: CMD 'hold off'
Sat Jan 8 11:34:12 2022 MANAGEMENT: CMD 'hold release'
Sat Jan 8 11:34:16 2022 MANAGEMENT: CMD 'password [...]'
Sat Jan 8 11:34:16 2022 OpenSSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
Sat Jan 8 11:34:16 2022 OpenSSL: error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error
Sat Jan 8 11:34:16 2022 OpenSSL: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
Sat Jan 8 11:34:16 2022 OpenSSL: error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib
Sat Jan 8 11:34:16 2022 Cannot load private key file client.key
Sat Jan 8 11:34:16 2022 SIGUSR1[soft,private-key-password-failure] received, process restarting
Sat Jan 8 11:34:16 2022 MANAGEMENT: >STATE:1641607456,RECONNECTING,private-key-password-failure,,,,,
Sat Jan 8 11:34:16 2022 Restart pause, 5 second(s)
Sat Jan 8 11:34:29 2022 MANAGEMENT: CMD 'password [...]'
Sat Jan 8 11:34:29 2022 OpenSSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
Sat Jan 8 11:34:29 2022 OpenSSL: error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error
Sat Jan 8 11:34:29 2022 OpenSSL: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
Sat Jan 8 11:34:29 2022 OpenSSL: error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib
Sat Jan 8 11:34:29 2022 Cannot load private key file client.key
Sat Jan 8 11:34:29 2022 SIGUSR1[soft,private-key-password-failure] received, process restarting
Sat Jan 8 11:34:29 2022 MANAGEMENT: >STATE:1641607469,RECONNECTING,private-key-password-failure,,,,,
Sat Jan 8 11:34:29 2022 Restart pause, 5 second(s)


Again, like I said, a bit new to this so slowly working it out :D

Re: Connection Failed: PKey::parse_pem: error in private key

Posted: Sat Jan 08, 2022 2:33 pm
by boehamian
Thanks mate for your help. I have managed to rectify the issue. Stupid me and a few PEBCAK errors. Took some nutting out but got there in the end. Thanks again.

Re: Connection Failed: PKey::parse_pem: error in private key

Posted: Sun Jan 16, 2022 1:15 pm
by tongavb
Hello, good morning, how are you? I would like to know how you solved it, I get the same error. Thanks

Re: Connection Failed: PKey::parse_pem: error in private key

Posted: Mon Jan 17, 2022 1:35 pm
by openvpn_inc
Hello tongavb,

In this particular case the issue was that the private key was encrypted. Decrypt it and then it should work just fine.

Kind regards,
Johan

Re: Connection Failed: PKey::parse_pem: error in private key

Posted: Mon Apr 04, 2022 10:43 am
by toshko3@mail.bg
Could you please describe how you decrypted the key?

Re: Connection Failed: PKey::parse_pem: error in private key

Posted: Tue Nov 29, 2022 10:06 pm
by andreslafuente
openssl rsa -passin pass:ClienKeyPassw0rd -in client.key -out client-decrypt.key
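
The header check from Johan's first reply and the decrypt step from the post above, as an added example that is not part of the original thread. It assumes a POSIX shell with `openssl` on the PATH; the function names and the `KEYPASS` variable are hypothetical, and the file names are the ones used in the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and KEYPASS are assumptions.

# Report how a PEM private key is protected, judging by its armor lines only.
key_state() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted-pkcs8           # the header Johan's post asks about
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted-traditional     # e.g. BEGIN RSA PRIVATE KEY plus DEK-Info
    elif grep -Eq -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"; then
        echo unencrypted
    else
        echo not-a-private-key         # certificate, CA file, or something else
    fi
}

# Write an unencrypted copy of key $1 to $2.
# The passphrase comes from the exported KEYPASS variable rather than a
# "pass:..." argument, which would end up in shell history and the process list.
# umask 077 keeps the plaintext key readable by its owner only.
decrypt_key() {
    src=$1 dst=$2
    ( umask 077 && openssl pkey -in "$src" -passin env:KEYPASS -out "$dst" ) \
        || { rm -f "$dst"; return 1; }
    # Confirm the result really is an unencrypted private key.
    [ "$(key_state "$dst")" = unencrypted ]
}

# Usage (file names as in the thread):
#   key_state client.key
#   read -r KEYPASS; export KEYPASS
#   decrypt_key client.key client-decrypt.key; unset KEYPASS
```

In OpenVPN 2.x the alternative to decrypting is to leave the key encrypted and supply the passphrase at connect time; the `key_pass_file = '[UNDEF]'` line in the log above is the setting that the `--askpass` option fills.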

Re: Connection Failed: PKey::parse_pem: error in private key

Posted: Fri Dec 22, 2023 11:19 am
by sairam
Hi
We utilized Docker to set up OpenVPN initially on Linux. After creating and sharing the VPN file with the client, we observed that it functions properly on Linux but encounters issues when used on Windows, even with the OpenVPN application on Windows.

Error message in Windows: pkey::parse_pem: error in private key::error:1c800064:provider routines::bad decrypt /error: 11800074:pkcs12 routines:: pkcs12 cipherfinal error / error:1c800074:provider routines::bad decrypt / error :11800074:pkcs12 routines::pkcs12 cipherfinal error.