rickd
1
Hi
I'm trying to configure OpenVPN on the AXT 1800 with an OPNsense firewall.
The AXT 1800 is on kernel 4.460 with ARMv7 rev 4
I'm using my self-generated cert. However, the error log on the AXT 1800 shows:
Tue Jan 10 02:55:06 2023 daemon.err ovpnclient[9276]: Error opening file openvpn.p12
Tue Jan 10 02:55:06 2023 daemon.notice ovpnclient[9276]: Exiting due to fatal error
Please let me know what I should do.
Thanks
Rick
I guess you set up the OpenVPN Server on OPNsense and then exported the client configuration to the AXT1800?
Is openvpn.p12 the file you exported from OPNsense?
I think you need to convert the .p12 file to a CA certificate, client certificate and client private key.
rickd
3
Hi Zou
Yes, the P12 file is exported from OPNsense along with open config and tls key file.
Do you have a sample of what they look like?
What kind of format is needed for the CA cert and client cert?
It would be really helpful if you made an instruction here.
I tried to use
openssl pkcs12 -in OpenVpn.p12 -out open.crt -nodes
to generate the certs in PEM format.
It follows the structure of
Bag Attributes
localKeyID: C7 1D 05 DA 0E 3C 5A 06 BF 47 D2 9F E6
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Bag Attributes
localKeyID: C7 1D 05 DA 0E 3C 5A 06 BF 47 D2 9F E6
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
Also, in the ovpn file I have changed from pkcs12 OpenVpn.p12 to pem open.crt
and this is the error log:
Sat Jan 14 12:52:23 2023 daemon.notice netifd: Interface 'ovpnclient' is setting up now
Sat Jan 14 12:52:23 2023 daemon.err ovpnclient[5782]: Options error: Unrecognized option or missing or extra parameter(s) in /tmp/ovpnclient/ovpnclient:12: pem (2.5.3)
Sat Jan 14 12:52:23 2023 daemon.warn ovpnclient[5782]: Use --help for more information.
Thanks,
Rick
rickd
4
Okay, I figured it out.
It should be wrapped by
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
Now the OpenVPN is connected with tun
However, with tap, it shows connected but I can't access the Internet.
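An added example, not written by anyone in this thread: one way to script the conversion worked out above, turning the `openssl pkcs12 ... -nodes` dump into the inline `<cert>`, `<ca>` and `<key>` blocks. It assumes the dump layout quoted earlier, where the client certificate's bag carries a localKeyID and the CA certificate's bag does not; the function names `pem_to_inline`, `inline_ovpn` and `sample_dump` are hypothetical.

```shell
# Print <cert>/<ca>/<key> inline blocks from an `openssl pkcs12 ... -nodes` dump.
# Assumption: the client certificate bag has a localKeyID, CA bags do not.
pem_to_inline() {
    awk '
    /^Bag Attributes/                { has_id = 0 }   # a new bag starts
    /^[ \t]*localKeyID:/             { has_id = 1 }
    /^-----BEGIN CERTIFICATE-----/   { tag = (has_id ? "cert" : "ca"); inblk = 1 }
    /^-----BEGIN .*PRIVATE KEY-----/ { tag = "key"; inblk = 1 }
    inblk                            { body[tag] = body[tag] $0 "\n" }
    /^-----END /                     { inblk = 0 }
    END {
        n = split("cert ca key", order, " ")
        for (i = 1; i <= n; i++) if (body[order[i]] == "") { print "no <" order[i] "> material found" > "/dev/stderr"; exit 1 }
        for (i = 1; i <= n; i++) printf "<%s>\n%s</%s>\n", order[i], body[order[i]], order[i]
    }' "$1"
}

# Write OUT = CLIENT_OVPN minus its pkcs12/cert/ca/key file references, plus the inline blocks.
inline_ovpn() {   # usage: inline_ovpn CLIENT_OVPN DUMP OUT
    ( umask 077   # OUT holds the unencrypted private key, so create it owner-only
      grep -v -E '^[[:space:]]*(pkcs12|cert|ca|key)[[:space:]]' "$1" > "$3" &&
      pem_to_inline "$2" >> "$3" )
}

# Constructed sample dump in the layout quoted in the thread (placeholder bodies, not real keys).
sample_dump() {
cat <<'EOF'
Bag Attributes
    localKeyID: 01 02 03
-----BEGIN CERTIFICATE-----
Q0xJRU5U
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
-----BEGIN CERTIFICATE-----
Q0E=
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 02 03
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
S0VZ
-----END PRIVATE KEY-----
EOF
}
```

The `open.crt` dump written with `-nodes` also contains the unencrypted key, so it is worth deleting once the final .ovpn file has been produced.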
Can you check the connection status on the VPN server and view the logs of the OpenVPN client/server?
rickd
6
Yes, the VPN server shows connected, and I will post the log later this weekend.