Author Topic: Using MS cert on Linux  (Read 127 times)

Offline imrazor

Using MS cert on Linux
« on: January 06, 2018, 04:17:16 pm »
I created a user and successfully exported the installer to two Windows laptops. Connects fine, no problem. However, when I try to use the "standard" export button and use them on a Linux laptop (Fedora 27) I get the following:

$ openvpn --config ./pfSense-udp-1365-<user>.ovpn
Options error: Unrecognized option or missing or extra parameter(s) in ./pfSense-udp-1365-<user>.ovpn:13: cryptoapicert (2.4.4)

From what I can gather, this is because I selected the MS certificate option when I set up the user. Is there any way to get this to work from Linux, or do I need to create a whole new user just for Linux?

Offline JKnott

Re: Using MS cert on Linux
« Reply #1 on: January 06, 2018, 04:33:31 pm »
As I recall, I exported the same key etc. twice.  Once for Windows and again with Inline.  I then imported it into the network manager in Linux.

Offline AndrewZ

Re: Using MS cert on Linux
« Reply #2 on: January 06, 2018, 04:35:29 pm »
cryptoapicert is purely a Windows thing.
For Linux I believe you can generate a new config (.tar) or manually remove cryptoapicert reference, then import, then manually select a cert (.p12) from the GUI.

Offline JKnott

Re: Using MS cert on Linux
« Reply #3 on: January 06, 2018, 04:45:57 pm »
^^^
As I said, I just exported twice, once for Windows and once for Linux.  Works fine.  I use this on a notebook where I can boot into Linux or Windows 10, but only one at a time.  Same key used for both and it works fine.

Offline imrazor

Re: Using MS cert on Linux
« Reply #4 on: January 06, 2018, 04:54:44 pm »
When I try to export with the "inline" option I get a message that MS certificates are not supported with Inline configurations.

If I remove the cryptoapicert line from the .ovpn config file, openvpn will start but never connect with the following errors:

Code:
Sat Jan  6 16:52:24 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan  6 16:52:24 2018 TLS Error: TLS handshake failed

If I attempt to import the "Standard" configuration I exported earlier into the Settings/VPN GUI, I get a message that

Error: Key file contains line "PK<weird symbol><weird symbol>" which is not a key-value pair, group or comment.
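Following up on Reply #2 (strip the cryptoapicert reference and point the client at the exported .p12) and on the failure in Reply #4 when only the line is removed, here is an added shell helper that is not from the thread or from pfSense: it rewrites a "Standard"-export .ovpn for Linux by replacing cryptoapicert with a pkcs12 directive, and then checks that the result still names a client credential source before it is handed to openvpn or NetworkManager. The sample config, the hostname and the .p12/.key file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense. Assumes the
# extracted "Standard" export contains the .ovpn plus a .p12 holding the
# user's certificate and key; all file names here are placeholders.

# has_directive FILE NAME -> exit 0 if some line in FILE begins with NAME
has_directive() {
    awk -v name="$2" '$1 == name { found = 1 } END { if (found) exit 0; exit 1 }' "$1"
}

# has_client_credentials FILE -> exit 0 if FILE names a credential source the
# Linux client can actually load: a pkcs12 bundle, cert+key files, or inline
# <cert>/<key> blocks. A bare cryptoapicert line counts for nothing here,
# which is why deleting it and nothing else leaves the client without a cert.
has_client_credentials() {
    has_directive "$1" pkcs12 && return 0
    has_directive "$1" cert && has_directive "$1" key && return 0
    has_directive "$1" '<cert>' && has_directive "$1" '<key>' && return 0
    return 1
}

# linuxify_ovpn SRC DST P12 -> write SRC to DST with every cryptoapicert line
# replaced by a pkcs12 directive pointing at P12; all other lines are kept.
linuxify_ovpn() {
    awk -v p12="$3" '
        $1 == "cryptoapicert" { print "pkcs12 " p12; next }
        { print }
    ' "$1" > "$2"
}

# make_sample FILE -> constructed stand-in for the exported .ovpn (not a real
# pfSense export); only the cryptoapicert line matters for the conversion.
make_sample() {
    cat > "$1" <<'EOF'
client
dev tun
remote vpn.example.invalid 1365 udp
tls-client
cryptoapicert "SUBJ:user"
tls-auth pfSense-udp-1365-user-tls.key 1
EOF
}
```

Typical use is `linuxify_ovpn pfSense-udp-1365-user.ovpn linux.ovpn pfSense-udp-1365-user.p12` followed by `has_client_credentials linux.ovpn`; relative file names in the output are resolved from the directory openvpn is started in.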

Offline JKnott

Re: Using MS cert on Linux
« Reply #5 on: January 06, 2018, 08:55:15 pm »
^^^^
I just tried it again.  I clicked on the Inline - Most clients button and generated an ovpn file and then clicked on the Current Windows Installer and generated the exe file, just as I did when I first set up my VPN.  There were no errors.  The exe is used to install the OpenVPN client on Windows and the ovpn file is imported into the network manager in Linux.

Offline imrazor

Re: Using MS cert on Linux
« Reply #6 on: January 06, 2018, 09:02:36 pm »
I got the Inline config to export by unchecking the MS certificate storage option. I then ran openvpn --config pfSense-blah-blah.ovpn from the command line as root, and it worked. I was afraid I'd kill my Windows clients' ability to connect by unchecking the MS cert option, but at least one still appears to be functioning.

My remaining difficulty involves configuring the Fedora 27 VPN GUI. Using it from the command line works, but requires a few extra steps and a root password to complete the connection. I've tried configuring the GUI several ways, but none of them seem to work. Probably need to post in a Fedora or OpenVPN forum, but if anyone here knows I'd appreciate your input.