Cryptography is a complex matter to grasp, and SSL certificates can be a challenge to understand if you have never dealt with them before. While installing and managing an SSL certificate for your Access Server may seem overly complex, this article tries to cover all the basics so you can get your Access Server secured in a snap! It’s important to note that SSL certificates only work when you are using an FQDN name for your OpenVPN Access Server installation. FQDN stands for Fully Qualified Domain Name; examples are docs.openvpn.net or openvpn.net. These are names that exist on the Internet and can be resolved with a DNS query. If you do not have such a name set up yet, arrange that first and configure it properly. Then you can continue with this document and set up an SSL certificate on the FQDN name you have chosen for your server installation.
This article will cover the following:
- An explanation why you should install an SSL certificate.
- How to generate a certificate signing request (CSR) for submission to a commercial certificate authority (CA).
- How to install a commercial SSL certificate in Access Server.
- Some common problems and solutions to these problems.
- How to extend the self-signed certificate validity or change the common name of the self-signed certificate.
- How to revert Access Server to a self-signed certificate (removing a commercial SSL certificate).
You may have noticed when you started using the OpenVPN Access Server product that you get warnings like “your connection is not private” or “could not verify identity of this server” or similarly dire messages. It’s good that you get these messages, as they alert you to the fact that the SSL certificate on this server isn’t valid. Or rather, it is valid, as there is encryption happening between your web browser and the web server, but it is not trusted. Only when an SSL certificate is trusted will the green padlock icon show up in the address bar and these messages disappear. A trusted certificate also gets rid of the warning you see in the OpenVPN Connect Client when you initially install it, which likewise tells you that the server identity could not be verified.
So to answer the question why you should replace the SSL certificate: first and foremost, to get rid of the warnings. But one of the most important aspects really is that a verified and trusted SSL certificate is a guarantee that you are connected to the server that you think you are connecting to. The identity of the server, that it is the server you want to connect to, is guaranteed if an SSL certificate is properly signed. If you have things set up with a signed and verified SSL certificate, you will see the green padlock icon indicating that you are connected to your server and not to any other server pretending to be your server. If someone somehow succeeds in redirecting your traffic to another server, to try to steal credentials for example, you will get those same big warnings you see when the SSL certificate is not trusted, just like what happens initially when you install the Access Server and, by necessity, an untrusted self-signed certificate is used at first.
We also have some more information about what an SSL certificate is and how it works here.
In order to generate the proper keying materials for your Access Server software, you will need a machine with OpenSSL installed. This is most easily done on a Linux system, for example the Linux operating system that your OpenVPN Access Server is running on. To see if you have OpenSSL already installed, log on to your Linux server, obtain root privileges, and run the command below. If you do not have OpenSSL installed, use the indicated commands below to install it.
See if OpenSSL is installed:
If you get an error use this to install on Debian/Ubuntu systems:
Or on CentOS/Red Hat systems:
Now that OpenSSL is installed you can use it to create a private key and certificate signing request (4096 bits SHA256):
You will be asked a set of standardized questions. This is how we answered it in our example situation:
In the example above we didn’t specify a challenge password or optional company name. Some certificate authorities don’t let you specify an optional company name or know how to deal with a challenge password, so it’s our recommendation to leave those last two questions unanswered and just press enter on them to continue. With the steps followed as above we now have a server.key and a server.csr file.
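As an added example (not from the OpenVPN documentation), here is the same key and CSR generation done non-interactively for the article's example host vpn.exampletronix.com, followed by a check that the CSR really belongs to the key before you submit it. It assumes the openssl command-line tool is installed; the subject values other than the CN (country, state, city, organization) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the OpenVPN documentation): the key and CSR generation
# from this article done non-interactively, using the article's example host
# vpn.exampletronix.com, followed by a check that the CSR really belongs to the
# key. Assumes the openssl command-line tool; the subject values other than the
# CN (country, state, city, organization) are constructed for the example.

# check_openssl: fail with an install hint when the openssl tool is missing.
check_openssl() {
    command -v openssl >/dev/null 2>&1 || {
        echo "openssl not found: apt-get install openssl (Debian/Ubuntu) or yum install openssl (CentOS/RHEL)" >&2
        return 1
    }
}

# generate_csr <dir> <fqdn>: write server.key and server.csr into <dir>.
# 4096-bit RSA, SHA-256 signature; -nodes leaves the key unencrypted, which is
# the form Access Server requires for the web services.
generate_csr() {
    dir=$1
    fqdn=$2
    openssl req -new -newkey rsa:4096 -sha256 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=California/L=San Jose/O=Exampletronix/OU=IT/CN=$fqdn" \
        >/dev/null 2>&1
    chmod 600 "$dir/server.key"   # the private key stays on this machine only
}

# csr_matches_key <dir>: prints "match" when the public key in server.csr is the
# one derived from server.key, "mismatch" otherwise.
csr_matches_key() {
    key_pub=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null) || key_pub=
    csr_pub=$(openssl req -in "$1/server.csr" -pubkey -noout 2>/dev/null) || csr_pub=
    if [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]; then echo match; else echo mismatch; fi
}

# csr_common_name <dir>: show the CN so it can be checked against the FQDN
# before the CSR is submitted to the certificate authority.
csr_common_name() {
    openssl req -in "$1/server.csr" -noout -subject | sed 's/.*CN *= *//'
}
```

Run `generate_csr /root/ssl vpn.exampletronix.com` and then `csr_matches_key /root/ssl` and `csr_common_name /root/ssl` to confirm what you are about to send to the CA.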
The server.key file is the private key and it is vital that this key is kept safe and secure. You will need this file once your certificate signing request has been approved and a certificate has been issued to you. Also, it is the underpinning of the SSL certificate security model. This private key stays with you and does not go to any other party!
The server.csr file is the certificate signing request. In the questions above you were asked to provide a “Common Name”. That is where the FQDN name where your Access Server can be reached on the Internet is supposed to go. If for example your Access Server has been set up at the address https://vpn.exampletronix.com/ then the Common Name is vpn.exampletronix.com, just like in our example. This means that in our example, our certificate signing request is going to be for the subdomain vpn.exampletronix.com on the domain exampletronix.com.
Now you can go to your chosen SSL certificate authority. There are a great many out there. Pick one you like and they will ask you for a certificate signing request and what type of server you are looking to get a certificate for. If asked, the type of certificate you will want is Apache or Apache2 compatible. We don’t actually use Apache software in our OpenVPN Access Server product, but we do use that same type of certificates.
Next copy and paste the contents of the file server.csr or upload it to them as a file. They will then look at it and see the answers you gave earlier. Now comes the part where they are going to try to verify that you are really the owner of the domain exampletronix.com. One way they can do this is to ask you to place a file on your web server, which they will then try to retrieve. Or they can send a verification email to a registered email address that is known at the domain registry for the domain exampletronix.com. These steps they do to ensure that they are dealing with the real owner of the domain exampletronix.com and not with someone pretending to be. Only the real owner would have access to the registered email address or the website running on the domain you are trying to get a certificate signed for.
Once they’ve verified your identity and received payment, they’ll sign a certificate and send it to you. They’ll also send you intermediary files, or they may have these available separately on their website. Intermediary files are their own certificates that complete the chain of trust between the certificate they’ve just issued you and a root certificate authority that is trusted by the majority of web browsers and SSL-capable programs. Without the intermediary files it may not be possible to establish a chain of trust between your signed public certificate and a trusted certificate authority.
This guide shows you how to install a commercial SSL certificate in the Access Server via the Admin UI. But it can also be done via the command line. To be able to install the certificate on your Access Server installation, you will need these files:
- The signed certificate from your certificate authority.
- The CA bundle or intermediary files from your certificate authority.
- The private key you originally created when making the certificate signing request (CSR).
A few notes about these files. The format they should be in is Apache compatible format, also referred to as X509/Base64 or PEM/CER format. If you have mistakenly received files in .p12 or .pfx format or such, then those are of a type that are suitable for Windows platforms, but not for the Linux OpenVPN Access Server product. It is however possible to convert the certificates to the required format using for example the DigiCert Certificate Utility.
The CA (Certificate Authority) bundle, also called the intermediary files, is a set of certificates that complete the chain of trust between your signed server certificate and a root certificate authority that is trusted by web browsers and other SSL-capable programs. Without these files the certificate may still show up as untrusted, or errors may appear when programs try to verify the identity of the server certificate. Sometimes you receive one single file, but in other cases you may receive a number of separate files. You need them to be in one file. Fortunately this can be resolved by opening them in a text editor like WordPad or Notepad, copying and pasting one after the other into a new file, saving it, and using that file as the CA bundle or intermediary file from here on.
The private key must absolutely be the same private key that you originally created and used to create the certificate signing request. You cannot use any other private key with the signed certificate. They are inextricably linked. If you have made the mistake of losing the original private key, your signed certificate is useless and you will have to start over.
You may also want to click the Update Running Server button to effect your changes immediately. This may lead to you temporarily losing contact with the web services, but if you close your browser and open it again, it should now connect and show the green padlock if the certificate is installed correctly and trusted.
The files you have submitted to the Access Server are stored in the configuration database files of the Access Server. In rare cases people have lost these files and need to retrieve them from the Access Server configuration database files. In order to do so you can consult the document describing how to recover SSL web certificates from the config DB.
If you did not provide the necessary files correctly, you may experience some of the problems below.
Certificate doesn’t match private key
Your private key does not match the one you have used to sign the CSR that you have submitted to your certificate authority. Make sure you are using the same key file that was used to generate your CSR. If you lost this file, you will need to restart the certificate generation process and ask your certificate authority for a certificate replacement. The private key is unique and cannot be recreated. If you’ve lost it, the signed public certificate also becomes useless.
Problems getting password, bad password read
Your private key is encrypted with a passphrase and Access Server does not know how to decrypt the private key (i.e. it does not know what your passphrase is). Decrypt your private key by running the example command below on the command line with the OpenSSL program and then provide Access Server the decrypted private key file. The OpenVPN Access Server does not support using a private key for the web services that is additionally encrypted with a passphrase.
Decrypt a passphrase protected private key with OpenSSL:
You will be asked once for your passphrase. The resulting decrypted.key file can be loaded into the OpenVPN Access Server.
PEM_read_bio, no start line
This is usually part of an error message like this:
This basically means that the private key you have provided is invalid in some way. Make sure that you have provided the correct file, and do not accidentally supply your public certificate as the private key, or vice-versa. The private key field in Access Server only accepts a valid private key.
If you are sure that the file is valid and Access Server is still not accepting it, the cause is most likely improper formatting of the private key file: for example no line breaks at all, or line breaks using a different EOL (End-of-Line) convention than OpenSSL accepts. You can try to fix this yourself with proper EOL conversion tools, or contact your certificate authority for assistance. We often see this problem with certain SSL certificate providers that generate the private key for you. They may provide it with Windows-type EOL characters, and this causes the problem. Usually they can help you obtain a version that is compatible with Linux systems, or you can use a text editing tool to convert the file to a format that doesn’t contain these additional characters.
Certificate doesn’t match private key, unsupported certificate purpose
The file supplied seems like valid keying material, although it doesn’t look like a server certificate was provided. It is possible that the CA bundle and the server certificate were accidentally swapped. Try to swap the order of the CA bundle and the certificate and try again. If this does not work, make sure you are providing the signed certificate you have received from your CA, and not the CSR you have generated on your own machine. The CSR is not needed or wanted by the OpenVPN Access Server, it is only used to do the certificate signing request with your certificate authority.
Certificate Trust Warning: unable to get local issuer certificate
This message can occur in a variety of programs that try to verify the identity of a server using its public certificate. It can occur in the Connect Client but it can also occur in a web browser or a test program for SSL connections. The error occurs when the path from your server’s certificate to a trusted root authority certificate could not be established. Certificates are hierarchical and each certificate knows its direct parent above it using a unique fingerprint. Using this method a chain can be formed going from your server certificate, to the certificate issuer, and from there to a (trusted) root authority. Sometimes there are more steps. Sometimes the direct parent is the root authority. But in most cases there are steps in between and these are called intermediaries. If there is one, only one intermediate certificate needs to be added to your chain of certificates, and if there are more, you can copy-paste them into one file, just one after the other, to make an intermediary bundle file that contains all the intermediaries to complete the path of trust. Please note that if you already had a working certificate before, but now have a new one from a different issuer, you will need to update your intermediaries as well.
On the OpenVPN Connect v2 client, the intermediaries are stored on disk with the client and to update this you would need to update the OpenVPN Connect v2. It is therefore best to stick to the same issuer when you need to renew a certificate and your clients are using OpenVPN Connect v2 with server-locked profiles. For user-locked and auto-login it doesn’t make a difference as the web interface only gets called when using server-locked.
On the OpenVPN Connect v3 client, we use the certificate store in the operating system to determine a path of trust.
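As an added pre-flight checker (not part of the OpenVPN Access Server documentation) that catches the problems listed above before you paste anything into the Admin UI: CRLF line endings and a missing BEGIN line, a passphrase-protected key, a CSR or certificate supplied where the key belongs, a key that does not belong to the certificate, and a CA bundle that does not complete the chain. It assumes the openssl command-line tool; the file names and the optional trusted-root argument are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the OpenVPN Access Server docs. Pre-flight checks for
# the three files you upload (server certificate, CA bundle, private key) that
# catch the problems described above before Access Server rejects them.
# Assumes the openssl command-line tool is installed; file names are yours.

# pem_kind <file>: classify a PEM file by its first BEGIN line. Prints one of:
# crlf, no-start-line, encrypted-key, private-key, csr, certificate, unknown.
pem_kind() {
    f=$1
    # Windows line endings are the usual cause of "PEM_read_bio, no start line"
    if grep -q "$(printf '\r')" "$f"; then echo crlf; return; fi
    first=$(grep '^-----BEGIN' "$f" | head -n 1)
    case "$first" in
        "")                       echo no-start-line ;;
        *ENCRYPTED*)              echo encrypted-key ;;      # PKCS#8 encrypted form
        *"PRIVATE KEY"*)          # legacy PEM marks encryption in a Proc-Type header
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then echo encrypted-key
            else echo private-key; fi ;;
        *"CERTIFICATE REQUEST"*)  echo csr ;;                # the CSR is never uploaded
        *CERTIFICATE*)            echo certificate ;;
        *)                        echo unknown ;;
    esac
}

# strip_crlf <in> <out>: drop carriage returns so OpenSSL's PEM reader accepts the file.
strip_crlf() { tr -d '\r' < "$1" > "$2"; }

# decrypt_key <in> <out> [passphrase]: write an unencrypted copy of the key, which is
# the only form Access Server accepts for the web services. Prompts if no passphrase given.
decrypt_key() {
    if [ -n "$3" ]; then
        openssl pkey -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null
    else
        openssl pkey -in "$1" -out "$2"
    fi
}

# key_matches_cert <key> <cert>: the public key embedded in the certificate must be
# the one derived from the private key, otherwise "certificate doesn't match private key".
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || k=
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || c=
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# chain_ok <cert> <bundle> [trusted_root]: can the intermediaries in <bundle> link the
# server certificate to a trusted root? Without the third argument the system trust
# store is used, which is what browsers and OpenVPN Connect v3 consult.
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1 && echo ok || echo broken
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1 && echo ok || echo broken
    fi
}
```

A typical run is `pem_kind server.key`, `key_matches_cert server.key server.crt` and `chain_ok server.crt ca-bundle.crt`; anything other than private-key, match and ok points at one of the errors above.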
If you are using the self-signed certificate and want to keep using it but replace it with a new one, use these commands:
Please note that using a self-signed certificate is not as secure as using a valid signed certificate from a certificate authority. You cannot create such signed certificates yourself, you need an external authority that is trusted by default by web browsers and other SSL capable programs to make automatic trusting of your web server’s SSL certificate possible. No matter how you generate self-signed certificates, they will always by default not be trusted by any standard computer system. Only a commercial SSL certificate will make that possible.
The commands given above will have no effect if a commercial SSL certificate is installed on your Access Server as this is stored in the configuration database, and values in the configuration database take precedence over the files stored in the web-ssl directory. Likewise if you have a self-signed certificate, or any certificate, stored in the configuration database, then the files in the web-ssl directory are ignored. If you like you can use the commands in the section below to clear out the certificates from the configuration database. The Access Server will then revert to certificates stored in the web-ssl directory.
If for any reasons you want to uninstall a commercial SSL certificate use the following commands:
You are very likely to receive SSL warnings after you revert to a self-signed SSL certificate, unless the self-signed certificate has been previously manually trusted in your system certificate store(s).
Using OpenVPN for a remote access VPN is easy and secure. Clients are available for many different operating systems, including Windows, Mac, Linux, Android, iOS, and even ChromeOS. This document will walk through the basics of a remote access OpenVPN configuration.
This How-To article is designed to quickly show how to set up an OpenVPN remote access VPN on the pfSense® router, and is not meant to be complete. It should only be used to give a general idea of the functionality and what is possible. OpenVPN is much more advanced than the setup being demonstrated.
Warning
This guide is brief, and omits important considerations. Consult the OpenVPN chapter in the pfSense Book rather than relying on this entirely.
If a Site-To-Site OpenVPN connection is desired instead, see one of the following pages:
OpenVPN Wizard
An OpenVPN remote access VPN can easily be configured using the wizard, as follows:
Navigate to VPN > OpenVPN and click the Wizards tab to start the wizard.
Authentication
Choose the desired Authentication Settings. Most commonly this is set to Local User Access.
- With Local User Access, the users are those defined under System > User Manager.
- RADIUS and LDAP are possible, with appropriately defined settings, as covered here: Authenticating OpenVPN Users with RADIUS via Active Directory.
Click Next
Certificate Authority
Fill in the fields to Create a new Certificate Authority
- Descriptive Name - Used as the Common Name (CN) for the CA. Do not use spaces, punctuation or special characters (ex: ExampleCoVPNCA)
- Key Length - Default is OK; the higher the better, but it will use more CPU.
- Lifetime - Default is OK, but can be lowered if it must be changed out more often.
- Country Code, State/Province, City, Organization - Enter values for this location/company.
- E-mail - Used as a reference on the certificate, does not receive any mail from the system.
Click Add New CA
Server Certificate
Fill in the fields to create a new Server Certificate. Similar fields as the CA entry; most of the fields carry over and do not need to be changed.
Click Create new Certificate
OpenVPN Server Configuration
Now for the biggest part: Enter the configuration for the VPN server.
There are many options here, most explained on the page, but the key items to enter are:
- TLS Authentication – Leave this checked, along with the box underneath to generate a new key. Using a TLS key is technically optional, but highly recommended. Some OpenSSL attacks such as Heartbleed have been mitigated by the use of a TLS key.
- Tunnel Network – Should be a new, unique network that does not exist anywhere in the current network or routing table.
- Local Network – The network here on the server that the clients will need to reach, for example 192.168.1.0/24
Note
On pfSense software version 2.3, the Topology choice is also present in the Wizard and it defaults to Subnet. Read the associated text on the page in the unlikely case this option is not desirable for a given deployment.
Other values, such as compression, DNS, NetBIOS, and so on, can be set as desired and are a matter of preference.
Click Next.
Firewall Rules
The next screen offers the choice to add firewall rules automatically. For convenience, check both unless the rules will be managed manually.
Click Next
End of the Wizard
Click Finish to exit the wizard and the new settings will be saved and applied automatically.
Verifying the Setup
Look at the firewall rules (WAN and OpenVPN tabs)
- The WAN tab rule should pass from any to the OpenVPN port on the WAN address
- The OpenVPN tab rule should allow anything from any to any
Adjustments
Some settings are not presented in the wizard but might be a better fit for some situations than the defaults chosen by the wizard.
Server Mode
The OpenVPN Server Mode allows selecting a choice between requiring Certificates, User Authentication, or both. The wizard defaults to Remote Access (SSL/TLS + User Auth). The possible values for this choice and their advantages are:
- Remote Access (SSL/TLS + User Auth)
  - Requires both certificates AND username/password
  - Each user has a unique client configuration that includes their personal certificate and key.
  - Most secure as there are multiple factors of authentication (TLS Key and Certificate that the user has, and the username/password they know)
- Remote Access (SSL/TLS)
  - Certificates only, no auth
  - Each user has a unique client configuration that includes their personal certificate and key.
  - Useful if clients should not be prompted to enter a username and password
  - Less secure as it relies only on something the user has (TLS key and certificate)
- Remote Access (User Auth)
  - Authentication only, no certificates
  - Useful if the clients should not have individual certificates
  - Commonly used for external authentication (RADIUS, LDAP)
  - All clients can use the same exported client configuration and/or software package
  - Less secure as it relies on a shared TLS key plus only something the user knows (Username/password)
Certificate Revocation
Compromised certificates can be revoked by creating a Certificate Revocation List (CRL) in System > Cert Manager on the Certificate Revocation tab, adding the certificate to it, and then selecting that CRL on the OpenVPN server settings.
Adding a User with a Certificate
If the mode has been left at the wizard’s default or on a mode that includes local user authentication, a user must be created in the user manager.
- Navigate to System > User Manager
- Click the add icon to add a user
- Fill in Username
- Fill in Password / Confirm password
- Check Click to create a user certificate.
- Fill in the Descriptive Name as the username
- Choose the appropriate Certificate Authority
- Click Save
OpenVPN Client Export Package
The OpenVPN Client Export Package allows exporting configurations formatted for a wide variety of platforms. It also allows exporting a pre-packaged Windows installer executable which includes the configuration bundled inside for a painless client installation.
Installing the OpenVPN Client Export Package
To Install the OpenVPN Client Export Package
- Navigate to System > Packages, Available Packages tab
- Find OpenVPN Client Export Package in the list
- Click the install icon
- Click Confirm
The package will be installed and is now available under VPN > OpenVPN on the Client Export tab.
Exporting a Configuration
- Navigate to VPN > OpenVPN on the Client Export tab
- Choose the VPN from the Remote Access Server drop-down list
- Set any desired options in the upper section – The defaults are generally OK
- Find the user in the list at the bottom of the page and select the appropriate configuration type to export.
The Windows Installer choices are the most common. The “Inline” configuration choices are best when using a current client that isn’t listed. Some older clients may not fully understand these, but older clients should be upgraded as soon as possible.
There are links to many commonly used clients at the bottom of the Client Export package page.
Wrap Up
The VPN setup on the firewall is complete. Install the client and/or import the new configuration into an existing client, connect and try it out.
Filtering OpenVPN Traffic
Firewall rules to strictly govern the traffic on this VPN may be added under Firewall > Rules on the OpenVPN tab.