
[VyOS] VyOS Complains That ca.crt Is Invalid


parityboy
Site Admin
Posts: 1264
Joined: Wed Feb 05, 2014 3:47 am

[VyOS] VyOS Complains That ca.crt Is Invalid

Postby parityboy » Wed Sep 19, 2018 11:20 pm

Background
I'm currently running pfSense 2.3.4 as a virtualised router on VirtualBox; however, it seems to have issues when the number of connections it needs to maintain (e.g. for torrenting) goes past a certain limit. It's nothing to do with the state table and seems to be more to do with the interaction between the BSD networking stack and VirtualBox.

I could switch to KVM as a hypervisor, but there's a lot of uprooting involved in that process. I know that a GNU/Linux-based router such as LEDE/OpenWRT is stable on VirtualBox and doesn't exhibit those kinds of issues (I've tested it), but I need something with more power, hence VyOS.

VyOS Issues
I've created an instance of VyOS 1.1.8 and got all of the basics up and running - interface assignment, DNS, DHCP servers and routing. Now I'm trying to get an OpenVPN client instance up and running.

Following this guide, I copied ca.crt from GitHub into the /config/auth/openvpn/cs directory, then executed the following commands in that directory.

Code:

openssl genrsa -out host.key 2048
openssl req -new -key host.key -out csr.crt
openssl req -x509 -days 365 -key host.key -in csr.crt -out cert.crt
chmod 700 host.key


I also created an auth.txt file in that same directory which looks like this:

Code:

<hashed token goes here>
rand0m5tr1ng0fcharact3r5


Now in configure mode in VyOS I executed the following commands

Code:

set interfaces openvpn vtun0 mode 'client'
set interfaces openvpn vtun0 encryption 'aes256'
set interfaces openvpn vtun0 hash sha512
set interfaces openvpn vtun0 protocol 'udp'
set interfaces openvpn vtun0 remote-host 'linux-netherlands.cryptostorm.net'
set interfaces openvpn vtun0 remote-port 443
set interfaces openvpn vtun0 openvpn-option 'auth-user-pass /config/auth/openvpn/cs/auth.txt --persist-key --persist-tun --nobind --route-nopull --script-security 2'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/openvpn/cs/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/openvpn/cs/cert.crt'
set interfaces openvpn vtun0 tls key-file '/config/auth/openvpn/host.key'


However when I commit the changes, VyOS complains that the file /config/auth/openvpn/cs/ca.crt is not valid. Has anyone run into this issue and if so, how did you solve it?

Many thanks. :)

 ! Message from: parityboy
Corrected spelling and grammar.


Re: [VyOS] VyOS Complains That ca.crt Is Invalid

Postby parityboy » Fri Sep 28, 2018 9:09 pm

OK, I've found two things:

1) PIA's ca.2048.crt file works perfectly well, while Cryptostorm's ca.crt does not.

2) VyOS 1.1.8 actually uses OpenVPN 2.1.x, which doesn't connect even to PIA's network so it certainly won't connect to Cryptostorm's. The age of the OpenVPN build on VyOS 1.1.8 might be why it won't read Cryptostorm's certificate file. PIA's config file also specifies AES-128-CBC...


Re: [VyOS] VyOS Complains That ca.crt Is Invalid

Postby parityboy » Fri Sep 28, 2018 10:52 pm

@thread

OK, quick update. I upgraded VyOS to 1.2.0, which runs OpenVPN 2.3.4. It will accept the CA cert for PIA, but NOT the one for Cryptostorm.

I have no idea why. df, if you (or anyone else) can offer any ideas, it would be greatly appreciated. :)


df
Site Admin
Posts: 376
Joined: Thu Jan 01, 1970 5:00 am

Re: [VyOS] VyOS Complains That ca.crt Is Invalid

Postby df » Sat Sep 29, 2018 5:23 am

OpenVPN 2.3.4 is from 2014, but it does work with our RSA/standard instances (i.e., anything but ECC).
I recently tested 2.3.2 and it works fine.

But I'm confused about how your setup is supposed to work.
With OpenVPN in client mode, the PKI only requires the CA certificate to be present client-side.
Client certificates (if used) are only for authentication, not for server verification.

Server verification happens when the server certificate is pushed by the server during connect, and then it's verified against the CA certificate included in the client config.
The server certificate is signed by the CA keypair, but in no sane setup would the client ever have the private CA or server key.

So if I'm understanding:

Code:

set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/openvpn/cs/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/openvpn/cs/cert.crt'
set interfaces openvpn vtun0 tls key-file '/config/auth/openvpn/host.key'

It's trying to verify the cert.crt you just generated against our CA certificate, which would of course fail...
But then why would it work with PIA's CA...

heh, could be simply that you're using our ECC CA and not the RSA CA.

Code:

cat ca.crt | openssl x509 -noout -text | grep 'Key Algo'

should return "Public Key Algorithm: rsaEncryption" if you're using the RSA CA, "Public Key Algorithm: id-ecPublicKey" if you've got the EC CA.

EDIT:
Eww, AES-128-CBC. Even OpenVPN 2.3.2 from 2013 could do AES-256-CBC.


Re: [VyOS] VyOS Complains That ca.crt Is Invalid

Postby parityboy » Mon Oct 01, 2018 10:11 pm

@df

I checked using the method you described and yes, it's the RSA cert (1866 bytes long). As for the other certs and keys, seemingly the VyOS scripts expect them regardless of whether they are used or not.

Either way, even before I created them, VyOS was whining that Cryptostorm's ca.crt was not valid. I'll check a couple of other providers to see if the issue exists with them too, but so far PIA's server certificate is accepted.


Re: [VyOS] VyOS Complains That ca.crt Is Invalid

Postby parityboy » Mon Oct 01, 2018 10:41 pm

@df

OK, so I tried using NordVPN's certificate (extracted from one of their OpenVPN configuration files) and VyOS accepted it. For posterity, here it is.

Code:

-----BEGIN CERTIFICATE-----
[certificate body not included in this copy of the post]
-----END CERTIFICATE-----


So far then, PIA and NordVPN server certificates are accepted using this command:

Code:

set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/openvpn/<provider>/ca.crt'
commit

but Cryptostorm's certificate isn't.

Code:

vyos@vyos# commit
[ interfaces openvpn vtun0 ]
OpenVPN configuration error: Specified ca-cert-file "/config/auth/openvpn/cs/ca.crt" is not valid.

[[interfaces openvpn vtun0]] failed
Commit failed

