OpenVPN Client with PIA

panks21 · May 30, 2022, 3:55pm

I am new to OpenVPN on VYOS, please bear with me
I am trying to setup OpenVPN client with PIA but facing following issue and not sure how to get around it. Please help to get this going.
My VYOS Version is VyOS 1.4-rolling-202205280723

+openvpn vtun101 {
+    authentication {
+        password <password>
+        username <username>
+    }
+    description PIA_MANCHESTER
+    encryption {
+        cipher aes128
+    }
+    hash sha1
+    mode client
+    openvpn-option --fast-io
+    openvpn-option --route-nopull
+    openvpn-option "--ping-restart 60"
+    openvpn-option --persist-tun
+    openvpn-option --persist-key
+    openvpn-option "--ping 10"
+    openvpn-option "--proto udp4"
+    persistent-tunnel
+    protocol udp
+    remote-host uk-manchester.privacy.network
+    remote-port 1198
+    tls {
+        ca-certificate /config/auth/ca.rsa.2048.crt
+        crypt-key /config/auth/crl.rsa.2048.pem
+    }
+    use-lzo-compression
+}
[edit]
vyos@vyos-pghome# commit

PKI is not configured

[[interfaces openvpn vtun101]] failed
Commit failed

zsdc · May 30, 2022, 7:17pm

In new VyOS versions, you should use PKI instead direct paths to keys and certificates. Pay attention to the commands in the examples here: OpenVPN — VyOS 1.4.x (sagitta) documentation
More info about PKI: PKI — VyOS 1.4.x (sagitta) documentation

panks21 · May 31, 2022, 5:33pm

Thanks @zsdc
Since I have two files from PIA ca.rsa.2048.crt and crl.rsa.2048.pem
When I look at set pki commands, all it is asking for pem format files only. Do you know which file goes where??

zsdc · June 1, 2022, 11:43am

If you open files, you can see that one of them contains a private key and the other a certificate. Check headers:

-----BEGIN CERTIFICATE-----
-----BEGIN PRIVATE KEY-----

Use them according to the headers for:

set pki certificate XXX certificate 
set pki certificate XXX private key

panks21 · June 2, 2022, 5:26pm

Thanks. I tried what you suggested but it doesnt commit as the openvpn is expecting shared-secret.

vyos@vyos-pghome# commit

There are no openvpn shared-secrets in PKI configuration

[[interfaces openvpn vtun101]] failed

Following is the config which committed successfully

vyos@vyos-pghome# show pki
 ca PIA {
     certificate MIIFqzCCBJOgAwIBAgIJAKZ7D5Yv87qDMA0GCSqGSIb3DQEBDQUAMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTAeFw0xNDA0MTcxNzM1MThaFw0zNDA0MTIxNzM1MThaMIHoMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEzARBgNVBAcTCkxvc0FuZ2VsZXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQLExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEAxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBCkTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMS8wLQYJKoZIhvcNAQkBFiBzZWN1cmVAcHJpdmF0ZWludGVybmV0YWNjZXNzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPXDL1L9tX6DGf36liA7UBTy5I869z0UVo3lImfOs/GSiFKPtInlesP65577nd7UNzzXlH/P/CnFPdBWlLp5ze3HRBCc/Avgr5CdMRkEsySL5GHBZsx6w2cayQ2EcRhVTwWpcdldeNO+pPr9rIgPrtXqT4SWViTQRBeGM8CDxAyTopTsobjSiYZCF9Ta1gunl0G/8Vfp+SXfYCC+ZzWvP+L1pFhPRqzQQ8k+wMZIovObK1s+nlwPaLyayzw9a8sUnvWB/5rGPdIYnQWPgoNlLN9HpSmsAcw2z8DXI9pIxbr74cb3/HSfuYGOLkRqrOk6h4RCOfuWoTrZup1uEOn+fw8CAwEAAaOCAVQwggFQMB0GA1UdDgQWBBQv63nQ/pJAt5tLy8VJcbHe22ZOsjCCAR8GA1UdIwSCARYwggESgBQv63nQ/pJAt5tLy8VJcbHe22ZOsqGB7qSB6zCB6DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRMwEQYDVQQHEwpMb3NBbmdlbGVzMSAwHgYDVQQKExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UECxMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAMTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQpExdQcml2YXRlIEludGVybmV0IEFjY2VzczEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5jb22CCQCmew+WL/O6gzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQAna5PgrtxfwTumD4+3/SYvwoD66cB8IcK//h1mCzAduU8KgUXocLx7QgJWo9lnZ8xUryXvWab2usg4fqk7FPi00bED4f4qVQFVfGfPZIH9QQ7/48bPM9RyfzImZWUCenK37pdw4Bvgoys2rHLHbGen7f28knT2j/cbMxd78tQc20TIObGjo8+ISTRclSTRBtyCGohseKYpTS9himFERpUgNtefvYHbn70mIOzfOJFTVqfrptf9jXa9N8Mpy3ayfodz1wiqdteqFXkTYoSDctgKMiZ6GdocK9nMroQipIQtpnwd4yBDWIyC6Bvlkrq5TQUtYDQ8z9v+DMO6iwyIDRiU
 }
 openvpn {
     shared-secret PIA {
         key MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRlaW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZaMCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG9w0BAQ0FAAOCAQEAQZo9X97ci8EcPYu/uK2HB152OZbeZCINmYyluLDOdcSvg6B5jI+ffKN3laDvczsG6CxmY3jNyc79XVpEYUnq4rT3FfveW1+Ralf+Vf38HdpwB8EWB4hZlQ205+21CALLvZvR8HcPxC9KEnev1mU46wkTiov0EKc+EdRxkj5yMgv0V2Reze7AP+NQ9ykvDScH4eYCsmufNpIjBLhpLE2cuZZXBLcPhuRzVoU3l7A9lvzG9mjA5YijHJGHNjlWFqyrn1CfYS6koa4TGEPngBoAziWRbDGdhEgJABHrpoaFYaL61zqyMR6jC0K2ps9qyZAN74LEBedEfK7tBOzWMwr58A==
     }
 }

vyos@vyos-pghome# show interfaces openvpn
 openvpn vtun101 {
     authentication {
         password <password>
         username <username>
     }
     description PIA_MANCHESTER
     encryption {
         cipher aes128
     }
     hash sha1
     mode client
     openvpn-option --fast-io
     openvpn-option --route-nopull
     openvpn-option "--ping-restart 60"
     openvpn-option --persist-tun
     openvpn-option --persist-key
     openvpn-option "--ping 10"
     openvpn-option "--proto udp4"
     openvpn-option "--allow-compression yes"
     openvpn-option "--remote-cert-tls server"
     persistent-tunnel
     protocol udp
     remote-host uk-manchester.privacy.network
     remote-port 1198
     tls {
         ca-certificate PIA
         crypt-key PIA
     }
     use-lzo-compression
 }

However, the tunnel fails to come up stating following error in the log

Jun 02 22:43:45 systemd[1]: Started OpenVPN connection to vtun101.
Jun 02 22:43:45 openvpn-vtun101[76309]: DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
Jun 02 22:43:45 openvpn-vtun101[76309]: OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
Jun 02 22:43:45 openvpn-vtun101[76309]: library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
Jun 02 22:43:45 openvpn-vtun101[76309]: Non-Hex character ('M') found at line 2 in key file '[[INLINE]]' (0/128/256 bytes found/min/max)
Jun 02 22:43:45 openvpn-vtun101[76309]: Exiting due to fatal error
Jun 02 22:43:45 systemd[1]: openvpn@vtun101.service: Main process exited, code=exited, status=1/FAILURE
Jun 02 22:43:45 systemd[1]: openvpn@vtun101.service: Failed with result 'exit-code'.

It says “Non-Hex character (‘M’) found at line 2 in key file”. I have pasted this twice and this get the same error. I am not sure how to get this sorted