OpenVPN import failure from pfSense


#1

Hi everyone!

First post from completely VyOS newbie.
OK… so, after discovering that pfSense is plagued with bugs and problems when trying to use it as virtual router on complex virtual network environment (it works perfect with its nice GUI for hardware firewall/proxy and so) … so, it is the perfect oportunity to dive into VyOS.

Problem but arises after a promising start: OpenVPN
This is a critical feature… but, most exactly, it is imperative the ability to import current certs.
Actually, pfSense has a nice GUI to manage PKI… while easy-rsa script environment is somehow awkward

The problem is that, upon importing certs, VyOS complains:

[code][ interfaces openvpn vtun112 ]

OpenVPN configuration error: Specified ca-cert-file “/config/auth/ovpn/CAs/VLAN112/common_VPN_VLAN112_RA.pem” is not valid[/code]

The Certs actually work, I have tested them creating a config file with them, and running openvpn manually against conf file.

Then I set up a ‘dummy’ local CA and generated a set of ‘dummy’ certs as indicated on VyOS wiki just to make VyOS happy and commit the config.
In one ocasion, I managed to deceipt VyOS by replacing the contents of /opt/vyatta/config/active/interfaces/openvpn/vtun112/tls/XXXXX/node.val set of files, but normally it realizes the hack and the whole config vanishes.

To be completely sure that the config is trully feasible and works, after I realized that VyOS doesn’t use .conf/.ovpn config files, but instead it launches daemonized instances directly, with the whole set of params, I copied the whole command from a ‘ps -aux | grep openvpn’ , replaced --ca --cert and --key arguments with my certs and it works, clients with current certs from pfSense can connect and ping.

So, how can I circumvent the invalid CA cert check?
The CA cert file is a classic, well formed, .pem format file.
I tried renaming it to .crt or .pem to no avail.
I miss log or report on details why does this happens, no clue at all.

It is just an opinion, but, I think VyOs should provide an override option (in fact it already realizes it is impossible to handle all openvpn tweaks by means of ‘openvpn-option’ set subcommand) to ‘give up’ and read/use a user-defined classic .ovpn/.conf file.

Could anyone help somehow?

Thank you on advance.
Best regards.


#2

pfSense stores certificates in DOS-style line endings, VyOS expects them Linux-style. Please run ‘dos2unix’ on your .pem/.crt files and you should be good to go.