OpenVPN shared-secrets in PKI configuration

Hello, i did like described here: OpenVPN — VyOS 1.4.x (sagitta) documentation

run generate pki ca install InterCity # Follow the instructions to generate CA cert.

set pki ca InterCity certificate ‘generated_cert_string’
set pki ca InterCity private key ‘generated_private_key’

run generate pki certificate sign InterCity install brn.ru # Follow the instructions to generate server cert.
Configure mode commands to install:
set pki certificate brn.ru certificate ‘generated_server_cert’
set pki certificate brn.ru private key ‘generated_private_key’

run generate pki dh install InterCity-DH # Follow the instructions to generate set of
Diffie-Hellman parameters.
Generating parameters…
Configure mode commands to install DH parameters:
set pki dh InterCity-DH parameters ‘generated_dh_params_set’

set interfaces openvpn vtun10 tls ca-certificate InterCity
set interfaces openvpn vtun10 tls certificate brn.ru
set interfaces openvpn vtun10 tls crypt-key brn.ru
set interfaces openvpn vtun10 tls dh-params InterCity-DH

And i got:

vyos@r1-brn# commit
There are no openvpn shared-secrets in PKI configuration
[[interfaces openvpn vtun80]] failed

show interfaces openvpn 
+openvpn vtun80 {
+    device-type tap
+    local-port 9002
+    mode server
+    persistent-tunnel
+    protocol udp
+    server {
+        client r2.ru {
+            ip 11.0.0.2
+            subnet 11.0.0.2/32
+        }
+        client r3.ru {
+            ip 11.0.0.3
+            subnet 11.0.0.3/32
+        }
+        subnet 11.0.0.0/29
+        topology subnet
+    }
+    tls {
+        ca-certificate InterCity
+        certificate brn.ru
+        crypt-key brn.ru
+        dh-params InterCity-DH
+    }
+    use-lzo-compression
+}

What i did wrong?

Hi @hexes , you need to commit after adding each of generated cert to enable them under the system, and after that add OVPN config with separate commit. It’s quite annoying but mandatory in 1.4.x for now

No, it didn’t work… Same reply.

commit
There are no openvpn shared-secrets in PKI configuration
[[interfaces openvpn vtun80]] failed
Commit failed

First I added PKI, commit it, then added all OVPN commands…

can you share full configuration?
show configuration | stripe-private

and show version output as well

@hexes I’ve rechecked your first post and it seems that there is a small mistake in the instruction. Try to remove crypt-key brn.ru statement and everything should work fine. We’ll correct this in documentation and remove unnecessary command. Hope this will help.

You mean remove
set interfaces openvpn vtun10 tls crypt-key srv-1
?

yes correct, that one is not required in the current configuration and if you’ll try to autocomplete the command it will not show you any available completetion

:+1: It works now!!!

glad to hear that :slight_smile: corrections for the configuration procedure also applied and pending for commit. Thanks for sharing your issue and helping to identify the problem. Have a nice day!

And one more question about new cert. style: how to connect to new style EdgeRouters (old style config with files)?

     tls {
         ca-cert-file /config/auth/openvpn/intercity/ca.crt
         cert-file /config/auth/openvpn/intercity/r2.crt
         key-file /config/auth/openvpn/intercity/r2.key
     }

Copy cert text to file and send it to router?

yes, you need to manually create that files and paste the information in case if you’re generating certs on VyOS. Note that there is a specific file format such as the beginning of cert, lines length and end of cert. You can open one of the existing certs on the old-style system to ensure that the custom files have the same format.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.