OpenVPN Client Issue

nathan.p.george (Dabbler, joined Mar 29, 2020, 12 messages)
Really sorry if this has already been posted before but I can't for the life of me find an answer to my problem. The image says it all :confused:
 

Attachment: Screenshot 2020-11-24 at 18.15.44.png (116.4 KB)

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,740 messages)
How did you generate your certificate? If you use the TrueNAS builtin CA, most probably all necessary extended attributes will be present.
 

nathan.p.george (Dabbler, joined Mar 29, 2020, 12 messages)
How did you generate your certificate? If you use the TrueNAS builtin CA, most probably all necessary extended attributes will be present.
The Certificate is from the .ovpn that I downloaded from my ExpressVPN account.

I've created the CA and Certificate with all the appropriate info needed but I'm just stuck with this error.
 

Heracles (Wizard, joined Feb 2, 2018, 1,401 messages)
Are you sure that you created a USER certificate and not a SERVER certificate?

As the error message says, the proper Key Usage is not listed in the certificate, so you got it wrong when you generated it.
 

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,740 messages)
Make sure you copied the client cert and not the CA cert - all-in-one .ovpn files contain both. Other than that I am at a loss, sorry.
 

nathan.p.george (Dabbler, joined Mar 29, 2020, 12 messages)
Are you sure that you created a USER certificate and not a SERVER certificate?

As the error message says, the proper Key Usage is not listed in the certificate, so you got it wrong when you generated it.

I simply followed System > Certificates > (Type > Import Certificate) then entered the rest of the details.

If there's something obvious I'm doing wrong then correct me please!
 

Heracles (Wizard, joined Feb 2, 2018, 1,401 messages)
I simply followed System > Certificates > (Type > Import Certificate) then entered the rest of the details.

That is how you IMPORTED the certificate. Not how you GENERATED the certificate.

Once a certificate has been generated, it cannot be modified. It must be revoked and a new one must be produced.

So how did you GENERATE the certificate? What tool? What option? What values? ...
 

nathan.p.george (Dabbler, joined Mar 29, 2020, 12 messages)
That is how you IMPORTED the certificate. Not how you GENERATED the certificate.

Once a certificate has been generated, it cannot be modified. It must be revoked and a new one must be produced.

So how did you GENERATE the certificate? What tool? What option? What values? ...

Sorry my bad, read that completely wrong haha
As I said in my previous message, I just took it from the .ovpn file that I downloaded from my account at ExpressVPN. It looks like this:
Code:
<cert>
-----BEGIN CERTIFICATE-----
cert code here...
-----END CERTIFICATE-----
</cert>
 

Heracles (Wizard, joined Feb 2, 2018, 1,401 messages)
As an OpenVPN client, you also need the private key that goes with the cert... Did you extract that one too? How did you inject it? As a separate field, or did you merge the key and its certificate into a .p12 profile?
 

nathan.p.george (Dabbler, joined Mar 29, 2020, 12 messages)
As an OpenVPN client, you also need the private key that goes with the cert... Did you extract that one too? How did you inject it? As a separate field, or did you merge the key and its certificate into a .p12 profile?
The private key is on the certificate as well; it looks like this:
Code:
<key>
-----BEGIN RSA PRIVATE KEY-----
key code here...
-----END RSA PRIVATE KEY-----
</key>
 
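Added example, written for this edit and not part of the thread or of TrueNAS: splitting an all-in-one .ovpn into its `<ca>`, `<cert>` and `<key>` blocks so each one goes into the right import field. Patrick M. Hausen's caution above applies here: the file carries both the CA certificate and the client certificate, and the two are easy to confuse when copying by hand. The profile below is constructed, the PEM bodies are placeholders rather than real key material, and the hostname is a reserved test name.

```shell
#!/bin/sh
# Added example: extract the inline PEM blocks from an all-in-one OpenVPN profile.
# The profile and its PEM contents are constructed placeholders for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/demo.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
CA-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CLIENT-CERT-PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
CLIENT-KEY-PLACEHOLDER
-----END RSA PRIVATE KEY-----
</key>
EOF

# ovpn_section FILE TAG: print only the lines between <TAG> and </TAG>.
# CR line endings (profiles saved on Windows) are stripped before matching.
ovpn_section() {
  awk -v opentag="<$2>" -v closetag="</$2>" '
    { sub(/\r$/, "") }
    $0 == closetag { inside = 0 }
    inside         { print }
    $0 == opentag  { inside = 1 }
  ' "$1"
}

# pem_label FILE: the first PEM header, so you can confirm which block you got.
pem_label() { sed -n '1s/^-----BEGIN \(.*\)-----$/\1/p' "$1"; }

# Write each block to its own file; the private key must not be world-readable.
umask 077
for tag in ca cert key; do
  ovpn_section "$WORK/demo.ovpn" "$tag" > "$WORK/$tag.pem"
done

# Sanity check for the CA/client mix-up: the two certificate files must differ.
if cmp -s "$WORK/ca.pem" "$WORK/cert.pem"; then
  echo "cert.pem is identical to ca.pem: that is the CA, not the client cert" >&2
  exit 1
fi

for tag in ca cert key; do
  printf '%-4s -> %s\n' "$tag" "$(pem_label "$WORK/$tag.pem")"
done
```

Import `ca.pem` as the CA and `cert.pem` together with `key.pem` as the client certificate; the `remote-cert-tls server` line in the profile is what makes the client insist that the server's certificate carries the server EKU.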

Heracles (Wizard, joined Feb 2, 2018, 1,401 messages)
Yes, the private key is also in the file. But again, how did you GENERATE that key pair??? Whatever you did, you got it wrong. You are missing the proper key usage in your certificate.
 

nathan.p.george (Dabbler, joined Mar 29, 2020, 12 messages)
Yes, the private key is also in the file. But again, how did you GENERATE that key pair??? Whatever you did, you got it wrong. You are missing the proper key usage in your certificate.
I don't get where you're going. I got it the exact same way I got the rest, by downloading it from my account and inserting the code...
 

nathan.p.george (Dabbler, joined Mar 29, 2020, 12 messages)
I've clearly given you the answer!

[mod note: edited for offensive language -JG]
 

Heracles (Wizard, joined Feb 2, 2018, 1,401 messages)
Hmm, you said you got it from the OVPN file. That is where you got it, but not how you generated it.

Can you please focus on providing the information on how you generated the certificate so that we can help?

[Edited by JoshDW19 for clarity]
 

nathan.p.george (Dabbler, joined Mar 29, 2020, 12 messages)
I didn't generate any codes, it was from the .OVPN file that I pressed download on from within my ExpressVPN account.
I don't get how that's so hard for you to understand. Either help or get lost!
 

jgreco (Resident Grinch, joined May 29, 2011, 18,681 messages)
I didn't generate any codes, it was from the .OVPN file that I pressed download on from within my ExpressVPN account.
I don't get how that's so hard for you to understand. Either help or get lost!

So there seems to be some confusion here as to what is going on.

How about you start over from the beginning, and tell us what you are trying to do.

A careful reading of what's transpired suggests that no one is really clear on what you are trying to do.

Are you trying to set up your FreeNAS as a client of ExpressVPN? That would be highly unusual and probably a bad idea, though it seems the most likely explanation behind what you've posted.

If that is the case, it appears that the certificate that ExpressVPN has issued you is defective in that it doesn't supply a client extended key usage (EKU). Locking certificates to certain roles with EKU's is best practice.

You can decode a certificate with the openssl command:

% openssl x509 -in mycertificate.crt -noout -text

and you should find a line such as

X509v3 extensions:
    X509v3 Extended Key Usage:
        TLS Web Client Authentication

in there. If not, that's not particularly good, and is something that ExpressVPN would be in a position to fix. That was why Heracles kept asking you how you had generated this.

In any case, it is a bad idea to open up your NAS to the Internet. You may wish to reconsider this.
 

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,740 messages)
I didn't generate any codes, it was from the .OVPN file that I pressed download on from within my ExpressVPN account.
I don't get how that's so hard for you to understand. Either help or get lost!
No need to get rude. What is "ExpressVPN"? How do you expect anyone but you to know what arbitrary service offers are and how they work? How does "ExpressVPN" generate the certificate? If you don't know, ask them, because they are doing it wrong. You cannot use a certificate without the Extended Key Usage attribute. Period.
The other things @jgreco wrote, apply as well ...
 

jgreco (Resident Grinch, joined May 29, 2011, 18,681 messages)
You cannot use a certificate without the Extended Key Usage attribute.

Well, that's not *strictly* true. It used to be that we didn't bother with these things because there were so many poorly-implemented, old, etc., versions of SSL out there that would be made unhappy by "newfangled" things. SSL has been supporting this very well for many years at this point, however, and any VPN service that isn't bothering with it ... well, it can be assumed that they do not give a crap about security, or are simply incompetent.

Part of the point of EKU is to prevent man-in-the-middle attacks.

If I want to compromise your VPN, and I can get in your transit path, then all I need to do is to sign up as an IncompetentVPN customer, and I get a certificate that isn't restricted to being a client. I then use my certificate to pretend to be a server facing you, crack open the SSL, and then use the same certificate as a client certificate into the IncompetentVPN service to relay the traffic. This is a very low cost attack.

All because someone was too lazy or incompetent to add a few bytes to a certificate.

Anyways, if this is the case, it is possible to tell OpenVPN to ignore EKU, but that's a really bad idea, and it isn't clear to me where the message quoted in the first post is originating. I suspect it is a FreeNAS middleware sanity check of the certificate, and because this is not only a best practice but also an important factor in SSL security, I wouldn't hold high hopes of the developers removing the check, and even if they did, OpenVPN would still need to be tweaked.

It would be better to prevail upon the VPN provider to secure their stuff properly, or find a better vendor.

And it's still a bad idea to expose your NAS to the Internet, so maybe you should be thanking them instead.
 
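Added example, written for this edit and not part of the thread, of TrueNAS or of OpenVPN: it covers both the `openssl x509 -noout -text` check jgreco gave earlier and the relay attack he describes in this post. The script builds a throwaway CA with openssl and issues three leaf certificates from one key pair (one restricted to clientAuth, one to serverAuth, one with no EKU at all), decodes the EKU the way the command above does, then runs `openssl verify -purpose` to ask whether each certificate would be accepted as a client and as a server. The CA, subject names and extension files are all constructed for the demo. The purpose check is the same job OpenVPN does for the peer certificate when a client config carries `remote-cert-tls server` (and a server config `remote-cert-tls client`).

```shell
#!/bin/sh
# Added example: how EKU restricts what a certificate can be used for.
# Everything below (CA, names, extension files) is constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA, self-signed, with explicit CA extensions. The CA extensions are
# given only through the extfile so no duplicate extension is ever produced.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo VPN CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
  -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1

# One key pair and CSR, reused for all three leaf certificates.
openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-user" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1

# sign_leaf NAME EXTFILE: issue $WORK/NAME.crt; pass '' for no extensions at all.
sign_leaf() {
  if [ -n "$2" ]; then
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 1 -extfile "$2" -out "$WORK/$1.crt" >/dev/null 2>&1
  else
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 1 -out "$WORK/$1.crt" >/dev/null 2>&1
  fi
}

printf 'keyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$WORK/server.ext"
sign_leaf client "$WORK/client.ext"   # what a VPN provider should hand a customer
sign_leaf server "$WORK/server.ext"   # what the VPN server should present
sign_leaf noeku  ""                   # the "few bytes missing" case from the thread

# eku_of CERT: the decode step from the thread; prints client, server or none
# (a cert carrying both would report client here, which is enough for the demo).
eku_of() {
  text=$(openssl x509 -in "$1" -noout -text)
  case $text in
    *"TLS Web Client Authentication"*) echo client ;;
    *"TLS Web Server Authentication"*) echo server ;;
    *) echo none ;;
  esac
}

# usable_as CERT PURPOSE: yes if the chain verifies for sslclient or sslserver.
usable_as() {
  if openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$1" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

for c in client server noeku; do
  printf '%-7s EKU=%-6s as-client=%-3s as-server=%s\n' "$c" \
    "$(eku_of "$WORK/$c.crt")" \
    "$(usable_as "$WORK/$c.crt" sslclient)" \
    "$(usable_as "$WORK/$c.crt" sslserver)"
done
```

The table it prints is the whole argument in three lines: the clientAuth certificate verifies as a client but is rejected as a server, the serverAuth one the other way round, and the certificate with no EKU passes both checks, so one customer's certificate could be presented to another customer as the server. Leaving `remote-cert-tls` out of a client config is the "ignore EKU" knob the post warns about: the client then only checks that the server's certificate chains to the provider CA, which every customer certificate does.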

greysave (Cadet, joined Aug 26, 2020, 9 messages)
@jgreco , Could you tell me why it would be bad practice to connect the NAS directly to a VPN services network? I ask because both Synology and QNAP offer this feature that we have to jump through hoops for.

I could get past the certificate exchange errors as the new update in truenas accepts the certificate from some of my VPN providers. Do you know how to pass the username and password as an OpenVPN parameter?
 

jgreco (Resident Grinch, joined May 29, 2011, 18,681 messages)
Most people who are using a "VPN service" are doing it to attach to the Internet in a misguided attempt to circumvent local legal restrictions on stuff like piracy, deep packet inspection by their ISP, etc.

So the question is, what's on the other end of your so-called "virtual private network"? Is it actually a private network of some sort, such as a company network, or are you accessing the Internet through it?

FreeNAS isn't designed to be connected to the Internet, whether "directly" through a ethernet interface (em0, bge0, etc) or indirectly through a VPN (tun0, etc).

It probably isn't particularly bright to connect a Synology or QNAP to the Internet, either. The amount of random port scanning and attacks against such devices, in conjunction with databases such as Shodan, mean that it is mostly a matter of time before you get victimized.
 