[SOLVED] OpenVPN guide: Enter PEM pass phrase

I'm setting up an OpenVPN server on a standard OpenWRT 18.06.1 using the guide at https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic.

After starting create-certs I'm asked "Enter PEM pass phrase". I assumed that a pass phrase is not required (even unwanted) so I pressed the ENTER key after which the script continues, is this the correct thing to do?

I do get a non-blocking message "vpnclient.csr: No such file or directory", does that mean anything?

(Moved to the Installing and Using OpenWrt section - in hopes others may see and assist with your issue.)

@marcoblom Encrypting the client key is not required, but is highly recommended, and if it's a client key for an Android device, the key must me encrypted, as Android has a non-customizable 771 permission structure for user land storage.

I'm not sure why it wouldn't be creating the the CSR for the client, as the command that's being ran is:

# Generating Client Cert & Key
openssl req -batch -new -keyout "vpnclient.key" -out "vpnclient.csr" -subj "/CN=vpnclient" -config "$PKI_CONF"

# Signing Client Cert
openssl ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "vpnclient.csr" -out "vpnclient.crt" -config "$PKI_CONF" -extensions "vpnclient"

Please run the following script, do not encrypt the first client cert, but do encrypt the second.

#!/bin/sh

CSR="/tmp/csr-output"
PKI_CONF="$PKI_DIR/openssl.cnf"
PKI_DIR="/tmp/ossl"

mkdir -p "$PKI_DIR"
chmod -R 600 "$PKI_DIR"
cd "$PKI_DIR"
touch index.txt index
echo 10000 > serial
cp -f /etc/openvpn/ssl/openssl.cnf "$PKI_DIR"

printf "\nCreating CA...\n"
openssl req -batch -nodes -new -keyout "ca.key" -out "ca.crt" -x509 -config "$PKI_CONF" -days "3650"

printf "\nCreating Unecnrypted Client Key...\n\n"
printf %b "    DO NOT ENCRYPT this client key...\n\n"
  openssl req -batch -new -keyout "vpnclient1.key" -out "vpnclient1.csr" -subj "/CN=vpnclient" -config "$PKI_CONF"
  openssl ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "vpnclient1.csr" -out "vpnclient1.crt" -config "$PKI_CONF" -extensions "vpnclient"

printf "\nCreating Encrypted Client Key...\n\n"
printf %b "    DO ENCRYPT this client key...\n"
  openssl req -batch -new -keyout "vpnclient2.key" -out "vpnclien2.csr" -subj "/CN=vpnclient" -config "$PKI_CONF"
  openssl ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "vpnclient2.csr" -out "vpnclient2.crt" -config "$PKI_CONF" -extensions "vpnclient"

printf "\nPlease post the output of /tmp/csr-output in forum reply IF receiving CSR error"

  printf %b"  # vpnclient1.csr #\n\n"
    openssl req -in vpnclient1.csr -noout -text > $CSR

  printf "\n\n\n" >> $CSR

  printf %b"  # vpnclient2.csr #\n\n"
    openssl req -in vpnclient2.csr -noout -text >> $CSR

1 Like

Thanks for the help.

I again tried the script create-certs.sh from https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic but this time I DID enter a pass phrase. That worked, it now creates the file vpnclient.csr and correctly creates other files in /etc/openvpn that were 0 bytes on my first try. The script create-ovpn.sh now also works (it didn't the first time). Perhaps it also helped that I rebooted my router between the first try yesterday and the second, successful try today.

I didn't try the alternate script provided in this topic.

Can you PM the openssl.cnf, as I utilize a custom one I created years ago, which is what the OpenSSL PKI wiki utilizes. My hunch is one of the req sections in the default openssl.cnf, likely req_attributes, is the cause of not generating a CSR if a passphrase is not provided when the command does not include -nodes.

Sure, thanks for checking it, PM sent.

It's due to the [ req_attributes ] section, which stipulates the minimum password length is 4 characters.

Unless the key is for a server, private keys should always be encrypted with a passphrase, else you're opening a massive hole in the security of the VPN and all data flowing through its tunnel.

Thanks! Can you perhaps update https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic with this information?

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.