Solved openvpn ta.key preload fails

M

Mike White

Log Message: Cannot pre-load keyfile (ta.key)

Freebsd 12.2-RELEASE-p13
openvpn:
OpenVPN 2.5.7 i386-portbld-freebsd12.3 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Aug 12 2022

easyrsa:
Version: 3.1.0


Generated: Wed May 18 20:53:50 CDT 2022


SSL Lib: OpenSSL 1.1.1h-freebsd 24 Aug 2021

rc.conf:
openvpn_enable="YES"


openvpn_configfile="/usr/local/etc/openvpn/server/server.conf"

service.conf entry: tls-auth ta.key 0

ta.key location: /usr/local/etc/openvpn/server/ta.key [permissions 600]

ta.key generated using: openvpn --genkey --secret /usr/local/etc/openvpn/easy-rsa/pki/ta.key
then moved using: cp -r /usr/local/etc/openvpn/easy-rsa/pki/{ca.crt,dh.pem,ta.key,issued,private} /usr/local/etc/openvpn/server/

Have looked everywhere including this site and have been unable determine the issue. Looking for a good idea about why openvpn is unable to load the file. This is my first attempt at installing this package. I first updated to the latest packages and used pkg install openvpn to install the package. following instructions from https://kifarunix.com/install-and-configure-openvpn-server-freebsd-12/. easyrsa was installed as part of the openvpn package, at least I think so because it was there after openvpn was installed but I did not check before installing openvpn.

If more information is needed let me know.
 
Looking into ownership issues? ta.key ownership is root:wheel and openvpn is not in the wheel nor do I want it there? I can't change wheel to root, so have to understand that issue. Wondering is openvpn is enforcing ownership as there is a note about security associated with the config line. Any ideas there?
 
I commented out the TLS directive in the server.conf and openvpn started and everything looks good. That is a plus since now I have confirmed that the only issue is the ta.key file. maybe I'll rebuild and copy it again and see what happens because I want TLS in effect. I tried all kind of permissions except 777 I even used nobody as the owner but no change.
 
Ok, well I finally figure it out! Looks like a parser issue in openvpn when processing server.conf comments.

The sample server.conf distributed the tls directive as:

# what ever ...
tls-auth ta.key 0 # This file is secret

Then I commented the tls line like this:
;tls-auth ta.key 0 # This file is secret

and it had no effect so I moved the trailing comment above the tls line like this:

# what ever ...
# This file is secret
;tls-auth ta.key 0

and openvpn started as I stated above. So I uncommented the tls line and it still works but now with tls.

So I will be closing this issue knowing to put a comment on its own line in the server.conf file
 
You must log in or register to reply here.
Back
Top