OpenVPN Kali

markulous Member Posts: 2,394
Has anyone had any experience setting up OpenVPN on a Kali client? Or any Linux client?

I searched the heck out of this issue and I'm not seeing a solution. I'm wondering if the config we have is just not compatible with Linux. It works great on Windows machines (although there's a nice msi for them too).

Basically, the way we have it configured on our firewall is to authenticate with a username/password, a static key, and a p12 cert that they have installed on their client. When I go to the client configuration, select to authenticate with a password and cert from the dropdown, and select the certificate, it won't let me select the private key also, it puts the certificate in that field. If I force the .key file in the key field then it clears out the certificates. The only way it accepts the key file is if I set the authentication as a static key, but then that won't work because I need a username/password. I've tried it with the .ovpn config file and setting it up manually and it does the same thing.

Any ideas?

Comments

  • wd40 CISA, eJPT, MCP, MCTS, CompTIA x 6 Member Posts: 1,016
    I was trying to configure a VPN connection on Kali and it kept failing.

    The solution was
    sudo apt-get install network-manager-openvpn
    sudo apt-get install network-manager-openvpn-gnome
    sudo service network-manager restart

    Then try to configure the VPN connection.

    Disclaimer: :D I am not really sure why this fixed my issue and cannot guarantee that it will work for you.
  • markulous Member Posts: 2,394
    I didn't do the restart of the service but I installed both of those packages. I just tried it now and it still does the same thing. It pulls the cert into that private key field and asks me for the certificate password. I'm thinking there's no way to do it unless I make it only authenticate by username/password or have a CA setup for asymmetric encryption.
  • wd40 CISA, eJPT, MCP, MCTS, CompTIA x 6 Member Posts: 1,016
    I am using user / password + a CA Certificate - AES-256-CBC Cipher and SHA-1 Authentication + Additional TLS authentication with a key file.

    Not sure if what I said is logical, I am just reading the configuration :D
  • markulous Member Posts: 2,394
    No that makes sense. Here's my config. But as I mentioned, I tried doing it manually and it still wouldn't work so probably not the config file itself.

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA256
    tls-client
    client
    resolv-retry infinite
    remote x.x.x.x (port#) udp
    lport 0
    verify-x509-name "VPNSever" name
    auth-user-pass
    pkcs12 cert.p12
    tls-auth key.key 1
    ns-cert-type server
  • wd40 CISA, eJPT, MCP, MCTS, CompTIA x 6 Member Posts: 1,016
    Maybe the service restart part is mandatory?
  • markulous Member Posts: 2,394
    Perhaps but like I said I did try that once you posted that and it still behaved that way. It's like it won't let me use a password and a static key at the same time.
  • Cyberscum Member Posts: 795
    Are all your clients using the same private key or are you issuing every client a key from a CA server in your net?

    Are you installing through terminal or using a GUI?
  • Cyberscum Member Posts: 795
    If you are comfortable using the terminal, here is a great setup you can use with advanced authentication using passwords as well. It's written for Ubuntu, but Kali is Debian-based so it should be the same.
    This is for a server/CA setup so if you already have that you will have to change the c files to reflect the correct cert/path/etc...

    https://help.ubuntu.com/lts/serverguide/openvpn.html
  • markulous Member Posts: 2,394
    We don't have an internal CA setup so I'm pretty sure it was set up for the pfSense FW we're using.

    I installed OpenVPN on my Kali box through the CLI, but I'm trying to add the cert/key through the GUI.

    I can try modifying the config file on that per the document. It essentially says that but we have a few other options in there.
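
Added example, not part of any post in this thread: a small Python check that lists which credential layers an OpenVPN client config uses and flags directives that cannot coexist. It goes slightly beyond the posted config by also handling `secret` (static-key mode), which is a different thing from the `tls-auth` key used on top of TLS mode. The function names, the remote address and the port are assumptions made for the example.

```python
import shlex

# Constructed sample: the authentication-related lines of the config posted
# above; the redacted remote address and port are placeholders (assumptions).
SAMPLE = """cipher AES-256-CBC
auth SHA256
tls-client
client
remote 192.0.2.10 1194 udp
verify-x509-name "VPNSever" name
auth-user-pass
pkcs12 cert.p12
tls-auth key.key 1
ns-cert-type server
"""

def parse(text):
    """Map each directive to its argument list; skip blanks and #/; comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, *args = shlex.split(line)
            opts[name] = args
    return opts

def audit(text):
    """Return (credential layers in use, conflicting or deprecated directives)."""
    o = parse(text)
    tls_mode = "client" in o or "tls-client" in o
    # tls-auth is an HMAC key added to the TLS control channel; secret selects
    # static-key mode, which has no TLS and so no certificates or passwords.
    layers = [label for label, used in [
        ("username/password", "auth-user-pass" in o),
        ("client certificate", "pkcs12" in o or {"cert", "key"} <= o.keys()),
        ("tls-auth key", "tls-auth" in o),
        ("static key (secret)", "secret" in o)] if used]
    problems = []
    if "secret" in o and (tls_mode or "auth-user-pass" in o):
        problems.append("secret cannot be combined with TLS mode")
    if "tls-auth" in o and not tls_mode:
        problems.append("tls-auth needs TLS mode (client/tls-client)")
    if "pkcs12" in o and ("cert" in o or "key" in o):
        problems.append("pkcs12 already carries cert and key")
    if "ns-cert-type" in o:
        problems.append("ns-cert-type is deprecated; use remote-cert-tls")
    return layers, problems
```

Calling `audit(SAMPLE)` returns the layers list and the problems list as a tuple; an empty problems list means none of these four checks fired.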