Can't connect to OpenVPN. private key password verification failed


kimus....@gmail.com

Apr 24, 2014, 12:40:06 PM
to tunnelbli...@googlegroups.com
Hi,

I'm having trouble connecting to an OpenVPN network with Tunnelblick 3.4beta24 (build 3806).

Here is the log:


2014-04-24 15:47:48 *Tunnelblick: openvpnstart starting OpenVPN
2014-04-24 15:47:48 *Tunnelblick: Established communication with OpenVPN
2014-04-24 15:47:53 MANAGEMENT: CMD 'password [...]'
2014-04-24 15:47:53 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2014-04-24 15:47:53 OpenSSL ERROR code: 113
2014-04-24 15:47:53 MANAGEMENT: Client disconnected
2014-04-24 15:47:53 Error: private key password verification failed

I can verify that I'm using the right key:
$ openssl pkcs12 -in cert.p12 -nocerts -noout
Enter Import Password:
MAC verified OK


Config file (config.ovpn):
#OpenVPN Server conf
tls-client
client
dev tun
proto udp
tun-mtu 1400
remote <server> 4041
pkcs12 cert.p12
cipher BF-CBC
comp-lzo
verb 3
ns-cert-type server

So, can anyone help here?

jkbull...gmail.com

Apr 24, 2014, 1:19:27 PM
to tunnelbli...@googlegroups.com, kimus....@gmail.com
It would help if you posted the full Diagnostic Info; see Before You Post.

Helder Rossa

Apr 24, 2014, 1:40:08 PM
to
2014-04-24 18:38:08 *Tunnelblick: OS X 10.9.2; Tunnelblick 3.4beta24 (build 3806)
2014-04-24 18:38:08 *Tunnelblick: Attempting connection with ATX using shadow copy; Set nameserver = 1; monitoring connection
2014-04-24 18:38:08 *Tunnelblick: openvpnstart start ATX.tblk 1337 1 0 1 0 305 -ptADGNWradsgnw 2.2.1
2014-04-24 18:38:09 *Tunnelblick: openvpnstart log:
     Tunnelblick: Loading tun-signed.kext
     Tunnelblick:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
    
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SUsers-Skimus-SLibrary-SApplication Support-STunnelblick-SConfigurations-SATX.tblk-SContents-SResources-Sconfig.ovpn.1_0_1_0_305.1337.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Users/kimus/ATX.tblk/Contents/Resources
          --config
          /Library/Application Support/Tunnelblick/Users/kimus/ATX.tblk/Contents/Resources/config.ovpn
          --cd
          /Library/Application Support/Tunnelblick/Users/kimus/ATX.tblk/Contents/Resources
          --management
          127.0.0.1
          1337
          --management-query-passwords
          --management-hold
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -f -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -f -ptADGNWradsgnw

2014-04-24 18:38:09 *Tunnelblick: Established communication with OpenVPN
2014-04-24 18:38:09 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Apr 18 2014
2014-04-24 18:38:09 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2014-04-24 18:38:09 Need hold release from management interface, waiting...
2014-04-24 18:38:09 MANAGEMENT: Client connected from 127.0.0.1:1337
2014-04-24 18:38:09 MANAGEMENT: CMD 'pid'
2014-04-24 18:38:09 MANAGEMENT: CMD 'state on'
2014-04-24 18:38:09 MANAGEMENT: CMD 'state'
2014-04-24 18:38:09 MANAGEMENT: CMD 'bytecount 1'
2014-04-24 18:38:09 MANAGEMENT: CMD 'hold release'
2014-04-24 18:38:09 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2014-04-24 18:38:09 *Tunnelblick: openvpnstart starting OpenVPN
2014-04-24 18:38:12 MANAGEMENT: CMD 'password [...]'
2014-04-24 18:38:12 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2014-04-24 18:38:12 OpenSSL ERROR code: 113
2014-04-24 18:38:12 MANAGEMENT: Client disconnected
2014-04-24 18:38:12 Error: private key password verification failed
2014-04-24 18:38:12 Exiting
2014-04-24 18:38:13 *Tunnelblick: No 'post-disconnect.sh' script to execute
2014-04-24 18:38:13 *Tunnelblick: Expected disconnection occurred.



Helder Rossa

Apr 24, 2014, 2:00:53 PM
to tunnelbli...@googlegroups.com
Diagnostic Info
tunnelblick_diagnostics.txt

jkbull...gmail.com

Apr 24, 2014, 3:09:18 PM
to tunnelbli...@googlegroups.com, kimus....@gmail.com
Thanks for supplying the diagnostic info.

I assume that Tunnelblick does ask you for the private key ("passphrase") and you enter it.

Does the private key have any "special" characters -- anything other than a-z, A-Z, and 0-9? If so, without telling me the password, can you tell which special characters are in the password?


On Thursday, April 24, 2014 2:00:53 PM UTC-4, Helder Rossa wrote:
Diagnostic Info

Helder Rossa

Apr 24, 2014, 5:07:28 PM
to tunnelbli...@googlegroups.com, kimus....@gmail.com
Tunnelblick does ask for the private key. I once saved it in Keychain but, to make sure it was using the 'right' key, I removed it from Keychain and entered it manually. And no special characters in the private key, only normal a-z and 0-9.

jkbull...gmail.com

Apr 25, 2014, 6:57:41 AM
to tunnelbli...@googlegroups.com, kimus....@gmail.com
One thing you should do is try a different version of OpenVPN -- 2.3.2 or 2.3.3. You can change that on Tunnelblick's "Settings" tab after selecting one or more configurations on the left of the "VPN Details…" window.

The only other thing I can think of is that the "openssl" command is accepting a private key that the OpenSSL library built into Tunnelblick does not accept.

Tunnelblick 3.4beta24 contains version 1.0.1g of the OpenSSL library. If you are using Mavericks, you are probably using version 0.9.8y of the "openssl" command. Perhaps it is a problem with the different versions, or perhaps the OpenSSL library built into Tunnelblick was built using different build parameters that don't include some particular encryption or hash method that the "openssl" command does include.

You can try using the "openssl" command on your Mac to change the private key. If the private key was generated on some other machine or some other version of OpenSSL originally, maybe this will fix the problem.

I'm not an OpenSSL expert, but I think you can change the private key as follows:

openssl pkcs12 -des -in cert.p12 -out cert.new.p12
mv cert.p12     cert.ORIGINAL.p12
mv cert.new.p12 cert.p12

(I'm not sure about the "-des", though. It might be necessary to remove the private key encryption first with something other than "-des", then add it back in using "-des".)

Perhaps someone more knowledgeable about OpenSSL can chime in?

Helder Rossa

Apr 25, 2014, 7:48:16 AM
to tunnelbli...@googlegroups.com, kimus....@gmail.com
What I found out is that the cert.p12 in the Tunnelblick Application Support folder is not the same as the original. I tried the same verification and it failed.
When I copy and replace it with the original, a popup tells me that "Tunnelblick needs to create or update a secure (shadow) copy of the configuration file". If I do that it changes the file again...

the original: MD5 (cert.p12) = 1f370c0d6e4f8d2f749612f115994753
after the 'update': MD5 (cert.p12) = de245b8887b0f35032b7a2ff60eb2ef7
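The three checks that run through this thread, put together as an added example (this is not code from the thread, from Tunnelblick or from OpenVPN): the MAC/passphrase verification from the first post, jkbullard's idea of unwrapping and re-wrapping the PKCS#12 file with the openssl command so the bundle uses algorithms that a different OpenSSL build can read, and the MD5 comparison used above to notice that a deployed copy no longer matches the original. Instead of the bare "-des" flag, the re-wrap names the key PBE, certificate PBE and MAC digest explicitly (SHA-1/3DES, the historical PKCS#12 defaults that both old 0.9.8 command lines and current builds understand; RC2-based PBE is the one that modern OpenSSL 3 builds only read with the legacy provider). Everything else (the temp directory, the self-signed demo certificate, the passphrase, the file names) is constructed for the demo; the script assumes only that the openssl command is on the PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tunnelblick: exercise the
# three checks discussed in the thread against a throwaway PKCS#12 bundle.
#   verify_bundle   - the MAC/passphrase check from the first post
#   reexport_legacy - unwrap and re-wrap the bundle with explicitly named
#                     PBE algorithms instead of the bare "-des" flag
#   digest_of       - the MD5 comparison used to spot a rewritten file
# Temp dir, passphrase, subject and file names are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='constructedpass2014'   # constructed; a-z and 0-9 only, like the poster's

# Throwaway key, self-signed cert and PKCS#12 bundle, written with whatever
# PBE algorithms the running openssl uses by default.
make_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-client' \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -out "$WORK/cert.p12" -passout "pass:$PASS"
}

# The check from the first post, with the passphrase supplied non-interactively.
# Prints "ok" when the MAC verifies with this passphrase, "fail" otherwise.
verify_bundle() {   # $1 = bundle, $2 = passphrase
    if openssl pkcs12 -in "$1" -nocerts -noout -passin "pass:$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Print the MAC digest and the PBE algorithms inside a bundle: this is what
# another OpenSSL build (e.g. the one linked into the VPN client) must support.
pbe_algorithms() {   # $1 = bundle, $2 = passphrase
    openssl pkcs12 -info -in "$1" -passin "pass:$2" -noout 2>&1
}

# Unwrap the bundle and re-wrap it with SHA-1/3DES PBE and a SHA-1 MAC.
# The unencrypted intermediate PEM exists only inside the private temp dir,
# is created with mode 0600 (umask 077) and is removed immediately.
reexport_legacy() {   # $1 = input bundle, $2 = output bundle, $3 = passphrase
    (
        umask 077
        openssl pkcs12 -in "$1" -passin "pass:$3" -nodes \
            -out "$WORK/unwrapped.pem" 2>/dev/null
        openssl pkcs12 -export -in "$WORK/unwrapped.pem" -out "$2" -passout "pass:$3" \
            -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
        rm -f "$WORK/unwrapped.pem"
    )
}

# MD5 of a file via openssl, so the same line works on macOS and Linux.
digest_of() {   # $1 = file
    openssl dgst -md5 "$1" | awk '{print $NF}'
}

# Demo run: build, verify with right and wrong passphrase, re-wrap, compare.
make_bundle
echo "original verifies:   $(verify_bundle "$WORK/cert.p12" "$PASS")"
echo "wrong passphrase:    $(verify_bundle "$WORK/cert.p12" notthepass)"
reexport_legacy "$WORK/cert.p12" "$WORK/cert.new.p12" "$PASS"
echo "re-wrapped verifies: $(verify_bundle "$WORK/cert.new.p12" "$PASS")"
echo "MD5 original:   $(digest_of "$WORK/cert.p12")"
echo "MD5 re-wrapped: $(digest_of "$WORK/cert.new.p12")"
pbe_algorithms "$WORK/cert.new.p12" "$PASS"
```

Two things worth noticing when running it: the re-wrapped bundle always has a different MD5 from the original even though it holds the same key and certificate, because PKCS#12 uses fresh random salts on every export, so a changed digest alone says only that a file was rewritten, not that its contents changed; and the pbe_algorithms output is the quick way to tell which PBE and MAC algorithms a bundle requires before handing it to a client that links a different OpenSSL than the command line does.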

Helder Rossa

Apr 25, 2014, 8:01:27 AM
to tunnelbli...@googlegroups.com, kimus....@gmail.com
Removed all configurations, prepared a new .tblk folder, and now it works... go figure... :-)