gluetun: VPNSecure.me not working due to openssl upgrade and no longer secured DES encryption for keys

Hi,

So, I am unable to get this working via VPNSecure.me. I followed the wiki exactly. The error I’m getting is:

2023-03-12T05:12:10Z INFO [openvpn] Cannot load private key file [[INLINE]]
2023-03-12T05:12:10Z INFO [openvpn] SIGUSR1[soft,private-key-password-failure] received, process restarting

I did pass in my VPNSecure.me passthrough through OPENVPN_KEY_PASSPHRASE.

I did upload client.crt and openvpn_encrypted_key files on my server.

It looks like the passphrase can’t decrypt the encrypted key file.

I also should write that I’m running docker on a Synology box. The tun module is loaded.

Any other pointers? I will follow up.

About this issue

  • Original URL
  • State: closed
  • Created a year ago
  • Comments: 18 (4 by maintainers)

Most upvoted comments

Just tried it and qmcgaw/gluetun:pr-1471 now works with my ‘old ugly DES encrypted key’ 👍

+2
kevocl on Apr 1, 2023

Here’s what I think happened: OpenSSLv3 deprecates des encryption, used by VPNSecure to encrypt the client private key. To use latest, just re-encrypt it using aes, as follows (using macOS and homebrew):

/opt/homebrew/opt/openssl@1.1/bin/openssl pkcs8 -v2 aes256 -in /tmp/pk.pem -topk8 -out /tmp/pk.new.pem

Replace pk.pem with the old private key (e.g. openvpn_encrypted_key). Move the result to openvpn_encrypted_key.

+2
aldur on Mar 19, 2023

Cracked it (openssl was decrypting to pkcs1 format so that was just a format mismatch). Can any of you try image qmcgaw/gluetun:pr-1471 see how it behaves (with your old ugly DES encrypted key)? Thanks!

+1
qdm12 on Mar 25, 2023

First things first: thank you for your work!

Let’s sort this out: The PKCS #8 RFC states that the format does include the encryption algorithm:

Private-key information shall have ASN.1 type PrivateKeyInfo:

  PrivateKeyInfo ::= SEQUENCE {
    version                   Version,
    privateKeyAlgorithm       PrivateKeyAlgorithmIdentifier,
    privateKey                PrivateKey,
    attributes           [0]  IMPLICIT Attributes OPTIONAL }

In openssl, you can get it as follows:

openssl asn1parse -inform pem -in pk.pem

Will output something like this before conversion

...
50:d=4  hl=2 l=   5 prim: OBJECT            :des-cbc
...

And after:

...
   64:d=4  hl=2 l=   9 prim: OBJECT            :aes-256-cbc
...

That said: what version of OpenSSL were you trying to use? For the command to work, we need v1 – which means we’d have to ship it in the container.

Also, assuming v1.1 available: the command to re-encrypt seems to be idem-potent. So assuming we can feed it the password, we could also consider just re-running it every time.

If you push the “rabbit hole” code somewhere, I can take a stab at it.

+1
aldur on Mar 23, 2023
Read more comments on GitHub
← gluetun: Synology wget: error getting response: Connection reset by peer
angular-webpack-starter: AOT scripts failing →