Netgate Discussion Forum

    Can't get OpenVPN to work

    OpenVPN
    18 Posts 4 Posters 1.9k Views
    viragomann @pixel24

      @pixel24
      Doesn't really show much at all. I assume the "example-Club" is your replacement of the destination host name?

      However, as far as I know, the NetworkManager OpenVPN plugin doesn't like separate CA and client certs.
      I only succeed with it by using an encrypted pkcs12 file ("Password Protect Certificate" checked in the export utility and a password stated).
      Then I downloaded the archive and extracted it on the client.
      You may import the .ovpn file in NM, but then ensure that all the paths of CA, client cert and private key go to the p12 file and enter the password for the p12. The TLS key has to be stated additionally on the security tab.

      pixel24 @viragomann

        @viragomann said in Can't get OpenVPN to work:

        Doesn't really show much at all. I assume the "example-Club" is your replacement of the destination host name?

        Yes, I have replaced the real part of the name with example.

        This log file was written when I tried to establish the VPN connection from the LAN.

        I have just tried it again "from outside". I can get more information here:

        Feb 25 12:55:08 lt001 NetworkManager[709]: <info>  [1645790108.3077] audit: op="connection-activate" uuid="9e6a7e66-3741-4d0c-b4c1-96edc5d329ab" name="Example-Club" pid=10803 uid=1049601120 result="success"
        Feb 25 12:55:08 lt001 NetworkManager[709]: <info>  [1645790108.3116] vpn-connection[0x564dc19e4520,9e6a7e66-3741-4d0c-b4c1-96edc5d329ab,"Example-Club",0]: Started the VPN service, PID 15691
        Feb 25 12:55:08 lt001 NetworkManager[709]: <info>  [1645790108.3168] vpn-connection[0x564dc19e4520,9e6a7e66-3741-4d0c-b4c1-96edc5d329ab,"Example-Club",0]: Saw the service appear; activating connection
        Feb 25 12:55:08 lt001 NetworkManager[709]: <info>  [1645790108.3667] vpn-connection[0x564dc19e4520,9e6a7e66-3741-4d0c-b4c1-96edc5d329ab,"Example-Club",0]: VPN plugin: state changed: starting (3)
        Feb 25 12:55:08 lt001 NetworkManager[709]: <info>  [1645790108.3667] vpn-connection[0x564dc19e4520,9e6a7e66-3741-4d0c-b4c1-96edc5d329ab,"Example-Club",0]: VPN connection: (ConnectInteractive) reply received
        Feb 25 12:55:08 lt001 nm-openvpn[15701]: WARNING: file '/data01/Sicherheit/OVPN/Example-Club/gate01-UDP4-1194/gate01-UDP4-1194-tls.key' is group or others accessible
        Feb 25 12:55:08 lt001 nm-openvpn[15701]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021
        Feb 25 12:55:08 lt001 nm-openvpn[15701]: library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
        Feb 25 12:55:08 lt001 nm-openvpn[15701]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        Feb 25 12:55:08 lt001 nm-openvpn[15701]: TCP/UDP: Preserving recently used remote address: [AF_INET]37.49.18.169:1194
        Feb 25 12:55:08 lt001 nm-openvpn[15701]: UDPv4 link local: (not bound)
        Feb 25 12:55:08 lt001 nm-openvpn[15701]: UDPv4 link remote: [AF_INET]37.49.18.169:1194
        Feb 25 12:55:08 lt001 nm-openvpn[15701]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
        Feb 25 12:55:08 lt001 nm-openvpn[15701]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
        Feb 25 12:55:08 lt001 nm-openvpn[15701]: VERIFY ERROR: depth=2, error=unable to get issuer certificate: C=US, O=Internet Security Research Group, CN=ISRG Root X1
        Feb 25 12:55:08 lt001 nm-openvpn[15701]: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
        Feb 25 12:55:08 lt001 nm-openvpn[15701]: TLS_ERROR: BIO read tls_read_plaintext error
        Feb 25 12:55:08 lt001 nm-openvpn[15701]: TLS Error: TLS object -> incoming plaintext read error
        Feb 25 12:55:08 lt001 nm-openvpn[15701]: TLS Error: TLS handshake failed
        Feb 25 12:55:08 lt001 nm-openvpn[15701]: SIGUSR1[soft,tls-error] received, process restarting
        Feb 25 12:55:13 lt001 nm-openvpn[15701]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        Feb 25 12:55:13 lt001 nm-openvpn[15701]: TCP/UDP: Preserving recently used remote address: [AF_INET]37.49.18.169:1194
        Feb 25 12:55:13 lt001 nm-openvpn[15701]: UDPv4 link local: (not bound)
        Feb 25 12:55:13 lt001 nm-openvpn[15701]: UDPv4 link remote: [AF_INET]37.49.18.169:1194
        
        viragomann @pixel24

          @pixel24
          So the client cannot verify the issuer certificate.

          Are the server and client certs issued by an intermediate CA?

          Did you provide the p12 file in the meantime?
          It should include all needed certs.
          If you use PEM style files, you have to combine CA and intermediate manually.

          pixel24 @viragomann

            @viragomann said in Can't get OpenVPN to work:

            Are the server and client certs issued by an intermediate CA?

            As far as I understand it, yes:
            [screenshots]

            What surprises me is that the Client Export field says "No Cert":

            [screenshot]

            I download the bundle, unpack it:

            [screenshot]

            Import it:

            [screenshot]

            But the error remains the same:

            Feb 25 13:58:14 lt001 nm-openvpn[19759]: VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=R3
            Feb 25 13:58:14 lt001 nm-openvpn[19759]: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
            Feb 25 13:58:14 lt001 nm-openvpn[19759]: TLS_ERROR: BIO read tls_read_plaintext error
            Feb 25 13:58:14 lt001 nm-openvpn[19759]: TLS Error: TLS object -> incoming plaintext read error
            Feb 25 13:58:14 lt001 nm-openvpn[19759]: TLS Error: TLS handshake failed
            

            @viragomann said in Can't get OpenVPN to work:

            Did you provide the p12 file in the meantime?

            Where exactly do I do that?

            @viragomann said in Can't get OpenVPN to work:

            It should include all needed certs.
            If you use PEM style files, you have to combine CA and intermediate manually.

            How exactly do I have to proceed here?

            viragomann @pixel24 (last edited by viragomann)

              @pixel24 said in Can't get OpenVPN to work:

              What surprises me is that the Client Export field says "No Cert":

              This refers to the user cert.
              So there might be no client cert assigned to that user.

              But it's not clear how this should be accepted by the client. When you set up an SSL OpenVPN, a client cert is required.

              viragomann @pixel24 (last edited by viragomann)

                @pixel24
                Just noticed that your server is in "user auth" mode. So it doesn't require any CA and cert at all.
                But I'm wondering why it is providing the CA and server cert stuff in this mode.

                You have to set the server into SSL/TLS (+Auth) mode to use SSL certificates.

                It should include all needed certs.
                If you use PEM style files, you have to combine CA and intermediate manually.

                How exactly do I have to proceed here?

                [screenshots]

                pixel24 @viragomann

                  @viragomann said in Can't get OpenVPN to work:

                  Just noticed that your server is in "user auth" mode. So it doesn't require any CA and cert at all.
                  But I'm wondering why it is providing the CA and server cert stuff in this mode.
                  You have to set the server into SSL/TLS (+Auth) mode to use SSL certificates.

                  That's how I've always done it so far and never had any problems. However, it was version 2.5. Now I have 2.6.

                  I have removed the access on the laptop again, changed the OpenVPN server to "SSL/TLS (+Auth) mode" and activated the password protection for the pkcs12 file.

                  However, the option to download the package for the client is missing under "OpenVPNClient -> Export Utility".

                  pixel24 @pixel24

                    [screenshot]

                    viragomann @pixel24

                      @pixel24 said in Can't get OpenVPN to work:

                      However, the option to download the package for the client is missing under "OpenVPNClient -> Export Utility".

                      This is only available if there is any user on the system who has assigned a certificate from the same CA as the selected server.

                      As your upper screenshot shows, you're using an external user database. But I don't know how to assign user certs in this case.

                      pixel24 @viragomann

                        @viragomann I have specified the Let's Encrypt CA and the real certificate of the host in the OpenVPN server. This does not work although the certificate has been signed and is valid.

                        I have now set up an internal CA for OpenVPN again. Auth: User & Pass. Package imported on the client.

                        Works.

                        viragomann @pixel24

                          @pixel24 said in Can't get OpenVPN to work:

                          I have specified the Let's Encrypt CA and the real certificate of the host in the OpenVPN server.

                          No, not this.
                          The client needs both, the CA cert and the intermediate cert, to verify the server certificate, as far as I know. That's what the client error log hints to me.

                          So when you use a p12 file, both should be included. When using a PEM file (crt) you can simply bundle both with a text editor.

                          Gertjan @pixel24
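The two VERIFY ERROR lines quoted earlier in this thread (depth=2 naming ISRG Root X1, then depth=1 naming R3) and the "group or others accessible" warning on the tls.key are the kind of lines a quick client-side triage can classify. This is an added example, not code from the thread or from NetworkManager/OpenVPN; the sample log is a constructed excerpt of the lines pixel24 posted, and the remediation hints follow viragomann's point above that the certificate which issued the named cert must be in the client's CA/p12 bundle.

```python
import re

# Constructed sample: a few of the nm-openvpn lines quoted in this thread, not a full log.
SAMPLE_LOG = """\
Feb 25 12:55:08 lt001 nm-openvpn[15701]: WARNING: file '/data01/Sicherheit/OVPN/Example-Club/gate01-UDP4-1194/gate01-UDP4-1194-tls.key' is group or others accessible
Feb 25 12:55:08 lt001 nm-openvpn[15701]: VERIFY ERROR: depth=2, error=unable to get issuer certificate: C=US, O=Internet Security Research Group, CN=ISRG Root X1
Feb 25 12:55:08 lt001 nm-openvpn[15701]: TLS Error: TLS handshake failed
Feb 25 13:58:14 lt001 nm-openvpn[19759]: VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=R3
Feb 25 13:58:14 lt001 nm-openvpn[19759]: TLS Error: TLS handshake failed
"""

VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<error>[^:]+): (?P<subject>.+)$")
PERM_RE = re.compile(r"WARNING: file '(?P<path>[^']+)' is group or others accessible")


def parse_dn(dn):
    """'C=US, O=Let's Encrypt, CN=R3' -> {'C': 'US', 'O': "Let's Encrypt", 'CN': 'R3'}"""
    return dict(part.strip().split("=", 1) for part in dn.split(", "))


def triage(log_text):
    """Classify each nm-openvpn line; returns a list of findings with a remediation hint."""
    findings = []
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            cn = parse_dn(m.group("subject")).get("CN")
            err = m.group("error").strip()
            if err == "unable to get issuer certificate":
                # OpenSSL reached the named cert in the server's chain but could not find
                # who signed it, so the client's CA file lacks that issuer (root or intermediate).
                hint = f"add the certificate that issued CN={cn} to the client CA/p12 bundle"
            else:
                hint = f"inspect certificate CN={cn}: {err}"
            findings.append({"kind": "verify", "depth": int(m.group("depth")), "cn": cn, "hint": hint})
            continue
        m = PERM_RE.search(line)
        if m:
            # OpenVPN warns because the TLS key is readable by other local users.
            findings.append({"kind": "key_perms", "path": m.group("path"),
                             "hint": "restrict the key file to its owner (mode 0600)"})
        elif "TLS handshake failed" in line:
            findings.append({"kind": "handshake_failed", "hint": "see the preceding VERIFY ERROR"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], f.get("cn") or f.get("path") or "", "->", f["hint"])
```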

                            @pixel24 said in Can't get OpenVPN to work:

                            OpenVPN 2.4.7

                            pfSense uses OpenVPN 2.5.4

                            I won't say: it couldn't work.
                            I will say: only experts will try to mix the 2.5.x series with the 2.4.x series ;)

                            Btw: no need to use a certificate from Let's Encrypt.
                            See the Netgate channel on YouTube, the official OpenVPN videos. These videos are old, but still very valid.

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit : and where are the logs ??

                              viragomann @Gertjan

                              @gertjan said in Can't get OpenVPN to work:

                              pfSense uses OpenVPN 2.5.4
                              I won't say: it couldn't work.
                              I will say: only experts will try to mix the 2.5.x series with the 2.4.x series ;)

                              So I'm an expert, obviously. 😊

                              We never had issues here with OpenVPN 2.5.2 on pfSense and 2.4.x and 2.5.x on Windows and 2.4.x Linux clients.

                                Gertjan @viragomann

                                @viragomann said in Can't get OpenVPN to work:

                                obviously

                                Very possible 👍

                                I guess you've been cheating, that is, reading the OpenVPN release notes so you knew what 2.4.x option (server or client) can be used with a 2.5.x server or client.


                                  JKnott @Gertjan

                                  @gertjan

                                  That setting doesn't work for me in the issue I've been having.

                                  PfSense running on Qotom mini PC
                                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                  UniFi AC-Lite access point

                                  I haven't lost my mind. It's around here...somewhere...

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.