[SOLVED] OpenVPN + 1 User + Multiple PCs = Certificate expired
-
I've been googling this for a couple of days and not getting anywhere.
I am setting up a new pfSense firewall. It is replacing our old Watchguard, which did L2TP. pfSense was having problems with L2TP and clients behind NAT routers (99.9% of users), so I tried OpenVPN with RADIUS.
It worked very nicely, for the first user on the first PC. I generated the download packet and installed it on my first laptop, connected fine. Took the install packet with me and installed it on my second laptop and it says that the key has expired. I look in the Windows certificate store and the certificate is valid until 2027! Try the first laptop again and it still works.
I then created a second user, key generated, install packet generated, installed on laptop 1, works. Installed on laptop 2, certificate expired.
Am I doing something wrong, or do I need to really create a unique key for each user and each laptop combination? That would be several thousand combinations!
Am I missing a setting or is there an easier way to do this?
-
You can use the same certificate on multiple devices so long as they are not connected at the same time.
The dates for the certificate are in the certificate itself. If something claims it is expired, something is likely wrong with the time/date on the computer claiming it's expired.
What exactly says it's expired? Post the full log messages and/or error messages displayed.
-
Here is the OpenVPN log from the 2nd PC:
Sun Apr 09 11:43:54 2017 Warning: cryptapicert used, setting maximum TLS version to 1.1.
Sun Apr 09 11:43:54 2017 OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 27 2016
Sun Apr 09 11:43:54 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Apr 09 11:43:54 2017 library versions: OpenSSL 1.0.2i 22 Sep 2016, LZO 2.09
Sun Apr 09 11:44:02 2017 WARNING: Your certificate has expired!
Sun Apr 09 11:44:02 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]1.1.1.1:1194
Sun Apr 09 11:44:02 2017 UDP link local (bound): [AF_INET][undef]:1194
Sun Apr 09 11:44:02 2017 UDP link remote: [AF_INET]1.1.1.1:1194
Sun Apr 09 11:44:02 2017 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
The certificate is valid through to 2027 and the same certificate works fine on the other PC - I used the same installer on both PCs. The first PC was switched off, so there wasn't a conflict there.
Edit: Here is the log from the other PC:
Sun Apr 09 11:51:23 2017 Warning: cryptapicert used, setting maximum TLS version to 1.1.
Sun Apr 09 11:51:23 2017 OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 27 2016
Sun Apr 09 11:51:23 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Apr 09 11:51:23 2017 library versions: OpenSSL 1.0.2i 22 Sep 2016, LZO 2.09
Sun Apr 09 11:51:28 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]1.1.1.1:1194
Sun Apr 09 11:51:28 2017 UDP link local (bound): [AF_INET][undef]:1194
Sun Apr 09 11:51:28 2017 UDP link remote: [AF_INET]1.1.1.1:1194
Sun Apr 09 11:51:28 2017 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
Sun Apr 09 11:51:28 2017 [185.74.183.149] Peer Connection Initiated with [AF_INET]1.1.1.1:1194
Sun Apr 09 11:51:29 2017 open_tun
Sun Apr 09 11:51:29 2017 TAP-WIN32 device [Ethernet 3] opened: \.\Global{E92DAAAC-573A-4856-B177-DFDD460C6471}.tap
Sun Apr 09 11:51:29 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.57.0/192.168.57.2/255.255.255.0 [SUCCEEDED]
Sun Apr 09 11:51:29 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.57.2/255.255.255.0 on interface {E92DAAAC-573A-4856-B177-DFDD460C6471} [DHCP-serv: 192.168.57.254, lease-time: 31536000]
Sun Apr 09 11:51:29 2017 Successful ARP Flush on interface [9] {E92DAAAC-573A-4856-B177-DFDD460C6471}
Sun Apr 09 11:51:29 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
I have anonymized the external addresses, they are correctly configured and both PCs find the pfSense.
The certificate is valid from 28.02.17 through 26.02.2027 and looking at the properties on both PCs, they look identical.
-
That's too early for it to have been a server-side conflict anyhow.
I haven't seen it do that before, though it's clearly something on the client. It has no way to know the certificate has been installed elsewhere. It must be misinterpreting the date somehow.
It's possible it is a bug in the Windows client. They have put out 2.4.1 recently. If you update the OpenVPN client export package it has 2.4.1 now. You'll have to uninstall OpenVPN from the client PC though.
-
I'll give it a try.
But it is interesting that the certificate always works on the first PC that it gets installed on, but never on the second - this was 2 certificates and 4 PCs, the first installation's certificate is always valid and the second always invalid.
-
I upgraded to the latest version, but now I get an additional error message:
error -ns-cert is depricated use -remote-cert-tls instead
But again, the first PC to get the package installed works fine, all additional PCs kick out this error message.
Edit: I also added the configuration to my Android phone (Nexus 5x) and that works fine too.
Edit 2: I added the above mentioned option to the 2nd device, now the message has gone and I am back to just certificate expired. The first PC doesn't need the -remote-cert-tls and its certificate is not expired.
On both machines I have deleted the certificate and all configuration files, deleted the OpenVPN server on the pfSense and re-created it with the wizard, re-created the users and downloaded and installed new installation files. Same result, the first PC still doesn't have any problems, the 2nd gets certificate expired and cannot connect.
I did switch from SSL+TLS and User Auth to just User Auth, which works, but is obviously not as secure.
-
Update: On the OpenVPN forum, I was asked to download just the config file and install OpenVPN manually, using the December release.
I de-installed everything, deleted the config files and removed the certificate from the store.
I then manually installed the OpenVPN GUI client, copied the config into the config directory.
OpenVPN still gave the same error message (certificate valid until 2027 has expired).
Installed the certificate in the Windows certificate manager, still the same error message.
-
Update: I had a brainwave last night…
The notebook that doesn't work is private, therefore it has a different username to the company notebook... I tried adding a new account with the same name and voilà, OpenVPN stopped saying the certificate has expired...
So, wrong error message and checking in the wrong place? With OpenVPN, I am connecting from a PC to the server using credentials that are valid on the network, so it shouldn't, IMHO, have anything to do with the local username... The OpenVPN username and password are correct and correspond to the certificate.
I haven't had time to test this further - after changing to a user account on the PC with the same name, the error disappeared, but it still didn't connect, I am now looking into that. But it still doesn't solve the initial problem. Is this expected behaviour? It seems a bit odd, plus Android doesn't have this problem - I am "logged" on to that with my GMail account, not my corporate account...
-
Problem solved / workaround…
I had been using the setting to store the key in the Windows Certificate Manager, instead of local files.
This seems to work on PCs where the local user is in the domain, but not when the user is logged on with a local account. I changed the settings in the package manager on the pfSense to just use local files and et voilà, it connected first time!
So there seems to be some problem with the way that the Windows Certificate Manager and OpenVPN are interacting when the local account name doesn't match the VPN login (we use RADIUS on the pfSense to authenticate users).
Once the name matches, the error about the expired certificate goes away, but it still can't connect (server log says that the key was not transmitted / "TLS Error: cannot locate HMAC in incoming packet from [AF_INET]").
Once OpenVPN is configured to use local certificate files, instead of the Windows Certificate Manager, there are no errors and OpenVPN can connect without problem.
Not 100% ideal, but at least we can move forward with implementing pfSense now.
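To make the workaround from this thread checkable, here is a small audit script added to this page (it is not code from the thread or from pfSense). It parses a constructed client config and the three warnings quoted above, flags `cryptoapicert` (the Windows Certificate Manager export option, which depends on the logged-on Windows account and capped TLS at 1.1 in the 2.4.0 client), the deprecated `ns-cert-type`, and a missing `auth-nocache`, and then rewrites the config to local certificate files; the subject string and the `client.crt`/`client.key` file names are assumed placeholders.

```python
# Constructed sample client config (not the poster's file); the cryptoapicert line
# with a placeholder subject is what the "Windows Certificate Manager" export emits.
SAMPLE_OVPN = """\
client
remote 1.1.1.1 1194
auth-user-pass
cryptoapicert "SUBJ:EXAMPLE-VPN-USER"
ns-cert-type server
"""
# Constructed log lines mirroring the warnings quoted in the thread.
SAMPLE_LOG = """\
Sun Apr 09 11:43:54 2017 Warning: cryptapicert used, setting maximum TLS version to 1.1.
Sun Apr 09 11:44:02 2017 WARNING: Your certificate has expired!
Sun Apr 09 11:44:02 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
"""
# Log substrings worth alerting on ("apicert used" also matches the 2.4.0 misspelling).
LOG_MARKERS = {"cert-store": "apicert used", "expired": "Your certificate has expired",
               "pw-cache": "cache passwords in memory"}

def directives(text):
    """Set of directive names in a config (comments and blank lines skipped)."""
    return {l.split()[0] for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")}

def audit_config(text):
    """Flag the three directives behind the warnings the thread ran into."""
    names, findings = directives(text), []
    if "cryptoapicert" in names:  # per-user Windows store lookup; client caps TLS at 1.1
        findings.append("cryptoapicert")
    if "ns-cert-type" in names:   # deprecated; remote-cert-tls server replaces it
        findings.append("ns-cert-type")
    if "auth-user-pass" in names and "auth-nocache" not in names:
        findings.append("auth-nocache-missing")
    return findings

def audit_log(text):
    """Return the marker names that appear anywhere in the client log."""
    return sorted(k for k, s in LOG_MARKERS.items() if s in text)

def to_local_files(text):
    """Apply the thread's workaround (local cert/key files instead of the Windows
    store) plus the two changes the other warnings ask for."""
    out = []
    for raw in text.splitlines():
        name = raw.split()[0] if raw.split() else ""
        if name == "cryptoapicert":
            out += ["cert client.crt", "key client.key"]  # assumed file names
        elif name == "ns-cert-type":
            out.append("remote-cert-tls server")
        else:
            out.append(raw)
    if "auth-nocache" not in directives("\n".join(out)):
        out.append("auth-nocache")
    return "\n".join(out) + "\n"
```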