Can't get OpenVPN to work

pixel24

Hi@all,

I have been trying to get OpenVPN to work for two days.

I have set up a certificate for the host 'gate01.lan.example.club' with ACME:

and a certificate is created:

then configures the OpenVPN server:

For the client (Ubuntu 20.04), I export the bundle on the server:

dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote gate01.lan.example.club 1194 udp4
nobind
auth-user-pass
ca gate01-UDP4-1194-ca.crt
tls-auth gate01-UDP4-1194-tls.key 1
remote-cert-tls server
explicit-exit-notify

A firewall rule is created:

When I now try to extend the connection, I only find the following on the pfSense in the openvpn.log:

Feb 25 12:00:21	openvpn	58429	OpenVPN 2.5.4 amd64-portbld-freebsd12.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 12 2022
Feb 25 12:00:21	openvpn	58429	library versions: OpenSSL 1.1.1l-freebsd 24 Aug 2021, LZO 2.10
Feb 25 12:00:21	openvpn	58761	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server1/sock
Feb 25 12:00:21	openvpn	58761	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 25 12:00:21	openvpn	58761	PLUGIN_INIT: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so '[/usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so] [/usr/local/sbin/ovpn_auth_verify_async] [user] [R2Voci1DbHViLU1hc3Rlcg==] [false] [server1] [1194]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Feb 25 12:00:21	openvpn	58761	Diffie-Hellman initialized with 2048 bit key
Feb 25 12:00:21	openvpn	58761	WARNING: experimental option --capath /var/etc/openvpn/server1/ca
Feb 25 12:00:21	openvpn	58761	Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb 25 12:00:21	openvpn	58761	Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Feb 25 12:00:21	openvpn	58761	TUN/TAP device ovpns1 exists previously, keep at program end
Feb 25 12:00:21	openvpn	58761	TUN/TAP device /dev/tun1 opened
Feb 25 12:00:21	openvpn	58761	/sbin/ifconfig ovpns1 10.0.10.1 10.0.10.2 mtu 1500 netmask 255.255.255.0 up
Feb 25 12:00:21	openvpn	58761	/sbin/route add -net 10.0.10.0 10.0.10.2 255.255.255.0
Feb 25 12:00:21	openvpn	58761	/usr/local/sbin/ovpn-linkup ovpns1 1500 1621 10.0.10.1 255.255.255.0 init
Feb 25 12:00:21	openvpn	58761	Socket Buffers: R=[42080->42080] S=[57344->57344]
Feb 25 12:00:21	openvpn	58761	UDPv4 link local (bound): [AF_INET]37.49.18.169:1194
Feb 25 12:00:21	openvpn	58761	UDPv4 link remote: [AF_UNSPEC]
Feb 25 12:00:21	openvpn	58761	MULTI: multi_init called, r=256 v=256
Feb 25 12:00:21	openvpn	58761	IFCONFIG POOL IPv4: base=10.0.10.2 size=252
Feb 25 12:00:21	openvpn	58761	Initialization Sequence Completed
Feb 25 12:00:26	openvpn	58761	MANAGEMENT: Client connected from /var/etc/openvpn/server1/sock
Feb 25 12:00:26	openvpn	58761	MANAGEMENT: CMD 'status 2'
Feb 25 12:00:26	openvpn	58761	MANAGEMENT: Client disconnected

It looks like nothing arrives at the OpenVPN server at all.

What have I overlooked?

with best
pixel24

viragomann

@pixel24
You will get more usefully information from the client log.

Which client are you using?

pixel24

Feb 25 12:36:54 lt001 NetworkManager[709]: <info>  [1645789014.1006] audit: op="connection-activate" uuid="9e6a7e66-3741-4d0c-b4c1-96edc5d329ab" name="example-Club" pid=10803 uid=1049601120 result="success"
Feb 25 12:36:54 lt001 NetworkManager[709]: <info>  [1645789014.1040] vpn-connection[0x564dc19e4310,9e6a7e66-3741-4d0c-b4c1-96edc5d329ab,"example-Club",0]: Started the VPN service, PID 12377
Feb 25 12:36:54 lt001 NetworkManager[709]: <info>  [1645789014.1103] vpn-connection[0x564dc19e4310,9e6a7e66-3741-4d0c-b4c1-96edc5d329ab,"example-Club",0]: Saw the service appear; activating connection
Feb 25 12:36:54 lt001 NetworkManager[709]: <info>  [1645789014.1595] vpn-connection[0x564dc19e4310,9e6a7e66-3741-4d0c-b4c1-96edc5d329ab,"example-Club",0]: VPN plugin: state changed: starting (3)
Feb 25 12:36:54 lt001 NetworkManager[709]: <info>  [1645789014.1596] vpn-connection[0x564dc19e4310,9e6a7e66-3741-4d0c-b4c1-96edc5d329ab,"example-Club",0]: VPN connection: (ConnectInteractive) reply received
Feb 25 12:36:54 lt001 nm-openvpn[12387]: WARNING: file '/data01/Sicherheit/OVPN/example-Club/gate01-UDP4-1194/gate01-UDP4-1194-tls.key' is group or others accessible
Feb 25 12:36:54 lt001 nm-openvpn[12387]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021
Feb 25 12:36:54 lt001 nm-openvpn[12387]: library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Feb 25 12:36:54 lt001 nm-openvpn[12387]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 25 12:36:54 lt001 nm-openvpn[12387]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.83.254:1194
Feb 25 12:36:54 lt001 nm-openvpn[12387]: UDPv4 link local: (not bound)
Feb 25 12:36:54 lt001 nm-openvpn[12387]: UDPv4 link remote: [AF_INET]192.168.83.254:1194
Feb 25 12:36:54 lt001 nm-openvpn[12387]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
Feb 25 12:36:54 lt001 nm-openvpn[12387]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Feb 25 12:37:07 lt001 systemd[1]: Starting SSSD Sudo Service responder...
Feb 25 12:37:07 lt001 chown[12393]: /bin/chown: Zugriff auf '/var/log/sssd/sssd_sudo.log' nicht möglich: Datei oder Verzeichnis nicht gefunden
Feb 25 12:37:07 lt001 systemd[1]: Started SSSD Sudo Service responder.
Feb 25 12:37:07 lt001 sssd_sudo[12394]: Starting up
Feb 25 12:37:08 lt001 systemd[1]: Starting SSSD PAM Service responder...
Feb 25 12:37:08 lt001 systemd[1]: Started SSSD PAM Service responder.
Feb 25 12:37:08 lt001 sssd_pam[12396]: Starting up
Feb 25 12:37:08 lt001 sudo[12392]:   s.example : TTY=unknown ; PWD=/home/s.example ; USER=root ; COMMAND=/usr/lib/linuxmint/mintUpdate/dpkg_lock_check.sh
Feb 25 12:37:08 lt001 sudo[12392]: pam_unix(sudo:session): session opened for user root by (uid=0)
Feb 25 12:37:08 lt001 sudo[12392]: pam_unix(sudo:session): session closed for user root
Feb 25 12:37:08 lt001 sudo[12399]:   s.example : TTY=unknown ; PWD=/home/s.example ; USER=root ; COMMAND=/usr/bin/mint-refresh-cache
Feb 25 12:37:08 lt001 sudo[12399]: pam_unix(sudo:session): session opened for user root by (uid=0)
Feb 25 12:37:11 lt001 NetworkManager[709]: <info>  [1645789031.8259] audit: op="connection-deactivate" uuid="9e6a7e66-3741-4d0c-b4c1-96edc5d329ab" name="example-Club" pid=10803 uid=1049601120 result="success"
Feb 25 12:37:11 lt001 dbus-daemon[708]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.10' (uid=0 pid=709 comm="/usr/sbin/NetworkManager --no-daemon " label="unconfined")
Feb 25 12:37:11 lt001 systemd[1]: Starting Network Manager Script Dispatcher Service...
Feb 25 12:37:11 lt001 dbus-daemon[708]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Feb 25 12:37:11 lt001 systemd[1]: Started Network Manager Script Dispatcher Service.
Feb 25 12:37:11 lt001 nm-openvpn[12387]: event_wait : Interrupted system call (code=4)
Feb 25 12:37:11 lt001 nm-openvpn[12387]: SIGTERM[hard,] received, process exiting
Feb 25 12:37:11 lt001 NetworkManager[709]: <warn>  [1645789031.8444] vpn-connection[0x564dc19e4310,9e6a7e66-3741-4d0c-b4c1-96edc5d329ab,"example-Club",0]: VPN plugin: failed: connect-failed (1)
Feb 25 12:37:11 lt001 NetworkManager[709]: <info>  [1645789031.8445] vpn-connection[0x564dc19e4310,9e6a7e66-3741-4d0c-b4c1-96edc5d329ab,"example-Club",0]: VPN plugin: state changed: stopping (5)
Feb 25 12:37:11 lt001 nm-dispatcher[13801]: run-parts: failed to stat component /etc/network/if-post-down.d/avahi-daemon: No such file or directory
Feb 25 12:37:11 lt001 NetworkManager[709]: <info>  [1645789031.8465] vpn-connection[0x564dc19e4310,9e6a7e66-3741-4d0c-b4c1-96edc5d329ab,"example-Club",0]: VPN plugin: state changed: stopped (6)
Feb 25 12:37:12 lt001 dbus-daemon[708]: [system] Activating via systemd: service name='org.freedesktop.PackageKit' unit='packagekit.service' requested by ':1.179' (uid=0 pid=14178 comm="/usr/bin/gdbus call --system --dest org.freedeskto" label="unconfined")
Feb 25 12:37:12 lt001 systemd[1]: Starting PackageKit Daemon...
Feb 25 12:37:12 lt001 PackageKit[14181]: daemon start
Feb 25 12:37:12 lt001 dbus-daemon[708]: [system] Successfully activated service 'org.freedesktop.PackageKit'
Feb 25 12:37:12 lt001 systemd[1]: Started PackageKit Daemon.
Feb 25 12:37:15 lt001 sudo[12399]: pam_unix(sudo:session): session closed for user root
Feb 25 12:37:22 lt001 systemd[1]: NetworkManager-dispatcher.service: Succeeded.

viragomann

@pixel24
Doesn't show really much at all. I assume, the "example-Club" is your replacement of the destination host name?

However, as far as I know, the NetworkManager OpenVPN plugin doesn't like separated CA an client certs.
I only succeed with it by using encrypted pkcs12 file ("Password Protect Certificate" checked in the export utility and a password stated).
Then I downloaded the archive and extracted it on the client.
You may import the .ovpn file in NM, but then ensure the all the paths of CA, client cert and private key goes to the p12 file and enter the password for the p12. The TLS key has to be stated additionally on the security tab.

pixel24

@viragomann said in Can't get OpenVPN to work:

Doesn't show really much at all. I assume, the "example-Club" is your replacement of the destination host name?

Yes, I have replaced the real part of the name with example.

This log file was written when I tried to establish the VPN connection from the LAN.

I have just tried it again "from outside". I can get more information here:

Feb 25 12:55:08 lt001 NetworkManager[709]: <info>  [1645790108.3077] audit: op="connection-activate" uuid="9e6a7e66-3741-4d0c-b4c1-96edc5d329ab" name="Example-Club" pid=10803 uid=1049601120 result="success"
Feb 25 12:55:08 lt001 NetworkManager[709]: <info>  [1645790108.3116] vpn-connection[0x564dc19e4520,9e6a7e66-3741-4d0c-b4c1-96edc5d329ab,"Example-Club",0]: Started the VPN service, PID 15691
Feb 25 12:55:08 lt001 NetworkManager[709]: <info>  [1645790108.3168] vpn-connection[0x564dc19e4520,9e6a7e66-3741-4d0c-b4c1-96edc5d329ab,"Example-Club",0]: Saw the service appear; activating connection
Feb 25 12:55:08 lt001 NetworkManager[709]: <info>  [1645790108.3667] vpn-connection[0x564dc19e4520,9e6a7e66-3741-4d0c-b4c1-96edc5d329ab,"Example-Club",0]: VPN plugin: state changed: starting (3)
Feb 25 12:55:08 lt001 NetworkManager[709]: <info>  [1645790108.3667] vpn-connection[0x564dc19e4520,9e6a7e66-3741-4d0c-b4c1-96edc5d329ab,"Example-Club",0]: VPN connection: (ConnectInteractive) reply received
Feb 25 12:55:08 lt001 nm-openvpn[15701]: WARNING: file '/data01/Sicherheit/OVPN/Example-Club/gate01-UDP4-1194/gate01-UDP4-1194-tls.key' is group or others accessible
Feb 25 12:55:08 lt001 nm-openvpn[15701]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021
Feb 25 12:55:08 lt001 nm-openvpn[15701]: library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Feb 25 12:55:08 lt001 nm-openvpn[15701]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 25 12:55:08 lt001 nm-openvpn[15701]: TCP/UDP: Preserving recently used remote address: [AF_INET]37.49.18.169:1194
Feb 25 12:55:08 lt001 nm-openvpn[15701]: UDPv4 link local: (not bound)
Feb 25 12:55:08 lt001 nm-openvpn[15701]: UDPv4 link remote: [AF_INET]37.49.18.169:1194
Feb 25 12:55:08 lt001 nm-openvpn[15701]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
Feb 25 12:55:08 lt001 nm-openvpn[15701]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Feb 25 12:55:08 lt001 nm-openvpn[15701]: VERIFY ERROR: depth=2, error=unable to get issuer certificate: C=US, O=Internet Security Research Group, CN=ISRG Root X1
Feb 25 12:55:08 lt001 nm-openvpn[15701]: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Feb 25 12:55:08 lt001 nm-openvpn[15701]: TLS_ERROR: BIO read tls_read_plaintext error
Feb 25 12:55:08 lt001 nm-openvpn[15701]: TLS Error: TLS object -> incoming plaintext read error
Feb 25 12:55:08 lt001 nm-openvpn[15701]: TLS Error: TLS handshake failed
Feb 25 12:55:08 lt001 nm-openvpn[15701]: SIGUSR1[soft,tls-error] received, process restarting
Feb 25 12:55:13 lt001 nm-openvpn[15701]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 25 12:55:13 lt001 nm-openvpn[15701]: TCP/UDP: Preserving recently used remote address: [AF_INET]37.49.18.169:1194
Feb 25 12:55:13 lt001 nm-openvpn[15701]: UDPv4 link local: (not bound)
Feb 25 12:55:13 lt001 nm-openvpn[15701]: UDPv4 link remote: [AF_INET]37.49.18.169:1194

viragomann

@pixel24
So the client cannot verify the issuer certificate.

Are the server and client certs issued by an intermediate CA?

Did you provide the p12 file in the meantime?
It should include all needed certs.
If you use PEM style files, you have to combine CA and intermediate manually.

pixel24

@viragomann said in Can't get OpenVPN to work:

Are the server and client certs issued by an intermediate CA?

As far as I understand it, yes:

What surprises me is that the Client Export field says "No Cert":

I download the bundle, unpack it:

Import it:

But the error remains the same

Feb 25 13:58:14 lt001 nm-openvpn[19759]: VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=R3
Feb 25 13:58:14 lt001 nm-openvpn[19759]: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Feb 25 13:58:14 lt001 nm-openvpn[19759]: TLS_ERROR: BIO read tls_read_plaintext error
Feb 25 13:58:14 lt001 nm-openvpn[19759]: TLS Error: TLS object -> incoming plaintext read error
Feb 25 13:58:14 lt001 nm-openvpn[19759]: TLS Error: TLS handshake failed

@viragomann said in Can't get OpenVPN to work:

Did you provide the p12 file in the meantime?

Where exactly do I do that?

@viragomann said in Can't get OpenVPN to work:

It should include all needed certs.
If you use PEM style files, you have to combine CA and intermediate manually.

How exactly do I have to proceed here?

viragomann

@pixel24 said in Can't get OpenVPN to work:

What surprises me is that the Client Export field says "No Cert":

This regards to the user cert.
So there might no client cert be assigned to that user.

But not clear, how this should be accepted by the client. When you set up an SSL OpenVPN a client cert is required.

viragomann

@pixel24
Just noticed that your server is in "user auth" mode. So it doesn't require any CA and cert at all.
But I'm wondering why it is providing the CA and server cert stuff in this mode.

You have to set the server into SSL/TLS (+Auth) mode to use SSL certificates.

It should include all needed certs.
If you use PEM style files, you have to combine CA
and intermediate manually.

How exactly do I have to proceed here?

pixel24

@viragomann said in Can't get OpenVPN to work:

Just noticed that your server is in "user auth" mode. So it doesn't require any CA and cert at all.
But I'm wondering why it is providing the CA and server cert stuff in this mode.
You have to set the server into SSL/TLS (+Auth) mode to use SSL certificates.

That's how I've always done it so far and never had any problems. However, it was version 2.5. Now I have 2.6.

I have removed the access on the laptop again, changed the OpenVPN server to "SSL/TLS (+Auth) mode" and activated the password protection for thed pkcs12 file.

However, the option to download the package for the client is missing under "OpenVPNClient -> Export Utility".

pixel24

viragomann

@pixel24 said in Can't get OpenVPN to work:

However, the option to download the package for the client is missing under "OpenVPNClient -> Export Utility".

This is only available if there is any user on the system who has assigned a certificate from the same CA as the selected server.

As you upper screeshot shows you're using an external user database. But I don't know how to assign a user certs in this case.

pixel24

@viragomann I have specified the Let's Encrypt CA and the real certificate of the host in the OpenVPN server. This does not work although the certificate has been signed and is valid.

I have now set up an internal CA for OpenVPN again. Auth: User & Pass. Package imported on the client.

Works.

viragomann

@pixel24 said in Can't get OpenVPN to work:

I have specified the Let's Encrypt CA and the real certificate of the host in the OpenVPN server.

No, not this.
The client needs both, the CA cert and the intermediate cert to verify the server certificate, as far as I know. That's what the client error log hints to me.

So when you use p12 file both should be included. When using PEM file (crt) you can simply bundle both with an text editor.

Gertjan

@pixel24 said in Can't get OpenVPN to work:

OpenVPN 2.4.7

pfSense uses OpenVPN 2.5.4

I won't say : it couldn't work.
I will say : only experts will try to mix 2.5.x series with the 2.4.x series ;)

Btw : no need to use a certificate from Letsencrypt.
See the Netgate channel on Youtube, the official OpenVPN video's. These videos are old, but still very valid.

viragomann

@gertjan said in Can't get OpenVPN to work:

pfSense uses OpenVPN 2.5.4
I won't say : it couldn't work.
I will say : only experts will try to mix 2.5.x series with the 2.4.x series ;)

So I'm an expert, obviously.

We never had issues here with OpenVPN 2.5.2 on pfSense and 2.4.x and 2.5.x on Windows and 2.4.x Linux clients.

Gertjan

@viragomann said in Can't get OpenVPN to work:

obviously

Very possible

I guess you've been cheating, that is, reading the OpenVPN release notes so you knew what 2.4.x option (server or client) can be used with a 2.5.x server or client.

JKnott

@gertjan

That setting doesn't work for me in the issue I've been having.