    OpenVPN asking for user Cert in ldap (user / pass) mode?

    2.0-RC Snapshot Feedback and Problems - RETIRED
      wallacebw last edited by

      All:

      When running in ldap user / pass mode, I am unable to connect and the openvpn logs show:

      openvpn[44818]: 32.163.191.169:3478 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

      If I use local mode and use key /user / pass, everything works fine.

      This is happening on the latest build as of this posting.

      Also, where is the OpenVPN conf file stored on pfSense?

      FYI:  this is amd64.

      Thanks,

        wallacebw last edited by

        Here's some more info.

        The OpenVPN server conf is:

        
        dev ovpns2
        dev-type tun
        dev-node /dev/tun2
        writepid /var/run/openvpn_server2.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto tcp-server
        cipher AES-256-CBC
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        local 1.2.3.4
        tls-server
        server 192.168.242.0 255.255.254.0
        client-config-dir /var/etc/openvpn-csc
        client-cert-not-required
        username-as-common-name
        auth-user-pass-verify /var/etc/openvpn/server2.php via-env
        lport 1195
        management /var/etc/openvpn/server2.sock unix
        max-clients 100
        push "route 192.168.0.0 255.255.0.0"
        ca /var/etc/openvpn/server2.ca
        cert /var/etc/openvpn/server2.cert
        key /var/etc/openvpn/server2.key
        dh /etc/dh-parameters.1024
        tls-auth /var/etc/openvpn/server2.tls-auth 0
        comp-lzo
        
        

        The client conf is:

        
        dev tun
        persist-tun
        persist-key
        proto tcp-client
        cipher AES-256-CBC
        tls-client
        client
        resolv-retry infinite
        remote 1.2.3.4 1195
        auth-user-pass
        ca firewall-TCP-1195-ca.crt
        tls-auth firewall-TCP-1195-tls.key 1
        comp-lzo
        
        

        FYI: I'm using the nonstandard port 1195 because I have a working instance (local auth with cert) running on 1194 so I can get back in to troubleshoot.

        From the above, I see that a cert should not be required (client-cert-not-required).  That stated, I am unaware why I see the following log sequence when attempting to connect.

        Open VPN log:

        
        Feb 7 19:00:15 	openvpn[10095]: Re-using SSL/TLS context
        Feb 7 19:00:15 	openvpn[10095]: LZO compression initialized
        Feb 7 19:00:15 	openvpn[10095]: TCP connection established with [AF_INET]5.6.7.8:41648
        Feb 7 19:00:15 	openvpn[10095]: TCPv4_SERVER link local: [undef]
        Feb 7 19:00:15 	openvpn[10095]: TCPv4_SERVER link remote: [AF_INET]71.203.129.198:41648
        Feb 7 19:00:16 	openvpn[10095]: 5.6.7.8:41648 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
        Feb 7 19:00:16 	openvpn[10095]: 5.6.7.8:41648 TLS Error: TLS object -> incoming plaintext read error
        Feb 7 19:00:16 	openvpn[10095]: 5.6.7.8:41648 TLS Error: TLS handshake failed
        Feb 7 19:00:16 	openvpn[10095]: 5.6.7.8:41648 Fatal TLS error (check_tls_errors_co), restarting
        Feb 7 19:00:21 	openvpn[10095]: Re-using SSL/TLS context
        Feb 7 19:00:21 	openvpn[10095]: LZO compression initialized
        Feb 7 19:00:21 	openvpn[10095]: TCP connection established with [AF_INET]5.6.7.8:4178
        Feb 7 19:00:21 	openvpn[10095]: TCPv4_SERVER link local: [undef]
        Feb 7 19:00:21 	openvpn[10095]: TCPv4_SERVER link remote: [AF_INET]5.6.7.8:4178
        Feb 7 19:00:21 	openvpn[10095]: 5.6.7.8:4178 Connection reset, restarting [0]
        
        

        Also, I have run Diagnostics -> Authentication successfully, so I don't believe my LDAP configuration is the issue.

        Any help would be appreciated!

        Thanks all.

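As an added example (not code from this thread or from pfSense), a small Python cross-check of a server/client config pair like the two posted: it parses both, flags the option combinations that produce "peer did not return a certificate", and also notes the missing server-certificate verification that the client log later warns about. The embedded configs are constructed from the posted ones, trimmed to the relevant options.

```python
# Constructed sample configs, trimmed from the two posted above (added example, not pfSense code).
SERVER_CONF = """
tls-server
client-cert-not-required
auth-user-pass-verify /var/etc/openvpn/server2.php via-env
cert /var/etc/openvpn/server2.cert
tls-auth /var/etc/openvpn/server2.tls-auth 0
"""
CLIENT_CONF = """
tls-client
client
auth-user-pass
ca firewall-TCP-1195-ca.crt
tls-auth firewall-TCP-1195-tls.key 1
"""

def parse(text):
    """Map each option name to the list of argument strings it appears with."""
    opts = {}
    for line in text.splitlines():
        parts = line.split('#', 1)[0].split(None, 1)   # drop comments, split name from args
        if parts:
            opts.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else '')
    return opts

def client_offers_cert(c):
    return any(k in c for k in ('cert', 'pkcs12', 'pkcs11-id', 'cryptoapicert'))

def server_accepts_certless(s):
    # 'client-cert-not-required' is the 2.x spelling; 2.4+ uses 'verify-client-cert none|optional'.
    return ('client-cert-not-required' in s
            or s.get('verify-client-cert', [''])[0] in ('none', 'optional'))

def key_dir(opts):
    """Direction argument of tls-auth ('0'/'1'), or None when omitted (bidirectional key)."""
    parts = opts['tls-auth'][0].split()
    return parts[1] if len(parts) > 1 else None

def check(server_text, client_text):
    """Return human-readable findings; an empty list means the pair is consistent."""
    s, c = parse(server_text), parse(client_text)
    out = []
    if not client_offers_cert(c) and not server_accepts_certless(s):
        out.append("client presents no certificate but the server requires one: "
                   "expect 'peer did not return a certificate'")
    if server_accepts_certless(s) and not any(k in s for k in ('auth-user-pass-verify', 'plugin')):
        out.append("server accepts certless clients with no user/pass check: "
                   "the TLS layer then authenticates nobody")
    if not client_offers_cert(c) and 'auth-user-pass' not in c:
        out.append("client has neither a certificate nor auth-user-pass")
    if ('tls-auth' in s) != ('tls-auth' in c):
        out.append("tls-auth is configured on only one side: the other side's handshake packets are dropped")
    elif 'tls-auth' in s and (key_dir(s), key_dir(c)) not in ((None, None), ('0', '1')):
        out.append("tls-auth key direction must be 0 on the server and 1 on the client, or omitted on both")
    if not any(k in c for k in ('remote-cert-tls', 'verify-x509-name', 'ns-cert-type', 'tls-remote')):
        out.append("client does not verify the server certificate's role; OpenVPN warns "
                   "'No server certificate verification method has been enabled'")
    return out
```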
          cmb last edited by

          Missing something in your client config. Did you use the client export?

          Configs on the firewall are in /var/etc/openvpn/*

            wallacebw last edited by

            Thanks. I found the path (I always forget /var for some reason).

            Yes, I used the client export package, and I just recreated a new OpenVPN service using UDP and received the following in the ovpn file from the client export.

            dev tun
            persist-tun
            persist-key
            proto udp
            cipher AES-256-CBC
            tls-client
            client
            resolv-retry infinite
            remote 1.2.3.4 1195
            auth-user-pass
            ca firewall-udp-1195-ca.crt
            tls-auth firewall-udp-1195-tls.key 1
            comp-lzo

            I'm going to head off to the OpenVPN site to see if I can figure it out, but if you could post what's missing in the client config, that would be great.

            If it helps, here's my working client config:

            dev tun
            persist-tun
            persist-key
            proto tcp-client
            cipher AES-256-CBC
            tls-client
            client
            resolv-retry infinite
            remote 1.2.3.4 1194
            auth-user-pass
            pkcs12 firewall-TCP-1194.p12
            tls-auth firewall-TCP-1194-tls.key 1
            comp-lzo

            Thanks for the help.

              cmb last edited by

              Compare the contents of the CA cert the server and client are using, and the TLS key.

                wallacebw last edited by

                I believe the CA CRT and TLS keys match.

                Here's what I did:

                CA:
                I downloaded the client config via the OpenVPN: Client Export Utility and then also manually downloaded the CA CRT via System: Certificate Authority Manager.  I then hashed each.

                2AE9EC4FE11B22B465B87FE5ECD1445A020012CB -- System: Certificate Authority Manager
                2AE9EC4FE11B22B465B87FE5ECD1445A020012CB -- OpenVPN: Client Export Utility

                TLS Key
                I downloaded the client config via the OpenVPN: Client Export Utility and then also manually downloaded the TLS key via OpenVPN server: Cryptographic Settings -> TLS Authentication text box.  I then hashed each.

                273278FA506EE49E05B8D9FF1693F34C2C48200C -- System: Certificate Authority Manager
                273278FA506EE49E05B8D9FF1693F34C2C48200C -- OpenVPN: Client Export Utility

                Then retesting the connection, I receive the following in the logs.

                Client:

                
                Tue Feb 08 09:14:09 2011 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010
                Tue Feb 08 09:15:14 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
                Tue Feb 08 09:15:14 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
                Tue Feb 08 09:15:14 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
                Tue Feb 08 09:15:14 2011 Control Channel Authentication: using 'firewall-udp-1194-tls.key' as a OpenVPN static key file
                Tue Feb 08 09:15:14 2011 LZO compression initialized
                Tue Feb 08 09:15:14 2011 UDPv4 link local (bound): [undef]:1194
                Tue Feb 08 09:15:14 2011 UDPv4 link remote: 1.2.3.4:1194
                Tue Feb 08 09:15:14 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
                Tue Feb 08 09:16:15 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
                Tue Feb 08 09:16:15 2011 TLS Error: TLS handshake failed
                Tue Feb 08 09:16:15 2011 SIGUSR1[soft,tls-error] received, process restarting
                Tue Feb 08 09:16:17 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
                Tue Feb 08 09:16:17 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
                Tue Feb 08 09:16:17 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
                Tue Feb 08 09:16:17 2011 Re-using SSL/TLS context
                Tue Feb 08 09:16:17 2011 LZO compression initialized
                Tue Feb 08 09:16:17 2011 UDPv4 link local (bound): [undef]:1194
                Tue Feb 08 09:16:17 2011 UDPv4 link remote: 1.2.3.4:1194
                Tue Feb 08 09:16:17 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
                Tue Feb 08 09:16:28 2011 SIGTERM[hard,] received, process exiting
                
                

                Server

                
                Feb 8 08:58:26 	openvpn[33499]: event_wait : Interrupted system call (code=4)
                Feb 8 08:58:26 	openvpn[33499]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.240.1 192.168.240.2 init
                Feb 8 08:58:26 	openvpn[33499]: SIGTERM[hard,] received, process exiting
                Feb 8 08:58:27 	openvpn[6006]: OpenVPN 2.x-testing-ae1de75c0fa5 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [IPv6 payload 20100922-1] [MH] [PF_INET6] built on Feb 3 2011
                Feb 8 08:58:27 	openvpn[6006]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                Feb 8 08:58:27 	openvpn[6006]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
                Feb 8 08:58:27 	openvpn[6006]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
                Feb 8 08:58:27 	openvpn[6006]: TUN/TAP device /dev/tun1 opened
                Feb 8 08:58:27 	openvpn[6006]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
                Feb 8 08:58:27 	openvpn[6006]: /sbin/ifconfig ovpns1 192.168.240.1 192.168.240.2 mtu 1500 netmask 255.255.255.255 up
                Feb 8 08:58:27 	openvpn[6006]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.240.1 192.168.240.2 init
                Feb 8 08:58:27 	openvpn[10812]: UDPv4 link local (bound): [AF_INET]173.8.52.61:1194
                Feb 8 08:58:27 	openvpn[10812]: UDPv4 link remote: [undef]
                Feb 8 08:58:27 	openvpn[10812]: Initialization Sequence Completed
                Feb 8 08:59:07 	openvpn[10812]: 5.6.7.8:18099 Re-using SSL/TLS context
                Feb 8 08:59:07 	openvpn[10812]: 5.6.7.8:18099 LZO compression initialized
                Feb 8 08:59:07 	openvpn[10812]: 5.6.7.8:18099 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
                Feb 8 08:59:07 	openvpn[10812]: 5.6.7.8:18099 TLS Error: TLS object -> incoming plaintext read error
                Feb 8 08:59:07 	openvpn[10812]: 5.6.7.8:18099 TLS Error: TLS handshake failed
                Feb 8 09:14:38 	openvpn[10812]: event_wait : Interrupted system call (code=4)
                Feb 8 09:14:38 	openvpn[10812]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.240.1 192.168.240.2 init
                Feb 8 09:14:38 	openvpn[10812]: SIGTERM[hard,] received, process exiting
                Feb 8 09:14:39 	openvpn[12199]: OpenVPN 2.x-testing-ae1de75c0fa5 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [IPv6 payload 20100922-1] [MH] [PF_INET6] built on Feb 3 2011
                Feb 8 09:14:39 	openvpn[12199]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                Feb 8 09:14:39 	openvpn[12199]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
                Feb 8 09:14:39 	openvpn[12199]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
                Feb 8 09:14:39 	openvpn[12199]: TUN/TAP device /dev/tun1 opened
                Feb 8 09:14:39 	openvpn[12199]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
                Feb 8 09:14:39 	openvpn[12199]: /sbin/ifconfig ovpns1 192.168.240.1 192.168.240.2 mtu 1500 netmask 255.255.255.255 up
                Feb 8 09:14:39 	openvpn[12199]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.240.1 192.168.240.2 init
                Feb 8 09:14:39 	openvpn[13385]: UDPv4 link local (bound): [AF_INET]173.8.52.61:1194
                Feb 8 09:14:39 	openvpn[13385]: UDPv4 link remote: [undef]
                Feb 8 09:14:39 	openvpn[13385]: Initialization Sequence Completed
                Feb 8 09:15:15 	openvpn[13385]: 5.6.7.8:29107 Re-using SSL/TLS context
                Feb 8 09:15:15 	openvpn[13385]: 5.6.7.8:29107 LZO compression initialized
                Feb 8 09:15:16 	openvpn[13385]: 5.6.7.8:29107 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
                Feb 8 09:15:16 	openvpn[13385]: 5.6.7.8:29107 TLS Error: TLS object -> incoming plaintext read error
                Feb 8 09:15:16 	openvpn[13385]: 5.6.7.8:29107 TLS Error: TLS handshake failed
                
                

                Also, I tried disabling TLS Authentication and received the same results.

                  spiritbreaker last edited by

                  Hi,

                  I got the exact same issue after updating to the snapshot built on Tue Feb 8 05:33:31 EST 2011.

                  TLS Keys match.

                  I tried a new configuration via the wizard and client export utility, but the same error always occurs.

                  TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

                  EDIT:

                  Server option "client-cert-not-required" seems to be ignored. Error still there.

                  EDIT2:

                  I switched back to an older snapshot (built on Thu Jan 20 19:54:38 EST 2011) and it works fine for me.

                  cya

                  pfSense running at 11 locations
                  -mobile OPENVPN and IPSEC
                  -multiwan failover
                  -filtering proxy(squidguard) in bridgemode with ntop monitoring

                    cmb last edited by

                    Hmm, yeah, that error seemingly indicates it's not taking the client-cert-not-required on the server side for some reason. It hasn't been long since I've done an LDAP OpenVPN setup and it worked fine; I'll try it again as soon as I have a chance.

                      wallacebw last edited by

                      @cmb:

                      Hmm, yeah, that error seemingly indicates it's not taking the client-cert-not-required on the server side for some reason. It hasn't been long since I've done an LDAP OpenVPN setup and it worked fine; I'll try it again as soon as I have a chance.

                      Any progress on this (no rush from my standpoint)? I can open a bug if you prefer, so this issue doesn't get "lost".
                      Thanks again.

                        cmb last edited by

                        This should be fixed in newer snapshots; I believe it was OpenVPN version-related.

                          wallacebw last edited by

                          I can confirm the current snapshot is corrected and is functioning properly on the A64 build.
