Usernames containing a dot (.) with OpenVPN RADIUS AD



  • I have followed the tutorial for setting up OpenVPN with RADIUS and Active Directory:

    http://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory

    My problem is that the part that explains how to create a user account by creating a certificate says that the descriptive name and common name should be set to the same username the user has in Active Directory… but the usernames contain a period, e.g. ben.golden. When I try to submit the form to create the certificate I get: The field 'Descriptive name' contains invalid characters.

    How can I create a certificate with the correct username?


  • Rebel Alliance Developer Netgate

    The descriptive name is just cosmetic, I'm not sure why that's restricted.

    The common name can contain ., and that's the only one that really matters for matching the username.


  • Rebel Alliance Developer Netgate

    I just checked in a fix so it will ignore '.' (and other characters) in the description for future releases.



  • Since posting that I found the PHP script that does the validation, and edited it myself… and it allowed me to add the certificate with the correct username!

    I still can't get OpenVPN to work though, after many hours of trying... I've just about given up :(

    I followed the how-to to the letter... but this is what I get in the logs. Any ideas?

    Jun 12 11:15:44 openvpn[59902]: event_wait : Interrupted system call (code=4)
    Jun 12 11:15:44 openvpn[59902]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1558 192.168.3.1 192.168.3.2 init
    Jun 12 11:15:44 openvpn[59902]: SIGTERM[hard,] received, process exiting
    Jun 12 11:15:45 openvpn[12538]: OpenVPN 2.2.2 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] built on Apr 2 2013
    Jun 12 11:15:45 openvpn[12538]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jun 12 11:15:45 openvpn[12538]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Jun 12 11:15:45 openvpn[12538]: TUN/TAP device /dev/tun1 opened
    Jun 12 11:15:45 openvpn[12538]: /sbin/ifconfig ovpns1 192.168.3.1 192.168.3.2 mtu 1500 netmask 255.255.255.255 up
    Jun 12 11:15:45 openvpn[12538]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1558 192.168.3.1 192.168.3.2 init
    Jun 12 11:15:46 openvpn[13942]: UDPv4 link local (bound): 10.0.5.2:1194
    Jun 12 11:15:46 openvpn[13942]: UDPv4 link remote: [undef]
    Jun 12 11:15:46 openvpn[13942]: Initialization Sequence Completed
    Jun 12 11:16:30 openvpn[13942]: 31.91.146.30:40706 Re-using SSL/TLS context
    Jun 12 11:16:30 openvpn[13942]: 31.91.146.30:40706 LZO compression initialized
    Jun 12 11:16:32 openvpn[13942]: 31.91.146.30:40706 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /CN=ben.golden@maskeddomain.com
    Jun 12 11:16:32 openvpn[13942]: 31.91.146.30:40706 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    Jun 12 11:16:32 openvpn[13942]: 31.91.146.30:40706 TLS Error: TLS object -> incoming plaintext read error
    Jun 12 11:16:32 openvpn[13942]: 31.91.146.30:40706 TLS Error: TLS handshake failed


  • Rebel Alliance Developer Netgate

    That looks like a certificate verification error, so something in the CA/Cert doesn't match or isn't right between the client and server, or it's invalid in some other way.
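
A small log-triage helper for the failure shown above, added here as an example and not part of the thread or of pfSense: it groups OpenVPN server log lines by client peer and, for every failed handshake, pulls the first VERIFY ERROR (depth, OpenSSL error text and the certificate CN) and maps it to what to check on the server. The sample log lines, the peer addresses and the CN are constructed for the example.

```python
import re
from collections import defaultdict
# Syslog-style OpenVPN server line: "<ts> openvpn[<pid>]: [<ip>:<port> ]<message>".
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d openvpn\[\d+\]: "
                     r"(?:(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) )?(?P<msg>.*)$")
VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<err>[^:]+): (?P<subject>\S+)")
# OpenSSL verify error text -> what an operator should check on the server side.
EXPLANATIONS = {
    "unable to get local issuer certificate":
        "client cert not issued by the CA the server trusts; check the CA selected in the server config",
    "certificate has expired": "client cert is past its notAfter date; reissue it",
    "certificate revoked": "client cert is on the CRL the server checks",
}

def triage(lines):
    """Group peer-tagged lines by client and return one finding per failed TLS handshake."""
    by_peer = defaultdict(list)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m and m["peer"]:
            by_peer[m["peer"]].append(m["msg"])
    findings = []
    for peer, msgs in by_peer.items():
        if not any(msg.startswith("TLS Error: TLS handshake failed") for msg in msgs):
            continue  # handshake completed (or never reached TLS), nothing to report
        finding = {"peer": peer, "cn": None, "depth": None,
                   "reason": "handshake failed with no VERIFY ERROR; check tls-auth key, cipher and clock"}
        for msg in msgs:
            v = VERIFY_RE.search(msg)
            if v:  # first verify error is the root cause; later TLS lines are consequences
                cn = re.search(r"/CN=([^/]+)", v["subject"])
                finding.update(cn=cn.group(1) if cn else None, depth=int(v["depth"]),
                               reason=EXPLANATIONS.get(v["err"], v["err"]))
                break
        findings.append(finding)
    return findings

# Constructed sample in the thread's log format (not real traffic): one peer fails verification as in the post, one fails before any certificate is seen.
SAMPLE_LOG = [
    "Jun 12 11:15:46 openvpn[13942]: Initialization Sequence Completed",
    "Jun 12 11:16:30 openvpn[13942]: 203.0.113.5:40706 Re-using SSL/TLS context",
    "Jun 12 11:16:32 openvpn[13942]: 203.0.113.5:40706 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /CN=ben.golden@example.com",
    "Jun 12 11:16:32 openvpn[13942]: 203.0.113.5:40706 TLS Error: TLS handshake failed",
    "Jun 12 11:17:01 openvpn[13942]: 198.51.100.7:51022 TLS Error: TLS handshake failed",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['peer']} CN={f['cn']} depth={f['depth']}: {f['reason']}")
```

Feed it the OpenVPN log from the pfSense status page (or `/var/log/openvpn.log`) line by line; a depth=0 "unable to get local issuer certificate" means the client presented a certificate that does not chain to the CA the server is configured with, regardless of whether the CN contains a dot.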