Update to 2.1, Issue with PKI



  • Hi,

    My setup from 2.0 does not seem to work with 2.1.  Here is the server log when I try to connect (newest to oldest):

    openvpn[4214]: 192.168.10.131:1194 TLS Error: TLS handshake failed
    Sep 30 14:59:30	openvpn[4214]: 192.168.10.131:1194 TLS Error: TLS object -> incoming plaintext read error
    Sep 30 14:59:30	openvpn[4214]: 192.168.10.131:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    Sep 30 14:59:30	openvpn[4214]: 192.168.10.131:1194 WARNING: Failed running command (--tls-verify script): could not execute external program
    

    I've regenerated everything: CA, Server Cert, OpenVPN service instance, User Cert.  All correctly associated.  All else equal as previous setup.

    Client config:

    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    tls-client
    client
    resolv-retry infinite
    remote 102.106.12.15 1195 udp
    tls-remote test1
    auth-user-pass
    pkcs12 test1.p12
    tls-auth test1tls.key 1
    ns-cert-type server
    comp-lzo
    
    

    Any thoughts?

    Thanks.



  • I found that once I removed these advanced options on the server side:

    user nobody;group nobody
    

    It started to work.  I don't like this so much though, now the particular process is running as root.

    Any thoughts guys?

    Thanks.



  • You'll need to create yourself a user in "User Manager" and add to it the server CA likely with Local Database as the server.


  • Rebel Alliance Developer Netgate

    The permissions on the files in /var/etc/openvpn have been altered such that only root can read them. So using a custom user in that way is not (and never has been) supported.

    If you want to find the code that sets the permissions and fix it so your custom user can read them, feel free…



  • @markn62:

    You'll need to create yourself a user in "User Manager" and add to it the server CA likely with Local Database as the server.

    I did.  Thanks for the suggestion.



  • @jimp:

    The permissions on the files in /var/etc/openvpn have been altered such that only root can read them. So using a custom user in that way is not (and never has been) supported.

    If you want to find the code that sets the permissions and fix it so your custom user can read them, feel free…

    Hey Jimp.  You probably understand the topic further than I do… but what about the security that is gained by running the exposed daemon (assuming firewall rules allow any) as "nobody", in case of some kind of exploit?

    Maybe I am missing the purpose of running only as root.  Help me out?  :-, then again... I guess you're stating that if I want nobody to be able to run the daemon, I have to modify the script... OK.


  • Rebel Alliance Developer Netgate

    I'm not sure of the exact reason why it hasn't been done that way. If OpenVPN runs as root to bind and add routes and then drops privileges to nobody, it may still be able to do the same things as usual, but there is always the chance that some other bit may break (pushed routes, etc)



  • @jimp:

    I'm not sure of the exact reason why it hasn't been done that way. If OpenVPN runs as root to bind and add routes and then drops privileges to nobody, it may still be able to do the same things as usual, but there is always the chance that some other bit may break (pushed routes, etc)

    Hey Jimp, just to clarify, I had been running 2.0.x for many months using the nobody for group and user in the advanced options without a hitch, only to be woken up by 2.1 and finding that (removing the option(s)) as my only solution.  I am not sure why either but maybe there is an explanation.

    Oh one more thing, I have a site-to-site (shared keys) working fine with the user and group nobody, (in 2.1).

    But the PKI… using the SSL/TLS + User Auth gives me the hiccup.



    I'm having the same problem, did creating the local user work as suggested? I created a local user and group and changed the config to use that but still get the error.  I'm not too sure what was meant by "add it to the server CA" though.  I did notice that the permissions on the tls-verify.php script are 755 so not sure why it gets the permissions problem since it's world readable/executable (unless FreeBSD has something similar to Linux with security contexts)
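    An added diagnostic for the situation jimp describes (this is not code from the thread, pfSense or OpenVPN): it parses the file-referencing directives out of an OpenVPN server config and reports which certificate, key and script paths a given unprivileged uid (for example `nobody`) could not read or execute under plain Unix mode bits, checking every ancestor directory as well, since a 755 script under a root-only directory is still unreachable once privileges are dropped. The directive list and the acceptance of `;` as a separator (as in the `user nobody;group nobody` line above) are assumptions; ACLs and MAC policies are not modelled.

    ```python
    import os, stat

    # Files OpenVPN opens after dropping to --user/--group (keys re-read on renegotiation)
    # and scripts it must still be able to execute, e.g. --tls-verify. Assumed list.
    FILE_DIRS = {"ca", "cert", "key", "dh", "pkcs12", "tls-auth", "crl-verify"}
    SCRIPTS = {"tls-verify", "auth-user-pass-verify", "client-connect", "up", "down"}

    def parse_refs(config_text):
        """Yield (directive, path); ';' splits statements as in 'user nobody;group nobody'."""
        for line in config_text.splitlines():
            for stmt in line.split("#", 1)[0].split(";"):
                parts = stmt.split()
                if len(parts) >= 2 and (parts[0] in FILE_DIRS or parts[0] in SCRIPTS):
                    yield parts[0], parts[1]

    def _may(st, uid, gids, bits):
        """Classic Unix DAC decision for a (user, group, other) bit triple such as 0o444."""
        if uid == 0:  # root bypasses read checks; exec/search still needs some x bit
            return bits != 0o111 or bool(st.st_mode & 0o111)
        if st.st_uid == uid:
            return bool(st.st_mode & bits & 0o700)
        if st.st_gid in gids:
            return bool(st.st_mode & bits & 0o070)
        return bool(st.st_mode & bits & 0o007)

    def check_access(config_text, uid, gids, base="/"):
        """Return {path: [reason, ...]} for referenced files the uid could not use."""
        problems = {}
        for directive, path in parse_refs(config_text):
            full = os.path.abspath(os.path.join(base, path))  # relative paths resolve under base
            reasons = []
            d = full
            while d != os.path.dirname(d):  # walk up: every ancestor needs the search (x) bit
                d = os.path.dirname(d)
                if os.path.isdir(d) and not _may(os.stat(d), uid, gids, 0o111):
                    reasons.append(f"directory {d} not searchable by uid {uid}")
            try:
                st = os.stat(full)
            except OSError as e:
                reasons.append(f"cannot stat: {e.strerror}")
            else:
                mode = oct(stat.S_IMODE(st.st_mode))
                if not _may(st, uid, gids, 0o444):
                    reasons.append(f"not readable by uid {uid} (mode {mode})")
                if directive in SCRIPTS and not _may(st, uid, gids, 0o111):
                    reasons.append(f"not executable by uid {uid} (mode {mode})")
            if reasons:
                problems[full] = reasons
        return problems
    ```

    Run it as root against the generated server config (base set to the config's directory) before enabling the privilege-drop options; an empty result means every referenced file is reachable by that uid.
    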



  • This issue still exists.
    Can't seem to run the PKI server as user/group nobody with advanced option:

    user nobody;group nobody