    Update to 2.1, Issue with PKI

    OpenVPN
    10 Posts 4 Posters 2.8k Views

    wm408

      Hi,

      My setup from 2.0 does not seem to work with 2.1.  Here is the server log when I try to connect (newest to oldest):

      openvpn[4214]: 192.168.10.131:1194 TLS Error: TLS handshake failed
      Sep 30 14:59:30	openvpn[4214]: 192.168.10.131:1194 TLS Error: TLS object -> incoming plaintext read error
      Sep 30 14:59:30	openvpn[4214]: 192.168.10.131:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
      Sep 30 14:59:30	openvpn[4214]: 192.168.10.131:1194 WARNING: Failed running command (--tls-verify script): could not execute external program
      

      I've regenerated everything: CA, server cert, OpenVPN service instance, user cert.  All correctly associated.  All else equal to the previous setup.

      Client config:

      dev tun
      persist-tun
      persist-key
      cipher AES-128-CBC
      tls-client
      client
      resolv-retry infinite
      remote 102.106.12.15 1195 udp
      tls-remote test1
      auth-user-pass
      pkcs12 test1.p12
      tls-auth test1tls.key 1
      ns-cert-type server
      comp-lzo

      Any thoughts?

      Thanks.

      wm408

        I found that once I removed these advanced options on the server side:

        user nobody;group nobody
        

        It started to work.  I don't like this so much though, now the particular process is running as root.

        Any thoughts guys?

        Thanks.

        markn62

          You'll need to create yourself a user in "User Manager" and add to it the server CA likely with Local Database as the server.

          jimp (Rebel Alliance, Developer, Netgate)

            The permissions on the files in /var/etc/openvpn have been altered such that only root can read them. So using a custom user in that way is not (and never has been) supported.

            If you want to find the code that sets the permissions and fix it so your custom user can read them, feel free…

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            wm408

              @markn62:

              You'll need to create yourself a user in "User Manager" and add to it the server CA likely with Local Database as the server.

              I did.  Thanks for the suggestion.

              wm408

                @jimp:

                The permissions on the files in /var/etc/openvpn have been altered such that only root can read them. So using a custom user in that way is not (and never has been) supported.

                If you want to find the code that sets the permissions and fix it so your custom user can read them, feel free…

                Hey Jimp.  You probably understand the topic further than I do… but what about the security that is gained by running the exposed daemon (assuming firewall rules allow any) as "nobody", in case of some kind of exploit?

                Maybe I am missing the purpose of running only as root.  Help me out?  :-) Then again... I guess you're stating that if I want nobody to be able to run the daemon, I have to modify the script... OK.

                jimp (Rebel Alliance, Developer, Netgate)

                  I'm not sure of the exact reason why it hasn't been done that way. If OpenVPN runs as root to bind and add routes and then drops privileges to nobody, it may still be able to do the same things as usual, but there is always the chance that some other bit may break (pushed routes, etc.).


                  wm408

                    @jimp:

                    I'm not sure of the exact reason why it hasn't been done that way. If OpenVPN runs as root to bind and add routes and then drops privileges to nobody, it may still be able to do the same things as usual, but there is always the chance that some other bit may break (pushed routes, etc.).

                    Hey Jimp, just to clarify, I had been running 2.0.x for many months using the nobody for group and user in the advanced options without a hitch, only to be woken up by 2.1 and finding that (removing the option(s)) as my only solution.  I am not sure why either but maybe there is an explanation.

                    Oh one more thing, I have a site-to-site (shared keys) working fine with the user and group nobody, (in 2.1).

                    But the PKI… using the SSL/TLS + User Auth gives me the hiccup.

                    todd.tucker

                      I'm having the same problem. Did creating the local user work as suggested? I created a local user and group and changed the config to use that but still get the error.  I'm not too sure what was meant by "add it to the server CA" though.  I did notice that the permissions on the tls-verify.php script are 755, so I'm not sure why it gets the permissions problem since it's world readable/executable (unless FreeBSD has something similar to Linux with security contexts).

                      wm408
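The two posts above disagree about which permissions matter: jimp says the files under /var/etc/openvpn are readable only by root, while the tls-verify.php script itself is 755. Rather than guessing, a small audit can list everything under the config directory that an unprivileged OpenVPN user would be unable to read or execute after the daemon drops privileges. This is an added diagnostic script, not part of the thread or of pfSense; it assumes the unprivileged user (such as nobody) neither owns the files nor belongs to their group, so only the "other" permission bits decide, and the directory path is supplied by the caller.

```shell
#!/bin/sh
# ovpn_privdrop_audit.sh: list files under an OpenVPN config directory that an
# unprivileged user (assumed to be neither owner nor group member, e.g. nobody)
# cannot use after OpenVPN drops privileges with "user nobody;group nobody".
# Constructed example, not pfSense code. Run as: sh ovpn_privdrop_audit.sh /var/etc/openvpn

# Print every path that would be unusable by "other":
#   - directories without o+x cannot be traversed,
#   - regular files without o+r cannot be read (keys, certs, configs),
#   - script files (*.php, *.sh) without o+x cannot be executed
#     (the "could not execute external program" case for --tls-verify).
ovpn_unreadable_by_other() {
    dir="$1"
    find "$dir" -type d ! -perm -o=x -print
    find "$dir" -type f ! -perm -o=r -print
    find "$dir" -type f \( -name '*.php' -o -name '*.sh' \) ! -perm -o=x -print
}

# Return 0 if the directory is fully usable by "other", 1 otherwise.
ovpn_check_dir() {
    n=$(ovpn_unreadable_by_other "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Stand-alone use: report and exit non-zero when something would fail.
if [ -n "$1" ]; then
    if ovpn_check_dir "$1"; then
        echo "OK: everything under $1 is usable by an unprivileged user"
    else
        echo "NOT OK: an unprivileged OpenVPN user cannot access:"
        ovpn_unreadable_by_other "$1"
        exit 1
    fi
fi
```

If the audit flags a file, compare that list against the errors in the OpenVPN log before deciding whether to relax the permissions or keep the daemon as root.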

                        This issue still exists.
                        Can't seem to run the PKI server as user/group nobody with advanced option:

                        user nobody;group nobody
