    Update to 2.1, Issue with PKI

    OpenVPN
    • W
      wm408 last edited by

      Hi,

      My setup from 2.0 does not seem to work with 2.1.  Here is the server log when I try to connect (newest to oldest):

      openvpn[4214]: 192.168.10.131:1194 TLS Error: TLS handshake failed
      Sep 30 14:59:30	openvpn[4214]: 192.168.10.131:1194 TLS Error: TLS object -> incoming plaintext read error
      Sep 30 14:59:30	openvpn[4214]: 192.168.10.131:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
      Sep 30 14:59:30	openvpn[4214]: 192.168.10.131:1194 WARNING: Failed running command (--tls-verify script): could not execute external program
      

      I've regenerated everything: CA, Server Cert, OpenVPN service instance, User Cert.  All correctly associated.  All else equal as previous setup.

      Client config:

      dev tun
      persist-tun
      persist-key
      cipher AES-128-CBC
      tls-client
      client
      resolv-retry infinite
      remote 102.106.12.15 1195 udp
      tls-remote test1
      auth-user-pass
      pkcs12 test1.p12
      tls-auth test1tls.key 1
      ns-cert-type server
      comp-lzo
      
      

      Any thoughts?

      Thanks.

      • W
        wm408 last edited by

        I found that once I removed these advanced options on the server side:

        user nobody;group nobody
        

        It started to work.  I don't like this so much though, now the particular process is running as root.

        Any thoughts guys?

        Thanks.

        • M
          markn62 last edited by

          You'll need to create yourself a user in "User Manager" and add to it the server CA likely with Local Database as the server.

          • jimp
            jimp Rebel Alliance Developer Netgate last edited by

            The permissions on the files in /var/etc/openvpn have been altered such that only root can read them. So using a custom user in that way is not (and never has been) supported.

            If you want to find the code that sets the permissions and fix it so your custom user can read them, feel free…

            • W
              wm408 last edited by

              @markn62:

              You'll need to create yourself a user in "User Manager" and add to it the server CA likely with Local Database as the server.

              I did.  Thanks for the suggestion.

              • W
                wm408 last edited by

                @jimp:

                The permissions on the files in /var/etc/openvpn have been altered such that only root can read them. So using a custom user in that way is not (and never has been) supported.

                If you want to find the code that sets the permissions and fix it so your custom user can read them, feel free…

                Hey Jimp.  You probably understand the topic further than I do… but what about the security that is gained by running the exposed daemon (assuming firewall rules allow any) as "nobody", in case of some kind of exploit?

                Maybe I am missing the purpose of running only as root.  Help me out?  :-, then again... I guess you're stating that if I want nobody to be able to run the daemon, I have to modify the script... OK.

                • jimp
                  jimp Rebel Alliance Developer Netgate last edited by

                  I'm not sure of the exact reason why it hasn't been done that way. If OpenVPN runs as root to bind and add routes and then drops privileges to nobody, it may still be able to do the same things as usual, but there is always the chance that some other bit may break (pushed routes, etc)

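The root-only permissions jimp describes on /var/etc/openvpn can be checked mechanically before a server is switched to user/group nobody. The block below is an added example, not pfSense's or OpenVPN's own code: it parses a server config and reports which referenced files or scripts a non-root uid/gid could not open once privileges are dropped. It assumes plain POSIX mode bits (no ACLs, no directory traversal checks) and uses an illustrative, not exhaustive, set of directives.

```python
# Added example (not pfSense's or OpenVPN's own code): list every file or script named in an
# OpenVPN server config that the daemon could no longer open after dropping to the given uid/gid.
# Assumptions: POSIX mode bits only; ACLs, directory traversal and what a verify script reads are ignored.
import os, shlex, stat, tempfile

FILE_DIRECTIVES = {"ca", "cert", "key", "dh", "pkcs12", "tls-auth", "crl-verify"}  # may be reopened later
SCRIPT_DIRECTIVES = {"tls-verify", "auth-user-pass-verify", "client-connect", "up", "down"}

def mode_allows(st, uid, gid, need_exec):
    # POSIX class check: owner bits if uid owns the file, else group bits, else other bits
    if uid == 0:  # root bypasses read checks; exec still needs some x bit set
        return not need_exec or bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if st.st_uid == uid:
        r, x = stat.S_IRUSR, stat.S_IXUSR
    elif st.st_gid == gid:
        r, x = stat.S_IRGRP, stat.S_IXGRP
    else:
        r, x = stat.S_IROTH, stat.S_IXOTH
    return bool(st.st_mode & r) and (not need_exec or bool(st.st_mode & x))

def check_privdrop_access(config_text, uid, gid, base_dir="/"):
    """Return [(directive, path, reason)]; ';' separates directives as in pfSense's advanced box."""
    problems = []
    for raw in config_text.splitlines():
        for directive in raw.split("#", 1)[0].split(";"):
            parts = shlex.split(directive)
            if len(parts) < 2 or parts[1].startswith("["):  # no path, or an inline [inline] block
                continue
            name, path = parts[0], parts[1].split()[0]  # for scripts the first word is the program
            if name not in FILE_DIRECTIVES and name not in SCRIPT_DIRECTIVES:
                continue
            need_exec = name in SCRIPT_DIRECTIVES
            try:
                st = os.stat(os.path.join(base_dir, path.lstrip("/")))
            except FileNotFoundError:
                problems.append((name, path, "missing"))
                continue
            if not mode_allows(st, uid, gid, need_exec):
                problems.append((name, path, "not executable" if need_exec else "not readable"))
    return problems

def build_demo_tree():
    """Constructed fixture: root-only (0600) key material beside a 0755 verify script."""
    base = tempfile.mkdtemp()
    for name, mode in (("server.key", 0o600), ("ca.crt", 0o644), ("tls.key", 0o600), ("verify.sh", 0o755)):
        path = os.path.join(base, name)
        open(path, "w").close()
        os.chmod(path, mode)
    cfg = 'ca /ca.crt\nkey /server.key\ntls-auth "/tls.key" 0\ntls-verify "/verify.sh tls test1 1"\nuser nobody;group nobody\n'
    return base, cfg, os.stat(base).st_uid, os.stat(base).st_gid
```

Run against the real config with the uid/gid of the user named in the `user`/`group` directives; an empty list means every referenced file survives the privilege drop, at least as far as mode bits go.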
                  • W
                    wm408 last edited by

                    @jimp:

                    I'm not sure of the exact reason why it hasn't been done that way. If OpenVPN runs as root to bind and add routes and then drops privileges to nobody, it may still be able to do the same things as usual, but there is always the chance that some other bit may break (pushed routes, etc)

                    Hey Jimp, just to clarify, I had been running 2.0.x for many months using the nobody for group and user in the advanced options without a hitch, only to be woken up by 2.1 and finding that (removing the option(s)) as my only solution.  I am not sure why either but maybe there is an explanation.

                    Oh one more thing, I have a site-to-site (shared keys) working fine with the user and group nobody, (in 2.1).

                    But the PKI… using the SSL/TLS + User Auth gives me the hiccup.

                    • T
                      todd.tucker last edited by

                      I'm having the same problem, did creating the local user work as suggested? I created a local user and group and changed the config to use that but still get the error.  I'm not too sure what was meant by "add it to the server CA" though.  I did notice that the permissions on the tls-verify.php script are 755 so not sure why it gets the permissions problem since it's world readable/executable (unless FreeBSD has something similar to Linux with security contexts)

                      • W
                        wm408 last edited by

                        This issue still exists.
                        Can't seem to run the PKI server as user/group nobody with advanced option:

                        user nobody;group nobody
