Koozali.org: home of the SME Server

OpenVPN for Sme 7.0

haymann
OpenVPN for Sme 7.0
« Reply #45 on: November 10, 2006, 05:59:18 PM »
Quote from: "VIP-ire"
This file is created during certificate generation. Anyway, I'm working on beta5 and it'll be corrected. This beta will seriously improve security and will correct the last little problems, like the .rnd one.
I was wondering where that came from...

VIP-ire, you mentioned a post or two ago that sometimes the client certificate is blank. I have tried repeatedly to regenerate the certificates, but every time the client.crt is 0 bytes. Is the best way to fix this to uninstall and install your latest? I don't even know which version I have, though...
Thanks.

imcintyre
OpenVPN for Sme 7.0
« Reply #46 on: November 10, 2006, 06:06:13 PM »
Haymann;

I tried the uninstall/reinstall trick and it did not resolve the problem. I had beta 3 installed, then beta 4 when I noticed the problem. Thinking I had done something foolish (still completely plausible :o ), I uninstalled and reinstalled, and the problem was still there. I did not reboot (see my previous post), but apparently that won't help either.

imcintyre
OpenVPN for Sme 7.0
« Reply #47 on: November 10, 2006, 06:56:55 PM »
VIP ire;

Stoopid question time :oops: . My VPN connection did not work, and while pondering that it occurred to me that I had not entered the name of my site or its IP address anywhere that I remember. When I VPN into work, I know where the IP address is stored and could change it if I wanted. Shouldn't I have to tell the OpenVPN GUI where I would like to VPN to?

To further complicate things, I have a dynamic address. I use ZoneEdit to find my site.

Thx in advance for your help and your hard work.

haymann
OpenVPN for Sme 7.0
« Reply #48 on: November 10, 2006, 08:10:32 PM »
Thanks imcintyre, maybe I'll wait a bit before uninstalling...

Just to see what happened (even though it appears my client.crt is blank), I installed OpenVPN on a remote computer and copied over the files that I downloaded from my OpenVPN panel in server-manager. When I try to connect I get this error:
Code:
Options error: Unrecognized option or missing parameter(s) in vpn.ovpn:10: fragment (2.0.5)
Use --help for more information.
I noticed that vpn.ovpn has an entry "fragment", so for kicks I removed it. Then when I tried to connect it prompted me for my username and password. When those were supplied, I got this error:
Code:
Fri Nov 10 14:06:29 2006 us=978827 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Nov 10 14:06:29 2006 us=982909 Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Fri Nov 10 14:06:29 2006 us=982941 Exiting
I don't know what to make of that first error, but I am guessing that the second error is because my client.crt is blank...

Daniel B. (Firewall Services, network security)
OpenVPN for Sme 7.0
« Reply #49 on: November 10, 2006, 08:26:04 PM »
Quote from: "imcintyre"
VIP ire;

Stoopid question time :oops: . My VPN connection did not work, and while pondering that it occurred to me that I had not entered the name of my site or its IP address anywhere that I remember. When I VPN into work, I know where the IP address is stored and could change it if I wanted. Shouldn't I have to tell the OpenVPN GUI where I would like to VPN to?

To further complicate things, I have a dynamic address. I use ZoneEdit to find my site.

Thx in advance for your help and your hard work.


The address of your VPN server is in the client's config file. It's generated from the domain name of your server; you should have something like

remote yourdomain.com

If you have a dynamic IP address, you may have to change it. For example, on my personal server I use DynDNS: my internal domain is domain.org, but from the internet it's reachable as domain.dyndns.org.
So the panel generates a file with domain.org, which I changed to domain.dyndns.org.

Quote from: "haymann"
Just to see what happened (even though it appears my client.crt is blank), I installed OpenVPN on a remote computer and copied over the files that I downloaded from my OpenVPN panel in server-manager. When I try to connect I get this error:
Code:
Options error: Unrecognized option or missing parameter(s) in vpn.ovpn:10: fragment (2.0.5)
Use --help for more information.
I noticed that vpn.ovpn has an entry "fragment", so for kicks I removed it. Then when I tried to connect it prompted me for my username and password. When those were supplied, I got this error:
Code:
Fri Nov 10 14:06:29 2006 us=978827 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Nov 10 14:06:29 2006 us=982909 Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Fri Nov 10 14:06:29 2006 us=982941 Exiting
I don't know what to make of that first error, but I am guessing that the second error is because my client.crt is blank...


It looks like you're using beta 3. Those two problems (blank certificate and fragment error) are known problems of beta3. You should upgrade to beta 4 or wait for beta 5 (next week, I hope).
It's the end of the world!!! :lol:
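Both errors haymann posted are detectable before the profile ever leaves the server: a `fragment` line with no argument is a parse error in OpenVPN 2.0.x, a 0-byte client.crt is what OpenSSL reports as "PEM_read_bio:no start line", and the "No server certificate verification method has been enabled" warning means the profile carries no `ns-cert-type server` (the option the howto's #mitm section asks for). The linter below is an added example written for this thread; it is not code from the smeserver-openvpn-bridge package or from the server-manager panel. It assumes the downloaded profile references ca/cert/key files by name in the same directory (the C:\Program Files\OpenVPN\config layout used later in the thread) and only checks PEM framing, not the certificate contents; the sample profile and certificate bodies inside `demo()` are constructed placeholders.

```python
"""Lint an OpenVPN 2.0-style client profile before copying it to the client box.

Added example for this thread; it is not part of smeserver-openvpn-bridge.
It catches the two failures haymann hit (a bare `fragment` line, an empty
client.crt that OpenSSL reports as "PEM_read_bio:no start line") and the
"No server certificate verification method has been enabled" condition.
"""
import os
import re
import shutil
import tempfile

# A PEM block is BEGIN/END lines of the same label with a non-empty body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.+?\r?\n-----END \1-----", re.S)

# Options that the 2.0.x parser rejects when no parameter follows them.
NEEDS_ARG = {"fragment", "remote", "ca", "cert", "key", "tls-auth",
             "dev", "proto", "port", "cipher", "auth"}
FILE_OPTS = {"ca", "cert", "key", "tls-auth"}
# Any of these makes the client check the server certificate's *role*;
# ns-cert-type is the 2.0 option (the server cert must carry nsCertType=server),
# remote-cert-tls is its 2.1+ replacement.
SERVER_VERIFY = {"ns-cert-type", "remote-cert-tls", "tls-remote"}


def pem_problem(path):
    """Return None if `path` holds a well-formed PEM block, else a short reason."""
    if not os.path.exists(path):
        return "missing"
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.strip():
        return "empty (0 bytes)"            # the blank client.crt from beta3
    if not PEM_BLOCK.search(data.decode("ascii", "replace")):
        return "no PEM BEGIN/END lines"     # what OpenSSL calls 'no start line'
    return None


def lint_profile(ovpn_path):
    """Return [(line_no, message)] findings; line 0 = whole-profile finding."""
    findings = []
    seen = {}
    confdir = os.path.dirname(ovpn_path)
    with open(ovpn_path) as fh:
        for n, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line[0] in "#;":   # OpenVPN comment lines
                continue
            opt, args = line.split()[0], line.split()[1:]
            seen[opt] = args
            if opt in NEEDS_ARG and not args:
                findings.append((n, "option '%s' requires a parameter" % opt))
            if opt in FILE_OPTS and args:
                bad = pem_problem(os.path.join(confdir, args[0]))
                if bad:
                    findings.append((n, "%s file %s: %s" % (opt, args[0], bad)))
    if "remote" not in seen:
        findings.append((0, "no 'remote' line: the client has nowhere to connect"))
    if not SERVER_VERIFY & set(seen):
        findings.append((0, "server certificate role is not verified: add "
                            "'ns-cert-type server' or any CA-signed client cert "
                            "can impersonate the server"))
    return findings


def demo():
    """Constructed sample (not real keys): reproduces the thread's broken profile."""
    d = tempfile.mkdtemp()
    try:
        # Placeholder PEM bodies; the linter only checks framing, not contents.
        fake_cert = ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"
                     "-----END CERTIFICATE-----\n")
        files = {
            "ca.crt": fake_cert,
            "client.crt": "",                                  # the 0-byte file
            "client.key": fake_cert.replace("CERTIFICATE", "RSA PRIVATE KEY"),
            "vpn.ovpn": ("client\ndev tap\nproto udp\nremote yourdomain.com 1194\n"
                         "ca ca.crt\ncert client.crt\nkey client.key\n"
                         "fragment\ncomp-lzo\n"),               # bare 'fragment'
        }
        for name, text in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        return lint_profile(os.path.join(d, "vpn.ovpn"))
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    for line_no, msg in demo():
        print("vpn.ovpn:%d: %s" % (line_no, msg))
```

Run it against the directory you downloaded from the panel before carrying the files to the client. The `ns-cert-type server` line it asks for is also the reason a later post in this thread sees "VERIFY nsCertType ERROR ... require nsCertType=SERVER": once the client config requests that check, a server certificate generated without the nsCertType extension fails verification, so the certificates have to be regenerated together with the config.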

haymann
OpenVPN for Sme 7.0
« Reply #50 on: November 10, 2006, 10:29:40 PM »
Quote from: "VIP-ire"
It looks like you're using beta 3. Those two problems (blank certificate and fragment error) are known problems of beta3. You should upgrade to beta 4 or wait for beta 5 (next week, I hope).
Excellent! I'll give it a shot tonight. Thank you for your effort on this, I appreciate it very much.
Ryan

imcintyre
OpenVPN for Sme 7.0
« Reply #51 on: November 10, 2006, 10:42:01 PM »
Quote
The address of your VPN server is in the client's config file. It's generated from the domain name of your server; you should have something like

remote yourdomain.com

If you have a dynamic IP address, you may have to change it. For example, on my personal server I use DynDNS: my internal domain is domain.org, but from the internet it's reachable as domain.dyndns.org.
So the panel generates a file with domain.org, which I changed to domain.dyndns.org.


I use ZoneEdit and I can get through on the internet with mysite.ca. In my vpn.ovpn I have the line "remote mysite.ca". I get the logon screen, but apparently I don't know the login/password. I created the profile while I was logged in as admin. How do I link the profile to a user and password, or did I miss something?

Thx in advance.

Daniel B. (Firewall Services, network security)
OpenVPN for Sme 7.0
« Reply #52 on: November 11, 2006, 12:01:26 AM »
Quote from: "imcintyre"


I use ZoneEdit and I can get through on the internet with mysite.ca. In my vpn.ovpn I have the line "remote mysite.ca". I get the logon screen, but apparently I don't know the login/password. I created the profile while I was logged in as admin. How do I link the profile to a user and password, or did I miss something?

Thx in advance.


The logins/passwords are the same as the main user accounts. If you create one certificate per client, use the same common name as that user's login. Don't forget to set VPNaccess to yes in the users page. By the way, this will certainly change in the next release, as the whole login system will change.
It's the end of the world!!! :lol:

imcintyre
OpenVPN for Sme 7.0
« Reply #53 on: November 11, 2006, 08:27:28 PM »
*Solved* I took out the space in the name and everything is ok.

I tried to create a profile using "my name" and got the following error. If it is of any use, there is a space between "my" and "name". Also, "my name" is not a user account.

Quote

Software error:

Bad caracteres in My Name at /etc/e-smith/web/panels/manager/cgi-bin/openvpn line 955.

For help, please send mail to the webmaster (admin), giving this error message and the time and date of the error.


any insight into this?

Thx

Daniel B. (Firewall Services, network security)
OpenVPN for Sme 7.0
« Reply #54 on: November 13, 2006, 09:14:41 AM »
When creating a new profile (a new X.509 certificate, optionally with an IP address associated), you should use the login as the common name. Anyway, if you don't want to use the login as the common name, spaces are not allowed in the common name, so don't use them.
It's the end of the world!!! :lol:

imcintyre
OpenVPN for Sme 7.0
« Reply #55 on: November 14, 2006, 12:18:08 AM »
Okay, here we go again (please bear with me).

I created a new user profile, generated a new ca.crt, user.crt, user.key.

I am going to their house, where I will install openvpn, and put the ca.crt and user.crt in the directory, C:\Program Files\OpenVPN\config.

I copied the generated file that starts "port 1194..." using Notepad to create the file VPN.ovpn. I copy that into the directory C:\Program Files\OpenVPN\config.

I take the file "user.key" and put it in the same directory. Should I do anything else with it?

Thx.

imcintyre
OpenVPN for Sme 7.0
« Reply #56 on: November 14, 2006, 02:36:56 AM »
Works great; I had forgotten to enable VPN access for the user ( :oops: ).

very awesome, <~~listening to tunes from my house while at my mom's

Rare Earth... I just want to celebrate

Daniel B. (Firewall Services, network security)
OpenVPN for Sme 7.0
« Reply #57 on: November 19, 2006, 04:52:37 AM »
smeserver-openvpn-bridge_beta5 is available. Have a look at http://sme.firewall-services.com/spip.php?rubrique3
It's the end of the world!!! :lol:

AndrewR
OpenVPN for Sme 7.0
« Reply #58 on: December 02, 2006, 12:10:41 AM »
Quote from: "VIP-ire"
smeserver-openvpn-bridge_beta5 is available. Have a look at http://sme.firewall-services.com/spip.php?rubrique3


That's all fine and good... the problem is, the upgrade broke my VPN. I was using beta4, but when I attempt to connect using an existing client (after applying the configuration changes), this is what I get:

Fri Dec 01 16:08:16 2006 us=923573 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Fri Dec 01 16:08:16 2006 us=923611 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 01 16:08:16 2006 us=923623 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 01 16:08:16 2006 us=923662 LZO compression initialized
Fri Dec 01 16:08:16 2006 us=923712 Control Channel MTU parms [ L:1594 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Dec 01 16:08:16 2006 us=924482 Data Channel MTU parms [ L:1594 D:1450 EF:62 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Dec 01 16:08:16 2006 us=924510 Fragmentation MTU parms [ L:1594 D:1400 EF:61 EB:135 ET:33 EL:0 AF:3/1 ]
Fri Dec 01 16:08:16 2006 us=924545 Local Options String: 'V4,dev-type tap,link-mtu 1594,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Dec 01 16:08:16 2006 us=924555 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1594,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Dec 01 16:08:16 2006 us=924580 Local Options hash (VER=V4): '29f2fd82'
Fri Dec 01 16:08:16 2006 us=924596 Expected Remote Options hash (VER=V4): 'b35f3855'
Fri Dec 01 16:08:16 2006 us=924631 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Dec 01 16:08:16 2006 us=924647 UDPv4 link local: [undef]
Fri Dec 01 16:08:16 2006 us=924657 UDPv4 link remote: 209.89.132.81:1194
Fri Dec 01 16:08:16 2006 us=966217 TLS: Initial packet from 209.89.132.81:1194, sid=b416c8e3 bdcf3e5a
Fri Dec 01 16:08:17 2006 us=319696 VERIFY OK: depth=1, /C=CA/ST=France/L=Edmonton/O=Electronic_Connections/OU=VPN/CN=server.ecl.ca/emailAddress=andrewr@ecl.ca
Fri Dec 01 16:08:17 2006 us=320916 VERIFY nsCertType ERROR: /C=CA/ST=France/O=Electronic_Connections/OU=VPN/CN=server.ecl.ca/emailAddress=andrewr@ecl.ca, require nsCertType=SERVER
Fri Dec 01 16:08:17 2006 us=321123 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Dec 01 16:08:17 2006 us=321135 TLS Error: TLS object -> incoming plaintext read error
Fri Dec 01 16:08:17 2006 us=321143 TLS Error: TLS handshake failed
Fri Dec 01 16:08:17 2006 us=321507 TCP/UDP: Closing socket
Fri Dec 01 16:08:17 2006 us=321744 SIGUSR1[soft,tls-error] received, process restarting
Fri Dec 01 16:08:17 2006 us=322020 Restart pause, 2 second(s)

For now, I am restoring back to beta4 (thank god I did a backup). I would like to use the new features in beta5, namely the increased authentication, but not at the expense of stability.

Ideas?

Daniel B. (Firewall Services, network security)
OpenVPN for Sme 7.0
« Reply #59 on: December 02, 2006, 12:49:52 AM »
It looks like you have updated the client's configuration file but are still using the old certificates. You should erase all the certificates (in the server-manager panel) and regenerate them. Download the new ones to your client, along with the ta.key file, and I think it'll work.
It's the end of the world!!! :lol: