Koozali.org: home of the SME Server

SME 9 and VPN

killrob

SME 9 and VPN
« on: March 28, 2018, 06:42:17 PM »
Hi everyone,
I have SME 9 in server & gateway mode.
Since "dear" rotten-apple Apple has decided that its new iOS versions, from 10 onwards, no longer include the PPTP protocol for connecting to the VPN, some of my customers are in trouble precisely because they use the rotten phone or the rotten tablet and can no longer connect to the SME Server over VPN.
Are there any contribs around that use other protocols?
All the rotten-apple mobile devices have:
L2TP
IPSec
IKEv2

Thanks everyone
P.S.: can you tell that I hold a bit of a grudge against the rotten-apple brand??? :lol: :lol: :lol:

killrob

Re: SME 9 and VPN
« Reply #1 on: March 28, 2018, 06:49:33 PM »
Sorry everyone... I read the wiki more carefully and found it.
Thanks everyone, and sorry for the rant against the rotten apple

Fumetto

Re: SME 9 and VPN
« Reply #2 on: March 28, 2018, 09:06:27 PM »
Don't worry... the grudge is shared; once upon a time, even if the server certificate was self-signed you could simply authorize it; now you have to FIRST export it in base64, install it, authorize it, and only AFTER that whole rigmarole can you configure the email (even though every time I try it, it takes forever to recognise the settings as valid)... crappy_apple!!!

:D

ReetP

Re: SME 9 and VPN
« Reply #3 on: April 01, 2018, 10:43:16 PM »
Although I do not love Apple, they made the correct decision. PPTP is very insecure. It is almost pointless.

Your options are ipsec, ipsec/l2tpd, openvpn. All of them are more difficult to set up, but they are worth the work.

Openvpn 'routed' with PHPKI is very good once you have it set up but it can be tricky.

Ipsec/l2tpd is relatively easy to set up, though the contrib needs more testing. It integrates with SME users for passwords.

Pure ipsec (v2) for mobile is possible but I have not tested it. It can use passwords or certificates but I have not tested either.

Please ask if you have any queries regarding ipsec... I wrote the contribs !!
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

killrob

Re: SME 9 and VPN
« Reply #4 on: April 07, 2018, 06:59:26 PM »
I installed OpenVPN and am trying it out, but from the OpenVPN client for Windows 10 I just cannot connect; it keeps giving me this error:
"Sat Apr 07 18:58:36 2018 read UDP: Unknown error (code=10054)"

and I can't get past it

ReetP

Re: SME 9 and VPN
« Reply #5 on: April 07, 2018, 08:44:46 PM »
What do your logs say?

Openvpn routed or bridged?


killrob

Re: SME 9 and VPN
« Reply #6 on: April 09, 2018, 08:01:02 PM »
OpenVPN bridged.
the log shows this:
Code:
2018-04-09 19:50:39.381934500 WARNING: file 'priv/key.pem' is group or others accessible
2018-04-09 19:50:39.382200500 WARNING: file 'priv/takey.pem' is group or others accessible
2018-04-09 19:50:39.382432500 OpenVPN 2.4.4 i686-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017
2018-04-09 19:50:39.382563500 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
2018-04-09 19:50:39.384330500 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:11194
2018-04-09 19:50:39.384877500 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
2018-04-09 19:50:39.385683500 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
2018-04-09 19:50:39.421758500 Diffie-Hellman initialized with 1024 bit key
2018-04-09 19:50:39.423546500 Error: private key password verification failed
2018-04-09 19:50:39.423656500 Exiting due to fatal error

I think the "private key password verification failed" is the problem, but:


killrob

Re: SME 9 and VPN
« Reply #7 on: April 09, 2018, 08:01:30 PM »
OpenVPN bridged.
the log shows this:
Code:
2018-04-09 19:50:39.381934500 WARNING: file 'priv/key.pem' is group or others accessible
2018-04-09 19:50:39.382200500 WARNING: file 'priv/takey.pem' is group or others accessible
2018-04-09 19:50:39.382432500 OpenVPN 2.4.4 i686-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017
2018-04-09 19:50:39.382563500 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
2018-04-09 19:50:39.384330500 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:11194
2018-04-09 19:50:39.384877500 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
2018-04-09 19:50:39.385683500 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
2018-04-09 19:50:39.421758500 Diffie-Hellman initialized with 1024 bit key
2018-04-09 19:50:39.423546500 Error: private key password verification failed
2018-04-09 19:50:39.423656500 Exiting due to fatal error

I think the "private key password verification failed" is the problem, but the keys have been loaded


https://ibb.co/cp4tpx
« Last Edit: April 09, 2018, 08:03:07 PM by killrob »

ReetP

Re: SME 9 and VPN
« Reply #8 on: April 10, 2018, 03:50:09 PM »
Half your problem is in front of you.

These need the correct permissions:

"WARNING: file 'priv/key.pem' is group or others accessible"
"WARNING: file 'priv/takey.pem' is group or others accessible"

I think you may have set a password on the file, despite the wiki saying 'Don't'

Error: private key password verification failed

https://wiki.contribs.org/OpenVPN_Bridge#Create_a_certificate_for_the_server

"Key size: you can enter what you want (I use 2048 in general)"

"Password: This field must be blank. Remember that the OpenVPN daemon starts without human intervention when the server boots, so it needs to have access to the certificate key without being prompted for a password."

"Certificate Use: you should use "VPN Server Only". This is important."

Google translate can help you to understand...

killrob

Re: SME 9 and VPN
« Reply #9 on: April 18, 2018, 10:29:22 PM »
OK, I've made a step forward; now I find this error in the log:
Code:
2018-04-18 22:25:53.027060500 185.8.149.138:46555 TLS: Initial packet from [AF_INET]185.8.149.138:46555, sid=a4a5894a 33e9b05b
2018-04-18 22:26:53.090606500 185.8.149.138:46555 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2018-04-18 22:26:53.090690500 185.8.149.138:46555 TLS Error: TLS handshake failed
2018-04-18 22:26:53.090869500 185.8.149.138:46555 SIGUSR1[soft,tls-error] received, client-instance restarting

the ports are forwarded correctly on both the server and the client
the firewall on the client (Windows 10) allows connections in and out
same thing on the server
the only thing I haven't figured out is how to check whether there is any IP address overlap between server and client
« Last Edit: April 18, 2018, 10:32:09 PM by killrob »

killrob

Re: SME 9 and VPN
« Reply #10 on: April 18, 2018, 11:18:31 PM »
I should also point out that in my network the IPs are
192.168.1.x
on the server
192.168.0.x

ReetP

Re: SME 9 and VPN
« Reply #11 on: April 19, 2018, 01:37:21 AM »
https://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity.html

https://serverfault.com/questions/765521/openvpn-issue-tls-key-negotiation-failed-to-occur-within-60-seconds

Don't worry about IPs. Get a connection working first.....

Is your server a virtual machine?

killrob

Re: SME 9 and VPN
« Reply #12 on: April 19, 2018, 05:56:05 PM »
https://openvpn.net/index.php/open-source/faq/79-client/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity.html

https://serverfault.com/questions/765521/openvpn-issue-tls-key-negotiation-failed-to-occur-within-60-seconds

Don't worry about IPs. Get a connection working first.....

Is your server a virtual machine?

I went through the first link you posted point by point last night (I did do the Google search for the error) and every point it lists comes up negative (in the sense that none of those points is causing problems, because I checked).

No, the server is a physical machine.
« Last Edit: April 19, 2018, 06:04:53 PM by killrob »

killrob

Re: SME 9 and VPN
« Reply #13 on: April 19, 2018, 06:46:35 PM »
another step forward: I changed the configuration files from UDP to TCP on both the client side and the server side:

client side:
Code:
rport 1194
proto tcp-client
dev tun
nobind
# Uncomment the following line if your system
# support passtos (not supported on Windows)
# passtos
remote sassone.ns0.it

tls-client
remote-cert-tls server


# Replace user.p12 with the certificate
# bundle in PKCS12 format
pkcs12 sassonevpn.p12

# You can replace the pkcs12
# directive with the old ones
#ca cacert.pem
#cert takey.pem
#key sassonevpn-key.pem

#mtu-test
comp-lzo
pull


server side:
Code:
#------------------------------------------------------------
#              !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://www.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------
# Virtual Interface Configuration

port 1194
proto tcp-server
dev tap0


# Drop down privileges
user nobody
group nobody
chroot /etc/openvpn/bridge

persist-key
persist-tun

# Certificates config
dh pub/dh.pem
ca pub/cacert.pem
cert pub/cert.pem
key priv/key.pem
tls-server



# CRL file for certificates verification
crl-verify pub/cacrl.pem

# Plugin for user-auth


# Server mode
server-bridge 192.168.0.30 255.255.255.0 192.168.0.1 192.168.0.29

# Options
keepalive 10 120
push "dhcp-option DOMAIN tenuta-sassone.it"
push "dhcp-option DNS 192.168.0.30"
push "dhcp-option WINS 192.168.0.30"

#mtu-test
passtos


nice 5

# Routes


push "topology subnet"
# Management interface
management localhost 11194 management-pass.txt

# Clients options
client-config-dir ccd
max-clients 20
comp-lzo adaptive
push "comp-lzo adaptive"


# Log
status-version 2
status bridge-status.txt
suppress-timestamps
verb 3

and this is the error:

Code:
2018-04-19 18:30:39.119326500 185.8.149.138:46816 TLS: Initial packet from [AF_INET]185.8.149.138:46816, sid=35e8d800 c1f3ed0f
2018-04-19 18:30:39.601427500 185.8.149.138:46816 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=IT, ST=Grosseto, L=costa sassone, O=servizio VPN, O=21232f297a57a5a743894a0e4a801fc3, OU=VPN, CN=sassonevpn, emailAddress=killrob3@gmail.com
2018-04-19 18:30:39.601833500 185.8.149.138:46816 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2018-04-19 18:30:39.601914500 185.8.149.138:46816 TLS_ERROR: BIO read tls_read_plaintext error
2018-04-19 18:30:39.601985500 185.8.149.138:46816 TLS Error: TLS object -> incoming plaintext read error
2018-04-19 18:30:39.602054500 185.8.149.138:46816 TLS Error: TLS handshake failed
2018-04-19 18:30:39.602384500 185.8.149.138:46816 Fatal TLS error (check_tls_errors_co), restarting
2018-04-19 18:30:39.602477500 185.8.149.138:46816 SIGUSR1[soft,tls-error] received, client-instance restarting

I am sure the certificate on the client side is there

ReetP

Re: SME 9 and VPN
« Reply #14 on: April 20, 2018, 11:38:37 AM »
a) why do you need TCP?

b) Please read the errors and have a search.

"error=unsupported certificate purpose"

You have probably set the wrong certificate type when you generated it.

Please read the wiki.....
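The three server-side problems ReetP points at in Reply #8 (key files readable by group/others, a passphrase on the server key) and Reply #14 (wrong certificate purpose) can be checked before restarting the daemon. This is an added example script, not code from the thread, the contrib or SME Server; it assumes the file layout of the posted server config (chroot /etc/openvpn/bridge with priv/key.pem, priv/takey.pem and pub/cert.pem), GNU stat, and openssl for the purpose check.

```shell
#!/bin/sh
# Pre-flight check for the OpenVPN bridge files in this thread. Added example,
# not part of the contrib or of SME Server; assumes the posted server config's
# layout (chroot /etc/openvpn/bridge, priv/key.pem, priv/takey.pem, pub/cert.pem) and GNU stat.

# Report a private key file that is group/other accessible or passphrase
# protected. Prints one line per finding; the return code is the number of
# findings (1 if the file is missing).
check_key_file() {
    f=$1
    problems=0
    if [ ! -f "$f" ]; then
        echo "MISSING   $f"
        return 1
    fi
    # OpenVPN warns "group or others accessible" for any mode other than
    # owner-only (0600 or 0400).
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "PERMS     $f is mode $mode (fix: chmod 600 $f)"
           problems=$((problems + 1)) ;;
    esac
    # A passphrase-protected PEM key carries an ENCRYPTED marker. The daemon
    # starts unattended at boot, so such a key fails with
    # "private key password verification failed".
    if grep -q 'ENCRYPTED' "$f"; then
        echo "ENCRYPTED $f needs a passphrase (reissue the key with an empty password)"
        problems=$((problems + 1))
    fi
    return $problems
}

# "unsupported certificate purpose" means the server certificate is not
# marked for SSL server use ("VPN Server Only" in the wiki's terms).
check_server_cert_purpose() {
    c=$1
    command -v openssl >/dev/null 2>&1 || { echo "SKIP      openssl not found"; return 0; }
    if openssl x509 -in "$c" -noout -purpose | grep -q '^SSL server : Yes'; then
        echo "OK        $c is usable as a server certificate"
    else
        echo "PURPOSE   $c is not usable as a server certificate (reissue it as 'VPN Server Only')"
        return 1
    fi
}

# Usage, relative to the chroot in the posted server config:
#   cd /etc/openvpn/bridge; check_key_file priv/key.pem; check_key_file priv/takey.pem
#   check_server_cert_purpose pub/cert.pem
```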