In light of struggling trying to get IPSec running on Windows clients, I figured I'd just do OpenVPN so at least I had something...despite not feeling that I should have to use third party software to get a VPN working on this firewall...
Anyway, I followed the guide...again - https://docs.opnsense.org/manual/how-tos/sslvpn_client.html - minus the multi factor stuff.
Downloaded the OpenVPN client, did the client export stuff from the firewall, imported that file into the OpenVPN client, and I get an error "Missing external certificate".
I tried manually installing the CA. I tried manually installing the linked cert for my test VPN account into "Personal" cert store. I don't even have an option in the client to pick a cert. When I try, there are no available choices.
I also tried setting up the OpenVPN server using the wizard. Same result. I'm obviously not understanding how VPNs are supposed to work on this firewall...or something.
If someone could tell me what I'm doing wrong I would really appreciate it.
Screenshots from server config, error log from client and server please
Apologies for the links but the attachment limit here is preventing me from uploading everything
https://ibb.co/6WbnFTb
https://ibb.co/wYNB58P
https://ibb.co/nQzWQxB
https://ibb.co/cxcLvJz
https://ibb.co/2Y16txt
https://ibb.co/w09jFdM
OpenVPN client logs below:
Tue Oct 15 17:40:03 2019 Tue Oct 15 17:40:03 2019 OpenVPN Management Interface 1.0.0/3.2 (qa:d87f5bbc04) win x86_64 64-bit [MbedTLS] built on Feb 26 2019 07:53:13
Tue Oct 15 17:40:03 2019 Tue Oct 15 17:40:03 2019 OMI Connecting to [127.0.0.1]:47331 [tcp]
Tue Oct 15 17:40:08 2019 Tue Oct 15 17:40:08 2019 OpenVPN core 3.2 (qa:d87f5bbc04) win x86_64 64-bit built on Feb 26 2019 07:53:13
Tue Oct 15 17:40:08 2019 Tue Oct 15 17:40:08 2019 CLIENT_EXCEPTION : connect error: Missing External PKI alias [FATAL-ERR]
Tue Oct 15 17:40:08 2019 Tue Oct 15 17:40:08 2019 >FATAL:CLIENT_EXCEPTION: connect error: Missing External PKI alias
Tue Oct 15 17:40:21 2019 Tue Oct 15 17:40:21 2019 OpenVPN Management Interface 1.0.0/3.2 (qa:d87f5bbc04) win x86_64 64-bit [MbedTLS] built on Feb 26 2019 07:53:13
Tue Oct 15 17:40:21 2019 Tue Oct 15 17:40:21 2019 OMI Connecting to [127.0.0.1]:45297 [tcp]
Tue Oct 15 17:40:25 2019 Tue Oct 15 17:40:25 2019 OpenVPN core 3.2 (qa:d87f5bbc04) win x86_64 64-bit built on Feb 26 2019 07:53:13
Tue Oct 15 17:40:25 2019 Tue Oct 15 17:40:25 2019 CLIENT_EXCEPTION : connect error: Missing External PKI alias [FATAL-ERR]
Tue Oct 15 17:40:25 2019 Tue Oct 15 17:40:25 2019 >FATAL:CLIENT_EXCEPTION: connect error: Missing External PKI alias
Tue Oct 15 17:40:48 2019 Tue Oct 15 17:40:48 2019 OpenVPN Management Interface 1.0.0/3.2 (qa:d87f5bbc04) win x86_64 64-bit [MbedTLS] built on Feb 26 2019 07:53:13
Tue Oct 15 17:40:48 2019 Tue Oct 15 17:40:48 2019 OMI Connecting to [127.0.0.1]:40022 [tcp]
Tue Oct 15 17:41:10 2019 Tue Oct 15 17:41:10 2019 OpenVPN core 3.2 (qa:d87f5bbc04) win x86_64 64-bit built on Feb 26 2019 07:53:13
Tue Oct 15 17:41:10 2019 Tue Oct 15 17:41:10 2019 CLIENT_EXCEPTION : connect error: Missing External PKI alias [FATAL-ERR]
Tue Oct 15 17:41:10 2019 Tue Oct 15 17:41:10 2019 >FATAL:CLIENT_EXCEPTION: connect error: Missing External PKI alias
Tue Oct 15 17:42:05 2019 Tue Oct 15 17:42:05 2019 OpenVPN Management Interface 1.0.0/3.2 (qa:d87f5bbc04) win x86_64 64-bit [MbedTLS] built on Feb 26 2019 07:53:13
Tue Oct 15 17:42:05 2019 Tue Oct 15 17:42:05 2019 OMI Connecting to [127.0.0.1]:55065 [tcp]
Tue Oct 15 17:42:09 2019 Tue Oct 15 17:42:09 2019 OpenVPN core 3.2 (qa:d87f5bbc04) win x86_64 64-bit built on Feb 26 2019 07:53:13
Tue Oct 15 17:42:09 2019 Tue Oct 15 17:42:09 2019 CLIENT_EXCEPTION : connect error: Missing External PKI alias [FATAL-ERR]
Tue Oct 15 17:42:09 2019 Tue Oct 15 17:42:09 2019 >FATAL:CLIENT_EXCEPTION: connect error: Missing External PKI alias
Tue Oct 15 17:43:37 2019 Tue Oct 15 17:43:37 2019 OpenVPN Management Interface 1.0.0/3.2 (qa:d87f5bbc04) win x86_64 64-bit [MbedTLS] built on Feb 26 2019 07:53:13
Tue Oct 15 17:43:37 2019 Tue Oct 15 17:43:37 2019 OMI Connecting to [127.0.0.1]:34135 [tcp]
Tue Oct 15 17:43:45 2019 Tue Oct 15 17:43:45 2019 OpenVPN core 3.2 (qa:d87f5bbc04) win x86_64 64-bit built on Feb 26 2019 07:53:13
Tue Oct 15 17:43:45 2019 Tue Oct 15 17:43:45 2019 CLIENT_EXCEPTION : connect error: Missing External PKI alias [FATAL-ERR]
Tue Oct 15 17:43:45 2019 Tue Oct 15 17:43:45 2019 >FATAL:CLIENT_EXCEPTION: connect error: Missing External PKI alias
Tue Oct 15 17:44:34 2019 Tue Oct 15 17:44:34 2019 OpenVPN Management Interface 1.0.0/3.2 (qa:d87f5bbc04) win x86_64 64-bit [MbedTLS] built on Feb 26 2019 07:53:13
Tue Oct 15 17:44:34 2019 Tue Oct 15 17:44:34 2019 OMI Connecting to [127.0.0.1]:45891 [tcp]
So I tried viscosity, and it worked...well it connected at least. Can't seem to pass any traffic with it though. I've tried pinging out to the internet while connected and I've tried pinging some LAN subnets, no go. Also, don't see anything in the live traffic logs when I try to ping out or in.
OpenVPN client just doesn't want to work for me at all. Still getting that "Missing External PKI alias" message. Only thing I can really think of is 1. bug with client or 2. I'm being stupid and installing the certs in the wrong locations, but I get the same message just from importing the single file.
Viscosity connects at least, but that's about all it does.
Update again: So I got it working...mostly. The VPN connects with Viscosity and I can reach my various subnets and my file servers. I did this by selecting the Redirect Gateway option in the server configuration and that seemed to do the trick. There's just one small snafu:
I have 2 file servers that replicate with each other. One is 10.5.7.35 and the other is 10.5.7.36. "In front" of these 2 servers is a DFS server at 10.5.7.172. So DFS works great internally, and it worked great on other VPN implementations I had before, but for whatever reason I can't use it with this. The event log shows the user account audit failure, but then it shows success for the same account...however it doesn't ever seem to get past the DFS server and to the file servers.
I tried adding a host entry on the client laptop because I felt like that fixed an issue I was having once on my local LAN with this, but that doesn't seem to work. It seems like the VPN completely ignores the host entry. The DNS server on the adapter itself is set to 127.0.0.1. I tried messing with the DNS settings in the viscosity client and on the server configuration but I can't seem to get it to read from the host file. Not saying that would actually fix the problem, but it's just another odd thing.
Delete your profile in the openvpn client and then edit the .ovpn file you exported from the server and add the following line before <ca>
client-cert-not-required
Now create a new profile using the .ovpn file and try to connect
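As an added example (not code from this thread or from OPNsense), here is a small linter for an exported .ovpn profile: it lists which certificate material the file carries inline or by reference, reports a profile that ships no client cert/key at all (the condition under which an OpenVPN 3 client goes looking for an "External PKI alias" outside the profile), and flags `client-cert-not-required` so whoever edits a profile knows it disables verification rather than adding a certificate. The sample profile, hostname and key blobs are constructed placeholders.

```python
# Added example (not code from the thread or from OPNsense): lint an exported .ovpn
# profile for the certificate material it carries and for auth-weakening directives.
import re

INLINE_BLOCK = re.compile(r"<([a-z-]+)>.*?</\1>", re.S)
CERT_DIRECTIVES = {"ca", "cert", "key", "pkcs12", "tls-auth", "tls-crypt"}

def parse_profile(text):
    inline = set(INLINE_BLOCK.findall(text))
    directives = {}
    # Strip inline PEM blobs first so their lines are not read as directives.
    for raw in INLINE_BLOCK.sub("", text).splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return inline, directives

def lint_profile(text):
    """Return a list of findings to review before handing the profile to a user."""
    inline, directives = parse_profile(text)
    present = inline | (set(directives) & CERT_DIRECTIVES)
    has_client_cert = {"cert", "key"} <= present or "pkcs12" in present
    findings = []
    if "ca" not in present:
        findings.append("no CA: client cannot verify the server certificate")
    if not has_client_cert:
        findings.append("no client cert/key: OpenVPN 3 clients look for a certificate "
                        "outside the profile (the 'External PKI alias')")
    if "client-cert-not-required" in directives:
        findings.append("client-cert-not-required: deprecated server-side directive that "
                        "disables client certificate verification; adds no certificate")
    if "remote-cert-tls" not in directives:
        findings.append("no 'remote-cert-tls server': server certificate EKU not enforced")
    return findings

# Constructed sample: a password-only export with CA and tls-auth but no client cert.
SAMPLE_PROFILE = """\
client
remote vpn.example.invalid 1194 udp
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<tls-auth>
(constructed placeholder, not a real key)
</tls-auth>
"""
```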
Thanks. I'll try that if I ever have to use that client for some reason. For now, I got Viscosity working.