OPNsense Forum

English Forums => Virtual private networks => Topic started by: J-Psy on April 27, 2022, 02:26:02 PM

Title: OpenVPN Road Warrior won't work without client certificates
Post by: J-Psy on April 27, 2022, 02:26:02 PM
Hello,

I'm struggling with the OpenVPN road warrior configuration. I've been following this how-to: https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

I want to make it work using LDAP accounts with TOTP but no client certificates.

The LDAP users have been imported fine and I configured the OTP Seed on them. When I add client certificates as described in the how to, it works fine. I can connect to the OpenVPN server, and traffic is working as expected.
But as I don't want to use client certificates, I don't create them, and in this case it does not work. Obviously I updated the OpenVPN client with an updated export so that it embeds the right settings.

I tried to add the client-cert-not-required option but still have the same problem.

On the OPNsense FW I have the following logs:

2022-04-27T14:16:25   Error   openvpn   CLIENTIP:51767 TLS Error: TLS handshake failed   
2022-04-27T14:16:25   Error   openvpn   CLIENTIP:51767 TLS Error: TLS object -> incoming plaintext read error   
2022-04-27T14:16:25   Error   openvpn   CLIENTIP:51767 TLS_ERROR: BIO read tls_read_plaintext error   
2022-04-27T14:16:25   Error   openvpn   CLIENTIP:51767 OpenSSL: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate

And on the client side:

[Apr 27, 2022, 14:16:25] Frame=512/2048/512 mssfix-ctrl=1250
[Apr 27, 2022, 14:16:25] UNUSED OPTIONS
1 [persist-tun]
2 [persist-key]
6 [resolv-retry] [infinite]
8 [lport]
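A small checker for the failure mode in this thread, added here as an example and not code from the thread or from OPNsense. It reads OpenVPN server directives (the sample config and log lines are constructed, and the file paths are placeholders), reports whether the server still demands a client certificate, and flags the combination a defender should never ship: no client certificate and no username/password verification. `verify-client-cert none` is the current OpenVPN spelling of the legacy `client-cert-not-required` directive.

```python
# Constructed sample config (an assumption, not the poster's real server settings):
# certificate TLS plus username/password verification, client certs still required.
SAMPLE_CONFIG = """\
proto udp
dev tun
ca /path/to/ca.crt
cert /path/to/server.crt
key /path/to/server.key
auth-user-pass-verify /path/to/auth-script via-env
username-as-common-name
"""

# Constructed log lines modelled on the server-side errors quoted in the post.
SAMPLE_LOGS = [
    "2022-04-27T14:16:25 Error openvpn CLIENTIP:51767 TLS Error: TLS handshake failed",
    "2022-04-27T14:16:25 Error openvpn CLIENTIP:51767 OpenSSL: error:1417C0C7:SSL routines:"
    "tls_process_client_certificate:peer did not return a certificate",
]

def directives(config_text):
    """Yield (name, args) for each non-empty, non-comment directive line."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", ";")):
            name, *args = line.split()
            yield name, args

def client_cert_policy(config_text):
    """Return 'require' (OpenVPN's default), 'optional' or 'none'."""
    policy = "require"
    for name, args in directives(config_text):
        if name == "verify-client-cert" and args:
            policy = args[0]
        elif name == "client-cert-not-required":  # legacy form of verify-client-cert none
            policy = "none"
    return policy

def has_user_auth(config_text):
    """True if a username/password verification hook is configured."""
    return any(name in ("auth-user-pass-verify", "plugin") for name, _ in directives(config_text))

def classify(log_line):
    """Map a server log line to the symptom it shows, or None."""
    if "peer did not return a certificate" in log_line:
        return "client-cert-missing"
    if "TLS handshake failed" in log_line:
        return "tls-handshake-failed"
    return None

def diagnose(config_text, log_lines):
    """Combine the configured policy with log evidence into findings."""
    findings, policy = [], client_cert_policy(config_text)
    if policy == "require" and any(classify(l) == "client-cert-missing" for l in log_lines):
        findings.append("server still requires a client certificate")
    if policy == "none" and not has_user_auth(config_text):
        findings.append("no client certificate and no user auth configured")
    return findings
```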