I've recently made the jump from pfSense to OPNsense and am very impressed, so much so that I've set up a blade in our cabinet and would like to explore using this as a permanent firewall in our environment.
I am trying to set up a remote access VPN (OpenVPN) so that I can connect to the LAN interface connected to the servers in our cabinet. I would like to use both user authentication + TLS authentication.
I have done the following so far:
1) I created a CA
2) I have created a server certificate which uses the CA created above
3) I have configured an OpenVPN server with the following:
- Remote Access (SSL/TLS + User Auth) that uses the local database
- UDP
- TUN
- interface is set to any
- 1194 local port
- TLS Authentication is enabled with encryption
- CA is the CA created in step 1
- Server Certificate set to the cert created in step 2
- Strict user / CN matching is disabled
- IPv4 Tunnel is set to 10.1.101.0/24 (this is the network from which I wish my VPN clients to be assigned an IP address when connected)
- IPv4 Local Network is set to a /24 which I want to access (these would be the server IP range)
- Dynamic IP
- Address Pool is enabled
- DNS is set to 8.8.8.8
- All other settings are default
5) I created a firewall rule on the WAN input to allow traffic to all (I will change this once I get the VPN working, I just wanted to ensure issues are not related to the firewall itself)
6) I created a user under Access > Users
- User is part of admins
- I created a user certificate that uses the CA created in step 1, certificate type is a Client Certificate
7) I then did a client export under VPN > OpenVPN with my
- hostname being the WAN IP and port 1194
- I disabled validate server subject
- All other settings are default
My config looks like this (with just the remote and pkcs12 filename changed):
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
client
resolv-retry infinite
remote MYWANIP 1194 udp
lport 0
auth-user-pass
pkcs12 changed.p12
I then tried the following two OpenVPN clients:
OpenVPN Connect (version 3)
This was quite a tricky one to try and figure out and I still don't know if I got it right
1) I imported the config, which told me that it could not assign a certificate and key - After some troubleshooting I managed to import it via the command line - I took the "changed.p12" file that came with the bundle and imported it with the flag --import-certificate=<path-to-certificate>
2) When I however try to connect, I immediately get the following error: "ssl_context_error: OpenSSLContext: CA not defined"
I cannot imagine that the OPNsense export would not include the certificate authority as part of the p12 file, so I imagine this to be a bug?
OpenVPN GUI (version 2.5)
Having had no success with OpenVPN Connect in the past and normally getting better data from the OpenVPN GUI console, I opted to install the GUI and stored my config files (ovpn and p12 file) in the config folder for OpenVPN, which allows me to connect to it.
Trying to connect:
1) I am prompted for my credentials and then get the following recurring messages:
Sat Jul 30 11:19:42 2022 UDP link remote: [AF_INET]GATEWAYIP:1194
Sat Jul 30 11:19:42 2022 VERIFY ERROR: depth=0, error=self signed certificate: CN=OPNsense.localdomain, C=NL, ST=Zuid-Holland, L=Middelharnis, O=OPNsense self-signed web certificate, serial=195040175418146406786703695850969686114336621681
Sat Jul 30 11:19:42 2022 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Sat Jul 30 11:19:42 2022 TLS_ERROR: BIO read tls_read_plaintext error
Sat Jul 30 11:19:42 2022 TLS Error: TLS object -> incoming plaintext read error
Sat Jul 30 11:19:42 2022 TLS Error: TLS handshake failed
Sat Jul 30 11:19:42 2022 SIGUSR1[soft,tls-error] received, process restarting
Sat Jul 30 11:21:02 2022 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
And this is where I am. I don't know what I am missing, as I am sure I followed the instructions correctly, but I cannot get this working. Any ideas?
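The two errors above ("CA not defined" from OpenVPN Connect, and the depth=0 "self signed certificate" VERIFY ERROR naming the OPNsense web GUI certificate from OpenVPN GUI) can be checked on the client side with nothing but the openssl CLI. The script below is an added example, not code from the original post or from OPNsense: it builds a throw-away CA, a CA-signed server certificate carrying the serverAuth EKU that "remote-cert-tls server" checks, a self-signed certificate modelled on the web GUI certificate in the log, and two client PKCS#12 bundles (one with the CA, one without). The three functions at the end answer the questions a troubleshooter needs: does the exported .p12 actually carry a CA, does the certificate the server presents chain to that CA, and is the server certificate usable as a server certificate at all. All subjects, file names and the export password are constructed for the example; it requires openssl 1.1.1 or 3.x.

```shell
#!/bin/sh
# Added example, not from the original post or from OPNsense. Constructs a CA,
# a CA-signed server certificate, a self-signed "web GUI" certificate and two
# client .p12 bundles, then runs the client-side checks that explain the
# "CA not defined" and "self signed certificate" errors. Requires openssl CLI.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# EC keys keep the example fast; the checks are the same for RSA.
newkey="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Constructed CA (stands in for the CA created in step 1 of the post).
openssl req -x509 $newkey -days 30 -subj "/CN=Example VPN CA" \
  -keyout ca.key -out ca.crt >/dev/null 2>&1

# Constructed server certificate signed by that CA, with EKU serverAuth.
printf 'extendedKeyUsage=serverAuth\n' > server.ext
openssl req $newkey -subj "/CN=vpn.example.test" \
  -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -set_serial 1 \
  -days 30 -extfile server.ext -out server.crt >/dev/null 2>&1

# Constructed self-signed certificate modelled on the web GUI certificate
# named in the poster's VERIFY ERROR line (subject is illustrative).
openssl req -x509 $newkey -days 30 \
  -subj "/CN=OPNsense.localdomain/O=OPNsense self-signed web certificate" \
  -keyout web.key -out web.crt >/dev/null 2>&1

# Constructed client certificate and two PKCS#12 bundles: one exported with
# the CA (-certfile) and one without. "export" is a constructed password.
openssl req $newkey -subj "/CN=vpnuser" \
  -keyout client.key -out client.csr >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -set_serial 2 \
  -days 30 -out client.crt >/dev/null 2>&1
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt \
  -passout pass:export -out with-ca.p12
openssl pkcs12 -export -in client.crt -inkey client.key \
  -passout pass:export -out without-ca.p12

# Number of CA certificates carried inside a .p12 bundle.
# 0 is what a client reports as "CA not defined".
p12_ca_count() {
  openssl pkcs12 -in "$1" -passin pass:export -nokeys -cacerts 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Does the certificate the server presents ($1) chain to the CA ($2)?
# A self-signed certificate that is not the CA itself fails at depth 0,
# which is exactly the VERIFY ERROR in the poster's log. Prints ok/fail.
verify_against_ca() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Does the server certificate carry EKU serverAuth? That is what the client
# option "remote-cert-tls server" (missing from the exported config, hence the
# "No server certificate verification method" warning) checks. Prints yes/no.
has_server_eku() {
  if openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
  then echo yes; else echo no; fi
}

echo "CA certs in with-ca.p12:       $(p12_ca_count with-ca.p12)"
echo "CA certs in without-ca.p12:    $(p12_ca_count without-ca.p12)"
echo "server.crt chains to CA:       $(verify_against_ca server.crt ca.crt)"
echo "web.crt chains to CA:          $(verify_against_ca web.crt ca.crt)"
echo "server.crt has serverAuth EKU: $(has_server_eku server.crt)"
```

Run the same three checks against the real bundle: `openssl pkcs12 -in changed.p12 -nokeys -cacerts` shows whether the export carried the CA, and `openssl s_client` is not needed because the VERIFY ERROR line already prints the subject of the certificate the server presented; if that subject is the web GUI certificate rather than the certificate chosen in step 2, the server is not presenting the CA-signed certificate and no amount of client-side CA importing will make the handshake verify.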
error=self signed certificate
Import your CA on your device?