OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: marc.laederach on December 02, 2016, 12:17:31 pm

Title: [SOLVED] VPN with SSL and LDAP Authentication
Post by: marc.laederach on December 02, 2016, 12:17:31 pm
Good day

I used the following road warrior manual to set up VPN with SSL:
https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

But whereas this manual uses single-user authentication, I would like to use LDAP authentication, which works fine without SSL. But as soon as I switch the authentication mode from "Remote Access (User Auth)" to "Remote Access (SSL/TLS + User Auth)", it stops working, probably because there is no user certificate available.

The log of OpenVPN GUI says the following:
Quote
Fri Dec 02 11:47:42 2016 OpenVPN 2.3.13 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Nov  3 2016
Fri Dec 02 11:47:42 2016 Windows version 6.2 (Windows 8 or greater) 64bit
Fri Dec 02 11:47:42 2016 library versions: OpenSSL 1.0.1u  22 Sep 2016, LZO 2.09
Enter Management Password:
Fri Dec 02 11:47:53 2016 Control Channel Authentication: tls-auth using INLINE static key file
Fri Dec 02 11:47:53 2016 Attempting to establish TCP connection with [AF_INET]<public-IP>:1194 [nonblock]
Fri Dec 02 11:47:54 2016 TCP connection established with [AF_INET]<public-IP>:1194
Fri Dec 02 11:47:54 2016 TCPv4_CLIENT link local (bound): [undef]
Fri Dec 02 11:47:54 2016 TCPv4_CLIENT link remote: [AF_INET]<public-IP>:1194
Fri Dec 02 11:47:54 2016 Connection reset, restarting

Fri Dec 02 11:47:54 2016 SIGUSR1[soft,connection-reset] received, process restarting

Is it even possible to have VPN with SSL and LDAP authentication? Or is there a workaround (e.g. by using RADIUS via AD, as in this manual for pfSense: https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory)?

Thanks in advance for any help and suggestions.


Kind Regards
Marc
Title: Re: VPN with SSL and LDAP Authentication
Post by: marc.laederach on December 07, 2016, 09:30:04 am
Good morning

I figured it out.
There's no need to have user certificates, but you definitely need a client certificate, which was missing here. After I created the client certificate (the lower one in the attached screenshot), I had to export the VPN settings again, and after that it was working.


Have a great day
Marc
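The failure in this thread comes down to what the exported profile contains: a profile exported for "Remote Access (User Auth)" carries `auth-user-pass` and the CA but no client `<cert>`/`<key>`, so a server switched to "SSL/TLS + User Auth" has nothing to verify and drops the handshake. The script below is an added example (not OPNsense's export code and not the poster's), written as a POSIX sh check you can run on an exported `.ovpn` before importing it into OpenVPN GUI. It classifies which server mode the profile can satisfy and, when `openssl` is available, checks that the inline client certificate was actually issued by the inline CA. The directive names are standard OpenVPN ones; the file layout it expects (inline `<ca>`/`<cert>`/`<key>`/`<tls-auth>` blocks or file-based directives, `pkcs12` as an all-in-one bundle) is an assumption about how the profile was exported.

```shell
#!/bin/sh
# Added example, not OPNsense code: sanity-check an exported OpenVPN client
# profile (.ovpn) so a missing client certificate is caught before the
# connection attempt instead of showing up as "Connection reset".
#
# Assumptions (not taken from the forum thread):
#   - inline <ca>/<cert>/<key>/<tls-auth> blocks or file-based directives
#   - a "pkcs12" directive counts as carrying CA, cert and key together

# _ovpn_has FILE REGEX  -> exit 0 if any line of FILE matches REGEX
_ovpn_has() {
    grep -Eq "$2" "$1"
}

# ovpn_profile_mode FILE
# Prints the OPNsense server mode this profile can authenticate against:
#   user-auth           auth-user-pass only, no client cert (this thread's case)
#   ssl-tls             client cert + key, no auth-user-pass
#   ssl-tls+user-auth   client cert + key AND auth-user-pass
# Returns 1 (and prints "unusable: ...") when no mode can work.
ovpn_profile_mode() {
    f=$1
    [ -r "$f" ] || { echo "unusable: cannot read $f"; return 1; }
    ca=0 cert=0 key=0 auth=0 ta=0
    if _ovpn_has "$f" '^[[:space:]]*(ca |<ca>|pkcs12 )'; then ca=1; fi
    if _ovpn_has "$f" '^[[:space:]]*(cert |<cert>|pkcs12 )'; then cert=1; fi
    if _ovpn_has "$f" '^[[:space:]]*(key |<key>|pkcs12 )'; then key=1; fi
    if _ovpn_has "$f" '^[[:space:]]*auth-user-pass'; then auth=1; fi
    if _ovpn_has "$f" '^[[:space:]]*(tls-auth |<tls-auth>|tls-crypt |<tls-crypt>)'; then ta=1; fi

    if [ "$ca" -eq 0 ]; then
        echo "unusable: no CA (ca/<ca>/pkcs12) to verify the server against"
        return 1
    fi
    # Not fatal for classification, but a server with tls-auth enabled
    # silently discards packets that lack the HMAC.
    [ "$ta" -eq 1 ] || echo "warning: no tls-auth/tls-crypt key in profile" >&2

    if [ "$cert" -eq 1 ] && [ "$key" -eq 1 ]; then
        if [ "$auth" -eq 1 ]; then echo "ssl-tls+user-auth"; else echo "ssl-tls"; fi
    elif [ "$auth" -eq 1 ]; then
        echo "user-auth"
    else
        echo "unusable: neither a client cert+key nor auth-user-pass"
        return 1
    fi
}

# ovpn_verify_inline_cert FILE
# Extracts the inline <ca> and <cert> blocks and asks openssl whether the
# client cert was issued by that CA; a cert from another CA is rejected by
# the server just like a missing one. Returns 0 ok, 1 failed, 2 no openssl.
ovpn_verify_inline_cert() {
    f=$1
    command -v openssl >/dev/null 2>&1 || return 2
    d=$(mktemp -d) || return 1
    sed -n '/^<ca>/,/^<\/ca>/p' "$f" | sed '1d;$d' > "$d/ca.pem"
    sed -n '/^<cert>/,/^<\/cert>/p' "$f" | sed '1d;$d' > "$d/client.pem"
    rc=1
    if [ -s "$d/ca.pem" ] && [ -s "$d/client.pem" ] &&
       openssl verify -CAfile "$d/ca.pem" "$d/client.pem" >/dev/null 2>&1; then
        rc=0
    fi
    rm -rf "$d"
    return $rc
}

# Usage: sh check_ovpn.sh client.ovpn [more.ovpn ...]
if [ $# -gt 0 ]; then
    for f in "$@"; do
        printf '%s: ' "$f"
        ovpn_profile_mode "$f" || :
        ovpn_verify_inline_cert "$f" && echo "  inline cert chains to inline CA"
    done
fi
```

Run it against the profile exported before and after creating the client certificate: the first reports `user-auth`, the second `ssl-tls+user-auth`, which is the only result that works once the server is set to "Remote Access (SSL/TLS + User Auth)".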