OPNsense Forum

English Forums => General Discussion => Topic started by: vividou on January 18, 2018, 07:07:05 pm

Title: [SOLVED] OpenVPN not connecting from WAN
Post by: vividou on January 18, 2018, 07:07:05 pm
Hello Everyone,

I am using OPNsense 17.7.11 and would like to set up a VPN.

Based on these 2 tutorials:
https://www.kirkg.us/posts/building-an-openvpn-server-with-opnsense/
https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

I have configured OpenVPN, resulting in the following setup:

Server:
Server Mode:                Remote Access (SSL/TLS + User Auth)
Backend for authentication: Local Database
Protocol:                   UDP
Device Mode:                tun
Interface:                  WAN
Local port:                 1194
TLS Authentication:         enable
DH Parameters Length:       2048
Encryption algorithm:       AES-256-CBC (256 bit key, 128 bit block)
Auth Digest Algorithm:      SHA512 (512-bit)
Hardware Crypto:            No Hardware Crypto Acceleration
Certificate Depth:          One (Client+Server)
IPv4 Tunnel Network:        10.0.8.0/24
Redirect Gateway:           selected
Concurrent connections:     10
Compression:                Enabled with Adaptive Compression
Disable IPv6:               selected
dynamic IP:                 selected
Address Pool:               selected
Topology:                   selected

I do not need to access the LAN with the VPN so I did not set the IPv4 Remote Network setting.

Client export:
Host Name Resolution:       Interface IP Address
Verify Server CN:           Automatic - Use verify-x509-name
Use Random Local Port:      selected


And the firewall rules created by the wizard:
Interface  Action  Proto     Source  Port  Destination  Port            Gateway
WAN        pass    IPv4 UDP  *       *     WAN address  1194 (OpenVPN)  *
OPENVPN    pass    IPv4      *       *     *            *               *

No other rules are set on these interfaces.

With this setup, my client can connect to the OpenVPN server without any problem from the LAN side.

However, from the WAN side (on a private IP) the connection is not possible using the same client/user.

The client output gets stuck here:
Thu Jan 18 18:30:40 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.185:1194
Thu Jan 18 18:30:40 2018 UDP link local (bound): [AF_INET][undef]:0
Thu Jan 18 18:30:40 2018 UDP link remote: [AF_INET]192.168.0.185:1194


and the following messages appear in my OPNsense log:
TLS Error: TLS handshake failed
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)



The port 1194 on the WAN side is correctly opened, which is confirmed using nmap:
PORT     STATE         SERVICE
1194/udp open|filtered openvpn


Watching the connection with Wireshark shows the packets flagged as [Malformed Packet]. No idea whether that is a/the problem or not.

Does anyone have a clue how to solve this problem?

Thanks!
Title: Re: OpenVPN not connecting from WAN
Post by: elektroinside on January 18, 2018, 07:27:56 pm
I think you've missed something while creating the CA/user certs.
My suggestion is to delete all vpn users, certificates and CAs created during the OpenVPN tutorial and recreate/reassign them.

I too missed something (don't remember any more what exactly), but instead of debugging, simply recreate them (much faster), paying attention to the 'trust' part of this tutorial: https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

Title: Re: OpenVPN not connecting from WAN
Post by: vividou on January 18, 2018, 07:32:15 pm
Thanks for your help. It is not mentioned in the text, but I have tried several times to set up the VPN, including (re)creating the CA and certificates. If the connection is possible from the LAN side, I suppose the CA and certificates are correct, otherwise the client could not connect?
Title: Re: OpenVPN not connecting from WAN
Post by: elektroinside on January 18, 2018, 07:46:22 pm
So you are sure that you have created the CA, then you have created a server certificate for the CA, then you have created the VPN user, then you have created the client certificate for the user, both signed by the same CA you have created, and all assignments are in place... right?

I still believe you should retry, it's easy to miss something. Personally, I got it right the third time, and I had the same errors as you :)
Title: Re: OpenVPN not connecting from WAN
Post by: elektroinside on January 18, 2018, 08:18:18 pm
I think I got it. Just noticed that your server mode is SSL/TLS + User Auth.
In this mode, in the VPN client, you also need to add the CA's cert, user cert and user key.

Did you do that? The client export should do this automatically... but just in case, you should verify this.
Title: Re: OpenVPN not connecting from WAN
Post by: vividou on January 18, 2018, 09:12:13 pm
I have recreated the CA after removing the old one.
I have created 2 certificates: 1 server, 1 client, using the certificate authority I created just before. Then I reassigned the client certificate to the user and the CA and server certificate to the OpenVPN server.
The end result is the same: LAN connection OK, WAN not OK.

I also played with the Server Mode, and in the 3 cases (SSL/TLS, Auth, SSL/TLS+Auth) the LAN connection was OK, WAN not OK.

In SSL/TLS+Auth mode, the CA is not present. Even though I added it to the exported files and added the line "ca name of my ca file" to the ovpn file, nothing changed in the result.
Title: Re: OpenVPN not connecting from WAN
Post by: elektroinside on January 18, 2018, 09:54:25 pm
I got another idea why this might be failing.
There is an option to add alternative names to the certificates (IP(s) and DNS name(s), among others). I would fill those in with the DNS name of your OPNsense box from both the LAN side and the WAN side, for the server certificate, and also the IP if it's static on both sides. You have to recreate the certificate of course (and export/import the ovpn or other profile as well, in the client). verify-x509-name might fail to validate if you don't get this right (if you set the client export to verify the CN).

It would also be useful to know what client you are using.
Title: Re: OpenVPN not connecting from WAN
Post by: elektroinside on January 19, 2018, 07:35:36 am
Also, this is how your ovpn file should look.
It's edited; it is a general config, but it works.

Code:
persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
tls-client
client
reneg-sec 0
remote <addr_edited>
lport 0
verify-x509-name "OpenVPN Server Certificate" name
auth-user-pass
remote-cert-tls server
comp-lzo adaptive

<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>

<tls-auth>
#
# OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1

Title: Re: OpenVPN not connecting from WAN
Post by: vividou on January 19, 2018, 08:01:04 pm
I am using OpenVPN 2.4.4 x86_64-pc-linux-gnu as the client.

When exporting the client, I choose either Archive or Others, both of which work on the LAN side.

The Others export gives the following client configuration:

Code:
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote 192.168.0.185 1194 udp
lport 0
verify-x509-name "openvpn-server-certificate" name
auth-user-pass
remote-cert-tls server
comp-lzo adaptive

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1

Where can I see the server.conf file, the one used to configure the OpenVPN server on the OPNsense drive? So far I only see a file with plenty of functions but nothing stating the explicit directives to configure the server.
Title: Re: OpenVPN not connecting from WAN
Post by: networkguy on January 19, 2018, 10:50:18 pm
I think there is a field in the client export where you select which interface you expect your client to come in on. Looks like you may have selected your LAN interface instead of your WAN interface in the client export. Also make sure you have a firewall rule to allow your inbound OpenVPN port on your WAN interface.
Title: Re: OpenVPN not connecting from WAN
Post by: vividou on January 19, 2018, 11:29:18 pm
Do you mean the Host Name Resolution field?

Trying the different possibilities only changes the remote directive. The one I mentioned in my client configuration file is my WAN address for this setup.
Title: Re: OpenVPN not connecting from WAN
Post by: networkguy on January 19, 2018, 11:39:14 pm
Your remote IP in your OpenVPN config is in private IP space, if I am reading that correctly. Are you behind another firewall that is doing NAT translation? You may have to port forward 1194 to your OPNsense firewall. I know some ISPs give a cable modem with a router built in.
Title: Re: OpenVPN not connecting from WAN
Post by: elektroinside on January 20, 2018, 12:56:02 am
He's probably in a double-NATted environment, but I don't think the connection is the issue here. It looks like the VPN clients connect to the second router's WAN from the first router's private IP pool, which is fine. His TLS handshake fails, so he managed to connect to the VPN server.

@vividou: did you verify/try the stuff from reply #6?

If it's still failing (modify then revert each one, one by one, then both):
1. If you put the server into Remote Access (User auth) mode, is it working?
2. If you export the client not to verify the server CN, is it working?
Title: Re: OpenVPN not connecting from WAN
Post by: vividou on January 20, 2018, 04:38:43 pm
My setup is like this:
WAN -- modem/router -- "local WAN" -- opnsense/openvpn -- LAN

What I referred to as WAN in my previous messages corresponds to "local WAN" in this setup.
The modem/router is only configured as a basic DHCP server.

When using the Remote Access (User auth) mode, the result is the same: LAN side connected, WAN side not.
No change if I do not verify the server CN.
Title: Re: OpenVPN not connecting from WAN
Post by: vividou on January 20, 2018, 04:53:50 pm
After recreating the VPN and CA/certificates using the config mentioned in my first post, this is the log I can extract now:

Client:
Code:
Sat Jan 20 16:47:30 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017
Sat Jan 20 16:47:30 2018 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Enter Auth Username:
Enter Auth Password:
Sat Jan 20 16:47:37 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.185:1194
Sat Jan 20 16:47:37 2018 UDP link local (bound): [AF_INET][undef]:0
Sat Jan 20 16:47:37 2018 UDP link remote: [AF_INET]192.168.0.185:1194
Sat Jan 20 16:48:05 2018 event_wait : Interrupted system call (code=4)
Sat Jan 20 16:48:05 2018 SIGINT[hard,] received, process exiting

Server (log level 6):
Code:
Jan 20 16:48:08 openvpn[81406]: 192.168.0.80:44618 UDPv4 WRITE [86] to [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #6 ] [ ] pid=0 DATA len=0
Jan 20 16:47:52 openvpn[81406]: 192.168.0.80:44618 UDPv4 WRITE [94] to [AF_INET]192.168.0.80:44618: P_ACK_V1 kid=0 pid=[ #5 ] [ 0 ]
Jan 20 16:47:52 openvpn[81406]: 192.168.0.80:44618 UDPv4 READ [86] from [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
Jan 20 16:47:52 openvpn[81406]: 192.168.0.80:44618 UDPv4 WRITE [86] to [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
Jan 20 16:47:44 openvpn[81406]: 192.168.0.80:44618 UDPv4 WRITE [98] to [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #3 ] [ 0 ] pid=0 DATA len=0
Jan 20 16:47:44 openvpn[81406]: 192.168.0.80:44618 UDPv4 READ [86] from [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
Jan 20 16:47:40 openvpn[81406]: 192.168.0.80:44618 UDPv4 WRITE [98] to [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #2 ] [ 0 ] pid=0 DATA len=0
Jan 20 16:47:40 openvpn[81406]: 192.168.0.80:44618 UDPv4 READ [86] from [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 UDPv4 WRITE [98] to [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 TLS: Initial packet from [AF_INET]192.168.0.80:44618, sid=3a540cb4 c5d03502
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 UDPv4 READ [86] from [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 Control Channel MTU parms [ L:1622 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 LZO compression initializing
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 Re-using SSL/TLS context
Jan 20 16:47:38 openvpn[81406]: MULTI: multi_create_instance called

The "event_wait : Interrupted system call (code=4)" is a manual [Ctrl+C], as the client gets stuck on the previous line.
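The verb-6 server log above has a recognisable shape: the server READs a P_CONTROL_HARD_RESET_CLIENT_V2, WRITEs a P_CONTROL_HARD_RESET_SERVER_V2 back, and then never READs an acknowledgement, so both sides retransmit their resets until the 60-second TLS negotiation timer fires. The script below is an added example, not part of this thread or of OPNsense: it parses lines in that log format, diffs the server's "Expected Remote" and "Local" options strings (ignoring the fields that legitimately differ between the two ends: keydir must be 0/1 complementary, tls-client/tls-server are the roles), and counts the control-channel packets to separate an options mismatch from a one-way exchange, where the client's packets reach the server but the server's replies are never acknowledged (the return path, not the certificates, is then the first thing to look at). The sample lines are copied from the post; the verdict labels are this example's own naming.

```python
"""Sort an OpenVPN verb-6 server log into one of the handshake failure shapes.

Two checks: do the 'Expected Remote' and 'Local' options strings agree where
they must (cipher, auth, comp-lzo, MTU), and does the control channel ever get
past the HARD_RESET exchange (does the client acknowledge anything we send)?"""
import re
from collections import Counter

# Sample lines copied from the verb-6 server log quoted in the post above
# (a subset of the exchange, in the order the log printed them).
SERVER_LOG = """\
Jan 20 16:48:08 openvpn[81406]: 192.168.0.80:44618 UDPv4 WRITE [86] to [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #6 ] [ ] pid=0 DATA len=0
Jan 20 16:47:52 openvpn[81406]: 192.168.0.80:44618 UDPv4 WRITE [94] to [AF_INET]192.168.0.80:44618: P_ACK_V1 kid=0 pid=[ #5 ] [ 0 ]
Jan 20 16:47:52 openvpn[81406]: 192.168.0.80:44618 UDPv4 READ [86] from [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
Jan 20 16:47:52 openvpn[81406]: 192.168.0.80:44618 UDPv4 WRITE [86] to [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
Jan 20 16:47:44 openvpn[81406]: 192.168.0.80:44618 UDPv4 WRITE [98] to [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #3 ] [ 0 ] pid=0 DATA len=0
Jan 20 16:47:44 openvpn[81406]: 192.168.0.80:44618 UDPv4 READ [86] from [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
Jan 20 16:47:40 openvpn[81406]: 192.168.0.80:44618 UDPv4 WRITE [98] to [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #2 ] [ 0 ] pid=0 DATA len=0
Jan 20 16:47:40 openvpn[81406]: 192.168.0.80:44618 UDPv4 READ [86] from [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 UDPv4 WRITE [98] to [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 UDPv4 READ [86] from [AF_INET]192.168.0.80:44618: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Jan 20 16:47:38 openvpn[81406]: 192.168.0.80:44618 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
"""

PACKET_RE = re.compile(r"UDPv4 (READ|WRITE) \[\d+\] (?:from|to) \S+: (P_[A-Z0-9_]+)")
OPTIONS_RE = re.compile(r"(Expected Remote|Local) Options String \(VER=V\d\): '([^']*)'")
ROLE_TOKENS = {"tls-client", "tls-server"}  # expected to differ between the two ends

def parse_options(options_string):
    """'V4,dev-type tun,keydir 1,tls-client' -> {'V4': '', 'dev-type': 'tun', ...}"""
    result = {}
    for token in options_string.split(","):
        key, _, value = token.strip().partition(" ")
        result[key] = value
    return result

def compare_options(remote_string, local_string):
    """Return (directive, remote_value, local_value) for every real mismatch.

    keydir must be complementary (0 on one side, 1 on the other); the role
    tokens are skipped; everything else (cipher, auth, comp-lzo, link-mtu,
    ...) must be identical or the handshake will not complete."""
    remote, local = parse_options(remote_string), parse_options(local_string)
    mismatches = []
    for key in sorted(set(remote) | set(local)):
        if key in ROLE_TOKENS:
            continue
        rv, lv = remote.get(key), local.get(key)
        if key == "keydir":
            if {rv, lv} != {"0", "1"}:
                mismatches.append((key, rv, lv))
        elif rv != lv:
            mismatches.append((key, rv, lv))
    return mismatches

def verdict(counts, mismatches):
    """Label the exchange; the labels are this example's own naming."""
    if mismatches:
        return "options-mismatch"
    if counts["client_resets"] and counts["server_resets"] and not counts["client_acks"]:
        # The server hears the client and answers, but nothing from the client
        # ever acknowledges those answers: the server->client direction is not
        # being delivered (or the client is dropping it). Look at the return
        # path (NAT, filtering, asymmetric routing) before the certificates.
        return "one-way"
    if counts["client_resets"] and not counts["server_resets"]:
        return "no-reply"
    if counts["client_acks"]:
        return "progressing"
    return "idle"

def analyse_server_log(lines):
    """Count control-channel packets by direction and diff the options strings."""
    counts, options = Counter(), {}
    for line in lines:
        m = PACKET_RE.search(line)
        if m:
            direction, opcode = m.groups()
            if direction == "READ" and opcode == "P_CONTROL_HARD_RESET_CLIENT_V2":
                counts["client_resets"] += 1
            elif direction == "WRITE" and opcode == "P_CONTROL_HARD_RESET_SERVER_V2":
                counts["server_resets"] += 1
            elif direction == "READ" and opcode in ("P_ACK_V1", "P_CONTROL_V1"):
                counts["client_acks"] += 1  # the client saw our reply and moved on
            continue
        m = OPTIONS_RE.search(line)
        if m:
            options[m.group(1)] = m.group(2)
    mismatches = []
    if "Expected Remote" in options and "Local" in options:
        mismatches = compare_options(options["Expected Remote"], options["Local"])
    return {"client_resets": counts["client_resets"],
            "server_resets": counts["server_resets"],
            "client_acks": counts["client_acks"],
            "options_mismatches": mismatches,
            "verdict": verdict(counts, mismatches)}

if __name__ == "__main__":
    for key, value in analyse_server_log(SERVER_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Run against the quoted lines it reports four client resets, five server resets, no acknowledgement from the client and no options mismatch, i.e. the "one-way" shape; a wrong cipher or a tls-auth key with the same direction on both ends would instead show up in the options diff.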
Title: Re: OpenVPN not connecting from WAN
Post by: elektroinside on January 21, 2018, 07:55:12 am
This is no longer the original issue (TLS handshake failure), right?
That new error might suggest that something is killing your client somehow.

Are both LAN IP pools 192.168.0.0/24?
Title: Re: OpenVPN not connecting from WAN
Post by: vividou on January 21, 2018, 11:21:09 am
No, they use different subnet addresses. Moreover, I do not want my OpenVPN client to access the LAN, only to connect to the VPN server and browse the web from there.

What could kill my client?
Title: Re: OpenVPN not connecting from WAN
Post by: vividou on January 21, 2018, 03:48:01 pm
I have finally located the OpenVPN server.conf file in /var/etc/openvpn/ on FreeBSD.

Here is its content:
Code:
dev ovpns1
verb 6
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 192.168.0.185
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/1
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' 'false' 'server1'" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'openvpn-server-certificate' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 10
push "redirect-gateway def1"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /usr/local/etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
persist-remote-ip
float
topology subnet
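With both the exported client profile and the generated server.conf now visible in the thread, the pairs that have to agree can be checked statically instead of by re-reading two logs. The script below is an added example, not part of this thread or of OPNsense: it parses OpenVPN-style configs (directive lines, quoted arguments, inline `<ca>`/`<tls-auth>` blocks) and checks cipher, auth and comp-lzo for equality, `remote` against the server's `local`/`lport`/`proto`, the tls-auth key direction for 0/1 complementarity, the tls-client/tls-server roles, and that the client carries a CA to verify the server with. The embedded configs are abbreviated copies of the two quoted in the thread with the PEM bodies replaced by placeholders; the problem strings are this example's own wording. Mismatches in any of these pairs surface on the client only as the generic "TLS handshake failed" / "TLS key negotiation failed to occur within 60 seconds".

```python
"""Cross-check an exported OpenVPN client profile against its server.conf."""
import shlex

# Abbreviated copies of the 'Others' client export and of
# /var/etc/openvpn/server1.conf quoted in this thread; PEM bodies replaced.
CLIENT_OVPN = """\
dev tun
cipher AES-256-CBC
auth SHA512
tls-client
client
remote 192.168.0.185 1194 udp
verify-x509-name "openvpn-server-certificate" name
auth-user-pass
remote-cert-tls server
comp-lzo adaptive
<ca>
(placeholder for the CA certificate PEM)
</ca>
<tls-auth>
(placeholder for the OpenVPN static key)
</tls-auth>
key-direction 1
"""

SERVER_CONF = """\
dev-type tun
proto udp
cipher AES-256-CBC
auth SHA512
local 192.168.0.185
tls-server
server 10.0.8.0 255.255.255.0
lport 1194
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'openvpn-server-certificate' 1"
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
topology subnet
"""

def parse_config(text):
    """Return ({directive: [args, ...]}, {inline block names}).

    Inline <tag>...</tag> bodies are skipped but their names recorded; '#'/';'
    comments are dropped; arguments are split shlex-style so a quoted script
    command line (as in tls-verify above) stays one argument."""
    directives, blocks, inside = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if inside:
            if line == f"</{inside}>":
                inside = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inside = line[1:-1]
            blocks.add(inside)
            continue
        name, *args = shlex.split(line)
        directives.setdefault(name, []).append(args)
    return directives, blocks

def first(directives, name, default=None):
    """Arguments of the first occurrence of a directive, or default."""
    return directives[name][0] if name in directives else default

def fmt(args):
    return " ".join(args) if args else "(absent)"

def key_direction(directives):
    """'key-direction N', else the N of 'tls-auth file N', else None (bidirectional)."""
    kd = first(directives, "key-direction")
    if kd:
        return kd[0]
    ta = first(directives, "tls-auth")
    return ta[1] if ta and len(ta) > 1 else None

def check_pair(client_text, server_text):
    """Return human-readable disagreements; an empty list means the pair is consistent."""
    c, c_blocks = parse_config(client_text)
    s, _ = parse_config(server_text)
    problems = []
    # Channel parameters must be identical on both ends.
    for name in ("cipher", "auth", "comp-lzo"):
        if first(c, name) != first(s, name):
            problems.append(f"{name}: client {fmt(first(c, name))} vs server {fmt(first(s, name))}")
    # 'remote host [port] [proto]' must point at where the server listens.
    remote = first(c, "remote", [])
    host = remote[0] if remote else None
    port = remote[1] if len(remote) > 1 else "1194"
    proto = remote[2] if len(remote) > 2 else "udp"
    local = first(s, "local")
    sport = first(s, "lport", first(s, "port", ["1194"]))[0]
    sproto = first(s, "proto", ["udp"])[0]
    if local and host != local[0]:
        problems.append(f"remote: client targets {host}, server binds {local[0]}")
    if port != sport:
        problems.append(f"port: client {port} vs server {sport}")
    if proto != sproto:
        problems.append(f"proto: client {proto} vs server {sproto}")
    # tls-auth: static key on both ends, with complementary directions.
    if "tls-auth" in s and not ("tls-auth" in c_blocks or "tls-auth" in c):
        problems.append("tls-auth: server requires a static key, client has none")
    elif {key_direction(c), key_direction(s)} != {"0", "1"}:
        problems.append(f"key-direction: client {key_direction(c)} vs server {key_direction(s)}, must be 0/1")
    if "tls-client" not in c or "tls-server" not in s:
        problems.append("role: client needs tls-client, server needs tls-server")
    if "ca" not in c_blocks and "ca" not in c:
        problems.append("ca: client has no CA certificate to verify the server with")
    return problems

if __name__ == "__main__":
    for line in check_pair(CLIENT_OVPN, SERVER_CONF) or ["client and server configs agree"]:
        print(line)
```

For the two configs quoted in the thread the check comes back clean, which is consistent with the connection working from the LAN side; the same tool immediately flags an export that was regenerated with a different cipher or with the wrong key-direction.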
Title: [SOLVED] OpenVPN not connecting from WAN
Post by: vividou on March 01, 2018, 07:39:57 pm
After several attempts to configure and create certificates, and in the meantime an update to 18.1.2, OpenVPN is now working.

I have noticed that the OpenVPN client on Linux does not like it when the SSL certificate for the same VPN changes. Once the certificate changes, all following connections will produce the TLS error until the client is rebooted.
Title: Re: [SOLVED] OpenVPN not connecting from WAN
Post by: elektroinside on March 02, 2018, 07:30:07 am
Nice, thank you for your feedback!