Issues starting OpenVPN in client Auth mode

Started by Mr2, March 14, 2021, 09:15:23 AM

Hi there,

I am trying to configure the OpenVPN server in client Authentication mode with TLS+Password login.

On both 20.7 and 21.1 the server simply exits with no errors, if I try to start this manually on the command line it also simply exits with no output, even when verbosity is set to 11.

If I select the server mode as "Peer to peer" rather than "Remote access" then it all starts and is happy, although, obviously not the desired mode.

Selecting any of the "Remote access" modes also produces the same result. The backend authentication is always set as "Local Database" in these cases.

Below is a copy of my config if that helps.

Let me know if you'd like a copy of the working config (peer-to-peer) and I can paste that.

(Update: I am trying to run an IPv6-only network, and so had left out the IPv4 tunnel network. Adding this back in added the parameters
server 10.0.0.0 255.255.255.0
server-ipv6 2001:dead:beef:0000::/64

and OpenVPN is now starting. Is this a bug, maybe?)

-- Start config --
dev ovpns1
verb 3
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-256-CBC
auth SHA256
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
local 1.2.3.4
client-disconnect "/usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh server1"
tls-server
username-as-common-name
auth-user-pass-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify user 'Local Database' 'false' 'server1'" via-env
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'clients.mydomain.com' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 100
push "dhcp-option DNS 2001:dead:beef:0100::1010"
push "dhcp-option DNS 2001:dead:beef:0100::1011"
push "dhcp-option NTP 2001:dead:beef:0100::1010"
push "dhcp-option NTP 2001:dead:beef:0100::1011"
push "redirect-gateway def1"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /usr/local/etc/dh-parameters.2048.sample
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo adaptive
persist-remote-ip
float
topology subnet

AFAIK OPNsense adds the v6 server directive only after the v4 one
(https://github.com/opnsense/core/blob/73016fdaf3814a3534385112519b8769e4387ca4/src/etc/inc/plugins.inc.d/openvpn.inc#L682-L689),
but AFAIK this is a requirement of OpenVPN itself. Are there references that OpenVPN began to support a pure IPv6 tunnel?

Ahh, you're right - sort of. It seems this functionality was introduced in OpenVPN 2.5_beta1 (allow usage of --server-ipv6 even when no --server is specified) and was actually requested 9 (!) years ago and fixed in time for the 2.5 release :)

I'm going to go ahead and assume that OPNsense probably doesn't run OpenVPN 2.5 (can't check right now), but hopefully it will be an option in the future.

For anyone interested, this was the link with the request: https://community.openvpn.net/openvpn/ticket/208
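A pre-flight check for the condition worked out in this thread (a server-ipv6 line emitted without an IPv4 server line, which OpenVPN before 2.5 refuses at startup), written as an added example that is not OPNsense or OpenVPN code. The OpenVPN version tuple and the config excerpt are assumptions constructed from the poster's config; the remediation mirrors the v4-then-v6 ordering the linked openvpn.inc uses.

```python
"""Lint an OpenVPN server config for the silent start-up failure in this thread:
on OpenVPN < 2.5, 'server-ipv6' without an IPv4 'server' line makes the daemon exit.
Added example, not OPNsense or OpenVPN code; version tuples and the excerpt are constructed."""
import shlex

# Constructed excerpt of the poster's IPv6-only config, before 'server' was added back.
IPV6_ONLY_CONFIG = """\
dev ovpns1
dev-type tun
proto tcp-server
tls-server
username-as-common-name
auth-user-pass-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify user 'Local Database' 'false' 'server1'" via-env
server-ipv6 2001:dead:beef:0000::/64
push "redirect-gateway def1"
"""

def parse_directives(text):
    """Map each directive to its list of argument lists (directives such as push may repeat)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = shlex.split(line)  # keeps the quoted script arguments OPNsense emits intact
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives

def lint_server_config(text, openvpn_version):
    """Return findings for a server config; an empty list means no known start-up blocker."""
    d = parse_directives(text)
    findings = []
    if "server-ipv6" in d and "server" not in d and openvpn_version < (2, 5):
        findings.append(
            "server-ipv6 without server: OpenVPN %d.%d exits at startup without logging; "
            "add an IPv4 'server' line or upgrade to 2.5+ (OpenVPN ticket 208)"
            % openvpn_version[:2])
    return findings

def with_ipv4_pool(text, ipv4_pool):
    """Insert 'server <ipv4_pool>' before server-ipv6, matching the v4-then-v6 order OPNsense writes."""
    out = []
    for line in text.splitlines():
        if line.split()[:1] == ["server-ipv6"]:
            out.append("server " + ipv4_pool)
        out.append(line)
    return "\n".join(out) + "\n"
```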