Setup SSL VPN Road Warrior - Problems

Started by Heathy65, October 30, 2017, 07:52:56 AM

I've confirmed that the TLS static key is the same on both sides.

I do see this error in the iOS/client OpenVPN side.

2017-10-30 15:58:37 Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Processing of the Certificate handshake message failed
2017-10-30 15:58:37 Client terminated, restarting in 2000 ms...

I think this is either a problem with the format of your cert on OPNsense or just your iPad client being picky.

Any chance you can try a different client on iPad?



Quote from: xinnan on October 30, 2017, 05:40:13 PM
I think this is either a problem with the format of your cert on OPNsense or just your iPad client being picky.

Any chance you can try a different client on iPad?
I tried Viscosity on my Mac and got this (IP addresses changed):

2017-10-30 19:05:49: State changed to Connecting
2017-10-30 19:05:49: TCP/UDP: Preserving recently used remote address: [AF_INET]11.22.33.44:1194
2017-10-30 19:05:49: UDP link local (bound): [AF_INET][undef]:0
2017-10-30 19:05:49: UDP link remote: [AF_INET]11.22.33.44:1194
2017-10-30 19:05:49: State changed to Authenticating
2017-10-30 19:05:49: VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=GB, ST=State, L=City, O=Org, emailAddress=noreply@blah.co.uk, CN=SSLVPN Server Certificate
2017-10-30 19:05:49: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2017-10-30 19:05:49: TLS_ERROR: BIO read tls_read_plaintext error
2017-10-30 19:05:49: TLS Error: TLS object -> incoming plaintext read error
2017-10-30 19:05:49: TLS Error: TLS handshake failed
2017-10-30 19:05:49: SIGUSR1[soft,tls-error] received, process restarting
2017-10-30 19:05:49: Viscosity Mac 1.7.5 (1420)
2017-10-30 19:05:49: Viscosity OpenVPN Engine Started
2017-10-30 19:05:49: Running on macOS 10.12.6

Yep - Cert errors.

Be sure to create a proper CA.  I name mine VPN CA to avoid confusion.
Then use that CA to create a SERVER cert.  Not a user cert.  I call mine something like VpnServerCert (to avoid confusion).

Make sure you fill in all the fields required for the certs.  Make crap up if you need to - I do.

Then go back to your VPN server and make sure it's using your new server cert and shiny new CA.

Then export it, and try again.

Quote from: xinnan on October 30, 2017, 08:19:21 PM
Yep - Cert errors.

Be sure to create a proper CA.  I name mine VPN CA to avoid confusion.
Then use that CA to create a SERVER cert.  Not a user cert.  I call mine something like VpnServerCert (to avoid confusion).

Make sure you fill in all the fields required for the certs.  Make crap up if you need to - I do.

Then go back to your VPN server and make sure it's using your new server cert and shiny new CA.

Then export it, and try again.

Thanks for the advice.  I've checked my homework and this is what I have.

System:Trust:Authorities called SSL VPN CA
System:Trust:Certificates called SSLVPN (Issuer: SSL VPN CA)
System:Trust:Certificates called vpn-user1 (Issuer: SSL VPN CA)

VPN Server Config

Peer Certificate Authority: SSL VPN CA
Server Certificate: SSLVPN Server Certificate (SSL VPN CA)

System:Access:Users
vpn-user1 using vpn-user1 User Certificate (CA = SSL VPN CA)



Is that a new or old cert?  Are these new ones that you just created?


Quote from: xinnan on October 30, 2017, 09:29:22 PM
Is that a new or old cert?  Are these new ones that you just created?

Old, although I have previously deleted everything and tried again, so I guess I'm doing something stupid every time :)

I will give it another go anyway.

Be careful at the point where you are making the cert and the CA.  There is a box that says "Type".  Be sure to select Server.
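
The "unsupported certificate purpose" line in the Viscosity log is the client refusing a server cert that lacks the server Extended Key Usage, which is exactly what a cert created with Type = User looks like. The script below is an added example, not from this thread or from OPNsense: it builds a throwaway CA and two leaf certs (constructed data, names mirroring the thread), then runs the same purpose check with the openssl CLI so you can see which cert type passes. The OpenVPN option `remote-cert-tls server`, which triggers this check on the client, is assumed and not mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "unsupported certificate
# purpose" check with only the openssl CLI. A throwaway CA and two leaf certs
# are generated in a temp dir (constructed data); one leaf carries the server
# EKU, the other only the client EKU, which is what a Type = User cert gets.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA; the name mirrors the thread's "SSL VPN CA".
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=SSL VPN CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_leaf NAME EKU: sign a leaf cert under the CA with the given
# extendedKeyUsage (serverAuth or clientAuth).
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' \
    "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# server_purpose_ok CERT: exit 0 when the cert chains to the CA and is usable
# as a TLS server. This closely mirrors what an OpenVPN client configured with
# remote-cert-tls server checks, and fails with "unsupported certificate purpose".
server_purpose_ok() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver "$1" >/dev/null 2>&1
}

# show_eku CERT: print the Extended Key Usage line so the cert type is visible.
show_eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage'
}

issue_leaf vpnserver serverAuth   # what Type = Server produces
issue_leaf vpnuser clientAuth     # what Type = User produces

for name in vpnserver vpnuser; do
  show_eku "$WORK/$name.crt"
  if server_purpose_ok "$WORK/$name.crt"; then
    echo "$name: accepted as a server certificate"
  else
    echo "$name: rejected (unsupported certificate purpose)"
  fi
done
```

Point `show_eku` and `server_purpose_ok` at a cert exported from System:Trust:Certificates (with the matching CA in place of `$WORK/ca.crt`) to see which type it was really created with.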

Quote from: xinnan on October 30, 2017, 10:19:56 PM
Be careful at the point where you are making the cert and the CA.  There is a box that says "Type".  Be sure to select Server.

Good news, tried again as you suggested and made sure I selected Type = Server in the Cert creation and I'm now getting authorisation/password issues which is good since I'm progressing.  (Although I'm sure I've selected server in the past and it still didn't work, but hey-ho, I could be wrong/blind!).

Since I'm using MFA including TOTP, do I enter the password plus the authenticator code when I log in?

Thanks again.

If I were you, I would use SSL/TLS authentication and no username / password.  Those settings are in the server setup.

Then I'd export the client again...   I hate typing passwords.