OpenVPN Road Warrior won't work without client certificates

Started by J-Psy, April 27, 2022, 02:26:02 PM

Hello,

I'm struggling with the OpenVPN road warrior configuration. I've been following this how-to: https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

I want to make it work using LDAP accounts with TOTP but no client certificates.

The LDAP users have been imported fine and I configured the OTP seed on them. When I add client certificates as described in the how-to, it works fine. I can connect to the OpenVPN server, and traffic is working as expected.
But as I don't want to use client certificates, I don't create them, and in this case it does not work. Obviously I updated the OpenVPN client with an updated export for it to embed the right settings.

I tried to add the client-cert-not-required option but still have the same problem.

On the OPNsense FW I have the following logs:

2022-04-27T14:16:25   Error   openvpn   CLIENTIP:51767 TLS Error: TLS handshake failed
2022-04-27T14:16:25   Error   openvpn   CLIENTIP:51767 TLS Error: TLS object -> incoming plaintext read error
2022-04-27T14:16:25   Error   openvpn   CLIENTIP:51767 TLS_ERROR: BIO read tls_read_plaintext error
2022-04-27T14:16:25   Error   openvpn   CLIENTIP:51767 OpenSSL: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate

And on the client side:

[Apr 27, 2022, 14:16:25] Frame=512/2048/512 mssfix-ctrl=1250
[Apr 27, 2022, 14:16:25] UNUSED OPTIONS
1 [persist-tun]
2 [persist-key]
6 [resolv-retry] [infinite]
8 [lport]

[Apr 27, 2022, 14:16:25] EVENT: RESOLVE
[Apr 27, 2022, 14:16:25] Contacting REMOTEIP:1194 via UDP
[Apr 27, 2022, 14:16:25] EVENT: WAIT
[Apr 27, 2022, 14:16:25] WinCommandAgent: transmitting bypass route to REMOTEIP
{
   "host" : "REMOTEIP",
   "ipv6" : false
}

[Apr 27, 2022, 14:16:25] Connecting to [REMOTEIP]:1194 (REMOTEIP) via UDPv4
[Apr 27, 2022, 14:16:25] EVENT: CONNECTING
[Apr 27, 2022, 14:16:25] Tunnel Options:V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client
[Apr 27, 2022, 14:16:25] Creds: Username/Password
[Apr 27, 2022, 14:16:25] Peer Info:
IV_VER=3.git::d3f8b18b
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
IV_LZ4v2=1
IV_GUI_VER=OCWindows_3.3.6-2752
IV_SSO=webauth,openurl,crtext

[Apr 27, 2022, 14:17:05] Session invalidated: KEEPALIVE_TIMEOUT
[Apr 27, 2022, 14:17:05] Client terminated, restarting in 2000 ms...

If anyone has an idea about this... Thank you for your help!
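As an added illustration, not taken from this thread or from OPNsense's generated configuration: the OpenVPN 2.4+ server-side settings behind the "peer did not return a certificate" handshake failure, in raw config syntax. The script path is an assumed placeholder; on OPNsense the equivalent lines are produced from the server's mode and authentication backend rather than typed by hand.

```conf
# Added illustration only. Assumes ca/cert/key/dh, the server subnet and
# the tls-auth key are already configured on the server.

# ---- Fragment A: what the server is effectively running today ----
# 'require' is OpenVPN's default. A client that presents no certificate is
# rejected inside the TLS handshake, before username/password or TOTP are
# ever evaluated, which matches the OpenSSL error in the server log and
# the KEEPALIVE_TIMEOUT the client sees.
verify-client-cert require

# ---- Fragment B: username/password (+ TOTP) with no client certificate ----
# Use ONE of the two fragments; if both appear, the last one wins.
# 'verify-client-cert none' replaces the deprecated 'client-cert-not-required'
# (removed in OpenVPN 2.5), so the old keyword may be silently ignored or
# rejected depending on the server version.
verify-client-cert none
# With no certificate, the username is the only client identity; take the
# common name from the supplied credentials instead of a certificate CN.
username-as-common-name
# Credentials must now be checked by a backend. OPNsense does this through
# its selected authentication server (LDAP + OTP in the thread); a raw
# config needs a plugin or a verify script. Assumed placeholder path:
script-security 2
auth-user-pass-verify /usr/local/bin/check-user.sh via-env

# Unchanged in both fragments: the server still authenticates itself with
# its own certificate, and tls-auth keeps unauthenticated peers from reaching
# the TLS layer at all with a pre-shared HMAC key.
tls-auth ta.key 0

# Client profile for Fragment B: no <cert>/<key> blocks, and it must prompt
# for credentials (the "Creds: Username/Password" line in the client log).
# auth-user-pass
```

With Fragment B the tls-auth key plus the LDAP password and TOTP are the only things gating access, so the exported client profile containing that key should be treated as a credential in its own right.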