
TLS issues when trying to connect to openVPN remote-access


mauzilla:
I've recently made the jump from PFSense to OPNsense and am very impressed, so much so that I've set up a blade in our cabinet and would like to explore using this as a permanent firewall in our environment.

I am trying to set up a remote access VPN (openVPN) so that I can connect to the LAN interface connected to the servers in our cabinet. I would like to use both authentication + TLS authentication.

I have done the following so far:

1) I created a CA
2) I have created a server certificate which uses the CA created above
3) I have configured an openVPN server with the following:

 - Remote Access (SSL/TLS + User Auth) that uses local database
 - UDP
 - TUN
 - interface is set to any
 - 1194 local port
 - TLS Authentication is enabled with encryption
 - CA is the CA created in step 1
 - Server Certificate set to the cert created in step 2
 - Strict user / CN matching is disabled
 - IPv4 Tunnel is set to 10.1.101.0/24 (this is the network I wish for my VPN clients to be assigned an IP address when connected)
 - IPv4 Local Network is set to a /24 which I want to access (these would be the server IP range)
 - Dynamic IP
 - Address Pool is enabled
 - DNS is set to 8.8.8.8
 - All other settings are default
5) I created a firewall rule on the WAN input to allow traffic to all (I will change this once I get the VPN working, I just wanted to ensure issues are not related to the firewall itself)
6) I created a user under Access > Users

 - User is part of admins
 - I created a user certificate that uses the CA created in step 1, certificate type is a Client Certificate

7) I then did a client export under VPN > OpenVPN with my

 - hostname being the WAN IP and port 1194
 - I disabled validate server subject
 - All other settings are default

My config looks like this (with just the remote and pkcs12 filename changed):

--- Code: ---dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
client
resolv-retry infinite
remote MYWANIP 1194 udp
lport 0
auth-user-pass
pkcs12 changed.p12
--- End code ---


I then tried the following 2 openVPN clients:

openvpn connect (version 3)

This was quite a tricky one to try and figure out and I still don't know if I got it right.

1) I imported the config which told me that it could not assign a certificate and key - After some troubleshooting I managed to import it via command line - I took the "changed.p12" file that came with the bundle and imported it with the flag --import-certificate=<path-to-certificate>
2) When I however try and connect, I immediately get the following error: "ssl_context_error: OpenSSLContext: CA not defined"

I cannot imagine that the OPNsense export would not include the certificate authority as part of the p12 file, so I imagine this to be a bug?

openvpn GUI (version 2.5)

Having had no success with openVPN connect in the past and normally getting better data from the openVPN GUI console, I opted to install the GUI, stored my config files (ovpn and p12 file) in the config folder for openVPN which allows me to connect to it.

Trying to connect:
1) I am prompted for my credentials and then get the following recurring messages:


--- Code: ---Sat Jul 30 11:19:42 2022 UDP link remote: [AF_INET]GATEWAYIP:1194
Sat Jul 30 11:19:42 2022 VERIFY ERROR: depth=0, error=self signed certificate: CN=OPNsense.localdomain, C=NL, ST=Zuid-Holland, L=Middelharnis, O=OPNsense self-signed web certificate, serial=195040175418146406786703695850969686114336621681
Sat Jul 30 11:19:42 2022 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Sat Jul 30 11:19:42 2022 TLS_ERROR: BIO read tls_read_plaintext error
Sat Jul 30 11:19:42 2022 TLS Error: TLS object -> incoming plaintext read error
Sat Jul 30 11:19:42 2022 TLS Error: TLS handshake failed
Sat Jul 30 11:19:42 2022 SIGUSR1[soft,tls-error] received, process restarting
Sat Jul 30 11:21:02 2022 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

--- End code ---

And this is where I am, I don't know what I am missing as I am sure I followed the instructions correctly but cannot get this working. Any ideas?

chelming:
error=self signed certificate

Import your CA on your device?
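Added example (not from this thread, and not OPNsense's or OpenVPN's own tooling): a shell script that uses the openssl command line to build a throwaway CA, a server certificate signed by it, a self-signed "web" certificate that is deliberately not signed by it, and a client certificate, then exports two PKCS#12 bundles, one with the CA included and one without. The two checks at the end are the ones worth running against a real export: does the .p12 actually carry a CA certificate (the Connect client's "CA not defined" complaint), and does the certificate the server presents chain to that CA (the "depth=0, error=self signed certificate" verify error in the log means it does not). All names, subjects and passwords here are constructed for the example.

```shell
#!/bin/sh
# Added example: check whether a PKCS#12 bundle carries a CA certificate and
# whether a server certificate chains to that CA. Everything below is built
# on the fly in a temp directory; no real keys or hosts are involved.
set -eu

WORK=$(mktemp -d)
cd "$WORK"
PASS=example   # constructed export password for the throwaway bundles

# 1. Throwaway CA (constructed; stands in for the CA created in the GUI)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Example VPN CA" -days 365 >/dev/null 2>&1

# 2. Server certificate signed by that CA (what the VPN server should present)
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=vpn.example" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out server.crt -days 365 >/dev/null 2>&1

# 3. A self-signed certificate NOT issued by the CA, modelled on the
#    "self-signed web certificate" that shows up in the posted log
openssl req -x509 -newkey rsa:2048 -nodes -keyout web.key -out web.crt \
  -subj "/CN=OPNsense.localdomain" -days 365 >/dev/null 2>&1

# 4. Client certificate signed by the CA
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=alice" >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out client.crt -days 365 >/dev/null 2>&1

# 5. Two bundles: -certfile adds the CA to the bundle, the second omits it
openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt \
  -out with_ca.p12 -passout "pass:$PASS"
openssl pkcs12 -export -inkey client.key -in client.crt \
  -out without_ca.p12 -passout "pass:$PASS"

# count_certs FILE PASSWORD: number of certificates inside a .p12
# (client cert plus any CA certs). 1 means no CA travelled with the bundle.
count_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# verify_server CERT: prints "ok" if CERT chains to ca.crt, else "fail".
# A "fail" here is what the client's VERIFY ERROR at depth=0 is reporting.
verify_server() {
  if openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# cert_issuer CERT: the issuer DN, handy for comparing against the CA subject
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

echo "certs in with_ca.p12:    $(count_certs with_ca.p12 "$PASS")"
echo "certs in without_ca.p12: $(count_certs without_ca.p12 "$PASS")"
echo "server.crt against CA:   $(verify_server server.crt)"
echo "web.crt against CA:      $(verify_server web.crt)"
echo "web.crt issuer:          $(cert_issuer web.crt)"
```

To apply the same checks to a real export, run count_certs on the exported .p12 with its own password: a count of 1 means the bundle holds only the client certificate and the client has no CA to trust, while a count of 2 or more means the CA is there and a verify failure points at the server side instead (the log above shows the server presenting a self-signed certificate whose issuer is not the VPN CA, so verify_server against that CA would print "fail" regardless of what the client bundle contains).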
