Connection timeout


Post by GreenEnvy22 » Tue Jan 23, 2024 9:56 pm

Hi all,
I started testing OpenVPN today and have run into a roadblock, so looking for some help.
A bit of background: I'm an IT admin, we currently use WatchGuard firewalls at our offices, using their IKEv2 and SSL firewall clients for remote staff to get at internal resources like file servers.
We're looking to move to something more secure. We use OneLogin for SAML SSO and MFA, and I see OpenVPN supports this, so I thought I'd test it out.

I downloaded the OVA of the access server and deployed it to our VMware instance. It has an IP on one of our subnets for testing.
On the WatchGuard, I created a rule allowing 443/943/1143, both TCP and UDP (I know I don't need UDP for the first two but for simplicity's sake I added those).
I also set up the SAML connector to OneLogin, and created a SAML user, as well as creating a local user. My default is still local.
I set up a DNS record for vpn1.ourdomain.com, pointed to the external IP I assigned in the WatchGuard, and set up a DNS entry on our internal DNS servers pointing to its internal IP.
I have it set to dynamically assign IPs in the default 172.x.x.x VLAN (which we don't use internally for anything, not sure if that matters).

So from a remote computer, I can browse to https://vpn1.mydomain.com and I get the OpenVPN web interface. I can log in here with the local user, or the SAML user (which goes to OneLogin, has me do MFA). In both cases, I then get the page where I can download the client and profiles.
I downloaded the client, and a profile (user and server locked).
I imported the profile into the app, and tried to connect, but it just times out, again both for a local user, or SAML user, so I don't think it's the SAML config.

My client computer has ESET Protect AV, but I have the firewall disabled for testing.
The log file isn't too helpful, but a redacted one is below. Any thoughts?


[Jan 23, 2024, 16:49:44] Connecting to [vpn1.mydomain.org]:1194 (12.1.2.3) via UDP
[Jan 23, 2024, 16:49:44] EVENT: CONNECTING ⏎[Jan 23, 2024, 16:49:44] Tunnel Options:V4,dev-type tun,link-mtu 1477,tun-mtu 1420,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client
[Jan 23, 2024, 16:49:44] Creds: Username/Password
[Jan 23, 2024, 16:49:44] Peer Info:
IV_VER=3.8connect1
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
UV_ASCLI_VER=3.4.0-3121
UV_PLAT_REL=Microsoft Windows 11 Business_10.0.22631
UV_UUID=A28B9F4C-2288-11B2-A85C-C28C62C13AD5
IV_GUI_VER=OCWindows_3.4.0-3121
IV_SSO=webauth,openurl,crtext
IV_HWADDR=04:7b:cb:c4:04:da
IV_SSL=OpenSSL 3.0.8 7 Feb 2023

[Jan 23, 2024, 16:50:14] EVENT: CONNECTION_TIMEOUT  BYTES_IN : 2334
 BYTES_OUT : 80926
 PACKETS_IN : 3
 PACKETS_OUT : 90
 CONNECTION_TIMEOUT : 1
[Jan 23, 2024, 16:50:14] EVENT: DISCONNECTED


Re: Connection timeout

Post by GreenEnvy22 » Wed Jan 24, 2024 3:29 am

OK, I found the issue.
I tried accessing via my Android phone, and had the same issue. Then I turned Wi-Fi off on my phone, and it connected.
So I knew it was something on my home internet.
It turned out to be that I also have a WatchGuard at home, and its application control feature was blocking OpenVPN traffic. I changed that to allow and it connected right away.
Hope that helps someone else one day.
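
A small triage helper for the kind of client log posted in this thread, added here as an example and not part of the original posts or of OpenVPN's own tooling. The function names, the category labels and the 10:1 threshold are assumptions; the sample log is constructed from the lines quoted in the first post.

```python
import re

# Constructed sample, shaped like the client log in the first post.
SAMPLE_LOG = """\
[Jan 23, 2024, 16:49:44] Connecting to [vpn1.mydomain.org]:1194 (12.1.2.3) via UDP
[Jan 23, 2024, 16:49:44] EVENT: CONNECTING
[Jan 23, 2024, 16:50:14] EVENT: CONNECTION_TIMEOUT  BYTES_IN : 2334
 BYTES_OUT : 80926
 PACKETS_IN : 3
 PACKETS_OUT : 90
 CONNECTION_TIMEOUT : 1
[Jan 23, 2024, 16:50:14] EVENT: DISCONNECTED
"""

COUNTER_RE = re.compile(r"\b(BYTES_IN|BYTES_OUT|PACKETS_IN|PACKETS_OUT)\s*:\s*(\d+)")
TARGET_RE = re.compile(r"Connecting to \[([^\]]+)\]:(\d+) \(([^)]*)\) via (\w+)")

def parse_attempt(log_text):
    """Extract target, transport and traffic counters from one connection attempt."""
    info = {"timed_out": "EVENT: CONNECTION_TIMEOUT" in log_text}
    m = TARGET_RE.search(log_text)
    if m:
        info.update(host=m.group(1), port=int(m.group(2)), proto=m.group(4))
    for name, value in COUNTER_RE.findall(log_text):
        info[name.lower()] = int(value)
    return info

def classify_timeout(info, min_ratio=10):
    """Heuristic triage of a timeout (assumed categories, not OpenVPN logic)."""
    if not info.get("timed_out"):
        return "no-timeout"
    pkts_in = info.get("packets_in", 0)
    pkts_out = info.get("packets_out", 0)
    if pkts_in == 0:
        # Nothing came back at all: check address, port and basic port rules.
        return "no-reply"
    if pkts_out >= min_ratio * pkts_in:
        # Some replies arrived, then the client kept sending unanswered:
        # check filtering on the path at both ends, e.g. application control.
        return "replies-stopped"
    return "inconclusive"

if __name__ == "__main__":
    attempt = parse_attempt(SAMPLE_LOG)
    print(attempt, classify_timeout(attempt))
```

Retrying from a second network, as the poster did with mobile data, is what separates a client-side path problem from a server-side one; the counters only narrow down where to look.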
