authentication

Both users and developers can post their Howto guides in this section.
Post Reply
pedro555
OpenVpn Newbie
Posts: 3
Joined: Wed May 06, 2015 10:12 am

authentication

Post by pedro555 » Wed May 06, 2015 10:18 am

Hi i had install openvpn package in centos 6.6 wtith certifications.
I test vpn with certifications and connect without problem.
when i add the line of authentication.
When i test this authentication, can connect vpn due authentication failure

User avatar
maikcat
Forum Team
Posts: 4199
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Contact:

Re: authentication

Post by maikcat » Wed May 06, 2015 11:10 am

please post your configs/logs first

Michael.

pedro555
OpenVpn Newbie
Posts: 3
Joined: Wed May 06, 2015 10:12 am

Re: authentication

Post by pedro555 » Wed May 06, 2015 3:00 pm

config

port 1194
proto tcp
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
;log-append openvpn.log
verb 5
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/opevpn
client-cert-not-required
username-as-common-name

log server
Wed May 6 15:36:18 2015 us=186107 IFCONFIG POOL LIST
Wed May 6 15:36:18 2015 us=186134 client,10.8.0.4
Wed May 6 15:36:18 2015 us=186161 rgoncalves,10.8.0.8
Wed May 6 15:36:18 2015 us=186235 Initialization Sequence Completed
Wed May 6 15:38:53 2015 us=325073 MULTI: multi_create_instance called
Wed May 6 15:38:53 2015 us=325211 192.168.1.6:51276 Re-using SSL/TLS context
Wed May 6 15:38:53 2015 us=325275 192.168.1.6:51276 LZO compression initialized
Wed May 6 15:38:53 2015 us=325510 192.168.1.6:51276 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed May 6 15:38:53 2015 us=325538 192.168.1.6:51276 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed May 6 15:38:53 2015 us=325746 192.168.1.6:51276 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed May 6 15:38:53 2015 us=325769 192.168.1.6:51276 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed May 6 15:38:53 2015 us=325814 192.168.1.6:51276 Local Options hash (VER=V4): '530fdded'
Wed May 6 15:38:53 2015 us=325843 192.168.1.6:51276 Expected Remote Options hash (VER=V4): '41690919'
RWed May 6 15:38:53 2015 us=325925 192.168.1.6:51276 TLS: Initial packet from [AF_INET]192.168.1.6:51276, sid=e825baf0 7ecb68fd
WRRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWRWRWRWRWRWRWRWRWRWRWRWRWed May 6 15:38:54 2015 us=60241 192.168.1.6:51276 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=PT, ST=LX, L=Lisbon, O=FMF, OU=FMF, CN=pcorreia, name=FMFvpn, emailAddress=suporte@fmf-ferramentas.com
Wed May 6 15:38:54 2015 us=60390 192.168.1.6:51276 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Wed May 6 15:38:54 2015 us=60414 192.168.1.6:51276 TLS Error: TLS object -> incoming plaintext read error
Wed May 6 15:38:54 2015 us=60434 192.168.1.6:51276 TLS Error: TLS handshake failed
Wed May 6 15:38:54 2015 us=60530 192.168.1.6:51276 SIGUSR1[soft,tls-error] received, client-instance restarting
Wed May 6 15:39:55 2015 us=839368 MULTI: multi_create_instance called
Wed May 6 15:39:55 2015 us=839479 192.168.1.6:54000 Re-using SSL/TLS context
Wed May 6 15:39:55 2015 us=839520 192.168.1.6:54000 LZO compression initialized
Wed May 6 15:39:55 2015 us=839646 192.168.1.6:54000 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed May 6 15:39:55 2015 us=839675 192.168.1.6:54000 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed May 6 15:39:55 2015 us=839855 192.168.1.6:54000 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed May 6 15:39:55 2015 us=839877 192.168.1.6:54000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed May 6 15:39:55 2015 us=839910 192.168.1.6:54000 Local Options hash (VER=V4): '530fdded'
Wed May 6 15:39:55 2015 us=839940 192.168.1.6:54000 Expected Remote Options hash (VER=V4): '41690919'
RWed May 6 15:39:55 2015 us=839995 192.168.1.6:54000 TLS: Initial packet from [AF_INET]192.168.1.6:54000, sid=08400678 3c15c94e
WRRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWRWRWRWRWRWRWRWRWRWRWRWRWed May 6 15:39:56 2015 us=605309 192.168.1.6:54000 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=PT, ST=LX, L=Lisbon, O=FMF, OU=FMF, CN=pcorreia, name=FMFvpn, emailAddress=suporte@fmf-ferramentas.com
Wed May 6 15:39:56 2015 us=605410 192.168.1.6:54000 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Wed May 6 15:39:56 2015 us=605433 192.168.1.6:54000 TLS Error: TLS object -> incoming plaintext read error
Wed May 6 15:39:56 2015 us=605453 192.168.1.6:54000 TLS Error: TLS handshake failed

log client
Wed May 06 15:40:35 2015 Local Options hash (VER=V4): 'd3a7571a'
Wed May 06 15:40:35 2015 Expected Remote Options hash (VER=V4): '5b1533a2'
Wed May 06 15:40:35 2015 UDPv4 link local: [undef]
Wed May 06 15:40:35 2015 UDPv4 link remote: 192.168.1.250:1194
Wed May 06 15:40:35 2015 TLS: Initial packet from 192.168.1.250:1194, sid=453f015f f6f4a5a7
Wed May 06 15:40:35 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed May 06 15:40:35 2015 VERIFY OK: depth=1, /C=PT/ST=LX/L=Lisbon/O=empresa/OU=empresaVpn/CN=empresa_CA/name=empresavpn/emailAddress=suporte@empresa-company.com
Wed May 06 15:40:35 2015 VERIFY OK: depth=0, /C=PT/ST=LX/L=Lisbon/O=empresa/OU=empresaVpn/CN=server/name=empresavpn/emailAddress=suporte@empresa-company.com
Wed May 06 15:41:36 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May 06 15:41:36 2015 TLS Error: TLS handshake failed
Wed May 06 15:41:36 2015 TCP/UDP: Closing socket
Wed May 06 15:41:36 2015 SIGUSR1[soft,tls-error] received, process restarting

User avatar
maikcat
Forum Team
Posts: 4199
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Contact:

Re: authentication

Post by maikcat » Thu May 07, 2015 6:29 am

--client-cert-not-required
Don't require client certificate, client will authenticate using username/password only. Be aware that using this directive is less secure than requiring certificates from all clients.
please remove this from your server...

also post your client config.

if you want to disable certs all together your configs need to be changed...

Michael.

pedro555
OpenVpn Newbie
Posts: 3
Joined: Wed May 06, 2015 10:12 am

Re: authentication

Post by pedro555 » Thu May 07, 2015 4:01 pm

My idea is to use both certification and password

client config

client
dev tun
proto udp
remote 192.168.1.250 1194 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
auth-user-pass
comp-lzo
reneg-sec 0
verb 3

User avatar
maikcat
Forum Team
Posts: 4199
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Contact:

Re: authentication

Post by maikcat » Thu May 07, 2015 4:29 pm

then remove this from your server config

Code: Select all

client-cert-not-required
Michael.

Post Reply