by puneet » Thu Jun 28, 2018 2:39 am
I have deployed an OpenVPN server from the AWS Marketplace. After configuring the server I created an AMI of that instance.
When I deploy new instances from that AMI (multiple of them), my .conf (downloaded from the "master" instance) works on some new instances but throws an error on others!
AUTH: Received control message: AUTH_FAILED,REVOKED: client certificate has been revoked
How can I fix this?
PS: I have to autologin during/right after bootup. I can use a less secure method like just username/password and no certificate, but all information has to be in the .conf file as the user can't provide any input.
by puneet » Thu Jun 28, 2018 2:51 am
I'm not sure if it's related, but is there a server setting where I can flag a certificate to not expire/change?
There are a lot of certificates in my .conf file; most of them are the same between two AWS instances.
3 sections that are changing:
# Extra user-defined configuration
cipher AES-128-CBC
## -----BEGIN RSA SIGNATURE-----
## DIGEST:sha256
<cert>
-----BEGIN CERTIFICATE-----
<key>
-----BEGIN PRIVATE KEY-----
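To see exactly which parts of two cloned profiles diverge, the following added script (not from the thread or from OpenVPN) parses a .ovpn/.conf into plain directives and inline blocks such as <cert> and <key>, fingerprints each inline PEM body (SHA-256 over the DER, the same value `openssl x509 -fingerprint -sha256` prints), and reports the sections that differ. The two sample profiles are constructed with tiny placeholder PEM bodies, not real certificates.

```python
import base64
import hashlib
import re

# Constructed sample: B was cloned from A but carries a different <cert> and cipher.
PROFILE_A = """client
proto tcp
remote awsvpnserver.corp.local
port 80
cipher AES-128-CBC
<cert>
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
</cert>
"""
PROFILE_B = PROFILE_A.replace("AES-128-CBC", "AES-256-CBC").replace("MAMCAQE=", "MAMCAQI=")

INLINE_RE = re.compile(r"<(?P<tag>[a-z-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)
PEM_RE = re.compile(r"-----BEGIN [A-Z ]+-----(.*?)-----END [A-Z ]+-----", re.S)


def parse_profile(text):
    """Split a profile into {directive: [values]} and {inline tag: body}."""
    inline = dict(INLINE_RE.findall(text))  # (tag, body) pairs from the named groups
    directives = {}
    for line in INLINE_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":  # skip blanks and comments
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key, []).append(value.strip())  # setenv etc. may repeat
    return directives, inline


def fingerprint(block):
    """SHA-256 (colon-separated hex) of the DER inside a PEM block, else of the raw text."""
    match = PEM_RE.search(block)
    data = base64.b64decode("".join(match.group(1).split())) if match else block.encode()
    digest = hashlib.sha256(data).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def diff_profiles(text_a, text_b):
    """Return sorted (section, kind) pairs whose content differs between two profiles."""
    dir_a, inl_a = parse_profile(text_a)
    dir_b, inl_b = parse_profile(text_b)
    changed = [(k, "directive") for k in sorted(set(dir_a) | set(dir_b)) if dir_a.get(k) != dir_b.get(k)]
    changed += [(k, "inline") for k in sorted(set(inl_a) | set(inl_b))
                if fingerprint(inl_a.get(k, "")) != fingerprint(inl_b.get(k, ""))]
    return changed


if __name__ == "__main__":
    for section, kind in diff_profiles(PROFILE_A, PROFILE_B):
        print(f"{kind:9} {section} differs")
```

Comparing the <cert> fingerprint of a failing profile against the server's certificate database tells you whether the client is presenting a certificate the server has since revoked or one it never issued.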
by TinCanTech » Thu Jun 28, 2018 11:01 am
by puneet » Fri Jun 29, 2018 1:34 am
* Server *
Operating system:
Code:
NAME="Ubuntu"
VERSION="16.04.4 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.4 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
Network setup:
Code:
openvpnas@openvpnas2:~$ ifconfig
as0t0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.14.224.1 P-t-P:172.14.224.1 Mask:255.255.240.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:200
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
eth0 Link encap:Ethernet HWaddr 02:2b:c5:24:34:48
inet addr:172.15.110.100 Bcast:172.15.110.255 Mask:255.255.255.0
inet6 addr: fe80::2b:c5ff:fe24:3448/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
RX packets:22531 errors:0 dropped:0 overruns:0 frame:0
TX packets:12064 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:27631153 (27.6 MB) TX bytes:1030223 (1.0 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:169 errors:0 dropped:0 overruns:0 frame:0
TX packets:169 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:12814 (12.8 KB) TX bytes:12814 (12.8 KB)
pr0 Link encap:Ethernet HWaddr d6:31:75:3e:90:ee
inet6 addr: fe80::d431:75ff:fe3e:90ee/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:648 (648.0 B)
Server config file:
as.conf
Code:
# OpenVPN AS 1.1 configuration file
#
# NOTE: The ~ symbol used below expands to the directory that
# the configuration file is saved in
# remove for production
# DEBUG=false
# enable AS Connect functionality
AS_CONNECT=true
# temporary directory
tmp_dir=~/tmp
lic.dir=~/licenses
# run_start retries
run_start_retry.give_up=60
run_start_retry.resample=10
# enable client gateway
sa.show_c2s_routes=true
# certificates database
certs_db=sqlite:///~/db/certs.db
# user properties DB
user_prop_db=sqlite:///~/db/userprop.db
# configuration DB
config_db=sqlite:///~/db/config.db
# log DB
log_db=sqlite:///~/db/log.db
# wait this many seconds between failed retries
db_retry.interval=1
# how many retries to attempt before failing
db_retry.n_attempts=6
# On startup, wait up to n seconds for DB files to become
# available if they do not yet exist. This is generally
# only useful on secondary nodes used for standby purposes.
# db_startup_wait=
# Node type: PRIMARY|SECONDARY. Defaults to PRIMARY.
# node_type=
# bootstrap authentication via PAM -- allows
# admin to log into web UI before authentication
# system has been configured. Configure PAM users
# allowed to access via the bootstrap auth mechanism.
boot_pam_service=openvpnas
boot_pam_users.0=openvpn
# boot_pam_users.1=
# boot_pam_users.2=
# boot_pam_users.3=
# boot_pam_users.4=
# System users that are allowed to access the server agent XML API.
# The user that the web server will run as should be in this list.
system_users_local.0=root
system_users_local.1=openvpn_as
# The user/group that the web server will run as
cs.user=openvpn_as
cs.group=openvpn_as
# socket directory
general.sock_dir=~/sock
# path to linux openvpn executable
# if undefined, find openvpn on the PATH
#general.openvpn_exe_path=
# source directory for OpenVPN Windows executable
# (Must have been built with MultiFileExtract)
sa.win_exe_dir=~/exe
# The company name will be shown in the UI
sa.company_name=OpenVPN, Inc.
# server agent socket
sa.sock=~/sock/sagent
# If enabled, automatically generate a client configuration
# when a client logs into the site and successfully authenticates
cs.auto_generate=true
# files for web server (PEM format)
cs.ca_bundle=~/web-ssl/ca.crt
cs.priv_key=~/web-ssl/server.key
cs.cert=~/web-ssl/server.crt
# web server will use three consecutive ports starting at this
# address, for use with the OpenVPN port share feature
cs.dynamic_port_base=870
# which service groups should be started during
# server agent initialization
sa.initial_run_groups.0=web_group
#sa.initial_run_groups.1=openvpn_group
# use this twisted reactor
sa.reactor=epoll
# The unit number of this particular AS configuration.
# Normally set to 0. If you have multiple, independent AS instances
# running on the same machine, each should have a unique unit number.
sa.unit=0
# If true, open up web ports on the firewall using iptables
iptables.web=true
vpn.server.user=openvpn_as
vpn.server.group=openvpn_as
* Client *
Operating system:
Code:
NAME="Ubuntu"
VERSION="18.04 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
Network setup:
Code:
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.110.100 netmask 255.255.0.0 broadcast 192.168.255.255
inet6 fe80::250:56ff:fe88:d378 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:88:d3:78 txqueuelen 1000 (Ethernet)
RX packets 58449 bytes 4464306 (4.4 MB)
RX errors 0 dropped 126 overruns 0 frame 0
TX packets 42628 bytes 5094829 (5.0 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Client config file:
Code:
# Automatically generated OpenVPN client config file
# Generated on Fri Jun 15 18:04:23 2018 by openvpnas2
# Note: this config file contains inline private keys
# and therefore should be kept confidential!
# Note: this configuration is user-locked to the username below
# OVPN_ACCESS_SERVER_USERNAME=hol-admin
# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=hol-admin@awsvpnserver.corp.local/AUTOLOGIN
# OVPN_ACCESS_SERVER_AUTOLOGIN=1
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=True
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=awsvpnserver.corp.local:80
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
# MIIDBjCCAe6gAwIBAgIEWwCgSzANBgkqhkiG9w0BAQsFADA8MTowOAYDVQQDDDFP
# cGVuVlBOIFdlYiBDQSAyMDE4LjA1LjE5IDIyOjA4OjExIFVUQyBvcGVudnBuYXMy
# MB4XDTE4MDUxMjIyMDgxMVoXDTI4MDUxNjIyMDgxMVowPDE6MDgGA1UEAwwxT3Bl
# blZQTiBXZWIgQ0EgMjAxOC4wNS4xOSAyMjowODoxMSBVVEMgb3BlbnZwbmFzMjCC
# ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFtiINz+TIettBz4ZUboy0M
# wU+Gt9D+pjbwFsQYYTf1SlxKVtFmJzAwOeOhZ2I3MegYf9v/kkdAIdrQBzLzYQPc
# SW5D3QxZFNOVlwgbt+b9zoyXzL6ZwL8Azg3AM9I0TIMsLgkRFvSswiRu0hM2oVP+
# mL7ID/HWWaLRKGVApOoNdiIrPEXtGyn1SxPstQ0L7YJrhHJnJcAGnpRSrDxwAQ4u
# IMw6FdUErQSpp5WzvGaTjlDqOz6V3kYT3i4XTnEhWXuwT4urRHJPjyqwlTK5xIl1
# JhuPwGNojrpoSi/qFiZcSiC3PcIrccLtgw7wGzuCAHpRX6vq+CI0lAFEptITi3cC
# AwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAPFakhXxJ
# oiIYtuzmLtCJ9iLyt7dAoJ/ygKsLMa4YHB13YWkQEU8hpzclN4CUuNfkKMwwgvSr
# ixKzP7ePR/fQEPWKjVGgb3QUdq1qjWY0nCMzl4kGkIPztAk7C+qylaRf0eSexL5d
# 6UEvkDkjZusn0+21FhhorB2I7nVnETSxnFtykYKr15HJkUN+gJfnuoNnqn6TBMx2
# /+KHBaDpBNNrqJeTIMqRA+0PMMrKCEwW8U3V7vN95pN7wJUMqe3OfrthOI1rJeQd
# dfbfLFzKGiqCEhRBXrZnByTitvp9ReswncEmzhdQ88DmR9GyPrmzpjJJ4v02NFaB
# lb/hypNGWYtJYQ==
# -----END CERTIFICATE-----
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
# OVPN_ACCESS_SERVER_ORGANIZATION=OpenVPN, Inc.
setenv FORWARD_COMPATIBLE 1
client
proto tcp
remote awsvpnserver.corp.local
port 80
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
connect-retry 13 [max]
keepalive 20 60
##auth-user-pass pass.txt
## Tried the auth-user-pass command but that throws the following error:
## AUTH: Received control message: AUTH_FAILED,REVOKED: client certificate has been revoked
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO