[SOLVED] Not reading CCD files

[xTz]

I have a configuration where I'm pushing default gateway to all the clients, which works perfectly well. Most of them are using Androids and pushing the default GW is needed so that they can encrypt all their traffic.
However, I'd like to have another client, which needs to access only certain networks.
So what I did was:
Move away the default push options in ccd/DEFAULT:

Code: Select all

push "redirect-gateway def1"
push "dhcp-option DNS y.y.y.y"
push "dhcp-option DNS z.z.z.z"

And create a file for only that client to push only selected routes to it.
However, it appears that the OpenVPN daemon doesn't want to read files in ccd.

As for the purpose of testing, I renamed the ccd/DEFAULT file to ccd/username (where username = clients name as per CN), so that the default routes would be pushed to that client on connecting. This does not happen.
When I run the daemon with the --ccd-exclusive option, I get the following:

Code: Select all

	
    Jul  3 13:13:35 DeathStar openvpn[4989]: x.x.x.x:42367 TLS: Initial packet from x.x.x.x:42367, sid=bb027acd ef31e767
    Jul  3 13:13:37 DeathStar openvpn[4989]: x.x.x.x:42367 VERIFY OK: depth=1, /C=BG/ST=SF/L=Sofia/O=Techn0.eu/CN=DeathStar.Techn0.eu/emailAddress=xxx@xxx
    Jul  3 13:13:37 DeathStar openvpn[4989]: x.x.x.x:42367 VERIFY OK: depth=0, /C=BG/ST=SF/L=Sofia/O=Techn0.eu/CN=xTz/emailAddress=xxx@xxx
    Jul  3 13:13:37 DeathStar openvpn[4989]: x.x.x.x:42367 TLS Auth Error: --client-config-dir authentication failed for common name 'xTz' file='/etc/openvpn/ccd/xTz'
    Jul  3 13:13:37 DeathStar openvpn[4989]: x.x.x.x:42367 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Jul  3 13:13:37 DeathStar openvpn[4989]: x.x.x.x:42367 [xTz] Peer Connection Initiated with x.x.x.x:42367
    Jul  3 13:13:38 DeathStar openvpn[4989]: x.x.x.x:42367 PUSH: Received control message: 'PUSH_REQUEST'

If the options for pushing default GW and DNS servers are in the main config files, this doesn't happen. Why all the sudden am I getting TLS authentication failures when these options are used as a per-client basis?
Or why doesn't it parse the files in ccd/ when not run with --ccd-exclusive?

[maikcat]

post your server config,

use absolute path for ccd folder

check permissions for ccd folder & files

Michael.

[xTz]

# grep -vE '^#|^;|^$' /etc/openvpn/server.conf
local x.x.x.x
port 443
proto tcp
dev tun0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/certfile.crt
key /etc/openvpn/private/certfile.key
dh /etc/openvpn/dh2048.pem
server 10.0.1.0 255.255.255.240
float
keepalive 10 120
comp-lzo
user _openvpn
group _openvpn
daemon openvpn
persist-key
persist-tun
duplicate-cn
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn-status.log
verb 6

# cat /etc/openvpn/ccd/xTz
push "redirect-gateway def1"
push "dhcp-option DNS y.y.y.y"
push "dhcp-option DNS z.z.z.z"

For the purpose of the test, both the ccd dir and the files inside are readable by everyone:

# ls -ld /etc/openvpn/ccd/
drwxr-xr-x 2 root wheel 512 Jul 3 13:42 /etc/openvpn/ccd/
# ls -l /etc/openvpn/ccd/xTz
-rw-r--r-- 1 root wheel 101 Jul 3 15:40 /etc/openvpn/ccd/xTz

[ecrist]

Take a look at the attached PDF around page 45 or so. It covers default CCD entries and has examples. This PDF is from a presentation I did in 2012 at BSDCan in Ottawa. Everything in this presentation worked as demonstrated.

http://secure-computing.net/files/openv ... n_2012.pdf

[maikcat]

also please post the output of:

Code: Select all

openssl x509 -subject -noout -in xTz.crt

can you also check the perms of /etc/openvpn directory ?

Michael.

[xTz]

Take a look at the attached PDF around page 45 or so. It covers default CCD entries and has examples. This PDF is from a presentation I did in 2012 at BSDCan in Ottawa. Everything in this presentation worked as demonstrated.

http://secure-computing.net/files/openv ... n_2012.pdf

Thanks mate, that's exactly what I have tried initially.

also please post the output of:

Code: Select all

openssl x509 -subject -noout -in xTz.crt

can you also check the perms of /etc/openvpn directory ?

Michael.

Michael, the permissions of the /etc/openvpn directory were exactly the same - 755, owned by root:wheel (for the purpose of the test).

It appears that permissions were in fact the problem.
I changed the group ownership of the /etc/openvpn (recursively, including everything underneath) to _openvpn and everything worked out (with permissions 750 (640 for files)). I still can't explain why it didn't work when it had 755 (644 for files)

Anyway, thanks to both of you for your help.
Am I supposed to mark this as solved in any way? I'm not able to edit my initial post to change the subject to '[solved] $subject' or something like this.