[SOLVED] Not reading CCD files

xTz
OpenVpn Newbie
Posts: 5
Joined: Wed Jul 03, 2013 10:27 am
Location: Belfast, UK

Post by xTz » Wed Jul 03, 2013 10:53 am

I have a configuration where I'm pushing default gateway to all the clients, which works perfectly well. Most of them are using Androids and pushing the default GW is needed so that they can encrypt all their traffic.
However, I'd like to have another client, which needs to access only certain networks.
So what I did was:
Move away the default push options in ccd/DEFAULT:

push "redirect-gateway def1"
push "dhcp-option DNS y.y.y.y"
push "dhcp-option DNS z.z.z.z"
And create a file for only that client to push only selected routes to it.
However, it appears that the OpenVPN daemon doesn't want to read files in ccd.

As for the purpose of testing, I renamed the ccd/DEFAULT file to ccd/username (where username = the client's name as per CN), so that the default routes would be pushed to that client on connecting. This does not happen.
When I run the daemon with the --ccd-exclusive option, I get the following:

    Jul  3 13:13:35 DeathStar openvpn[4989]: x.x.x.x:42367 TLS: Initial packet from x.x.x.x:42367, sid=bb027acd ef31e767
    Jul  3 13:13:37 DeathStar openvpn[4989]: x.x.x.x:42367 VERIFY OK: depth=1, /C=BG/ST=SF/L=Sofia/O=Techn0.eu/CN=DeathStar.Techn0.eu/emailAddress=xxx@xxx
    Jul  3 13:13:37 DeathStar openvpn[4989]: x.x.x.x:42367 VERIFY OK: depth=0, /C=BG/ST=SF/L=Sofia/O=Techn0.eu/CN=xTz/emailAddress=xxx@xxx
    Jul  3 13:13:37 DeathStar openvpn[4989]: x.x.x.x:42367 TLS Auth Error: --client-config-dir authentication failed for common name 'xTz' file='/etc/openvpn/ccd/xTz'
    Jul  3 13:13:37 DeathStar openvpn[4989]: x.x.x.x:42367 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Jul  3 13:13:37 DeathStar openvpn[4989]: x.x.x.x:42367 [xTz] Peer Connection Initiated with x.x.x.x:42367
    Jul  3 13:13:38 DeathStar openvpn[4989]: x.x.x.x:42367 PUSH: Received control message: 'PUSH_REQUEST'
If the options for pushing the default GW and DNS servers are in the main config file, this doesn't happen. Why all of a sudden am I getting TLS authentication failures when these options are used on a per-client basis?
Or why doesn't it parse the files in ccd/ when not run with --ccd-exclusive?

maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Not reading CCD files

Post by maikcat » Wed Jul 03, 2013 11:45 am

post your server config,

use absolute path for ccd folder

check permissions for ccd folder & files

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

xTz
OpenVpn Newbie
Posts: 5
Joined: Wed Jul 03, 2013 10:27 am
Location: Belfast, UK

Re: Not reading CCD files

Post by xTz » Wed Jul 03, 2013 12:56 pm

# grep -vE '^#|^;|^$' /etc/openvpn/server.conf
local x.x.x.x
port 443
proto tcp
dev tun0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/certfile.crt
key /etc/openvpn/private/certfile.key
dh /etc/openvpn/dh2048.pem
server 10.0.1.0 255.255.255.240
float
keepalive 10 120
comp-lzo
user _openvpn
group _openvpn
daemon openvpn
persist-key
persist-tun
duplicate-cn
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn-status.log
verb 6
# cat /etc/openvpn/ccd/xTz
push "redirect-gateway def1"
push "dhcp-option DNS y.y.y.y"
push "dhcp-option DNS z.z.z.z"
For the purpose of the test, both the ccd dir and the files inside are readable by everyone:
# ls -ld /etc/openvpn/ccd/
drwxr-xr-x 2 root wheel 512 Jul 3 13:42 /etc/openvpn/ccd/
# ls -l /etc/openvpn/ccd/xTz
-rw-r--r-- 1 root wheel 101 Jul 3 15:40 /etc/openvpn/ccd/xTz

ecrist
Forum Team
Posts: 265
Joined: Wed Nov 26, 2008 10:33 pm
Location: Minneapolis, MN

Re: Not reading CCD files

Post by ecrist » Wed Jul 03, 2013 1:58 pm

Take a look at the attached PDF around page 45 or so. It covers default CCD entries and has examples. This PDF is from a presentation I did in 2012 at BSDCan in Ottawa. Everything in this presentation worked as demonstrated.

http://secure-computing.net/files/openv ... n_2012.pdf
OpenVPN Community Administrator
IRC: #openvpn, #openvpn-devel Twitter: @ecrist
Co-Author of Mastering OpenVPN
Author of Troubleshooting OpenVPN

maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Not reading CCD files

Post by maikcat » Wed Jul 03, 2013 2:03 pm

also please post the output of:

openssl x509 -subject -noout -in xTz.crt
can you also check the perms of /etc/openvpn directory ?

Michael.

xTz
OpenVpn Newbie
Posts: 5
Joined: Wed Jul 03, 2013 10:27 am
Location: Belfast, UK

Re: Not reading CCD files

Post by xTz » Wed Jul 03, 2013 9:52 pm

ecrist wrote: Take a look at the attached PDF around page 45 or so. It covers default CCD entries and has examples. This PDF is from a presentation I did in 2012 at BSDCan in Ottawa. Everything in this presentation worked as demonstrated.

http://secure-computing.net/files/openv ... n_2012.pdf
Thanks mate, that's exactly what I have tried initially.
maikcat wrote: also please post the output of:

openssl x509 -subject -noout -in xTz.crt
can you also check the perms of /etc/openvpn directory ?

Michael.
Michael, the permissions of the /etc/openvpn directory were exactly the same: 755, owned by root:wheel (for the purpose of the test).

It appears that permissions were in fact the problem.
I changed the group ownership of /etc/openvpn (recursively, including everything underneath) to _openvpn and everything worked out (with permissions 750 (640 for files)). I still can't explain why it didn't work when it had 755 (644 for files).

Anyway, thanks to both of you for your help.
Am I supposed to mark this as solved in any way? I'm not able to edit my initial post to change the subject to '[solved] $subject' or something like this.
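The checks maikcat asked for (absolute ccd path, permissions of the ccd directory and its files, permissions of /etc/openvpn itself) and the --ccd-exclusive behaviour from the first post's log can be scripted. The script below is an added example, not code from the thread or from the OpenVPN project. It reads client-config-dir, user, group and ccd-exclusive from a server config and decides, from the mode bits alone, whether the daemon, running as that user after it has dropped privileges (ccd files are opened per client at connect time, not while the daemon is still root), could open the per-CN file, and whether a missing file would reject the client or fall back to DEFAULT. The demo_layout function builds a constructed tree in a temporary directory with the directives from the thread; the DNS and route values in it are made up. It only models mode bits, so if it reports "ok" and the daemon still fails, the cause lies elsewhere (chroot, ACLs, supplementary groups, a relative path resolved against an unexpected working directory).

```shell
#!/bin/sh
# Added example, not from the thread: check an OpenVPN client-config-dir layout
# as the daemon sees it after --user/--group have dropped privileges. Every
# path, name and config value below is constructed for the example.

# ls_fields PATH -> "MODE OWNER GROUP" from ls -ld; fails if PATH is absent.
ls_fields() {
    lf_out=$(ls -ld "$1" 2>/dev/null) || return 1
    printf '%s\n' "$lf_out" | awk '{ print $1, $3, $4 }'
}

# mode_grants_access MODE OWNER GROUP USER UGROUP: MODE is the ls -l mode string
# (e.g. drwxr-x---). Succeeds if USER (primary group UGROUP) can open files in a
# directory (needs x) or read a plain file (needs r). ACLs and supplementary
# groups are ignored.
mode_grants_access() {
    mg_mode=$1; mg_owner=$2; mg_group=$3; mg_user=$4; mg_ugroup=$5
    [ "$mg_user" = root ] && return 0                   # root bypasses mode bits
    if [ "$mg_owner" = "$mg_user" ]; then
        mg_bits=$(printf '%s' "$mg_mode" | cut -c2-4)   # owner class
    elif [ "$mg_group" = "$mg_ugroup" ]; then
        mg_bits=$(printf '%s' "$mg_mode" | cut -c5-7)   # group class
    else
        mg_bits=$(printf '%s' "$mg_mode" | cut -c8-10)  # others
    fi
    case $mg_mode in
        d*) case $mg_bits in ??[xst]) return 0 ;; esac ;;   # s/t imply x
        *)  case $mg_bits in r??) return 0 ;; esac ;;
    esac
    return 1
}

# path_traversable DIR USER UGROUP: DIR and every ancestor must grant x, or a
# readable file inside cannot be opened (so /etc/openvpn matters, not only ccd).
path_traversable() {
    pt_p=$1; pt_u=$2; pt_g=$3
    while [ -n "$pt_p" ]; do
        pt_f=$(ls_fields "$pt_p") || { echo "$pt_p: no such directory"; return 1; }
        set -- $pt_f
        mode_grants_access "$1" "$2" "$3" "$pt_u" "$pt_g" ||
            { echo "$pt_p: $pt_u cannot traverse it ($1 $2:$3)"; return 1; }
        pt_p=${pt_p%/*}
    done
    return 0
}

# file_readable PATH USER UGROUP: PATH exists and USER can read it.
file_readable() {
    fr_u=$2; fr_g=$3
    fr_f=$(ls_fields "$1") || return 1
    set -- $fr_f
    mode_grants_access "$1" "$2" "$3" "$fr_u" "$fr_g"
}
# conf_value CONFIG DIRECTIVE: first argument of a directive (comments skipped).
conf_value() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }
# conf_has CONFIG DIRECTIVE: true if a flag such as ccd-exclusive is present.
conf_has() { awk -v k="$2" '$1 == k { found = 1 } END { exit !found }' "$1"; }

# check_ccd CONFIG CN: succeeds when a client whose certificate CN is CN would
# receive ccd options (its own file, or DEFAULT); fails otherwise and says why.
check_ccd() {
    cc_cfg=$1; cc_cn=$2
    cc_dir=$(conf_value "$cc_cfg" client-config-dir)
    cc_user=$(conf_value "$cc_cfg" user); cc_group=$(conf_value "$cc_cfg" group)
    [ -n "$cc_dir" ] || { echo "no client-config-dir in $cc_cfg"; return 1; }
    [ -n "$cc_user" ] || cc_user=root                   # no --user: stays root
    case $cc_dir in
        /*) ;;
        *)  echo "warning: '$cc_dir' is relative; it resolves against the daemon's cwd (or --cd)" ;;
    esac
    path_traversable "$cc_dir" "$cc_user" "$cc_group" || return 1
    if file_readable "$cc_dir/$cc_cn" "$cc_user" "$cc_group"; then
        echo "ok: $cc_cn gets options from $cc_dir/$cc_cn"; return 0
    fi
    if conf_has "$cc_cfg" ccd-exclusive; then
        echo "rejected: ccd-exclusive is set and $cc_dir/$cc_cn is missing or unreadable by $cc_user"
        return 1
    fi
    if file_readable "$cc_dir/DEFAULT" "$cc_user" "$cc_group"; then
        echo "ok: no file for $cc_cn, falls back to $cc_dir/DEFAULT"; return 0
    fi
    echo "no ccd options for $cc_cn: no per-CN file and no readable DEFAULT"; return 1
}

# demo_layout: constructed ccd tree in a temp dir owned by the current user,
# mirroring the thread's directives; prints the directory (caller removes it).
demo_layout() {
    dl_d=$(mktemp -d) || return 1
    mkdir "$dl_d/ccd"
    printf 'push "redirect-gateway def1"\npush "dhcp-option DNS 10.0.1.1"\n' > "$dl_d/ccd/DEFAULT"
    printf 'push "route 192.0.2.0 255.255.255.0"\n' > "$dl_d/ccd/xTz"
    chmod 750 "$dl_d/ccd"; chmod 640 "$dl_d/ccd/DEFAULT" "$dl_d/ccd/xTz"
    printf 'server 10.0.1.0 255.255.255.240\nuser %s\ngroup %s\nclient-config-dir %s/ccd\n' \
        "$(id -un)" "$(id -gn)" "$dl_d" > "$dl_d/server.conf"
    echo "$dl_d"
}

if [ "${1:-}" = demo ]; then                            # sh check_ccd.sh demo
    d=$(demo_layout)
    check_ccd "$d/server.conf" xTz; check_ccd "$d/server.conf" android-1
    echo ccd-exclusive >> "$d/server.conf"; check_ccd "$d/server.conf" android-1
    rm -rf "$d"
fi
```

Running it with the demo argument walks through the three cases the thread touches: a client with its own ccd file, a client that falls back to DEFAULT, and the same client rejected once ccd-exclusive is set, which is the "--client-config-dir authentication failed" line from the first post. Against a real server, call check_ccd with the path of the server config and the CN printed by openssl x509 -subject -noout -in client.crt; the file name under the ccd directory has to match that CN exactly.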
