We are trying to configure OpenVPN using official certificates (SwissSign).
By default, one intermediate CA issues the server (TLS) certificates and the other issues only client certificates. It looks something like this:
            +-------------------------+
            |    SwissSign Root CA    |
            +------------+------------+
                         |
            +------------+------------+
            |                         |
     +------+-------+          +------+-------+
     |  Server CA   |          |  Client CA   |
     +------+-------+          +------+-------+
            |                         |
     +------+-------+          +------+-------+
     | Server Certs |          | Client Certs |
     +--------------+          +--------------+
       vpn_cert.pem             client_cert.pem
       vpn_key.pem              client_key.pem
We set the configuration on the client side, but the client cannot authenticate.
So this seems to be a problem related to the certificate configuration, even though both intermediates are issued from the same root certificate. If we use a self-signed CA certificate to generate the server certificate and the client certificate, with the same configuration, everything works perfectly.
Here is the current configuration for the server:
[oconf=SERVER]
port 1194
proto udp
dev tun0
ca /etc/openvpn/easy-rsa/keys/swissign_ca.crt # Contains SwissSign Root CA and SwissSign Server Intermediate CA.
cert /etc/openvpn/easy-rsa/keys/server_cert.pem # server vpn certificate
key /etc/openvpn/easy-rsa/keys/server_cert.key # keep secret
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
topology subnet
server 10.10.10.0 255.255.255.0 # internal tun0 connection IP
push "route 192.168.1.0 255.255.240.0"
push "route 10.10.10.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.10"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DOMAIN myfakedomain.ch"
ifconfig-pool-persist ipp.txt
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
keepalive 10 120
persist-key
persist-tun
auth-nocache
cipher AES-256-CBC
auth SHA1
engine none
resolv-retry infinite
status log/openvpn-status.log
verb 5 # verbose mode
client-to-client
[/oconf]
[oconf=CLIENT]
client
dev tun1
port 1194
proto udp
remote 192.168.1.11 1194 # VPN server IP : PORT
nobind
push "dhcp-options DNS 192.168.1.10"
redirect-gateway def1
ca /home/myuser/myuser.p12 # Contains the full certification chain.
pkcs12 /home/myuser/myuser.p12 # Contains the full certification chain.
remote-cert-tls server
auth-nocache
cipher AES-256-CBC
auth SHA1
connection-type password-tls
float yes
username myuser
password mypassword
resolv-retry infinite
persist-key
persist-tun
verb 5
nobind
push "dhcp-options DNS 192.168.1.10"
redirect-gateway def1
[/oconf]
Nov 24 13:31:23 mypc NetworkManager[29337]: <info> [1511526683.3077] audit: op="connection-activate" uuid="967102b3-1563-450b-8879-e0a91334aaf1" name="VPN" pid=29458 uid=10139 result="success"
Nov 24 13:31:23 mypc NetworkManager[29337]: <info> [1511526683.3174] vpn-connection[0x56019d7543e0,967102b3-1563-450b-8879-e0a91334aaf1,"VPN",0]: Started the VPN service, PID 29746
Nov 24 13:31:23 mypc NetworkManager[29337]: <info> [1511526683.3358] vpn-connection[0x56019d7543e0,967102b3-1563-450b-8879-e0a91334aaf1,"VPN",0]: Saw the service appear; activating connection
Nov 24 13:31:23 mypc NetworkManager[29337]: <info> [1511526683.5807] keyfile: update /etc/NetworkManager/system-connections/VPN (967102b3-1563-450b-8879-e0a91334aaf1,"VPN")
Nov 24 13:31:23 mypc NetworkManager[29337]: <info> [1511526683.6270] vpn-connection[0x56019d7543e0,967102b3-1563-450b-8879-e0a91334aaf1,"VPN",0]: VPN plugin: state changed: starting (3)
Nov 24 13:31:23 mypc NetworkManager[29337]: <info> [1511526683.6270] vpn-connection[0x56019d7543e0,967102b3-1563-450b-8879-e0a91334aaf1,"VPN",0]: VPN connection: (ConnectInteractive) reply received
Nov 24 13:31:23 mypc nm-openvpn[29752]: OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Nov 24 13:31:23 mypc nm-openvpn[29752]: library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
Nov 24 13:31:23 mypc nm-openvpn[29752]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 24 13:31:23 mypc nm-openvpn[29752]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 24 13:31:23 mypc nm-openvpn[29752]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.10:1194
Nov 24 13:31:23 mypc nm-openvpn[29752]: UDP link local: (not bound)
Nov 24 13:31:23 mypc nm-openvpn[29752]: UDP link remote: [AF_INET]192.168.179.251:1194
Nov 24 13:31:23 mypc nm-openvpn[29752]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
Nov 24 13:31:23 mypc nm-openvpn[29752]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Nov 24 13:32:23 mypc nm-openvpn-serv[29746]: Connect timer expired, disconnecting.
Nov 24 13:32:23 mypc nm-openvpn[29752]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 24 13:32:23 mypc nm-openvpn[29752]: TLS Error: TLS handshake failed
Nov 24 13:32:23 mypc NetworkManager[29337]: <warn> [1511526743.6041] vpn-connection[0x56019d7543e0,967102b3-1563-450b-8879-e0a91334aaf1,"VPN",0]: VPN connection: connect timeout exceeded.
Nov 24 13:32:23 mypc nm-openvpn[29752]: SIGTERM[hard,tls-error] received, process exiting
Nov 24 13:32:23 mypc NetworkManager[29337]: <warn> [1511526743.6074] vpn-connection[0x56019d7543e0,967102b3-1563-450b-8879-e0a91334aaf1,"VPN",0]: VPN plugin: failed: connect-failed (1)
Nov 24 13:32:23 mypc NetworkManager[29337]: <info> [1511526743.6076] vpn-connection[0x56019d7543e0,967102b3-1563-450b-8879-e0a91334aaf1,"VPN",0]: VPN plugin: state changed: stopping (5)
Nov 24 13:32:45 openvpn[11931]: MANAGEMENT: Client disconnected
Nov 24 13:32:45 openvpn[38615]: I/O WAIT TR|Tw|SR|Sw [10/0]
Nov 24 13:32:45 openvpn[11931]: MANAGEMENT: CMD 'status 2'
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=6 arg=0x32df844e3f8
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=7 arg=0x32df844e3f4
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=8 arg=0x32df8e9f2b0
Nov 24 13:32:45 openvpn[11931]: MANAGEMENT: Client connected from /var/etc/openvpn/server3.sock
Nov 24 13:32:45 openvpn[38615]: SCHEDULE: schedule_find_least NULL
Nov 24 13:32:45 openvpn[38615]: MANAGEMENT: Client disconnected
Nov 24 13:32:45 openvpn[38615]: I/O WAIT status=0x0040
Nov 24 13:32:45 openvpn[38615]: event_wait returned 1
Nov 24 13:32:45 openvpn[38615]: PO_WAIT[2,0] fd=9 rev=0x00000011 rwflags=0x0001 arg=0x32df844e3f8
Nov 24 13:32:45 openvpn[38615]: I/O WAIT TR|Tw|SR|Sw [10/0]
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=9 arg=0x32df844e3f8
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=7 arg=0x32df844e3f4
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=8 arg=0x32df8e9f2b0
Nov 24 13:32:45 openvpn[38615]: SCHEDULE: schedule_find_least NULL
Nov 24 13:32:45 openvpn[38615]: I/O WAIT status=0x0080
Nov 24 13:32:45 openvpn[38615]: event_wait returned 1
Nov 24 13:32:45 openvpn[38615]: PO_WAIT[2,0] fd=9 rev=0x00000004 rwflags=0x0002 arg=0x32df844e3f8
Nov 24 13:32:45 openvpn[38615]: I/O WAIT TR|Tw|SR|Sw [10/0]
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0002 ev=9 arg=0x32df844e3f8
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=7 arg=0x32df844e3f4
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=8 arg=0x32df8e9f2b0
Nov 24 13:32:45 openvpn[38615]: SCHEDULE: schedule_find_least NULL
Nov 24 13:32:45 openvpn[38615]: MANAGEMENT: CMD 'status 2'
Nov 24 13:32:45 openvpn[38615]: I/O WAIT status=0x0040
Nov 24 13:32:45 openvpn[38615]: event_wait returned 1
Nov 24 13:32:45 openvpn[38615]: PO_WAIT[2,0] fd=9 rev=0x00000001 rwflags=0x0001 arg=0x32df844e3f8
Nov 24 13:32:45 openvpn[38615]: I/O WAIT TR|Tw|SR|Sw [10/0]
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=9 arg=0x32df844e3f8
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=7 arg=0x32df844e3f4
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=8 arg=0x32df8e9f2b0
Nov 24 13:32:45 openvpn[38615]: SCHEDULE: schedule_find_least NULL
Nov 24 13:32:45 openvpn[38615]: I/O WAIT status=0x0080
Nov 24 13:32:45 openvpn[38615]: event_wait returned 1
Nov 24 13:32:45 openvpn[38615]: PO_WAIT[2,0] fd=9 rev=0x00000004 rwflags=0x0002 arg=0x32df844e3f8
Nov 24 13:32:45 openvpn[38615]: I/O WAIT TR|Tw|SR|Sw [10/0]
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0002 ev=9 arg=0x32df844e3f8
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=7 arg=0x32df844e3f4
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=8 arg=0x32df8e9f2b0
Nov 24 13:32:45 openvpn[38615]: SCHEDULE: schedule_find_least NULL
Nov 24 13:32:45 openvpn[38615]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Nov 24 13:32:45 openvpn[38615]: MULTI: REAP range 32 -> 48
Nov 24 13:32:45 openvpn[38615]: I/O WAIT status=0x0040
Nov 24 13:32:45 openvpn[38615]: event_wait returned 1
Nov 24 13:32:45 openvpn[38615]: PO_WAIT[2,0] fd=6 rev=0x00000001 rwflags=0x0001 arg=0x32df844e3f8
Could someone give us a hint about this? Do you know whether it is possible to use two different intermediates, one for the client certificates and one for the server certificate?
Thanks a lot in advance.
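Added example (not part of the original post, nor SwissSign or OpenVPN code): a throwaway PKI shaped like the diagram above (one root, a Server CA and a Client CA), used to check which CA bundle lets a verifier build each leaf's chain. OpenVPN's `ca` option is the bundle each side uses to verify the peer's certificate, and the posted server config comments that its bundle holds only the root and the Server intermediate, which is the `ca_root_server.pem` case below. Assumes `openssl` (1.1.1 or 3.x) on PATH; all names and subjects are constructed.

```shell
#!/bin/sh
# Added example: build a two-intermediate PKI and test chain building with
# openssl verify. Every name here is constructed for the demo.
set -e
W=$(mktemp -d); cd "$W"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > server.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext

# issue NAME SUBJECT ISSUER EXTFILE: make a key and CSR, then sign it with ISSUER.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -out "$1.crt" -days 2 -extfile "$4" 2>/dev/null
}

# Self-signed root standing in for "SwissSign Root CA".
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj /CN=Demo-Root-CA 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 2 \
  -extfile ca.ext 2>/dev/null
issue server-ca Demo-Server-CA root ca.ext        # intermediate that issues server certs
issue client-ca Demo-Client-CA root ca.ext        # intermediate that issues client certs
issue vpn vpn.example.test server-ca server.ext   # the VPN server's certificate
issue myuser myuser client-ca client.ext          # one client certificate

# Bundles of the kind a peer loads with OpenVPN's `ca` option.
cat root.crt server-ca.crt > ca_root_server.pem          # root + Server CA only
cat root.crt server-ca.crt client-ca.crt > ca_full.pem   # root + both intermediates

# chain_ok LEAF BUNDLE: exit 0 if a chain from LEAF to a CA in BUNDLE can be built.
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# The server cert verifies against the smaller bundle, the client cert does not:
# the verifier cannot find the Client CA, so a server shipping only root + Server CA
# rejects every client certificate issued under the Client CA.
for pair in "vpn.crt ca_root_server.pem" "myuser.crt ca_root_server.pem" \
            "myuser.crt ca_full.pem"; do
  set -- $pair
  if chain_ok "$1" "$2"; then echo "OK    $1 against $2"; else echo "FAIL  $1 against $2"; fi
done
```

The same check can be repeated against the real bundle by pointing `chain_ok` at a client certificate and the file configured as `ca` on the server.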