• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 644
  • Last Modified:

Need help configuring OpenVPN server

Ubuntu Server V11

I am trying to replace an older Cisco VPN concentrator that has become unreliable with an OpenVPN server. I have installed it and am in the process of configuring it. The Ubuntu server is behind our firewall and I have an internal IP address assigned to it. Because it is already on our LAN, do I need a bridge interface to make OpenVPN work properly? I am following these tutorials.

https://help.ubuntu.com/10.10/serverguide/C/openvpn.html
and for the active directory piece I am referring to this article
http://craig.backfire.ca/pages/computers/openvpn-ad-auth
0
Asked: J C
1 Solution
 
ArneLovius Commented:
you need to use NAT/PAT with suitable ACLs to only allow OpenVPN traffic to reach the OpenVPN server

I would always use OpenVPN in routed rather than bridged mode
0
 
J C (Author) Commented:
I have the pinholes created and can reach the vpn server from the outside. Here is the error I receive when I try to connect.

Sat Oct 08 21:24:03 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Oct 08 21:24:03 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Oct 08 21:24:03 2011 LZO compression initialized
Sat Oct 08 21:24:03 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Oct 08 21:24:03 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Oct 08 21:24:03 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Oct 08 21:24:03 2011 Local Options hash (VER=V4): '41690919'
Sat Oct 08 21:24:03 2011 Expected Remote Options hash (VER=V4): '530fdded'
Sat Oct 08 21:24:03 2011 UDPv4 link local: [undef]
Sat Oct 08 21:24:03 2011 UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Sat Oct 08 21:24:03 2011 TLS: Initial packet from xxx.xxx.xxx.xxx:1194, sid=8cf3a863 6a99b963
Sat Oct 08 21:24:03 2011 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=US/ST=CA/L=Fresno/O=FPU/CN=server/emailAddress=john@mydomain.local
Sat Oct 08 21:24:03 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Oct 08 21:24:03 2011 TLS Error: TLS object -> incoming plaintext read error
Sat Oct 08 21:24:03 2011 TLS Error: TLS handshake failed
Sat Oct 08 21:24:03 2011 TCP/UDP: Closing socket
Sat Oct 08 21:24:03 2011 SIGUSR1[soft,tls-error] received, process restarting
Sat Oct 08 21:24:03 2011 Restart pause, 2 second(s)
Sat Oct 08 21:24:05 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Oct 08 21:24:05 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Oct 08 21:24:05 2011 LZO compression initialized
Sat Oct 08 21:24:05 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Oct 08 21:24:05 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Oct 08 21:24:05 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Oct 08 21:24:05 2011 Local Options hash (VER=V4): '41690919'
Sat Oct 08 21:24:05 2011 Expected Remote Options hash (VER=V4): '530fdded'
Sat Oct 08 21:24:05 2011 UDPv4 link local: [undef]
Sat Oct 08 21:24:05 2011 UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Sat Oct 08 21:24:05 2011 TCP/UDP: Closing socket
Sat Oct 08 21:24:05 2011 SIGTERM[hard,] received, process exiting

I am trying to configure OpenVPN to allow users to authenticate with their AD credentials.
0
 
simonlimonCommented:
Does the time match on both machines? Including timezones?
0
 
J C (Author) Commented:
Yes
0
 
Qlemo (C++ Developer) Commented:
The message you receive pretty much looks like your server CA certificate is not properly generated, or does not fit the certificate used for the client.
0
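To make Qlemo's diagnosis checkable, here is an added example, not from this thread and not OpenVPN's own tooling: a POSIX shell script that builds a throw-away CA, a server certificate it signed, a client-only certificate from the same CA, and a second unrelated CA standing in for a wrong ca.crt on the client. It then runs the checks the OpenVPN client performs. Verifying the server certificate against the wrong CA reproduces the "unable to get local issuer certificate" error from the log above, and the `-purpose sslserver` check is what `remote-cert-tls server` adds, which is the method the client log's "No server certificate verification method has been enabled" warning says is missing. All subject names, file names and temp paths are constructed for the example; it needs only `openssl`.

```shell
#!/bin/sh
# Added example, not from the thread or from the OpenVPN project.
# Reproduces the client-side certificate failures with throw-away keys.
# All names and files below are constructed; only openssl is required.

# Build: CA -> server cert (EKU serverAuth), CA -> client cert (EKU clientAuth),
# and a second, unrelated CA standing in for a wrong ca.crt on the client.
# Prints the temp directory holding the files.
make_pki() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example VPN CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$dir/other.key" -out "$dir/other.crt" >/dev/null 2>&1
  for role in server client; do
    if [ "$role" = server ]; then eku=serverAuth; else eku=clientAuth; fi
    printf 'extendedKeyUsage=%s\n' "$eku" > "$dir/$role.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$role" \
      -keyout "$dir/$role.key" -out "$dir/$role.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/$role.csr" -CA "$dir/ca.crt" \
      -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/$role.ext" \
      -out "$dir/$role.crt" >/dev/null 2>&1
  done
  echo "$dir"
}

# What the client's "ca" option checks: does CA_FILE ($1) issue CERT_FILE ($2)?
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The reason openssl gives when the chain does not close; with the wrong CA
# this is "unable to get local issuer certificate", exactly as in the log.
chain_error() {
  openssl verify -CAfile "$1" "$2" 2>&1 \
    | grep -o 'unable to get local issuer certificate' | head -n 1
}

# What "remote-cert-tls server" adds on top of the CA check: the presented
# certificate must be usable as a TLS server, so a client certificate signed
# by the same CA is rejected instead of being accepted as the server.
server_purpose_ok() {
  openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

# Quick triage without a full verify: the CA's subject hash must equal the
# server certificate's issuer hash, otherwise the client simply has the
# wrong ca.crt for this server.
ca_issued() {
  [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
    "$(openssl x509 -noout -issuer_hash -in "$2")" ]
}

# Human-readable run of all checks; invoke as: sh this_script.sh demo
report() {
  pki=$(make_pki)
  for check in "chain_ok ca.crt server.crt" "chain_ok other.crt server.crt" \
               "server_purpose_ok ca.crt server.crt" "server_purpose_ok ca.crt client.crt"; do
    set -- $check
    if "$1" "$pki/$2" "$pki/$3"; then r=OK; else r="FAIL ($(chain_error "$pki/$2" "$pki/$3"))"; fi
    printf '%-18s %-10s %-11s %s\n' "$1" "$2" "$3" "$r"
  done
}

if [ "${1:-}" = demo ]; then report; fi
```

The two rows that fail in the demo are the two misconfigurations this thread's log can come from: a client ca.crt that did not issue the server certificate, and a certificate that the CA did sign but that is not a server certificate.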
 
J C (Author) Commented:
I switched gears and am attempting to use a radius plugin to authenticate our vpn users. The request is reaching the windows radius server. I am receiving an "access denied" error. It is telling me that there are no matching policies. The only policy I have created is one that says all users who are a member of the domain users group are granted access. The user I am authenticating with is a member of that group. There are no other policies. Here is what I am seeing in the event log.

User josh.cole was denied access.
 Fully-Qualified-User-Name = <undetermined>
 NAS-IP-Address = 172.16.0.71
 NAS-Identifier = OpenVpn
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = xxx.xxx.xxx.xxx
 Client-Friendly-Name = 172.16.0.71
 Client-IP-Address = 172.16.0.71
 NAS-Port-Type = Virtual
 NAS-Port = 1
 Proxy-Policy-Name = <none>
 Authentication-Provider = <undetermined>
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = <undetermined>
 EAP-Type = <undetermined>
 Reason-Code = 49
 Reason = The connection attempt did not match any connection request policy.
0
 
J C (Author) Commented:
I was able to get it working.
0
 
J C (Author) Commented:
I ended up building a different radius server and the same policy allowed authentication on it. I then had to enable ip forwarding which I had failed to do up to this point and everything started working.
0
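The two server-side settings this thread ends on, ArneLovius's advice to run OpenVPN in routed rather than bridged mode and J C's missing IP forwarding, can be checked before the first client connects. The following is an added example, not from the thread or the OpenVPN project: a POSIX shell pre-flight that reads the forwarding sysctl and the server config. The default paths are the usual Linux ones; the config file name and the sample files in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from the OpenVPN project.
# Pre-flight checks for a routed-mode OpenVPN server on Linux.

# Return 0 when net.ipv4.ip_forward is on. Reads the live kernel value by
# default; a file path may be passed to check a saved or test value.
# Without forwarding the tunnel comes up but no client packet reaches the LAN.
ip_forward_enabled() {
  f=${1:-/proc/sys/net/ipv4/ip_forward}
  [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# Return 0 when the server config selects routed mode ("dev tun" or "dev tunN")
# rather than bridged mode ("dev tap"). Comment lines (# or ;) are ignored.
routed_mode() {
  grep -Ev '^[[:space:]]*[#;]' "$1" \
    | grep -Eq '^[[:space:]]*dev[[:space:]]+tun[0-9]*[[:space:]]*$'
}

# Return 0 when the config uses a tap device, i.e. bridged mode, which then
# needs a bridge interface on the server that routed mode does not.
bridged_mode() {
  grep -Ev '^[[:space:]]*[#;]' "$1" \
    | grep -Eq '^[[:space:]]*dev[[:space:]]+tap[0-9]*[[:space:]]*$'
}

# Print one line per check and return the number of failed checks.
# $1: server config (default constructed path), $2: ip_forward file (optional).
preflight() {
  conf=${1:-/etc/openvpn/server.conf}
  fails=0
  if ip_forward_enabled "${2:-}"; then echo "ip_forward: on"
  else echo "ip_forward: OFF (sysctl -w net.ipv4.ip_forward=1)"; fails=$((fails + 1)); fi
  if routed_mode "$conf"; then echo "mode: routed (dev tun)"
  elif bridged_mode "$conf"; then echo "mode: bridged (dev tap), bridge interface required"; fails=$((fails + 1))
  else echo "mode: no dev line found in $conf"; fails=$((fails + 1)); fi
  return "$fails"
}

if [ "${1:-}" = demo ]; then preflight "${2:-}" "${3:-}"; fi
```

Run as `sh preflight.sh demo /etc/openvpn/server.conf` on the server; a non-zero exit means at least one of the two prerequisites is missing.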
 
J C (Author) Commented:
I didn't receive any feedback that helped me resolve the problem. I eventually found the solution for myself and made sure to post it here.
0
