Need help configuring OpenVPN server

Ubuntu Server V11

I am trying to replace an older Cisco VPN concentrator that has become unreliable with an OpenVPN server. I have installed it and am in the process of configuring it. The Ubuntu server is behind our firewall and I have an internal IP address assigned to it. Because it is already on our LAN, do I need a bridge interface to make OpenVPN work properly? I am following these tutorials:

https://help.ubuntu.com/10.10/serverguide/C/openvpn.html
For the Active Directory piece I am referring to this article:
http://craig.backfire.ca/pages/computers/openvpn-ad-auth
J C asked:

ArneLovius commented:
You need to use NAT/PAT with suitable ACLs to only allow OpenVPN traffic to reach the OpenVPN server.

I would always use OpenVPN in routed rather than bridged mode.
0
J C (Author) commented:
I have the pinholes created and can reach the VPN server from the outside. Here is the error I receive when I try to connect.

Sat Oct 08 21:24:03 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Oct 08 21:24:03 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Oct 08 21:24:03 2011 LZO compression initialized
Sat Oct 08 21:24:03 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Oct 08 21:24:03 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Oct 08 21:24:03 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Oct 08 21:24:03 2011 Local Options hash (VER=V4): '41690919'
Sat Oct 08 21:24:03 2011 Expected Remote Options hash (VER=V4): '530fdded'
Sat Oct 08 21:24:03 2011 UDPv4 link local: [undef]
Sat Oct 08 21:24:03 2011 UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Sat Oct 08 21:24:03 2011 TLS: Initial packet from xxx.xxx.xxx.xxx:1194, sid=8cf3a863 6a99b963
Sat Oct 08 21:24:03 2011 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=US/ST=CA/L=Fresno/O=FPU/CN=server/emailAddress=john@mydomain.local
Sat Oct 08 21:24:03 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Oct 08 21:24:03 2011 TLS Error: TLS object -> incoming plaintext read error
Sat Oct 08 21:24:03 2011 TLS Error: TLS handshake failed
Sat Oct 08 21:24:03 2011 TCP/UDP: Closing socket
Sat Oct 08 21:24:03 2011 SIGUSR1[soft,tls-error] received, process restarting
Sat Oct 08 21:24:03 2011 Restart pause, 2 second(s)
Sat Oct 08 21:24:05 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Oct 08 21:24:05 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Oct 08 21:24:05 2011 LZO compression initialized
Sat Oct 08 21:24:05 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Oct 08 21:24:05 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Oct 08 21:24:05 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Oct 08 21:24:05 2011 Local Options hash (VER=V4): '41690919'
Sat Oct 08 21:24:05 2011 Expected Remote Options hash (VER=V4): '530fdded'
Sat Oct 08 21:24:05 2011 UDPv4 link local: [undef]
Sat Oct 08 21:24:05 2011 UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Sat Oct 08 21:24:05 2011 TCP/UDP: Closing socket
Sat Oct 08 21:24:05 2011 SIGTERM[hard,] received, process exiting

I am trying to configure OpenVPN to allow users to authenticate with their AD credentials.
0
simonlimon commented:
Does the time match on both machines? Including timezones?
0

J C (Author) commented:
Yes
0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
The message you receive pretty much looks like your server CA certificate is not properly generated, or does not fit the certificate used for the client.
0
J C (Author) commented:
I switched gears and am attempting to use a RADIUS plugin to authenticate our VPN users. The request is reaching the Windows RADIUS server. I am receiving an "access denied" error. It is telling me that there are no matching policies. The only policy I have created is one that says all users who are a member of the Domain Users group are granted access. The user I am authenticating with is a member of that group. There are no other policies. Here is what I am seeing in the event log.

User josh.cole was denied access.
 Fully-Qualified-User-Name = <undetermined>
 NAS-IP-Address = 172.16.0.71
 NAS-Identifier = OpenVpn
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = xxx.xxx.xxx.xxx
 Client-Friendly-Name = 172.16.0.71
 Client-IP-Address = 172.16.0.71
 NAS-Port-Type = Virtual
 NAS-Port = 1
 Proxy-Policy-Name = <none>
 Authentication-Provider = <undetermined>
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = <undetermined>
 EAP-Type = <undetermined>
 Reason-Code = 49
 Reason = The connection attempt did not match any connection request policy.
0
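Two diagnostics in this thread are worth triaging mechanically: the client log above (VERIFY ERROR plus the "No server certificate verification method" warning) and the NPS denial event just posted. The following script is an added example, not code from the thread or from the OpenVPN or Windows NPS projects. It scans OpenVPN client log lines for the two certificate conditions and explains them from a defender's point of view (the warning means the client would accept any CA-signed certificate as the server, which `remote-cert-tls server` in the client config fixes; the VERIFY ERROR means the presented certificate does not chain to the CA file this side trusts), and it parses the NPS event text into attributes and maps Reason-Code 49 to the page's own meaning: no connection request policy matched, so the network policy granting Domain Users was never evaluated. The sample inputs are trimmed copies of what the thread shows, embedded inline so the script runs offline; the `Finding` class, function names and the advice strings are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: a trimmed copy of the OpenVPN 2.1 client log posted
# in the thread (the server address was already redacted there).
OPENVPN_LOG = """\
Sat Oct 08 21:24:03 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Oct 08 21:24:03 2011 UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Sat Oct 08 21:24:03 2011 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=US/ST=CA/L=Fresno/O=FPU/CN=server/emailAddress=john@mydomain.local
Sat Oct 08 21:24:03 2011 TLS Error: TLS handshake failed
"""

# Constructed sample input: the Windows RADIUS (NPS) denial event from the thread, abridged.
NPS_EVENT = """\
User josh.cole was denied access.
 Fully-Qualified-User-Name = <undetermined>
 NAS-IP-Address = 172.16.0.71
 NAS-Identifier = OpenVpn
 NAS-Port-Type = Virtual
 Policy-Name = <undetermined>
 Reason-Code = 49
 Reason = The connection attempt did not match any connection request policy.
"""


@dataclass
class Finding:
    """One triage result for a single OpenVPN log line (hypothetical helper type)."""
    timestamp: str
    kind: str
    detail: str
    advice: str


# OpenVPN log lines start with a timestamp like "Sat Oct 08 21:24:03 2011 ".
_TS = re.compile(r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) (?P<msg>.*)$")
_NO_VERIFY = re.compile(r"WARNING: No server certificate verification method has been enabled")
_VERIFY_ERR = re.compile(r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<err>[^:]+): (?P<subject>.*)")


def triage_openvpn_log(text: str) -> list[Finding]:
    """Return a Finding for each certificate-related condition seen in the client log."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = _TS.match(line)
        if not m:
            continue  # not an OpenVPN log line
        ts, msg = m.group("ts"), m.group("msg")
        if _NO_VERIFY.search(msg):
            findings.append(Finding(ts, "no-server-verification", msg,
                "Client does not check that the peer is the server, so any CA-signed "
                "client cert could impersonate it; add 'remote-cert-tls server' to the "
                "client config (assumption: OpenVPN 2.1 or later)."))
        v = _VERIFY_ERR.search(msg)
        if v:
            findings.append(Finding(ts, "chain-verify-failed",
                f"depth={v['depth']} {v['err']} for {v['subject']}",
                "The presented certificate is not issued by the CA in this side's 'ca' "
                "file; client and server must use the same CA that signed both certs."))
    return findings


_NPS_USER = re.compile(r"^User (?P<user>\S+) was denied access\.")
_NPS_ATTR = re.compile(r"^\s*(?P<key>[A-Za-z-]+) = (?P<val>.*)$")
_NPS_EMPTY = ("<undetermined>", "<none>", "<not present>")


def parse_nps_event(text: str) -> dict[str, Optional[str]]:
    """Parse the 'Key = Value' body of an NPS denial event; placeholders become None."""
    attrs: dict[str, Optional[str]] = {}
    for line in text.splitlines():
        u = _NPS_USER.match(line)
        if u:
            attrs["User"] = u["user"]
            continue
        a = _NPS_ATTR.match(line)
        if a:
            val = a["val"].strip()
            attrs[a["key"]] = None if val in _NPS_EMPTY else val
    return attrs


def explain_nps_denial(attrs: dict[str, Optional[str]]) -> str:
    """Map the Reason-Code to what the event means for policy troubleshooting."""
    code = attrs.get("Reason-Code")
    if code == "49":
        # Connection request policies are evaluated before network policies, so a
        # reason 49 denial never reached the policy that grants Domain Users.
        client = attrs.get("Client-IP-Address") or attrs.get("NAS-IP-Address")
        return (f"reason 49: no connection request policy matched, so the network policy was "
                f"never evaluated; check the connection request policy conditions (e.g. "
                f"NAS-Port-Type={attrs.get('NAS-Port-Type')}) and the RADIUS client entry for {client}.")
    return f"reason {code}: {attrs.get('Reason')}"


if __name__ == "__main__":
    for f in triage_openvpn_log(OPENVPN_LOG):
        print(f"{f.timestamp} [{f.kind}] {f.detail}\n    -> {f.advice}")
    attrs = parse_nps_event(NPS_EVENT)
    print(f"{attrs['User']}: {explain_nps_denial(attrs)}")
```

Run it as-is to see both triage results; to apply it to your own logs, replace the two embedded samples with the text of your client log and the event body copied from the Windows event viewer.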
J C (Author) commented:
I was able to get it working.
0
J C (Author) commented:
I ended up building a different RADIUS server and the same policy allowed authentication on it. I then had to enable IP forwarding, which I had failed to do up to this point, and everything started working.
0

J C (Author) commented:
I didn't receive any feedback that helped me resolve the problem. I eventually found the solution for myself and made sure to post it here.
0
Question has a verified solution.