Question from J C (United States):
Need help configuring OpenVPN server

Ubuntu Server V11

I am trying to replace an older Cisco VPN concentrator that has become unreliable with an OpenVPN server. I have installed it and am in the process of configuring it. The Ubuntu server is behind our firewall and I have an internal IP address assigned to it. Because it is already on our LAN, do I need a bridge interface to make OpenVPN work properly? I am following these tutorials.

https://help.ubuntu.com/10.10/serverguide/C/openvpn.html
and for the active directory piece I am referring to this article
http://craig.backfire.ca/pages/computers/openvpn-ad-auth
ArneLovius (United Kingdom):

you need to use NAT/PAT with suitable ACLs to only allow OpenVPN traffic to reach the OpenVPN server

I would always use OpenVPN in routed rather than bridged mode
J C (asker):
I have the pinholes created and can reach the vpn server from the outside. Here is the error I receive when I try to connect.

Sat Oct 08 21:24:03 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Oct 08 21:24:03 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Oct 08 21:24:03 2011 LZO compression initialized
Sat Oct 08 21:24:03 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Oct 08 21:24:03 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Oct 08 21:24:03 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Oct 08 21:24:03 2011 Local Options hash (VER=V4): '41690919'
Sat Oct 08 21:24:03 2011 Expected Remote Options hash (VER=V4): '530fdded'
Sat Oct 08 21:24:03 2011 UDPv4 link local: [undef]
Sat Oct 08 21:24:03 2011 UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Sat Oct 08 21:24:03 2011 TLS: Initial packet from xxx.xxx.xxx.xxx:1194, sid=8cf3a863 6a99b963
Sat Oct 08 21:24:03 2011 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=US/ST=CA/L=Fresno/O=FPU/CN=server/emailAddress=john@mydomain.local
Sat Oct 08 21:24:03 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Oct 08 21:24:03 2011 TLS Error: TLS object -> incoming plaintext read error
Sat Oct 08 21:24:03 2011 TLS Error: TLS handshake failed
Sat Oct 08 21:24:03 2011 TCP/UDP: Closing socket
Sat Oct 08 21:24:03 2011 SIGUSR1[soft,tls-error] received, process restarting
Sat Oct 08 21:24:03 2011 Restart pause, 2 second(s)
Sat Oct 08 21:24:05 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Oct 08 21:24:05 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Oct 08 21:24:05 2011 LZO compression initialized
Sat Oct 08 21:24:05 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Oct 08 21:24:05 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Oct 08 21:24:05 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Oct 08 21:24:05 2011 Local Options hash (VER=V4): '41690919'
Sat Oct 08 21:24:05 2011 Expected Remote Options hash (VER=V4): '530fdded'
Sat Oct 08 21:24:05 2011 UDPv4 link local: [undef]
Sat Oct 08 21:24:05 2011 UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Sat Oct 08 21:24:05 2011 TCP/UDP: Closing socket
Sat Oct 08 21:24:05 2011 SIGTERM[hard,] received, process exiting

I am trying to configure OpenVPN to allow users to authenticate with their AD credentials.
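The decisive line in that log is `VERIFY ERROR: depth=0, error=unable to get local issuer certificate`: the client received the server's certificate (CN=server) but the file named by `ca` in the client config is not the CA that signed it, so the TLS handshake is refused. The earlier `WARNING: No server certificate verification method has been enabled` is a separate, weaker issue (the client is not checking that the peer certificate is a server certificate; `remote-cert-tls server` in the client config enables that check, and it requires the server certificate to carry the serverAuth extended key usage). The script below is an added example, not from this thread or the linked tutorials: it reproduces both conditions offline with throwaway keys, using only the `openssl` command line (assumed installed); the CA names `right-ca` and `wrong-ca` and the working directory are invented for the demonstration.

```shell
#!/bin/sh
# Added example: reproduce "unable to get local issuer certificate" offline and
# show the check that passes once the client's ca.crt really is the issuer of
# server.crt. Assumes the openssl CLI is on PATH; all names are throwaway.
set -eu

WORK=$(mktemp -d)

# make_ca DIR NAME: self-signed CA, writes DIR/NAME.key and DIR/NAME.crt
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/$2.key" -out "$1/$2.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# make_server_cert DIR CANAME: server.crt signed by DIR/CANAME, with the
# serverAuth EKU that "remote-cert-tls server" looks for on the client side
make_server_cert() {
  printf 'extendedKeyUsage=serverAuth\n' > "$1/ext.cnf"
  openssl req -newkey rsa:2048 -nodes -keyout "$1/server.key" \
    -out "$1/server.csr" -subj "/CN=server" >/dev/null 2>&1
  openssl x509 -req -in "$1/server.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -extfile "$1/ext.cnf" \
    -out "$1/server.crt" >/dev/null 2>&1
}

# verify_chain CAFILE CERT: prints "ok" or "fail". This is the same chain
# build the OpenVPN client performs at depth=0 against its "ca" file, plus
# the server-purpose check, so a "fail" here predicts the VERIFY ERROR.
verify_chain() {
  if openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_ca "$WORK" right-ca
make_ca "$WORK" wrong-ca
make_server_cert "$WORK" right-ca

echo "server.crt against the CA that signed it: $(verify_chain "$WORK/right-ca.crt" "$WORK/server.crt")"
echo "server.crt against an unrelated CA:       $(verify_chain "$WORK/wrong-ca.crt" "$WORK/server.crt")"

# Show openssl's own wording for the failing case; it matches the client log.
openssl verify -CAfile "$WORK/wrong-ca.crt" "$WORK/server.crt" 2>&1 || true

rm -rf "$WORK"
```

To apply it to a real deployment, run `verify_chain` with the `ca` file from the client config and the `cert` file from the server config; if that prints `fail`, the client was given a CA file from a different PKI (a common outcome when easy-rsa is re-initialised, which regenerates the CA) and the fix is to distribute the current CA certificate, not to relax verification on the client.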
Does the time match on both machines? Including timezones?
J C (asker):
Yes
The message you receive pretty much looks like your server CA certificate is not properly generated, or does not fit the certificate used for the client.
J C (asker):
I switched gears and am attempting to use a RADIUS plugin to authenticate our VPN users. The request is reaching the Windows RADIUS server. I am receiving an "access denied" error. It is telling me that there are no matching policies. The only policy I have created is one that says all users who are a member of the Domain Users group are granted access. The user I am authenticating with is a member of that group. There are no other policies. Here is what I am seeing in the event log.

User josh.cole was denied access.
 Fully-Qualified-User-Name = <undetermined>
 NAS-IP-Address = 172.16.0.71
 NAS-Identifier = OpenVpn
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = xxx.xxx.xxx.xxx
 Client-Friendly-Name = 172.16.0.71
 Client-IP-Address = 172.16.0.71
 NAS-Port-Type = Virtual
 NAS-Port = 1
 Proxy-Policy-Name = <none>
 Authentication-Provider = <undetermined>
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = <undetermined>
 EAP-Type = <undetermined>
 Reason-Code = 49
 Reason = The connection attempt did not match any connection request policy.
J C (asker):
I was able to get it working.
ASKER CERTIFIED SOLUTION (J C)
J C (asker):
I didn't receive any feedback that helped me resolve the problem. I eventually found the solution for myself and made sure to post it here.