Solved

OpenVPN

Posted on 2013-12-17
Last Modified: 2014-02-10
Trying to set up an OpenVPN server that will authenticate users against Active Directory.
I currently have it running using client/server certificates and all is good. When I add the appropriate settings for user authentication I can't connect.
I'm using IPFIRE 3.2.48-ipfire-pae. Not sure what flavor of Linux it's built around. Website is ipfire.org.


Server.conf ->
#OpenVPN Server conf

daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare OpenVPN for listening on blue and orange
;local 24.242.180.212
dev tun
proto udp
port 1194
script-security 3 system
ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600
client-config-dir /var/ipfire/ovpn/ccd
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem
server 10.46.108.0 255.255.255.0
tun-mtu 1500
push "route 192.168.3.0 255.255.255.0"
push "route 192.168.4.0 255.255.255.0"
push "route 192.168.5.0 255.255.255.0"
push "route 192.168.6.0 255.255.255.0"
push "route 192.168.7.0 255.255.255.0"
push "route 192.168.8.0 255.255.255.0"
push "route 192.168.9.0 255.255.255.0"
push "route 192.168.10.0 255.255.255.0"
mtu-disc maybe
keepalive 10 60
status-version 1
status /var/log/ovpnserver.log 30
cipher AES-256-CBC
comp-lzo
push "redirect-gateway def1"
push "dhcp-option DOMAIN hoodview.fcu"
push "dhcp-option DNS 192.168.6.1"
max-clients 100
tls-verify /var/ipfire/ovpn/verify
crl-verify /var/ipfire/ovpn/crls/cacrl.pem
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
#client-cert-not-required
username-as-common-name
user nobody
group nobody
persist-key
persist-tun
verb 5

Client conf.->
#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1500
remote 24.242.180.212 1194
pkcs12 TPClient1.p12
cipher AES-256-CBC
comp-lzo
verb 3
ns-cert-type server
tls-remote rrcs-24-242-180-212.sw.biz.rr.com
route-method exe
route-delay 2
#mtu-disc maybe

Other information from the Web Gui setup->
Base DN; CN=Users,DC=hoodview,DC=fcu
LDAP type: Active Directory
Port: 389
LDAP Server: (IP of Active directory server)
Bind DN username: CN=ipldap,DC=hoodview,DC=fcu
Bind DN password: (correct password)

Log from server->
13:21:08 openvpnserver[24720]: MULTI: multi_create_instance called
13:21:08 openvpnserver[24720]: 166.161.51.82:57552 Re-using SSL/TLS context
13:21:08 openvpnserver[24720]: 166.161.51.82:57552 LZO compression initialized
13:21:08 openvpnserver[24720]: 166.161.51.82:57552 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
13:21:08 openvpnserver[24720]: 166.161.51.82:57552 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
13:21:08 openvpnserver[24720]: 166.161.51.82:57552 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
13:21:08 openvpnserver[24720]: 166.161.51.82:57552 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
13:21:08 openvpnserver[24720]: 166.161.51.82:57552 Local Options hash (VER=V4): 'a8f55717'
13:21:08 openvpnserver[24720]: 166.161.51.82:57552 Expected Remote Options hash (VER=V4): '22188c5b'
13:21:08 openvpnserver[24720]: 166.161.51.82:57552 TLS: Initial packet from 166.161.51.82:57552, sid=9663f7bf e051062c
13:21:15 openvpnserver[24720]: 166.161.51.82:57552 VERIFY SCRIPT OK: depth=1, /C=US/O=Texas_Partners_FCU/CN=Texas_Partners_FCU_CA
13:21:15 openvpnserver[24720]: 166.161.51.82:57552 CRL CHECK OK: /C=US/O=Texas_Partners_FCU/CN=Texas_Partners_FCU_CA
13:21:15 openvpnserver[24720]: 166.161.51.82:57552 VERIFY OK: depth=1, /C=US/O=Texas_Partners_FCU/CN=Texas_Partners_FCU_CA
13:21:16 openvpnserver[24720]: 166.161.51.82:57552 VERIFY SCRIPT OK: depth=0, /C=US/ST=Texas/O=Texas_Partners_FCU/OU=IT-Dept/CN=TPClient1
13:21:16 openvpnserver[24720]: 166.161.51.82:57552 CRL CHECK OK: /C=US/ST=Texas/O=Texas_Partners_FCU/OU=IT-Dept/CN=TPClient1
13:21:16 openvpnserver[24720]: 166.161.51.82:57552 VERIFY OK: depth=0, /C=US/ST=Texas/O=Texas_Partners_FCU/OU=IT-Dept/CN=TPClient1
13:21:16 openvpnserver[24720]: 166.161.51.82:57552 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
13:21:16 openvpnserver[24720]: 166.161.51.82:57552 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
13:21:16 openvpnserver[24720]: 166.161.51.82:57552 TLS Auth Error: Auth Username/Password verification failed for peer
13:21:16 openvpnserver[24720]: 166.161.51.82:57552 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
13:21:16 openvpnserver[24720]: 166.161.51.82:57552 [TPClient1] Peer Connection Initiated with 166.161.51.82:57552
13:21:18 openvpnserver[24720]: 166.161.51.82:57552 PUSH: Received control message: 'PUSH_REQUEST'
13:21:18 openvpnserver[24720]: 166.161.51.82:57552 Delayed exit in 5 seconds
13:21:18 openvpnserver[24720]: 166.161.51.82:57552 SENT CONTROL [TPClient1]: 'AUTH_FAILED' (status=1)
13:21:23 openvpnserver[24720]: 166.161.51.82:57552 SIGTERM[soft,delayed-exit] received, client-instance exiting

I'm really at my wits end on this.

Thanks in advance.
0
Comment
Question by:RichardPWolf
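Added example (not from the question, IPFire or OpenVPN itself): a small Python parser for a verb-5 server log like the one above. It groups lines by client endpoint and reports which stage rejected the client. Read against the log in the question, the certificate chain passes ("VERIFY OK: depth=0 ... CN=TPClient1") and it is the openvpn-auth-pam plugin that returns status=1, so the rejection comes from the username/password stage (the PAM service "login" named on the plugin line), not from the certificate check. "Peer Connection Initiated" appears even in the failing session, so the parser does not treat it as a success marker. The sample lines, addresses, PID and session ids below are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modeled on the verb-5 server log in the question above.
# Addresses, PID and session ids are made up; the second session shows a client
# that passed both the certificate and the username/password stage.
SAMPLE_LOG = """\
13:21:08 openvpnserver[24720]: 203.0.113.5:50000 TLS: Initial packet from 203.0.113.5:50000, sid=01234567 89abcdef
13:21:16 openvpnserver[24720]: 203.0.113.5:50000 VERIFY OK: depth=0, /C=US/O=Example/OU=IT-Dept/CN=TPClient1
13:21:16 openvpnserver[24720]: 203.0.113.5:50000 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
13:21:16 openvpnserver[24720]: 203.0.113.5:50000 TLS Auth Error: Auth Username/Password verification failed for peer
13:21:16 openvpnserver[24720]: 203.0.113.5:50000 [TPClient1] Peer Connection Initiated with 203.0.113.5:50000
13:21:18 openvpnserver[24720]: 203.0.113.5:50000 SENT CONTROL [TPClient1]: 'AUTH_FAILED' (status=1)
13:25:02 openvpnserver[24720]: 198.51.100.9:41000 TLS: Initial packet from 198.51.100.9:41000, sid=fedcba98 76543210
13:25:03 openvpnserver[24720]: 198.51.100.9:41000 VERIFY OK: depth=0, /C=US/O=Example/OU=IT-Dept/CN=TPClient2
13:25:03 openvpnserver[24720]: 198.51.100.9:41000 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
13:25:03 openvpnserver[24720]: 198.51.100.9:41000 [TPClient2] Peer Connection Initiated with 198.51.100.9:41000
"""

# "HH:MM:SS daemon[pid]: ip:port message" -- lines without a peer prefix
# (MULTI:, PUSH:) are skipped.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+\S+\[\d+\]:\s+"
    r"(?P<peer>\d+\.\d+\.\d+\.\d+:\d+)\s+(?P<msg>.*)$")
VERIFY_RE = re.compile(r"^VERIFY OK: depth=0, .*/CN=(?P<cn>[^/]+)$")
PLUGIN_RE = re.compile(r"PLUGIN_AUTH_USER_PASS_VERIFY status=(?P<status>\d+)")


def new_session():
    return {"cert_cn": None, "cert_failed": False,
            "plugin_status": None, "auth_failed": False}


def parse_log(text):
    """Group log lines by client endpoint and record what each stage reported."""
    sessions = defaultdict(new_session)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s, msg = sessions[m.group("peer")], m.group("msg")
        v = VERIFY_RE.match(msg)
        if v:
            s["cert_cn"] = v.group("cn")           # leaf certificate accepted
        elif msg.startswith(("VERIFY ERROR", "VERIFY SCRIPT ERROR", "CRL CHECK FAILED")):
            s["cert_failed"] = True                # standard OpenVPN verify-failure messages
        p = PLUGIN_RE.search(msg)
        if p:
            s["plugin_status"] = int(p.group("status"))  # 0 = plugin accepted the user
        if "'AUTH_FAILED'" in msg:
            s["auth_failed"] = True
    return dict(sessions)


def diagnose(s):
    """Name the stage that rejected the client (or OK / INCOMPLETE)."""
    if s["cert_failed"]:
        return "CERT_REJECTED"
    if s["cert_cn"] is None or s["plugin_status"] is None:
        return "INCOMPLETE"
    if s["plugin_status"] != 0 or s["auth_failed"]:
        return "PAM_REJECTED"   # certificate OK, openvpn-auth-pam said no
    return "OK"


def failures_by_source(sessions):
    """Rejected sessions per source IP: a simple misconfiguration / brute-force signal."""
    return Counter(peer.rsplit(":", 1)[0] for peer, s in sessions.items()
                   if diagnose(s) in ("CERT_REJECTED", "PAM_REJECTED"))


if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    for peer, s in sessions.items():
        print(peer, s["cert_cn"], diagnose(s))
    print(dict(failures_by_source(sessions)))
```

Run it against the real file with `parse_log(open("/var/log/messages").read())` (or wherever IPFire writes the openvpnserver lines); a run of PAM_REJECTED for every user while the certificate stage keeps passing points at the PAM service or its LDAP backend rather than at the OpenVPN configuration.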
23 Comments
 
LVL 32

Expert Comment

by:nappy_d
ID: 39726699
Are you sure the Canonical name is correct that points to the OU where your users reside?

Did you also set as seen in the screenshot?

screenshot1
0
 

Author Comment

by:RichardPWolf
ID: 39726772
OK, here is what I used for the LDAP. My screen is a little different than yours:

Is there a test I can perform that would validate a user logon request via the cli? i.e. "root-Prompt> validate user xxxx password yyy" against the ldap server?

Another thing where can I go behind the scenes to verify the settings that are put in the WUI?
What I'm most interested in is to verify that ldap is trying to pull the correct attribute.

Thanks.
screen.docx
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 39726945
You can try this app to see if it works http://www.ldapbrowser.com/download.htm
0
 

Author Comment

by:RichardPWolf
ID: 39726974
I already use that. What I'm looking for is a way from the cli of the openvpn server to verify connectivity to the AD server.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 39728367
Well, I am not familiar with the appliance you are using. At the same time, it looks as though you have a required field that you're missing information for.

missing field
If you're using LDAPBrowser, then you should also be able to test your credentials.  If you want to see if credentials work, create a "Profile" for the LDAP server, and then enter the credentials during Step 3 of the creation process.

With my OpenVPN appliance, I have a log file and if my bind account fails for lookups, an error such as the following is generated:

LDAP invalid credentials on ldap://172.16.0.6/: {'info': '80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772', 'desc': 'Invalid credentials'} (facility='admin_bind to [CN=OpenVPN,OU=VPNUsers,DC=myDomain,DC=net,DC=private]')



When I am successful in connecting to my DC for authentication and the user doesn't exist, I get this error generated in my logs:

 LDAP exception on ldap://172.16.0.6/ (facility='search ('OU=VPNUsers,DC=myDomain,DC=net,DC=private', 2, '(sAMAccountName=test)')'): user not found: auth/authldap:128,python2.6/threading:504,python2.6/threading:532,python2.6/threading:484,python/threadpool:210,python/context:59,python/context:37,auth/authldap:93,auth/authldap:128,util/error:60,util/error:43


When I am successful in connecting to my DC for authentication and an account fails with an invalid password, I get this error generated in my logs:

LDAP invalid credentials on ldap://172.16.0.6/: {'info': '80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772', 'desc': 'Invalid credentials'} (facility='user_bind on [CN=Finance POC,OU=VPNUsers,DC=myDomain,DC=net,DC=private] via search ('OU=VPNUsers,DC=myDomain,DC=net,DC=private', 2, '(sAMAccountName=finance)')')
0
 

Author Comment

by:RichardPWolf
ID: 39729438
Great let me look into what you've said. On the picture the red * means that the field is optional and I've created a group and tried it. I'm going to go through this with a fresh perspective and redo everything. One piece of information would help. In a standard LDAP configuration, "Where is the configuration file stored within Linux?" I want to verify what is seen on the GUI is what is in the configuration. I'm especially interested in the sAMAccountName attribute.

Thanks.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 39731056
The install path is here /usr/local/openvpn_as

Some config files are here /usr/local/openvpn_as/etc
0
 

Author Comment

by:RichardPWolf
ID: 39731963
Thanks, I wasn't able to work on it yesterday but will try to check things out today.
0
 

Author Comment

by:RichardPWolf
ID: 39732402
OK, finally got a chance to work on it. Here's the latest log from openvpn.
log.txt
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 39732491
I do not see any attempts against your Active Directory environment. Also it does not seem to show any type of communication towards Active Directory.

Are you sure that it is configured and functioning properly?

Can you test using LDAP browser and verify the password and username does work?
0
 

Author Comment

by:RichardPWolf
ID: 39732766
The credentials I'm using are the ones I use every day to log into my system. Ran the LDAP browser but not sure where to test the credentials; however, as I've said, it's the same username/password I use every day. Your first comment on not authenticating against the AD environment in my opinion is where my problem lies.

As I'm using TLS should I be using port 389 or 636 for LDAP?
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 39732823
I use port 389.

I mean if you are not even seeing any attempt to communicate with your AD server such as the errors I included a few posts ago, my inclination is to think that your appliance is not even making an attempt to connect to your AD box for authentication.
0
 

Author Comment

by:RichardPWolf
ID: 39732831
That's kind of what I'm thinking. I'd like to go into the cli and attempt to do a ldap query from it but I don't know if I can. There was a post on another board that basically had me do a DNS query and that works fine. The other thing "could" there be a setting on the web proxy page (further up on the screen) that's keeping me from connecting correctly?

Also using LDP (another ldap query tool) I can bind with the AD servers just fine using the domain account that I created specifically for this box.
0
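Added example, not part of the thread or of IPFire, for the question asked several times above (a way to validate a bind against the AD server from the command line of the VPN box, independent of the OpenVPN/PAM path), for the port 389 versus 636 question, and for the "data 525" / "data 52e" codes in nappy_d's log excerpts. It uses only the Python standard library, so it works on an appliance without ldapsearch or python-ldap: it encodes one LDAPv3 simple BindRequest by hand, sends it, decodes the BindResponse and translates the Active Directory sub-code in the diagnostic message. A simple bind on port 389 sends the password in the clear, so against a real DC use port 636 with use_tls=True (the script does this automatically for 636). The AD_BIND_DATA_CODES table holds the well-known AD sub-codes; the host, DN and password in the usage line are placeholders.

```python
import re
import socket
import ssl
import sys

# Well-known Active Directory sub-codes carried as "data NNN" in the bind
# diagnostic message (525 and 52e are the two that appear in nappy_d's logs).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def ber_len(n):
    """BER definite-form length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def build_bind_request(msg_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, bind_dn.encode())
               + tlv(0x80, password.encode()))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)


def build_bind_response(msg_id, result_code, diagnostic=""):
    """BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage }; offline self-test only."""
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x61, body))


def read_tlv(buf, pos):
    """Return (tag, value, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def message_complete(buf):
    """True once buf holds a whole outer SEQUENCE (so recv() can stop)."""
    if len(buf) < 2:
        return False
    first = buf[1]
    if first & 0x80:
        n = first & 0x7F
        if len(buf) < 2 + n:
            return False
        return len(buf) >= 2 + n + int.from_bytes(buf[2:2 + n], "big")
    return len(buf) >= 2 + first


def decode_bind_response(data):
    """Return (resultCode, diagnosticMessage); 0 means the bind succeeded, 49 invalidCredentials."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = read_tlv(msg, 0)
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, rc, pos = read_tlv(body, 0)
    _, _matched_dn, pos = read_tlv(body, pos)
    _, diag, _ = read_tlv(body, pos)
    return int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")


def explain_ad_bind_error(diagnostic):
    m = re.search(r"\bdata ([0-9a-f]+)\b", diagnostic)
    if not m:
        return "no AD data code in diagnostic"
    return AD_BIND_DATA_CODES.get(m.group(1), "unknown AD data code " + m.group(1))


def ldap_simple_bind(host, port, bind_dn, password, use_tls=False, timeout=5.0):
    """One simple bind; with use_tls the socket is wrapped for LDAPS (port 636)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(build_bind_request(1, bind_dn, password))
        data = b""
        while not message_complete(data):
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    finally:
        sock.close()
    return decode_bind_response(data)


if __name__ == "__main__":
    # usage: python3 ldapbind.py dc.example.test 636 "CN=ipldap,DC=example,DC=test" 'password'
    host, port, dn, pw = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    code, diag = ldap_simple_bind(host, port, dn, pw, use_tls=(port == 636))
    verdict = "success" if code == 0 else explain_ad_bind_error(diag)
    print("resultCode=%d (%s) diag=%r" % (code, verdict, diag))
```

Run it once with the bind account from the WUI and once with an ordinary user: resultCode 0 for both means the DC side is fine and the remaining problem sits between openvpn-auth-pam and its PAM service; a 49 with "data 525" means the DN does not exist (as in nappy_d's first excerpt), "data 52e" a wrong password (his third excerpt). With use_tls the certificate of the DC must chain to a CA in the system trust store, which is the same check an LDAPS-enabled PAM module would make.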
 

Author Comment

by:RichardPWolf
ID: 39748109
I'm back from vacation and I'll be starting to work on this again after the 1st.

If I can't get this resolved what are your thoughts on using the standard OpenVPN on OpenSUSE?
0
 
LVL 32

Accepted Solution

by:
nappy_d earned 500 total points
ID: 39748252
This should not be an issue as openSUSE has a doc on installation and usage.

I have not used it but here is a link to the instructions. CLICK HERE
0
 

Author Comment

by:RichardPWolf
ID: 39748265
Great, Thanks.

I'm not quite ready to give up on this installation but if I can't get the authentication working I don't see what else I can do.
0
 

Author Closing Comment

by:RichardPWolf
ID: 39813610
Appears my configuration is correct but nobody on any forum I've visited can help me solve this. I believe it's an issue within the Linux core of this release. As to other OpenVPN solutions... generally too expensive to implement. So we'll be looking for another solution. Too bad, as I really like how IPFIRE has done their overall package.

Thanks for your help.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 39813856
BTW, you should check out pfSense. They also have an implementation of OpenVPN that works.
0
 

Author Comment

by:RichardPWolf
ID: 39847092
Sorry for the delay. Yes, I have been trying to get that working. So far it hasn't worked for me.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 39848062
Interesting.  I use it and it works well. What issue are you having?
0
 

Author Comment

by:RichardPWolf
ID: 39848073
Mostly hardware. Haven't found a spare box around here that works. At this point it has been moved to the back burner as we're looking at some consolidation of services.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 39848130
OK. Try this out when you have some time. I would walk you through it but I think this has all the instructions you will need :)

https://www.blackvpn.com/support/pfsense-with-openvpn/
0
 

Author Comment

by:RichardPWolf
ID: 39848142
Thanks, will do.

Just tried link. Won't open.
0
