OpenVPN GUI 2.0 client keeps disconnecting right after conne


This topic contains 29 replies, has 0 voices, and was last updated by  DrmCa 2 years, 6 months ago.

Viewing 15 posts - 1 through 15 (of 31 total)
    #44531

    DrmCa
    Participant

    One of my users is trying to use OpenVPN to connect to my Zeroshell box and LAN. Their VPN connection establishes and I can see them connected in the clients list, but a few seconds later they disconnect.

    Here’s what they see in the log:

    Sat Apr 09 18:44:05 2016 OpenVPN 2.0_rc18 Win32-MinGW [SSL] [LZO] built on Mar 28 2005
    Sat Apr 09 18:44:24 2016 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Sat Apr 09 18:44:24 2016 Re-using SSL/TLS context
    Sat Apr 09 18:44:24 2016 LZO compression initialized
    Sat Apr 09 18:44:24 2016 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Sat Apr 09 18:44:24 2016 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:23 ET:32 EL:0 AF:3/1 ]
    Sat Apr 09 18:44:24 2016 Local Options hash (VER=V4): '31fdf004'
    Sat Apr 09 18:44:24 2016 Expected Remote Options hash (VER=V4): '3e6d1056'
    Sat Apr 09 18:44:24 2016 Attempting to establish TCP connection with 2**.***.***.**4:1194
    Sat Apr 09 18:44:24 2016 TCP connection established with 2**.***.***.**4:1194
    Sat Apr 09 18:44:24 2016 TCPv4_CLIENT link local: [undef]
    Sat Apr 09 18:44:24 2016 TCPv4_CLIENT link remote: 2**.***.***.**4:1194
    Sat Apr 09 18:44:25 2016 TLS: Initial packet from 2**.***.***.**4:1194, sid=af7e203b c6dd3070
    Sat Apr 09 18:44:27 2016 VERIFY OK: depth=1, /C=IT/O=Zeroshell.net/OU=Example/CN=ZeroShell_Example_CA/emailAddress=Fulvio.Ricciardi@zeroshell.net
    Sat Apr 09 18:44:27 2016 VERIFY ERROR: depth=0, error=certificate signature failure: /OU=Hosts/CN=router.earthlovesme.ca
    Sat Apr 09 18:44:27 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:04077077:rsa routines:RSA_verify:wrong signature length: error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Sat Apr 09 18:44:27 2016 TLS Error: TLS object -> incoming plaintext read error
    Sat Apr 09 18:44:27 2016 TLS Error: TLS handshake failed
    Sat Apr 09 18:44:27 2016 Fatal TLS error (check_tls_errors_co), restarting
    Sat Apr 09 18:44:27 2016 TCP/UDP: Closing socket
    Sat Apr 09 18:44:27 2016 SIGUSR1[soft,tls-error] received, process restarting
    Sat Apr 09 18:44:27 2016 Restart pause, 5 second(s)

    I downloaded the CA.pem file from the Zeroshell login page and emailed it as an attachment to the user; they copied the file to the OpenVPN client config directory and changed remote in the OVPN file to the external IP of the Zeroshell box.

    What are we doing wrong?

    Is the 2.0 client going to work? Or should we upgrade? I am not very confident that the OpenVPN site is what it should be – they redirect to some tunnelling application – is it still OpenVPN, or has their site been hijacked?

    #54069

    redfive
    Participant

    Are you sure that the certificates are the correct ones?

    Sat Apr 09 18:44:19 2016 VERIFY OK: depth=1, /C=IT/O=Zeroshell.net/OU=Example/CN=ZeroShell_Example_CA/emailAddress=Fulvio.Ricciardi@zeroshell.net
    Sat Apr 09 18:44:19 2016 VERIFY ERROR: depth=0, error=certificate signature failure: /OU=Hosts/CN=router.earthlovesme.ca
    Sat Apr 09 18:44:19 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:04077077:rsa routines:RSA_verify:wrong signature length: error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

    Cheers,
    jonatha
    P.S. Which cert. are you using in ZS for the VPN?
    VPN, X.509 Configuration, X.509 Host Certificate, drop-down menu …

    #54070

    DrmCa
    Participant

    Not really sure I have set up everything correctly.
    How can I find out for sure?

    VPN is set up to use X.509+password; the certificate CA.pem was downloaded from the login page and the user installed it.
    1st drop down: Local CA
    2nd drop down: OU=hosts, CN=router.earthlovesme.ca
    It is a valid non-expired certificate

    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number: 3 (0x3)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=IT, O=Zeroshell.net, OU=Example, CN=ZeroShell Example CA/emailAddress=Fulvio.Ricciardi@zeroshell.net
    Validity
    Not Before: Apr 9 16:11:41 2016 GMT
    Not After : Apr 7 16:11:41 2026 GMT
    Subject: OU=Hosts, CN=router.earthlovesme.ca
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
    Modulus (2048 bit):
    00:c2:df:e5:5d:b6:2d:7f:32:27:4c:c3:32:29:4c:
    ...
    ec:b3:7d:1f:d2:95:4b:94:a5:38:f6:ea:03:f1:3b:
    08:a3
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
    9f:d6:62:66:23:85:1a:bb:31:e5:15:f8:5a:06:e9:20:43:2b:
    ...
    1e:0f:af:6e:c6:4e:27:3c:33:30:56:df:94:a1:c9:fa:29:aa:
    12:97:ca:84
    Certificate purposes:
    SSL client : Yes
    SSL client CA : No
    SSL server : Yes
    SSL server CA : No
    Netscape SSL server : Yes
    Netscape SSL server CA : No
    S/MIME signing : No
    S/MIME signing CA : No
    S/MIME encryption : No
    S/MIME encryption CA : No
    CRL signing : Yes
    CRL signing CA : No
    Any Purpose : Yes
    Any Purpose CA : Yes
    OCSP helper : Yes
    OCSP helper CA : No
    BEGIN CERTIFICATE
    MIIDUzCCAjugAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBhTELMAkGA1UEBhMCSVQx
    ...
    28272mxnj5f7XTJeujiFXHoeD69uxk4nPDMwVt+Uocn6KaoSl8qE
    END CERTIFICATE

    But here is something I do not understand: when exporting the router certificate from the X.509 manager, it spits out router.earthlovesme.ca.pem, which is 2891 bytes long and has 2 sections inside for the cert and sig:

    BEGIN CERTIFICATE
    MIIDUzCCAjugAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBhTELMAkGA1UEBhMCSVQx
    ...
    28272mxnj5f7XTJeujiFXHoeD69uxk4nPDMwVt+Uocn6KaoSl8qE
    END CERTIFICATE

    BEGIN RSA PRIVATE KEY
    MIIEpQIBAAKCAQEAwt/lXbYtfzInTMMyKUw/U5zVyUm4xLxjAQVxfkE2t4DGlgfo
    ...
    6yqRZHfxGMDIFkp+eONj5Mqw7I8amjX6PW9ZWg9aMT3P3UCUIdkGlz8=
    END RSA PRIVATE KEY

    But CA.pem that the login page spits out (and which I sent to the user to install in the OpenVPN GUI config folder) is 1619 bytes long and has only one section (it is okay if they are different, as I had to re-generate since exporting router.earthlovesme.pem):

    BEGIN CERTIFICATE
    MIIEfTCCA2WgAwIBAgIJAN5geVTw/yoQMA0GCSqGSIb3DQEBBQUAMIGFMQswCQYD
    ...
    DEfTvzA/KxMOY0q47fQ41wJrcYFkwSL5okHsbsJvbyKsMluJx9Gw2NY5opNRqwaP
    zw==
    END CERTIFICATE

    #54071

    DrmCa
    Participant

    Is this line in the certificate killing me?

    Netscape SSL server : Yes

    This error seems to have something to do with Netscape:

    VERIFY nsCertType ERROR: /OU

    This is torture!!! Following the instructions to the letter and not getting anywhere. Can anyone at all clarify how to set up host-to-LAN VPN with ZS? It seems to be working for some, but `some` is a very small number when we are talking about following instructions such as this https://www.zeroshell.org/openvpn-client/ and downloading ready-made files.

    #54072

    redfive
    Participant

    Hi DrmCa, you may try as follows … first, install OpenVPN 2.3.10, then …
    On ZS, in the VPN section, X.509 Configuration, X.509 Host Certificate, are you using local or imported? In the first case, the client must have, as CA certificate, the CA certificate of ZS itself (without the private key):
    SECURITY, X.509 CA, Setup, export button (uncheck the ‘key’ flag).
    In the second case, the client must have the CA certificate of the CA which signed the imported certificate that you are using in ZS for the VPN server (which could also be the same one you are using for the HTTPS server…).
    For example, I personally use, for ZS as well as for the client, certificates generated by an external CA, so for me an additional step is importing the ‘external’ CA certificate in ‘Trusted CAs’, and, still in the VPN section, X.509 Configuration, authentication button,
    ‘Allow the X.509 VPN access with the certificates signed by the following Trusted CAs:’, check the imported CA certificate ……
    Cheers,
    jonatha

    #54073

    DrmCa
    Participant

    Using the certificates generated by Zeroshell.

    This https://openvpn.net/index.php/open-source/documentation/howto.html#pki talks about generating a whole load of files, but never mentions CA.pem – is that a problem?

    I do not understand how OpenVPN would work with Zeroshell if the instructions here https://www.zeroshell.org/openvpn-client/ were wrong – then it would not work for anyone. So whose instructions are correct and which of them should I follow?

    This really feels like torture – something that should be so straightforward (and is with Cisco, FortiClient etc. VPN solutions – install, click connect and voilà, no certificate generation, no exporting and sending files across the globe etc.) turns into several weeks of frustration from getting nowhere.

    #54074

    redfive
    Participant

    With Cisco, things do not always go so smoothly… (e.g., to make the VPN client work on Win 8.1, it was also required to install the Citrix DNE; another story, btw …)
    Could you post the ‘sanitized’ client config? Also, the cert. on the server is local, but which one is it? Is it the cert for the host router.earthlovesme.ca, or another one?
    Cheers,
    jonatha

    #54075

    DrmCa
    Participant

    We used vanilla client config downloaded from https://www.zeroshell.org/download/zeroshell.ovpn with only a change for the server IP.

    I also asked in the OpenVPN forum https://forums.openvpn.net/topic21541.html#p60956 but so far it seems he is talking about generating the certificate. As I understand, Zeroshell generates its own certificates. Do we have to use 1024 bit certificate only? I’ve used 4096 bits. Is that a problem?

    What is he talking about here:

    There are two ways to designate a certificate as a server:

    nscerttype server (deprecated)
    remote-cert-tls server

    It seems that above the certificate says it is “nscerttype server”.
    Overall, I feel lost and confused. This should not be such a daunting task, somewhere there is a huge design flaw if getting VPN to work is so difficult.

    #54076

    redfive
    Participant

    It’s funny, personally I’ve found the configuration of VPNs in ZS much easier than in most other appliances … anyway, this is one of my (client-side) configs

    remote xxxx.dyndns.org 1198
    proto tcp
    auth-user-pass
    ca my.ca.file.pem
    cert admin.cert.pem
    key admin.-key.pem
    remote-cert-eku 'TLS Web Server Authentication'
    verify-x509-name 'C=it, ST=xx, L=xx, O=xxxx, OU=server01, CN=server01.xxxx, emailAddress=xxxxxxx@libero.it'
    cipher AES-128-CBC
    auth RSA-SHA224
    comp-lzo
    verb 3
    mute 20
    resolv-retry infinite
    nobind
    client
    dev tap
    persist-key
    persist-tun
    auth-nocache
    route-method exe
    route-delay 2
    script-security 3

    You may try something like

    remote your.fqdn|ip 1194
    proto tcp
    auth-user-pass
    ca your.ca.file.pem
    cert user.cert.pem
    key user.-key.pem
    remote-cert-eku 'TLS Web Server Authentication'
    verify-x509-name 'C=xx, ST=xx, L=xx, O=xxxx, OU=xxxxxx, CN=xxxxx.xxxx, emailAddress=xxxxxxx@xxxxxx'
    comp-lzo
    verb 3
    mute 20
    resolv-retry infinite
    nobind
    client
    dev tap
    persist-key
    persist-tun
    auth-nocache
    route-method exe
    route-delay 2
    script-security 3

    First, I’d advise installing OpenVPN 2.3.10; then, about the above config, for
    verify-x509-name
    you have to replace the entries with those that appear in your host cert, the one you are using for the VPN server, and only those which are present, e.g. if your host cert is for the host router.earthlovesme.ca and you have only the CN and the OU in the cert, use only
    verify-x509-name ‘OU=Hosts, CN=router.earthlovesme.ca’
    Once you have the VPN running, I’ll post how to give static IP addresses based on username/common-name, so you can use user-based firewall rules …..
    cheers,
    jonatha
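
    An added example, not part of this thread and not Zeroshell's or OpenVPN's own code, that checks the points raised in DrmCa's certificate post and in the config above before a bundle is sent to a user. It builds a throwaway PKI with the openssl CLI (a CA, a host cert in OU=Hosts with the server EKU, a user cert for vpn0, and a second CA regenerated under the same name), reproduces the failure from the first log by verifying the host cert against the wrong CA, and then runs the checks that would have caught the thread's problems: is the CA.pem the user holds the CA that actually signed the server cert (chain verify plus fingerprint), does the user's private key belong to the user's cert, and does the host cert carry the EKU that remote-cert-eku demands. It ends by emitting a client config with the PEM files inlined. All file, host and user names are invented, it never contacts an OpenVPN server, and the verify-x509-name value it prints is in the comma-separated form redfive's config uses, on the assumption that the host cert has only OU and CN like the one in the thread. Openssl's reason text for the failed verify varies with its version and with whether the certificates carry key identifiers; the ok/fail verdict is the part to rely on.

```shell
#!/bin/sh
# Added example: not from the thread, Zeroshell or OpenVPN. Builds a throwaway
# PKI shaped like the one in the thread, reproduces the verify failure, and
# runs the checks a client bundle should pass before it is sent to a user.
# Needs the openssl CLI; every name, host and file below is invented.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_SUBJ="/C=IT/O=Zeroshell.net/OU=Example/CN=ZeroShell Example CA"

# Self-signed CA written to $WORK/$1.key and $WORK/$1.pem
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$CA_SUBJ" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# new_leaf CA SUBJECT EKU NAME: cert for SUBJECT signed by CA, with the given
# extendedKeyUsage, written to $WORK/NAME.key and $WORK/NAME.pem
new_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$4.key" -out "$WORK/$4.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage=%s\n' "$3" >"$WORK/$4.ext"
  openssl x509 -req -days 30 -in "$WORK/$4.csr" -extfile "$WORK/$4.ext" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$4.pem" >/dev/null 2>&1
}

make_pki() {
  new_ca ca1                          # the CA that signed the host and user certs
  new_leaf ca1 "/OU=Hosts/CN=router.example.invalid" serverAuth host
  new_leaf ca1 "/OU=Users/CN=vpn0" clientAuth vpn0
  new_ca ca2                          # same subject, fresh key: a regenerated CA
}

# ok|fail: is certificate $2 actually signed by the CA in $1?
check_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# openssl's own reason for a failed verify, e.g. "certificate signature failure"
chain_reason() {
  openssl verify -CAfile "$1" "$2" 2>&1 | sed -n 's/.*depth lookup: *//p' | head -n 1
}

# SHA-256 fingerprint: compare the CA.pem a user holds with the one you exported
fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2; }

# ok|fail: does private key $2 belong to certificate $1? (same public key)
key_matches_cert() {
  c=$(openssl x509 -noout -pubkey -in "$1")
  k=$(openssl pkey -pubout -in "$2" 2>/dev/null)
  [ "$c" = "$k" ] && echo ok || echo fail
}

# ok|fail: does the host cert carry the EKU that remote-cert-eku will demand?
has_server_eku() {
  if openssl x509 -noout -text -in "$1" | grep -q 'TLS Web Server Authentication'
  then echo ok; else echo fail; fi
}

# Subject of $1 in the "OU=Hosts, CN=host" form used after verify-x509-name
x509_name() {
  openssl x509 -noout -subject -nameopt esc_2253,utf8,sep_comma_plus_space \
    -in "$1" | sed 's/^subject= *//'
}

# build_ovpn CA USERCERT USERKEY HOSTCERT: client config with the PEMs inlined,
# so one file is sent to the user instead of a config plus three loose files
build_ovpn() {
  printf 'client\ndev tap\nproto tcp\nremote vpn.example.invalid 1194\n'
  printf 'nobind\nresolv-retry infinite\nauth-user-pass\nauth-nocache\n'
  printf 'persist-key\npersist-tun\nverb 3\n'
  printf 'remote-cert-eku "TLS Web Server Authentication"\n'
  printf "verify-x509-name '%s'\n" "$(x509_name "$4")"
  printf '<ca>\n'; cat "$1"; printf '</ca>\n<cert>\n'; cat "$2"
  printf '</cert>\n<key>\n'; cat "$3"; printf '</key>\n'
}

make_pki
echo "host cert vs its real CA:       $(check_chain "$WORK/ca1.pem" "$WORK/host.pem")"
echo "host cert vs regenerated CA:    $(check_chain "$WORK/ca2.pem" "$WORK/host.pem")" \
     "($(chain_reason "$WORK/ca2.pem" "$WORK/host.pem"))"
echo "fingerprint of ca1:             $(fingerprint "$WORK/ca1.pem")"
echo "fingerprint of ca2:             $(fingerprint "$WORK/ca2.pem")"
echo "vpn0 key belongs to vpn0 cert:  $(key_matches_cert "$WORK/vpn0.pem" "$WORK/vpn0.key")"
echo "host cert has serverAuth EKU:   $(has_server_eku "$WORK/host.pem")"
build_ovpn "$WORK/ca1.pem" "$WORK/vpn0.pem" "$WORK/vpn0.key" "$WORK/host.pem" >"$WORK/vpn0.ovpn"
echo "client bundle written to $WORK/vpn0.ovpn"
```

    Run it with sh. The second fingerprint line is the check to repeat on a real deployment: take the SHA-256 fingerprint of the CA.pem the user actually received and of the CA exported from SECURITY, X.509 CA; if they differ, the client holds a different CA than the one that signed the host cert and no client config change will help. The emitted config keeps redfive's remote-cert-eku check rather than remote-cert-tls server because, in OpenVPN 2.3, the latter also checks the keyUsage extension, and the certificate dump posted in this thread shows only an extendedKeyUsage extension.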

    #54077

    DrmCa
    Participant

    The user already upgraded to 2.3.10.
    Where do I get client cert and key from?

    cert admin.cert.pem
    key admin.-key.pem

    Interesting! I tried the same CA.pem with the latest version, 2.3.10, and am getting this error:

    Tue Apr 19 14:06:18 2016 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=IT, O=Zeroshell.net, OU=Example, CN=ZeroShell Example CA, emailAddress=Fulvio.Ricciardi@zeroshell.net
    Tue Apr 19 14:06:18 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Tue Apr 19 14:06:18 2016 TLS Error: TLS object -> incoming plaintext read error
    Tue Apr 19 14:06:18 2016 TLS Error: TLS handshake failed
    Tue Apr 19 14:06:18 2016 Fatal TLS error (check_tls_errors_co), restarting

    I do not understand why the certificate generated by Zeroshell router is not satisfactory for using with the config file downloaded from zeroshell.org
    Are the instructions outdated, incomplete or incorrect?

    #54078

    redfive
    Participant

    Directly from ZS, for a start, let’s make things simple …. download from ZS (SECURITY, X.509 CA, admin, export button, key and PEM) the admin certificate with the private key in .pem format; if the cert is named, e.g., admin.earthlovesme.ca, in the VPN client’s config put admin.earthlovesme.ca.pem after cert, and the same after key,
    then try to connect via VPN, using admin as the user and the admin password
    Cheers,
    jonatha

    #54079

    DrmCa
    Participant

    Are you telling me that downloading CA.pem from the login page was not sufficient and I also had to download router.earthlovesme.ca.pem from the X.509 admin page and use it for cert/key?

    If that is the case, then it would explain why nothing worked! It was simply not mentioned in the instructions and how on Earth would I be expected to realize that???

    OMG!!! How did you know to do that?

    #54080

    redfive
    Participant

    No, I’m saying that you have to download the CA.pem and the user cert (admin) with private key (not the host cert) 😀
    Cheers,
    jonatha

    #54081

    DrmCa
    Participant

    Ah… But if the user connecting to the VPN is not admin – I created another user name like vpn0, does it have to be that user’s key?

    #54082

    redfive
    Participant

    The user vpn0 will have its own cert and private key, just like the admin …
    Cheers,
    jonatha

