Title: OpenVPN LDAP Auth not working in 3.3.0 but in 3.0.5b1
Post by: Frank0815 on Thursday 13 June 2019, 06:44:38 pm

Hello everybody,

on my Endian Community FW 3.0.5 beta 1, OpenVPN is configured with AD authentication. For auth-user-pass it uses /usr/bin/openvpn-auth via-file. This works.

I recently installed a test machine with community version 3.3.0. I set up the LDAP settings as described here: h**ps://help.endian.com/hc/en-us/articles/218144458-SSL-VPN-How-to-Authenticate-VPN-Users-with-Active-Directory

The settings are basically identical with my working installation. Authenticating a local user works. Authenticating an AD user does not work, and I receive a "Benutzer nicht gefunden" / "User not found" message.

tail -f /var/log/endian/authentication

2019-06-13 07:47:35,307 - authentication[2703] - INFO - Endian Authentication Layer startup
Jun 13 08:00:23 endianFWcommunity authentication[2703]: AUTH_STATUS(ACCEPTED) SCOPE(openvpn) USER(localuser) PROVIDER(local)
Jun 13 08:00:36 endianFWcommunity authentication[2703]: AUTH_STATUS(FAILED) SCOPE(openvpn) USER(testvpn) REASON(Benutzer nicht gefunden)

The openvpn.log shows:

Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 TLS: Initial packet from [AF_INET]80.187.111.43:6776 (via [AF_INET]<IP>%eth1), sid=a4552829 55a1cacc
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_VER=2.5_master
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_PLAT=android
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_PROTO=2
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_NCP=2
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_LZ4=1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_LZ4v2=1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_LZO=1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_COMP_STUB=1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_COMP_STUBv2=1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_TCPNL=1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.8
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 TLS Auth Error: Auth Username/Password verification failed for peer
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1574', remote='link-mtu 1542'
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 Peer Connection Initiated with [AF_INET]80.187.111.53:6776 (via [AF_INET]<IP>%eth1)
Jun 13 09:53:58 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 PUSH: Received control message: 'PUSH_REQUEST'
Jun 13 09:53:58 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 Delayed exit in 5 seconds
Jun 13 09:53:58 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Jun 13 09:54:03 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 SIGTERM[soft,delayed-exit] received, client-instance exiting

I cannot find more detailed log files.

In my old 3.0.5b1 it used openvpn-auth via-file. The 3.3.0 has only openvpn-auth-env and tries to use openvpn-auth-env via-env.

When I try openvpn-auth -i on my old machine and use a wrong password, I get the same German error "Benutzer nicht gefunden" / "User not found". The same error I see in the authentication log on the 3.3.0.

Is there a current manual on how to get AD authentication with OpenVPN on 3.3.0? Any ideas?

Greetings
Frank

Title: Re: OpenVPN LDAP Auth not working in 3.3.0 but in 3.0.5b1
Post by: Frank0815 on Thursday 13 June 2019, 06:58:37 pm

root@endianFWcommunity:/var/efw/openvpn # cat settings
AUTHENTICATION_STACK=ldap,local
CA_FILENAME=cacert.pem
CERT_FILENAME=VPNcert.pem
LDAP_BIND_DN=cn=user,cn=Users,dc=domain,dc=local
LDAP_BIND_PASSWORD=password
LDAP_URI=ldap://1.2.3.4
LDAP_USER_BASEDN=ou=SBSUsers,ou=Users,ou=MyBusiness,dc=domain,dc=local
LDAP_USER_SEARCHFILTER=(&(objectCategory=person)(objectClass=user)(sAMAccountName=%(u)s))

Title: Re: OpenVPN LDAP Auth not working in 3.3.0 but in 3.0.5b1
Post by: Frank0815 on Thursday 13 June 2019, 07:16:33 pm

I get the same error if I enter a wrong IP in my settings file and there is no LDAP server behind it. So maybe it is not getting to LDAP auth, or the settings file is ignored?

Title: Re: OpenVPN LDAP Auth not working in 3.3.0 but in 3.0.5b1
Post by: Dark-Vex on Friday 14 June 2019, 12:30:34 am

On 3.3 community, VPN with LDAP/Active Directory is not supported; the authentication backend has changed and it is only supported on the enterprise version.

Title: Re: OpenVPN LDAP Auth not working in 3.3.0 but in 3.0.5b1
Post by: Frank0815 on Friday 14 June 2019, 03:37:29 pm

Oh my dear.

Which is the latest version that still supports LDAP VPN?

Title: Re: OpenVPN LDAP Auth not working in 3.3.0 but in 3.0.5b1
Post by: Dark-Vex on Friday 14 June 2019, 11:07:39 pm

3.0.5 beta 1 is the last version based on the old platform that supports it.
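The thread turns on the contract between OpenVPN and its --auth-user-pass-verify helper: with via-file the helper gets a temporary file (line 1 username, line 2 password), with via-env it gets the username and password environment variables (which OpenVPN only exports at --script-security 3), and any non-zero exit is what the server logs as "external program exited with error status: 1" before sending AUTH_FAILED. The script below is an added example of such a helper, not Endian's openvpn-auth or openvpn-auth-env and not code from this thread; it replaces the LDAP backend with a constructed local user table (USERS, with a fixed salt) so it runs offline, and the log-line format only mirrors the AUTH_STATUS lines quoted above.

```python
"""Minimal OpenVPN --auth-user-pass-verify handler (added example, not Endian's
openvpn-auth). Reads credentials via-file or via-env, checks them against a
constructed local store, and exits 0 (accept) or 1 (reject)."""
import hashlib
import hmac
import os
import sys
from typing import Dict, Tuple

# Constructed local user store (assumption): username -> (salt, PBKDF2-SHA256 hash).
# A real deployment would swap the lookup in authenticate() for its LDAP/AD bind;
# the credential parsing and the exit-status contract stay the same.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT = b"constructed-example-salt"
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "localuser": (_SALT, _pbkdf2("correct-horse-battery", _SALT)),
}


def credentials_from_file_text(text: str) -> Tuple[str, str]:
    """via-file format: first line username, second line password."""
    lines = text.split("\n")
    if len(lines) < 2:
        raise ValueError("via-file needs a username line and a password line")
    return lines[0].rstrip("\r"), lines[1].rstrip("\r")


def credentials_from_env(env) -> Tuple[str, str]:
    """via-env format: OpenVPN exports 'username' and 'password' (needs --script-security 3)."""
    try:
        return env["username"], env["password"]
    except KeyError as exc:
        raise ValueError(f"via-env variable missing: {exc}") from exc


def authenticate(username: str, password: str) -> Tuple[bool, str]:
    """Return (accepted, reason). The reason goes to the server log only, never to the client."""
    entry = USERS.get(username)
    if entry is None:
        # Burn the same PBKDF2 cost for unknown users so response time does not
        # reveal whether the username exists.
        _pbkdf2(password, _SALT)
        return False, "user not found"
    salt, expected = entry
    if hmac.compare_digest(_pbkdf2(password, salt), expected):
        return True, ""
    return False, "wrong password"


def log_status(username: str, accepted: bool, reason: str) -> str:
    """Format a log line in the style of the AUTH_STATUS lines quoted in the thread."""
    status = "ACCEPTED" if accepted else "FAILED"
    line = f"AUTH_STATUS({status}) SCOPE(openvpn) USER({username}) PROVIDER(local)"
    return line if accepted else f"{line} REASON({reason})"


def main(argv, env) -> int:
    """argv[1] is the via-file path when OpenVPN supplies one; otherwise use via-env."""
    try:
        if len(argv) > 1:
            with open(argv[1], encoding="utf-8") as fh:
                username, password = credentials_from_file_text(fh.read())
        else:
            username, password = credentials_from_env(env)
    except (OSError, ValueError) as exc:
        # Malformed input is a reject, never an accept.
        print(f"openvpn-auth: {exc}", file=sys.stderr)
        return 1
    accepted, reason = authenticate(username, password)
    print(log_status(username, accepted, reason), file=sys.stderr)
    # Exit 1 here is what OpenVPN reports as "external program exited with
    # error status: 1" and answers with AUTH_FAILED.
    return 0 if accepted else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv, os.environ))
```

Wired in as `auth-user-pass-verify /path/to/this.py via-file` (or `via-env` with `script-security 3`), the helper makes the failure seen in the thread reproducible: any path that does not reach a successful comparison, including a backend that cannot be contacted, ends in exit status 1, which is why a wrong LDAP_URI and a wrong password look identical in openvpn.log and can only be told apart in the helper's own log line.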