Author Topic: vpn ssl activation with open vpn client  (Read 102505 times)
miki22
« on: Sunday 25 April 2021, 05:45:19 pm »

Good morning everyone,
We are trying to activate an SSL VPN with Endian, but without success.

We are doing the simplest things, so:
(Endian is the latest version: 3.3.2 COMMUNITY)

1)   Open port TCP/UDP 1194 on the router and on the Endian Firewall.

Our router, a Fritzbox 7590, has a 1:1 NAT to the Endian RED IP.
Our Endian Firewall has a GREEN interface IP of 192.168.1.1 (gateway), and we open port 1194 here.

(screenshot 1)

2)   We disable the VPN firewall:

Vpn Traffic -> Disable Firewall VPN

(screenshot 2)

3)   We have activated the OpenVPN server with all standard parameters

(screenshot 3)

4)   We create a user and password (Menu -> VPN -> Authentication -> Add user)

5)   We download the correct certificate to a Windows PC

(VPN -> OpenVPN Server -> Download Certificate)
(the certificate has the name "cacert.pem")

6)   Go to the Windows client PC -> I have downloaded the software:
OpenVPN-2.5.2-I601-amd64.msi

7)   We create a file "ACME-vpn.ovpn" and put this file here:

C:\Program Files\OpenVPN\config\ACME-vpn

File "ACME-vpn.ovpn" contains:

client
dev tap
proto udp                   # only if you use the UDP protocol
remote OurPublicIP 1194     # 1194 only if your VPN server's port is the default port
resolv-retry infinite
nobind
persist-key
persist-tun
ca cacert.pem               # the CA certificate downloaded from Endian (not a client .p12)
auth-user-pass              # username/password login in addition to the certificate check
verb 3
comp-lzo
remote-cert-tls server

8)   Here -> C:\Program Files\OpenVPN\config\ACME-vpn

We copy the "cacert.pem" certificate

9)   Stop. We try to connect with the OpenVPN client. The error is:

2021-04-25 09:39:31 VERIFY OK: depth=1, C=IT, O=misty-disk-0130, CN=efw CA
2021-04-25 09:39:31 Certificate does not have key usage extension
2021-04-25 09:39:31 VERIFY KU ERROR
2021-04-25 09:39:31 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-04-25 09:39:31 TLS_ERROR: BIO read tls_read_plaintext error
2021-04-25 09:39:31 TLS Error: TLS object -> incoming plaintext read error
2021-04-25 09:39:31 TLS Error: TLS handshake failed
2021-04-25 09:39:31 SIGUSR1[soft,tls-error] received, process restarting
2021-04-25 09:39:31 MANAGEMENT: >STATE:1619336371,RECONNECTING,tls-error,,,,,
2021-04-25 09:39:31 Restart pause, 300 second(s)


Why does it not work?
Thanks
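The "Certificate does not have key usage extension" / "VERIFY KU ERROR" lines above come from the client option remote-cert-tls server: it requires the server certificate (depth=0, the one after the "efw CA" that verified fine at depth=1) to carry an X509v3 Key Usage extension and an Extended Key Usage that includes "TLS Web Server Authentication". The script below is an added example, not code from the post, from Endian or from OpenVPN. It builds two constructed self-signed certificates with openssl, one without those extensions (the shape of the certificate the Endian box presented) and one with them, and checks both the way the client does. The file names, the subject "CN=efw" and the throwaway openssl config are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: reproduce the "VERIFY KU ERROR" and show what
# "remote-cert-tls server" demands of the server certificate. Not Endian's
# or OpenVPN's own code; names and the config below are demo assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-contained openssl config so the script does not depend on the system
# openssl.cnf. Section no_ku mimics a server cert issued without key-usage
# extensions; section server_ku is what a TLS server certificate needs.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = efw
[ no_ku ]
basicConstraints = CA:FALSE
[ server_ku ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# gen_cert NAME SECTION: write $WORK/NAME.pem, a self-signed certificate whose
# extensions come from SECTION of the config above.
gen_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/openssl.cnf" -extensions "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# passes_remote_cert_tls_server CERT.pem: exit 0 if CERT satisfies the checks
# behind "remote-cert-tls server" (equivalent to --remote-cert-ku plus
# --remote-cert-eku "TLS Web Server Authentication"), else exit 1.
# The first grep is the check that logged "Certificate does not have key
# usage extension" in the post; the second is the EKU check that runs next.
passes_remote_cert_tls_server() {
  text="$(openssl x509 -in "$1" -noout -text)"
  printf '%s\n' "$text" | grep -q 'X509v3 Key Usage' || return 1
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 1
  return 0
}

# explain CERT.pem: one-line verdict for whoever runs this against a real cert.
explain() {
  if passes_remote_cert_tls_server "$1"; then
    echo "$1: OK, remote-cert-tls server would accept this certificate"
  else
    echo "$1: would fail (VERIFY KU ERROR / VERIFY EKU ERROR); reissue the server cert with keyUsage and extendedKeyUsage=serverAuth"
  fi
}

gen_cert efw-no-ku no_ku
gen_cert efw-server server_ku
explain "$WORK/efw-no-ku.pem"
explain "$WORK/efw-server.pem"
```

To test a real server certificate instead of the constructed ones, point passes_remote_cert_tls_server at the PEM file the server actually presents; the fix that keeps remote-cert-tls server in the client config is to reissue that certificate with both extensions, not to drop the option.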
miki22
« Reply #1 on: Monday 26 April 2021, 04:06:34 am »

Today I solved everything:
I understand that:

1)   There is no need to open the ports on the Endian Firewall (screenshot 1)

2)   To make the vpn work just remove the line:
remote-cert-tls server


The further questions are:

1)   We lowered the security level by removing the line:

remote-cert-tls server              ?

What should I do?

2)   Another warning comes out, which I think is related to compression:

WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.

2021-04-25 19:44:15 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.


It seems the error disappears when I delete the line:

“comp-lzo”

but in that case other errors appear:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1574'
WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

3)   Another warning comes out, which I think is related to TLS:

WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

But in the end it is not clear what must be done.

4)   Another warning comes out:
Sun Apr 25 19:51:57 2021 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.

But in the end it is not clear what must be done.


5)   Another warning comes out:

WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

But in the end it is not clear what must be done.




In short, the VPN works, but there are "warnings" everywhere!

No good…
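A client configuration that addresses each of the five warnings in the reply above, as an added example (not from the original post, and not Endian's or OpenVPN's own documentation). It is written for the OpenVPN 2.5.2 client the poster installed. The remote address, the server certificate CN, the fallback cipher and the file names are assumptions and are marked as such; check each against the Endian box before using it.

```text
client
dev tap
proto udp
remote OurPublicIP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3

# CA certificate downloaded from Endian (VPN -> OpenVPN Server -> Download Certificate).
ca cacert.pem

# Username/password of the user created under VPN -> Authentication.
auth-user-pass
# Warning 5: drop the credentials from process memory once the handshake is done.
auth-nocache

# Warning 3 and question 1: removing remote-cert-tls left the client with no
# check that it is talking to the real server. The proper fix is to reissue the
# Endian server certificate with keyUsage and extendedKeyUsage=serverAuth and
# then restore this line:
#remote-cert-tls server
# Interim fix until then: pin the server certificate's subject CN. "efw" is a
# PLACEHOLDER (assumption); use the CN printed at "VERIFY OK: depth=0, ..." in
# the client log after a successful connection, or read it from the server's
# own certificate.
verify-x509-name efw name

# Warning 4: never add BF-CBC. Offer the AEAD ciphers for negotiation; the
# fallback is used only when the server cannot negotiate and must equal the
# cipher configured on the Endian server (AES-256-CBC is an assumption here).
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC

# Warning 2: the server still runs comp-lzo, so deleting it here only produces
# the link-mtu / comp-lzo mismatch. Keep the option so framing matches, and
# make the 2.5 default explicit: the client accepts compressed packets but
# never compresses what it sends, which is the part that matters for
# compression-oracle attacks on data an attacker can influence. The real fix
# is to turn compression off on the Endian server and then delete both lines.
comp-lzo
allow-compression asym
```

The "Compression for receiving enabled" message will still be logged with allow-compression asym, because it describes exactly that state; it only goes away once the server stops using compression.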