EFW Support

Support => General Support => Topic started by: miki22 on Sunday 25 April 2021, 05:45:19 pm



Title: vpn ssl activation with open vpn client
Post by: miki22 on Sunday 25 April 2021, 05:45:19 pm
Good morning everyone,
we are trying to activate an SSL VPN with Endian but without success.

we are doing the simplest things, so:
(Endian is the latest version: 3.3.2 COMMUNITY)

1)   Open port TCP / UDP 1194 in the router and in the Endian Firewall.

Our router (Fritzbox 7590) has a 1:1 NAT to the Endian RED IP.
Our Endian Firewall has a GREEN interface IP: 192.168.1.1 (gateway), and we open port 1194 here.

(screenshot 1)

2)   We disable the VPN firewall:

Vpn Traffic -> Disable Firewall VPN

(screenshot 2)

3)   We have activated the OpenVPN server with all standard parameters

(screenshot 3)

4)   We create a user and password (Menu -> VPN -> Authentication -> Add user)

5)   We download the correct certificate to a Windows PC

(VPN -> OpenVPN Server -> Download Certificate)
(the certificate has the name: “cacert.pem”)

6)   On the Windows client PC -> I have downloaded the software:
OpenVPN-2.5.2-I601-amd64.msi

7)   We create a file “ACME-vpn.ovpn” and place this file here:

C:\Program Files\OpenVPN\config\ACME-vpn

File: “ACME-vpn.ovpn” -> has inside:

client
dev tap
proto udp                 #only if you use udp protocol
remote OurPublicIP 1194   #1194 only if your vpn server's port is the default port
resolv-retry infinite
nobind
persist-key
persist-tun
ca cacert.pem             #the CA certificate downloaded from Endian (not a client certificate)
auth-user-pass            #username/password login with the user created in step 4
verb 3
comp-lzo
remote-cert-tls server    #require the server certificate to be marked for TLS server use (key usage / extended key usage)

8)   Here -> C:\Program Files\OpenVPN\config\ACME-vpn

We copy the “cacert.pem” certificate

9)   That's all. We try to connect with the OpenVPN client. The error is:

2021-04-25 09:39:31 VERIFY OK: depth=1, C=IT, O=misty-disk-0130, CN=efw CA
2021-04-25 09:39:31 Certificate does not have key usage extension
2021-04-25 09:39:31 VERIFY KU ERROR
2021-04-25 09:39:31 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-04-25 09:39:31 TLS_ERROR: BIO read tls_read_plaintext error
2021-04-25 09:39:31 TLS Error: TLS object -> incoming plaintext read error
2021-04-25 09:39:31 TLS Error: TLS handshake failed
2021-04-25 09:39:31 SIGUSR1[soft,tls-error] received, process restarting
2021-04-25 09:39:31 MANAGEMENT: >STATE:1619336371,RECONNECTING,tls-error,,,,,
2021-04-25 09:39:31 Restart pause, 300 second(s)


Why does it not work?
Thanks


Title: Re: vpn ssl activation with open vpn client
Post by: miki22 on Monday 26 April 2021, 04:06:34 am
Today I solved everything:
I understand that:

1)   There is no need to open the ports on the Endian Firewall (screenshot 1)

2)   To make the vpn work just remove the line:
remote-cert-tls server


The further questions are:

1)   Have we lowered the security level by removing the line “remote-cert-tls server”?

What should I do?

2)   Another warning comes out, which I think is related to compression:

WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.

2021-04-25 19:44:15 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.


Seems the error disappears when i delete the line:

“comp-lzo”

but in that case other errors appear:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1574'
WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

3)   Another warning comes out, which I think is related to TLS:

WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

but here in the end it is not clear what must be done.

4)   Another warning comes out:
Sun Apr 25 19:51:57 2021 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.

but here in the end it is not clear what must be done.


5)   Another warning comes out:

WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

but here in the end it is not clear what must be done.




In short, the VPN works but there are “warnings” everywhere!

No good…
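As an added check, not code from this thread or from Endian: the script below reads a client profile and reports which of the warnings quoted above it would provoke, with the client-side fix for each. The sample profile is constructed from the posted one with a placeholder host, the directive names are real OpenVPN options, and "verify-x509-name" is offered because "remote-cert-tls server" (equivalent to "remote-cert-ku" plus "remote-cert-eku" for TLS server authentication in the OpenVPN manual) cannot pass against a server certificate that lacks those extensions, which is what the VERIFY KU ERROR above reports; simply deleting it lets any certificate signed by the Endian CA be accepted as the server.

```python
import re

# Constructed sample profile mirroring the one posted in the thread (placeholder host).
POSTED_PROFILE = """\
client
dev tap
proto udp            #only if you use udp protocol
remote OurPublicIP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca cacert.pem
auth-user-pass
verb 3
comp-lzo
"""

def parse_ovpn(text):
    """Map each directive to its argument strings; '#' or ';' starts a comment when it begins a token."""
    opts = {}
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, _, args = line.partition(" ")
            opts.setdefault(name, []).append(args.strip())
    return opts

# Without any of these, OpenVPN logs "No server certificate verification method has been enabled".
VERIFY_OPTS = ("remote-cert-tls", "remote-cert-eku", "remote-cert-ku",
               "verify-x509-name", "tls-verify", "peer-fingerprint")

# (finding, predicate over the parsed options, client-side fix)
CHECKS = [
    ("no-server-verification", lambda o: not any(k in o for k in VERIFY_OPTS),
     "keep 'remote-cert-tls server' if the server cert has KU/EKU, else pin it with 'verify-x509-name <subject> name'"),
    ("compression-enabled", lambda o: "comp-lzo" in o,
     "remove 'comp-lzo' here and disable compression on the server too, or the "
     "'comp-lzo' / 'link-mtu' mismatch warnings appear instead"),
    ("password-cache", lambda o: "auth-user-pass" in o and "auth-nocache" not in o,
     "add 'auth-nocache' so the password is not kept in process memory"),
    ("cipher-unset", lambda o: "cipher" not in o and "data-ciphers-fallback" not in o,
     "set 'cipher' (and 'data-ciphers') explicitly to a cipher the server supports"),
]

def audit_ovpn(text):
    """Return {finding: fix} for every warning from the thread this profile would trigger."""
    o = parse_ovpn(text)
    return {name: fix for name, pred, fix in CHECKS if pred(o)}
```

Run audit_ovpn on the text of an .ovpn file; an empty result means none of the five warnings from the thread should appear in the client log.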