Title: vpn ssl activation with open vpn client
Post by: miki22 on Sunday 25 April 2021, 05:45:19 pm

Good morning everyone,

we are trying to activate an SSL VPN with Endian but without success. We are doing the simplest things, so (Endian is the latest version, 3.3.2 COMMUNITY):

1) Open port TCP/UDP 1194 in the router and in the Endian Firewall. Our router (Fritzbox 7590) has a 1:1 NAT to the Endian RED IP. Our Endian Firewall has a GREEN interface IP of 192.168.1.1 (gateway) and we open port 1194 here. (screenshot 1)
2) We disable the VPN firewall: VPN Traffic -> Disable Firewall VPN (screenshot 2)
3) We have activated the OpenVPN server with all standard parameters (screenshot 3)
4) We create a user and password (Menu -> VPN -> Authentication -> Add user)
5) We download the correct certificate on a Windows PC (VPN -> OpenVPN Server -> Download Certificate) (the certificate has the name "cacert.pem")
6) Go to the client PC (Windows) -> I have downloaded the software: OpenVPN-2.5.2-I601-amd64.msi
7) We create a file "ACME-vpn.ovpn" and put this file here: C:\Program Files\OpenVPN\config\ACME-vpn

The file "ACME-vpn.ovpn" has inside:

client
dev tap
proto udp #only if you use udp protocol
remote OurPublicIP 1194 #1194 only if your vpn server's port is the default port
resolv-retry infinite
nobind
persist-key
persist-tun
ca cacert.pem #this is the p12 client certificate
auth-user-pass #uncomment this row if you want to use two factor authentication
verb 3
comp-lzo
remote-cert-tls server

8) Here -> C:\Program Files\OpenVPN\config\ACME-vpn we copy the "cacert.pem" certificate
9) Stop. We try to connect with the OpenVPN client.

The error is:

2021-04-25 09:39:31 VERIFY OK: depth=1, C=IT, O=misty-disk-0130, CN=efw CA
2021-04-25 09:39:31 Certificate does not have key usage extension
2021-04-25 09:39:31 VERIFY KU ERROR
2021-04-25 09:39:31 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-04-25 09:39:31 TLS_ERROR: BIO read tls_read_plaintext error
2021-04-25 09:39:31 TLS Error: TLS object -> incoming plaintext read error
2021-04-25 09:39:31 TLS Error: TLS handshake failed
2021-04-25 09:39:31 SIGUSR1[soft,tls-error] received, process restarting
2021-04-25 09:39:31 MANAGEMENT: >STATE:1619336371,RECONNECTING,tls-error,,,,,
2021-04-25 09:39:31 Restart pause, 300 second(s)

Why does it not work? Thanks

Title: Re: vpn ssl activation with open vpn client
Post by: miki22 on Monday 26 April 2021, 04:06:34 am

Today I solved everything. I understand that:

1) There is no need to open the ports on the Endian Firewall (screenshot 1)
2) To make the VPN work, just remove the line: remote-cert-tls server

The further questions are:

1) Did we lower the security level by removing the line "remote-cert-tls server"? What should I do?

2) Another warning comes out, which I think is related to compression:

WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2021-04-25 19:44:15 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.

It seems the error disappears when I delete the line "comp-lzo", but in that case other errors appear:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1573', remote='link-mtu 1574'
WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

3) Another warning comes out, which I think is related to TLS:

WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

but here in the end it is not clear what must be done.

4) Another warning comes out:

Sun Apr 25 19:51:57 2021 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.

but here in the end it is not clear what must be done.

5) Another warning comes out:

WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

but here in the end it is not clear what must be done.

In short, the VPN works but there are "warnings" everywhere! No good...
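A small linter for the client config, added here as an example that is not part of the thread or of Endian's own tooling: it flags, in the poster's .ovpn (embedded as constructed sample input), the client-side setting behind each warning quoted above, and checks a hardened variant. The hardened directives (auth-nocache, data-ciphers-fallback AES-256-CBC, comp-lzo dropped) are assumptions for illustration and must match what the Endian server side negotiates.

```python
# Added example, not from the thread: a minimal linter for OpenVPN 2.5 client
# configs that flags the settings behind the warnings the poster saw.

# Constructed sample: the poster's ACME-vpn.ovpn as first written.
SAMPLE_OVPN = """\
client
dev tap
proto udp
remote OurPublicIP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca cacert.pem
auth-user-pass
verb 3
comp-lzo
remote-cert-tls server
"""

# Constructed: the same config with the warned-about settings addressed.
# The fallback cipher name is an assumption; it must match the server side.
HARDENED_OVPN = SAMPLE_OVPN.replace("comp-lzo\n", "") + (
    "auth-nocache\ndata-ciphers-fallback AES-256-CBC\n")

# Any one of these enables server certificate verification in OpenVPN 2.5.
SERVER_VERIFY = {"remote-cert-tls", "remote-cert-eku", "remote-cert-ku",
                 "verify-x509-name", "tls-verify"}

def parse_directives(text):
    """Map directive name -> argument list; '#' comments and blanks ignored."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives

def lint_ovpn(text):
    """Return one finding tag per warning family from the thread."""
    d = parse_directives(text)
    findings = []
    if SERVER_VERIFY.isdisjoint(d):
        findings.append("no-server-cert-check")  # "No server certificate verification method"
    if "comp-lzo" in d or d.get("compress"):
        findings.append("compression-enabled")   # "Compression ... used to break encryption"
    if "auth-user-pass" in d and "auth-nocache" not in d:
        findings.append("password-cached")       # "may cache passwords in memory"
    if "cipher" not in d and "data-ciphers-fallback" not in d:
        findings.append("no-cipher-fallback")    # "--cipher is not set ... BF-CBC"
    return findings
```

The "VERIFY KU ERROR" in the first post is this check doing its job: remote-cert-tls server requires the server certificate to carry a keyUsage extension and the serverAuth extended key usage, so a server certificate issued with those extensions is the fix that keeps the check rather than removing it.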