How do I correctly configure the "Allowed Clients" table for OpenVPN? HELP!

-KS-Silence[AU]

Hello guys, bit of an issue here....

I already know how to get a secured OpenVPN server running that does NOT use a white/blacklist, and that works fine. What I can't work out is why, when I turn on whitelisting in the GUI ("Allow only specified clients") and fill in the field, NOT a single client can successfully connect: they ALL get rejected at what appears to be the final stage of connecting, with a PUSH request and an authentication failure and some errors in the log that I don't understand.

Here is a screenshot of:
the server settings on the left hand side,
the client log in the top right portion of the screen on the remote computer,
the relevant portion of the server log in Notepad in the bottom right of my screen.

(screenshot: VPN Access control not working.JPG)

(If the screenshot fails to load just copy and paste the link into a new browser tab and it will load..... it's way too big to be uploaded as an attachment @ ~1920x1080 and ~500 KB)
(alternate image link: https://www.dropbox.com/s/jvccxte8xl91hq8/VPN Access control not working.JPG)

I have no idea how to do router scripting or anything like that, if any is required... Chances are it's something totally obvious to you, and I'm totally oblivious to it....

Thanks...

-Alex
 
Try increasing OpenVPN logging. Through SSH/Telnet:

Code:
nvram set vpn_loglevel=9
nvram commit

(log level can go up to 15, but I suspect that going THAT high will generate more noise than useful info)

Then restart the OpenVPN servers. See what you get in syslog when you try to connect.

To revert it back, set loglevel to 3.
 
Here's a very long logfile for you....

Erm, is this what you want? Sounds like level 9 might be a bit too verbose??
WARNING! Very Very Very Very LONG log in attached file!
(that's only the relevant bit.... some 93900 characters....)
 

Attachments

  • Log file.zip
At least it confirms that the cn part is what is being rejected:

Code:
May 28 03:45:04 openvpn[1416]: 74.111.111.111:51283 TLS Auth Error: --client-config-dir authentication failed for common name 'Win-8-VMware' file='ccd/Win-8-VMware'

I would try using a CN without any dash in it to see if it works better.
 
Same as before

Well, trying new certs and stuff without a "-" in the CNs and other fields where possible had no effect (I made sure I updated the allowed clients table with the correct CN):
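The rejection line above names the file the daemon looked for, and it is a relative path ("ccd/..."), which OpenVPN resolves against the daemon's working directory rather than against /. As an added example (not code from the thread or the firmware), the shell snippet below pulls the CN and the file out of such lines, resolves the file against a given working directory, and reports whether it exists there. The log excerpt and directory names are constructed for the example; the working directory is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): work out which file the OpenVPN
# server looked for when it logged a --client-config-dir rejection, and
# whether that file exists where the daemon would resolve it.
# Log excerpt and directory names below are constructed for the example.

SAMPLE_LOG=$(cat <<'EOF'
May 28 03:45:04 openvpn[1416]: 74.111.111.111:51283 TLS Auth Error: --client-config-dir authentication failed for common name 'Win-8-VMware' file='ccd/Win-8-VMware'
May 28 04:25:22 openvpn[1702]: 74.111.111.111:51339 VERIFY OK: depth=0, C=AU, CN=TestPC, name=TestPC
May 28 04:25:25 openvpn[1702]: 74.111.111.111:51339 TLS Auth Error: --client-config-dir authentication failed for common name 'TestPC' file='ccd/TestPC'
May 28 04:25:28 openvpn[1702]: 74.111.111.111:51339 SENT CONTROL [TestPC]: 'AUTH_FAILED' (status=1)
EOF
)

# Read a log on stdin; print "CN FILE" for every ccd rejection.
# (CNs containing spaces are not handled by this simple split.)
ccd_rejections() {
    sed -n "s/.*--client-config-dir authentication failed for common name '\([^']*\)' file='\([^']*\)'.*/\1 \2/p"
}

# A relative client-config-dir (the "ccd/..." seen in the log) is resolved
# against the daemon's working directory, not against /.
resolve_ccd_file() {   # $1 = daemon working directory, $2 = file= value from the log
    case $2 in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "${1%/}" "$2" ;;
    esac
}

# For each rejection on stdin print: CN  resolved-path  present|MISSING
check_ccd_rejections() {   # $1 = daemon working directory
    ccd_rejections | while read -r cn file; do
        path=$(resolve_ccd_file "$1" "$file")
        if [ -f "$path" ]; then state=present; else state=MISSING; fi
        printf '%s %s %s\n' "$cn" "$path" "$state"
    done
}

# Demo: the operator dropped TestPC into /ccd, but the daemon resolves
# "ccd/TestPC" relative to its own working directory (assumed here), so
# both clients still show MISSING until the file is put where it looks.
demo() {
    root=$(mktemp -d)
    daemon_cwd="$root/etc/openvpn/server1"   # assumed working directory
    mkdir -p "$root/ccd" "$daemon_cwd"
    printf 'ifconfig-push 10.8.0.10 10.8.0.9\n' > "$root/ccd/TestPC"

    echo "files in /ccd, daemon cwd $daemon_cwd:"
    printf '%s\n' "$SAMPLE_LOG" | check_ccd_rejections "$daemon_cwd"

    mkdir -p "$daemon_cwd/ccd"
    cp "$root/ccd/TestPC" "$daemon_cwd/ccd/TestPC"
    echo "after copying to $daemon_cwd/ccd:"
    printf '%s\n' "$SAMPLE_LOG" | check_ccd_rejections "$daemon_cwd"

    rm -rf "$root"
}

demo
```

Run it against the real syslog with the directory the daemon was started in (or the one given to --cd); a CN that shows MISSING while the file sits in some other "ccd" directory is exactly the symptom in this thread.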

Code:
May 28 04:25:12 openvpn[1702]: TCP connection established with [AF_INET]74.---.---.---:51339
May 28 04:25:12 openvpn[1702]: 74.---.---.---:51339 TLS: Initial packet from [AF_INET]74.---.---.---:51339, sid=b8c299aa 31b1cd57
May 28 04:25:15 kernel: printk: 1033 messages suppressed.
May 28 04:25:15 kernel: protocol 0000 is buggy, dev eth1
May 28 04:25:20 kernel: printk: 969 messages suppressed.
May 28 04:25:20 kernel: protocol 0000 is buggy, dev eth1
May 28 04:25:22 openvpn[1702]: 74.---.---.---:51339 VERIFY OK: depth=1, C=AU, ST=NSW, L=Sydney, O=Silence-Home, OU=Home-VPN, CN=RT-AC66U, name=RT-AC66U, emailAddress=POQ-Silence@live.com
May 28 04:25:22 openvpn[1702]: 74.---.---.---:51339 VERIFY OK: depth=0, C=AU, ST=NSW, L=Sydney, O=Silence, OU=HomeVPN, CN=TestPC, name=TestPC, emailAddress=POQ-Silence@live.com
May 28 04:25:25 kernel: printk: 979 messages suppressed.
May 28 04:25:25 kernel: protocol 0000 is buggy, dev eth2
May 28 04:25:25 openvpn[1702]: 74.---.---.---:51339 TLS Auth Error: --client-config-dir authentication failed for common name 'TestPC' file='ccd/TestPC'
May 28 04:25:26 openvpn[1702]: 74.---.---.---:51339 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
May 28 04:25:26 openvpn[1702]: 74.---.---.---:51339 [TestPC] Peer Connection Initiated with [AF_INET]74.---.---.---:51339
May 28 04:25:28 openvpn[1702]: 74.---.---.---:51339 PUSH: Received control message: 'PUSH_REQUEST'
May 28 04:25:28 openvpn[1702]: 74.---.---.---:51339 Delayed exit in 5 seconds
May 28 04:25:28 openvpn[1702]: 74.---.---.---:51339 SENT CONTROL [TestPC]: 'AUTH_FAILED' (status=1)
May 28 04:25:28 openvpn[1702]: 74.---.---.---:51339 Connection reset, restarting [0]
May 28 04:25:28 openvpn[1702]: 74.---.---.---:51339 SIGUSR1[soft,connection-reset] received, client-instance restarting
 
No other idea personally, as I'm not an OpenVPN expert, and I never worked with CN-based authentication.
 
Well this ain't good

No other idea personally, as I'm not an OpenVPN expert, and I never worked with CN-based authentication.

Should I post about it on the OpenVPN forums?
Even though the VPN here is apparently based off Tomato's, I can't find anything that shows how to do it on the Tomato routers (and I've got an old one lying around somewhere), even though they also have a very similar function apparently (version specific).

The information just doesn't seem to publicly exist!

Does anyone else here know how to make this behave?
 
Hello,

I think you have the same problem as in here: http://openvpn.net/archive/openvpn-users/2006-04/msg00083.html

The OpenVPN server daemon doesn't find the file ''ccd/Win-8-VMware''.

I'd make sure that the ccd folder is in the correct place.

Try to add:

Code:
client-config-dir /ccd

in the custom configuration, or replace /ccd with the correct location.

I WinSCP'd into my router and can't find /ccd anywhere at all....
I guess the issue is where does the folder go and what needs to go in it...
Can I put it anywhere as long as I give the path to the folder?

I'm gonna throw a topic on the OpenVPN forums as well to broaden my audience.
 
The firmware creates the ccd directory dynamically in ram, in:

Code:
/etc/openvpn/server1/ccd

Try looking there while the server is running.
 
The firmware creates the ccd directory dynamically in ram, in:

Code:
/etc/openvpn/server1/ccd

Try looking there while the server is running.

If that directory exists on a storage medium like jffs, will the router load that into RAM?

EDIT:
FIXED! GOT IT WORKING!
I got it working by putting the required files in with WinSCP and, instead of using the radio button option to turn on the allowed clients list, I used the ccd-based auth mode command line option in the config field. That worked till a reboot, when it cleared the files, so I put them on the USB HDD and specified the path of the ccd folder, and now it works fine.
-KS-Silence[AU] said:
If that directory exists on a storage medium like jffs, will the router load that into RAM?

No. The router creates it in that specific location, and will expect the settings to be stored there.
 
Edited my last post in case you didn't notice. The issue of the router expecting things to be in a certain location can be dealt with easily, just put:
Code:
client-config-dir <path to directory>
in the OpenVPN server config box under advanced settings.



Now I just need to somehow make it so that even if the certificates and keys the client has are valid and the CN is whitelisted, if the connection comes from a certain IP it's allowed and any other IP is refused... (say someone breaks in and steals the PC, they won't be able to connect because of the different IP).

Not expecting anyone here to know but if they do it helps, I also posted about this on the OpenVPN forums....

(Why am I going to all this trouble? As part of my Sys Admin diploma course we have to do a Secure VPN assessment [open book], and I want to make my home network VPN very secure anyway, so why not do both in one go?)

Once I get that IP auth bit worked out then everything is done :p
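Both of the wants in this thread (a whitelist of CNs that can also fix each client's tunnel address, and refusing a valid certificate that arrives from the wrong public IP) map onto plain OpenVPN options: a per-CN file in the client-config-dir can carry ifconfig-push, ccd-exclusive rejects any CN without such a file, and a --client-connect script can refuse a whitelisted CN whose source address is not the one pinned for it. The script below is that last check, written as an added example (not the thread's or the firmware's code). OpenVPN runs a client-connect script with common_name and trusted_ip in the environment and treats a non-zero exit as a rejection; the demo at the bottom only simulates those calls. Directory paths, CNs, addresses and the net30 topology of the ifconfig-push line are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the firmware): an OpenVPN
# --client-connect script that accepts a client only when its certificate CN
# is whitelisted (has a ccd file) AND it connects from a source IP pinned for
# that CN. The server exports common_name and trusted_ip before running it.
# Directory paths, CNs and addresses are constructed for the example.
#
# Server-side lines this pairs with (paths are assumptions):
#   script-security 2
#   client-config-dir /jffs/openvpn/ccd
#   ccd-exclusive
#   client-connect /jffs/scripts/ovpn-source-check.sh

CCD_DIR=${CCD_DIR:-/jffs/openvpn/ccd}             # per-CN OpenVPN ccd files
ALLOW_DIR=${ALLOW_DIR:-/jffs/openvpn/allowed-ip}  # per-CN list of permitted source IPs

# Returns 0 when CN $1 has a ccd file (mirrors what ccd-exclusive enforces).
cn_whitelisted() {
    [ -f "$CCD_DIR/$1" ]
}

# Returns 0 when source address $2 is listed, whole-line, for CN $1.
# A CN with no list file is denied: fail closed.
source_allowed() {
    [ -f "$ALLOW_DIR/$1" ] || return 1
    grep -qxF -- "$2" "$ALLOW_DIR/$1"
}

# Decision the --client-connect script returns (0 = accept, 1 = reject).
client_connect_check() {
    cn=${common_name:?}
    ip=${trusted_ip:?}
    if ! cn_whitelisted "$cn"; then
        echo "reject $cn from $ip: no ccd entry" >&2
        return 1
    fi
    if ! source_allowed "$cn" "$ip"; then
        echo "reject $cn from $ip: source not pinned for this CN" >&2
        return 1
    fi
    echo "accept $cn from $ip" >&2
    return 0
}

# Demo: whitelist TestPC with a fixed tunnel address (net30 topology assumed:
# local address, then the peer address of its /30) and one permitted public
# IP; Win-8-VMware gets no ccd file. Then simulate three connection attempts.
demo() {
    root=$(mktemp -d)
    CCD_DIR="$root/ccd"
    ALLOW_DIR="$root/allowed-ip"
    mkdir -p "$CCD_DIR" "$ALLOW_DIR"
    printf 'ifconfig-push 10.8.0.10 10.8.0.9\n' > "$CCD_DIR/TestPC"
    printf '203.0.113.5\n' > "$ALLOW_DIR/TestPC"

    for attempt in 'TestPC 203.0.113.5' 'TestPC 198.51.100.7' 'Win-8-VMware 203.0.113.5'; do
        set -- $attempt
        ( common_name=$1; trusted_ip=$2; client_connect_check ) || true
    done
    rm -rf "$root"
}

demo
```

Pinning on trusted_ip only helps for clients whose public address is fixed, and it is no substitute for revoking a stolen certificate (crl-verify); treat it as one more layer on top of the CN whitelist rather than the control.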
Hi,

I added to textbox:
Code:
client-config-dir /etc/openvpn/server2/ccd

And set:
Code:
Allow only specified clients to YES

And add one allowed user.

But I get an error (username and password are correct):
Code:
Sat Mar 10 08:42:17 2018 OpenVPN 2.4.5 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar  1 2018
Sat Mar 10 08:42:17 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Sat Mar 10 08:42:17 2018 library versions: OpenSSL 1.1.0f  25 May 2017, LZO 2.10
Enter Management Password:
Sat Mar 10 08:42:18 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]myIP:1195
Sat Mar 10 08:42:18 2018 UDP link local: (not bound)
Sat Mar 10 08:42:18 2018 UDP link remote: [AF_INET]myIP:1195
Sat Mar 10 08:42:18 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Mar 10 08:42:19 2018 [RT-AC68U] Peer Connection Initiated with [AF_INET]myIP:1195
Sat Mar 10 08:42:20 2018 AUTH: Received control message: AUTH_FAILED
Sat Mar 10 08:42:20 2018 SIGUSR1[soft,auth-failure] received, process restarting
Sat Mar 10 08:42:33 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]myIP:1195
Sat Mar 10 08:42:33 2018 UDP link local: (not bound)
Sat Mar 10 08:42:33 2018 UDP link remote: [AF_INET]myIP:1195
Sat Mar 10 08:42:33 2018 [RT-AC68U] Peer Connection Initiated with [AF_INET]myIP:1195
Sat Mar 10 08:42:34 2018 AUTH: Received control message: AUTH_FAILED
Sat Mar 10 08:42:34 2018 SIGUSR1[soft,auth-failure] received, process restarting


How do I fix it? I want to set a specific IP for a specific user.
 