How do I correctly configure the "Allowed Clients" table for OpenVPN? HELP!

Discussion in 'Asuswrt-Merlin' started by -KS-Silence[AU], May 27, 2013.

  1. -KS-Silence[AU]

    -KS-Silence[AU] Occasional Visitor

    Joined:
    May 27, 2013
    Messages:
    22
    Hello guys, bit of an issue here....

    I already know how to get a secured OpenVPN server running that does NOT use a white/blacklist, and that works fine. What I can't work out is why, when I turn on whitelisting in the GUI ("Allow only specified clients") and fill in the field, NOT a single client can successfully connect. They ALL get rejected at what appears to be the final stage of connecting, with a PUSH request and an authentication failure, and some errors in the log that I don't understand.

    Here is a screenshot of:
    the Server settings on the left hand side
    Client Log in the top right portion of the screen on the remote computer
    Relevant portion of Server log in notepad in the bottom right of my screen

    (If the screenshot fails to load, just copy and paste the link into a new browser tab and it will load... it's way too big to be uploaded as an attachment at ~1920x1080 and ~500 KB)
    (alternate image link: https://www.dropbox.com/s/jvccxte8xl91hq8/VPN Access control not working.JPG click image to zoom)

    I have no idea how to do router scripting or anything like that, if any is required... Chances are it's something totally obvious to you, and I'm totally oblivious to it....

    Thanks...

    -Alex
     
    Last edited: May 27, 2013
  3. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    14,338
    Location:
    Canada
    Try increasing OpenVPN logging. Through SSH/Telnet:

    Code:
    nvram set vpn_loglevel=9
    nvram commit
    
    (log level can go up to 15, but I suspect that going THAT high will generate more noise than useful info)

    Then restart the OpenVPN servers. See what you get in syslog when you try to connect.

    To revert it back, set loglevel to 3.
     
  4. -KS-Silence[AU]

    -KS-Silence[AU] Occasional Visitor

    Joined:
    May 27, 2013
    Messages:
    22
    Here's a very long logfile for you....

    Erm, is this what you want? Sounds like level 9 might be a bit too verbose??
    WARNING! Very Very Very Very LONG log in attached file!
    (that's only the relevant bit.... some 93900 characters....)
     

  5. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    14,338
    Location:
    Canada
    At least it confirms that the cn part is what is being rejected:

    Code:
    May 28 03:45:04 openvpn[1416]: 74.111.111.111:51283 TLS Auth Error: --client-config-dir authentication failed for common name 'Win-8-VMware' file='ccd/Win-8-VMware'
    
    I would try using a CN without any dash in it to see if it works better.
     
    Last edited: May 27, 2013
  6. -KS-Silence[AU]

    -KS-Silence[AU] Occasional Visitor

    Joined:
    May 27, 2013
    Messages:
    22
    Same as before

    Well, trying new certs and stuff without a - in the CNs and other fields where possible had no effect (I made sure I updated the allowed clients table with the correct CN):

    Code:
    May 28 04:25:12 openvpn[1702]: TCP connection established with [AF_INET]74.---.---.---:51339
    May 28 04:25:12 openvpn[1702]: 74.---.---.---:51339 TLS: Initial packet from [AF_INET]74.---.---.---:51339, sid=b8c299aa 31b1cd57
    May 28 04:25:15 kernel: printk: 1033 messages suppressed.
    May 28 04:25:15 kernel: protocol 0000 is buggy, dev eth1
    May 28 04:25:20 kernel: printk: 969 messages suppressed.
    May 28 04:25:20 kernel: protocol 0000 is buggy, dev eth1
    May 28 04:25:22 openvpn[1702]: 74.---.---.---:51339 VERIFY OK: depth=1, C=AU, ST=NSW, L=Sydney, O=Silence-Home, OU=Home-VPN, CN=RT-AC66U, name=RT-AC66U, emailAddress=POQ-Silence@live.com
    May 28 04:25:22 openvpn[1702]: 74.---.---.---:51339 VERIFY OK: depth=0, C=AU, ST=NSW, L=Sydney, O=Silence, OU=HomeVPN, CN=TestPC, name=TestPC, emailAddress=POQ-Silence@live.com
    May 28 04:25:25 kernel: printk: 979 messages suppressed.
    May 28 04:25:25 kernel: protocol 0000 is buggy, dev eth2
    May 28 04:25:25 openvpn[1702]: 74.---.---.---:51339 TLS Auth Error: --client-config-dir authentication failed for common name 'TestPC' file='ccd/TestPC'
    May 28 04:25:26 openvpn[1702]: 74.---.---.---:51339 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    May 28 04:25:26 openvpn[1702]: 74.---.---.---:51339 [TestPC] Peer Connection Initiated with [AF_INET]74.---.---.---:51339
    May 28 04:25:28 openvpn[1702]: 74.---.---.---:51339 PUSH: Received control message: 'PUSH_REQUEST'
    May 28 04:25:28 openvpn[1702]: 74.---.---.---:51339 Delayed exit in 5 seconds
    May 28 04:25:28 openvpn[1702]: 74.---.---.---:51339 SENT CONTROL [TestPC]: 'AUTH_FAILED' (status=1)
    May 28 04:25:28 openvpn[1702]: 74.---.---.---:51339 Connection reset, restarting [0]
    May 28 04:25:28 openvpn[1702]: 74.---.---.---:51339 SIGUSR1[soft,connection-reset] received, client-instance restarting
     
    Last edited: May 27, 2013
  7. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    14,338
    Location:
    Canada
    No other idea personally, as I'm not an OpenVPN expert, and I never worked with CN-based authentication.
     
  8. -KS-Silence[AU]

    -KS-Silence[AU] Occasional Visitor

    Joined:
    May 27, 2013
    Messages:
    22
    Well, this ain't good.

    Should I post about it on the OpenVPN forums?
    Even though the VPN here is apparently based off of Tomato's, I can't find anything that shows how to do it on the Tomato routers (and I've got an old one lying around somewhere), even though they also have a very similar function apparently (version specific).

    The information just doesn't seem to publicly exist!

    Does anyone else here know how to make this behave?
     
  9. Brouno

    Brouno Occasional Visitor

    Joined:
    May 3, 2013
    Messages:
    30
    Hello,

    I think you get the same problem as in here: http://openvpn.net/archive/openvpn-users/2006-04/msg00083.html

    The openvpn server daemon doesn't find the file 'ccd/Win-8-VMware'.

    I'll try to be sure that the ccd folder is at the correct place.

    Try to add:
    client-config-dir /ccd

    in the custom configuration

    or replace /ccd with the correct location
     
    Last edited: May 29, 2013
  10. -KS-Silence[AU]

    -KS-Silence[AU] Occasional Visitor

    Joined:
    May 27, 2013
    Messages:
    22
    I'll give that a shot, thanks for the tip Brouno!
     
  11. -KS-Silence[AU]

    -KS-Silence[AU] Occasional Visitor

    Joined:
    May 27, 2013
    Messages:
    22
    I WinSCP'd my router and can't find /ccd anywhere at all....
    I guess the issue is where does the folder go and what needs to go in it...
    Can I put it anywhere as long as I give the path to the folder?

    I'm gonna throw a topic on the OpenVPN forums as well to broaden my audience.
     
  12. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    14,338
    Location:
    Canada
    The firmware creates the ccd directory dynamically in ram, in:

    Code:
    /etc/openvpn/server1/ccd
    
    Try looking there while the server is running.
     
  13. -KS-Silence[AU]

    -KS-Silence[AU] Occasional Visitor

    Joined:
    May 27, 2013
    Messages:
    22
    If that directory exists on a storage medium like jffs will the router load that into ram?

    EDIT:
    FIXED! GOT IT WORKING!
    I got it working by putting the required files in with WinSCP and, instead of using the radio button option to turn on the allowed clients list, I used the ccd-based auth mode command line option in the config field. That worked until a reboot, when it cleared the files, so I put them on the USB HDD and specified the path of the ccd folder, and now it works fine.
     
    Last edited: Jun 3, 2013
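    Brouno's hint and the two posts above describe how the "Allow only specified clients" option actually works: OpenVPN looks in its client-config-dir for a file named exactly like the certificate's CN, and when that file is missing it rejects the client with the "--client-config-dir authentication failed" line seen in the logs (the ccd-exclusive behaviour). The POSIX shell script below is an added example, not code from this thread or from the Asuswrt-Merlin firmware. It builds such a directory under a temporary path (a stand-in for /etc/openvpn/server1/ccd), prints the two server directives that turn the directory into a whitelist, and reproduces the allow/reject decision so the failure mode can be checked before touching the router. The CN names and the per-client directive are constructed sample values.

```shell
#!/bin/sh
# Added example: simulate OpenVPN's client-config-dir whitelist (ccd-exclusive).
# CCD_DIR stands in for the firmware's runtime directory /etc/openvpn/server1/ccd;
# a temporary directory is used here so the demo runs anywhere.
CCD_DIR="${CCD_DIR:-$(mktemp -d)}"

# Whitelist one certificate CN: create a file named after the CN.
# Extra arguments are written into the file as per-client directives.
ccd_allow() {
    cn="$1"
    shift
    : > "$CCD_DIR/$cn"                       # an empty file is enough to allow the CN
    for line in "$@"; do
        printf '%s\n' "$line" >> "$CCD_DIR/$cn"
    done
}

# Mirror the server-side decision: with ccd-exclusive, a CN that has no file
# in the directory is rejected ("--client-config-dir authentication failed").
ccd_check() {
    if [ -f "$CCD_DIR/$1" ]; then
        echo "ALLOW $1"
        return 0
    fi
    echo "REJECT $1: no file $CCD_DIR/$1"
    return 1
}

# The two lines to put in the server's custom configuration box.
server_config() {
    printf 'client-config-dir %s\nccd-exclusive\n' "$CCD_DIR"
}

# Demo run with constructed CNs (subnet topology assumed for ifconfig-push).
ccd_allow TestPC "ifconfig-push 10.8.0.10 255.255.255.0"
ccd_allow Win-8-VMware
server_config
ccd_check TestPC          # allowed: file exists
ccd_check NoSuchClient    # rejected: no file for this CN
```

    Because the firmware recreates /etc/openvpn/server1/ccd in RAM on every start, files placed there vanish at reboot, which is why the fix above ended up on USB storage with client-config-dir pointed at that path. The file names must match the certificate CN exactly, case included, and an empty file is sufficient to admit a client.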
  14. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    14,338
    Location:
    Canada
    No. The router creates it in that specific location, and will expect the settings to be stored there.
     
  15. -KS-Silence[AU]

    -KS-Silence[AU] Occasional Visitor

    Joined:
    May 27, 2013
    Messages:
    22
    Edited my last post in case you didn't notice. The issue of the router expecting things to be in a certain location can be dealt with easily, just put:
    client-config-dir <path to directory>
    in the OpenVPN server config box under advanced settings.

    Now I just need to somehow make it so that even if the certificates and keys the client has are valid and the CN is whitelisted, if the connection comes from a certain IP it's allowed and any other IP is refused... (say someone breaks in and steals the PC, they won't be able to connect because of the different IP).

    Not expecting anyone here to know, but if they do it helps. I also posted about this on the OpenVPN forums....

    (Why am I going to all this trouble? As part of my Sys Admin diploma course we have to do a Secure VPN assessment [open book], and I want to make my home network VPN very secure anyway, so why not do both in one go?)

    Once I get that IP auth bit worked out then everything is done :p
     
    Last edited: Jun 3, 2013
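    The last post asks for one more check on top of the certificate and the CN whitelist: only admit a given CN when it connects from an expected source address. The thread leaves that open; the script below is an added example, not from the thread or the firmware, of one way to do it with OpenVPN's client-connect hook. OpenVPN exports common_name and trusted_ip to the hook's environment and refuses the connection when the hook exits non-zero, so the hook can compare the pair against an allowlist. The allowlist path and format, the script path, and the addresses used in the demo are all assumptions or constructed values.

```shell
#!/bin/sh
# Added example: OpenVPN client-connect hook that binds a certificate CN to an
# expected source address. OpenVPN exports common_name and trusted_ip to the
# hook; a non-zero exit refuses the connection.
# Server configuration needed (script path is an assumption):
#   script-security 2
#   client-connect /jffs/openvpn/check-source.sh

# Allowlist location is an assumption; one "<cn> <ip>" pair per line.
ALLOWLIST="${ALLOWLIST:-/jffs/openvpn/allowed_sources}"

# Return 0 when the (cn, ip) pair is listed, 1 otherwise.
# A missing or unreadable allowlist also rejects (fail closed).
source_allowed() {
    cn="$1"
    ip="$2"
    [ -r "$ALLOWLIST" ] || return 1
    awk -v cn="$cn" -v ip="$ip" '
        /^#/ || NF < 2 { next }            # skip comments and short lines
        $1 == cn && $2 == ip { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$ALLOWLIST"
}

# Build a constructed allowlist in a temporary file (demo input only).
make_demo_allowlist() {
    f=$(mktemp)
    printf '# cn          source ip\nTestPC        203.0.113.5\nWin-8-VMware  203.0.113.5\n' > "$f"
    echo "$f"
}

# Entry point when OpenVPN invokes the hook: decide, log to syslog, exit.
if [ -n "$common_name" ] && [ -n "$trusted_ip" ]; then
    if source_allowed "$common_name" "$trusted_ip"; then
        logger -t openvpn-src "ALLOW $common_name from $trusted_ip"
        exit 0
    fi
    logger -t openvpn-src "REJECT $common_name from $trusted_ip"
    exit 1
fi

# Stand-alone demo (the OpenVPN branch above is skipped outside the daemon).
ALLOWLIST=$(make_demo_allowlist)
source_allowed TestPC 203.0.113.5   && echo "TestPC from 203.0.113.5: allowed"
source_allowed TestPC 198.51.100.7  || echo "TestPC from 198.51.100.7: rejected"
```

    The hook runs only after the certificate and the client-config-dir check have already passed, so it adds a third condition rather than replacing the first two. trusted_ip is the address the packets really arrive from, which for a remote client is its public address, so the check only helps for clients with fixed public addresses; a device taken and used from the same network as before would still pass it.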