OpenVPN bug ccd/client

Laxarus

Regular Contributor
Hello,
I was trying to set up a two-way site2site OpenVPN server and noticed a particular bug or configuration mistake.
RT-AC5300 with merlin fw 386.3_2 as openvpn server
RT-AX86U with merlin fw 386.4 as openvpn client.

I used server 2 since server 1 was in use.
I have created a user from the VPN Server menu and set up my VPN server with the "Allow only specified clients" setting, then I used the newly created username on it. However, I got an authorization failure on the client side when trying to connect to the server. When I looked at the logs on the server, I noticed an error line like this:

Jan 15 14:37:42 ovpn-server2[10325]: 176.232.59.7:27913 TLS Auth Error: --client-config-dir authentication failed for common name 'client' file='ccd/client'

It appears that the VPN server CN setting is not relayed correctly, since it is looking for 'ccd/client'; however, it should look for 'ccd/Guneycity', since that was the CN I assigned.

I have created another entry under the "Allowed Clients" and named it client. This time my VPN client successfully connected.

I am not sure if this is fixed in the latest version; if not, I would like to report it @RMerlin, and I cannot access the server side since I am not on site.

I hope this will be helpful. I can provide more logs if requested.
 

eibgrad

Part of the Furniture
If you're using the certs and keys auto-generated by the router for the OpenVPN server, then the CN (Common Name) is client (it's part of the cert). You can't change this unless you generate your own certs and keys using EASY-RSA. Is that what you did?
 

eibgrad

Part of the Furniture
BTW, post your entire OpenVPN server configuration page so we can see exactly how you configured it. There are so many options available, and depending on how you set them can greatly change how it works wrt authentication.

In fact, let's cut to the chase, dump the configuration file as well.

Code:
cat /tmp/etc/openvpn/server2/config.ovpn
 

Laxarus

Regular Contributor
This is the configuration:
Bash:
daemon ovpn-server2
topology subnet
server 10.16.0.0 255.255.255.0
proto tcp-server
port 1195
dev tun22
txqueuelen 1000
data-ciphers CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
client-config-dir ccd
client-to-client
ccd-exclusive
route 192.168.50.0 255.255.255.0
route 192.168.50.0 255.255.255.0
push "dhcp-option DOMAIN laxhome.org"
push "dhcp-option DNS 192.168.1.45"
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DNS 192.168.1.1"
tls-auth static.key 1
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up 'ovpn-up 2 server'
down 'ovpn-down 2 server'
status-version 2
status status 5

And the screenshots: [attached screenshot not reproduced]

I am using the Guneycity username and password to connect to the server, but if I remove "client" from the "Allowed Clients" it fails to authenticate.
The certs are auto generated.
 

eibgrad

Part of the Furniture
Try adding the following directive to the OpenVPN server custom config field and see if you can now remove the entry for 'client'.

Code:
username-as-common-name

I'm assuming Guneycity is indeed a valid username.
 

Laxarus

Regular Contributor
Try adding the following directive to the OpenVPN server custom config field and see if you can now remove the entry for 'client'.

Code:
username-as-common-name

I'm assuming Guneycity is indeed a valid username.
That did the trick. Thanks.
However, logically you should not need any custom config at all if you add this CN to the list, right?
 

eibgrad

Part of the Furniture
That did the trick. Thanks.
However, logically you should not need any custom config at all if you add this CN to the list, right?

Yes, but YOU insisted on distinguishing the user based on the username, when the default is the CN of the client's cert, which is 'client'. We added the username-as-common-name directive to override that default and satisfy your preference for username.
 
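The lookup eibgrad describes, as an added example that is not part of the thread or of the router firmware: a small POSIX sh model of how OpenVPN picks the ccd file name (cert CN by default, the authenticated username once username-as-common-name is set) and how ccd-exclusive then admits or rejects the client. The config files, the ccd directory and the two helper functions are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): model OpenVPN's ccd lookup under
# ccd-exclusive, with and without username-as-common-name, against a
# constructed server config and ccd directory in a temp dir.
set -eu

# Name OpenVPN uses for the ccd file: the certificate CN by default, or the
# auth-pam username when username-as-common-name is present in the config.
effective_cn() {  # $1=config file  $2=cert CN  $3=authenticated username
    if grep -qx 'username-as-common-name' "$1"; then
        printf '%s\n' "$3"
    else
        printf '%s\n' "$2"
    fi
}

# Admission decision: with ccd-exclusive a ccd file named after the
# effective CN must exist; without it a missing file is not an error.
ccd_decision() {  # $1=config file  $2=ccd dir  $3=cert CN  $4=username
    cn=$(effective_cn "$1" "$3" "$4")
    if [ -f "$2/$cn" ]; then
        printf 'accept (ccd/%s)\n' "$cn"
    elif grep -qx 'ccd-exclusive' "$1"; then
        # Mirrors the server-side log line quoted in the first post.
        printf 'reject (--client-config-dir authentication failed for common name %s)\n' "$cn"
    else
        printf 'accept (no ccd file, ccd-exclusive not set)\n'
    fi
}

# Constructed fixture: one "Allowed Clients" entry named Guneycity, and the
# router's auto-generated client cert whose CN is 'client'.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/ccd"
: > "$WORK/ccd/Guneycity"
printf 'client-config-dir ccd\nccd-exclusive\n' > "$WORK/server.conf"
printf 'client-config-dir ccd\nccd-exclusive\nusername-as-common-name\n' \
    > "$WORK/server-fixed.conf"

# Stock config: the CN 'client' is looked up, ccd/client is missing, reject.
ccd_decision "$WORK/server.conf" "$WORK/ccd" client Guneycity
# With the directive the PAM username selects ccd/Guneycity instead, accept.
ccd_decision "$WORK/server-fixed.conf" "$WORK/ccd" client Guneycity
```

Without the directive every holder of the router-generated cert shares the single CN 'client', so a ccd/client entry admits all of them regardless of which username they authenticate with.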
