Koozali.org: home of the SME Server

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm

Offline AndrewR

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm
« Reply #150 on: December 20, 2006, 06:40:55 PM »
Quote from: "imcintyre"
Vip-ire;

A question about the keys and certificates. When I give a new person VPN access, I have been giving them user.key, user.crt, ca.crt, ta.key, and VPN.ovpn.

Do they need all of this? I had a paranoid moment that I may be creating a security issue.

Thx in advance for your help.

Ian


Ian,

Those keys are necessary... and in this case, it's because of paranoia that they all are. Without them, they can't have access... and the way the contrib is set up, all it's doing is giving them an address on your network. To further secure your network and file shares, you can then create additional security / group policy.

To give you an idea, this is how OVPN is being used in our office:

OVPN clients connect and establish a connection. From there, the users in question connect to their machines via RDP, and within those remote sessions, they access printers, file shares, etc., using our existing AD structure. Seeing as we didn't want to provide everyone with laptops, when they use their personal machines, this affords us some security. While it is true that the users still could connect to the network from home, not without a great deal of savvy, and it's better than opening up ports for RDP for each machine (and much easier to manage).

If you don't want to be distributing so many files, consider using one of the other 3 levels of security in the OVPN server bridge panel. Honestly, unless you have a good reason not to, go with #4 (the default) as it is the most secure.

Hope this helps.

Offline Daniel B.

Firewall Services, network security
[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm
« Reply #151 on: December 20, 2006, 06:49:08 PM »
Quote from: "imcintyre"
Vip-ire;

A question about the keys and certificates. When I give a new person VPN access, I have been giving them user.key, user.crt, ca.crt, ta.key, and VPN.ovpn.

Do they need all of this? I had a paranoid moment that I may be creating a security issue.

Thx in advance for your help.

Ian


Yes, they need all these files. You shouldn't be too worried about the security (especially if you're using auth method 4). I've worked a lot on this part. It's protected against a client trying to spoof the server (with the verification of the type and the CN of the server certificate) and some other attacks.
Of course, you need to take care of the way you distribute these files; for example, you should never send them by email. The best is to download these files directly from the server-manager on the PC, and to be sure there's no Windows share activated. Restrict the permissions on these files to the user account (with NTFS permissions). And don't forget to have a firewall/AV on.
The only problem then is if one of your allowed clients loses his laptop, for example: someone has all the needed certificates and keys, but:

- he still needs the password of the user
- you can and you should immediately revoke this certificate

With this, there's no real danger; you just have to react quickly if someone tells you he may have lost his certificate.

I'd like to implement a new security option in the next version:
- every certificate has an email address associated (the email address of the user who will use the certificate)
- each time a client connects, he is sent an email telling him he is connected

So, when a client receives an email while he's not connected, he can immediately warn the admin.

I'd also like to regularly parse the log, extract all the connection information and enter it in a mysql database; then with something like rrd, we could see the activity of each client.

I don't know when it'll be ready, and if others think these are good ideas, but I think I'll implement this as an option.
It's the end of the world!!! :lol:

Offline AndrewR

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm
« Reply #152 on: December 20, 2006, 06:54:23 PM »
Quote from: "VIP-ire"

I'd like to implement a new security option in the next version:
- every certificate has an email address associated (the email address of the user who will use the certificate)
- each time a client connects, he is sent an email telling him he is connected

So, when a client receives an email while he's not connected, he can immediately warn the admin.

I'd also like to regularly parse the log, extract all the connection information and enter it in a mysql database; then with something like rrd, we could see the activity of each client.

I don't know when it'll be ready, and if others think these are good ideas, but I think I'll implement this as an option.



I like where you're going with the proposed new features.. one thing I would like to see is a "who's online" area on the panel.. basically showing who is currently connected to the VPN, and maybe their source IP (gives us a who and where type deal). Being able to track activity would be helpful too, but just getting a SQL db that I do reports from is fine.

Offline Daniel B.

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm
« Reply #153 on: December 20, 2006, 07:03:01 PM »
Well, the email function will be quite easy to implement (I think), but for the connection information, I don't know for now. I never played with mysql or rrd (just a little mysql when I was at school), so I don't know when I'll implement that; for now it's just some ideas for the future. If anyone has other ideas, you're welcome.
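An added example (not code from the contrib or from anyone in this thread) that puts the two ideas above together: a parser for the version-1 status file OpenVPN 2.0 writes for `--status <file>`, giving the "who's online" list with each client's source address, and a small sqlite3 table standing in for the MySQL database Daniel mentions, keeping the session history per client. The status file contents are constructed sample data.

```python
"""Who's-online view and per-client connection history from an OpenVPN
status file (version 1). Added example for this thread, not code from the
smeserver-openvpn-bridge contrib; sqlite3 stands in for the MySQL database
mentioned above. The status file texts below are constructed sample data."""
import sqlite3
from datetime import datetime

# Constructed sample: two clients online at the time of the snapshot.
SAMPLE_STATUS = """OpenVPN CLIENT LIST
Updated,Sat Dec 23 21:55:00 2006
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.10:1194,104857,2097152,Sat Dec 23 21:40:12 2006
bob,198.51.100.7:51234,51200,409600,Sat Dec 23 21:51:03 2006
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
00:ff:12:34:56:78,alice,203.0.113.10:1194,Sat Dec 23 21:54:58 2006
GLOBAL STATS
END
"""

# Constructed later snapshot: bob has reconnected from a different address.
SAMPLE_STATUS_LATER = """OpenVPN CLIENT LIST
Updated,Sat Dec 23 23:10:00 2006
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.10:1194,204857,3097152,Sat Dec 23 21:40:12 2006
bob,192.0.2.66:40001,1024,2048,Sat Dec 23 23:05:41 2006
ROUTING TABLE
GLOBAL STATS
END
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"  # OpenVPN's asctime-style timestamps


def parse_status_v1(text):
    """Return the CLIENT LIST section as a list of dicts; the routing table
    and global stats are ignored and malformed lines are skipped."""
    clients, in_clients = [], False
    for line in text.splitlines():
        if line.startswith("OpenVPN CLIENT LIST"):
            in_clients = True
            continue
        if line.startswith("ROUTING TABLE"):
            break
        if not in_clients or line.startswith(("Updated,", "Common Name,")):
            continue
        fields = line.split(",")
        if len(fields) != 5:
            continue
        cn, real, rx, tx, since = fields
        host, _, port = real.rpartition(":")  # real address is ip:port
        clients.append({
            "common_name": cn, "source_ip": host, "source_port": int(port),
            "bytes_received": int(rx), "bytes_sent": int(tx),
            "connected_since": datetime.strptime(since, TIME_FMT),
        })
    return clients


def whos_online(text):
    """The panel view asked for above: (common name, source IP), sorted."""
    return sorted((c["common_name"], c["source_ip"])
                  for c in parse_status_v1(text))


def new_db():
    """In-memory sqlite3 database holding the session history."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE vpn_sessions (
        common_name TEXT, source_ip TEXT, source_port INTEGER,
        connected_since TEXT, bytes_received INTEGER, bytes_sent INTEGER,
        last_seen TEXT,
        UNIQUE(common_name, source_ip, source_port, connected_since))""")
    return conn


def store_snapshot(conn, text, seen_at):
    """Record one snapshot and return the total number of sessions stored.
    A session is keyed by (CN, source address, connected-since), so reading
    the same snapshot twice refreshes counters instead of double-counting."""
    for c in parse_status_v1(text):
        conn.execute(
            "INSERT OR REPLACE INTO vpn_sessions VALUES (?,?,?,?,?,?,?)",
            (c["common_name"], c["source_ip"], c["source_port"],
             c["connected_since"].isoformat(), c["bytes_received"],
             c["bytes_sent"], seen_at))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM vpn_sessions").fetchone()[0]


def activity_per_client(conn):
    """{CN: (sessions, distinct source IPs)}. A certificate that turns up
    from several addresses is what the e-mail notification idea would flag."""
    rows = conn.execute(
        """SELECT common_name, COUNT(*), COUNT(DISTINCT source_ip)
           FROM vpn_sessions GROUP BY common_name ORDER BY common_name""")
    return {cn: (sessions, ips) for cn, sessions, ips in rows}
```

Run `store_snapshot` from cron against the server's status file, and `activity_per_client` gives the per-client view the thread asks for without touching the OpenVPN log itself.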

Offline imcintyre

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm
« Reply #154 on: December 20, 2006, 11:55:07 PM »
Thanks for the information. The extra layer of security is appreciated. I just wanted to make sure I wasn't handing out anything "extra", that could be used.

I know that the files VPN.ovpn, username.crt, and username.key are unique. Are the ta.key and ca.crt also unique for each user? I won't have the opportunity to always set up other people's machines, so I am trying to be careful with passwords/keys etc.

Vip-ire obviously this should work with the other contribs you have on your site???  I wanted to try them out.

Offline AndrewR

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm
« Reply #155 on: December 21, 2006, 12:05:39 AM »
Quote from: "imcintyre"
Thanks for the information. The extra layer of security is appreciated. I just wanted to make sure I wasn't handing out anything "extra", that could be used.

I know that the files VPN.ovpn, username.crt, and username.key are unique. Are the ta.key and ca.crt also unique for each user? I won't have the opportunity to always set up other people's machines, so I am trying to be careful with passwords/keys etc.

Vip-ire obviously this should work with the other contribs you have on your site???  I wanted to try them out.


The ta.key and ca.crt are common to all clients.. that's what allows the certificates to be authenticated etc. If those are missing from your client files, then those clients won't be able to connect.

If you haven't already.. look at the following how to:

http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package-Rev1.1.html

You can create executables that will install the OpenVPN GUI on a Windows system, and have the config files be pre-loaded into their config directory. I use this method and simply create the exe for the user, and install it onto their computer. Using this method also allows you to make sure that the setup on the user's machines is correct... without necessarily having to babysit the install.

Offline del

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm
« Reply #156 on: December 21, 2006, 02:32:27 AM »
Hi VIP-ire,

I followed your advice and changed the IP/subnet at the office and it now works according to plan :D Thank you very much.

Regards,
Del
If at first you don't succeed, then sky-diving is not for you!
"Life is like a coin. You can spend it anyway you wish, but you can only spend it once." --Author Unknown

Offline Daniel B.

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm
« Reply #157 on: December 21, 2006, 11:27:40 AM »
Quote from: "imcintyre"

Vip-ire obviously this should work with the other contribs you have on your site???  I wanted to try them out.


Well, yes, all our contribs on the site http://sme.firewall-services.com can work on the same server; there's no conflict (sme7admin, backuppc and trixbox).

Offline gerd

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm
« Reply #158 on: December 21, 2006, 02:42:49 PM »
@VIP-ire
I have installed your contrib on the office server (client installation to be done next week). My problem: during the installation of the (fresh) SME7.0 server I named the server xxxyyy.local. As we get a new IP address every night at midnight, I published a virtual domain name zzzzyyyy.dyndns.org. This domain can be pinged without problem.
But: when I controlled the server-bridge.conf file (etc/openvpn/server-bridge.conf) I found:

                  push "dhcp-option Domain xxxyyy.local".

To my understanding I will never ever be able to contact xxxyyy.local....How can I manage to have:

                  push "dhcp-option Domain zzzzyyy.dyndns.org" ?

Did I miss something during the installation procedure??

thanx in advance for your help and

"Merry Christmas and a Happy New Year"

regards

gerd

Offline Daniel B.

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm
« Reply #159 on: December 22, 2006, 10:05:50 AM »
Quote from: "gerd"
@VIP-ire
I have installed your contrib on the office server (client installation to be done next week). My problem: during the installation of the (fresh) SME7.0 server I named the server xxxyyy.local. As we get a new IP address every night at midnight, I published a virtual domain name zzzzyyyy.dyndns.org. This domain can be pinged without problem.
But: when I controlled the server-bridge.conf file (etc/openvpn/server-bridge.conf) I found:

                  push "dhcp-option Domain xxxyyy.local".

To my understanding I will never ever be able to contact xxxyyy.local....How can I manage to have:

                  push "dhcp-option Domain zzzzyyy.dyndns.org" ?

Did I miss something during the installation procedure??


It shouldn't be a problem for you. This directive is used to tell the client to search in this domain for DNS queries, because when a client connects to the server, it automatically uses the DNS of the VPN server. All the PCs behind your server use this configuration (because DHCP tells them to do so). The thing you should change is in the client configuration file, where you'll have something like:

                  remote xxxyyy.local

Just replace this with

                  remote xxxyyy.dyndns.org

and it should work.

Offline gerd

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm
« Reply #160 on: December 23, 2006, 10:18:34 PM »
It's ok.

So I made a fresh install of a SME7 server and installed your contrib, and installed the client on WinXP. I copied the key files & certificates
(ca.cert/client.cert/client.key/ta.key) and created the VPN.ovpn file as follows:

=================================================

rport 1194
proto udp
dev tap
nobind
remote xxxxyyyyy.dyndns.org 1194
tls-client
tls-auth ta.key
tls-remote server
ns-cert-type server
auth-user-pass
ca ca.crt
cert client.crt
key client.key
fragment 1400
mssfix 1450
tun-mtu-extra 32
pull
comp-lzo
verb 4

and started the openvpn client....: Connecting to VPN has failed.

The log file finally shows

==================================================

Sat Dec 23 21:50:27 2006 us=398227 Current Parameter Settings:
Sat Dec 23 21:50:27 2006 us=398313   config = 'VPN.ovpn'
Sat Dec 23 21:50:27 2006 us=398338   mode = 0
Sat Dec 23 21:50:27 2006 us=398360   show_ciphers = DISABLED
Sat Dec 23 21:50:27 2006 us=398383   show_digests = DISABLED
Sat Dec 23 21:50:27 2006 us=398406   show_engines = DISABLED
Sat Dec 23 21:50:27 2006 us=398428   genkey = DISABLED
Sat Dec 23 21:50:27 2006 us=398450   key_pass_file = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=398473   show_tls_ciphers = DISABLED
Sat Dec 23 21:50:27 2006 us=398495   proto = 0
Sat Dec 23 21:50:27 2006 us=398517   local = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=398543   remote_list[0] = {'power-be.dyndns.org', 1194}
Sat Dec 23 21:50:27 2006 us=398567   remote_random = DISABLED
Sat Dec 23 21:50:27 2006 us=398590   local_port = 1194
Sat Dec 23 21:50:27 2006 us=398611   remote_port = 1194
Sat Dec 23 21:50:27 2006 us=398633   remote_float = DISABLED
Sat Dec 23 21:50:27 2006 us=398655   ipchange = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=398678   bind_local = DISABLED
Sat Dec 23 21:50:27 2006 us=398699   dev = 'tap'
Sat Dec 23 21:50:27 2006 us=398721   dev_type = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=398743   dev_node = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=398764   tun_ipv6 = DISABLED
Sat Dec 23 21:50:27 2006 us=398786   ifconfig_local = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=398810   ifconfig_remote_netmask = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=398833   ifconfig_noexec = DISABLED
Sat Dec 23 21:50:27 2006 us=398855   ifconfig_nowarn = DISABLED
Sat Dec 23 21:50:27 2006 us=398877   shaper = 0
Sat Dec 23 21:50:27 2006 us=398898   tun_mtu = 1500
Sat Dec 23 21:50:27 2006 us=398920   tun_mtu_defined = ENABLED
Sat Dec 23 21:50:27 2006 us=398942   link_mtu = 1500
Sat Dec 23 21:50:27 2006 us=398965   link_mtu_defined = DISABLED
Sat Dec 23 21:50:27 2006 us=398987   tun_mtu_extra = 32
Sat Dec 23 21:50:27 2006 us=399010   tun_mtu_extra_defined = ENABLED
Sat Dec 23 21:50:27 2006 us=399032   fragment = 1400
Sat Dec 23 21:50:27 2006 us=399054   mtu_discover_type = -1
Sat Dec 23 21:50:27 2006 us=399076   mtu_test = 0
Sat Dec 23 21:50:27 2006 us=399097   mlock = DISABLED
Sat Dec 23 21:50:27 2006 us=399118   keepalive_ping = 0
Sat Dec 23 21:50:27 2006 us=399141   keepalive_timeout = 0
Sat Dec 23 21:50:27 2006 us=399170   inactivity_timeout = 0
Sat Dec 23 21:50:27 2006 us=399193   ping_send_timeout = 0
Sat Dec 23 21:50:27 2006 us=399216   ping_rec_timeout = 120
Sat Dec 23 21:50:27 2006 us=399239   ping_rec_timeout_action = 2
Sat Dec 23 21:50:27 2006 us=399261   ping_timer_remote = DISABLED
Sat Dec 23 21:50:27 2006 us=399283   remap_sigusr1 = 0
Sat Dec 23 21:50:27 2006 us=399306   explicit_exit_notification = 0
Sat Dec 23 21:50:27 2006 us=399328   persist_tun = DISABLED
Sat Dec 23 21:50:27 2006 us=399351   persist_local_ip = DISABLED
Sat Dec 23 21:50:27 2006 us=399374   persist_remote_ip = DISABLED
Sat Dec 23 21:50:27 2006 us=399396   persist_key = DISABLED
Sat Dec 23 21:50:27 2006 us=399418   mssfix = 1450
Sat Dec 23 21:50:27 2006 us=399442   resolve_retry_seconds = 1000000000
Sat Dec 23 21:50:27 2006 us=399465   connect_retry_seconds = 5
Sat Dec 23 21:50:27 2006 us=399515   username = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=399537   groupname = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=399559   chroot_dir = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=399581   cd_dir = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=399603   writepid = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=399625   up_script = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=399647   down_script = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=399669   down_pre = DISABLED
Sat Dec 23 21:50:27 2006 us=399691   up_restart = DISABLED
Sat Dec 23 21:50:27 2006 us=399713   up_delay = DISABLED
Sat Dec 23 21:50:27 2006 us=399735   daemon = DISABLED
Sat Dec 23 21:50:27 2006 us=399756   inetd = 0
Sat Dec 23 21:50:27 2006 us=399777   log = DISABLED
Sat Dec 23 21:50:27 2006 us=399799   suppress_timestamps = DISABLED
Sat Dec 23 21:50:27 2006 us=399821   nice = 0
Sat Dec 23 21:50:27 2006 us=399841   verbosity = 4
Sat Dec 23 21:50:27 2006 us=491011   mute = 0
Sat Dec 23 21:50:27 2006 us=491028   gremlin = 0
Sat Dec 23 21:50:27 2006 us=491037   status_file = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=491045   status_file_version = 1
Sat Dec 23 21:50:27 2006 us=491054   status_file_update_freq = 60
Sat Dec 23 21:50:27 2006 us=491062   occ = ENABLED
Sat Dec 23 21:50:27 2006 us=491070   rcvbuf = 0
Sat Dec 23 21:50:27 2006 us=491078   sndbuf = 0
Sat Dec 23 21:50:27 2006 us=491087   socks_proxy_server = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=491100   socks_proxy_port = 0
Sat Dec 23 21:50:27 2006 us=491108   socks_proxy_retry = DISABLED
Sat Dec 23 21:50:27 2006 us=491116   fast_io = DISABLED
Sat Dec 23 21:50:27 2006 us=491124   comp_lzo = ENABLED
Sat Dec 23 21:50:27 2006 us=491133   comp_lzo_adaptive = ENABLED
Sat Dec 23 21:50:27 2006 us=491142   route_script = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=491150   route_default_gateway = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=491159   route_noexec = DISABLED
Sat Dec 23 21:50:27 2006 us=491646   route_delay = 0
Sat Dec 23 21:50:27 2006 us=491657   route_delay_window = 30
Sat Dec 23 21:50:27 2006 us=491666   route_delay_defined = ENABLED
Sat Dec 23 21:50:27 2006 us=491675   management_addr = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=491683   management_port = 0
Sat Dec 23 21:50:27 2006 us=491692   management_user_pass = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=491701   management_log_history_cache = 250
Sat Dec 23 21:50:27 2006 us=491710   management_echo_buffer_size = 100
Sat Dec 23 21:50:27 2006 us=491719   management_query_passwords = DISABLED
Sat Dec 23 21:50:27 2006 us=491728   management_hold = DISABLED
Sat Dec 23 21:50:27 2006 us=491736   shared_secret_file = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=491745   key_direction = 0
Sat Dec 23 21:50:27 2006 us=491753   ciphername_defined = ENABLED
Sat Dec 23 21:50:27 2006 us=491761   ciphername = 'BF-CBC'
Sat Dec 23 21:50:27 2006 us=491770   authname_defined = ENABLED
Sat Dec 23 21:50:27 2006 us=503701   authname = 'SHA1'
Sat Dec 23 21:50:27 2006 us=503713   keysize = 0
Sat Dec 23 21:50:27 2006 us=503721   engine = DISABLED
Sat Dec 23 21:50:27 2006 us=503729   replay = ENABLED
Sat Dec 23 21:50:27 2006 us=503738   mute_replay_warnings = DISABLED
Sat Dec 23 21:50:27 2006 us=503746   replay_window = 64
Sat Dec 23 21:50:27 2006 us=503812   replay_time = 15
Sat Dec 23 21:50:27 2006 us=503821   packet_id_file = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=503829   use_iv = ENABLED
Sat Dec 23 21:50:27 2006 us=503838   test_crypto = DISABLED
Sat Dec 23 21:50:27 2006 us=503846   tls_server = DISABLED
Sat Dec 23 21:50:27 2006 us=503854   tls_client = ENABLED
Sat Dec 23 21:50:27 2006 us=503863   key_method = 2
Sat Dec 23 21:50:27 2006 us=503871   ca_file = 'ca.crt'
Sat Dec 23 21:50:27 2006 us=503879   dh_file = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=503887   cert_file = 'client.crt'
Sat Dec 23 21:50:27 2006 us=517225   priv_key_file = 'client.key'
Sat Dec 23 21:50:27 2006 us=517236   pkcs12_file = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=517245   cryptoapi_cert = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=517253   cipher_list = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=517262   tls_verify = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=517271   tls_remote = 'server'
Sat Dec 23 21:50:27 2006 us=517279   crl_file = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=517287   ns_cert_type = 64
Sat Dec 23 21:50:27 2006 us=517295   tls_timeout = 2
Sat Dec 23 21:50:27 2006 us=517304   renegotiate_bytes = 0
Sat Dec 23 21:50:27 2006 us=517312   renegotiate_packets = 0
Sat Dec 23 21:50:27 2006 us=517321   renegotiate_seconds = 3600
Sat Dec 23 21:50:27 2006 us=517329   handshake_window = 60
Sat Dec 23 21:50:27 2006 us=517338   transition_window = 3600
Sat Dec 23 21:50:27 2006 us=517346   single_session = DISABLED
Sat Dec 23 21:50:27 2006 us=517354   tls_exit = DISABLED
Sat Dec 23 21:50:27 2006 us=531336   tls_auth_file = 'ta.key'
Sat Dec 23 21:50:27 2006 us=531356   server_network = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=531366   server_netmask = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=531376   server_bridge_ip = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=531385   server_bridge_netmask = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=531395   server_bridge_pool_start = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=531405   server_bridge_pool_end = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=531415   ifconfig_pool_defined = DISABLED
Sat Dec 23 21:50:27 2006 us=531424   ifconfig_pool_start = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=531433   ifconfig_pool_end = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=531442   ifconfig_pool_netmask = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=531452   ifconfig_pool_persist_filename = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=531462   ifconfig_pool_persist_refresh_freq = 600
Sat Dec 23 21:50:27 2006 us=531471   ifconfig_pool_linear = DISABLED
Sat Dec 23 21:50:27 2006 us=531480   n_bcast_buf = 256
Sat Dec 23 21:50:27 2006 us=545465   tcp_queue_limit = 64
Sat Dec 23 21:50:27 2006 us=545476   real_hash_size = 256
Sat Dec 23 21:50:27 2006 us=545486   virtual_hash_size = 256
Sat Dec 23 21:50:27 2006 us=545495   client_connect_script = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=545504   learn_address_script = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=545513   client_disconnect_script = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=545522   client_config_dir = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=545530   ccd_exclusive = DISABLED
Sat Dec 23 21:50:27 2006 us=545538   tmp_dir = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=545547   push_ifconfig_defined = DISABLED
Sat Dec 23 21:50:27 2006 us=545557   push_ifconfig_local = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=545567   push_ifconfig_remote_netmask = 0.0.0.0
Sat Dec 23 21:50:27 2006 us=545576   enable_c2c = DISABLED
Sat Dec 23 21:50:27 2006 us=545584   duplicate_cn = DISABLED
Sat Dec 23 21:50:27 2006 us=545592   cf_max = 0
Sat Dec 23 21:50:27 2006 us=557937   cf_per = 0
Sat Dec 23 21:50:27 2006 us=557948   max_clients = 1024
Sat Dec 23 21:50:27 2006 us=557957   max_routes_per_client = 256
Sat Dec 23 21:50:27 2006 us=557966   client_cert_not_required = DISABLED
Sat Dec 23 21:50:27 2006 us=557975   username_as_common_name = DISABLED
Sat Dec 23 21:50:27 2006 us=557985   auth_user_pass_verify_script = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=558044   auth_user_pass_verify_script_via_file = DISABLED
Sat Dec 23 21:50:27 2006 us=558054   client = DISABLED
Sat Dec 23 21:50:27 2006 us=558062   pull = ENABLED
Sat Dec 23 21:50:27 2006 us=558071   auth_user_pass_file = 'stdin'
Sat Dec 23 21:50:27 2006 us=558081   show_net_up = DISABLED
Sat Dec 23 21:50:27 2006 us=558089   route_method = 0
Sat Dec 23 21:50:27 2006 us=558098   ip_win32_defined = DISABLED
Sat Dec 23 21:50:27 2006 us=558106   ip_win32_type = 3
Sat Dec 23 21:50:27 2006 us=558115   dhcp_masq_offset = 0
Sat Dec 23 21:50:27 2006 us=558123   dhcp_lease_time = 31536000
Sat Dec 23 21:50:27 2006 us=572126   tap_sleep = 0
Sat Dec 23 21:50:27 2006 us=572136   dhcp_options = DISABLED
Sat Dec 23 21:50:27 2006 us=572145   dhcp_renew = DISABLED
Sat Dec 23 21:50:27 2006 us=572154   dhcp_pre_release = DISABLED
Sat Dec 23 21:50:27 2006 us=572162   dhcp_release = DISABLED
Sat Dec 23 21:50:27 2006 us=572170   domain = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=572178   netbios_scope = '[UNDEF]'
Sat Dec 23 21:50:27 2006 us=572187   netbios_node_type = 0
Sat Dec 23 21:50:27 2006 us=572195   disable_nbt = DISABLED
Sat Dec 23 21:50:27 2006 us=572208 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Sat Dec 23 21:50:29 2006 us=732621 ERROR: could not read Auth username from stdin
Sat Dec 23 21:50:29 2006 us=732644 Exiting   :cry:

What is the meaning of: could not read Auth username from stdin ??

I used the same user name/password as in the office, so I have no idea as to the aforementioned error message. The SME 7.0 is running (24/24H). On my client laptop I switched off Zone Alarm and the antivirus soft...

Any further ideas as to the root cause of the error message??

thanx in advance & merry christmas

gerd

Offline gerd

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm
« Reply #161 on: December 24, 2006, 07:34:41 PM »
It's a complete mystery...
I just discovered that:

- my (wireless) connection to the internet is ok
  (I can ping my server in the office)
- the TAP-Win32 Adapter V8 was installed by Open VPN
  (I use OpenVPN GUI 1.03 with OpenVPN 2.09 with DHCP options).
- however, after the input of username and password the OpenVPN soft
  doesn't establish an internet connection... the symbol of the
  TAP-Win32 adapter remains inactive.
- The error message from my previous mail remains the same, even if I
   switch off the internet connection.

Seems that I first have a local problem which needs to be solved. But I have no idea yet where to look for the error.  :(

regards

gerd

Offline gerd

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm
« Reply #162 on: December 25, 2006, 12:51:12 PM »
In order to exclude any error whatsoever, I made a fresh installation of WinXP SP2 on my laptop and installed OpenVPN. Then I created the VPN.ovpn file, installed it in the config file and added to it the ca.cert, client.crt, client.key and ta.key.

But no way out:

Mon Dec 25 12:23:06 2006 us=902832   ifconfig_pool_persist_filename = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=902842   ifconfig_pool_persist_refresh_freq = 600
Mon Dec 25 12:23:06 2006 us=902851   ifconfig_pool_linear = DISABLED
Mon Dec 25 12:23:06 2006 us=902860   n_bcast_buf = 256
Mon Dec 25 12:23:06 2006 us=916799   tcp_queue_limit = 64
Mon Dec 25 12:23:06 2006 us=916810   real_hash_size = 256
Mon Dec 25 12:23:06 2006 us=916819   virtual_hash_size = 256
Mon Dec 25 12:23:06 2006 us=916828   client_connect_script = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=916837   learn_address_script = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=916846   client_disconnect_script = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=916855   client_config_dir = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=916864   ccd_exclusive = DISABLED
Mon Dec 25 12:23:06 2006 us=916872   tmp_dir = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=916880   push_ifconfig_defined = DISABLED
Mon Dec 25 12:23:06 2006 us=916891   push_ifconfig_local = 0.0.0.0
Mon Dec 25 12:23:06 2006 us=916900   push_ifconfig_remote_netmask = 0.0.0.0
Mon Dec 25 12:23:06 2006 us=916909   enable_c2c = DISABLED
Mon Dec 25 12:23:06 2006 us=916918   duplicate_cn = DISABLED
Mon Dec 25 12:23:06 2006 us=916926   cf_max = 0
Mon Dec 25 12:23:06 2006 us=929136   cf_per = 0
Mon Dec 25 12:23:06 2006 us=929147   max_clients = 1024
Mon Dec 25 12:23:06 2006 us=929156   max_routes_per_client = 256
Mon Dec 25 12:23:06 2006 us=929165   client_cert_not_required = DISABLED
Mon Dec 25 12:23:06 2006 us=929174   username_as_common_name = DISABLED
Mon Dec 25 12:23:06 2006 us=929184   auth_user_pass_verify_script = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=929193   auth_user_pass_verify_script_via_file = DISABLED
Mon Dec 25 12:23:06 2006 us=929202   client = DISABLED
Mon Dec 25 12:23:06 2006 us=929210   pull = ENABLED
Mon Dec 25 12:23:06 2006 us=929218   auth_user_pass_file = 'stdin'
Mon Dec 25 12:23:06 2006 us=929229   show_net_up = DISABLED
Mon Dec 25 12:23:06 2006 us=929237   route_method = 0
Mon Dec 25 12:23:06 2006 us=929246   ip_win32_defined = DISABLED
Mon Dec 25 12:23:06 2006 us=929254   ip_win32_type = 3
Mon Dec 25 12:23:06 2006 us=929263   dhcp_masq_offset = 0
Mon Dec 25 12:23:06 2006 us=929272   dhcp_lease_time = 31536000
Mon Dec 25 12:23:06 2006 us=942784   tap_sleep = 0
Mon Dec 25 12:23:06 2006 us=942794   dhcp_options = DISABLED
Mon Dec 25 12:23:06 2006 us=942803   dhcp_renew = DISABLED
Mon Dec 25 12:23:06 2006 us=942811   dhcp_pre_release = DISABLED
Mon Dec 25 12:23:06 2006 us=942820   dhcp_release = DISABLED
Mon Dec 25 12:23:06 2006 us=942828   domain = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=942836   netbios_scope = '[UNDEF]'
Mon Dec 25 12:23:06 2006 us=942844   netbios_node_type = 0
Mon Dec 25 12:23:06 2006 us=942853   disable_nbt = DISABLED
Mon Dec 25 12:23:06 2006 us=942866 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Mon Dec 25 12:23:23 2006 us=45042 Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Mon Dec 25 12:23:23 2006 us=45083 Exiting

===============================================

Especially as to the error message:

us=45042 Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib

I found in http://forums.contribs.org/index.php?topic=33194.0

an identical error message, but, contrary to hayman's case, my client.crt is not empty at all....

Any ideas???

regards

gerd

Offline crazybob

  • *****
  • 894
  • +0/-0
    • Stalzer R&D
[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm
« Reply #163 on: January 02, 2007, 01:37:48 AM »
VIP-ire,
  I have just finished installing another copy of this wonderful contrib, and thanks for the great job. I was wondering why openvpn may not be starting by itself. I have to start it manually during each install. In an unrelated issue, I receive a bunch of errors concerning form-magic. I will post them if needed.

Thanks

Bob
If you think you know what's going on, you obviously have no idea what's going on!

Offline Daniel B.

  • *
  • 1,700
  • +0/-0
    • Firewall Services, la sécurité des réseaux
[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm
« Reply #164 on: January 02, 2007, 10:05:33 AM »
Quote from: "gerd"
In order to exclude any error whatsoever, I made a fresh installation of WinXP SP2 on my laptop and installed OpenVPN. Then I created the VPN.ovpn file, installed it in the config file and added into this file the ca.cert, client.crt, client.key and ta.key.

...
Mon Dec 25 12:23:23 2006 us=45042 Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Mon Dec 25 12:23:23 2006 us=45083 Exiting

===============================================

Especially as to the error message:

us=45042 Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib

I found in http://forums.contribs.org/index.php?topic=33194.0

an identical error message, but, contrary to hayman's case, my client.crt is not empty at all....

Any ideas???

regards

gerd


What do you mean by "added into this file the ca.cert, client.crt, client.key and ta.key"? These files (ca.crt, ta.key, client.crt and client.key) must be in the same directory (C:\Program Files\OpenVPN\config) but not in the same file as the configuration file.

Quote from: "crazybob"
VIP-ire,
I have just finished installing another copy of this wonderful contrib, and thanks for the great job. I was wondering why openvpn may not be starting by its self. I have to start it manually during each install. In an unrelated issue, I receive a bunch of errors concerning form-magic. I will post them if needed.


I chose not to start it automatically because we must configure the IP range first (the default is 192.168.xx.xx, which isn't valid). I do so because I'm too lazy to detect the network address, the DHCP parameters, etc., and to configure OpenVPN according to these settings.
As for the error messages, I think they come from some subs' prototypes not being declared at the beginning of the panel. It's not really important, but I'll try to fix it for the next release.
It's the end of the world!!! :lol:
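The file layout described in the reply above (PEM files beside the .ovpn, not pasted into it) and the "no start line" failure can be checked before OpenVPN is even started. This is an added example, not code from the thread or from the contrib; it relies on the OpenVPN 2.0 directives `ca`, `cert`, `key` and `tls-auth`, and builds a constructed config directory in a temp folder in place of the client's real C:\Program Files\OpenVPN\config.

```python
"""Added example: verify the PEM files an OpenVPN 2.0 client config names sit
beside the .ovpn and start with '-----BEGIN ...-----' (else: 'no start line')."""
import os
import re
import tempfile

# Directives whose first argument is a PEM file -> label its BEGIN line carries.
PEM_DIRECTIVES = {"ca": "CERTIFICATE", "cert": "CERTIFICATE",
                  "key": "PRIVATE KEY", "tls-auth": "OpenVPN Static key V1"}

def pem_header_ok(data: str, expected: str) -> bool:
    """True if data has a BEGIN line whose label contains expected
    (so 'RSA PRIVATE KEY' satisfies 'PRIVATE KEY')."""
    m = re.search(r"^-----BEGIN ([^-]+)-----\s*$", data, re.MULTILINE)
    return bool(m) and expected in m.group(1)

def check_config(config_dir: str, config_name: str = "VPN.ovpn") -> dict:
    """Map each PEM directive in the config to 'ok', 'missing' (no such file
    beside the config) or 'no start line' (file present, header absent)."""
    results = {}
    with open(os.path.join(config_dir, config_name)) as cfg:
        for raw in cfg:
            parts = raw.split()
            if len(parts) < 2 or parts[0] not in PEM_DIRECTIVES:
                continue  # blank lines, '#'/';' comments, other directives
            directive, path = parts[0], parts[1]
            full = os.path.join(config_dir, path)
            if not os.path.isfile(full):
                results[directive] = "missing"
                continue
            with open(full) as pem:
                ok = pem_header_ok(pem.read(), PEM_DIRECTIVES[directive])
            results[directive] = "ok" if ok else "no start line"
    return results

def demo() -> dict:
    """Constructed config dir reproducing the thread's symptom: client.crt is a
    certificate body pasted without its BEGIN/END lines, and ta.key is absent."""
    d = tempfile.mkdtemp()
    files = {
        "VPN.ovpn": "client\ndev tap\n# constructed\nca ca.crt\ncert client.crt\n"
                    "key client.key\ntls-auth ta.key 1\n",
        "ca.crt": "-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n-----END CERTIFICATE-----\n",
        "client.crt": "MIIB(constructed body, header line missing)\n",
        "client.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIC(constructed)\n-----END RSA PRIVATE KEY-----\n",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(body)
    return check_config(d)
```

A result of "no start line" for `cert` matches the log's PEM_read_bio error on client.crt, while "missing" for `tls-auth` would show up as a file-not-found error instead.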