Koozali.org: home of the SME Server

OpenVPN SME 10, PhpKi

lpinux
OpenVPN SME 10, PhpKi
« on: August 30, 2022, 11:06:54 AM »
Hello,
I am testing OpenVPN on a freshly installed SME server, following the wiki at https://wiki.koozali.org/OpenVPN_Bridge/fr; thanks to the contributor for this work.
I am running into a problem when configuring a client for access from Windows 10 with OpenVPN.
I placed the connection's configuration file (.ovpn), based on the one supplied on the wiki, in the config folder.
I uncommented the line pkcs12 pascal-ca.p12 and placed the pascal-ca.p12 file in that config folder on the W10 machine.
The W10 PC is not on the VPN server's network.
On connecting, the user's login and password are requested, then entered.
Looking at the log file on Win10, after the failure I end up with the line UDP local (no bound).
On the SME server, I seem to detect a certificate error that I cannot resolve.

Another small question: version 083 of phpki no longer offers the option to download the static key, a menu that appeared in version 082!!!

Thanks for any help that lets me understand my mistakes.

Regards,

Pascal



Aug 30 10:57:10 sme openvpn: xx.xx.xx.xx:60622 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:60622, sid=541ccd95 ea5b065e
Aug 30 10:57:10 sme openvpn: xx.xx.xx.xx:60622 CRL: loaded 1 CRLs from file pub/cacrl.pem
Aug 30 10:57:10 sme openvpn: xx.xx.xx.xx:60622 OpenSSL: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate
Aug 30 10:57:10 sme openvpn: xx.xx.xx.xx:60622 TLS_ERROR: BIO read tls_read_plaintext error
Aug 30 10:57:10 sme openvpn: xx.xx.xx.xx:60622 TLS Error: TLS object -> incoming plaintext read error
Aug 30 10:57:10 sme openvpn: xx.xx.xx.xx:60622 TLS Error: TLS handshake failed
Aug 30 10:57:10 sme openvpn: xx.xx.xx.xx:60622 SIGUSR1[soft,tls-error] received, client-instance restarting
Aug 30 10:57:56 sme openvpn: MANAGEMENT: Client connected from [AF_INET]127.0.0.1:11194

Jean-Philippe Pialasse
Re: OpenVPN SME 10, PhpKi
« Reply #1 on: August 30, 2022, 12:37:48 PM »
What does the client log say?

Have the other formats besides pk12 been commented out?

For the connection, it can ask for login/password, certificate, or login/password + certificate. Check that the mode is certificates only.

Was the client certificate generated with or without a password?

Have you checked the contents of the pk12 (using the openssl command)?

ReetP
Re: OpenVPN SME 10, PhpKi
« Reply #2 on: August 30, 2022, 02:55:41 PM »
Quote
Another small question: version 083 of phpki no longer offers the option to download the static key, a menu that appeared in version 082!!!

You should be using phpki-ng 0.84

Earlier versions are not supported.

I am not sure why you would be using the old 0.83 but issues with it will not be fixed.


...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

ReetP
Re: OpenVPN SME 10, PhpKi
« Reply #3 on: August 30, 2022, 03:22:24 PM »
So a quick look reveals that

0.83 likely didn't detect openvpn correctly, which is required to generate the TA key.

0.84 will throw a warning about that:

Code:
        #
        # Create a TLS auth key for OpenVPN if openvpn is installed
        #
        $command = 'which openvpn';
        $command = escapeshellcmd($command);

        if (system($command) == '/usr/sbin/openvpn') {
            print '<p><strong>Creating a TLS authentication key used by OpenVPN.<br>';
            print "Saving to $store_dir/takey.pem.</strong><br>";
            $cmd = "openvpn --genkey --secret '$configPrivate_dir/takey.pem'";
            print $cmd.'<br>';
            flush();
            flush_exec($cmd);
        } else {
            echo "openvpn is required to generate a takey.pem<br>";
            echo "You can create one later like this:<br>";
            echo "openvpn --genkey --secret ". $configPrivate_dir . "/takey.pem<br>";
        }

If you have not moved the default directory then you can do this once openvpn is installed

Code:
openvpn --genkey --secret /opt/phpki/phpki-store/CA/private/takey.pem
If this is a new install I suggest you start again as it will also generate a CA with a bigger key length and stronger certificates.

lpinux
Re: OpenVPN SME 10, PhpKi
« Reply #4 on: August 30, 2022, 09:33:08 PM »
Good evening, and thanks for these answers and suggested lines of investigation.

What does the client log say? -->

2022-08-30 10:48:33 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-08-30 10:48:33 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-08-30 10:48:33 OpenVPN 2.5.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 21 2021
2022-08-30 10:48:33 Windows version 10.0 (Windows 10 or greater) 64bit
2022-08-30 10:48:33 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
Enter Management Password:
2022-08-30 10:48:40 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.XX.XX.XX:1194
2022-08-30 10:48:40 UDP link local: (not bound)
2022-08-30 10:48:40 UDP link remote: [AF_INET]xx.XX.XX.XX:1194


Have the other formats besides pk12 been commented out? --> below is a copy of the openvpn client configuration file

For the connection, it can ask for login/password, certificate, or login/password + certificate. Check that the mode is certificates only.
I would like authentication to be done with the login and password of an SME user

Was the client certificate generated with or without a password? --> without a password

Have you checked the contents of the pk12 (using the openssl command)? --> no, how?

Regards,

Pascal

dev tap
nobind
# Uncomment the following line if your system
# support passtos (not supported on Windows)
# passtos
remote xx.xx.xx.xx
tls-client
ns-cert-type server
cipher AES-128-CBC
auth SHA256
auth-user-pass
mtu-test
comp-lzo
pull
# Uncomment and replace user.p12
# with the certificate bundle in PKCS12 format
pkcs12 pascal-ca.p12
# You can replace the pkcs12
# directive with the old ones
#ca cacert.pem
#cert user.pem
#key user-key.pem
# Alternatively you can paste your cert and private key here:
# client certificate - uncomment and paste between delimiters
#<cert>
#</cert>
# client private key - uncomment and paste between delimiters
#<key>
#</key>

# CA certificate
<ca>
-----BEGIN CERTIFICATE-----
   .... the certificate taken from the server management page ....
-----END CERTIFICATE-----
</ca>

ReetP
Re: OpenVPN SME 10, PhpKi
« Reply #5 on: August 30, 2022, 11:01:02 PM »
Quote
I would like authentication to be done with the login and password of an SME user

You might want it but I don't believe it is currently available. We'll be happy if you offer to fix that......

Each user should get their own certificate. That should be sufficient.

In your client remove auth-user-pass.


Makes no sense that cipher is not set.

Please show:

Code:
config show openvpn-bridge
Code:
rpm -qa |grep openvpn
Code:
rpm -qa |grep phpki
Code:
grep "^[^#;]" /etc/openvpn/bridge/openvpn.conf


lpinux
Re: OpenVPN SME 10, PhpKi
« Reply #6 on: August 31, 2022, 06:40:11 AM »
Thank you for the help; the requested information is below.

Best regards,

Pascal

config show openvpn-bridge -->
openvpn-bridge=service
    Cipher=AES-128-CBC
    ConfigRequired=disabled
    CrlUrl=http://localhost:940/phpki/index.php?stage=dl_crl_pem
    HMAC=SHA256
    UDPPort=1194
    access=public
    clientToClient=disabled
    endPool=192.168.0.30
    management=localhost:11194:WrcmQLXX84eZu1R0fqfzEi6EFRo
    maxClients=20
    redirectGW=PerClient
    startPool=192.168.0.10
    status=enabled
    tapIf=tap0
    userAuth=CrtWithPass
   
rpm -qa |grep openvpn -->
smeserver-openvpn-bridge-2.1-18.el7.sme.noarch
openvpn-2.4.12-1.el7.x86_64

rpm -qa |grep phpki -->
phpki-ng-0.84-12.el7.sme.noarch
smeserver-phpki-ng-0.3-6.el7.sme.noarch

grep "^[^#;]" /etc/openvpn/bridge/openvpn.conf -->
port 1194
proto udp
dev tap0
user nobody
group nobody
chroot /etc/openvpn/bridge
persist-key
persist-tun
dh pub/dh.pem
ca pub/cacert.pem
cert pub/cert.pem
key priv/key.pem
tls-server
crl-verify pub/cacrl.pem
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
cipher AES-128-CBC
auth SHA256
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
server-bridge 192.168.0.200 255.255.255.0 192.168.0.10 192.168.0.30
keepalive 10 120
push "dhcp-option DOMAIN xxx.org"
push "dhcp-option DNS 192.168.0.200"
push "dhcp-option WINS 192.168.0.200"
mtu-test
passtos
nice 5
management localhost 11194 management-pass.txt
client-config-dir ccd
max-clients 20
comp-lzo adaptive
push "comp-lzo adaptive"
status-version 2
status bridge-status.txt
suppress-timestamps
verb 3

« Last Edit: August 31, 2022, 06:43:19 AM by lpinux »

ReetP
Re: OpenVPN SME 10, PhpKi
« Reply #7 on: August 31, 2022, 05:13:05 PM »
Quote
    Quote
        I would like authentication to be done with the login and password of an SME user
    You might want it but I don't believe it is currently available. We'll be happy if you offer to fix that......

Forgive me as I am an ass.

Code:
userAuth=CrtWithPass
That means you can use the PAM authentication system. It just cannot be controlled via 'VPN user' in the server-manager.

So the server loads the openvpn-plugin-auth-pam.so and the client uses auth-user-pass.

So that seems OK.

Next I can't see why your client shows:

Quote
--cipher is not set

What do your server logs say?

Look in /var/log/openvpn-bridge

Just wondering if it is due to the tls-cipher not having AES-128-CBC listed?

Can you try and modify each end to use:

AES-128-GCM

Code:
config setprop openvpn-bridge Cipher AES-128-GCM
Code:
signal-event openvpn-bridge-update
Modify it in your Client config too.

Let us know what happens.

Jean-Philippe Pialasse
Re: OpenVPN SME 10, PhpKi
« Reply #8 on: August 31, 2022, 06:47:44 PM »
The cipher is set on the server.

It is also in the client configuration.

But it is not in the configuration of the client's service.

The alert message (not an error) indicates that, in the absence of a command line with --cipher, it uses Blowfish; it specifies that the alternative ciphers are not filled in.

Normally, when it loads the configuration, it reads the cipher line and uses that one, since nothing was forced on the command line.



If you use the command given by John to generate the takey, you will have to do a chown phpki:phpki on the resulting file.
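To put the two takey.pem steps from this thread together (the `openvpn --genkey --secret` command from ReetP's reply and the `chown phpki:phpki` just mentioned), here is an added example script that is not from the thread, PhpKi or smeserver-openvpn-bridge. It generates a key into a constructed temporary path, hands it to the PhpKi account when that is possible, and checks that the file really is a 2048-bit "OpenVPN Static key V1" with restrictive permissions. When no openvpn binary is available it writes the same file format from `openssl rand` so the check still runs; the function names are my own.

```shell
#!/bin/sh
# Added example: generate, own and sanity-check an OpenVPN tls-auth key.
# $WORK/takey.pem is a constructed temp path, not the PhpKi store.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate the key. Uses the real openvpn binary when present (same command as
# the PhpKi fallback message); otherwise writes the identical "OpenVPN Static
# key V1" layout from 256 random bytes, so the check below can run anywhere.
gen_takey() {   # $1 = output path
    if command -v openvpn >/dev/null 2>&1; then
        openvpn --genkey --secret "$1" >/dev/null 2>&1
    else
        {
            echo '#'
            echo '# 2048 bit OpenVPN static key (constructed without openvpn)'
            echo '#'
            echo '-----BEGIN OpenVPN Static key V1-----'
            openssl rand -hex 256 | fold -w 32      # 16 lines x 32 hex chars
            echo '-----END OpenVPN Static key V1-----'
        } > "$1"
    fi
    chmod 600 "$1"   # HMAC secret: owner-only
}

# Hand the file to the PhpKi user as advised above. chown needs root and the
# account must exist, so report what to run instead of failing elsewhere.
own_takey() {   # $1 = path, $2 = owner:group
    if [ "$(id -u)" -eq 0 ] && id "${2%%:*}" >/dev/null 2>&1; then
        chown "$2" "$1" && echo "owner set to $2"
    else
        echo "not root or user ${2%%:*} missing: run 'chown $2 $1' on the server"
    fi
}

# Validate: header and footer present, exactly 16 body lines of 32 lowercase
# hex characters (2048 bits), and mode 600 so the key is not world-readable.
check_takey() {   # $1 = path; returns 0 when the file is usable
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$1" || return 1
    grep -q '^-----END OpenVPN Static key V1-----$' "$1"   || return 1
    body=$(sed -n '/^-----BEGIN OpenVPN Static key V1-----$/,/^-----END OpenVPN Static key V1-----$/p' "$1" \
           | grep -v '^-----')
    [ "$(printf '%s\n' "$body" | wc -l)" -eq 16 ] || return 1
    printf '%s\n' "$body" | grep -Eqv '^[0-9a-f]{32}$' && return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ]
}

TAKEY="$WORK/takey.pem"
gen_takey "$TAKEY"
own_takey "$TAKEY" phpki:phpki
check_takey "$TAKEY" && echo "takey.pem looks valid: $TAKEY"
```

On the server you would point the output path at the PhpKi store directory ReetP gave (/opt/phpki/phpki-store/CA/private/takey.pem if it has not been moved) and run the chown there; the check function is the part worth keeping around, since a truncated or world-readable takey.pem fails silently until the first client tries to connect.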

lpinux
Re: OpenVPN SME 10, PhpKi
« Reply #9 on: August 31, 2022, 09:54:10 PM »
No trace appears in the /var/log/openvpn-bridge file.
I ran this command: config setprop openvpn-bridge Cipher AES-128-GCM

GCM is not accepted on the client. However, I do get a connection and an IP on the SME's network.
A ping of the SME does not succeed.

Quote
2022-08-31 21:46:52 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-08-31 21:46:52 OpenVPN 2.5.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 21 2021
2022-08-31 21:46:52 Windows version 10.0 (Windows 10 or greater) 64bit
2022-08-31 21:46:52 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
Enter Management Password:
2022-08-31 21:46:54 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
2022-08-31 21:46:54 UDP link local: (not bound)
2022-08-31 21:46:54 UDP link remote: [AF_INET]93.4.150.249:1194
2022-08-31 21:46:57 [ca-vpn-server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
2022-08-31 21:46:58 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-08-31 21:46:58 open_tun
2022-08-31 21:46:58 tap-windows6 device [Connexion au réseau local] opened
2022-08-31 21:46:58 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.0.10/255.255.255.0 on interface {D12C9A97-805B-4A76-BC5B-377C4F8A560B} [DHCP-serv: 192.168.0.0, lease-time: 31536000]
2022-08-31 21:46:58 Successful ARP Flush on interface [23] {D12C9A97-805B-4A76-BC5B-377C4F8A560B}
2022-08-31 21:46:58 IPv4 MTU set to 1500 on interface 23 using service
2022-08-31 21:47:00 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
2022-08-31 21:47:10 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-08-31 21:47:10 Initialization Sequence Completed

I think I will start over from a clean configuration and do a fresh install, taking the remarks into account.

Thanks,

Pascal

Jean-Philippe Pialasse
Re: OpenVPN SME 10, PhpKi
« Reply #10 on: August 31, 2022, 11:03:17 PM »
aes-128-cbc is perfect.


The default blowfish-cbc is to be avoided because it is completely insecure.


The cipher must be identical on both sides.


To check that the pk12 key is functional, search Google for: read pk12 file openssl.

lpinux
OpenVPN SME 10, PhpKi
« Reply #11 on: September 06, 2022, 05:42:02 PM »
Good evening,

I did a complete reinstall of the SME10 server, plus the updates.
The VPN works correctly; I get an IP on the private network and access to the resources.

Looking at the OpenVPN logs on Windows, a warning about compression appears.

Warning : Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless allow-compression yes is also set.

Consulting the community.openvpn.net site, it seems that a vulnerability called VORACLE goes through compression.

I tried the different directives in the VPN client configuration file, without success.

What is the right directive? Should it be removed on the SME server?

Thanks for the help and the various remarks,

regards,

Pascal
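Three mismatches came up in this thread: cipher/auth that must be identical on both ends (Reply #10), auth-user-pass on the client only being meaningful when the server loads the PAM plugin (Reply #7), and the compression directives behind the VORACLE warning above. The following added example, which is not from the thread or from smeserver-openvpn-bridge, audits a client .ovpn against a server openvpn.conf for those three points. The two files are constructed inline from the configurations Pascal posted, and the helper names are my own. On SME the server file is template-generated, so anything it flags is changed through `config setprop` and the wiki pages, not by editing openvpn.conf.

```shell
#!/bin/sh
# Added example: check a client .ovpn against a server openvpn.conf for the
# mismatches discussed in this thread. Both files are constructed here from
# the configs posted above (trimmed to the directives that matter).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/client.ovpn" <<'EOF'
dev tap
nobind
remote xx.xx.xx.xx
tls-client
ns-cert-type server
cipher AES-128-CBC
auth SHA256
auth-user-pass
mtu-test
comp-lzo
pull
pkcs12 pascal-ca.p12
#ca cacert.pem
EOF

cat > "$WORK/server.conf" <<'EOF'
port 1194
proto udp
dev tap0
tls-server
cipher AES-128-CBC
auth SHA256
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
comp-lzo adaptive
push "comp-lzo adaptive"
EOF

# First value of an uncommented directive ("cipher AES-128-CBC" -> AES-128-CBC).
# Same filter as ReetP's grep "^[^#;]": lines starting with # or ; are ignored.
directive() {   # $1 = file, $2 = directive name
    awk -v d="$2" '$0 !~ /^[#;]/ && $1 == d { print $2; exit }' "$1"
}

# cipher and auth must be identical on both sides.
ciphers_match() {   # $1 = client file, $2 = server file
    [ "$(directive "$1" cipher)" = "$(directive "$2" cipher)" ] &&
    [ "$(directive "$1" auth)"   = "$(directive "$2" auth)" ]
}

# auth-user-pass on the client pairs with the PAM plugin on the server
# (userAuth=CrtWithPass); one side without the other is a misconfiguration.
user_auth_consistent() {
    c=0; s=0
    grep -q '^auth-user-pass' "$1" && c=1
    grep -q '^plugin .*openvpn-plugin-auth-pam' "$2" && s=1
    [ "$c" -eq "$s" ]
}

# Any compression directive, on either side, is what the client's
# "Compression for receiving enabled" warning is about; list them.
compression_directives() {
    grep -hE '^(comp-lzo|compress|allow-compression|push "comp)' "$1" "$2" || true
}

audit() {   # $1 = client file, $2 = server file
    ciphers_match "$1" "$2" && echo "cipher/auth: match" || echo "cipher/auth: MISMATCH"
    user_auth_consistent "$1" "$2" && echo "user/pass auth: consistent" || echo "user/pass auth: one side only"
    found=$(compression_directives "$1" "$2")
    if [ -n "$found" ]; then
        echo "compression enabled by:"; echo "$found"
    else
        echo "compression: none configured"
    fi
}

echo "== as posted =="
audit "$WORK/client.ovpn" "$WORK/server.conf"

# The thread's second attempt: server switched to AES-128-GCM, client left on CBC.
sed 's/^cipher .*/cipher AES-128-GCM/' "$WORK/server.conf" > "$WORK/server-gcm.conf"
echo "== server on AES-128-GCM =="
audit "$WORK/client.ovpn" "$WORK/server-gcm.conf"
```

Run it as-is to see the posted configuration pass the cipher and user-authentication checks while listing the three compression lines (client `comp-lzo`, server `comp-lzo adaptive` and the pushed copy); the second audit shows the mismatch from the AES-128-GCM experiment that the client refused.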

ReetP
Re: OpenVPN SME 10, PhpKi
« Reply #12 on: September 06, 2022, 06:25:34 PM »
Have you read the wiki and checked the configuration options?

What is in the server and client configuration files?

https://wiki.koozali.org/OpenVPN_Routed#Default_key_properties

Or here

https://wiki.koozali.org/OpenVPN_Bridge#Advanced_configuration

lpinux
OpenVPN SME 10, PhpKi
« Reply #13 on: September 06, 2022, 09:17:22 PM »
Indeed, I did not read this wiki well. Thanks

Pascal