Page 5 of 24

Re: OpenVPN Open Beta

Posted: Mon Aug 10, 2015 1:09 pm
by kgc
I don't believe that there is a time limit on the connection to the VPN server. Is anyone else having similar issues?

Re: OpenVPN Open Beta

Posted: Tue Aug 11, 2015 5:02 pm
by joss
I find that I am disconnected each day, although I haven't noted the exact times. So I can't say if it is 24 hours. I just assumed that I was in a Beta test and should expect some rough patches.

Edit: I checked the router's logs this morning. And yes, 24 hours after connecting to the VPN, the session was terminated.

Aug 11 06:48:28 rc_service: httpd 284:notify_rc start_vpnclient1
...
Aug 12 06:48:31 openvpn[1425]: AUTH: Received control message: AUTH_FAILED,SESSION: Your session has expired, please reauthenticate
Aug 12 06:48:31 openvpn[1425]: SIGTERM received, sending exit notification to peer

Re: OpenVPN Open Beta

Posted: Wed Aug 12, 2015 11:04 am
by kgc
I was clearly wrong, but the behavior makes sense. If you need to reboot the router to get it to connect again there's a bug in the router that will need to be fixed.

Re: OpenVPN Open Beta

Posted: Sat Aug 15, 2015 6:57 pm
by svist
Anyone migrated the config to NetworkManager? (Fedora 21 here)
I thought I copied all settings there, but it won't connect -- so I must be missing something :\

Re: OpenVPN Open Beta

Posted: Sun Aug 16, 2015 12:15 am
by leeep
Has anyone had success (or even tried) to get this working on a Chromebook? ChromeOS has OpenVPN support cooked into it, but it seems it's not quite the same as what is being offered here.

We can't do a simple import of the .ovpn file on ChromeOS... been hunting around and people have cooked up some rather involved processes involving manually translating the .ovpn into a .onc file, but this sure seems a bit overboard for what should be relatively simple. :)

There are three things that are apparently needed that I don't seem to know how to obtain:

  • ca.crt (the certificate authority’s public key certificate)
  • client-cert.p12 (the clients public / private key).
  • ta.key (the TLS-auth key)

Some info:
https://docs.google.com/document/d/18TU ... rb4YLE/pub
https://www.reddit.com/r/chromeos/comme ... erplexity/
http://blog.dwolla.com/openvpn-on-chrom ... tep-guide/

Any ideas?

Re: OpenVPN Open Beta

Posted: Sun Aug 16, 2015 12:54 am
by svist
leeep wrote:
There are three things that are apparently needed that I don't seem to know how to obtain:

  • ca.crt (the certificate authority’s public key certificate)
  • client-cert.p12 (the clients public / private key).
  • ta.key (the TLS-auth key)


Download the "Yourself (user-locked profile)" -- all of those are inside it.
There's a section <ca> .. </ca> -- that's ca.crt
<cert> ... </cert> should be the client cert
<key> ... </key> should be your client key
and <tls-auth> ... </tls-auth> I'm guessing is the TLS auth

--- But I didn't get it running here yet :( ---
Edit: got it running, everything above just as expected

Re: OpenVPN Open Beta

Posted: Mon Aug 17, 2015 10:01 am
by svist
svist wrote:
Anyone migrated the config to NetworkManager? (Fedora 21 here)
I thought I copied all settings there, but it won't connect -- so I must be missing something :\


Okay, I've figured out my issue. It looks like the server-side certificate is not marked as "Server".
The option is a checkbox/dropdown combo that says "Verify peer (server) certificate usage signature" and "Remote peer certificate TLS type: Server/Client"
I had enabled the option and chosen Server

/var/log/messages didn't explicitly say anything, just

Code: Select all

Aug 17 09:52:33 mypc nm-openvpn[22027]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Aug 17 09:52:33 mypc nm-openvpn[22027]: TLS Error: TLS object -> incoming plaintext read error
Aug 17 09:52:33 mypc nm-openvpn[22027]: TLS Error: TLS handshake failed
Aug 17 09:52:33 mypc nm-openvpn[22027]: SIGUSR1[soft,tls-error] received, process restarting


to see the error, I had to run

Code: Select all

# /usr/libexec/nm-openvpn-service --debug
...
Mon Aug 17 09:55:18 2015 us=469940 BIO write tls_write_ciphertext 100 bytes
Mon Aug 17 09:55:18 2015 us=469946 Incoming Ciphertext -> TLS
Mon Aug 17 09:55:18 2015 us=470122 VERIFY OK: depth=1, CN=OpenVPN CA
Mon Aug 17 09:55:18 2015 us=470267 Certificate does not have key usage extension
Mon Aug 17 09:55:18 2015 us=470276 VERIFY KU ERROR
Mon Aug 17 09:55:18 2015 us=470290 SSL alert (write): fatal: certificate unknown
Mon Aug 17 09:55:18 2015 us=470308 PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x55db648b1bf0, ptr=(nil), ad=0x55db648b1c50, idx=0, argl=0, argp=0x7fe31a0788e3
Mon Aug 17 09:55:18 2015 us=470329 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Aug 17 09:55:18 2015 us=470337 TLS Error: TLS object -> incoming plaintext read error
Mon Aug 17 09:55:18 2015 us=470344 TLS Error: TLS handshake failed



Here's my currently-working NetworkManager-exported config:

Code: Select all

client
remote beta.vpn.sonic.net
ca /home/user/.cert/sonic.net-ca.crt
cert /home/user/.cert/sonic.net-svist-cert.crt
key /home/user/.cert/sonic.net-svist-key.key
auth-user-pass
reneg-sec 604800
cipher AES-128-CBC
comp-lzo yes
dev tun
proto udp
tls-auth /home/user/.cert/sonic.net-tls_key.key 1
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user openvpn
group openvpn


and, as expected, all 4 files were in the imported file (see message right above this one)

Re: OpenVPN Open Beta

Posted: Mon Aug 17, 2015 10:08 am
by svist
@kgc:

If you could, please update the server certificate to say it's used as a server. Currently, my config gives me this warning while connecting:

WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.


...and as I described in previous message, turning the option on makes it impossible to connect.

Also, a question: is there a limit on number of VPN connections for the same account?

Re: OpenVPN Open Beta

Posted: Mon Aug 17, 2015 11:56 am
by kgc
I'm not sure if I can update the cert without having everyone have to to import a new connection so I may wait on that. And, at this time, there is no limit on the number of connections per account. However, I expect that might change in the future.

Re: OpenVPN Open Beta

Posted: Mon Aug 17, 2015 12:56 pm
by svist
The reason I'm asking about the limit is because it enables all users to use a VPN-secured connection in a public wifi setting -- and I want all family members to have easy access to that :)
Another minor problem there is -- they all have to use primary account's password...