OpenVPN #1: Beter beveiligen

[Pippin]

In de release notes zie ik staan:

" move some Menu items to "Extra" "


Ik zit nog op versie 1.3.1 en daar zit het nog onder File.

[blbean]

Door een update van DSM mocht ik nog een keer aan de slag en heb de tut weer doorlopen. Bedankt nogmaals daarvoor!
Ik had niet goed gelezen bij het maken van het client certificaat en de velden Internel name en commonName niet voorzien van de DSM username. Beetje dom, want dat genereerde een X509 certificaat foutmelding.

Enige wat ik toe te voegen heb is dat OpenVPN voor iOS happerde door het gebruik van hoofdletters in de CA.crt. Kennelijk kan het er niet mee overweg dat er in de configuratie ca.crt staat terwijl XCA een CA.crt heeft gegenereerd. Ik heb CA in ca hernoemd en toen werkte het wel. Als je de bestanden uit stap 4 via Itunes (apps, naar beneden scrollen, OpenVPN selecteren, bestanden toevoegen) op je iOS device zet, werkt het prima.

[Pippin]

Ben een beetje laat zie ik maar bedankt voor de melding.
De beide configs zijn nu aangepast.

[@lex]

Hi,

I have followed your well documented tutorial, but it won't work on my side.
The client keeps getting a "TLS key negotiation failed to occur within 60 seconds" message.

Any clue ?

Thanks !

[Pippin]

This message means that your OpenVPN client can`t connect to your NAS.

What client OS?
Did you forward port 1194 to your NAS? That is, if you specified port 1194 in VPN Server.
Port 1194 is opened in the firewall on the NAS?

Always connect from outside your LAN with the client.

[@lex]

Client: OpenVPN GUI under W7

Used to work OK before the mod (just without server authentication).

I did not change the port forwarding, everything seems OK, I just checked.

I always test for a 3G connection to be outside my LAN as my router will not allow looping back into my LAN.

The problem is still there...

Thanks !

[Pippin]

Have a client/server log?

[@lex]

Server log:
Sun Jan 10 12:54:11 2016 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sun Jan 10 12:54:11 2016 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:109.140xxxxx

Client looks like everything is ok until "TLS key negotiation failed to occur within 60 seconds".

The only thing I see in the client side: using 'ta.key' as a OpenVPN static key file: there is no path, but I assume openvpn will thus look in the same directory as the conf file...

Thanks !

[Pippin]

The server states "HMAC authentication failed".

Check client config to make sure the path is correct:

Code: [Selecteer]

tls-auth ta.key 1
If still not working then try the full path:

Code: [Selecteer]

tls-auth "c:\\Program Files\\OpenVPN\\config\\ta.key 1"
Watch the double backslashes !
But as far as I know, normally this should not be necessary if you put all files in "c:\Program Files\OpenVPN\config"

Edit:
Sorry, wrong file and forgot the ""
And maybe have to do it for all files.

[@lex]

OK, I restarted the OpenVPN server (uncheck enable then check enable) and now it goes a little further, so it was not the path of the ta.key file.
I had to re-copy the ca.crt and server.crt & server.key as enabling the openvpn server had overwritten these files (under the folder /volume1/@appstroe/VPNCenter/etc/openvpn/keys).

I now have this:

Sun Jan 10 13:59:13 2016 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=xxxxxxxxxxx $private data$ xxxx
Sun Jan 10 13:59:13 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Jan 10 13:59:13 2016 TLS Error: TLS object -> incoming plaintext read error
Sun Jan 10 13:59:13 2016 TLS Error: TLS handshake failed

It seems that the server does not like my certificate ?

[Pippin]

I had to re-copy

That`s strange...some time ago I rewrote this tutorial to avoid overwriting files but maybe I made some mistake.
What version of DSM and VPN Server?
And which DS?

Normally when restarting DSM/VPN Server, the certificates get recopied from the "ssl.xxx" directories.
Did you replace them too as described in the tutorial?
Google translate still doesn`t do a perfect job :-)

If you rename "openvpn.conf" to "openvpn.conf.user" then the overwrite problem could be solved.
But you have to keep a file named "openvpn.conf" because if it`s missing OpenVPN won`t start.
So, both files need to be present for that to work.
I think I will include it in this tutorial.

TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Please check certificates/keys one by one or:
Recopy them after renaming openvpn.conf to openvpn.conf.user or:
Generate new ones using XCA.

Make sure to set correct file-permissions as described.
And shut-down/restart VPN Server when modifying things.

[Pippin]

Handleiding is nu voor een deel herschreven.
Certificaten in DSM en OpenVPN zijn nu onafhankelijk van elkaar.

[@lex]

Wel bedankt voor de update.

Het werkt nu voor mij. 

[Pippin]

Nederlands?

Your welcome.

[@lex]

Mijn system: DS1512+ met DSM 5.2-5592.

Client: W7 met openVPN gui 10.