SmallNetBuilder Forums

Forum: Asuswrt-Merlin (http://forums.smallnetbuilder.com/forumdisplay.php?f=42)
Thread: How do I correctly configure the "Allowed Clients" table for OpenVPN? HELP! (http://forums.smallnetbuilder.com/showthread.php?t=11330)

-KS-Silence[AU] 05-27-2013 12:36 PM

How do I correctly configure the "Allowed Clients" table for OpenVPN? HELP!
 
Hello guys, bit of an issue here....

I already know how to get a secured OpenVPN server running that does NOT use a white/blacklist, and that works fine, but what I can't work out is why, when I turn on whitelisting in the GUI ("Allow only specified clients") and fill in the field, NOT a single client can successfully connect. They ALL get rejected at what appears to be the final stage of connecting, with a PUSH request and an authentication failure, and some errors in the log that I don't understand.

Here is a screenshot of:
the Server settings on the left hand side
Client Log in the top right portion of the screen on the remote computer
Relevant portion of Server log in notepad in the bottom right of my screen

[IMG]ftp://74.91.122.250/VPN%20Access%20control%20not%20working.JPG[/IMG]

(If the screenshot fails to load, just copy and paste the link into a new browser tab and it will load..... it's way too big to be uploaded as an attachment @ ~1920x1080 and ~500Kb)
(alternate image link: [url]https://www.dropbox.com/s/jvccxte8xl91hq8/VPN%20Access%20control%20not%20working.JPG[/url] click image to zoom)

I have no idea how to do router scripting or anything like that, if any is required... Chances are it's something totally obvious to you, and I'm totally oblivious to it....

Thanks...

-Alex

RMerlin 05-27-2013 01:33 PM

Try increasing OpenVPN logging. Through SSH/Telnet:

[code]
nvram set vpn_loglevel=9
nvram commit
[/code]

(log level can go up to 15, but I suspect that going THAT high will generate more noise than useful info)

Then restart the OpenVPN servers. See what you get in syslog when you try to connect.

To revert it back, set loglevel to 3.

-KS-Silence[AU] 05-27-2013 01:56 PM

Here's a very long logfile for you....
 
1 Attachment(s)
Erm, is this what you want? Sounds like level 9 might be a bit too verbose??
WARNING! Very Very Very Very LONG log in attached file!
(that's only the relevant bit.... some 93900 characters....)

RMerlin 05-27-2013 02:11 PM

At least it confirms that the cn part is what is being rejected:

[code]
May 28 03:45:04 openvpn[1416]: 74.111.111.111:51283 TLS Auth Error: --client-config-dir authentication failed for common name 'Win-8-VMware' file='ccd/Win-8-VMware'
[/code]

I would try using a CN without any dash in it to see if it works better.

-KS-Silence[AU] 05-27-2013 02:28 PM

Same as before
 
Well, trying new certs and stuff without a - in the CNs and other fields where possible had no effect (I made sure I updated the allowed clients table with the correct CN):

[CODE]May 28 04:25:12 openvpn[1702]: TCP connection established with [AF_INET]74.---.---.---:51339
May 28 04:25:12 openvpn[1702]: 74.---.---.---:51339 TLS: Initial packet from [AF_INET]74.---.---.---:51339, sid=b8c299aa 31b1cd57
May 28 04:25:15 kernel: printk: 1033 messages suppressed.
May 28 04:25:15 kernel: protocol 0000 is buggy, dev eth1
May 28 04:25:20 kernel: printk: 969 messages suppressed.
May 28 04:25:20 kernel: protocol 0000 is buggy, dev eth1
May 28 04:25:22 openvpn[1702]: 74.---.---.---:51339 VERIFY OK: depth=1, C=AU, ST=NSW, L=Sydney, O=Silence-Home, OU=Home-VPN, CN=RT-AC66U, name=RT-AC66U, emailAddress=POQ-Silence@live.com
May 28 04:25:22 openvpn[1702]: 74.---.---.---:51339 VERIFY OK: depth=0, C=AU, ST=NSW, L=Sydney, O=Silence, OU=HomeVPN, CN=TestPC, name=TestPC, emailAddress=POQ-Silence@live.com
May 28 04:25:25 kernel: printk: 979 messages suppressed.
May 28 04:25:25 kernel: protocol 0000 is buggy, dev eth2
May 28 04:25:25 openvpn[1702]: 74.---.---.---:51339 TLS Auth Error: --client-config-dir authentication failed for common name 'TestPC' file='ccd/TestPC'
May 28 04:25:26 openvpn[1702]: 74.---.---.---:51339 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
May 28 04:25:26 openvpn[1702]: 74.---.---.---:51339 [TestPC] Peer Connection Initiated with [AF_INET]74.---.---.---:51339
May 28 04:25:28 openvpn[1702]: 74.---.---.---:51339 PUSH: Received control message: 'PUSH_REQUEST'
May 28 04:25:28 openvpn[1702]: 74.---.---.---:51339 Delayed exit in 5 seconds
May 28 04:25:28 openvpn[1702]: 74.---.---.---:51339 SENT CONTROL [TestPC]: 'AUTH_FAILED' (status=1)
May 28 04:25:28 openvpn[1702]: 74.---.---.---:51339 Connection reset, restarting [0]
May 28 04:25:28 openvpn[1702]: 74.---.---.---:51339 SIGUSR1[soft,connection-reset] received, client-instance restarting[/CODE]

RMerlin 05-27-2013 02:55 PM

No other idea personally, as I'm not an OpenVPN expert, and I never worked with CN-based authentication.

-KS-Silence[AU] 05-27-2013 06:51 PM

Well, this ain't good
 
[QUOTE=RMerlin;70571]No other idea personally, as I'm not an OpenVPN expert, and I never worked with CN-based authentication.[/QUOTE]

Should I post about it on the OpenVPN forums?
Even though the VPN here is apparently based off of Tomato's, I can't find anything that shows how to do it on the Tomato routers (and I've got an old one lying around somewhere), even though they also have a very similar function apparently (version specific).

The information just doesn't seem to publicly exist!

Does anyone else here know how to make this behave?

Brouno 05-29-2013 09:48 AM

Hello,

I think you have the same problem as in here: [url]http://openvpn.net/archive/openvpn-users/2006-04/msg00083.html[/url]

The openvpn server daemon doesn't find the file 'ccd/Win-8-VMware'.

I would make sure that the ccd folder is in the correct place.

Try to add:

[code]
client-config-dir /ccd
[/code]

in the custom configuration, or replace /ccd with the correct location.
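Added example (not from the thread, and not Asuswrt-Merlin's own scripts): a POSIX shell script showing what the ccd directory Brouno describes has to contain, and how the "authentication failed" line in the logs above arises. OpenVPN's `ccd-exclusive` option rejects any client whose certificate CN has no file in the `client-config-dir` with exactly that message, and a relative path such as `ccd` is looked up from the daemon's working directory, which is why an absolute path is the safer choice. The server directory (`OVPN_DIR`) and the second client name are assumptions, since the thread never names the router's real path; the log excerpt is constructed from the lines posted earlier.

```shell
#!/bin/sh
# Added example, not from the thread: build a client-config-dir that matches the
# allowed-client list and show how the "authentication failed" line arises.
set -eu

# Assumed server working directory (placeholder; the real router path is not
# named in the thread). A fresh temp dir keeps the example self-contained.
OVPN_DIR="${OVPN_DIR:-$(mktemp -d)}"
CCD_DIR="$OVPN_DIR/ccd"

# One file per allowed certificate Common Name. With ccd-exclusive, a client
# whose CN has no file here is rejected at TLS verification time.
make_ccd() {
    mkdir -p "$CCD_DIR"
    for cn in "$@"; do
        # The file name must equal the CN exactly (case and punctuation too).
        : > "$CCD_DIR/$cn"
    done
}

# Config fragment for the server: absolute path so OpenVPN does not resolve
# "ccd" relative to whatever its working directory happens to be.
write_config() {
    cat > "$OVPN_DIR/ccd.conf" <<EOF
client-config-dir $CCD_DIR
ccd-exclusive
EOF
}

# Exit 0 if ccd-exclusive would accept this CN, 1 otherwise.
cn_allowed() {
    [ -f "$CCD_DIR/$1" ]
}

# Print every CN a syslog excerpt shows being rejected by the CCD lookup.
rejected_cns() {
    sed -n "s/.*--client-config-dir authentication failed for common name '\([^']*\)'.*/\1/p" "$1"
}

# Constructed syslog excerpt modelled on the lines posted above.
LOG="$OVPN_DIR/syslog.txt"
cat > "$LOG" <<'EOF'
May 28 04:25:22 openvpn[1702]: 74.---.---.---:51339 VERIFY OK: depth=0, CN=TestPC, name=TestPC
May 28 04:25:25 openvpn[1702]: 74.---.---.---:51339 TLS Auth Error: --client-config-dir authentication failed for common name 'TestPC' file='ccd/TestPC'
May 28 04:25:28 openvpn[1702]: 74.---.---.---:51339 SENT CONTROL [TestPC]: 'AUTH_FAILED' (status=1)
EOF

make_ccd TestPC Laptop     # "Laptop" is an assumed second client name
write_config
```

Running `rejected_cns` over the real syslog on the router lists exactly the CNs that need a file in the ccd directory (or that are spelled differently there).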

-KS-Silence[AU] 06-01-2013 11:26 AM

I'll give that a shot, thanks for the tip Brouno!

-KS-Silence[AU] 06-01-2013 03:10 PM

[QUOTE=Brouno;70711]Hello,

I think you have the same problem as in here: [url]http://openvpn.net/archive/openvpn-users/2006-04/msg00083.html[/url]

The openvpn server daemon doesn't find the file 'ccd/Win-8-VMware'.

I would make sure that the ccd folder is in the correct place.

Try to add:
client-config-dir /ccd

in the custom configuration, or replace /ccd with the correct location.[/QUOTE]

I WinSCP'd my router and can't find /ccd anywhere at all....
I guess the issue is where the folder goes and what needs to go in it...
Can I put it anywhere as long as I give the path to the folder?

I'm gonna throw a topic on the OpenVPN forums as well to broaden my audience.

