Connecting to the OpenVPN server


Hello everyone,

I’m trying to replace my current VPN with an OpenVPN server, using the official YunoHost app.
When I install it, the log file shows no error.
The web interface is working too.

But I’m trying to connect using NetworkManager (on Kubuntu).
I’m following these instructions: https://github.com/Kloadut/openvpn_ynh
But the connection to the VPN is not working: after a while it fails. And if I use a wrong password, it fails immediately, which makes me think that the connection is (partly) working.

Any idea? Is my configuration wrong?

Thanks a lot :slight_smile:

(French version, translated)
Hello everyone,
I’m trying to replace my current VPN with an OpenVPN server, using the official YunoHost app.
After installation, the log file gives me no error.
The web interface works too (even if it is different from the “classic” OpenVPN one).

But I can’t manage to connect with NetworkManager (on Kubuntu).
I’m following these instructions: https://github.com/Kloadut/openvpn_ynh
But the connection doesn’t go through; after a while it fails. And if I use a wrong password, the connection fails immediately, which makes me think that the connection is partly working.

Any idea? Is my configuration wrong?

Thanks :slight_smile:

Here is the error raised when I use the command line tool (is it the right one? openvpn myfile.ovpn)

WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Socket Buffers: R=[212992->131072] S=[212992->131072]
UDPv4 link local: [undef]
UDPv4 link remote: [AF_INET]192.168.1.6:1194
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
Restart pause, 2 second(s)

Hi

You have to configure the file /etc/openvpn/yunohost.conf. The self-signed certificate which was created at the time of installation should be moved to a folder (e.g. /domain.tld/), then change the location in the following lines to this location.

ca /domain.tld/ca.pem
cert /domain.tld/crt.pem
key /domain.tld/key.pem
dh /domain.tld/dh.pem

Hope it helps.

Thanks for your help.

I did it; the configuration is working better now, using TLS + password. The ca, crt and key .pem files are used.
The dh.pem file is not used.

But it asks me for a password for my private key (and user name + login password). I assume it’s the same password as for the login?

Using this password, it still fails after a while, with a connection timeout.

UP ! :wink:

Any idea ?

Uninstall openvpn then reinstall it again. Copy dh.pem from /etc/yunohost/certs/domain.tld to /etc/yunohost/certs/yunohost.org.
Edit /etc/openvpn/yunohost.conf.
Change:
ca /etc/yunohost/certs/yunohost.org/ca.pem
cert /etc/yunohost/certs/yunohost.org/crt.pem
key /etc/yunohost/certs/yunohost.org/key.pem
dh /etc/yunohost/certs/yunohost.org/dh.pem

Do service openvpn restart
Import domain.tld.ovpn into the OpenVPN client. Under VPN, in Authentication, change the type to Password. Use your username and password. Import the CA certificate from the OpenVPN page.

Save and then try to connect.
Hope it works.

Thanks for your help.

Unfortunately this is still not working, again a connection timeout. Even with a wrong password.

For the CA certificate, there’s no need to import it; it’s included in the .ovpn file.

I recently configured 2 servers like that. I don’t know where it is going wrong.
What is the error message?

2 YunoHost servers? That could make a difference.

Nothing, just that the connection process exceeded the time limit. A simple connection timeout.
Is there any log where I can find some details?

Run openvpn on the command line:
sudo openvpn --config /path/to/the/ovpn/file/domain.tld.ovpn

The CA file should be in the ca.pem format and in the same folder as domain.tld.ovpn.

It gets stuck after this prompt:

Sun Apr 24 18:26:44 2016 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016
Sun Apr 24 18:26:44 2016 library versions: OpenSSL 1.0.2g-fips 1 Mar 2016, LZO 2.08
Enter Auth Username:
Enter Auth Password:
Sun Apr 24 18:26:57 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Apr 24 18:26:57 2016 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Apr 24 18:26:57 2016 UDPv4 link local: [undef]
Sun Apr 24 18:26:57 2016 UDPv4 link remote: [AF_INET]X.X.X.X:1194
Sun Apr 24 18:26:57 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Apr 24 18:27:57 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Apr 24 18:27:57 2016 TLS Error: TLS handshake failed
Sun Apr 24 18:27:57 2016 SIGUSR1[soft,tls-error] received, process restarting
Sun Apr 24 18:27:57 2016 Restart pause, 2 second(s)

At least this time the line UDPv4 link remote: [AF_INET]X.X.X.X:1194 doesn’t show a local address, but the right IP.
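The line TLS Error: TLS key negotiation failed to occur within 60 seconds in the log above means the client never received the server’s first control packet, which is a transport problem (port forwarding, firewall, nothing bound to UDP 1194) rather than a certificate problem. The probe below is an added example, not code from this thread, from OpenVPN or from the YunoHost app: it sends the genuine first packet of the OpenVPN handshake (P_CONTROL_HARD_RESET_CLIENT_V2) and checks whether a matching P_CONTROL_HARD_RESET_SERVER_V2 comes back. It assumes the server runs without tls-auth or tls-crypt, as the yunohost.conf posted later in this thread does; with those options every control packet carries an HMAC the probe cannot produce, and the server silently drops the packet. Function names and the sample session ids are mine.

```python
"""Is UDP 1194 actually reaching an OpenVPN server?  (added example)

Sends the real first handshake packet and classifies the answer, so that
"no reply at all" (filtered / not forwarded / nothing listening) can be told
apart from "server is there, look at TLS and authentication next".
Assumes the server has no --tls-auth / --tls-crypt.
"""
import os
import socket
import struct

# Opcodes from OpenVPN's ssl_common.h; byte 0 of a packet is (opcode << 3) | key_id.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8
HEADER_LEN = 1 + 8 + 1  # opcode/key_id byte, session id, ack-array length


def build_hard_reset(session_id):
    """Client's first control packet (no tls-auth): opcode/key_id byte with key_id 0,
    8-byte client session id, ack-array length 0, 4-byte packet id 0."""
    if len(session_id) != 8:
        raise ValueError("session id must be 8 bytes")
    return (bytes([P_CONTROL_HARD_RESET_CLIENT_V2 << 3]) + session_id
            + b"\x00" + struct.pack("!I", 0))


def parse_hard_reset_reply(data, our_session_id):
    """Parse a HARD_RESET_SERVER_V2 and check it answers *our* session.

    Layout: opcode/key_id, server session id (8), ack count (1), acked packet
    ids (4 each), our session id echoed back (8), server packet id (4).
    Raises ValueError for anything else (data packet, other session, garbage).
    """
    if len(data) < HEADER_LEN:
        raise ValueError("packet too short")
    opcode = data[0] >> 3
    if opcode != P_CONTROL_HARD_RESET_SERVER_V2:
        raise ValueError("unexpected opcode %d" % opcode)
    server_session_id = data[1:9]
    ack_len = data[9]
    if ack_len == 0:
        raise ValueError("server reset acknowledges nothing")
    if len(data) < HEADER_LEN + 4 * ack_len + 8 + 4:
        raise ValueError("truncated packet")
    pos = HEADER_LEN
    acked = struct.unpack("!%dI" % ack_len, data[pos:pos + 4 * ack_len])
    pos += 4 * ack_len
    echoed = data[pos:pos + 8]
    pos += 8
    if echoed != our_session_id:
        # Stale reply, another client's session, or a spoofed packet: not ours.
        raise ValueError("reply is not for our session")
    (packet_id,) = struct.unpack("!I", data[pos:pos + 4])
    return {"server_session_id": server_session_id, "acked": acked, "packet_id": packet_id}


def is_server_reset_for(data, our_session_id):
    """Boolean form of parse_hard_reset_reply."""
    try:
        parse_hard_reset_reply(data, our_session_id)
        return True
    except ValueError:
        return False


def probe(host, port=1194, timeout=3.0):
    """Send one hard reset to host:port and classify what happens."""
    session_id = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))  # connected UDP: ICMP port-unreachable surfaces as an error
        sock.send(build_hard_reset(session_id))
        try:
            data = sock.recv(2048)
        except socket.timeout:
            return ("no reply: UDP %d is filtered, not forwarded to the server, nothing is "
                    "listening, or the server uses tls-auth/tls-crypt and dropped the packet" % port)
        except ConnectionRefusedError:
            return "ICMP port unreachable: host reached, no OpenVPN bound to UDP %d" % port
    if is_server_reset_for(data, session_id):
        return "OpenVPN answered: transport is fine, look at TLS and certificates next"
    return "something answered on that port, but not an OpenVPN hard reset"


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 1194))
```

Run it from the client machine with the server’s public name or address (python3 probe.py mondom.fr 1194); run it once more from inside the LAN against the private address to separate a port-forwarding problem from a server-side one. A server reply proves nothing about the certificates, only that the handshake can start.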

You have to put the certificate which YunoHost produced itself the first time in one folder and point to that in the openvpn/yunohost.conf file.
Try all the certificates in the folders under /etc/yunohost/certs/ one by one.
I had the same error, which was solved by pointing to the right certificate files.
Don’t forget to restart openvpn after each change.

Sorry, I’m not sure I understand what you mean: is it on the server side?
Which certificate do I have to try?
Does the config on the client remain the same?

Thanks :slight_smile:

Up :slight_smile:

UP again :slight_smile:
Any idea to solve this problem?

@kanhu: which certificate do I have to try?
Thanks :wink:

Hello,
I just tested the installation; I had to tinker a bit.

In particular, I reused the self-signed certificates, except for “dh”.

I also have a bug when starting the service; here is the command I use:

systemctl start openvpn@yunohost.service

Here is my config
> > cat /etc/openvpn/yunohost.conf

>     port 1194
>     dev tun
>     proto udp
>     ca /etc/yunohost/certs/mondom.fr.beforeLetsEncrypt/ca.pem
>     cert /etc/yunohost/certs/mondom.fr.beforeLetsEncrypt/crt.pem
>     key /etc/yunohost/certs/mondom.fr.beforeLetsEncrypt/key.pem
>     # dh /etc/yunohost/certs/yunohost_self_signed/dh.pem
>     server 10.8.0.0 255.255.255.0
>     route 10.8.0.0 255.255.255.0
>     keepalive 10 60
>     inactive 600
>     user openvpn
>     group openvpn
>     persist-tun
>     persist-key
>     verb 3
>     plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
>     client-cert-not-required
>     status /var/log/openvpn.log
>     comp-lzo
>     push "redirect-gateway def1"
>     push "dhcp-option DNS 10.8.0.1"

Nino

Thanks @nino.
Strangely, I have exactly the same config as you.
How do you then configure the machine with NetworkManager on the client side?

edit: to start the service I go through the moulinette; systemctl is not available.

Lapineige,

On the server, I check that openvpn is indeed running:

ps -ef | grep openvpn
openvpn 9390 1 0 May04 ? 00:00:21 /usr/sbin/openvpn --daemon ovpn-yunohost --status /run/openvpn/yunohost.status 10 --cd /etc/openvpn --config /etc/openvpn/yunohost.conf

For a client test I fetch the .ovpn file from the app’s web page and in a console I run the command:
openvpn "file.ovpn"

With NetworkManager I used the simplest config: import of the ca file, LZO and password authentication.

I also tested on Android with OpenVPN for Android: I imported the .ovpn file and changed the option “replace DNS settings with the server’s”.

Since my server is hosted, I have a fixed IP.
Normally the connection goes through; I check with Firefox on the site monip.com (for example) that I am on my server’s IP address.

Nino

Which gives me the content of my second post.

Same thing, a connection timeout.
Could you export your config file (from NetworkManager) so I can see its contents, to check that my config is the right one? (with the domain name removed, obviously)
Thanks :wink:

Here is the mondom.fr.ovpn file.
What does the command ps -ef | grep openvpn give on the server?

client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo yes
verb 3
remote mondom.fr 1194
route-delay
reneg-sec 0
redirect-gateway
script-security 2
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MI…
.
.
.
-----END CERTIFICATE-----
</ca>
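The line WARNING: No server certificate verification method has been enabled that appears in every client log in this thread is a real weakness, not noise: with only a <ca> block, the client accepts any certificate that CA has ever signed as the server’s, whatever the certificate was issued for. The file below is the posted mondom.fr.ovpn with that fixed, as an added example and not a file from the thread, the YunoHost app or OpenVPN; the only addition is the remote-cert-tls line, and the certificate body is a placeholder for the block the app’s web page exports.

```conf
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo yes
verb 3
remote mondom.fr 1194
route-delay
reneg-sec 0
redirect-gateway
script-security 2
auth-user-pass
# Added: accept only a certificate issued for TLS server use as the server.
# Needs the extendedKeyUsage serverAuth (or nsCertType server) extension on
# the server's crt.pem; removes the "No server certificate verification
# method" warning.
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(the YunoHost CA certificate from the exported .ovpn goes here)
-----END CERTIFICATE-----
</ca>
```

Check first that the server certificate carries the usage this line requires: openssl x509 -in /etc/yunohost/certs/<domain>/crt.pem -noout -text | grep -A1 "Extended Key Usage" on the server should show TLS Web Server Authentication. If it does not, the hardened client refuses the handshake, which is the verification doing its job; the fix is then on the server’s certificate, not in the client file. In NetworkManager the same setting is the “Verify peer (server) certificate usage signature” option under the TLS Authentication tab of the VPN connection.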