how to setup certificate authentication
Posted: Mon Feb 11, 2019 10:01 pm
Dear all,
Has anyone successfully configured authentication by certificate? I have been working on it for days but still cannot make it work. There are also insufficient references on the internet.
So basically I read the official manual and followed the instructions posted at https://github.com/SoftEtherVPN/SoftEtherVPN/pull/327. The only difference is I did it via VPN Server Manager. The steps are as follows:
1. I configured the vpn, created a user with username/password authentication, and verified the vpn works properly.
2. I created another user, set the auth type to individual certificate authentication, and created a self-signed certificate with a common name the same as the username.
3. I exported the certificate and key to a location, created an ovpn config file at the same location and adapted it to the following content:
# OpenVPN client profile from the post, with comments added
dev tun
proto udp
# SoftEther's OpenVPN listener (host masked in the post)
remote xxxx 51194
cipher AES-128-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
# client private key; keep it mode 0600 (OpenVPN warns in the output when it is not)
key test.key
# client certificate whose CN equals the SoftEther user name
cert test.cer
# trust anchor used to verify the server certificate
ca server.cer
When I tried to connect to the vpn, I got the following message:
[root@42a8b629ca47 ~]# openvpn --config test.ovpn
Mon Feb 11 21:37:33 2019 WARNING: file 'test.key' is group or others accessible
Mon Feb 11 21:37:33 2019 OpenVPN 2.4.6 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
Mon Feb 11 21:37:33 2019 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Mon Feb 11 21:37:33 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Feb 11 21:37:33 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxx:51194
Mon Feb 11 21:37:33 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Feb 11 21:37:33 2019 UDP link local: (not bound)
Mon Feb 11 21:37:33 2019 UDP link remote: [AF_INET]xxxx:51194
Mon Feb 11 21:37:33 2019 TLS: Initial packet from [AF_INET]xxxx:51194, sid=cf3cf538 0dd67a33
Mon Feb 11 21:37:33 2019 VERIFY OK: depth=0, CN=x, O=x, OU=x, C=US
Mon Feb 11 21:37:33 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Feb 11 21:37:33 2019 [x] Peer Connection Initiated with [AF_INET]xxxx:51194
Mon Feb 11 21:37:35 2019 SENT CONTROL [x]: 'PUSH_REQUEST' (status=1)
Mon Feb 11 21:37:35 2019 AUTH: Received control message: AUTH_FAILED
Mon Feb 11 21:37:35 2019 SIGTERM[soft,auth-failure] received, process exiting
The related logs on the server side are as follows:
2019-02-11 21:37:35.182 The connection "CID-4" (IP address: xxxx, Host name: xxxx, Port number: 45563, Client name: "OpenVPN Client", Version: 4.28, Build: 9669) is attempting to connect to the Virtual Hub. The auth type provided is "External server authentication" and the user name is "".
2019-02-11 21:37:35.182 Connection "CID-4": User authentication failed. The user name that has been provided was "".
I masked some fields with "x" but the values are correct. The only suspicious point is that the username received by the server seems to be empty.
The version number is v4.28-9669-beta, running on CentOS 7.
What is the problem here? Any suggestion is highly appreciated!
Best regards,
Yang
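As an added example (not code from the original post or from the SoftEther project), the following Python script lints the posted client profile for what a certificate login needs and correlates the OpenVPN client output with the SoftEther hub log lines to point at where the login stopped. The profile and log lines are constructed from the post; the host name vpn.example.net is a placeholder, and the function names are assumptions of this example.

```python
"""Added example: lint an OpenVPN client-certificate profile and triage the
client/server logs of a failed login against a SoftEther hub.
Inputs are constructed from the forum post; vpn.example.net is a placeholder."""
import re

# Constructed input: the posted client profile, host name replaced by a placeholder.
CLIENT_CONFIG = """\
dev tun
proto udp
remote vpn.example.net 51194
cipher AES-128-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
key test.key
cert test.cer
ca server.cer
"""

# Constructed input: the relevant OpenVPN client output lines from the post.
CLIENT_LOG = """\
Mon Feb 11 21:37:33 2019 WARNING: file 'test.key' is group or others accessible
Mon Feb 11 21:37:33 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Feb 11 21:37:33 2019 VERIFY OK: depth=0, CN=x, O=x, OU=x, C=US
Mon Feb 11 21:37:35 2019 AUTH: Received control message: AUTH_FAILED
"""

# Constructed input: the SoftEther hub log lines from the post (fields masked as there).
SERVER_LOG = """\
2019-02-11 21:37:35.182 The connection "CID-4" (IP address: xxxx, Host name: xxxx, Port number: 45563, Client name: "OpenVPN Client", Version: 4.28, Build: 9669) is attempting to connect to the Virtual Hub. The auth type provided is "External server authentication" and the user name is "".
2019-02-11 21:37:35.182 Connection "CID-4": User authentication failed. The user name that has been provided was "".
"""


def parse_config(text):
    """Map each .ovpn directive to its argument list; '#' and ';' start comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            cfg[name] = args
    return cfg


def lint_cert_auth_config(cfg):
    """Findings for a profile that is meant to log in with a client certificate."""
    findings = []
    for d in ("ca", "cert", "key"):
        if d not in cfg:
            findings.append(f"missing '{d}': certificate login needs ca, cert and key")
    if "auth-user-pass" in cfg:
        findings.append("'auth-user-pass' present: a password login would be offered too")
    if "remote-cert-tls" not in cfg and "verify-x509-name" not in cfg:
        findings.append("no 'remote-cert-tls server'/'verify-x509-name': the peer is only "
                        "checked to chain to the CA, not to be the server")
    if "tls-version-min" not in cfg:
        findings.append("no 'tls-version-min 1.2': older TLS versions may be negotiated")
    return findings


# Patterns for the client output and the hub log lines shown in the post.
_KEY_PERMS = re.compile(r"WARNING: file '([^']+)' is group or others accessible")
_NO_VERIFY = re.compile(r"No server certificate verification method")
_VERIFY_OK = re.compile(r"VERIFY OK: depth=(\d+), (.+)$")
_AUTH_FAILED = re.compile(r"AUTH: Received control message: AUTH_FAILED")
_SERVER_ATTEMPT = re.compile(r'The auth type provided is "([^"]*)" and the user name is "([^"]*)"')


def triage(client_log, server_log):
    """Extract the facts that decide where a certificate login broke."""
    state = {"server_cert_verified": False, "server_cert_unpinned": False,
             "auth_failed": False, "exposed_key_files": [],
             "server_auth_type": None, "server_user": None}
    for line in client_log.splitlines():
        m = _KEY_PERMS.search(line)
        if m:
            state["exposed_key_files"].append(m.group(1))
        if _NO_VERIFY.search(line):
            state["server_cert_unpinned"] = True
        m = _VERIFY_OK.search(line)
        if m and m.group(1) == "0":          # depth 0 = the server's own certificate
            state["server_cert_verified"] = True
        if _AUTH_FAILED.search(line):
            state["auth_failed"] = True
    for line in server_log.splitlines():
        m = _SERVER_ATTEMPT.search(line)
        if m:
            state["server_auth_type"], state["server_user"] = m.group(1), m.group(2)
    return state


def diagnose(state):
    """Turn the triage facts into the checks a practitioner would do next."""
    notes = []
    if state["exposed_key_files"]:
        notes.append("private key readable by others: chmod 600 " + " ".join(state["exposed_key_files"]))
    if state["server_cert_unpinned"]:
        notes.append("server identity not checked beyond the CA signature: add "
                     "'remote-cert-tls server' or 'verify-x509-name'")
    if state["auth_failed"] and state["server_cert_verified"] and state["server_user"] == "":
        notes.append(f"TLS completed, but the hub saw auth type '{state['server_auth_type']}' "
                     "with an empty user name, so no named user was ever checked: confirm the hub "
                     "user is set to certificate auth, that the client certificate CN equals the "
                     "user name exactly, and that this server build maps OpenVPN client "
                     "certificates to users")
    elif state["auth_failed"]:
        notes.append("AUTH_FAILED without a TLS or hub-side clue: raise 'verb' and compare the hub log")
    return notes


if __name__ == "__main__":
    for f in lint_cert_auth_config(parse_config(CLIENT_CONFIG)):
        print("config:", f)
    for n in diagnose(triage(CLIENT_LOG, SERVER_LOG)):
        print("login:", n)
```

The hub-side regex keys on the exact sentence SoftEther wrote in the post; the third note is only raised when the client proved the server certificate and the hub still reports an empty user name, which is the combination that separates a TLS problem from a user-mapping problem.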