Configure NethServer as an OpenVPN net2net client

My set up is as follows:
Zentyal server on the cloud - This acts as the external central server for my home infrastructure
NethServer for local infrastructure - I feel like NethServer focuses a lot more for network services

I’ve downloaded the VPN bundle from the Zentyal-to-Zentyal server I created and it includes a number of crt files as well as a config file created as a csv file. The crt files i have include a ca.crt, cert.crt and privateKey.crt.

On the NethServer, I attempted to create the connection as VPN client. I pasted the contents of the ca.crt and privateKey.crt in the configuration but I’m unable to connect to the Zentyal Server.

My questions are:
Is this the right approach?
Any more detailed tips or links to help set this up?

Hi could you plese share logs from openvpn.

less /var/log/openvpn/openvpn.log

Here’s the dump:

Fri Dec 25 14:32:55 2015 OpenVPN 2.3.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun  9 2015
Fri Dec 25 14:32:55 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Fri Dec 25 14:32:55 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 25 14:32:55 2015 Cannot load private key file /var/lib/nethserver/certs/clients/central-server.pem: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Fri Dec 25 14:32:55 2015 Error: private key password verification failed
Fri Dec 25 14:32:55 2015 Exiting due to fatal error
Fri Dec 25 14:45:51 2015 OpenVPN 2.3.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun  9 2015
Fri Dec 25 14:45:51 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Fri Dec 25 14:45:51 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 25 14:45:51 2015 Cannot load certificate file /var/lib/nethserver/certs/clients/central-server.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Fri Dec 25 14:45:51 2015 Exiting due to fatal error
Fri Dec 25 14:52:44 2015 OpenVPN 2.3.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun  9 2015
Fri Dec 25 14:52:44 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Fri Dec 25 14:52:44 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 25 14:52:44 2015 Error: private key password verification failed
Fri Dec 25 14:52:44 2015 Exiting due to fatal error
Fri Dec 25 14:53:17 2015 OpenVPN 2.3.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun  9 2015
Fri Dec 25 14:53:17 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Fri Dec 25 14:53:17 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 25 14:53:17 2015 Error: private key password verification failed
Fri Dec 25 14:53:17 2015 Exiting due to fatal error

Please see the screenshot:

You need to paste all the Certificate content in field and i suppose use user password

I actually did paste the content of all 3 certificate files before hitting the error. I’ll try to add the files one at a time and output the log here.

When generating the key have you been asked for a “passphrase” ?

I actually haven’t been asked for a passphrase. I generated a key using Zentyal’s Certificate manager which obfuscates that from me.

Try to connect with Linux or Windows with GUI because maybe it is neded to enter username or password, I’m not zentyal spec, but form error message it mean that you need passphare.

I suppose you need to select Client type linux or make test user and attach there bundle from Zentyal, it maybe helpfull for all community.

I’ve spun up a new Zentyal Server to do this test. Here’s a sample file that was generated.

https://drive.google.com/open?id=0B9YRZ_HapM6TTDYyLVB4ZWNCY3M

Just to make sure that we’re on the same page - I’m using a Zentyal-to-Zentyal configuration as I think this should generate a net2net connection. I’m not sure if that’s indeed true.

I have successfully connect Zentyal (as Server) + NS (as Client)
@alefattorini @filippo_carletti @davidep @giacomo
We need to add new field to VPN Client mode :

# Verify server certificate by common name
verify-x509-name (server CN name) name

without this Zenyal and NS could not connetc to each other.
Please share your thoughts regarding this matter.

The field can be always added unconditionally?
Or do we need a property in the configuration database and a field in the server-manager page?

We need somth like checkbox [ ] Verify Common Name (Zentyal) and field where we could put it

1 Like