Configure NethServer as an OpenVPN net2net client

firsttiger · December 25, 2015, 10:20pm

My set up is as follows:
Zentyal server on the cloud - This acts as the external central server for my home infrastructure
NethServer for local infrastructure - I feel like NethServer focuses a lot more for network services

I’ve downloaded the VPN bundle from the Zentyal-to-Zentyal server I created and it includes a number of crt files as well as a config file created as a csv file. The crt files i have include a ca.crt, cert.crt and privateKey.crt.

On the NethServer, I attempted to create the connection as VPN client. I pasted the contents of the ca.crt and privateKey.crt in the configuration but I’m unable to connect to the Zentyal Server.

My questions are:
Is this the right approach?
Any more detailed tips or links to help set this up?

Nas · December 26, 2015, 8:10am

Hi could you plese share logs from openvpn.

Nas · December 26, 2015, 9:52am

less /var/log/openvpn/openvpn.log

firsttiger · December 26, 2015, 8:06pm

Here’s the dump:

Fri Dec 25 14:32:55 2015 OpenVPN 2.3.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun  9 2015
Fri Dec 25 14:32:55 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Fri Dec 25 14:32:55 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 25 14:32:55 2015 Cannot load private key file /var/lib/nethserver/certs/clients/central-server.pem: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Fri Dec 25 14:32:55 2015 Error: private key password verification failed
Fri Dec 25 14:32:55 2015 Exiting due to fatal error
Fri Dec 25 14:45:51 2015 OpenVPN 2.3.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun  9 2015
Fri Dec 25 14:45:51 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Fri Dec 25 14:45:51 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 25 14:45:51 2015 Cannot load certificate file /var/lib/nethserver/certs/clients/central-server.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Fri Dec 25 14:45:51 2015 Exiting due to fatal error
Fri Dec 25 14:52:44 2015 OpenVPN 2.3.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun  9 2015
Fri Dec 25 14:52:44 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Fri Dec 25 14:52:44 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 25 14:52:44 2015 Error: private key password verification failed
Fri Dec 25 14:52:44 2015 Exiting due to fatal error
Fri Dec 25 14:53:17 2015 OpenVPN 2.3.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun  9 2015
Fri Dec 25 14:53:17 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Fri Dec 25 14:53:17 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 25 14:53:17 2015 Error: private key password verification failed
Fri Dec 25 14:53:17 2015 Exiting due to fatal error

Nas · December 26, 2015, 8:10pm

Please see the screenshot:

You need to paste all the Certificate content in field and i suppose use user password

firsttiger · December 26, 2015, 10:00pm

I actually did paste the content of all 3 certificate files before hitting the error. I’ll try to add the files one at a time and output the log here.

Nas · December 26, 2015, 10:22pm

When generating the key have you been asked for a “passphrase” ?

firsttiger · December 27, 2015, 2:31pm

I actually haven’t been asked for a passphrase. I generated a key using Zentyal’s Certificate manager which obfuscates that from me.

Nas · December 27, 2015, 2:38pm

Try to connect with Linux or Windows with GUI because maybe it is neded to enter username or password, I’m not zentyal spec, but form error message it mean that you need passphare.

Nas · December 27, 2015, 2:50pm

I suppose you need to select Client type linux or make test user and attach there bundle from Zentyal, it maybe helpfull for all community.

firsttiger · December 28, 2015, 4:07am

I’ve spun up a new Zentyal Server to do this test. Here’s a sample file that was generated.

https://drive.google.com/open?id=0B9YRZ_HapM6TTDYyLVB4ZWNCY3M

Just to make sure that we’re on the same page - I’m using a Zentyal-to-Zentyal configuration as I think this should generate a net2net connection. I’m not sure if that’s indeed true.

Nas · December 28, 2015, 11:13pm

I have successfully connect Zentyal (as Server) + NS (as Client)
@alefattorini @filippo_carletti @davidep @giacomo
We need to add new field to VPN Client mode :

# Verify server certificate by common name
verify-x509-name (server CN name) name

without this Zenyal and NS could not connetc to each other.
Please share your thoughts regarding this matter.

filippo_carletti · December 29, 2015, 9:42am

The field can be always added unconditionally?
Or do we need a property in the configuration database and a field in the server-manager page?

Nas · December 29, 2015, 10:40am

We need somth like checkbox Verify Common Name (Zentyal) and field where we could put it