Configure NethServer as an OpenVPN net2net client


(Kelvin Kang) #1

My set up is as follows:
Zentyal server in the cloud - this acts as the external central server for my home infrastructure
NethServer for local infrastructure - I feel like NethServer focuses a lot more on network services

I’ve downloaded the VPN bundle from the Zentyal-to-Zentyal server I created, and it includes a number of crt files as well as a config file created as a csv file. The crt files I have include a ca.crt, cert.crt and privateKey.crt.

On the NethServer, I attempted to create the connection as VPN client. I pasted the contents of the ca.crt and privateKey.crt in the configuration but I’m unable to connect to the Zentyal Server.

My questions are:
Is this the right approach?
Any more detailed tips or links to help set this up?


(Artem Fedai) #2

Hi, could you please share the logs from OpenVPN.


(Artem Fedai) #3
less /var/log/openvpn/openvpn.log

(Kelvin Kang) #4

Here’s the dump:

Fri Dec 25 14:32:55 2015 OpenVPN 2.3.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun  9 2015
Fri Dec 25 14:32:55 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Fri Dec 25 14:32:55 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 25 14:32:55 2015 Cannot load private key file /var/lib/nethserver/certs/clients/central-server.pem: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Fri Dec 25 14:32:55 2015 Error: private key password verification failed
Fri Dec 25 14:32:55 2015 Exiting due to fatal error
Fri Dec 25 14:45:51 2015 OpenVPN 2.3.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun  9 2015
Fri Dec 25 14:45:51 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Fri Dec 25 14:45:51 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 25 14:45:51 2015 Cannot load certificate file /var/lib/nethserver/certs/clients/central-server.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Fri Dec 25 14:45:51 2015 Exiting due to fatal error
Fri Dec 25 14:52:44 2015 OpenVPN 2.3.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun  9 2015
Fri Dec 25 14:52:44 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Fri Dec 25 14:52:44 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 25 14:52:44 2015 Error: private key password verification failed
Fri Dec 25 14:52:44 2015 Exiting due to fatal error
Fri Dec 25 14:53:17 2015 OpenVPN 2.3.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun  9 2015
Fri Dec 25 14:53:17 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Fri Dec 25 14:53:17 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 25 14:53:17 2015 Error: private key password verification failed
Fri Dec 25 14:53:17 2015 Exiting due to fatal error

(Artem Fedai) #5

Please see the screenshot:

You need to paste all the certificate content in the field and, I suppose, use the user password.


(Kelvin Kang) #6

I actually did paste the content of all 3 certificate files before hitting the error. I’ll try to add the files one at a time and output the log here.


(Artem Fedai) #7

When generating the key have you been asked for a “passphrase” ?


(Kelvin Kang) #8

I actually haven’t been asked for a passphrase. I generated a key using Zentyal’s Certificate manager which obfuscates that from me.


(Artem Fedai) #9

Try to connect from Linux or Windows with a GUI client, because maybe it is needed to enter a username or password. I’m not a Zentyal specialist, but from the error message it seems that you need a passphrase.


(Artem Fedai) #10

I suppose you need to select client type Linux, or make a test user and attach the bundle from Zentyal there; it may be helpful for the whole community.


(Kelvin Kang) #11

I’ve spun up a new Zentyal Server to do this test. Here’s a sample file that was generated.

https://drive.google.com/open?id=0B9YRZ_HapM6TTDYyLVB4ZWNCY3M

Just to make sure that we’re on the same page - I’m using a Zentyal-to-Zentyal configuration as I think this should generate a net2net connection. I’m not sure if that’s indeed true.


(Artem Fedai) #12

I have successfully connected Zentyal (as server) + NS (as client).
@alefattorini @filippo_carletti @davidep @giacomo
We need to add a new field to VPN client mode:

# Verify server certificate by common name
verify-x509-name (server CN name) name

Without this, Zentyal and NS could not connect to each other.
Please share your thoughts regarding this matter.

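For anyone who wants to check a bundle before pasting it into the client page, here is an added shell example (not from this thread and not NethServer's own code). It assumes the openssl CLI is installed; the file names and the optional passphrase argument are placeholders. Each check corresponds to one of the errors in the log above, and the last function prints the CN to put after verify-x509-name.

```shell
#!/bin/sh
# Added example: sanity-check an OpenVPN client bundle (ca.crt, cert.crt,
# private key) before it is pasted into the VPN client configuration.
# Assumes the openssl CLI; file names and passphrase are placeholder arguments.

# check_vpn_bundle CA CERT KEY [PASSPHRASE] -> exit 0 if consistent, 1 otherwise
check_vpn_bundle() {
    ca="$1"; cert="$2"; key="$3"; pass="${4:-}"
    # "PEM routines:PEM_read_bio:no start line": the file carries no PEM block
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" \
        || { echo "ca: no PEM certificate block"; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" \
        || { echo "cert: no PEM certificate block"; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" \
        || { echo "key: no PEM private key block"; return 1; }
    # "private key password verification failed": the key is encrypted and the
    # passphrase is wrong or missing ("pass:" with an empty value never prompts)
    key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) \
        || { echo "key: cannot be read (encrypted key, bad passphrase?)"; return 1; }
    # "X509_check_private_key:key values mismatch": key does not belong to cert,
    # detected by comparing the public key inside the cert with the key's own
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cert: not a valid certificate"; return 1; }
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "key values mismatch: private key does not match cert"; return 1; }
    # The client certificate must chain to the CA the server trusts
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' \
        || { echo "cert: not issued by ca"; return 1; }
    echo "bundle ok"
}

# server_cn CERT -> prints the CN, i.e. the value for "verify-x509-name <CN> name"
server_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
```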

(Filippo Carletti) #13

Can the field always be added unconditionally?
Or do we need a property in the configuration database and a field in the server-manager page?


(Artem Fedai) #14

We need something like a checkbox [ ] Verify Common Name (Zentyal) and a field where we could put it.