Neth as a VPN client?

v7

(Dan) #1

NethServer Version: 7.4
Module: OpenVPN

As I mentioned in the “what are you working on” thread, I’ve just set up a Neth 7.4 instance on a Contabo VPS. However,

  • I don’t like the idea of the server manager being exposed to the whole Internet, and
  • I’m going to be wanting to send a good back of data back and forth securely between the Neth VPS and my home network (mostly Neth backups, but other stuff too).

Seems to me that the most straightforward way to do this is to have a more-or-less permanent VPN connection between the Neth instance and my home network. My home network sits behind a pfSense router, which already acts as an OpenVPN server (to allow me to connect to my home network remotely), so it seems the easiest thing for me to do would be to set up the Neth box to connect to that.

So, on pfSense, certificate manager, I created a new user cert for the Neth instance. Went to the OpenVPN client export tool and downloaded that configuration–it contains the CA cert, the user cert, and the user private key.

Then, in the server manager, I went to OpenVPN tunnels, tunnel clients, upload, and uploaded the saved config file. The screen gave a red error banner with no further detail. No problem, I thought, and clicked on Create New instead. Filled in a name (pfsense), the FQDN of my router, the port, and in the Certificate field, I pasted both the user cert and the user private key. That saved without issue, and the tunnel clients tab seems to show that it’s connected, but it isn’t:


I expect I’m doing something simple wrong, but what is it?

Edit: The docs, at least as I read them, deal a bit with running Neth as an OpenVPN server, but I don’t see that they deal with the client side, even though the GUI supports that. If this would be easier/simpler to configure with a different type of VPN (e.g., IPSec instead), I could set that up at the router as well, but I’d just as soon stick with what I know (even if I only know a little bit about it).


(Eddie Atherton) #2

What do the logs show. Not sure about tunnels, but check under /var/log/openvpn.

Because I wasn’t sure 100% how NS would set up an OpenVPN client, I opted to create the .conf file in /etc/openvpn/client and then use the command line to control it:

systemctl <operation> openvpn-client@<filename> (without the .conf suffix)

Cheers.


(Dan) #3

Nothing at all in /var/log/openvpn, but grep -i openvpn /var/log/messages returns repeated instances of this:

Jan 3 08:05:05 neth openvpn: Wed Jan 3 08:05:05 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Jan 3 08:05:05 neth openvpn: Wed Jan 3 08:05:05 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]96.68.219.29:1194 Jan 3 08:05:05 neth openvpn: Wed Jan 3 08:05:05 2018 Socket Buffers: R=[212992->212992] S=[212992->212992] Jan 3 08:05:05 neth openvpn: Wed Jan 3 08:05:05 2018 UDP link local: (not bound) Jan 3 08:05:05 neth openvpn: Wed Jan 3 08:05:05 2018 UDP link remote: [AF_INET]96.68.219.29:1194 Jan 3 08:06:05 neth openvpn: Wed Jan 3 08:06:05 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Jan 3 08:06:05 neth openvpn: Wed Jan 3 08:06:05 2018 TLS Error: TLS handshake failed Jan 3 08:06:05 neth openvpn: Wed Jan 3 08:06:05 2018 SIGUSR1[soft,tls-error] received, process restarting Jan 3 08:06:05 neth openvpn: Wed Jan 3 08:06:05 2018 Restart pause, 300 second(s)

And your post also reminded me to check the logs to see what happens when I try to upload the .ovpn file I downloaded from my pfSense box. I think this is the key line:

Jan 3 08:31:02 neth esmith::event[7197]: malformed JSON string, neither array, object, number, string or atom, at character offset 0 (before "dev tun\npersist-tun...") at /etc/e-smith/events/openvpn-tunnel-upload/S30nethserver-openvpn-upload-client line 37.

Looks like it’s expecting the upload to be in JSON format.

Edit: Looking at the help screen, that says that the “Certificate” field needs to include both the server and the client certificates–that’s hardly intuitive from the screen. But easy enough, I pasted in the CA cert as well. That field now looks like:
-----BEGIN CERTIFICATE----- (CA cert data) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (client cert data) -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- (private key data) -----END PRIVATE KEY-----

But now, here’s what’s happening in the logs:
Jan 3 08:42:54 neth systemd: Starting OpenVPN Robust And Highly Flexible Tunneling Application On pfsense... Jan 3 08:42:54 neth openvpn: Wed Jan 3 08:42:54 2018 WARNING: file '/var/lib/nethserver/certs/clients/pfsense.pem' is group or others accessible Jan 3 08:42:54 neth openvpn: Wed Jan 3 08:42:54 2018 OpenVPN 2.4.4 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017 Jan 3 08:42:54 neth openvpn: Wed Jan 3 08:42:54 2018 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06 Jan 3 08:42:54 neth openvpn: Wed Jan 3 08:42:54 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Jan 3 08:42:54 neth openvpn: Wed Jan 3 08:42:54 2018 OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch Jan 3 08:42:54 neth openvpn: Wed Jan 3 08:42:54 2018 Cannot load private key file /var/lib/nethserver/certs/clients/pfsense.pem Jan 3 08:42:54 neth openvpn: Wed Jan 3 08:42:54 2018 Error: private key password verification failed Jan 3 08:42:54 neth openvpn: Wed Jan 3 08:42:54 2018 Exiting due to fatal error Jan 3 08:42:54 neth systemd: Started OpenVPN Robust And Highly Flexible Tunneling Application On pfsense. Jan 3 08:42:54 neth systemd: openvpn@pfsense.service: main process exited, code=exited, status=1/FAILURE

Edit: And yes, /var/lib/nethserver/certs/clients.pfsense.pem is group readable:
[root@neth clients]# ll total 12 -rw-r----- 1 srvmgr srvmgr 8930 Jan 3 08:42 pfsense.pem


(Dan) #4

Well, tried the most basic of tests–sent the config file over to the Neth box via scp, and ran openvpn --config (filename). It connected right away, and is happily transferring data. So that much works. But it seems there should be a way to do this through the GUI. Or, at least, configure it to automatically connect on boot.

Edit: OK, a little more tinkering. Overwrote /etc/openvpn/pfsense.conf with the file I downloaded from my pfsense box, and did systemctl start openvpn@pfsense. That completed without errors, and again, data is transferring across that connection as expected. That obviously isn’t a long-term solution as is, since the GUI will overwrite that .conf file, but it’s progress.