Openvpn+nethserver

And does OpenVPN Connect support the TAP adapter? Few OpenVPN clients support TAP, and only with root access.

OpenVPN Client by colucci-web.it supports TAP without root on Android devices.
I use this app on my mobile and for me it’s the best I’ve tried.
Import the config file from NethServer and that’s it. Works perfectly.
AFAIK it’s the only Android app that supports TAP without root.

BR

I tried to connect with OpenVPN on the computer,
but I’m also getting an error:
Wed Aug 07 14:53:39 2019 OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jan 31 2017
Wed Aug 07 14:53:39 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Aug 07 14:53:39 2019 library versions: OpenSSL 1.0.2k Jan 26, 2017, LZO 2.09
Enter Management Password:
Wed Aug 07 14:53:39 2019 MANAGEMENT: TCP Socket listening on [AF_INET] 127.0.0.1:25340
Wed Aug 07 14:53:39 2019 Need hold release from management interface, waiting …
Wed Aug 07 14:53:40 2019 MANAGEMENT: Client connected from [AF_INET] 127.0.0.1:25340
Wed Aug 07 14:53:40 2019 MANAGEMENT: CMD ‘state on’
Wed Aug 07 14:53:40 2019 MANAGEMENT: CMD ‘log all on’
Wed Aug 07 14:53:40 2019 MANAGEMENT: CMD ‘hold off’
Wed Aug 07 14:53:40 2019 MANAGEMENT: CMD ‘hold release’
Wed Aug 07 14:53:47 2019 MANAGEMENT: CMD ‘username “Auth” “admin2”’
Wed Aug 07 14:53:47 2019 MANAGEMENT: CMD ‘password […]’
Wed Aug 07 14:53:47 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Aug 07 14:53:47 2019 TCP / UDP: Preserving recently used remote address: [AF_INET] 178.212.239.XXX:1194
Wed Aug 07 14:53:47 Socket Buffers: R = [65536-> 65536] S = [65536-> 65536]
Wed Aug 07 14:53:47 2019 UDP link local: (not bound)
Wed Aug 07 14:53:47 2019 UDP link remote: [AF_INET] 178.212.239.XXX:1194
Wed Aug 07 14:53:47 2019 MANAGEMENT:> STATE: 1565178827, WAIT ,
Wed Aug 07 14:53:47 2019 MANAGEMENT:> STATE: 1565178827, AUTH ,
Wed Aug 07 14:53:47 TLS: Initial packet from [AF_INET] 178.212.239.XXX:1194, sid = ea6e0557 46b35965
Wed Aug 07 14:53:47 2019 WARNING: this configuration may cache passwords in memory - use the auth-nocache option to prevent this
Wed Aug 07 14:53:47 2019 VERIFY OK: depth = 0, CN = NethServer, O = Example Org, ST = SomeState, OU = Main, emailAddress=root@localhost.localdomain, C = -, L = Hometown
Wed Aug 07 14:53:47 2019 Control Channel: TLSv1.2, cipher TLSv1 / SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Aug 07 14:53:47 2019 [NethServer] Peer Connection Initiated with [AF_INET] 178.212.239.XXX:1194
Wed Aug 07 14:53:48 2019 MANAGEMENT:> STATE: 1565178828, GET_CONFIG ,
Wed Aug 07 14:53:48 2019 SENT CONTROL [NethServer]: ‘PUSH_REQUEST’ (status = 1)
Wed Aug 07 14:53:48 2019 AUTH: Received control message: AUTH_FAILED
Wed Aug 07 14:53:48 2019 SIGUSR1 [soft, auth-failure] received, process restarting
Wed Aug 07 14:53:48 2019 MANAGEMENT:> STATE: 1565178828, RECONNECTING, auth-failure ,
Wed Aug 07 14:53:48 2019 Restart pause, 5 second (s)
Wed Aug 07 14:54:01 2019 MANAGEMENT: Client disconnected
Wed Aug 07 14:54:01 2019 ERROR: could not read Auth username / password / ok / string from management interface
Wed Aug 07 14:54:01 2019 Exiting due to fatal error

Just a shot in the dark:
I see that you’re using version 2.4.0. There have been some changes since 2.4.0.
The newest client is 2.4.7. Maybe using the newer client can help, because the connection is established AFAICS, but the credentials could not be read by the server from the interface.

I updated OpenVPN to version 2.4.7 but the problem remained.

Wed Aug 07 16:37:17 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
Wed Aug 07 16:37:17 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Aug 07 16:37:17 2019 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
Enter Management Password:
Wed Aug 07 16:37:17 2019 MANAGEMENT: TCP Socket listening on [AF_INET] 127.0.0.1:25340
Wed Aug 07 16:37:17 2019 Need hold release from management interface, waiting …
Wed Aug 07 16:37:18 2019 MANAGEMENT: Client connected from [AF_INET] 127.0.0.1:25340
Wed Aug 07 16:37:18 2019 MANAGEMENT: CMD ‘state on’
Wed Aug 07 16:37:18 2019 MANAGEMENT: CMD ‘log all on’
Wed Aug 07 16:37:18 2019 MANAGEMENT: CMD ‘echo all on’
Wed Aug 07 16:37:18 2019 MANAGEMENT: CMD ‘bytecount 5’
Wed Aug 07 16:37:18 2019 MANAGEMENT: CMD ‘hold off’
Wed Aug 07 16:37:18 2019 MANAGEMENT: CMD ‘hold release’
Wed Aug 07 16:37:40 2019 MANAGEMENT: CMD ‘username “Auth” “admin2@en.local”’
Wed Aug 07 16:37:40 2019 MANAGEMENT: CMD ‘password […]’
Wed Aug 07 16:37:40 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Aug 07 16:37:40 2019 TCP / UDP: Preserving recently used remote address: [AF_INET] 178.212.239.xxx:1194
Wed Aug 07 16:37:40 2019 Socket Buffers: R = [65536-> 65536] S = [65536-> 65536]
Wed Aug 07 16:37:40 2019 UDP link local: (not bound)
Wed Aug 07 16:37:40 2019 UDP link remote: [AF_INET] 178.212.239.xxx:1194
Wed Aug 07 16:37:40 2019 MANAGEMENT:> STATE: 1565185060, WAIT ,
Wed Aug 07 16:37:40 2019 MANAGEMENT:> STATE: 1565185060, AUTH ,
Wed Aug 07 16:37:40 2019 TLS: Initial packet from [AF_INET] 178.212.239.xxx:1194, sid = 5c5fd860 a587a0dd
Wed Aug 07 16:37:40 2019 WARNING: this configuration may cache passwords in memory - use the auth-nocache option to prevent this
Wed Aug 07 16:37:40 2019 VERIFY OK: depth = 0, CN = NethServer, O = Example Org, ST = SomeState, OU = Main, emailAddress=root@localhost.localdomain, C = -, L = Hometown
Wed Aug 07 16:37:43 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Aug 07 16:37:43 2019 [NethServer] Peer Connection Initiated with [AF_INET] 178.212.239.xxx:1194
Wed Aug 07 16:37:44 2019 MANAGEMENT:> STATE: 1565185064, GET_CONFIG ,
Wed Aug 07 16:37:44 2019 SENT CONTROL [NethServer]: ‘PUSH_REQUEST’ (status = 1)
Wed Aug 07 16:37:44 2019 AUTH: Received control message: AUTH_FAILED
Wed Aug 07 16:37:44 2019 SIGUSR1 [soft, auth-failure] received, process restarting
Wed Aug 07 16:37:44 2019 MANAGEMENT:> STATE: 1565185064, RECONNECTING, auth-failure ,
Wed Aug 07 16:37:44 2019 Restart pause, 5 second (s)
Wed Aug 07 16:37:49 2019 SIGTERM [hard, init_instance] received, process exiting
Wed Aug 07 16:37:49 2019 MANAGEMENT:> STATE: 1565185069, EXITING, init_instance ,

Please use only “admin2” as user without @en.local.
This is now a “normal” auth-failure, I think.

Nothing changed

Wed Aug 07 18:31:14 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
Wed Aug 07 18:31:14 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Aug 07 18:31:14 2019 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
Enter Management Password:
Wed Aug 07 18:31:14 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed Aug 07 18:31:14 2019 Need hold release from management interface, waiting…
Wed Aug 07 18:31:15 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed Aug 07 18:31:15 2019 MANAGEMENT: CMD ‘state on’
Wed Aug 07 18:31:15 2019 MANAGEMENT: CMD ‘log all on’
Wed Aug 07 18:31:15 2019 MANAGEMENT: CMD ‘echo all on’
Wed Aug 07 18:31:15 2019 MANAGEMENT: CMD ‘bytecount 5’
Wed Aug 07 18:31:15 2019 MANAGEMENT: CMD ‘hold off’
Wed Aug 07 18:31:15 2019 MANAGEMENT: CMD ‘hold release’
Wed Aug 07 18:31:26 2019 MANAGEMENT: CMD ‘username “Auth” “admin2”’
Wed Aug 07 18:31:26 2019 MANAGEMENT: CMD ‘password […]’
Wed Aug 07 18:31:26 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Aug 07 18:31:26 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]178.212.239.XXX:1194
Wed Aug 07 18:31:26 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Aug 07 18:31:26 2019 UDP link local: (not bound)
Wed Aug 07 18:31:26 2019 UDP link remote: [AF_INET]178.212.239.XXX:1194
Wed Aug 07 18:31:26 2019 MANAGEMENT: >STATE:1565191886,WAIT,
Wed Aug 07 18:31:26 2019 MANAGEMENT: >STATE:1565191886,AUTH,
Wed Aug 07 18:31:26 2019 TLS: Initial packet from [AF_INET]178.212.239.XXX:1194, sid=d24dc02b 04c78c35
Wed Aug 07 18:31:26 2019 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
Wed Aug 07 18:31:27 2019 VERIFY OK: depth=0, CN=NethServer, O=Example Org, ST=SomeState, OU=Main, emailAddress=root@localhost.localdomain, C=–, L=Hometown
Wed Aug 07 18:31:27 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Aug 07 18:31:27 2019 [NethServer] Peer Connection Initiated with [AF_INET]178.212.239.XXX:1194
Wed Aug 07 18:31:28 2019 MANAGEMENT: >STATE:1565191888,GET_CONFIG,
Wed Aug 07 18:31:28 2019 SENT CONTROL [NethServer]: ‘PUSH_REQUEST’ (status=1)
Wed Aug 07 18:31:28 2019 AUTH: Received control message: AUTH_FAILED
Wed Aug 07 18:31:28 2019 SIGUSR1[soft,auth-failure] received, process restarting
Wed Aug 07 18:31:28 2019 MANAGEMENT: >STATE:1565191888,RECONNECTING,auth-failure,
Wed Aug 07 18:31:28 2019 Restart pause, 5 second(s)
Wed Aug 07 18:31:32 2019 SIGTERM[hard,init_instance] received, process exiting
Wed Aug 07 18:31:32 2019 MANAGEMENT: >STATE:1565191892,EXITING,init_instance,

Maybe a dumb question, but can you log in to the Neth GUI with this user? Did you try?

This user is taken from Active Directory

Yes, I know, it is a system user. But did you ever log in to your NethServer with this user?

On Windows Server, yes. This user cannot log in to NS.

1st: Sorry for the late response.
2nd: Sorry, I overlooked that it’s not NS-AD but that this NS is joined to an MS-AD, as mentioned in post 5. :blush:

If I’m honest, I’ve no clue what else it could be ATM. The moment your machine gets the IP, the auth-failure happens. But why? :thinking:

If I have any idea, I’ll ping you. But maybe someone else can help @support_team

Seems like the AD users are not synced correctly.

The following command should give back a result if the AD administrator is found:

getent passwd administrator

Example output of an NS joined to a NS AD:

[root@server ~]# getent passwd admin
admin@domain.local:*:517401105:517400513:admin:/var/lib/nethserver/home/admin:/usr/libexec/openssh/sftp-server

If there’s no output you may try to unbind/rejoin to the AD.


What errors show up in the server log on NS?

Cheers.

admin

Did you try to rejoin to the AD?

You can do it in web UI with the “Unbind” button and then join again.

Please check /var/log/messages for errors after the rejoin.

I disconnected from AD and connected to AD again.

I see errors:
Aug 9 13:31:46 neth admin-todos: [ERROR] admin-todos: /etc/nethserver/todos.d/20admin-user exit code 31744
Aug 9 13:32:04 neth httpd: [ERROR] NethServer\Tool\GroupProvider: Account provider generic error: SSSD exit code 1
Aug 9 13:32:04 neth httpd: [ERROR] (Connection timed out): IO::Socket::INET: connect: timeout

There are some threads about this error that may help you:

https://community.nethserver.org/search?q=sssd%20exit%20code%201

Does your Windows Server 2016 have more interfaces?

I tried to reproduce your issue and found that sssd may choose a wrong IP not reachable from the Nethserver and so the user sync doesn’t work.

In my tests AD DNS gives back 2 IP addresses because the Windows Server has 2 network interfaces:

[root@testserver ~]# nslookup test.local
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   test.local
Address: 192.168.12.1
Name:   test.local
Address: 192.168.1.121

Though round robin is selected on the Windows Server 2016 DNS, the NethServer sssd always wants to use the wrong 192.168.12.1 instead of 192.168.1.121. The NethServer has 192.168.1.187 and can’t reach 192.168.12.1.

sssd.log with raised debug level:

(Fri Aug  9 22:43:54 2019) [sssd[be[test.local]]] [set_server_common_status] (0x0100): Marking server 'winserver16.test.local' as 'name resolved'
(Fri Aug  9 22:43:54 2019) [sssd[be[test.local]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Fri Aug  9 22:43:54 2019) [sssd[be[test.local]]] [be_resolve_server_process] (0x0200): Found address for server winserver16.test.local: [192.168.12.1] TTL 2863

After removing the “wrong IP” DNS entry in DNS Manager on the Windows Server and restarting sssd with

systemctl restart sssd

the users were synced and getent passwd administrator gave back the correct output.

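A small check for the situation described in that post, written for this thread and not part of NethServer or SSSD: it pulls the address SSSD chose out of a `Found address for server` log line, resolves every A record the DC name has, probes each on the LDAP and Kerberos ports, and flags the case where SSSD picked an address the NethServer cannot reach. The sample log line, the port list and the function names are my own constructions.

```python
"""Detect an AD DC name whose extra A record points at an unreachable
interface (constructed example for the thread above, not NethServer code)."""
import re
import socket

# Ports sssd's AD provider needs on a domain controller: LDAP and Kerberos
# (assumed minimal set for this check).
AD_PORTS = (389, 88)

# Constructed sample in the same shape as the thread's sssd.log debug line.
SAMPLE_SSSD_LOG = (
    "(Fri Aug  9 22:43:54 2019) [sssd[be[test.local]]] "
    "[be_resolve_server_process] (0x0200): "
    "Found address for server winserver16.test.local: [192.168.12.1] TTL 2863\n"
)

FOUND_RE = re.compile(r"Found address for server (\S+): \[([0-9a-fA-F.:]+)\]")


def selected_addresses(log_text):
    """Return {server_name: ip} for every 'Found address' line in an sssd log."""
    return {m.group(1): m.group(2) for m in FOUND_RE.finditer(log_text)}


def resolve_all(name):
    """All IPv4 addresses name resolves to, deduplicated, in resolver order."""
    seen = []
    for info in socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM):
        ip = info[4][0]
        if ip not in seen:
            seen.append(ip)
    return seen


def tcp_probe(ip, port, timeout=2.0):
    """True if a TCP connection to ip:port succeeds within timeout seconds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(addresses, selected_ip, ports=AD_PORTS, probe=tcp_probe):
    """Mark each resolved address reachable or not on all required ports and
    report whether sssd's chosen address is one we cannot reach."""
    reachable = {ip: all(probe(ip, p) for p in ports) for ip in addresses}
    unreachable = [ip for ip, ok in reachable.items() if not ok]
    return {
        "reachable": reachable,
        "multi_homed": len(addresses) > 1,      # more than one A record
        "selected_unreachable": selected_ip in unreachable,
        "stale_records": unreachable,           # candidates to remove in DNS
    }
```

On a live system call `diagnose(resolve_all("dc.example.local"), selected_addresses(open("/var/log/sssd/sssd_example.local.log").read()).get("dc.example.local"))` (paths and names are placeholders); a non-empty `stale_records` with `selected_unreachable` true is the pattern from this thread.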

nslookup on Windows Server 2016
shows only 1 IP.


I disconnected from AD again, rebooted NS, and then connected to AD

In AD accounts I see
NetBIOS domain name: EN
LDAP server: 192.168.15.4
LDAP server name: NDC.en.local
Realm: EN.LOCAL
Bind Path: dc=EN,dc=LOCAL
LDAP port: 389
Server time: Sun, Aug 11, 2019 8:43:50 AM EEST
KDC server: 192.168.15.4
Server time offset: 215
Last machine account password change: Fri, 09 Aug 2019 13:59:14 EEST
Join is OK

but when I enter getent passwd administrator, nothing happens.
admin1

You may enable debug logging, restart the sssd service and check /var/log/sssd/sssd.domain.tld.log for errors.

https://docs.pagure.org/SSSD.sssd/users/troubleshooting/how-to-troubleshoot-backend.html#enable-logging
