Openvpn+nethserver

I am trying to set up OpenVPN on Windows Server 2016 with port forwarding through NethServer release 7.6.1810, but I failed (there is no connection). I also tried to configure OpenVPN on NethServer release 7.6.1810, but I also could not. Can someone give instructions for dummies with pictures?

What kind of OpenVPN setup are you trying to configure:

Site-to-site
OpenVPN server for clients to connect to, like RoadWarrior
OpenVPN client, which NS is not really that good at (IMHO)

Please provide more details about what you are trying to achieve.

Cheers.


I need clients to be able to connect to Windows server 2016 in front of which Nethserver is. How to set it up correctly?

Do I understand right that your Windows Server and NethServer are on the same LAN, and the clients should connect to your Windows Server over the Internet? Is the NethServer your gateway, proxy, firewall? Please tell us something about your configuration.

Yes, the Windows server (192.168.15.4) and NethServer (192.168.15.3) are on the same network.
Clients should connect via the Internet using OpenVPN to the Windows server and gain access to the internal network (internal site). Internet access is provided through NethServer (gateway and proxy).

@Valeriy This should be the right way for you

At the following Link you can find a Howto:

I did it according to the instructions, but I get an error:

Tue Jul 30 21:04:16 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
Tue Jul 30 21:04:16 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Jul 30 21:04:16 2019 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
Enter Management Password:
Tue Jul 30 21:04:16 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Tue Jul 30 21:04:16 2019 Need hold release from management interface, waiting…
Tue Jul 30 21:04:16 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Tue Jul 30 21:04:16 2019 MANAGEMENT: CMD ‘state on’
Tue Jul 30 21:04:16 2019 MANAGEMENT: CMD ‘log all on’
Tue Jul 30 21:04:16 2019 MANAGEMENT: CMD ‘echo all on’
Tue Jul 30 21:04:16 2019 MANAGEMENT: CMD ‘bytecount 5’
Tue Jul 30 21:04:16 2019 MANAGEMENT: CMD ‘hold off’
Tue Jul 30 21:04:16 2019 MANAGEMENT: CMD ‘hold release’
Tue Jul 30 21:04:16 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]178.212.xxx.xxx:49537
Tue Jul 30 21:04:16 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jul 30 21:04:16 2019 UDP link local: (not bound)
Tue Jul 30 21:04:16 2019 UDP link remote: [AF_INET]178.212.xxx.xxx:49537
Tue Jul 30 21:04:16 2019 MANAGEMENT: >STATE:1564509856,WAIT,
Tue Jul 30 21:05:17 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jul 30 21:05:17 2019 TLS Error: TLS handshake failed
Tue Jul 30 21:05:17 2019 SIGUSR1[soft,tls-error] received, process restarting
Tue Jul 30 21:05:17 2019 MANAGEMENT: >STATE:1564509917,RECONNECTING,tls-error,
Tue Jul 30 21:05:17 2019 Restart pause, 5 second(s)

I’m going to guess that the log above is an external Windows client trying to connect to the RoadWarrior service running on your NS system at IP 178.212.xxx.xxx. If so, the first thing that jumps out is the port being connected to: 49537. Did you manually set that in the configuration? Do you have any firewalls that might be blocking this?

What authentication are you using? If certificate, did you export that from NS and use it in the Windows client configuration?

Cheers.

UDP port 49537 is set by default in NethServer. Authentication is performed using a certificate that I took from NS and placed in the Windows client. On Windows, UDP port 49537 is open in the firewall.

Could you try with user password please, so we are sure it isn’t a certificate problem.

When creating a user there is no option to create a password.

On the RoadWarrior Accounts tab, create a new user and select the System user radio button. Then use the selected user to connect.

Also verify in Network Services that the port is correct and open for the Red network.

I’m still very surprised about the port selected. The Help screen shows:

UDP port

Change server UDP port. Default is 1194.

Cheers.

I set the default UDP port to 1194.
For authentication mode I chose username and password.

I create the user in Roadwarrior accounts (ini are taken from AD)
What should I write to Reserved IP?
IP VPN network? 10.1.1.10?
Remote network
10.1.1.0?
Network mask
255.255.255.0?

That is only needed if you want to assign a specific IP to the user, instead of using DHCP.

Those are only needed for net2net VPNs.

The “Help” button on the right contains all the information you need.

Cheers.

I try to connect via phone and get this message.
Select Certificate
This profile doesn’t include a client certificate. Continue connecting without a certificate or select one from the Android keychain?

In the settings, I chose a username and password. Which certificate need to be added?
IP for the user indicated 10.1.1.100

Which app are you using on the phone?

Did you re-export the ovpn file and then import that to the app?

Cheers.

I am using the OpenVPN Connect application (version 3.0.5 from the Play Store).
Yes, I exported the ovpn file from NS and imported it into the phone.

And OpenVPN connect supports TAP adapter? Few OpenVPN clients support TAP only with root access.

OpenVPN Client by colucci-web.it supports TAP without root on android devices.
I use this app on my mobile and for me it’s the best I tried.
Import the config file from Nethserver and that’s it. Works perfectly.
AFAIK it’s the only android app that supports TAP without root.

BR

I tried to connect OpenVPN on the computer.
But I am also getting an error:
Wed Aug 07 14:53:39 2019 OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jan 31 2017
Wed Aug 07 14:53:39 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Aug 07 14:53:39 2019 library versions: OpenSSL 1.0.2k Jan 26, 2017, LZO 2.09
Enter Management Password:
Wed Aug 07 14:53:39 2019 MANAGEMENT: TCP Socket listening on [AF_INET] 127.0.0.1:25340
Wed Aug 07 14:53:39 2019 Need hold release from management interface, waiting …
Wed Aug 07 14:53:40 2019 MANAGEMENT: Client connected from [AF_INET] 127.0.0.1:25340
Wed Aug 07 14:53:40 2019 MANAGEMENT: CMD ‘state on’
Wed Aug 07 14:53:40 2019 MANAGEMENT: CMD ‘log all on’
Wed Aug 07 14:53:40 2019 MANAGEMENT: CMD ‘hold off’
Wed Aug 07 14:53:40 2019 MANAGEMENT: CMD ‘hold release’
Wed Aug 07 14:53:47 2019 MANAGEMENT: CMD ‘username “Auth” “admin2”’
Wed Aug 07 14:53:47 2019 MANAGEMENT: CMD ‘password […]’
Wed Aug 07 14:53:47 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Aug 07 14:53:47 2019 TCP / UDP: Preserving recently used remote address: [AF_INET] 178.212.239.XXX:1194
Wed Aug 07 14:53:47 Socket Buffers: R = [65536-> 65536] S = [65536-> 65536]
Wed Aug 07 14:53:47 2019 UDP link local: (not bound)
Wed Aug 07 14:53:47 2019 UDP link remote: [AF_INET] 178.212.239.XXX:1194
Wed Aug 07 14:53:47 2019 MANAGEMENT:> STATE: 1565178827, WAIT ,
Wed Aug 07 14:53:47 2019 MANAGEMENT:> STATE: 1565178827, AUTH ,
Wed Aug 07 14:53:47 TLS: Initial packet from [AF_INET] 178.212.239.XXX:1194, sid = ea6e0557 46b35965
Wed Aug 07 14:53:47 2019 WARNING: this configuration may cache passwords in memory - use the auth-nocache option to prevent this
Wed Aug 07 14:53:47 2019 VERIFY OK: depth = 0, CN = NethServer, O = Example Org, ST = SomeState, OU = Main, emailAddress=root@localhost.localdomain, C = -, L = Hometown
Wed Aug 07 14:53:47 2019 Control Channel: TLSv1.2, cipher TLSv1 / SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Aug 07 14:53:47 2019 [NethServer] Peer Connection Initiated with [AF_INET] 178.212.239.XXX:1194
Wed Aug 07 14:53:48 2019 MANAGEMENT:> STATE: 1565178828, GET_CONFIG ,
Wed Aug 07 14:53:48 2019 SENT CONTROL [NethServer]: ‘PUSH_REQUEST’ (status = 1)
Wed Aug 07 14:53:48 2019 AUTH: Received control message: AUTH_FAILED
Wed Aug 07 14:53:48 2019 SIGUSR1 [soft, auth-failure] received, process restarting
Wed Aug 07 14:53:48 2019 MANAGEMENT:> STATE: 1565178828, RECONNECTING, auth-failure ,
Wed Aug 07 14:53:48 2019 Restart pause, 5 second (s)
Wed Aug 07 14:54:01 2019 MANAGEMENT: Client disconnected
Wed Aug 07 14:54:01 2019 ERROR: could not read Auth username / password / ok / string from management interface
Wed Aug 07 14:54:01 2019 Exiting due to fatal error
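The two client logs in this thread fail at different layers (the first never gets a TLS reply on port 49537, the second completes TLS and is then rejected with AUTH_FAILED). As an added example, not code from the thread or from NethServer, the following triage function pulls the remote endpoint, the furthest STATE reached, the restart reason and the security warnings out of an OpenVPN client log; the sample lines are constructed abbreviations of the two logs posted above.

```python
import re

# Constructed sample: essential lines of the two client logs posted in the thread.
LOG_TLS_TIMEOUT = """\
UDP link remote: [AF_INET]178.212.xxx.xxx:49537
MANAGEMENT: >STATE:1564509856,WAIT,
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
"""

LOG_AUTH_FAILED = """\
WARNING: No server certificate verification method has been enabled.
UDP link remote: [AF_INET] 178.212.239.XXX:1194
MANAGEMENT:> STATE: 1565178827, WAIT ,
MANAGEMENT:> STATE: 1565178827, AUTH ,
WARNING: this configuration may cache passwords in memory - use the auth-nocache option to prevent this
VERIFY OK: depth = 0, CN = NethServer
[NethServer] Peer Connection Initiated with [AF_INET] 178.212.239.XXX:1194
MANAGEMENT:> STATE: 1565178828, GET_CONFIG ,
AUTH: Received control message: AUTH_FAILED
SIGUSR1 [soft, auth-failure] received, process restarting
"""

# Tolerant of the extra spaces that copy/paste inserted into the second log.
REMOTE_RE = re.compile(r"UDP link remote: \[AF_INET\]\s*(\S+):(\d+)")
STATE_RE = re.compile(r">\s*STATE:\s*\d+,\s*(\w+)")
SIG_RE = re.compile(r"SIGUSR1\s*\[soft,\s*([\w-]+)\]")

# Restart reason -> which layer failed and what to check first (defender's view).
REASONS = {
    "tls-error": "no TLS reply from server: check port, forwarding and red-interface firewall",
    "auth-failure": "server reached and its certificate verified, but credentials were rejected",
}

def triage(log: str) -> dict:
    """Summarise an OpenVPN client log: endpoint, furthest state, failure reason, warnings."""
    result = {"remote": None, "port": None, "nondefault_port": False,
              "last_state": None, "reason": None, "hint": None, "warnings": []}
    for line in log.splitlines():
        if m := REMOTE_RE.search(line):
            result["remote"], result["port"] = m.group(1), int(m.group(2))
            result["nondefault_port"] = result["port"] != 1194  # OpenVPN default
        elif m := STATE_RE.search(line):
            result["last_state"] = m.group(1)
        elif m := SIG_RE.search(line):
            result["reason"] = m.group(1)
            result["hint"] = REASONS.get(m.group(1), "see the server-side log")
        elif "No server certificate verification" in line:
            result["warnings"].append("missing remote-cert-tls server: a spoofed server would not be detected")
        elif "may cache passwords in memory" in line:
            result["warnings"].append("add auth-nocache to the client profile")
    return result
```

Reading `last_state` together with `reason` separates a connectivity problem (stuck in WAIT with tls-error) from a credential problem (reached GET_CONFIG, then auth-failure), which is the distinction the replies above work through by hand.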