OpenVPN

New project at work! Setting up OpenVPN. It's great fun...except when it doesn't work.

I love the Windows interface for setting up the Server. It's straightforward, and following the tutorial at http://openvpn.net/index.php/open-source/documentation/howto.html works like a charm. Setting up the client is just as easy, and the connection can be made in a matter of minutes.

However, I started running into problems when I began trying to replicate the server over to Ubuntu 12.04. The tutorial once again was straightforward and everything SEEMED to work out. I could start up the server and everything. It was all good.

However, for some strange reason, I was unable to actually connect from the client. I would generate the certificate authority key, server key, and client key plus the Diffie-Hellman parameters. Server again started up great. But after transferring the client keys to my Windows computer, and setting up the client configuration, I kept getting an odd error "Private key password verification failed."

Looking this error up, all I could find were forum entries on http://forum.openvpn.eu talking about making sure you didn't set a challenge password when generating keys and ensuring that the user/password authentication on your OpenVPN server was turned off. Both of these were true in my case, so no help.

Then I started thinking, could it be the age-old, infamous Unix vs. MS line ending problem? Let's find out! Opened each of the files, ca.crt, client.crt and client.key in a text editor in turn, made a slight change, undid it and saved the file to ensure they all had MS line endings.

Well....it was in this process that I found my big problem. Opening client.key (the private RSA key that the client would use when authenticating over SSL), I found that instead of a PEM-encoded RSA private key, it read:


<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
You don't have permission to access /Lynx/dp_m14x.key
on this server.
<hr />
<address>Apache/2.2.22 (Ubuntu) Server at 192.168.10.21 Port 80</address>
</body></html>


Oops. Turns out that easy-rsa writes the private key with root-only permissions (mode 600), which for this type of file is a *very good thing*. So when I fetched it through the browser, Apache (running as www-data) answered with a 403, and the right-click > Save As on my directory listing saved the error page itself as client.key, which I never noticed. Those permissions were the only thing standing between that key and anyone who could reach port 80 on the server: a private key should not sit under the web root at all.

Attempted to instead copy it to my Samba folder and transfer it over to my Windows client that way. Still no go. Now I got Windows access errors "Could not read file..."

Finally decided to get smart about it.
cp /etc/openvpn/easy-rsa/keys/client.key /home/daniel/Documents
chmod 777 /home/daniel/Documents/client.key

rm /home/daniel/Documents/client.key

Now I just need to figure out how in the world to transfer it over without being so unsecured about it. Gzip?
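Two checks would have caught the problem above before OpenVPN ever reported "Private key password verification failed": look at what is actually in the key file, and stage the copy with mode 600 instead of chmod 777 in a shared folder. The script below is an added example written for this post, not something from the original article or from the OpenVPN/easy-rsa projects; the paths in the usage line are assumptions. Note that gzip provides no confidentiality at all; the safe transfer is scp (or a removable medium), with the staged copy deleted afterwards.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a PEM private key
# before handing it to an OpenVPN client, then stage a copy with safe
# permissions for transfer over scp. Paths in the usage line are assumptions.

# check_pem_key FILE
# Returns 0 if FILE looks like a usable PEM private key, 1 otherwise.
# A browser "Save As" on a 403 writes the Apache error page, not the key;
# OpenVPN then reports a misleading "Private key password verification failed".
check_pem_key() {
    key="$1"
    if [ ! -s "$key" ]; then
        echo "$key: missing or empty" >&2
        return 1
    fi
    # The failure mode from the post: an HTML error page saved under the key's name.
    if grep -qi '<html' "$key"; then
        echo "$key: contains HTML, not a key (probably a saved error page)" >&2
        return 1
    fi
    # PKCS#1 ("BEGIN RSA PRIVATE KEY") and PKCS#8 ("BEGIN PRIVATE KEY") both match.
    # CRLF line endings are harmless here: OpenSSL's PEM reader accepts them.
    if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key"; then
        echo "$key: no PEM PRIVATE KEY header" >&2
        return 1
    fi
    # If openssl is installed, parse the key properly to catch truncation or
    # corruption. Skip the parse for passphrase-protected keys so we don't prompt.
    if command -v openssl >/dev/null 2>&1 && ! grep -q 'ENCRYPTED' "$key"; then
        if ! openssl pkey -in "$key" -noout 2>/dev/null; then
            echo "$key: openssl could not parse the key" >&2
            return 1
        fi
    fi
    return 0
}

# stage_key_for_transfer SRC DEST
# Verifies SRC and copies it to DEST with mode 600 (owner read/write only),
# the alternative to "chmod 777" in a Samba share. Run as root, since the
# easy-rsa keys directory is root-only; then pull DEST with scp from the
# client (scp root@server:DEST .) and remove the staged copy.
stage_key_for_transfer() {
    src="$1"
    dest="$2"
    check_pem_key "$src" || return 1
    # install sets the mode atomically with the copy; no window with 644 or 777.
    install -m 600 "$src" "$dest"
}

# Usage (assumed paths): sh stage_key.sh /etc/openvpn/easy-rsa/keys/client.key /root/staging/client.key
if [ $# -eq 2 ]; then
    stage_key_for_transfer "$1" "$2" && echo "staged $2 with mode 600; fetch it with scp, then delete it"
fi
```

The HTML check runs before the PEM header check on purpose: a saved error page has no "-----BEGIN" line either, but the message "contains HTML" points straight at the cause instead of leaving you suspecting line endings.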

-------------------------------
11-2014 Edit:
I recently had to rebuild my iptables rules due to some unforeseen ISP issues. For future reference, here's what I had to input in order to allow OpenVPN clients full internet plus LAN access:

# --ctstate belongs to the conntrack match, so -m conntrack is required or iptables rejects the rule.
# Forwarding between interfaces also needs net.ipv4.ip_forward=1 (sysctl).
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# VPN clients (10.8.0.0/24 on tun0) to the LAN (192.168.10.0/24 on eth0).
# Only LAN destinations are matched here; internet-bound traffic from tun0 is forwarded
# only if the FORWARD chain's default policy is ACCEPT or another rule allows it.
iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -d 192.168.10.0/24 -j ACCEPT
# Source-NAT VPN traffic leaving eth0 so replies come back via the server.
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

It's also good to note that I did have to do a full server reboot to apply this.
