Missing external pki alias openvpn windows

openvpn: missing external pki alias #1059


NoamDev commented Dec 30, 2019

I installed softethervpn server, and I can connect to it from the softethervpn client. However, I cannot connect to it using the openvpn client on windows 10.
openvpn clone is enabled.
I'm using the l3.ovpn generated by the server, but I get the error "missing external pki alias".


chipitsine commented Dec 31, 2019

can you provide repro steps?

as far as I remember openvpn windows client (community edition) is built using openssl, not mbedtls.

NoamDev commented Dec 31, 2019 •

The log above is from openvpn connect 2.7.1.
Come to think of it, I installed openvpn connect 3 (I didn't want to install it at first 'cause it's still beta) and tried again; it seems like the error is different now.
It's the opaque error "auth failed".
Attaching the new log:

NoamDev commented Dec 31, 2019

I'll try to send minimal repro steps soon.
Would you like both server (ubuntu) and client (windows) steps?

chipitsine commented Dec 31, 2019

NoamDev commented Jan 1, 2020

server install:

  1. git clone https://github.com/SoftEtherVPN/SoftEtherVPN_Stable.git
  2. cd SoftEtherVPN_Stable
  3. ./configure
  4. sudo make install
  5. sudo vpnserver start

server configure (via windows, using softether server manager):

  1. download ZIP Package of vpnsmgr.exe and vpncmd.exe (without installers) (Ver 4.29, Build 9680, rtm)
  2. extract it
  3. open vpnsmgr.exe
  4. connect to the server
  5. choose new password and enter it in the prompted dialog
  6. it will ask you whether you want site-to-site or remote access; choose remote.
  7. create new hub named VPN
  8. and a user named noam with password 123456789
  9. make sure openvpn clone is enabled
  10. generate a sample openvpn config and save the zip file somewhere
  11. extract the zip file

openvpn connect

  1. download the openvpn connect v3 msi installer; the exact version I installed is 3.1.0.361
  2. install it.
  3. open openvpn connect
  4. choose file tab
  5. click browse and choose the file ". openvpn_remote_access_l3.ovpn" from the zip you extracted above.
  6. enter username "vpn/noam" and password 123456789
  7. save
  8. then try to connect
  9. continue without choosing a certificate
  10. you get "user authentication failed"

NoamDev commented Jan 1, 2020

openvpn connect logs:


chipitsine commented Jan 1, 2020

you use the SE VPN stable edition (numbered 4.XX), while this issue tracker is related to the SE VPN developer edition (numbered 5.XX)

can you try to reproduce your issue on 5.XX?

NoamDev commented Jan 1, 2020

I’ll try and update ASAP.

NoamDev commented Jan 1, 2020 •

I tried that, it didn't work either; it produced exactly the same error.
Btw, I hope it doesn't matter, but I'm connecting to the vpn using a laptop over wifi.
I don't think it matters 'cause in the server logs you can see "User authentication failed. The user name that has been provided was "vpn/noam".", which means the client can talk to the server.

chipitsine commented Jan 1, 2020

ok, thank you for your report. I’ll try to find a chance to reproduce myself.

also, is there something interesting in the SE VPN server logs?

chipitsine commented Jan 1, 2020

are you using Mac OS as the client?

chipitsine commented Jan 1, 2020

fyi, if you try tunnelblick, it should work

(however, we want to investigate what is wrong with openvpn connect)

NoamDev commented Jan 1, 2020

I haven't tried Tunnelblick, but it's only for macOS, and I don't own one.

NoamDev commented Jan 1, 2020 •

"are you using Mac OS as the client?"

no, I don't.. weird.

NoamDev commented Jan 1, 2020

I'm using Windows 10 x64.

NoamDev commented Jan 1, 2020

Hub "VPN" log:

Server log on "CID-5":

(Obviously I removed my IP addresses)

NoamDev commented Jan 1, 2020

Thanks for your willingness to help, btw!

chipitsine commented Jan 1, 2020

depending on what you are trying to achieve, you can either install openvpn community from https://openvpn.net/community-downloads/ (it is known to work)

or help us investigate the issues with openvpn connect (no time estimate though)

chipitsine commented Jan 1, 2020

btw, is "vpn" the default hub? if so, can you try noam as the user name?

chipitsine commented Jan 1, 2020

we run openvpn from CI

I do not supply a hub name there.
I haven't actually tried how openvpn is supposed to work with the hub + username scheme.

NoamDev commented Jan 1, 2020

It worked! thank you very much!!
At first it didn't; then I looked in the logs and saw that this time the authentication was successful, but there was some problem with DHCP and a suggestion to enable SecureNAT.
After enabling SecureNAT it works great!

NoamDev commented Jan 1, 2020

So I think we should close this issue and open a new one about non-default hubs? It wouldn't matter for me, because I use only one hub, but it will probably be useful for others.

chipitsine commented Jan 1, 2020

there's room for UX improvements.

as your personal experience is very fresh, I hope you can come up with improvement suggestions.

feel free to improve the documentation, etc.

NoamDev commented Jan 1, 2020

Ok, closing for now..


OpenVPN: connection error: missing external PKI alias

I just installed openvpn server version 2.4.4; it works fine with the OpenVPN client on Windows and Android, but fails with an error on Mac OS.

I am testing on MacOS version 10.4.4 and OpenVPN client 2.7.1.100. Below is client.ovpn

Any ideas on what could be causing this problem?

2 answers

I had the same problem with the OpenVPN Connect client on MacOS. I switched to the Tunnelblick client software and, using the same .ovpn file, it worked fine. However, I could not find any clues as to why OpenVPN Connect does not work.


External PKI implies that the OpenVPN Connect client uses an "external certificate", as opposed to its configuration "profile", the .ovpn file, which can also carry embedded PEM certificates. As I understand it, this external PKI can be a certificate inside the Windows certmgr or the macOS Keychain certificate stores (or on mobile devices). In the Windows case this is simple and works. MacOS is a different matter entirely.

Currently (as of 2020-04) Catalina is the latest macOS version, and it only has the CryptoTokenKit (CTK) framework; Tokend no longer exists. When using hardware security modules (HSMs), smart cards or USB tokens, they no longer show up in Keychain the way they did with Tokend. I don't understand why. And if this "external PKI" really looks for that certificate in the Keychain, that is the problem.

And judging from the rest of the page and what I have read elsewhere, I assume this missing alias is the name that would map that certificate inside Keychain to the given connection attempt. Not sure, though.

As I understand it, the real problem is that the Connect client looks for certificates in Keychain, and Apple's move to CTK broke that. Even though these hardware tokens work on the system, they do not show up in Keychain. I searched for ways to undo this change and came across keychain-pkcs11, which says:

which is not quite what I was looking for. It exposes those Keychain certificates through a PKCS#11 plugin, but does not populate the HSM certificates into Keychain.

It is a bit difficult to solve the problem when you cannot even be sure whether I have understood the real picture correctly, let alone work out its solution. :)

Unable to connect openVPN #15


Rishu commented Sep 13, 2017

We are trying to connect the VPN using an .ovpn file which is working with the openVPN CLI on Mac and Windows. We have changed the username, password and serverAddress.

It disconnects after some time in the connecting state in the Settings application of the iPhone. Please help us to resolve this issue.


ss-abramchuk commented Sep 13, 2017

Have you checked logs on both server and client sides?

Rishu commented Sep 14, 2017

We have debugged the client library and found the error "Missing External PKI alias". We are using "auth-user-pass" instead of "certificate" in the .ovpn file, and the openVPN server version is 2.4.3.

We have tried to resolve this issue with the --client-cert-not-required option in the .ovpn file, but it gets stuck in a connecting -> reconnecting -> resolve -> wait loop.

Please help me to resolve this issue.

JonathanDowning commented Sep 14, 2017

Have you tried setting the disableClientCert property on OpenVPNConfiguration to YES?

Rishu commented Sep 14, 2017

Thanks for your message. After updating the disableClientCert property, it gets stuck in a connecting -> reconnecting -> resolve -> wait loop.

The server log shows the failure: Socket bind failed on local address [AF_INET]127.0.0.1:7505: Address already in use.

Please suggest on this.

JonathanDowning commented Sep 14, 2017

It'd seem this is a problem with your server rather than with OpenVPNAdapter itself.

Whilst I'm not an expert on this topic, I suspect there is more than one process bound to port 7505; I would suggest talking to your server administrator about this.

Rishu commented Sep 14, 2017

As per my understanding, it's not a server issue, because it's working with the Mac and Windows openVPN3 CLI executable with admin privileges.

External PKI for OpenVPN Certificates

How to deploy a Certificate-based SSL VPN Server

The Aviatrix OpenVPN solution provides certificate-based SSL VPN user authentication in addition to other multi-factor authentication methods such as DUO, Okta, SAML and LDAP. This document describes the process of allowing users to connect to your Cloud instances via OpenVPN when the external PKI mechanism is used.


Obtain the CA certificate, the server certificate (for the OpenVPN gateway) and the server key from your administrator. The CA certificate is used to sign both the server certificate and the user certificates. Your CA certificate needs to contain the CRL Distribution Point URI; otherwise you can enter it manually during the configuration steps.

Please note that once you enable the feature, it cannot be disabled. Please test the feature on a separate controller before trying it in a production environment.

Note: Certificates, key and CRL need to be in PEM format.

Configuration steps:

  1. From the Aviatrix Controller UI, go to Settings > Advanced > Certificates page to make sure Certificates Checking is disabled.
  2. Go to OpenVPN > Certificate. Choose the corresponding files for the CA Certificate, Server Certificate and Server Key.
  3. If your CA Certificate does not contain the CRL information, enter the CRL Distribution Point URI and the CRL Update Interval. By default, the CRL Update Interval is 60 minutes.
  4. Click Import to complete the process.
  5. Go to the Gateway page and click +New Gateway to create a new gateway. This new gateway will be created with those certificates and keys imported. Please refer to http://docs.aviatrix.com/HowTos/uservpn.html on how to create a gateway.
  6. Upon successful gateway creation, go to OpenVPN > Certificate page.
  7. In the Download VPN Configuration box, select the VPC ID (where your gateway was created) and the LB Name. Click Download to obtain the OVPN file (for example None.ovpn).

Please note: Uploading the certificate files (ca.crt, server.key, server.crt, CRL URI) again will not update the certificates on gateways that are already deployed.

Client OVPN file

For each OpenVPN client, you will need to generate a certificate signed by the CA private key. Note that the CSR for the certificate must have the key usage attribute set to "e0" and the extended key usage must be set to "TLS Web Client Authentication". X509v3 Key Usage e0 means that Digital Signature, Non Repudiation and Key Encipherment are enabled (no more, no less). With your client certificate and client key ready, edit None.ovpn with a text editor.

At the bottom of None.ovpn, insert your client certificate and client key and save the file.

-----END OpenVPN Static key V1-----

Now your None.ovpn is ready for use. Download and install an OpenVPN client on your laptop.

  1. For Windows users, download the OpenVPN client from this link:
  2. For Mac users, download Tunnelblick from this link:

Once your OpenVPN client is installed, you can use the None.ovpn to connect to your SSL OpenVPN gateway.

The common name field in the certificate will be used by the controller to identify the user.

Sample scripts

The scripts provided here help you generate client certificates with the correct attributes set.

Instructions are present in the zip file.

Sample certificates for reference

To view the certificate information (Key Usage bits) you can use

openssl x509 -in client.crt -text -noout

You need to expose the crl.pem over HTTP/HTTPS to the Aviatrix controller and gateway so that they can retrieve it via the URL.
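As an added example (not the Aviatrix sample scripts referenced above, which are not on this page), the following POSIX shell script issues a client certificate with exactly the attributes the preceding sections require and then verifies them from the same `openssl x509 -text -noout` output the page points at. The throw-away CA, the temp directory and the usernames alice and bob are assumptions constructed for the demo; in practice the CA key belongs to your administrator and the CSR is what you hand them.

```shell
#!/bin/sh
# Added example, not the Aviatrix sample scripts: issue an OpenVPN client
# certificate with exactly the attributes the page requires and verify them
# before the .ovpn is handed out. Everything here is constructed for the demo:
# a throw-away CA in a temp directory stands in for the administrator's CA,
# and the subject CN is the VPN username the controller will match on.
set -eu

WORK=$(mktemp -d)

# Extension profiles. "client.ext" is the required one: Key Usage bits e0
# (digitalSignature, nonRepudiation, keyEncipherment; no more, no less) and
# EKU "TLS Web Client Authentication". "wrong.ext" is a deliberately
# non-compliant profile (a server-style cert) used to show the check rejects it.
write_ext_profiles() {
  cat > "$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
  cat > "$WORK/wrong.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Self-signed throw-away CA used only to sign the demo CSRs.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo VPN CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Generate a key and CSR for user $1 and have the CA sign it with profile $2.
issue_cert() {
  cn=$1; profile=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$cn.key" -out "$WORK/$cn.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$cn.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$profile" -out "$WORK/$cn.crt" 2>/dev/null
}

# Value line of a named X509v3 extension, as shown by `openssl x509 -text -noout`.
# Prints nothing when the certificate lacks that extension.
ext_value() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 "X509v3 $2:" | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Subject common name, which the controller uses to identify the user.
common_name_of() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed 's/^subject= *//; s/^CN=//'
}

# Succeeds only if the certificate chains to the CA and carries exactly the
# required Key Usage bits and the client-authentication EKU.
check_client_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1 || return 1
  [ "$(ext_value "$1" 'Key Usage')" = \
    "Digital Signature, Non Repudiation, Key Encipherment" ] || return 1
  [ "$(ext_value "$1" 'Extended Key Usage')" = "TLS Web Client Authentication" ]
}

# Demo run: the compliant certificate for "alice" passes; the "bob" certificate
# is rejected even though it chains to the same CA, because its attributes differ.
write_ext_profiles
make_demo_ca
issue_cert alice client.ext
issue_cert bob wrong.ext
for user in alice bob; do
  if check_client_cert "$WORK/$user.crt"; then
    echo "$(common_name_of "$WORK/$user.crt"): OK for OpenVPN client auth"
  else
    echo "$user: rejected, Key Usage/EKU do not match the required profile"
  fi
done
```

The value e0 is the first byte of the KeyUsage bit string with bits 0, 1 and 2 set, which RFC 5280 defines as digitalSignature, nonRepudiation and keyEncipherment; that is why the three names, and only those three, must appear in the `openssl x509 -text` output. Marking the extension `critical` in the profile is this example's choice and does not change the bits.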

Profiles

If you wish to use the profiles feature, you need to add users in the controller (OpenVPN -> VPN Users). The username should match the Common Name field in the client certificate. Note that you cannot add an email address here during user creation, since certificates are generated externally. You can then associate these users with profiles under OpenVPN -> Profiles.

© Copyright 2020, Aviatrix Systems, Inc Revision afc485d9 .
