Author Topic: Zentyal 5 VPN configuration  (Read 456 times)

rick95

  • Zen Apprentice
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Zentyal 5 VPN configuration
« on: September 20, 2018, 12:28:33 pm »
Hi all, I'm having trouble configuring a VPN on a network having three Zentyal 5.1 servers used as a Gateway, Domain Controller and Mail Server respectively.
The network configuration is as follows:

Internet --- [eth0]Gateway Server[eth1]---[eth0]Domain Server[eth1]---Switch---[eth0]Mail Server
                                                                                                          |
                                                                                                          --------Local Network

The goal is to create a VPN on the Domain Server but when I try to connect it with OpenVPN I have the following error:


Code: [Select]
Thu Sep 20 11:57:30 2018 Restart pause, 2 second(s)
Thu Sep 20 11:57:32 2018 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Sep 20 11:57:32 2018 UDPv4 link local: [undef]
Thu Sep 20 11:57:32 2018 UDPv4 link remote: [AF_INET] /*my_public_address_here*/:1194
Thu Sep 20 11:57:32 2018 MANAGEMENT: >STATE:1537437452,WAIT,,,
Thu Sep 20 11:57:32 2018 MANAGEMENT: >STATE:1537437452,AUTH,,,
Thu Sep 20 11:57:32 2018 TLS: Initial packet from [AF_INET]/*my_public_address_here*/:1194, sid=4c60c9f7 ed447255
Thu Sep 20 11:57:32 2018 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /*my_certificate*/ Authority Certificate
Thu Sep 20 11:57:32 2018 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Thu Sep 20 11:57:32 2018 TLS Error: TLS object -> incoming plaintext read error
Thu Sep 20 11:57:32 2018 TLS Error: TLS handshake failed
Thu Sep 20 11:57:32 2018 SIGUSR1[soft,tls-error] received, process restarting
Thu Sep 20 11:57:32 2018 MANAGEMENT: >STATE:1537437452,RECONNECTING,tls-error,,

These are the servers configurations:
Gateway:
 --eth0 external
 --eth1 internal ip: 192.168.20.1

Domain:
--eth0 external ip: 192.168.20.254
--eth1 internal ip: 192.168.10.1
--DNS Forwarders: 192.168.20.1
--Domain: mydomain.local


Here is what I did:

  • Created a certificate for clients named VPN-Client
  • Created a VPN server named VPN-Server, configured as follows:
     Server Port: UDP 1194
     VPN Address 192.168.30.0
     Server Certificate: certificate autogenerated by Zentyal
     Client Authorization: VPN-Client
     Tun Interface, Network Address Translation, Redirect Gateway enabled
     Advertised network:
     --Network generated by Zentyal: openVPN-eth1 ...
     --Internal network called "internal"
  • Enabled the UDP service on port 1194 both ingoing and outgoing in the firewall
  • Generated the Bundle client with the following parameters:
    Client's type: Windows
    Client's certificate: VPN-Client
    Server Address: my_public_address

Advices? What did i do wrong?

Regards,
Riccardo.


expertgeeks

  • Forum Moderator
  • Zen Warrior
  • *****
  • Posts: 124
  • Karma: +11/-0
    • View Profile
Re: Zentyal 5 VPN configuration
« Reply #1 on: November 29, 2018, 02:50:19 am »
I've not tried connecting an internal domain through a gateway server, but I have successfully used OpenVPN connections on the server box successfully (Router Gateway <-> Zentyal).. so my suggestions may/may not be helpful ;)

Generating certs etc from your description look good though from the error you're getting it looks like something went screwy when the certificates were generated and OpenVPN doesn't trust them.. but from my reading of your setup it looks like there might be a forwarding issue from your Gateway server to the Domain server. Can you connect to the VPN when you're on the Domain LAN ? (N.B. you'll need to change the ip address to the local IP when generating the download bundle). If so you might need to forward 1194 from the Gateway to the Domain. FYI My working config doesn't have the TUN Interface ticked, or redirect gateway.

I know you chose a windows bundle, but are you testing with a linux host ? If so, this may be helpful; https://blog.2ndquadrant.com/cant-connect-openvpn-linux-verify_error-tls_error/ try starting openvpn with;

sudo OPENSSL_ENABLE_MD5_VERIFY=1 openvpn client.ovpn

If not, I'd suggest re-generating the certs and trying the config again. Might also be worth posting the connection attempt log from /var/log/openvpn/VPN-Server.log so we can see what's happening server side.
« Last Edit: November 29, 2018, 03:03:43 am by expertgeeks »