Zentyal Forum, Linux Small Business Server

Zentyal Server => Other modules => Topic started by: rick95 on September 20, 2018, 12:28:33 pm

Title: Zentyal 5 VPN configuration
Post by: rick95 on September 20, 2018, 12:28:33 pm
Hi all, I'm having trouble configuring a VPN on a network having three Zentyal 5.1 servers used as a Gateway, Domain Controller and Mail Server respectively.
The network configuration is as follows:

Internet --- [eth0]Gateway Server[eth1]---[eth0]Domain Server[eth1]---Switch---[eth0]Mail Server
                                                                                                          |
                                                                                                          --------Local Network

The goal is to create a VPN on the Domain Server but when I try to connect it with OpenVPN I have the following error:


Code:
Thu Sep 20 11:57:30 2018 Restart pause, 2 second(s)
Thu Sep 20 11:57:32 2018 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Sep 20 11:57:32 2018 UDPv4 link local: [undef]
Thu Sep 20 11:57:32 2018 UDPv4 link remote: [AF_INET] /*my_public_address_here*/:1194
Thu Sep 20 11:57:32 2018 MANAGEMENT: >STATE:1537437452,WAIT,,,
Thu Sep 20 11:57:32 2018 MANAGEMENT: >STATE:1537437452,AUTH,,,
Thu Sep 20 11:57:32 2018 TLS: Initial packet from [AF_INET]/*my_public_address_here*/:1194, sid=4c60c9f7 ed447255
Thu Sep 20 11:57:32 2018 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /*my_certificate*/ Authority Certificate
Thu Sep 20 11:57:32 2018 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Thu Sep 20 11:57:32 2018 TLS Error: TLS object -> incoming plaintext read error
Thu Sep 20 11:57:32 2018 TLS Error: TLS handshake failed
Thu Sep 20 11:57:32 2018 SIGUSR1[soft,tls-error] received, process restarting
Thu Sep 20 11:57:32 2018 MANAGEMENT: >STATE:1537437452,RECONNECTING,tls-error,,

These are the servers configurations:
Gateway:
 --eth0 external
 --eth1 internal ip: 192.168.20.1

Domain:
--eth0 external ip: 192.168.20.254
--eth1 internal ip: 192.168.10.1
--DNS Forwarders: 192.168.20.1
--Domain: mydomain.local


Here is what I did:


Any advice? What did I do wrong?

Regards,
Riccardo.

Title: Re: Zentyal 5 VPN configuration
Post by: expertgeeks on November 29, 2018, 02:50:19 am
I've not tried connecting an internal domain through a gateway server, but I have successfully used OpenVPN connections on the server box (Router Gateway <-> Zentyal), so my suggestions may or may not be helpful ;)

Generating certs etc. from your description looks good, though from the error you're getting it looks like something went screwy when the certificates were generated and OpenVPN doesn't trust them. But from my reading of your setup it looks like there might be a forwarding issue from your Gateway server to the Domain server. Can you connect to the VPN when you're on the Domain LAN? (N.B. you'll need to change the IP address to the local IP when generating the download bundle.) If so, you might need to forward 1194 from the Gateway to the Domain. FYI, my working config doesn't have the TUN interface ticked, or redirect gateway.

I know you chose a Windows bundle, but are you testing with a Linux host? If so, this may be helpful: https://blog.2ndquadrant.com/cant-connect-openvpn-linux-verify_error-tls_error/ Try starting openvpn with:

sudo OPENSSL_ENABLE_MD5_VERIFY=1 openvpn client.ovpn

If not, I'd suggest re-generating the certs and trying the config again. It might also be worth posting the connection-attempt log from /var/log/openvpn/VPN-Server.log so we can see what's happening server side.