Yes, both were enabled when testing.
But getting impatient is paying off :)
It's AppArmor, I found this in kern.log:
**************
Oct 2 18:18:39 NAS kernel: [20730.052742] type=1400 audit(1443802719.157:5): apparmor="DENIED" operation="exec" parent=11814 profile="/volume*/@appstore/VPNCenter/sbin/openvpn" name="/volume1/@appstore/VPNCenter/scripts/ovpnCNcheck.sh" pid=12969 comm="openvpn" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
***************
So, tomorrow I will add the script to the AppArmor profile and see what I get :)
>it's in paperback format
Nice, will order this week.
Thanks
André
Subject: Re: [Openvpn-users] tls-verify script not working
To: [email protected]
CC: [email protected]
From: [email protected]
Date: Fri, 2 Oct 2015 23:34:45 +0200
Hi,
On 02/10/15 23:00, Dreetjeh D wrote:
> Hello :)
> Yes, looks like it's not executed, right?
> Running it on CLI:
> NAS> /volume1/@appstore/VPNCenter/scripts/ovpnCNcheck.sh
> usage: ovpnCNcheck.sh userfile certificate_depth X509_NAME_oneline
> NAS> /volume1/@appstore/VPNCenter/scripts/ovpnCNcheck.sh /volume1/@appstore/VPNCenter/scripts/userlist.txt
> usage: ovpnCNcheck.sh userfile certificate_depth X509_NAME_oneline
did you enable
script-security 2
in the server config ? It's commented out in the config you posted,
just like the 'tls-verify' line
> P.S.
> Last Tuesday I saw your new book is available on Bol, it's on my
> list.
> Is there also a paperback available, now or future?
> Don't like e-books too much, they give me headaches :)
it's in paperback format
cheers,
JJK
Subject: Re: [Openvpn-users] tls-verify script not working
To: [email protected]; [email protected]
From: [email protected]
Date: Fri, 2 Oct 2015 22:36:43 +0200
Hi,
On 02/10/15 18:22, Dreetjeh D wrote:
> Hello all,
> I'm running the OVPN server on a NAS from Synology
> with self-generated certificates (XCA).
> For a few days I have been trying to get a tls-verify script
> running, but somehow I cannot find what is wrong.
> I found the following script, ovpnCNcheck.sh, on the net:
> (removed comments)
> ************************
> #!/bin/sh
> [ $# -eq 3 ] || { echo usage: ovpnCNcheck.sh userfile certificate_depth X509_NAME_oneline ; exit 255 ; }
> # $2 -> certificate_depth
> if [ $2 -eq 0 ] ; then
>     # $3 -> X509_NAME_oneline
>     # $1 -> cn we are looking for
>     grep -q "^`expr match "$3" ".*/CN=\([^/][^/]*\)"`$" "$1" && exit 0
>     exit 1
> fi
> exit 0
> *********************
> I gave the file 0755 and placed a text file, also 0755,
> containing the common name of the client, in the same
> directory.
> In the config from server:
> tls-verify "/volume1/@appstore/VPNCenter/scripts/ovpnCNcheck.sh /volume1/@appstore/VPNCenter/scripts/userlist.txt"
> When the client connects, username/password and then
> stalls, the server log gives:
> *************************
> WARNING: Failed running command
> (--tls-verify script): could not execute external
> program
^^^^^^
this line gives a pretty good hint to what's failing.
On the synology box the shell script does not seem to execute.
Can you get a login shell on the synology box and run the
script manually? once you've got that running, then attempt to
use OpenVPN again.
groetjes/cheers,
JJK
> Fri Oct 2 18:18:39 2015 us=192309 192.168.11.32:1194 VERIFY SCRIPT ERROR: depth=1, C=NL, ST=GLD, O=MMD, OU=OVPN, CN=CA, [email protected]
> Fri Oct 2 18:18:39 2015 us=192614 192.168.11.32:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:lib(20):func(137):reason(178)
> Fri Oct 2 18:18:39 2015 us=192686 192.168.11.32:1194 TLS Error: TLS object -> incoming plaintext read error
> Fri Oct 2 18:18:39 2015 us=197583 192.168.11.32:1194 SYNO_ERR_CERT
> Fri Oct 2 18:18:39 2015 us=197673 192.168.11.32:1194 TLS Error: TLS handshake failed
> Fri Oct 2 18:18:39 2015 us=198050 192.168.11.32:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
> ***************************
> As I have no understanding of the script, I would still
> appreciate it if someone can take a look at this.
> Thanks in advance,
> André
------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
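
A variant of the CN allow-list check discussed in this thread, as an added example (not the script posted in the thread and not code from any of the posters). It accepts both the comma-separated subject form shown in the server log and the slash-separated form the posted script parses, and compares the CN as a fixed whole-line string; the function names `extract_cn`, `cn_allowed` and `verify_cn` are made up for this example.

```shell
#!/bin/sh
# Added example: CN allow-list check for OpenVPN --tls-verify.
# Arguments as in the thread: userfile certificate_depth X509_NAME_oneline

# Print the CN of a subject string. Accepts the comma-separated form from the
# server log ("C=NL, ST=GLD, ..., CN=CA") and the slash-separated form the
# posted script parses ("/C=NL/.../CN=client1"). A CN that itself contains
# "," or "/" is cut at that character (limitation of this example).
extract_cn() {
    printf '/%s\n' "$1" | sed -n 's|^.*[/,] *CN=\([^/,]*\).*$|\1|p'
}

# Succeed only if the CN ($2) equals one whole line of the allow-list ($1).
# -F: the CN is literal text, so "." or "*" in it is not a pattern.
# -x: the whole line must match, so "client" does not match "client1".
cn_allowed() {
    [ -n "$2" ] && [ -r "$1" ] && grep -Fxq -e "$2" "$1"
}

# Exit status 0 accepts the certificate, anything else rejects it.
verify_cn() {
    [ "$#" -eq 3 ] || {
        echo "usage: ovpnCNcheck.sh userfile certificate_depth X509_NAME_oneline" >&2
        return 255
    }
    case "$2" in
        0) cn_allowed "$1" "$(extract_cn "$3")" ;;  # client certificate
        ''|*[!0-9]*) return 1 ;;                    # malformed depth: reject
        *) return 0 ;;                              # CA levels are not filtered here
    esac
}

# Act as the tls-verify script only when called with arguments; with none,
# the file just defines the functions.
[ "$#" -eq 0 ] || { verify_cn "$@"; exit "$?"; }
```

On the Synology box from the thread, the script path would still have to be permitted in the AppArmor profile for openvpn, as the kern.log denial shows.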