Hello,
After adding:
*****************
/volume1/@appstore/VPNCenter/scripts/ovpnCNcheck.sh rix,
/volume1/@appstore/VPNCenter/scripts/userlist.txt r,
*****************
under:
*****************
/volume*/@appstore/VPNCenter/sbin/openvpn {
#include <abstractions/base>
#include <abstractions/base-cgi>
******************
to the AppArmor profile of OpenVPN, the script now runs.
But now I get this in openvpn.log
*****************
Sat Oct 3 00:37:19 2015 us=616906 MULTI: multi_create_instance called
Sat Oct 3 00:37:19 2015 us=617134 192.168.11.32:1194 Re-using SSL/TLS context
Sat Oct 3 00:37:19 2015 us=617214 192.168.11.32:1194 LZO compression
initialized
Sat Oct 3 00:37:19 2015 us=617523 192.168.11.32:1194 Control Channel MTU parms
[ L:1570 D:178 EF:78 EB:0 ET:0 EL:0 ]
Sat Oct 3 00:37:19 2015 us=617604 192.168.11.32:1194 Data Channel MTU parms [
L:1570 D:1450 EF:70 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Oct 3 00:37:19 2015 us=617750 192.168.11.32:1194 Local Options String:
'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir
0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Sat Oct 3 00:37:19 2015 us=617814 192.168.11.32:1194 Expected Remote Options
String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir
1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Sat Oct 3 00:37:19 2015 us=617911 192.168.11.32:1194 Local Options hash
(VER=V4): 'xxxxxxxx'
Sat Oct 3 00:37:19 2015 us=618004 192.168.11.32:1194 Expected Remote Options
hash (VER=V4): 'xxxxxxxx'
R
Sat Oct 3 00:37:19 2015 us=618164 192.168.11.32:1194 TLS: Initial packet from
[AF_INET]192.168.11.32:1194, sid=xxxxxxxx xxxxxxxx
WRRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWR
Sat Oct 3 00:37:19 2015 us=832285 192.168.11.32:1194 VERIFY SCRIPT OK: depth=1,
C=NL, ST=GLD, O=MMD, OU=OVPN, CN=CA, [email protected]
Sat Oct 3 00:37:19 2015 us=832423 192.168.11.32:1194 VERIFY OK: depth=1, C=NL,
ST=GLD, O=MMD, OU=OVPN, CN=CA, [email protected]
Sat Oct 3 00:37:19 2015 us=834170 192.168.11.32:1194 Validating certificate
key usage
Sat Oct 3 00:37:19 2015 us=834247 192.168.11.32:1194 ++ Certificate has key
usage 0088, expects 0080
Sat Oct 3 00:37:19 2015 us=834309 192.168.11.32:1194 ++ Certificate has key
usage 0088, expects 0008
Sat Oct 3 00:37:19 2015 us=834369 192.168.11.32:1194 ++ Certificate has key
usage 0088, expects 0088
Sat Oct 3 00:37:19 2015 us=834429 192.168.11.32:1194 VERIFY KU OK
Sat Oct 3 00:37:19 2015 us=834499 192.168.11.32:1194 Validating certificate
extended key usage
Sat Oct 3 00:37:19 2015 us=834563 192.168.11.32:1194 ++ Certificate has EKU
(str) TLS Web Client Authentication, expects TLS Web Client Authentication
Sat Oct 3 00:37:19 2015 us=834625 192.168.11.32:1194 VERIFY EKU OK
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This is standard from Synology
Sat Oct 3 00:37:19 2015 us=844018 192.168.11.32:1194 WARNING: Failed running
command (--tls-verify script): external program exited with error status: 1
Sat Oct 3 00:37:19 2015 us=844132 192.168.11.32:1194 VERIFY SCRIPT ERROR:
depth=0, C=NL, ST=GLD, O=MMD, OU=OVPN-NAS, CN=admin,
[email protected]
Sat Oct 3 00:37:19 2015 us=844403 192.168.11.32:1194 TLS_ERROR: BIO read
tls_read_plaintext error: error:140890B2:lib(20):func(137):reason(178)
Sat Oct 3 00:37:19 2015 us=844474 192.168.11.32:1194 TLS Error: TLS object ->
incoming plaintext read error
Sat Oct 3 00:37:19 2015 us=848980 192.168.11.32:1194 SYNO_ERR_CERT
Sat Oct 3 00:37:19 2015 us=849060 192.168.11.32:1194 TLS Error: TLS handshake
failed
Sat Oct 3 00:37:19 2015 us=849370 192.168.11.32:1194 SIGUSR1[soft,tls-error]
received, client-instance restarting
************************
From what I understand the script should return 0, but it exits with error status 1.
I double checked: the script and userlist.txt have 0755, and the paths to the files are correct.
userlist.txt has one line: admin. admin.crt has CN=admin, ca.crt has CN=CA.
Could it be that the script needs to be modified to be compatible with the NAS? Just to be sure, the client config:
********************
remote 192.168.11.12 11194
#redirect-gateway
dev tun
proto udp
pull
remote-cert-tls server
auth-user-pass
tls-client
tls-auth ta.key 1
ca ca.crt
cert admin.crt
key admin.key
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2 or-highest
script-security 2
comp-lzo
keepalive 20 60
reneg-sec 0
********************
And the complete script:
********************
#!/bin/sh
# ovpnCNcheck -- an OpenVPN tls-verify script
# """""""""""""""""""""""""""""""""""""""""""
# This script checks if the peer is in the allowed
# user list by checking the CN (common name) of the
# X509 certificate against a provided text file.
# For example in OpenVPN, you could use the directive
# (as one line):
# tls-verify "/usr/local/sbin/ovpnCNcheck.py
# /etc/openvpn/userlist.txt"
# This would cause the connection to be dropped unless
# the client common name is within the userlist.txt.
# Special care has been taken to ensure that this script
# also works on openwrt systems where only busybox is
# available
# Written by Robert Penz <[email protected]> under the GPL 2
# Parts are copied from the verify-cn sample OpenVPN
# tls-verify script.
[ $# -eq 3 ] || { echo usage: ovpnCNcheck.sh userfile certificate_depth X509_NAME_oneline ; exit 255 ; }
# $2 -> certificate_depth
if [ $2 -eq 0 ] ; then
# $3 -> X509_NAME_oneline
# $1 -> cn we are looking for
grep -q "^`expr match "$3" ".*/CN=\([^/][^/]*\)"`$" "$1" && exit 0
exit 1
fi
exit 0
**********************
Any hint is welcome.
Thanks
André
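The log above shows why the depth-0 check fails: the subject string OpenVPN hands to the script is comma-separated (`C=NL, ST=GLD, O=MMD, OU=OVPN-NAS, CN=admin, ...`), while the script's `expr` pattern only finds a CN preceded by `/`, so it extracts an empty string and `grep -q "^$"` then only matches an empty line in userlist.txt. The following variant is an added example, not the script from this thread: it extracts the CN from either subject form and compares it as an exact line, and the user list, subjects and e-mail address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the thread's ovpnCNcheck.sh. It accepts the subject in
# the comma-separated form the server log shows for the leaf certificate
# as well as the older slash-separated form the original pattern expects.

# The thread's own extraction, kept for comparison: it only finds a CN that is
# preceded by "/", so on the comma-separated form it prints an empty string.
cn_legacy() {
    expr "$1" : '.*/CN=\([^/][^/]*\)'
}

# cn_from_subject SUBJECT: print the CN value, or nothing if there is none.
# Fields are split on "/" or ", "; a CN that itself contains one of those
# characters (escaped as "\," in the comma form) would be cut short.
cn_from_subject() {
    printf '%s\n' "$1" | awk -F'[/,] *' '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^CN=/) { print substr($i, 4); exit }
    }'
}

# cn_allowed USERFILE CN: succeed only if CN is a whole line of USERFILE.
# -x and -F make it an exact, literal line match; an empty CN never matches.
cn_allowed() {
    [ -n "$2" ] || return 1
    grep -qxF -- "$2" "$1"
}

# tls_verify USERFILE DEPTH SUBJECT: the tls-verify entry point (0 = accept).
# Only the leaf certificate (depth 0) is checked; the CA (depth 1) passes.
tls_verify() {
    [ "$2" -eq 0 ] || return 0
    cn_allowed "$1" "$(cn_from_subject "$3")"
}

# Constructed sample data for the demo: a one-line user list, as in the
# thread, and placeholder subjects with a made-up e-mail address.
USERLIST=$(mktemp)
trap 'rm -f "$USERLIST"' EXIT
printf 'admin\n' > "$USERLIST"
SUBJ_COMMA='C=NL, ST=GLD, O=MMD, OU=OVPN-NAS, CN=admin, emailAddress=admin@example.invalid'
SUBJ_SLASH='/C=NL/ST=GLD/O=MMD/OU=OVPN-NAS/CN=admin/emailAddress=admin@example.invalid'

echo "legacy extraction, comma form: '$(cn_legacy "$SUBJ_COMMA")'"   # prints ''
for s in "$SUBJ_COMMA" "$SUBJ_SLASH"; do
    if tls_verify "$USERLIST" 0 "$s"; then echo "accept: $(cn_from_subject "$s")"
    else echo "reject: $(cn_from_subject "$s")"; fi
done
```

OpenVPN 2.3 introduced this comma-separated (RFC 2253) subject format; the `--compat-names` directive of that version restores the slash form, but the script above needs neither.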
From: [email protected]
To: [email protected]
CC: [email protected]
Subject: RE: [Openvpn-users] tls-verify script not working
Date: Fri, 2 Oct 2015 23:50:51 +0200
Yes, both were enabled when testing.
But getting impatient is paying off :)
It's AppArmor, I find this in kern.log:
**************
Oct 2 18:18:39 NAS kernel: [20730.052742] type=1400 audit(1443802719.157:5):
apparmor="DENIED" operation="exec" parent=11814
profile="/volume*/@appstore/VPNCenter/sbin/openvpn"
name="/volume1/@appstore/VPNCenter/scripts/ovpnCNcheck.sh" pid=12969
comm="openvpn" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
***************
So, tomorrow I will add the script to the AppArmor profile and see what I get :)
>it's in paperback format
Nice, will order this week.
Thanks
André
Subject: Re: [Openvpn-users] tls-verify script not working
To: [email protected]
CC: [email protected]
From: [email protected]
Date: Fri, 2 Oct 2015 23:34:45 +0200
Hi,
On 02/10/15 23:00, Dreetjeh D wrote:
Hello :)
Yes, looks like it's not executed, right?
Running it on CLI:
NAS> /volume1/@appstore/VPNCenter/scripts/ovpnCNcheck.sh
usage: ovpnCNcheck.sh userfile certificate_depth
X509_NAME_oneline
NAS> /volume1/@appstore/VPNCenter/scripts/ovpnCNcheck.sh
/volume1/@appstore/VPNCenter/scripts/userlist.txt
usage: ovpnCNcheck.sh userfile certificate_depth
X509_NAME_oneline
Did you enable
script-security 2
in the server config? It's commented out in the config you posted,
just like the 'tls-verify' line.
P.S.
Last Tuesday I saw your new book is available on Bol, it's on my
list.
Is there also a paperback available, now or in the future?
I don't like e-books too much, they give me headaches :)
it's in paperback format
cheers,
JJK
Subject: Re: [Openvpn-users] tls-verify script not working
To: [email protected]; [email protected]
From: [email protected]
Date: Fri, 2 Oct 2015 22:36:43 +0200
Hi,
On 02/10/15 18:22, Dreetjeh D wrote:
Hello all,
I'm running the OVPN server on a NAS from Synology
with self-generated certificates (XCA).
For a few days I've been trying to get a tls-verify script running,
but somehow I cannot find what is wrong.
The following script, ovpnCNcheck.sh, I found on the net:
(removed comments)
************************
#!/bin/sh
[ $# -eq 3 ] || { echo usage: ovpnCNcheck.sh userfile certificate_depth X509_NAME_oneline ; exit 255 ; }
# $2 -> certificate_depth
if [ $2 -eq 0 ] ; then
# $3 -> X509_NAME_oneline
# $1 -> cn we are looking for
grep -q "^`expr match "$3" ".*/CN=\([^/][^/]*\)"`$" "$1" && exit 0
exit 1
fi
exit 0
*********************
I gave the file 0755 and placed a textfile also 0755,
containing the commonname of the client, in the same
directory.
In the config from server:
tls-verify "/volume1/@appstore/VPNCenter/scripts/ovpnCNcheck.sh
/volume1/@appstore/VPNCenter/scripts/userlist.txt"
When the client connects (username/password) and then
stalls, the server log gives:
*************************
WARNING: Failed running command
(--tls-verify script): could not execute external
program
^^^^^^
this line gives a pretty good hint to what's failing.
On the synology box the shell script does not seem to execute.
Can you get a login shell on the Synology box and run the
script manually? Once you've got that running, then attempt to
use OpenVPN again.
groetjes/cheers,
JJK
Fri Oct 2 18:18:39 2015 us=192309 192.168.11.32:1194 VERIFY SCRIPT ERROR: depth=1, C=NL, ST=GLD, O=MMD, OU=OVPN, CN=CA, [email protected]
Fri Oct 2 18:18:39 2015 us=192614 192.168.11.32:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:lib(20):func(137):reason(178)
Fri Oct 2 18:18:39 2015 us=192686 192.168.11.32:1194 TLS Error: TLS object -> incoming plaintext read error
Fri Oct 2 18:18:39 2015 us=197583 192.168.11.32:1194 SYNO_ERR_CERT
Fri Oct 2 18:18:39 2015 us=197673 192.168.11.32:1194 TLS Error: TLS handshake failed
Fri Oct 2 18:18:39 2015 us=198050 192.168.11.32:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
***************************
As I have no understanding of the script, I would still
appreciate it if someone could take a look at this.
Thanks in advance,
André
------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users