Hi,
On 28/12/19 09:09, Leroy Tennison via Openvpn-users wrote:
> Running OpenVPN 2.3.10 on Ubuntu 16.04 using a working configuration
> with only the "script-security" and "client-connect" lines added.
> Starting the OpenVPN server with systemctl starts it successfully and
> a client can connect but the client-connect script doesn't run and no
> error is reported in the log. Stopping the daemon with systemctl and
> starting it manually with the below parameters doesn't allow a client
> to connect, the log shows:
> CRL: cannot read: rw-crl.pem
> TLS_ERROR: BIO read tls_read_plaintext error: ...
> ssl3_get_client_certificate:certificate verify failed
> TLS Error: TLS object -> incoming plaintext read error
> TLS Error: TLS handshake failed
> Starting it manually with the *** only *** change being the removal of
> the --daemon parameter produces a totally working system. Any idea
> what is wrong or suggestions?
The log file snippet tells you what is failing:
CRL: cannot read: rw-crl.pem
This means that none of your clients pass verification, so they never
reach the 'client-connect' stage. Comment out the crl line or make the
rw-crl.pem file readable and try again.
HTH,
JJK
> (The following obtained using 'egrep -v "^$|^#|^;" server.conf', it
> was put into a file and the following two vi commands used to put it
> into the proper format before adding /usr/sbin/openvpn and --daemon at
> the front :%s/^/-- and :%s/\n/ / )
> local nnn.nnn.nnn.nnn (using Internet-registered IP on the
> Internet-facing device)
> port 1197 (non-standard due to other OpenVPN instances passing
> through the device)
> proto udp
> dev tun1
> topology subnet
> ca rw-ca.crt
> cert vpnhost.crt
> key vpnhost.key
> dh rw-dh1024.pem
> server mmm.mmm.mmm.mmm 255.255.255.128 (private IP address ranges
> here and below)
> ifconfig-pool-persist rw-ipp.txt
> push "route mmm.mmm.aaa.0 255.255.255.0"
> push "route mmm.mmm.bbb.0 255.255.255.0"
> push "route vvv.vvv.0.0 255.255.0.0"
> push "route vvv.uuu.0.0 255.255.0.0"
> push "route vvv.ttt.0.0 255.255.0.0"
> client-config-dir rw-ccd
> push "dhcp-option DNS mmm.mmm.aaa.1"
> push "dhcp-option DOMAIN datavoiceint.com"
> keepalive 10 120
> comp-lzo
> persist-key
> persist-tun
> status /var/log/openvpn-rw-status.log
> log-append /var/log/openvpn-rw.log
> verb 4
> crl-verify rw-crl.pem
> management 127.0.0.1 9711 /etc/openvpn/pwd
> script-security 2
> client-connect /etc/openvpn/rw-scripts/client-connect
> The client-connect script is owned by root:root with 755 permissions
> on the rw-scripts directory and client-connect script itself, contents
> are (output sent to both /tmp and /var/log - same result, the
> "Arrived" was added to ensure that something would be produced when
> the script ran):
> #!/bin/bash
> /bin/echo "Arrived" > /var/log/vpn-script-test
> /bin/echo -e "Time ascii = $time_ascii\ncommon_name = $common_name\nifconfig_pool_remote_ip = $ifconfig_pool_remote_ip\ntrusted_ip = $trusted_ip\nuntrusted_ip = $untrusted_ip" >> /var/log/vpn-script-test
> /bin/echo "Command line parameters: first - $1, second - $2" >> /var/log/vpn-script-test
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
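Added example, not part of the thread and not OpenVPN's own code. The pattern reported above (everything works without --daemon, only the CRL check fails with it, and the systemd-started instance accepts clients) is what you would expect if relative paths were resolved from a different working directory once the daemon has finished initialising: ca, cert, key and dh are loaded once at startup, while OpenVPN 2.3 re-opens the crl-verify file at every TLS handshake. The script rests on the assumption that a daemonised OpenVPN started without --cd ends up with "/" as its working directory (Debian's openvpn@.service passes --cd /etc/openvpn, which would explain why the systemctl-started instance connects fine), and shows how to preview, from a chosen working directory, which file-referencing directives of a server.conf are still readable. The sample tree and config are constructed placeholders modelled on the posted configuration; FILE_DIRECTIVES, resolve_path, check_paths, missing_count and make_demo are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenVPN project): preview which
# file-referencing directives of an OpenVPN server.conf a running daemon can
# still open. Assumption: with --daemon and no --cd, OpenVPN ends up with "/"
# as its working directory after init, so a relative "crl-verify rw-crl.pem"
# (re-read at every handshake in 2.3) stops resolving even though the files
# loaded once at startup (ca, cert, key, dh) were found.

# Directives whose argument is a file or directory OpenVPN must be able to
# read. Files it writes (status, log-append, ifconfig-pool-persist) are left out.
FILE_DIRECTIVES="ca cert key dh crl-verify tls-auth client-connect client-config-dir"

# resolve_path CWD ARG: print ARG as seen from working directory CWD.
resolve_path() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "${1%/}" "$2" ;;
    esac
}

# check_paths CONFIG CWD: one "ok"/"MISSING" line per file directive, using
# the working directory the daemon has, not the one it was started from.
check_paths() {
    while read -r directive arg _rest; do
        case " $FILE_DIRECTIVES " in
            *" $directive "*) ;;
            *) continue ;;
        esac
        path=$(resolve_path "$2" "$arg")
        if [ -r "$path" ]; then
            printf 'ok      %-18s %s\n' "$directive" "$path"
        else
            printf 'MISSING %-18s %s\n' "$directive" "$path"
        fi
    done < "$1"
}

# missing_count CONFIG CWD: number of file directives that do not resolve.
missing_count() {
    check_paths "$1" "$2" | grep -c '^MISSING' || true
}

# make_demo ROOT: build a constructed copy of the poster's layout under ROOT
# (placeholder files, not real key material) and print the config path.
make_demo() {
    root="$1"
    mkdir -p "$root/etc/openvpn/rw-ccd" "$root/etc/openvpn/rw-scripts"
    for f in rw-ca.crt vpnhost.crt vpnhost.key rw-dh1024.pem rw-crl.pem; do
        printf 'placeholder\n' > "$root/etc/openvpn/$f"
    done
    printf '#!/bin/sh\nexit 0\n' > "$root/etc/openvpn/rw-scripts/client-connect"
    chmod 755 "$root/etc/openvpn/rw-scripts/client-connect"
    cat > "$root/etc/openvpn/server.conf" <<EOF
# relative paths, as in the posted config
ca rw-ca.crt
cert vpnhost.crt
key vpnhost.key
dh rw-dh1024.pem
crl-verify rw-crl.pem
client-config-dir rw-ccd
# absolute path: unaffected by the working directory
client-connect $root/etc/openvpn/rw-scripts/client-connect
EOF
    printf '%s\n' "$root/etc/openvpn/server.conf"
}

demo_root=$(mktemp -d)
demo_conf=$(make_demo "$demo_root")
echo "== as started by a unit with --cd $demo_root/etc/openvpn"
check_paths "$demo_conf" "$demo_root/etc/openvpn"
echo "== as a daemon that chdir'd to / (started with --daemon, no --cd)"
check_paths "$demo_conf" /
rm -rf "$demo_root"
```

Run against the real server.conf with the config directory as CWD and then with /, and every relative entry shows up as MISSING in the second run. The fix is to start the daemon with --cd /etc/openvpn (or give crl-verify and the other file directives absolute paths), and separately to confirm with ls -l that the file is readable by the account OpenVPN runs as, which in the posted config is root since no user/group is set.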