www.zeroshell.org Forum Index www.zeroshell.org
Linux Distribution for server and embedded devices
OpenVPN Host-to-LAN VPN with X.509, Kerberos 5 and Radius A
marcus@richters-it.de (Joined: 07 Mar 2012, Posts: 28)
Posted: Tue Nov 29, 2016 10:24 pm    Post subject: OpenVPN Host-to-LAN VPN with X.509, Kerberos 5 and Radius A

80.187.114.22:16145 [marcus@RICHTERS-IT.DE] Trying Kerberos 5 (Local KDC) authentication
80.187.114.22:16145 [marcus@RICHTERS-IT.DE] Kerberos 5 authentication failed for marcus@RICHTERS-IT.DE: kinit(v5): Password incorrect while getting initial credentials
80.187.114.22:16145 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 10
80.187.114.22:16145 TLS Auth Error: Auth Username/Password verification failed for peer
80.187.114.22:16145 [marcus] Peer Connection Initiated with [AF_INET]80.187.114.22:16145
marcus@richters-it.de (Joined: 07 Mar 2012, Posts: 28)
Posted: Tue Nov 29, 2016 10:26 pm    Post subject: OpenVPN Client Config

#============================================================================#
# Specify the Hostname or the IP, the port and the protocol (tcp or udp)
# to reach the OpenVPN Server.
# The Hostname can be a dynamic FQDN such as a DynDNS one.
#============================================================================#
remote XXXX XXXX
proto udp

#============================================================================#
# You must specify this parameter if you want the Username and Password
# request to appear. Comment it if you only use X.509 Authentication.
#============================================================================#
auth-user-pass

#============================================================================#
# You need to specify the file which contains the certificate (PEM format)
# of the Certification Authority that signed the OpenVPN server certificate.
# You can export it by clicking the hyperlink CA on the login page of
# ZeroShell.
# Notice that you need to specify this parameter also if you use
# "Password Only" Authentication.
#============================================================================#
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

#============================================================================#
# If you want to use the Client X.509 Authentication you must specify
# a client certificate and the related private key in pem format.
# You can merge both in the same file.
#============================================================================#
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>

#============================================================================#
# You should not need to change these settings.
#============================================================================#
comp-lzo
verb 3
resolv-retry infinite
nobind
client
dev tap
persist-key
persist-tun

Last edited by marcus@richters-it.de on Wed Nov 30, 2016 10:46 am; edited 1 time in total
marcus@richters-it.de (Joined: 07 Mar 2012, Posts: 28)
Posted: Tue Nov 29, 2016 10:29 pm    Post subject: System Version / Information

Zeroshell 3.6.0

Current Kernel: 4.4.13-ZS-64

Installed Packages

NTOP - Web-based Traffic Analysis and Flow Collection 2.4
BUG FIX #00 - Captive Portal
64-Bit Kernel 4.4.13
A Kit of Utilities and Services 1.0.0
Nmap - Security Port Scanner 6.47

https://www.richters-it.de/openvpn-connect-2.1.3.110.msi
marcus@richters-it.de (Joined: 07 Mar 2012, Posts: 28)
Posted: Wed Dec 07, 2016 10:04 pm

The latest OpenVPN Connect Client (openvpn-connect-2.1.3.110.msi) won't work with Zeroshell.

I tried the latest standard OpenVPN software (openvpn-install-2.3.14-I601-x86_64.exe) and it worked exactly one time.

Now I'm getting "connection failed".

// "port check"
root@lvps...:~# echo -e "\x38\x01\x00\x00\x00\x00\x00\x00\x00" | timeout 10 nc -u XXXX.richters-it.de 1194 | cat -v

@M-^@m+:M-g#M-$}^@^@^@^@^@@M-^@m+:M-g#M-$}^@^@^@^@^@@M-^@m+:M-g#M-$}^@^@^@^@^@

Zeroshell Log:
23:02:42 lvps...:49163 TLS Error: reading acknowledgement record from packet
23:03:42 lvps...:49163 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
23:03:42 lvps...:49163 TLS Error: TLS handshake failed
23:04:35 lvps...:32987 NOTE: --mute triggered...

But the server is obviously running.
iulyb (Joined: 02 Jun 2016, Posts: 62)
Posted: Fri Dec 09, 2016 4:03 pm

Hi,
I use a Linux client (Linux Mint), and it works flawlessly, but it was a huge pain to set it up.
There are a lot of parameters to match.
I use the simple password-only authentication. You should start with this, make it work, and then go further.

On ZS, I am using the command line options:
Code:
--float --cipher AES-128-CBC --engine padlock --push 'foreign_option_1='dhcp-option DNS 192.168.250.254''


Then on the client I had to check LZO compression and TCP (because I use a TCP port); the default, I think, is UDP. This was the reason why I got the connection error.
Then under the client's security settings I picked the same cipher, AES-128-CBC, and set the hashing (HMAC Authentication) to SHA1.
This was the reason for my authentication errors. ;)

Make sure you check the instructions on the VPN board and other HowTos.
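A small checker for the "parameters to match" problem described in the post above, added here as an example and not code from the thread or from Zeroshell: it parses a client .ovpn and the server's advanced-options string and reports proto/cipher/auth/comp-lzo disagreements, filling in OpenVPN 2.3's defaults (udp, BF-CBC, SHA1, no LZO) for whatever one side leaves out. The sample hostname and the assumption that proto and LZO are set in the ZS GUI rather than on the command line are constructed.

```python
import re

DEFAULTS = {"proto": "udp", "cipher": "BF-CBC", "auth": "SHA1", "comp-lzo": "off"}  # OpenVPN 2.3 defaults

def parse_client_config(text):
    # option -> first argument; comment lines and inline <ca>/<cert>/<key> blocks are skipped
    opts, in_block = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("<"):
            in_block = not line.startswith("</")
        elif line and not in_block and not line.startswith("#"):
            parts = line.split()
            opts[parts[0]] = parts[1] if len(parts) > 1 else "on"
    return opts

def parse_server_options(cmdline):
    # option -> first argument from a "--opt value ..." string (the ZS advanced-options field)
    return {m.group(1): m.group(2) or "on"
            for m in re.finditer(r"--([\w-]+)(?:\s+([^-\s]\S*))?", cmdline)}

def normalize(opt, value):
    if opt == "proto":
        return value.split("-")[0].lower()            # tcp-client / tcp-server -> tcp
    if opt == "comp-lzo":
        return "off" if value.lower() in ("no", "off") else "on"
    return value.upper()

def find_mismatches(client, server):
    # (option, client value, server value) for each option the two sides would disagree on
    pairs = ((o, normalize(o, client.get(o, d)), normalize(o, server.get(o, d)))
             for o, d in DEFAULTS.items())
    return [p for p in pairs if p[1] != p[2]]

# Constructed sample: the thread's client config (abridged, hostname assumed) vs iulyb's server options.
CLIENT_OVPN = """remote vpn.example.invalid 1194
proto udp
<ca>
-----BEGIN CERTIFICATE-----
</ca>
comp-lzo
dev tap"""
SERVER_CMDLINE = "--float --cipher AES-128-CBC --engine padlock --push 'foreign_option_1='dhcp-option DNS 192.168.250.254''"
SERVER_GUI = {"proto": "tcp", "comp-lzo": "on"}   # assumed: set in the ZS GUI, not on the command line

def thread_example():
    server = {**SERVER_GUI, **parse_server_options(SERVER_CMDLINE)}
    return find_mismatches(parse_client_config(CLIENT_OVPN), server)
```

Calling thread_example() on the sample reports the two disagreements iulyb ran into: proto (udp vs tcp) and cipher (the client's implicit BF-CBC vs the server's AES-128-CBC).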