how to setup certificate authentication

yyz1989
Posts: 1
Joined: Mon Feb 11, 2019 8:42 pm

how to setup certificate authentication

Post by yyz1989 » Mon Feb 11, 2019 10:01 pm

Dear all,

Has anyone successfully configured authentication by certificate? I have been working on it for days but still cannot make it work. There are also insufficient references on the internet.

So basically I read the official manual and followed the instructions posted at https://github.com/SoftEtherVPN/SoftEtherVPN/pull/327. The only difference is I did it via VPN Server Manager. The steps are as follows:

1. I configured the VPN, created a user with username/password authentication, and verified the VPN works properly.
2. I created another user, set the auth type to individual certificate authentication, and created a self-signed certificate with a common name the same as the username.
3. I exported the certificate and key to a location, created an ovpn config file at the same location and adapted it to the following content:


dev tun
proto udp
remote xxxx 51194
cipher AES-128-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
key test.key
cert test.cer
ca server.cer

When I tried to connect to the VPN, I got the following message:


[root@42a8b629ca47 ~]# openvpn --config test.ovpn 
Mon Feb 11 21:37:33 2019 WARNING: file 'test.key' is group or others accessible
Mon Feb 11 21:37:33 2019 OpenVPN 2.4.6 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
Mon Feb 11 21:37:33 2019 library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Mon Feb 11 21:37:33 2019 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Feb 11 21:37:33 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxx:51194
Mon Feb 11 21:37:33 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Feb 11 21:37:33 2019 UDP link local: (not bound)
Mon Feb 11 21:37:33 2019 UDP link remote: [AF_INET]xxxx:51194
Mon Feb 11 21:37:33 2019 TLS: Initial packet from [AF_INET]xxxx:51194, sid=cf3cf538 0dd67a33
Mon Feb 11 21:37:33 2019 VERIFY OK: depth=0, CN=x, O=x, OU=x, C=US
Mon Feb 11 21:37:33 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Feb 11 21:37:33 2019 [x] Peer Connection Initiated with [AF_INET]xxxx:51194
Mon Feb 11 21:37:35 2019 SENT CONTROL [x]: 'PUSH_REQUEST' (status=1)
Mon Feb 11 21:37:35 2019 AUTH: Received control message: AUTH_FAILED
Mon Feb 11 21:37:35 2019 SIGTERM[soft,auth-failure] received, process exiting

The related logs on the server side are as follows:


2019-02-11 21:37:35.182 The connection "CID-4" (IP address: xxxx, Host name: xxxx, Port number: 45563, Client name: "OpenVPN Client", Version: 4.28, Build: 9669) is attempting to connect to the Virtual Hub. The auth type provided is "External server authentication" and the user name is "".
2019-02-11 21:37:35.182 Connection "CID-4": User authentication failed. The user name that has been provided was "".

I masked some fields with "x" but the values are correct. The only suspicious point is that the username received by the server seems to be empty.

The version number is v4.28-9669-beta, running on CentOS 7.

What is the problem here? Any suggestion is highly appreciated!

Best regards,
Yang

ethanolson
Posts: 50
Joined: Mon Dec 02, 2019 6:29 am

Re: how to setup certificate authentication

Post by ethanolson » Mon Dec 02, 2019 6:40 am

Certificate validation of users is only supported with the SoftEther client. OpenVPN connections to a SoftEther server only work with username/password.

I also wish for certificate connections and a more complete OpenVPN profile export, including script or API calls to export a specific user's config with their certificate in it.

ocramsajor
Posts: 2
Joined: Thu Mar 19, 2020 3:40 pm

Re: how to setup certificate authentication

Post by ocramsajor » Thu Mar 19, 2020 5:03 pm

I have read in other places that SoftEther does not support certificate authentication, but I am using OpenVPN GUI v11.14.0.0 and a recently updated SoftEther server 4.32, and using the below .ovpn it does connect to my server. Of course I have a user created with certificate authentication selected, and I created and added the corresponding certificates to my .ovpn file. Below is the log of a successful connection (read top to bottom):

Wed Mar 18 17:47:41 2020 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Wed Mar 18 17:47:41 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Mar 18 17:47:41 2020 library versions: OpenSSL 1.1.0l 10 Sep 2019, LZO 2.10
Enter Management Password:
Wed Mar 18 17:47:41 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Wed Mar 18 17:47:41 2020 Need hold release from management interface, waiting...
Wed Mar 18 17:47:41 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Wed Mar 18 17:47:41 2020 MANAGEMENT: CMD 'state on'
Wed Mar 18 17:47:41 2020 MANAGEMENT: CMD 'log all on'
Wed Mar 18 17:47:41 2020 MANAGEMENT: CMD 'echo all on'
Wed Mar 18 17:47:41 2020 MANAGEMENT: CMD 'bytecount 5'
Wed Mar 18 17:47:41 2020 MANAGEMENT: CMD 'hold off'
Wed Mar 18 17:47:41 2020 MANAGEMENT: CMD 'hold release'
Wed Mar 18 17:47:41 2020 TCP/UDP: Preserving recently used remote address: [AF_INET][myserverip]:443
Wed Mar 18 17:47:41 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Mar 18 17:47:41 2020 Attempting to establish TCP connection with [AF_INET][myserverip]:443 [nonblock]
Wed Mar 18 17:47:41 2020 MANAGEMENT: >STATE:1584553661,TCP_CONNECT,,,,,,
Wed Mar 18 17:47:42 2020 TCP connection established with [AF_INET][myserverip]:443
Wed Mar 18 17:47:42 2020 TCP_CLIENT link local: (not bound)
Wed Mar 18 17:47:42 2020 TCP_CLIENT link remote: [AF_INET][myserverip]:443
Wed Mar 18 17:47:42 2020 MANAGEMENT: >STATE:1584553662,WAIT,,,,,,
Wed Mar 18 17:47:42 2020 MANAGEMENT: >STATE:1584553662,AUTH,,,,,,
Wed Mar 18 17:47:42 2020 TLS: Initial packet from [AF_INET][myserverip]:443, sid=504f73ba 0867b040
Wed Mar 18 17:47:43 2020 VERIFY KU OK
Wed Mar 18 17:47:43 2020 Validating certificate extended key usage
Wed Mar 18 17:47:43 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Mar 18 17:47:43 2020 VERIFY EKU OK
Wed Mar 18 17:47:43 2020 VERIFY OK: depth=0, CN=[vpnNumber].softether.net, O=[vpnNumber].softether.net, OU=[vpnNumber].softether.net, C=US
Wed Mar 18 17:47:43 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Mar 18 17:47:43 2020 [[vpnNumber].softether.net] Peer Connection Initiated with [AF_INET][myserverip]:443
Wed Mar 18 17:47:44 2020 MANAGEMENT: >STATE:1584553664,GET_CONFIG,,,,,,
Wed Mar 18 17:47:44 2020 SENT CONTROL [[vpnNumber].softether.net]: 'PUSH_REQUEST' (status=1)
Wed Mar 18 17:47:44 2020 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.168.30.21 192.168.30.22,route 192.168.30.0 255.255.255.0 vpn_gateway'
Wed Mar 18 17:47:44 2020 OPTIONS IMPORT: timers and/or timeouts modified
Wed Mar 18 17:47:44 2020 OPTIONS IMPORT: --ifconfig/up options modified
Wed Mar 18 17:47:44 2020 OPTIONS IMPORT: route options modified
Wed Mar 18 17:47:44 2020 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Mar 18 17:47:44 2020 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 18 17:47:44 2020 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Mar 18 17:47:44 2020 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 18 17:47:44 2020 interactive service msg_channel=620
Wed Mar 18 17:47:44 2020 ROUTE_GATEWAY 192.168.13.1/255.255.255.0 I=11 HWADDR=48:2a:e3:3f:5f:99
Wed Mar 18 17:47:44 2020 open_tun
Wed Mar 18 17:47:44 2020 TAP-WIN32 device [Talk2m-eCatcher] opened: \\.\Global\{418A9F47-1307-4650-9C3C-28893C93D82E}.tap
Wed Mar 18 17:47:44 2020 TAP-Windows Driver Version 9.24
Wed Mar 18 17:47:44 2020 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.30.21/255.255.255.252 on interface {418A9F47-1307-4650-9C3C-28893C93D82E} [DHCP-serv: 192.168.30.22, lease-time: 31536000]
Wed Mar 18 17:47:44 2020 Successful ARP Flush on interface [18] {418A9F47-1307-4650-9C3C-28893C93D82E}
Wed Mar 18 17:47:44 2020 MANAGEMENT: >STATE:1584553664,ASSIGN_IP,,192.168.30.21,,,,
Wed Mar 18 17:47:49 2020 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Wed Mar 18 17:47:49 2020 MANAGEMENT: >STATE:1584553669,ADD_ROUTES,,,,,,
Wed Mar 18 17:47:49 2020 C:\WINDOWS\system32\route.exe ADD 192.168.30.0 MASK 255.255.255.0 192.168.30.22
Wed Mar 18 17:47:49 2020 Route addition via service succeeded
Wed Mar 18 17:47:49 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Mar 18 17:47:49 2020 Initialization Sequence Completed
Wed Mar 18 17:47:49 2020 MANAGEMENT: >STATE:1584553669,CONNECTED,SUCCESS,192.168.30.21,[myserverip],443,192.168.13.49,62877


But when I tried the same config file on the eWON router (Flexy 205) I got this error (read bottom to top):

19/03/2020 16:21:10 VPN SIGTERM[soft,tls-error] received, process exiting 161585 53
19/03/2020 16:21:10 VPN TCP/UDP: Closing socket 161585 52
19/03/2020 16:21:10 VPN Fatal TLS error (check_tls_errors_co), restarting 161585 51
19/03/2020 16:21:10 VPN TLS Error: TLS handshake failed 161585 50
19/03/2020 16:21:10 VPN TLS Error: TLS object -> incoming plaintext read error 161585 49
19/03/2020 16:21:10 VPN TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed 161585 48
19/03/2020 16:21:10 VPN VERIFY nsCertType ERROR: /CN=[serverNumber].softether.net/O=[serverNumber].softether.net/OU=[serverNumber].softether.net/C=US, require nsCertType=SERVER 161585 47
19/03/2020 16:21:10 VPN TLS: Initial packet from [myserverIP]:443, sid=f842da4b 13db23f0 161492 46
19/03/2020 16:21:10 VPN TCPv4_CLIENT link remote: [myserverIP]:443 161482 45
19/03/2020 16:21:10 VPN TCPv4_CLIENT link local: [undef] 161482 44
19/03/2020 16:21:10 VPN TCP connection established with [myserverIP]:443 161482 43
19/03/2020 16:21:10 VPN Attempting to establish TCP connection with [myserverIP]:443 161470 42
19/03/2020 16:21:10 VPN Expected Remote Options hash (VER=V4): '79ef4284' 161470 41
19/03/2020 16:21:10 VPN Local Options hash (VER=V4): '958c5492' 161470 40
19/03/2020 16:21:10 VPN Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ] 161470 39
19/03/2020 16:21:10 VPN Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ] 161470 38
19/03/2020 16:21:10 VPN LZO compression initialized 161470 37
19/03/2020 16:21:10 VPN OpenVPN 2.0.9 arm-ewon-linux-gnueabi [SSL] [LZO] [EPOLL] build date removed 161470 36

Any ideas?


client
dev tun
proto tcp

remote [my server ip]
port 443

resolv-retry infinite
nobind
persist-key
persist-tun
verb 3

remote-cert-tls server

cipher AES-256-CBC
auth SHA1

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>

ocramsajor
Posts: 2
Joined: Thu Mar 19, 2020 3:40 pm

Re: how to setup certificate authentication

Post by ocramsajor » Thu Mar 19, 2020 6:07 pm

Just a correction: the eWON error shows when the line
remote-cert-tls server
is not in the .ovpn file.

When I remove the line and connect from my PC I get the below warning:
Thu Mar 19 17:52:41 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

However, on my PC, when I add to the .ovpn file:
remote-cert-tls server
or:
remote-cert-eku "TLS Web Server Authentication"
I see in the log:
Wed Mar 18 17:47:43 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
But it still manages to connect.

When I try either of those two on the eWON I get:
Options error: Unrecognized option or missing parameter(s) in /var/run/OpenVPN-1S3uCi:16: remote-cert-tls (2.0.9)
or
[Options error: Unrecognized option or missing parameter(s) in /var/run/OpenVPN-3FGfcs:15: remote-cert-eku (2.0.9)]

Running out of ideas...
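As an added example (not code from this thread, SoftEther or OpenVPN), a small profile checker that catches the three problems discussed above in an .ovpn file: an inline block whose BEGIN/END PEM markers disagree (the posted <cert> block ends with END PRIVATE KEY), a profile with no server-certificate verification directive (the "No server certificate verification method" warning), and remote-cert-tls/remote-cert-eku when the target is the eWON's OpenVPN 2.0.9. The hostname and PEM bodies in the sample are constructed placeholders.

```python
# Lint an OpenVPN .ovpn profile for the faults seen in this thread: mismatched
# PEM markers in an inline block, no server-certificate verification, and
# options OpenVPN 2.0.9 (eWON) rejects. Added example, not project code.
import re

EXPECTED_PEM = {"ca": "CERTIFICATE", "cert": "CERTIFICATE", "key": "PRIVATE KEY"}
SERVER_VERIFY = {"remote-cert-tls", "remote-cert-eku", "ns-cert-type",
                 "verify-x509-name", "tls-verify"}   # any one enables checks
UNSUPPORTED_IN_2_0_9 = {"remote-cert-tls", "remote-cert-eku"}  # per eWON errors
BLOCK_RE = re.compile(r"<(\w+)>\n(.*?)\n</\1>", re.S)
PEM_RE = re.compile(r"-----(BEGIN|END) ([A-Z ]+)-----")

def lint_ovpn(text, legacy_2_0_9=False):
    """Return a list of findings for the profile text; [] means clean."""
    findings = []
    for tag, pem in BLOCK_RE.findall(text):
        want = EXPECTED_PEM.get(tag)
        if want is None:
            continue
        markers = PEM_RE.findall(pem)
        kinds = {kind for _, kind in markers}
        if len(markers) != 2 or len(kinds) != 1:
            findings.append(f"<{tag}>: BEGIN/END PEM markers do not match: {markers}")
        elif not kinds.pop().endswith(want):
            findings.append(f"<{tag}>: expected a {want} PEM block")
    # Directives live outside the inline blocks; ';' and '#' start comments.
    body = BLOCK_RE.sub("", text)
    directives = {ln.split()[0] for ln in body.splitlines()
                  if ln.strip() and ln.lstrip()[0] not in ";#"}
    if not directives & SERVER_VERIFY:
        findings.append("no server certificate verification directive "
                        "(OpenVPN warns; a spoofed server would be accepted)")
    if legacy_2_0_9:
        for opt in sorted(directives & UNSUPPORTED_IN_2_0_9):
            findings.append(f"{opt}: unrecognized option in OpenVPN 2.0.9")
    return findings

# Constructed sample mirroring the posted profile, END marker bug included.
SAMPLE_OVPN = """client
dev tun
proto tcp
remote vpn.example.invalid 443
remote-cert-tls server
<cert>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END PRIVATE KEY-----
</cert>
"""
```

Run lint_ovpn(SAMPLE_OVPN) for the PC case and lint_ovpn(SAMPLE_OVPN, legacy_2_0_9=True) for the eWON case; the second adds the unrecognized-option finding the router logged.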

SilverbackNet
Posts: 7
Joined: Thu Jan 30, 2020 12:24 pm

Re: how to setup certificate authentication

Post by SilverbackNet » Fri Mar 20, 2020 10:20 pm

Here's a working config file:

dev tun

proto tcp

remote server 1194

tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

cipher AES-128-CBC
auth SHA1

resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3

;auth-user-pass


<ca>
XXX
</ca>

<cert>
XXX
</cert>

<key>
XXX
</key>

Note the tls-version-min & tls-cipher options. I made the SoftEther setting the same, but that may not be necessary if they negotiate. The SoftEther OpenVPN sample file generator probably needs to be updated.

You don't need or want to verify the server certificate, unless you obtained one from a real public CA.
