how to setup certificate authentication

yyz1989
Posts: 1
Joined: Mon Feb 11, 2019 8:42 pm

how to setup certificate authentication

Post by yyz1989 » Mon Feb 11, 2019 10:01 pm

Dear all,

Has anyone successfully configured authentication by certificate? I have been working on it for days but still cannot make it work. There are also insufficient references on the internet.

So basically I read the official manual and followed the instructions posted at https://github.com/SoftEtherVPN/SoftEtherVPN/pull/327. The only difference is I did it via VPN Server Manager. The steps are as follows:

1. I configured the VPN, created a user with username/password authentication, and verified the VPN works properly.
2. I created another user, set the auth type to individual certificate authentication, and created a self-signed certificate with a common name the same as the username.
3. I exported the certificate and key to a location, created an ovpn config file at the same location and adapted it to the following content:

dev tun
proto udp
remote xxxx 51194
cipher AES-128-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
key test.key
cert test.cer
ca server.cer

When I tried to connect to the VPN, I got the following message:

[root@42a8b629ca47 ~]# openvpn --config test.ovpn 
Mon Feb 11 21:37:33 2019 WARNING: file 'test.key' is group or others accessible
Mon Feb 11 21:37:33 2019 OpenVPN 2.4.6 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
Mon Feb 11 21:37:33 2019 library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Mon Feb 11 21:37:33 2019 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Feb 11 21:37:33 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxx:51194
Mon Feb 11 21:37:33 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Feb 11 21:37:33 2019 UDP link local: (not bound)
Mon Feb 11 21:37:33 2019 UDP link remote: [AF_INET]xxxx:51194
Mon Feb 11 21:37:33 2019 TLS: Initial packet from [AF_INET]xxxx:51194, sid=cf3cf538 0dd67a33
Mon Feb 11 21:37:33 2019 VERIFY OK: depth=0, CN=x, O=x, OU=x, C=US
Mon Feb 11 21:37:33 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Feb 11 21:37:33 2019 [x] Peer Connection Initiated with [AF_INET]xxxx:51194
Mon Feb 11 21:37:35 2019 SENT CONTROL [x]: 'PUSH_REQUEST' (status=1)
Mon Feb 11 21:37:35 2019 AUTH: Received control message: AUTH_FAILED
Mon Feb 11 21:37:35 2019 SIGTERM[soft,auth-failure] received, process exiting

The related logs on the server side are as follows:

2019-02-11 21:37:35.182 The connection "CID-4" (IP address: xxxx, Host name: xxxx, Port number: 45563, Client name: "OpenVPN Client", Version: 4.28, Build: 9669) is attempting to connect to the Virtual Hub. The auth type provided is "External server authentication" and the user name is "".
2019-02-11 21:37:35.182 Connection "CID-4": User authentication failed. The user name that has been provided was "".

I masked some fields with "x" but the values are correct. The only suspicious point is that the username received by the server seems to be empty.

The version number is v4.28-9669-beta, running on CentOS 7.

What is the problem here? Any suggestion is highly appreciated!

Best regards,
Yang
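As an added illustration that is not part of the thread: a small Python lint for the client profile above, checking the two warnings the OpenVPN log printed (no server certificate verification method, and the key file being group/others accessible). The profile copy, the placeholder key file and the finding strings are constructed for this example, and the mode check assumes a POSIX filesystem.

```python
import os, stat, tempfile

# Constructed copy of the client profile posted in the thread (host masked as in the post).
SAMPLE_OVPN = """\
dev tun
proto udp
remote xxxx 51194
cipher AES-128-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
key test.key
cert test.cer
ca server.cer
"""

def parse_ovpn(text):
    # Map each one-line directive to its argument list (last occurrence wins).
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            directives[line.split()[0]] = line.split()[1:]
    return directives

def lint_profile(text, base_dir):
    # Return findings for the two warnings OpenVPN printed in the thread's client log.
    d = parse_ovpn(text)
    findings = []
    # "No server certificate verification method has been enabled": without remote-cert-tls or
    # verify-x509-name the client accepts any certificate the CA signed, not only the server's.
    if "remote-cert-tls" not in d and "verify-x509-name" not in d:
        findings.append("no server certificate verification; add 'remote-cert-tls server'")
    # "file 'test.key' is group or others accessible": key has mode bits beyond the owner set.
    if "key" in d:
        mode = stat.S_IMODE(os.stat(os.path.join(base_dir, d["key"][0])).st_mode)
        if mode & 0o077:
            findings.append(f"private key {d['key'][0]} has mode {mode:04o}; chmod 600 it")
    return findings

def lint_with_key_mode(text, key_mode):
    # Write a constructed placeholder (not a real key) into a temp dir with key_mode, then lint.
    base = tempfile.mkdtemp()
    key_path = os.path.join(base, parse_ovpn(text)["key"][0])
    with open(key_path, "w") as f:
        f.write("PLACEHOLDER, not a real private key\n")
    os.chmod(key_path, key_mode)
    return lint_profile(text, base)
```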

ethanolson
Posts: 11
Joined: Mon Dec 02, 2019 6:29 am

Re: how to setup certificate authentication

Post by ethanolson » Mon Dec 02, 2019 6:40 am

Certificate validation of users is only supported with the SoftEther client. OpenVPN connections to a SoftEther server only work with username/password.

I also wish for certificate connections and a more complete OpenVPN profile export, including script or API calls to export a specific user's config with their certificate in it.
