Posted: Tue Sep 28, 2010 20:38 Post subject: dd-wrt and openvpn cert authentication
Hi,
I have been trying to get certificate based authentication working on my openvpn server for quite a while now. I was finally able to generate the 3 certificates I need. I have been trying to get my test client to access the vpn but so far I have had no luck. What I need is for 3 clients to access the vpn at the same time. Each client will have a static IP so there is no need for DHCP. There is no need for a WINS server as the clients will access 1 server via IP.
My test setup is my Windows 7 64-bit PC with an IP of 10.100.159.10 trying to vpn into 10.100.159.9 public (192.168.1.1 private) and access a server 192.168.1.55 on the vpn segment. The firewall is set up to allow port 1194 in.
This is the client config
client
dev tun
proto udp
remote 10.100.159.9 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
verb 3
ifconfig 192.168.1.2 192.168.1.1
This is the server config
mode server
proto udp
port 1194
dev tun0
keepalive 10 120
verb 3
tls-server
ifconfig 192.168.1.1 192.168.1.2
ca /tmp/ca.crt
cert /tmp/cert.pem
key /tmp/key.pem
dh /tmp/dh1024.pem
This is from when the client connects to the server:
Thu Sep 23 10:53:25 2010 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010
Thu Sep 23 10:53:25 2010 WARNING: using --pull/--client and --ifconfig together is probably not what you want
Thu Sep 23 10:53:25 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Sep 23 10:53:26 2010 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Sep 23 10:53:26 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Sep 23 10:53:26 2010 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0EL:0 ]
Thu Sep 23 10:53:26 2010 Local Options hash (VER=V4): '3514370b'
Thu Sep 23 10:53:26 2010 Expected Remote Options hash (VER=V4): '239669a8'
Thu Sep 23 10:53:26 2010 UDPv4 link local: [undef]
Thu Sep 23 10:53:26 2010 UDPv4 link remote: 10.100.159.9:1194
Thu Sep 23 10:53:26 2010 TLS: Initial packet from 10.100.159.9:1194, sid=ee5ac20d 37e78461
Thu Sep 23 10:53:26 2010 VERIFY OK: depth=1, cert info removed
Thu Sep 23 10:53:26 2010 VERIFY OK: nsCertType=SERVER
Thu Sep 23 10:53:26 2010 VERIFY OK: depth=0, cert info removed
Thu Sep 23 10:53:26 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Sep 23 10:53:26 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 23 10:53:26 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Sep 23 10:53:26 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 23 10:53:26 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Sep 23 10:53:26 2010 [server] Peer Connection Initiated with 10.100.159.9:1194
Thu Sep 23 10:53:28 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Sep 23 10:53:28 2010 PUSH: Received control message: 'PUSH_REPLY,ping 10,ping-restart 120'
Thu Sep 23 10:53:28 2010 OPTIONS IMPORT: timers and/or timeouts modified
Thu Sep 23 10:53:28 2010 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{526052F7-972B-4E3F-9929-6D12839B40B9}.tap
Thu Sep 23 10:53:28 2010 TAP-Win32 Driver Version 9.7
Thu Sep 23 10:53:29 2010 TAP-Win32 MTU=1500
Thu Sep 23 10:53:29 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.1.2/255.255.255.252 on interface {526052F7-972B-4E3F-9929-6D12839B40B9} [DHCP-serv: 192.168.1.1, lease-time: 31536000]
Thu Sep 23 10:53:29 2010 Successful ARP Flush on interface [16] {526052F7-972B-4E3F-9929-6D12839B40B9}
Thu Sep 23 10:53:34 2010 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Thu Sep 23 10:53:34 2010 Initialization Sequence Completed
From the server's log:
Sep 23 10:38:41 dd-wrt daemon.notice openvpn[6006]: MULTI: multi_create_instance called
Sep 23 10:38:41 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 Re-using SSL/TLS context
Sep 23 10:38:41 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sep 23 10:38:41 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Sep 23 10:38:41 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 TLS: Initial packet from 10.100.159.10:51538, sid=767b5896 850803e7
Sep 23 10:38:41 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 VERIFY OK: depth=1, cert info removed
Sep 23 10:38:41 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 VERIFY OK: depth=0, cert info removed
Sep 23 10:38:42 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 23 10:38:42 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 23 10:38:42 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 23 10:38:42 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 23 10:38:42 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sep 23 10:38:42 dd-wrt daemon.notice openvpn[6006]: 10.100.159.10:51538 [test-pc1] Peer Connection Initiated with 10.100.159.10:51538
Sep 23 10:38:42 dd-wrt daemon.err openvpn[6006]: test-pc1/10.100.159.10:51538 MULTI: no dynamic or static remote --ifconfig address is available for test-pc1/10.100.159.10:51538
Sep 23 10:38:44 dd-wrt daemon.notice openvpn[6006]: test-pc1/10.100.159.10:51538 PUSH: Received control message: 'PUSH_REQUEST'
Sep 23 10:38:44 dd-wrt daemon.notice openvpn[6006]: test-pc1/10.100.159.10:51538 SENT CONTROL [test-pc1]: 'PUSH_REPLY,ping 10,ping-restart 120' (status=1)
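The server log above ends with "MULTI: no dynamic or static remote --ifconfig address is available" for the client, and the client log warns that --client and --ifconfig are being used together. As an added example (not from the original post or from DD-WRT), this script lays out fixed per-client tunnel addresses the way OpenVPN 2.1 expects in its default net30 topology: one client-config-dir file per certificate common name holding an ifconfig-push pair taken from a single /30, plus the server directives that go with it. The tunnel subnet 10.8.0.0/24 and the common names client1..client3 are assumptions; the LAN 192.168.1.0/24 is from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Fixed tunnel addresses for three
# certificate clients in OpenVPN 2.1's default "net30" topology: each client
# owns one /30, so an ifconfig-push pair must be that /30's two usable hosts,
# i.e. last octets {1,2}, {5,6}, {9,10}, ... (lower octet mod 4 == 1).
# Assumed: tunnel 10.8.0.0/24, CNs client1..3. From the post: LAN 192.168.1.0/24.

last_octet() { printf '%s\n' "$1" | cut -d. -f4; }
prefix3()    { printf '%s\n' "$1" | cut -d. -f1-3; }

# net30_pair_ok IP_A IP_B -> 0 if the two addresses form one legal net30 pair
net30_pair_ok() {
    [ "$(prefix3 "$1")" = "$(prefix3 "$2")" ] || return 1
    a=$(last_octet "$1"); b=$(last_octet "$2")
    if [ "$a" -lt "$b" ]; then lo=$a; hi=$b; else lo=$b; hi=$a; fi
    [ $((lo % 4)) -eq 1 ] && [ "$hi" -eq $((lo + 1)) ]
}

# write_ccd CCD_DIR CN CLIENT_IP SERVER_END -> CCD_DIR/CN with the ifconfig-push.
# The file name must equal the client certificate's common name (the server log
# shows one as [test-pc1]). Pairs that are not a valid /30 are refused.
write_ccd() {
    net30_pair_ok "$3" "$4" || { echo "bad net30 pair $3 $4 for $2" >&2; return 1; }
    mkdir -p "$1"
    printf 'ifconfig-push %s %s\n' "$3" "$4" > "$1/$2"
}

# server_snippet CCD_DIR -> server directives to use instead of a bare 'ifconfig':
# server keeps the first /30, the kernel routes the tunnel subnet into tun, clients
# without a ccd file are refused, and the LAN route is pushed ('client' pulls it).
server_snippet() {
    cat <<EOF
ifconfig 10.8.0.1 10.8.0.2
route 10.8.0.0 255.255.255.0
client-config-dir $1
ccd-exclusive
push "route 192.168.1.0 255.255.255.0"
EOF
}

demo() {
    d=$(mktemp -d)
    write_ccd "$d" client1 10.8.0.6  10.8.0.5
    write_ccd "$d" client2 10.8.0.10 10.8.0.9
    write_ccd "$d" client3 10.8.0.14 10.8.0.13
    server_snippet "$d"
    for f in "$d"/client*; do printf '%s: ' "${f##*/}"; cat "$f"; done
    rm -rf "$d"
}
demo
```

With these files in place the client config keeps only `client`, the certificate lines and `remote`; the address it was given by `ifconfig` now arrives in the PUSH_REPLY instead.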