In this recipe, we will demonstrate how to troubleshoot issues related to the use of the client-config-dir directive. This directive specifies a directory of so-called CCD files. A CCD file can contain OpenVPN directives to assign a specific IP address (or other per-client options) to a client, and it is selected by the common name (CN) of the client's certificate. Experience has shown that it is easy to misconfigure this directive. In this recipe, we will make one of the common misconfigurations and then show how to troubleshoot it.
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client was running Fedora 22 Linux and OpenVPN 2.3.11. Keep the server configuration file, basic-udp-server.conf, from the Server-side routing recipe from Chapter 2, Client-server IP-only Networks, handy, as well as the client configuration file, basic-udp-client.conf.
1. Create the server configuration file by appending the following lines to basic-udp-server.conf:
   client-config-dir /etc/openvpn/cookbook/clients
   ccd-exclusive
   Save it as example6-7-server.conf.
2. Make sure that the /etc/openvpn/cookbook/clients directory is accessible only to root:
   [root@server]# chown root /etc/openvpn/cookbook/clients
   [root@server]# chmod 700 /etc/openvpn/cookbook/clients
3. Start the server:
   [root@server]# openvpn --config example6-7-server.conf
4. Next, start the client using the configuration file basic-udp-client.conf:
   [root@client]# openvpn --config basic-udp-client.conf
5. The client will fail to connect with the following message:
   ...
   [openvpnserver] Peer Connection Initiated with server-ip:1194
   ...
   AUTH: Received AUTH_FAILED control message
6. The server log file is a bit confusing: first it mentions that there was a problem reading the CCD file client1, but then it states that the client is connected:
   ...
   client-ip:45432 TLS Auth Error: --client-config-dir authentication failed for common name 'client1' file='/etc/openvpn/cookbook/clients/client1'
   ...
   client-ip:45432 [client1] Peer Connection Initiated with client-ip:45432
   However, the VPN connection has not been properly initiated. "Peer Connection Initiated" only means that the TLS handshake completed; the authentication failure is then reported to the client as AUTH_FAILED over the control channel, and no tunnel is established.
The following directives tell the OpenVPN server to look in the /etc/openvpn/cookbook/clients directory for a CCD file named after the common name (CN) of the client certificate:
client-config-dir /etc/openvpn/cookbook/clients
ccd-exclusive
The purpose of the second directive, ccd-exclusive, is to only allow clients for which a CCD file is present: if no CCD file can be opened for a client, the client is denied access. Note that the server does not distinguish between a CCD file that is absent and one that it cannot open; both produce the same TLS Auth Error. The name of the client certificate is listed in the server log:
... client-ip:45432 TLS Auth Error: --client-config-dir authentication failed for common name 'client1'
It can also be retrieved from the certificate itself:
openssl x509 -subject -noout -in client1.crt
Look for the part starting with /CN= and convert all spaces to underscores; the result is the file name the server looks for. (Newer OpenSSL releases print the subject as CN = client1 rather than /CN=client1; the name itself is the same.)
The OpenVPN server process is running as user nobody. Privileges are dropped right after start-up, but CCD files are read every time a client connects, so they are opened as nobody, not as root. Because we have set very restrictive permissions on the /etc/openvpn/cookbook/clients directory, this user is not capable of reading any files in that directory. When the client with the client1 certificate connects, the OpenVPN server cannot read the CCD file (even though it is there), and because of the ccd-exclusive directive the client is denied access.
In this section, we will explain how to increase the logging verbosity and what some of the most common client-config-dir mistakes are.
Increasing the verbosity of logging is often helpful when troubleshooting client-config-dir issues. With verb 5 and the right permissions, you will see the following entry in the OpenVPN server log each time a client's CCD file is read:
client1/client-ip:39814 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/cookbook/clients/client1
If this message is not present in the server log at that verbosity, it is safe to assume that the CCD file has not been read.
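The three messages discussed so far (the --client-config-dir TLS Auth Error, the "Peer Connection Initiated" line that looks like success, and the verb 5 OPTIONS IMPORT line that proves a CCD file was read) are easiest to interpret when they are paired up per common name. The following script does that over a server log. It is an added example, not part of the recipe or of OpenVPN; the log lines in SAMPLE_LOG are constructed from the messages shown above, with invented timestamps and the extra clients client2 and client3.

```python
"""Per-client CCD triage over OpenVPN server log lines (added example)."""
import re
from typing import Dict, Iterable, Tuple

# Message formats as they appear in the server log excerpts above.
RE_CCD_FAIL = re.compile(
    r"--client-config-dir authentication failed for common name '([^']+)' file='([^']*)'")
RE_CCD_READ = re.compile(
    r"(\S+)/\S+:\d+ OPTIONS IMPORT: reading client specific options from: (\S+)")
RE_PEER_INIT = re.compile(r"\[([^\]]+)\] Peer Connection Initiated")

# Constructed sample log: client1 is the recipe's failure, client2 a working
# client at verb 5, client3 a client whose CCD file was never read.
SAMPLE_LOG = """\
Wed Jun 22 10:01:02 2016 client-ip:45432 TLS Auth Error: --client-config-dir authentication failed for common name 'client1' file='/etc/openvpn/cookbook/clients/client1'
Wed Jun 22 10:01:02 2016 client-ip:45432 [client1] Peer Connection Initiated with client-ip:45432
Wed Jun 22 10:02:10 2016 client-ip:39814 [client2] Peer Connection Initiated with client-ip:39814
Wed Jun 22 10:02:10 2016 client2/client-ip:39814 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/cookbook/clients/client2
Wed Jun 22 10:03:00 2016 client-ip:40001 [client3] Peer Connection Initiated with client-ip:40001
""".splitlines()


def triage_ccd_log(lines: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Map common name -> (status, detail).

    Later evidence for a client overrides earlier evidence, except that a bare
    handshake line never hides a ccd-exclusive denial already recorded: the
    "Peer Connection Initiated" message is printed even for a refused client.
    """
    state: Dict[str, Tuple[str, str]] = {}
    for line in lines:
        m = RE_CCD_FAIL.search(line)
        if m:
            state[m.group(1)] = ("denied", "ccd-exclusive: could not open " + m.group(2))
            continue
        m = RE_CCD_READ.search(line)
        if m:
            state[m.group(1)] = ("ccd-read", m.group(2))
            continue
        m = RE_PEER_INIT.search(line)
        if m:
            state.setdefault(m.group(1), (
                "tls-only",
                "handshake done but no CCD read logged; raise verb to 5 if one was expected"))
    return state


if __name__ == "__main__":
    for cn, (status, detail) in triage_ccd_log(SAMPLE_LOG).items():
        print(f"{cn:10} {status:9} {detail}")
```

Run it against a real server log with `triage_ccd_log(open("/var/log/openvpn.log"))`; a client that shows up as tls-only while you expected a CCD file to be applied is the case the verbosity increase is meant to catch.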
There are a few frequent client-config-dir mistakes:
- Using a relative path in the client-config-dir directive, for example:
  client-config-dir clients
  This might work in some cases, but you have to be very careful about the directory the server is started from, and about combining it with directives such as --chroot or --cd. Especially when the --chroot directive is used, every path, including an absolute path, is resolved relative to the chroot directory once the server has entered it. CCD files are opened when a client connects, which is after the chroot, so the directory must exist (and be readable) inside the chroot.
- Not knowing exactly what the /CN= name of the client certificate is. Also, be aware that OpenVPN rewrites some characters of the /CN= name, such as spaces, before using it as a file name. For the full list of characters that will be remapped, refer to the String types and remapping section of the manual page.
- Restricting the permissions on the CCD directory or its files so tightly that the server process can no longer read them after it has dropped privileges (in this recipe it runs as user nobody).
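The checks behind this recipe and the mistakes listed above (the CN-to-file-name remapping, the permissions as seen by the unprivileged server user, relative paths and --chroot, and the ccd-exclusive verdict) can be reproduced offline. The following script is an added example, not OpenVPN code; it emulates the server's CCD lookup from stat() mode bits instead of os.access(), so it gives the right answer for user nobody even when you run it as root. The allowed-character set follows the manual's common-name rule as read by the author of this example, the uid 65534 for nobody is an assumption, and the DEFAULT-file fallback is deliberately not modelled.

```python
"""Emulate the OpenVPN server's client-config-dir lookup (added example)."""
import os
import stat
import string
from dataclasses import dataclass
from typing import Iterable, Optional

# Characters the manual ("String types and remapping") allows in a common
# name; every other character becomes an underscore before the file lookup.
_CN_ALLOWED = set(string.ascii_letters + string.digits + "_-.@")


def remap_common_name(cn: str) -> str:
    """File name OpenVPN derives from a certificate CN."""
    return "".join(c if c in _CN_ALLOWED else "_" for c in cn)


def _allows(st: os.stat_result, uid: int, gids: Iterable[int], other_bit: int) -> bool:
    """Unix DAC check for one permission; pass stat.S_IROTH or stat.S_IXOTH."""
    if uid == 0:
        return True                                   # root bypasses read/search
    if st.st_uid == uid:
        return bool(st.st_mode & (other_bit << 6))    # owner triplet
    if st.st_gid in gids:
        return bool(st.st_mode & (other_bit << 3))    # group triplet
    return bool(st.st_mode & other_bit)               # others triplet


@dataclass
class CcdResult:
    path: str        # file the server will try to open
    exists: bool     # present on disk
    readable: bool   # server user can reach and read it
    verdict: str     # what the server does with the client


def ccd_lookup(ccd_dir: str, cn: str, uid: int, gids: Iterable[int] = (),
               ccd_exclusive: bool = False, chroot: Optional[str] = None,
               cwd: Optional[str] = None) -> CcdResult:
    gids = set(gids)
    # Resolve the directory as the server does: a relative path is taken from
    # its working directory (--cd); after --chroot every path, absolute or
    # not, lives under the chroot directory.
    base = ccd_dir if os.path.isabs(ccd_dir) else os.path.join(cwd or os.getcwd(), ccd_dir)
    if chroot:
        base = os.path.join(chroot, base.lstrip(os.sep))
    path = os.path.normpath(os.path.join(base, remap_common_name(cn)))

    exists = os.path.isfile(path)
    readable = False
    if exists:
        # Search (x) on every directory up to the (chroot) root and read (r)
        # on the file, all evaluated for the unprivileged server user.
        stop = os.path.normpath(chroot) if chroot else None
        dirs, d = [], os.path.dirname(path)
        while True:
            dirs.append(d)
            parent = os.path.dirname(d)
            if parent == d or d == stop:
                break
            d = parent
        readable = all(_allows(os.stat(d), uid, gids, stat.S_IXOTH) for d in dirs) \
            and _allows(os.stat(path), uid, gids, stat.S_IROTH)

    if readable:
        verdict = "CCD file read: client-specific options imported"
    elif ccd_exclusive:
        # The server cannot tell an unreadable file from a missing one.
        verdict = "denied: ccd-exclusive and CCD file " + (
            "unreadable by uid %d" % uid if exists else "missing")
    else:
        verdict = "no usable CCD file: client gets server defaults only"
    return CcdResult(path, exists, readable, verdict)


def make_fixture(root: str, dir_mode: int) -> str:
    """Create <root>/clients/client1 with the given directory mode (demo only)."""
    ccd = os.path.join(root, "clients")
    os.makedirs(ccd, exist_ok=True)
    os.chmod(root, 0o755)
    os.chmod(ccd, dir_mode)
    with open(os.path.join(ccd, "client1"), "w") as f:
        f.write("# constructed CCD file for the demo\n")
    os.chmod(os.path.join(ccd, "client1"), 0o644)
    return ccd


if __name__ == "__main__":
    import tempfile
    nobody = dict(uid=65534, gids=(65534,))        # assumed uid/gid of nobody
    ccd = make_fixture(tempfile.mkdtemp(), 0o700)  # the recipe's chmod 700
    print(ccd_lookup(ccd, "client1", ccd_exclusive=True, **nobody).verdict)
    os.chmod(ccd, 0o755)                           # the fix
    print(ccd_lookup(ccd, "client1", ccd_exclusive=True, **nobody).verdict)
```

Point it at a real server with `ccd_lookup("/etc/openvpn/cookbook/clients", "client1", uid=<uid of nobody>, gids=(<gid>,), ccd_exclusive=True)`, adding `chroot=` or `cwd=` when the server configuration uses --chroot or --cd; the returned path is the exact file the server will try to open, and the verdict matches what the TLS Auth Error in step 6 is telling you.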