Troubleshooting client-config-dir issues

In this recipe, we will demonstrate how to troubleshoot issues related to the use of the client-config-dir directive. This directive can be used to specify a directory for so-called CCD files. CCD files can contain OpenVPN directives to assign a specific IP address to a client, based on the client's certificate. Experience has shown that it is easy to misconfigure this directive. In this recipe, we will make one of the common misconfigurations and then show how to troubleshoot it.

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client was running Fedora 22 Linux and OpenVPN 2.3.11. Keep the server configuration file, basic-udp-server.conf, from the Server-side routing recipe from Chapter 2, Client-server IP-only Networks, handy, as well as the client configuration file, basic-udp-client.conf.

How to do it...

  1. Append the following lines to the configuration file, basic-udp-server.conf:
            client-config-dir /etc/openvpn/cookbook/clients 
            ccd-exclusive 
    

    Save it as example6-7-server.conf.

  2. Make sure that the /etc/openvpn/cookbook/clients directory is accessible only to the root user:
            [root@server]# chown root /etc/openvpn/cookbook/clients
            [root@server]# chmod 700  /etc/openvpn/cookbook/clients
    
  3. Start the server:
            [root@server]# openvpn --config example6-7-server.conf
    
  4. Next, start the client using the configuration file, basic-udp-client.conf:
            [root@client]# openvpn --config basic-udp-client.conf
    

Then, the client will fail to connect with the following message:

... [openvpnserver] Peer Connection Initiated with server-ip:1194 
... AUTH: Received AUTH_FAILED control message 

The server log file is a bit confusing: first, it mentions that there was a problem reading the CCD file, client1, but then it states that the client is connected:

... client-ip:45432 TLS Auth Error: --client-config-dir authentication failed for common name 'client1' file=''/etc/openvpn/cookbook/clients/client1'' 
... client-ip:45432 [client1] Peer Connection Initiated with client-ip:45432 

However, the VPN connection has not been properly initiated.

How it works...

The following directives tell the OpenVPN server to look in the /etc/openvpn/cookbook/clients directory for a CCD file named after the common name (CN) of the client certificate:

client-config-dir /etc/openvpn/cookbook/clients 
ccd-exclusive 

The purpose of the second directive, ccd-exclusive, is to only allow clients for which a CCD file is present. If a CCD file for a client is not present, the client will be denied access. The name of the client certificate is listed in the server log:

... client-ip:45432 TLS Auth Error: --client-config-dir authentication failed for common name 'client1' 

However, it can also be retrieved using the following:

openssl x509 -subject -noout -in client1.crt 

Look for the first part starting with /CN= and convert all spaces to underscores.

The OpenVPN server process is running as user nobody. Because we have set very restrictive permissions on the /etc/openvpn/cookbook/clients directory, this user cannot read any files in that directory. When the client with the client1 certificate connects, the OpenVPN server cannot read the CCD file (even though it might be there). Because of the ccd-exclusive directive, the client is then denied access.

There's more...

In this section, we will explain how to increase the logging verbosity and what some of the most common client-config-dir mistakes are.

More verbose logging

Increasing the verbosity of logging is often helpful when troubleshooting client-config-dir issues. With verb 5 and the right permissions, you will see the following log file entries in the OpenVPN server log:

client1/client-ip:39814 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/cookbook/clients/client1 

If this message is not present in the server log, then it is safe to assume that the CCD file has not been read.

Other frequent client-config-dir mistakes

There are a few frequent client-config-dir mistakes:

  • A non-absolute path is used to specify the client-config-dir directive, for example:
            client-config-dir clients
    

    This might work in some cases, but you have to be very careful about the directory from which the server is started, and about combining this with directives such as --chroot or --cd. Especially when the --chroot directive is used, all paths, including absolute paths, will be relative to the chroot path.

  • The CCD file itself must be correctly named, without any extension. This typically tends to confuse Windows users. Look in the server log to see what the OpenVPN server thinks the /CN= name of the client certificate is. Also, be aware that OpenVPN rewrites some characters of the /CN= name, such as spaces. For the full list of characters that will be remapped, refer to the String types and remapping section of the manual page.
  • The CCD file and the full path to it must be readable to the user under which the OpenVPN server process is running (usually nobody).
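The two checks described in the How it works section and in the mistakes list above (deriving the CCD file name from the certificate CN, and verifying that the unprivileged server user can reach and read that file) as an added example; this is not code from the book or from the OpenVPN project. It assumes the common-name character class from the manual's String types and remapping section (alphanumerics, underscore, dash, dot and at-sign; anything else becomes an underscore) and plain mode bits without ACLs or capabilities:

```python
import os

# Added example, not OpenVPN's own code. Assumed CN character class per the
# manual's "String types and remapping" section; other characters become '_'.
CN_ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 "0123456789_-.@")

def ccd_filename(common_name):
    """CCD file name OpenVPN derives from a certificate CN (no extension)."""
    return "".join(c if c in CN_ALLOWED else "_" for c in common_name)

def subject_cn(subject_line):
    """CN from OpenSSL 1.0-style 'subject= /C=NL/O=x/CN=client one' output."""
    for part in subject_line.split("/"):
        if part.startswith("CN="):
            return part[3:].strip()
    return None

def _allowed(st, uid, gids, want):
    """Does uid (member of gids) have the 'want' bits (4=read, 1=search)?"""
    if uid == 0:
        return True                       # root bypasses mode bits
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return (st.st_mode >> shift) & want == want

def ccd_readable(ccd_dir, common_name, uid, gids=()):
    """Walk the absolute path as the server's unprivileged user (e.g. nobody)
    would: every directory needs search (x), the CCD file needs read (r).
    Returns (ok, detail); detail names the first component that fails."""
    path = os.path.join(os.path.abspath(ccd_dir), ccd_filename(common_name))
    cur = os.sep
    for comp in path.split(os.sep)[1:-1]:
        cur = os.path.join(cur, comp)
        if not os.path.isdir(cur):
            return False, "%s: no such directory" % cur
        if not _allowed(os.stat(cur), uid, gids, 1):
            return False, "%s: no search (x) permission for uid %d" % (cur, uid)
    if not os.path.isfile(path):
        return False, "%s: missing (ccd-exclusive would deny the client)" % path
    if not _allowed(os.stat(path), uid, gids, 4):
        return False, "%s: not readable by uid %d" % (path, uid)
    return True, path
```

Run it on the server with the uid of the user named in the server's user directive; a 0700 directory owned by root fails at the directory step exactly as in the recipe.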

See also

  • The Using client-config-dir files recipe from Chapter 2, Client-server IP-only Networks, which explains the basic usage of client configuration files