Took me a couple of days to get back to this but removing the crl-verify line
produced a working configuration.  More troubleshooting revealed that I needed
the full path to rw-crl.pem (both manually and with systemctl).  Still puzzling
why systemd allowed connections but didn't run the script, but with a working
configuration I don't have the time luxury to troubleshoot that.
Thank you for your help, I certainly appreciate it.

-----Original Message-----
From: Jan Just Keijser <janj...@nikhef.nl>
To: Leroy Tennison <leroy.tenni...@verizon.net>; openvpn-users 
<openvpn-users@lists.sourceforge.net>
Sent: Sun, Dec 29, 2019 10:33 am
Subject: Re: [Openvpn-users] Problems getting client-connect script to run

Hi,

On 28/12/19 09:09, Leroy Tennison via Openvpn-users wrote:

Running OpenVPN 2.3.10 on Ubuntu 16.04 using a working configuration with only 
the "script-security" and "client-connect" lines added.  Starting the OpenVPN 
server with systemctl starts it successfully and a client can connect but the 
client-connect script doesn't run and no error is reported in the log.  
Stopping the daemon with systemctl and starting it manually with the below 
parameters doesn't allow a client to connect, the log shows: 
    CRL: cannot read: rw-crl.pem
    TLS_ERROR: BIO read tls_read_plaintext error: ... ssl3_get_client_certificate:certificate verify failed
    TLS Error: TLS object -> incoming plaintext read error
    TLS Error: TLS handshake failed

Starting it manually with the *** only *** change being the removal of the
--daemon parameter produces a totally working system.  Any idea what is wrong
or suggestions?
The log file snippet tells you what is failing:

    CRL: cannot read: rw-crl.pem

This means that none of your clients pass verification and never reach the
'client-connect' stage.  Comment out the crl line or make the rw-crl.pem file
readable and try again.

HTH,

JJK

(The following obtained using 'egrep -v "^$|^#|^;" server.conf', it was put
into a file and the following two vi commands used to put it into the proper
format before adding /usr/sbin/openvpn and --daemon at the front:
    :%s/^/--
    :%s/\n/ /
)

    local nnn.nnn.nnn.nnn    (using Internet-registered IP on the Internet-facing device)
    port 1197    (non-standard due to other OpenVPN instances passing through the device)
    proto udp
    dev tun1
    topology subnet
    ca rw-ca.crt
    cert vpnhost.crt
    key vpnhost.key
    dh rw-dh1024.pem
    server mmm.mmm.mmm.mmm 255.255.255.128    (private IP address ranges here and below)
    ifconfig-pool-persist rw-ipp.txt
    push "route mmm.mmm.aaa.0 255.255.255.0"
    push "route mmm.mmm.bbb.0 255.255.255.0"
    push "route vvv.vvv.0.0 255.255.0.0"
    push "route vvv.uuu.0.0 255.255.0.0"
    push "route vvv.ttt.0.0 255.255.0.0"
    client-config-dir rw-ccd
    push "dhcp-option DNS mmm.mmm.aaa.1"
    push "dhcp-option DOMAIN datavoiceint.com"
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status /var/log/openvpn-rw-status.log
    log-append /var/log/openvpn-rw.log
    verb 4
    crl-verify rw-crl.pem
    management 127.0.0.1 9711 /etc/openvpn/pwd
    script-security 2
    client-connect /etc/openvpn/rw-scripts/client-connect

The client-connect script is owned by root:root with 755 permissions on the
rw-scripts directory and client-connect script itself, contents are (output
sent to both /tmp and /var/log - same result, the "Arrived" was added to ensure
that something would be produced when the script ran):

    #!/bin/bash
    /bin/echo "Arrived" > /var/log/vpn-script-test
    /bin/echo -e "Time ascii = $time_ascii\ncommon_name = $common_name\nifconfig_pool_remote_ip = $ifconfig_pool_remote_ip\ntrusted_ip = $trusted_ip\nuntrusted_ip = $untrusted_ip" >> /var/log/vpn-script-test
    /bin/echo "Command line parameters: first - $1, second - $2" >> /var/log/vpn-script-test
 _______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
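A pre-flight check in the spirit of JJK's advice, added here as an example and not code from the thread or from the OpenVPN project: it filters server.conf the way the original poster's egrep did and flags every file-naming directive that uses a relative path (as "crl-verify rw-crl.pem" does, which stops resolving once the process no longer runs from the config directory, the situation --cd exists for) or that points at a file the checker cannot read. The list of directives treated as file references and the "relative path" rule are assumptions of this example, not an exhaustive reading of the OpenVPN manual.

```shell
#!/bin/sh
# Pre-flight check for an OpenVPN server.conf.  Directives in this list take a
# file as their first argument (assumed list, not exhaustive).
FILE_DIRECTIVES="ca cert key dh crl-verify client-connect tls-auth ifconfig-pool-persist"

# list_path_problems CONF
# Prints one "<directive> <path>: <reason>" line per questionable reference.
list_path_problems() {
    conf="$1"
    # Same filter the thread used: drop blank lines and '#' / ';' comments.
    grep -Ev '^[[:space:]]*($|[#;])' "$conf" |
    while read -r directive arg rest; do
        case " $FILE_DIRECTIVES " in
            *" $directive "*) ;;     # this directive names a file: check it
            *) continue ;;           # anything else is not our concern
        esac
        case "$arg" in
            /*) ;;                   # absolute path: resolvable from any cwd
            *)  echo "$directive $arg: relative path (breaks once the daemon changes directory)"
                continue ;;
        esac
        # Absolute but unreadable by the checking user: missing file or bad mode.
        [ -r "$arg" ] || echo "$directive $arg: not readable (missing or wrong permissions)"
    done
}

# check_openvpn_paths CONF
# Returns 0 when the config is clean, 1 otherwise (problems go to stdout).
check_openvpn_paths() {
    out=$(list_path_problems "$1")
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}
```

Run it as the user OpenVPN will run as (root here, or the unit's User=), since "-r" answers for the caller, not for the daemon.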