OpenVPN Signed Certificate Authentication for OpenVPN
Posted: Fri Apr 05, 2024 4:46 pm
Hello everyone!
I'm struggling with Signed Certificate Authentication for OpenVPN.
There is an OpenVPN Server installation I wish to replace with SoftEther VPN 4.42.9798. The idea is to allow existing users to connect to the server after the server software has been replaced. If it worked, it would be a jackpot: users wouldn't have to reconfigure or even notice anything.
It sounds quite straightforward: just upload the CA certificate to the "Trusted CA Certificates" storage and create users with "Signed Certificate Authentication", limited by CN or SN. At least, this is the impression I've got after reading "2.2.6 Signed Certificate Authentication" of the manual.
Of course, it leaves questions, such as whether the OpenVPN client software is compatible and whether client and server are able to negotiate encryption options. But I've got this figured out. First I tried password authentication: the client connects and traffic flows. Then I tried authentication with a client certificate generated by SoftEther VPN ("Individual Certificate Authentication" -> "Create Certificate"): it also worked like a charm.
The problem is, the part that sounds easy doesn't work for me: when I try to log in with a Signed Certificate, I get

User authentication failed. The user name that has been provided was "corpuser@company.tld".

What I tried.
First I made sure that the right CA certificate is listed in the "Trusted CA Certificates" list. Under "View Certificate" I can confirm it is. Issuer, Subject and Serial are the expected ones.
Then I checked that the user certificate extracted from the ovpn file can be verified with the CA file.

openssl verify -verbose -CAfile ca.pem corpuser@company.tld.pem

returns OK.
The next thing that caught my attention is the fact that the log says

The user name that has been provided was "corpuser@company.tld".

while users created in the "Manage Users" interface have bare user names. By searching this forum, I found a suggestion that if the Virtual Hub is named after the domain it might be concatenated with the username. I recreated the Hub and made it say

company.tld

It made no difference.
I also tried to create a new PKI. Our existing CA has 4096 bits; I thought it might be the reason. The new PKI has a CA certificate of 2048 bits. It also didn't help.
This is where I ran out of ideas.
If someone could help me with this, I'd be really grateful.
It would also help if someone explained how to get debugging information. Maybe there is a way to get more detailed log messages on why SoftEther VPN comes to the conclusion that authentication has failed. It just says

User authentication failed. The user name that has been provided was "corpuser@company.tld".

and that's it. What is the reason? All I've found in the config file is SaveDebugLog, but tiny_log does not log any relevant information; all it has is "Entering RPC" and "Leaving RPC" and no validation info. It gives no clue.
Thanks in advance!
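Added example (not part of the original post, and not SoftEther's or OpenVPN's own tooling): a POSIX shell script that pulls the inline <ca> and <cert> blocks out of an OpenVPN profile, verifies the client certificate against the embedded CA the same way the openssl verify check above does, and prints the certificate's CN and its serial in both hex and decimal, so the values can be compared with whatever the hub user is configured to match on. The CA, client certificate and profile are constructed on the fly with openssl so the script runs offline; "Example Root CA", vpn.company.tld, the 0x1234 serial and the file names are hypothetical. It does not claim how SoftEther performs the comparison; it only makes the certificate side of it visible.

```shell
#!/bin/sh
# Added example, not from the original post: inspect the client certificate
# embedded in an OpenVPN profile. Requires the openssl CLI.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found in PATH" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample PKI (hypothetical names): a self-signed CA, a client
# certificate it signs with CN=corpuser@company.tld and serial 0x1234, and an
# inline-style .ovpn profile wrapping both. Prints the profile path.
make_sample_profile() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=corpuser@company.tld" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -set_serial 0x1234 -in "$WORK/client.csr" -out "$WORK/client.pem" >/dev/null 2>&1
    {
        printf 'client\nremote vpn.company.tld 1194\n<ca>\n'
        cat "$WORK/ca.pem"
        printf '</ca>\n<cert>\n'
        cat "$WORK/client.pem"
        printf '</cert>\n'
    } > "$WORK/profile.ovpn"
    printf '%s\n' "$WORK/profile.ovpn"
}

# extract_block PROFILE TAG: print the PEM between <TAG> and </TAG>
extract_block() {
    sed -n "/^<$2>/,/^<\/$2>/p" "$1" | sed '1d;$d'
}

# verify_profile PROFILE: verify the embedded client cert against the embedded
# CA; prints OK on success, otherwise the openssl error text.
verify_profile() {
    extract_block "$1" ca   > "$WORK/x_ca.pem"
    extract_block "$1" cert > "$WORK/x_cert.pem"
    if openssl verify -CAfile "$WORK/x_ca.pem" "$WORK/x_cert.pem" >/dev/null 2>&1; then
        echo OK
    else
        openssl verify -CAfile "$WORK/x_ca.pem" "$WORK/x_cert.pem" 2>&1 || true
    fi
}

# cert_cn PROFILE: the CN of the embedded client certificate
cert_cn() {
    extract_block "$1" cert | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# cert_serial_hex PROFILE: serial as upper-case hex without leading zeros
cert_serial_hex() {
    extract_block "$1" cert | openssl x509 -noout -serial | sed 's/^serial=//; s/^0*//'
}

# cert_serial_dec PROFILE: the same serial in decimal
cert_serial_dec() {
    echo $(( 0x$(cert_serial_hex "$1") ))
}

# Stand-alone run over the constructed profile.
PROFILE="$(make_sample_profile)"
echo "verify: $(verify_profile "$PROFILE")"
echo "CN:     $(cert_cn "$PROFILE")"
echo "serial: $(cert_serial_hex "$PROFILE") (hex) / $(cert_serial_dec "$PROFILE") (decimal)"
```

To run it against a real profile, replace the make_sample_profile call with the path to the .ovpn. Profiles that reference the certificate with a `cert file.pem` line instead of an inline block can be fed to the same openssl x509 commands directly with `-in file.pem`.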