OpenVPN Signed Certificate Authentication for OpenVPN

[lexxthefox]

Hello everyone!

I'm struggling with Signed Certificate Authentication for OpenVPN.

There is an OpenVPN Server installation I wish to replace with SoftEther VPN 4.42.9798. The idea is to allow existing users connect to the server after server software has been replaced. If it worked, it would be a jackpot: user's wouldn't have to reconfigure or even notice anything.

It sounds quite straight-forward: just upload CA certificate to "Trusted CA Certificates" storage and create users with "Signed Certificate Authentication". Limit by CN or SN. At least, this is the impression I've got after reading "2.2.6 Signed Certificate Authentication" of the manual.
Of course, it leaves questions, such as if OpenVPN client software is compartibe and if client and server are able to negotiate encryption options. But I've got this figured out. First I tried pasword authntication: client connects and traffic flows. Then I've tried authentication with client certificate generated by SoftEther VPN ("Individual Certificate Authentication" -> "Create Certificate"): it also worked like a charm.
The problem is, the part that sounds easy doesn't work for me: when I try to log in with Signed Certificate, I get

Code: Select all

User authentication failed. The user name that has been provided was "corpuser@company.tld".

What I tried.

First I made sure that the right CA certificate is listed on "Trusted CA Certificates" list. Under "View Certificate" I can confirm it is. Issuer, Subject and Serial are the expected ones.
Then I've checked user certificate extracted from ovpn file can be verified with CA file.

Code: Select all

openssl verify -verbose -CAfile ca.pem corpuser@company.tld.pem

returns OK.
The next thing that caught my attention is the fact that log says

Code: Select all

The user name that has been provided was "corpuser@company.tld".

while users created on "Manage Users" interface have bare user names. By searching this forum, I've found suggestion that if Virtual Hub is named after domain it might concatenate with username. I've recreated the Hub and made it say

Code: Select all

company.tld

. It made no difference.
I also tried to create new PKI. Our existing CA has 4096 bits, thought it might be the reason. New PKI has CA certificate of 2048 bits. It also didn't help.

This is where I ran out of ideas.

If someone could help me with this, I'd be really grateful.

It would also help if someone explains how to get debugging information. Maybe there is a way to get more detailed log messages on why SoftEther VPN comes to the conclusion that authentication is failed. It just says

Code: Select all

User authentication failed. The user name that has been provided was "corpuser@company.tld".

and that's it. What is the reason? All I've found in config file is

Code: Select all

SaveDebugLog

, but tiny_log does not log any relevant information, all it has is "Entering RPC" and "Leaving RPC" and no validation info. It gives no clue.

Thanks in advance!

[solo]

I wish to replace with SoftEther VPN 4.42.9798.

Install v5 https://dev.azure.com/SoftEther-VPN/004 ... format=zip

FYI https://github.com/SoftEtherVPN/SoftEth ... le-edition

[lexxthefox]

@solo thank you for your suggestion. I have built the latest available tag: 5.02.5182. Reinstalled. "VPN Server Information" reads: SoftEther VPN Server Developer Edition (64 bit) (Open Source), Version 5.02 Build 5182 (English).

CA certificate has been installed as Trusted CA certificate via Server Manager UI. I've also copied ca file (pem and crt formats) to /usr/libexec/softether/vpnserver/chain_certs, just in case.

User created as "corpuser", Signed Certificate Authentication. No limits (CN or SN) set.

Still getting the same error:

Code: Select all

2024-04-06 22:03:16.700 [OpenVPN] [client ip address]:2015 -> [server ip address]:1194 (UDP): Session created.
2024-04-06 22:03:16.700 OpenVPN Session 1 ([client ip address]:2015 -> [server ip address]:1194) Channel 0: A new channel is created.
2024-04-06 22:03:16.781 OpenVPN Session 1 ([client ip address]:2015 -> [server ip address]:1194) Channel 0: Option Strings Received: "V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client"
2024-04-06 22:03:16.781 OpenVPN Session 1 ([client ip address]:2015 -> [server ip address]:1194) Channel 0: Client certificate received (subject: CN="corpuser@company.tld"), will use certificate authentication.
2024-04-06 22:03:16.781 OpenVPN Session 1 ([client ip address]:2015 -> [server ip address]:1194) Channel 0: Option Strings to Send: "V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server"
2024-04-06 22:03:18.001 On the TCP Listener (Port 0), a Client (IP address [client ip address], Host name "[client ip address].[client's ISP domain]", Port number 2015) has connected.
2024-04-06 22:03:18.001 For the client (IP address: [client ip address], host name: "[client ip address].[client's ISP domain]", port number: 2015), connection "CID-12" has been created.
2024-04-06 22:03:18.001 SSL communication for connection "CID-12" has been started. The protocol version is (null). The encryption algorithm name is "(null)".
2024-04-06 22:03:18.001 [HUB "company.tld"] The connection "CID-12" (IP address: [client ip address], Host name: [client ip address].[client's ISP domain], Port number: 2015, Client name: "OpenVPN Client", Version: 5.02, Build: 5182) is attempting to connect to the Virtual Hub. The auth type provided is "OpenVPN certificate authentication" and the user name is "corpuser@company.tld".
2024-04-06 22:03:18.001 [HUB "company.tld"] Connection "CID-12": User authentication failed. The user name that has been provided was "corpuser@company.tld", from [client ip address].
2024-04-06 22:03:18.001 OpenVPN Session 1 ([client ip address]:2015 -> [server ip address]:1194) Channel 0: Failed to connect a channel.
2024-04-06 22:03:18.021 Connection "CID-12" terminated by the cause "User authentication failed." (code 9).
2024-04-06 22:03:18.021 Connection "CID-12" has been terminated.
2024-04-06 22:03:18.021 The connection with the client (IP address [client ip address], Port number 2015) has been disconnected.

Will keep scratching my head :-/

BTW, could it be so that client certificate is missing something here? :

Code: Select all

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: [sensitive]
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = company.tld
        Validity
            Not Before: Apr  3 18:12:54 2024 GMT
            Not After : Apr  3 18:13:24 2025 GMT
        Subject: CN = corpuser@company.tld
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: [sensitive]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier: [sensitive]
            X509v3 Authority Key Identifier: [sensitive]
            Authority Information Access: 
                OCSP - URI:[sensitive]
                CA Issuers - URI:[sensitive]
            X509v3 Subject Alternative Name: 
                email:corpuser@company.tld
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI: [sensitive]
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value: [sensitive]

I kinda suspect that Key Usage might probably be missing an important bit but don't know how to check.

[solo]

Please check if existing certificates import correctly.
https://www.vpnusers.com/viewtopic.php? ... 08#p101173
Works for me. Tested on...

Code: Select all

ServerInfoGet command - Get server information
Item                            |Value
--------------------------------+----------------------------------------------------------------
Product Name                    |SoftEther VPN Server Developer Edition (64 bit) (Open Source)
Version                         |Version 5.02 Build 5374 (English)
Build                           |Compiled 2024/02/26 20:53:50 by VssAdministrator at fv-az528-706

[lexxthefox]

Please check if existing certificates import correctly.

Certificates have been imported successfullty. With some more trial and error I've narrowed down my suspects. It looks like user certificate's CN is the culprit:

Code: Select all

2024-04-08 18:57:35.104 [HUB "company.tld"] Connection "CID-81": User authentication failed. The user name that has been provided was "corpuser@company.tld", from [client IP].

It says 'The user name that has been provided was "corpuser@company.tld"'. I've tried issuing new certificate for this user. With CN that only carries user name, without the domain part: "corpuser". And it worked.

Looks like server does not ignore the domain part. And it does not help to name Hub after the domain part.

The setup:

Code: Select all

VPN Server/company.tld>HubList
HubList command - Get List of Virtual Hubs
Item              |Value
------------------+-------------------
Virtual Hub Name  |company.tld
Status            |Online
Type              |Standalone
Users             |1
Groups            |1
Sessions          |1
MAC Tables        |1
IP Tables         |1
Num Logins        |6
Last Login        |2024-04-08 19:13:31
Last Communication|2024-04-08 19:16:36
Transfer Bytes    |186,054
Transfer Packets  |2,902
The command completed successfully.

VPN Server/company.tld>UserList
UserList command - Get List of Users
Item            |Value
----------------+---------------------------------
User Name       |corpuser
Full Name       |
Group Name      |-
Description     |
Auth Method     |Signed Certificate Authentication
Num Logins      |1
Last Login      |2024-04-08 (Mon) 19:13:31
Expiration Date |No Expiration
Transfer Bytes  |3,330
Transfer Packets|1,398
The command completed successfully.

VPN Server/company.tld>UserGet corpuser
UserGet command - Get User Information
Item                         |Value
-----------------------------+---------------------------------
User Name                    |corpuser
Full Name                    |
Description                  |
Expiration Date              |(None)
Auth Type                    |Signed Certificate Authentication
-----------------------------+---------------------------------
Created on                   |2024-04-08 (Mon) 19:13:25
Updated on                   |2024-04-08 (Mon) 19:13:25
Outgoing Unicast Packets     |5 packets
Outgoing Unicast Total Size  |210 bytes
Outgoing Broadcast Packets   |6 packets
Outgoing Broadcast Total Size|1,372 bytes
Incoming Unicast Packets     |5 packets
Incoming Unicast Total Size  |210 bytes
Incoming Broadcast Packets   |16 packets
Incoming Broadcast Total Size|1,538 bytes
Number of Logins             |1
The command completed successfully.

Certificate with 'Subject: CN = corpuser' works:

Code: Select all

2024-04-08 19:13:31.526 [HUB "company.tld"] Connection "CID-98": Successfully authenticated as user "corpuser".

Certificate with 'Subject: CN = corpuser@company.tld' does not:

Code: Select all

2024-04-08 18:57:35.104 [HUB "company.tld"] Connection "CID-81": User authentication failed. The user name that has been provided was "corpuser@company.tld", from [client IP].

Both certificates belong to the same Authority, I've double-checked to make sure I haven't just messed certificate files.

Well, I't good news in general. We can keep using existing PKI. But the fact that we'd have to reissue user certificates is a problem. Not only due to the fact that users would have to update client configs. Our tooling automates certificate renewals, and it requires user certificate CNs to be in email-like form.

[lexxthefox]

This issue is quite a riddle. No experiments showed any results, so I had to start reading source code.

Turns out, certificate Subject CN is not being checked for domain part at all. It is just being compared to user name database of the default Hub as is, and as usernames can't contain the @ sign, it won't match.
I was able to patch sources to make sure that domain part is cut off. It worked, but partially. As long as there is just one Hub, there's no issue. But if infrastructure requires more then one, there's no way to specify the desired Hub to authenticate against.
So in the end this effort developed into a bit more complicated patch. And a pull-request:

https://github.com/SoftEtherVPN/SoftEtherVPN/pull/1980

Honestly, I don't believe it will pass review, Most likely, I'm missing something and probably there's a way to get the desired behavior with proper configuration. But who knows? Let's see the PR discussion.

[lexxthefox]

Wow. PR seems to have been approved. This topic can be closed I guess.

Thanks!