La única forma que conocen los humanos de llegar a alguna parte es dejando algo atrás…
Hace unos días, un cliente me comentó que actualizó sus terminales de venta (que utilizaban Fedora 23) a CentOS 7, debido a cuestiones de estabilidad; pero que tenía problemas para conectarse a su VPN.
Al intentar conectarse obtenía el error:
[root@terminal openvpn]# openvpn --config client.conf Thu Jul 04 09:13:53 2016 OpenVPN 2.3.11 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on May 10 2016 Thu Jul 04 09:13:53 2016 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06 Thu Jul 04 09:13:53 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Thu Jul 04 09:13:53 2016 Socket Buffers: R=[87380->87380] S=[16384->16384] Thu Jul 04 09:13:53 2016 Attempting to establish TCP connection with [AF_INET]93.184.216.34:1194 [nonblock] Thu Jul 04 09:13:54 2016 TCP connection established with [AF_INET]93.184.216.34:1194 Thu Jul 04 09:13:54 2016 TCPv4_CLIENT link local: [undef] Thu Jul 04 09:13:54 2016 TCPv4_CLIENT link remote: [AF_INET]93.184.216.34:1194 Thu Jul 04 09:13:54 2016 TLS: Initial packet from [AF_INET]93.184.216.34:1194, sid=a0dc7955 8adfd915 Thu Jul 04 09:13:55 2016 VERIFY OK: depth=1, C=MX, ST=DF, L=CDMX, O=Mi Changarrito S.A. de C.V., CN=Mi Changarrito S.A. de C.V. CA, emailAddress=seguridad@changarrito.com.mx Thu Jul 04 09:13:55 2016 VERIFY ERROR: depth=0, error=certificate signature failure: C=MX, ST=DF, L=CDMX, O=Mi Changarrito S.A. de C.V., CN=server-er, emailAddress=seguridad@changarrito.com.mx Thu Jul 04 09:13:55 2016 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Thu Jul 04 09:13:55 2016 TLS_ERROR: BIO read tls_read_plaintext error Thu Jul 04 09:13:55 2016 TLS Error: TLS object -> incoming plaintext read error Thu Jul 04 09:13:55 2016 TLS Error: TLS handshake failed Thu Jul 04 09:13:55 2016 Fatal TLS error (check_tls_errors_co), restarting Thu Jul 04 09:13:55 2016 SIGUSR1[soft,tls-error] received, process restarting Thu Jul 04 09:13:55 2016 Restart pause, 5 second(s) Thu Jul 04 09:14:00 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. ...
Al revisar el mensaje de error, se observa que el problema es el certificado de SSL que no puede ser leído. Esto se debe a que el soporte a certificados encriptados con MD5 y SHA1 fue retirado de CentOS.
Por lo que hay que setear unas variables de ambiente en el perfil de root, para agregar el soporte de MD5:
[root@terminal openvpn]# vi ~/.bash_profile export NSS_HASH_ALG_SUPPORT=+MD5 export OPENSSL_ENABLE_MD5_VERIFY=1 [root@terminal openvpn]#
Al realizar esta configuración y cargar dichas variables, la conexión se logra sin problemas:
[root@terminal openvpn]# openvpn --config client.conf Thu Jul 04 22:25:38 2016 OpenVPN 2.3.11 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on May 10 2016 Thu Jul 04 22:25:38 2016 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06 Thu Jul 04 22:25:38 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Thu Jul 04 22:25:38 2016 WARNING: file 'changarrin1818a.key' is group or others accessible Thu Jul 04 22:25:38 2016 Socket Buffers: R=[87380->87380] S=[16384->16384] Thu Jul 04 22:25:42 2016 Attempting to establish TCP connection with [AF_INET]93.184.216.34:1194 [nonblock] Thu Jul 04 22:25:43 2016 TCP connection established with [AF_INET]93.184.216.34:1194 Thu Jul 04 22:25:43 2016 TCPv4_CLIENT link local: [undef] Thu Jul 04 22:25:43 2016 TCPv4_CLIENT link remote: [AF_INET]93.184.216.34:1194 Thu Jul 04 22:25:43 2016 TLS: Initial packet from [AF_INET]93.184.216.34:1194, sid=bfa77b04 f30e3b9f Thu Jul 04 22:25:43 2016 VERIFY OK: depth=1, C=MX, ST=DF, L=CDMX, O=Mi Changarrito S.A. de C.V., CN=Mi Changarrito S.A. de C.V. CA, emailAddress=seguridad@changarrito.com.mx Thu Jul 04 22:25:43 2016 VERIFY OK: depth=0, C=MX, ST=DF, L=CDMX, O=Mi Changarrito S.A. de C.V., CN=server-er, emailAddress=seguridad@changarrito.com.mx Thu Jul 04 22:25:44 2016 Data Channel Encrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key Thu Jul 04 22:25:44 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Thu Jul 04 22:25:44 2016 Data Channel Decrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key Thu Jul 04 22:25:44 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Thu Jul 04 22:25:44 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA Thu Jul 04 22:25:44 2016 [server-er] Peer Connection Initiated with [AF_INET]93.184.216.34:1194 Thu Jul 04 22:25:46 2016 SENT CONTROL [server-er]: 'PUSH_REQUEST' (status=1) Thu Jul 04 22:25:46 2016 PUSH: Received control message: 'PUSH_REPLY,route 192.168.110.0 255.255.255.0,route 192.168.170.0 255.255.255.0,route 192.168.43.0 255.255.255.0,route 192.168.70.32 255.255.255.224,route 10.20.0.0 255.255.255.0,topology net30,ping 20,ping-restart 60,ifconfig 10.20.13.205 10.20.13.206' Thu Jul 04 22:25:46 2016 OPTIONS IMPORT: timers and/or timeouts modified Thu Jul 04 22:25:46 2016 OPTIONS IMPORT: --ifconfig/up options modified Thu Jul 04 22:25:46 2016 OPTIONS IMPORT: route options modified Thu Jul 04 22:25:46 2016 ROUTE_GATEWAY 192.168.122.1/255.255.255.0 IFACE=eth0 HWADDR=52:54:00:69:6c:4b Thu Jul 04 22:25:46 2016 TUN/TAP device tun0 opened Thu Jul 04 22:25:46 2016 TUN/TAP TX queue length set to 100 Thu Jul 04 22:25:46 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Thu Jul 04 22:25:46 2016 /usr/sbin/ip link set dev tun0 up mtu 1500 Thu Jul 04 22:25:46 2016 /usr/sbin/ip addr add dev tun0 local 10.20.13.205 peer 10.20.13.206 Thu Jul 04 22:25:46 2016 /usr/sbin/ip route add 192.168.110.0/24 via 10.20.13.206 Thu Jul 04 22:25:46 2016 /usr/sbin/ip route add 192.168.170.0/24 via 10.20.13.206 Thu Jul 04 22:25:46 2016 /usr/sbin/ip route add 192.168.43.0/24 via 10.20.13.206 Thu Jul 04 22:25:46 2016 /usr/sbin/ip route add 192.168.70.32/27 via 10.20.13.206 Thu Jul 04 22:25:46 2016 /usr/sbin/ip route add 10.20.0.0/24 via 10.20.13.206 Thu Jul 04 22:25:46 2016 Initialization Sequence Completed ^CThu Jul 04 22:25:56 2016 event_wait : Interrupted system call (code=4) Thu Jul 04 22:25:56 2016 /usr/sbin/ip route del 10.20.0.0/24 Thu Jul 04 22:25:56 2016 /usr/sbin/ip route del 192.168.70.32/27 Thu Jul 04 22:25:56 2016 /usr/sbin/ip route del 192.168.43.0/24 Thu Jul 04 22:25:56 2016 /usr/sbin/ip route del 192.168.170.0/24 Thu Jul 04 22:25:56 2016 /usr/sbin/ip route del 192.168.110.0/24 Thu Jul 04 22:25:56 2016 Closing TUN/TAP interface Thu Jul 04 22:25:56 2016 /usr/sbin/ip addr del dev tun0 local 10.20.13.205 peer 10.20.13.206 Thu Jul 04 22:25:56 2016 SIGINT[hard,] received, process exiting [root@terminal openvpn]#
Sin embargo, la conexión se debe ejecutar como un usuario sin privilegios de administrador; entonces debemos realizar una configuración que le permita a este usuario crear los dispositivos y las rutas necesarias para completar la conexión. Para esto
Como root:
- Crear el script /usr/local/sbin/unpriv-ip
[root@terminal ~]# vi /usr/local/sbin/unpriv-ip #!/bin/sh sudo /sbin/ip $* [root@terminal ~]#
- Editar la configuración de sudo para otorgar permisos sobre las interfaces de red
[root@terminal ~]# visudo ... ## Allow root to run any commands anywhere root ALL=(ALL) ALL chalan ALL=(ALL) NOPASSWD: /sbin/ip ...
- Editar el archivo de configuración de cliente de la vpn como:
[root@terminal ~]# vi /etc/openvpn/client.conf client dev tun0 iproute /usr/local/sbin/unpriv-ip proto tcp remote rpv.changarrito.com.mx 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert changarrito1818a.crt key changarrito1818a.key cipher DES-EDE3-CBC comp-lzo verb 3 [root@terminal ~]#
- Crear el dispositivo persistente de conexión:
[root@terminal ~]# openvpn --mktun --dev tun0 --dev-type tun --user chalan --group wheel
- Validar la creación del dispositivo
[root@terminal ~]# ip addr show tun0 3: tun0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc pfifo_fast state DOWN qlen 100 link/none [root@terminal ~]#
Como usuario:
- Verificar los permisos de sudo
[chalan@terminal ~]$ sudo -l Matching Defaults entries for chalan on this host: requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin User chalan may run the following commands on this host: (ALL) NOPASSWD: /sbin/ip [chalan@terminal ~]$
- Probar la conexión a la vpn:
[chalan@terminal ~]$ cd /etc/openvpn [chalan@terminal openvpn]$ openvpn --config client.conf Wed Jul 10 12:20:04 2016 OpenVPN 2.3.11 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on May 10 2016 Wed Jul 10 12:20:04 2016 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06 Wed Jul 10 12:20:04 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Wed Jul 10 12:20:04 2016 WARNING: file 'changarrito1818a.key' is group or others accessible Wed Jul 10 12:20:04 2016 Socket Buffers: R=[87380->87380] S=[16384->16384] Wed Jul 10 12:20:14 2016 Attempting to establish TCP connection with [AF_INET]93.184.216.34:1194 [nonblock] Wed Jul 10 12:20:15 2016 TCP connection established with [AF_INET]93.184.216.34:1194 Wed Jul 10 12:20:15 2016 TCPv4_CLIENT link local: [undef] Wed Jul 10 12:20:15 2016 TCPv4_CLIENT link remote: [AF_INET]93.184.216.34:1194 Wed Jul 10 12:20:15 2016 TLS: Initial packet from [AF_INET]93.184.216.34:1194, sid=bb779162 bdcacb5c Wed Jul 10 12:20:17 2016 VERIFY OK: depth=1, C=MX, ST=DF, L=CDMX, O=Mi Changarrito S.A. de C.V., CN=Mi Changarrito S.A. de C.V. CA, emailAddress=seguridad@changarrito.com.mx Wed Jul 10 12:20:17 2016 VERIFY OK: depth=0, C=MX, ST=DF, L=CDMX, O=Mi Changarrito S.A. de C.V., CN=server-er, emailAddress=seguridad@changarrito.com.mx Wed Jul 10 12:20:17 2016 Data Channel Encrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key Wed Jul 10 12:20:17 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Wed Jul 10 12:20:17 2016 Data Channel Decrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key Wed Jul 10 12:20:17 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Wed Jul 10 12:20:17 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA Wed Jul 10 12:20:17 2016 [server-er] Peer Connection Initiated with [AF_INET]93.184.216.34:1194 Wed Jul 10 12:20:19 2016 SENT CONTROL [server-er]: 'PUSH_REQUEST' (status=1) Wed Jul 10 12:20:20 2016 PUSH: Received control message: 'PUSH_REPLY,route 192.168.110.0 255.255.255.0,route 192.168.170.0 255.255.255.0,route 192.168.43.0 255.255.255.0,route 192.168.70.32 255.255.255.224,route 10.20.0.0 255.255.255.0,topology net30,ping 20,ping-restart 60,ifconfig 10.20.13.205 10.20.13.206' Wed Jul 10 12:20:20 2016 OPTIONS IMPORT: timers and/or timeouts modified Wed Jul 10 12:20:20 2016 OPTIONS IMPORT: --ifconfig/up options modified Wed Jul 10 12:20:20 2016 OPTIONS IMPORT: route options modified Wed Jul 10 12:20:20 2016 ROUTE_GATEWAY 192.168.122.1/255.255.255.0 IFACE=eth0 HWADDR=52:54:00:92:cf:f5 Wed Jul 10 12:20:20 2016 TUN/TAP device tun0 opened Wed Jul 10 12:20:20 2016 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1) Wed Jul 10 12:20:20 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Wed Jul 10 12:20:20 2016 /usr/local/sbin/unpriv-ip link set dev tun0 up mtu 1500 Wed Jul 10 12:20:20 2016 /usr/local/sbin/unpriv-ip addr add dev tun0 local 10.20.13.205 peer 10.20.13.206 Wed Jul 10 12:20:20 2016 /usr/local/sbin/unpriv-ip route add 192.168.110.0/24 via 10.20.13.206 Wed Jul 10 12:20:21 2016 /usr/local/sbin/unpriv-ip route add 192.168.170.0/24 via 10.20.13.206 Wed Jul 10 12:20:22 2016 /usr/local/sbin/unpriv-ip route add 192.168.43.0/24 via 10.20.13.206 Wed Jul 10 12:20:23 2016 /usr/local/sbin/unpriv-ip route add 192.168.70.32/27 via 10.20.13.206 Wed Jul 10 12:20:23 2016 /usr/local/sbin/unpriv-ip route add 10.20.0.0/24 via 10.20.13.206 Wed Jul 10 12:20:24 2016 Initialization Sequence Completed
Una vez que se han validado las configuraciones, para conectarse únicamente se requerirá utilizar el comando:
[chalan@terminal ~]$ cd /etc/openvpn [chalan@terminal openvpn]$ openvpn --config client.conf
Espero les sirva…
Referencias
[CentOS7:OpenVPN] VERIFY ERROR: depth=0, error=certificate signature failure
muchas gracias
Que bueno que te sirva la info!
Saludos!!