{"id":1138,"date":"2014-11-12T12:32:34","date_gmt":"2014-11-12T01:32:34","guid":{"rendered":"http:\/\/howden.net.au\/thowden\/?p=1138"},"modified":"2014-11-12T12:32:34","modified_gmt":"2014-11-12T01:32:34","slug":"debian-linux-openvpn-connect-to-watchguard-vpn","status":"publish","type":"post","link":"https:\/\/howden.net.au\/thowden\/2014\/11\/debian-linux-openvpn-connect-to-watchguard-vpn\/","title":{"rendered":"Debian Linux openvpn connect to Watchguard VPN"},"content":{"rendered":"<p>I have a Debian server that I wanted to connect to a Watchguard VPN.<\/p>\n<p>OpenVPN is the tool that I used, and the following is based on <a href=\"http:\/\/jochen.kirstaetter.name\/blog\/linux\/connecting-linux-to-watchguard-firebox-ssl.html#disqus_thread\">JoKi&#8217;s excellent blog entry<\/a> with my own adjustments to address the issues that I found.<\/p>\n<p>To start, you need to install the Watchguard Mobile VPN client on a Windows box and actually run a connection with it; that is what creates the configuration files in<\/p>\n<p><code>C:\\Users\\your_user_name_here\\AppData\\Roaming\\WatchGuard\\Mobile VPN<\/code><\/p>\n<p>It took me a while to work out that I had to run it to get the config files created; installing alone is not enough.<\/p>\n<p>Installation in Debian is straightforward:<\/p>\n<p><code>#apt-get install openvpn<\/code><\/p>\n<p>Once that is done, go to the newly created \/etc\/openvpn and copy these files from the Watchguard directory above into it:<\/p>\n<p>ca.crt<br \/>\nclient.crt<br \/>\nclient.ovpn<br \/>\nclient.pem<\/p>\n<p>Now it should all be good to go.<\/p>\n<p><code>#openvpn --config client.ovpn<\/code><\/p>\n<p>Except that I was getting all sorts of errors and warnings&#8230;<\/p>\n<p><code>Wed Nov 12 12:16:50 2014 VERIFY X509NAME ERROR: \/O=watchguard_technologies\/0.0=fireware\/CN=fireware_sslvpn_server, must be \/O=watchguard_technologies\/ITU-T=fireware\/CN=fireware_sslvpn_server<br \/>\nWed Nov 12 12:16:50 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed<br \/>\n
Wed Nov 12 12:16:50 2014 TLS Error: TLS object -&gt; incoming plaintext read error<br \/>\nWed Nov 12 12:16:50 2014 TLS Error: TLS handshake failed<br \/>\nWed Nov 12 12:16:50 2014 Fatal TLS error (check_tls_errors_co), restarting<br \/>\nWed Nov 12 12:16:50 2014 SIGUSR1[soft,tls-error] received, process restarting<br \/>\nWed Nov 12 12:16:50 2014 Restart pause, 5 second(s)<\/code><\/p>\n<p>Everything I read said that the certificate files would be the issue, but that was not logical to me, as they came direct from the Watchguard device and were not ones I was creating.<\/p>\n<p>But I checked them anyway with<\/p>\n<p><code>#openssl verify -CAfile ca.crt client.crt<\/code><\/p>\n<p>That only confirms that client.crt chains to ca.crt. It says nothing about the server's name, and the first line of the log is a name-check failure, not a chain failure: the subject that the local OpenSSL prints for the server certificate (with 0.0=fireware) and the subject the Windows client wrote into the config (with ITU-T=fireware) are the same attribute rendered two different ways, so a comparison of the whole subject string can never succeed.<\/p>\n<p>Next I tried addressing the VERIFY X509NAME error by changing the client.ovpn entry from<\/p>\n<blockquote><p>tls-remote<\/p><\/blockquote>\n<p>to<\/p>\n<blockquote><p>verify-x509-name<\/p><\/blockquote>\n<p>and messed around with that for a while until, in disgust, I commented the line out to confirm that it was what was triggering the error.<\/p>\n<p>Of course, it worked first time!!! Argghhhh!!<\/p>\n<p>So the answer to the above is to remove the tls-remote line completely from the configuration file.<\/p>\n<blockquote><p>tls-remote &#8220;\/O=watchguard_technologies\/ITU-T=fireware\/CN=fireware_sslvpn_server&#8221;<\/p><\/blockquote>\n<p>Either comment it with # at the start of the line or delete it.<\/p>\n<p>Be aware of what that gives up: OpenVPN still verifies that the server certificate is signed by the CA in ca.crt, but it no longer checks which certificate from that CA it is talking to. If you want the name check back, OpenVPN 2.3 and later accept <code>verify-x509-name fireware_sslvpn_server name<\/code>, which compares only the CN and so is not affected by how the rest of the subject is spelled (tls-remote itself is deprecated in 2.3 and removed in 2.4).<\/p>\n<p>Once that was sorted I had a working connection; all that remained was to rename the file so the Debian init script picks it up:<\/p>\n<p><code>#mv client.ovpn client.conf<\/code><\/p>\n<p>create an auth.txt file with<\/p>\n<blockquote><p>myusername<br \/>\nmysecretpassword<\/p><\/blockquote>\n<p>and lock it down, since it holds the VPN password in the clear and anyone who can read it can log in as you:<\/p>\n<p><code>#chmod 0600 auth.txt<\/code><\/p>\n<p>Edit the client.conf file to have<\/p>\n<blockquote><p>auth-user-pass auth.txt<\/p><\/blockquote>\n<p>and finally start it as a service:<br \/>\n<code>#service openvpn start client<\/code><\/p>\n
<p>and the last bit of the puzzle, enable the service so it starts automatically at boot:<\/p>\n<p><code>#update-rc.d openvpn enable<\/code><\/p>\n<p>Thanks to <a href=\"http:\/\/jochen.kirstaetter.name\">JoKi <\/a> for getting me started.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have a Debian Server that I wanted to connect to a Watchguard VPN. OpenVPN is the tool that I used and the following is based on JoKi&#8217;s excellent blog entry with my own adjustments to address the issues that I found. To start you do need to install and run a connection using the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,14],"tags":[46,60,72,101],"class_list":["post-1138","post","type-post","status-publish","format-standard","hentry","category-linux-servers-and-software","category-security","tag-debian","tag-linux","tag-openvpn","tag-watchguard"],"_links":{"self":[{"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/posts\/1138","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/comments?post=1138"}],"version-history":[{"count":0,"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/posts\/1138\/revisions"}],"wp:attachment":[{"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/media?parent=1138"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/categories?post=1138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/howden.net.au\/thowden\/wp-json\/wp\/v2\/tags?post=1138"}],"curies":[{"name":"wp","href":"https:\/\/api
.w.org\/{rel}","templated":true}]}}
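The config surgery described in the post (drop the tls-remote line, rename the file, create auth.txt with the right permissions, add auth-user-pass) as one POSIX shell script. This is an added example, not code from the post or from JoKi's blog. It assumes OpenVPN 2.3 or later, where verify-x509-name exists, and rather than simply deleting the name check it pins the server's CN with `verify-x509-name <CN> name`, which compares only the CN and so does not trip over the 0.0= versus ITU-T= spelling of the rest of the subject. The filenames client.ovpn, client.conf and auth.txt follow the post; the sample config embedded in the script is constructed for the demo and is not a real export.

```sh
#!/bin/sh
# Added example, not from the original post: turn the client.ovpn that the
# Watchguard Windows client writes out into a client.conf that a Linux OpenVPN
# (2.3 or later, where verify-x509-name exists) will accept unattended.
#
# Instead of simply deleting the tls-remote line, which drops the server-name
# check entirely, the script pins the server certificate's CN with
# "verify-x509-name <CN> name".  Matching only the CN sidesteps the
# subject-string mismatch in the log (0.0= vs ITU-T= for the same attribute).
# The filenames client.ovpn, client.conf and auth.txt follow the post; the
# sample config below is constructed for the demo and is not a real file.
set -eu

# Print the CN from a line such as
#   tls-remote "/O=watchguard_technologies/ITU-T=fireware/CN=fireware_sslvpn_server"
# Prints nothing if the file has no tls-remote line.
tls_remote_cn() {
    sed -n 's|^[[:space:]]*tls-remote[[:space:]]*"\{0,1\}.*/CN=\([^"/]*\)"\{0,1\}.*$|\1|p' "$1"
}

# Write $2 from $1: drop tls-remote (and any stale verify-x509-name /
# auth-user-pass lines), pin the CN, and point OpenVPN at the credentials
# file ($3, default auth.txt).
convert_ovpn() {
    src="$1"; dst="$2"; authfile="${3:-auth.txt}"
    cn=$(tls_remote_cn "$src")
    grep -v -E '^[[:space:]]*(tls-remote|verify-x509-name|auth-user-pass)([[:space:]]|$)' \
        "$src" > "$dst" || :     # grep exits 1 when nothing is left; that is fine
    if [ -n "$cn" ]; then
        printf 'verify-x509-name "%s" name\n' "$cn" >> "$dst"
    fi
    printf 'auth-user-pass %s\n' "$authfile" >> "$dst"
}

# Write the two-line credentials file.  umask 077 in a subshell makes the file
# 0600 from the moment it exists, instead of leaving a window between
# creation and the chmod in the post.  The password is still stored in the
# clear, so this file is exactly as sensitive as the VPN login itself.
write_auth() {
    (umask 077; printf '%s\n%s\n' "$2" "$3" > "$1")
    chmod 0600 "$1"
}

# Constructed sample of what the Windows client writes out (not a real export).
sample_ovpn() {
    cat <<'EOF'
client
dev tun
proto tcp
remote vpn.example.test 443
ca ca.crt
cert client.crt
key client.pem
tls-remote "/O=watchguard_technologies/ITU-T=fireware/CN=fireware_sslvpn_server"
verb 3
EOF
}

# Demo: run the conversion in a scratch directory and show the result.
demo() {
    work=$(mktemp -d)
    sample_ovpn > "$work/client.ovpn"
    convert_ovpn "$work/client.ovpn" "$work/client.conf"
    write_auth "$work/auth.txt" myusername mysecretpassword
    cat "$work/client.conf"
    rm -rf "$work"
}

demo
```

On the real box you would run `convert_ovpn /etc/openvpn/client.ovpn /etc/openvpn/client.conf` and `write_auth /etc/openvpn/auth.txt myusername mysecretpassword` as root, then `service openvpn start client` as in the post. If the connection then fails with a name error rather than succeeding, the CN in the tls-remote line did not match what the Firebox actually presents; `openvpn --verb 4` will print the subject it saw.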