Jump to content
Reminder, starting today you will no longer be able to login to the forum using your display name, to login you must now use your email address. ×

HybridVPN authentication methods XR500


Recommended Posts

@Netduma Fraser

Fraser , I am attempting to use HybridVPN to create a connection to a private OPENVPN server running OpenVPN server 2.4.3 (current version).

I have been experimenting with authentication methods with mixed results.

I can create a working connection using the local database ot the VPN server for clear text authentication.

When i use a default client.ovpn file (user , no password) HybridVPN fails to connect. This appears to be because no password is supplied.

When I create an .ovpn file with the PAM module the connection also fails.

All of these ovpn file connections work with a win10 client. 

1) So the question I have is what are the supported authentication methods for the XR500 hybridVPN ?

2) Does the XR500 support the PAM authentication module

3) can the XR500 support username , no password , certificate OVPN connections.

4) can the XR500 support no username, no password certificate OVPN connections

I hope some of that makes sense, I am looking for some more detailed documentation on the HybridVPN module.

Thanks 

 

samplePAMr.ovpn

Link to comment
Share on other sites

  • Administrators

I will have to check some of these details with the team but before I do that could you provide the ovpn file again please as that doesn't seem to be working. If you could also provide the log on HybridVPN so we can get some more details on why it fails that would be helpful. Our client is based on 2.3.4 so we may need to change the config slightly so it's backwards compatible with your server. Also most people use this with a VPN provider rather than their own server so we may also run into some trouble because of that.

Link to comment
Share on other sites

Sorry Fraser , I'll try to explain better.

Using the cureent 2.4.3 openvpn base config with the PAM module for generating encrypted passwords I get a connection failure in the log (see image).

This .ovpn file works fine with the openvpn windows client.

On a newly built openvpn server (which by default generates an ovpn file with a username but no passowrd, I also can't connect (again it does connect with the Windows open vpn client.

The only way to configure the openvpn server to create a connection file which works wit hte XR500 seems to be to generate a connection file with an unencryted username and password which is less than optimal.

"Also most people use this with a VPN provider rather than their own server so we may also run into some trouble because of that."

I'm going to take issue with you on that. Everyone is using openvpn , service providers and private users. My server is setup based on OpenVPN's install instructions and works perfectly with ovpn files of all flavours, encrypted , unencrypted , whatever flavour , it works , except when I try to use an ovpn file wiith XR500. It only seems happy with plain text username and password. I'd like to know what is actually known to work with the XR500 so I don't waste weeks of time with trying to make it work. What concerns me is that I can get the files to work fine with a cheap TP-Link router but not with my expensive gaming router 

 

AM.JPG

500xr.ovpn

Link to comment
Share on other sites

Thanks for providing more detail, we'll need to look into this further with the team.

I don't believe Fraser was saying that this won't work necessarily, it's just not a common implementation that we see so we're speculating that this may be the cause of the issue, not to say that there's an issue with your server or configuration files, but how Hybrid VPN then communicates with it. 

Is that the full logs available in Hybrid VPN or is there anything else?

Link to comment
Share on other sites

@Netduma Liam

Thanks for replying, I'm surprised you think this is not a common implementation. From what I can see its just different authentiation methods. 

PAM is very common , most VPN providers seem to use plain text user/passwords, probably backed up with a RADIUS Server for authentication.

If I have to use plain text user/password thats fine , it kinda makes sense as that seems to be the method the commercial providers use.

I'm trying to get a definative answer from you guys so I know where I stand going forward. I just find it a little strange that the very basic authentication methods are not supported on the XR500 but are on a £30 TP-Link router

Anyway let me know what you can.

Malt

Link to comment
Share on other sites

  • Administrators

Sorry I should have been clearer - the ovpn file in the first post wasn't able to be downloaded, that's what I meant by it isn't working, thanks for uploading it again. As Liam explained it's not a common implementation as most users are using the VPN to get around Geo-restrictions or to protect themselves from DDoS. I've noticed in the log you're trying to connect to a local server rather than a remote server which I thought you were trying initially - what is your use case for this out of interest? I'm wondering if it will work at all using a local server but If you could try the plain text please - as you mentioned, commercial providers which the client was intended for use this method. If it's not working we can have the devs look at it on Monday

Link to comment
Share on other sites

@Netduma Fraser

@Netduma Liam

OK, some comments. The reason that the OVPN file has a local address is because I'm not going to put a key to my OpenVPN server on the net , that would be a little dumb. In any case its an IP address it makes no difference wether its private or public IP address range as long as you can route to it.

I have actually now answered my own questions. The implementation of openvpn is a very basic default compile of the source code. It doesn't support anything other than plain text usernames and passwords. I'm guessing that it would put too much load on the CPU in the router to do anything more complex. So I know I can't use any encryption for access control. I have managed to connect using plain text passwords now that I understand the idiosyncracies of the XR500 , however it doesn''t seem to be very stable , the XR500 doesn't seem to be able to manage more than very low volumes of traffic over the VPN.

The question of ovpn files with usernames but no passwords appears to be an undocumented feature of openvpn. The answer is if you have a username of client and no password , the connection will be refused , but if you place the username in both the username and password fields , it suddenly starts working fine.

Further to the error message I posted above its meaning is very simple. Its the default response in the logs if the password is not what was expected and the connection is refused

I'm wondering if it will work at all using a local server but If you could try the plain text please - as you mentioned, commercial providers which the client was intended for use this method. If it's not working we can have the devs look at it on Monday

The codebase in use by "commercial services" is identical to the codebase anyone else uses , its very well understood. As I mentioned , using a software windows client I can connect successfully using any authentication method I wish. I wanted to use my XR500 to access my work network while I'm working from home. My system admin requires encrypted passwords and uses the PAM module to enforce access control. My only choice is to buy another router to replace the XR500 as the implementation of OpenVPN in the XR500 is too basic for my needs.

Thanks for attempting to answer the questions, its appreciated.

Link to comment
Share on other sites

Thanks for the update. Apologies we couldn't be more concise in our responses to you, we were wanting to investigate this further with devs to give you a detailed response. I'll still pass this thread over as it could be useful for future improvements to Hybrid VPN.

Sorry to hear that the XR500 isn't going to cut it for you use-case, hopefully in future we'll be able to accomodate for these sorts of implementations with improved hardware specification on future routers!

Thanks for your time and support nonetheless.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...