OpenVPN: Fatal TLS error (check_tls_errors_co)

tadrim

OpenVpn Newbie
Posts: 11
Joined: Mon Aug 24, 2015 3:57 pm

TLS handshake failed

Hi everyone,

I’m getting TLS errors in Windows; when I run the configuration on Linux it works fine, so I’m unsure what’s occurring!

The error I’m getting:

Mon Aug 24 16:48:35 2015 VERIFY OK:
Mon Aug 24 16:48:35 2015 VERIFY OK: nsCertType=SERVER
Mon Aug 24 16:48:35 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
Mon Aug 24 16:48:35 2015 TLS Error: TLS object -> incoming plaintext read error
Mon Aug 24 16:48:35 2015 TLS Error: TLS handshake failed
Mon Aug 24 16:48:35 2015 Fatal TLS error (check_tls_errors_co), restarting

It connects fine with a Linux OS, but when you try to connect via Windows it just keeps repeating the error.

Client config

client
dev tun
proto tcp
remote (obscured) 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert tadrim.crt
key tadrim.key
auth-nocache
ns-cert-type server
comp-lzo
verb 3

I have tried putting in the full path for the certs etc. and still get the same error.


maikcat

Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Re: TLS handshake failed

by maikcat » Tue Aug 25, 2015 8:26 am

Are you using the SAME configs/certs/OpenVPN version?

Michael.


tadrim

OpenVpn Newbie
Posts: 11
Joined: Mon Aug 24, 2015 3:57 pm

Re: TLS handshake failed

by tadrim » Tue Aug 25, 2015 8:35 am

Hi There,

Yes, I have also generated new configs/certs to see if that is the issue, but still get the same error on Windows; it works okay on Linux, and the client is using the latest OpenVPN version.


tadrim

OpenVpn Newbie
Posts: 11
Joined: Mon Aug 24, 2015 3:57 pm

Re: TLS handshake failed

by tadrim » Tue Aug 25, 2015 10:21 am

Hi Maikcat,

Yes, I am using the same configs/certs and OpenVPN version, apart from changing the directory of the cert files.


maikcat

Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Re: TLS handshake failed

by maikcat » Tue Aug 25, 2015 11:02 am

Which Windows version do you have?
Which OpenVPN version do you use on Windows?

please post complete server/client logs.

Michael.


tadrim

OpenVpn Newbie
Posts: 11
Joined: Mon Aug 24, 2015 3:57 pm

Re: TLS handshake failed

by tadrim » Thu Aug 27, 2015 12:16 pm

Hi There,

the version is:
OpenVPN 2.3.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jul 9 2015
Thu Aug 27 12:58:02 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08

Here is the server log:

TLS: Initial packet from xxxx
VERIFY OK: details
VERIFY OK: nsCertType=SERVER
VERIFY OK: details
TLS_ERROR: BIO read tls_read_plaintext error: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting
SIGUSR1[soft,tls-error] received, process restarting
MANAGEMENT: >STATE:1440677050,RECONNECTING,tls-error,,
Restart pause, 5 second(s)

and here is the client log:

MULTI: multi_create_instance called
Re-using SSL/TLS context
LZO compression initialized
Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Local Options hash (VER=V4): ‘c0103fa8’
Expected Remote Options hash (VER=V4): ‘69109d17’
TCP connection established with (ipaddress):64448
TCPv4_SERVER link local: [undef]
TCPv4_SERVER link remote: (ipaddress):64448
(ipaddress):64448 TLS: Initial packet from (ipaddress):64448, sid=b991999d 259a72c5
(ipaddress):64448 Connection reset, restarting [0]
(ipaddress):64448 SIGUSR1[soft,connection-reset] received, client-instance restarting
TCP/UDP: Closing socket


Traffic

OpenVPN Protagonist
Posts: 4071
Joined: Sat Aug 09, 2014 11:24 am

Re: TLS handshake failed

by Traffic » Thu Aug 27, 2015 12:19 pm

tadrim wrote:Here is the server log:

TLS_ERROR: BIO read tls_read_plaintext error: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small

Please see this:
topic19384-15.html#p53874


tadrim

OpenVpn Newbie
Posts: 11
Joined: Mon Aug 24, 2015 3:57 pm

Re: TLS handshake failed

by tadrim » Thu Aug 27, 2015 2:43 pm

Hi,

Thanks for the reply. Unfortunately I’m not using one of the routers mentioned; it is also strange that I am able to connect with a Linux machine but not a Windows 8 one.


Traffic

OpenVPN Protagonist
Posts: 4071
Joined: Sat Aug 09, 2014 11:24 am

Re: TLS handshake failed

by Traffic » Thu Aug 27, 2015 8:06 pm

I believe you have your logs back to front:

tadrim wrote:here is the client log:

MULTI: multi_create_instance called

This indicates it is a server log not client log.

tadrim wrote:the server log:

TLS: Initial packet from xxxx
VERIFY OK: details
VERIFY OK: nsCertType=SERVER

This indicates it is a client log not server log.

What is your server and what version of openvpn do you use on the server ?

Did you create your own DH file (server: /etc/openvpn/dh.pem) ?


tadrim

OpenVpn Newbie
Posts: 11
Joined: Mon Aug 24, 2015 3:57 pm

Re: TLS handshake failed

by tadrim » Tue Sep 01, 2015 9:26 am

Hi There,

Yes, I’m using my own DH file and the server is CentOS 5.11. Could you guide me on how to establish the OpenVPN version?
Another side question: do you have to reload the configuration file after you update it? I’m tempted to create another DH key.

The windows client is OpenVPN 2.3.7


Traffic

OpenVPN Protagonist
Posts: 4071
Joined: Sat Aug 09, 2014 11:24 am

Re: TLS handshake failed

by Traffic » Tue Sep 01, 2015 2:17 pm

tadrim wrote:server is Centos 5.11, could you guide me on how to establish the openVPN version?

tadrim wrote:do you have to reload the configuration file after you update it?

Yes .. best to stop & start openvpn completely.

tadrim wrote:Yes I’m using my own DH file

Did you edit vars file for correct parameters and source the file ?

tadrim wrote:tempted to create another dh key.

If you do I recommend using this EASY-RSA:
https://github.com/OpenVPN/easy-rsa/releases


tadrim

OpenVpn Newbie
Posts: 11
Joined: Mon Aug 24, 2015 3:57 pm

Re: TLS handshake failed

by tadrim » Wed Sep 02, 2015 8:42 am

Hi there,

Unfortunately the command doesn’t appear to give anything back:

openvpn --version
-bash: openvpn: command not found

Yes, I edited vars and updated the .conf file with the new DH key; going to restart later at some point, hopefully it goes well.


Hello,
I am trying to set up an OpenVPN server on a MikroTik, and after I followed everything in this topic I get a TLS error.
I will post my configs and logs; maybe someone can point out where I’m wrong.

MikroTik log:

20:20:38 ovpn,debug,error,20076,29312,60348,61328,27884,20684,58064,60344,l2tp,info,60348,debug,79,65535,critical,8976,62372,29584,20008,20760,31112,29312,20148,20144,20684,
41904,20684,packet duplicate packet, dropping
20:20:38 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=35e032ad92ca5c6b pid=1 DATA len=293
20:20:38 ovpn,debug,packet sent P_ACK kid=0 sid=9a7e849ce3139b68 [1 sid=35e032ad92ca5c6b] DATA len=0
20:20:38 ovpn,debug,packet sent P_CONTROL kid=0 sid=9a7e849ce3139b68 pid=1 DATA len=933
20:20:38 ovpn,debug <10.10.10.3>: disconnected <peer disconnected>
20:20:43 ovpn,info TCP connection established from 10.10.10.3
20:20:43 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=156fd32f2dee8e68 pid=0 DATA len=0
20:20:44 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=effd2eb77764ddc4 pid=0 DATA len=0
20:20:44 ovpn,debug,packet sent P_ACK kid=0 sid=156fd32f2dee8e68 [0 sid=effd2eb77764ddc4] DATA len=0
20:20:44 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=effd2eb77764ddc4 [0 sid=156fd32f2dee8e68] pid=0 DATA len=0
20:20:44 ovpn,debug,error,20076,29312,60348,61328,27884,20684,58064,60344,l2tp,info,60348,debug,79,65535,critical,8976,62372,29584,20008,20760,31112,29312,20148,20144,20684,
41904,20684,packet duplicate packet, dropping
20:20:44 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=effd2eb77764ddc4 pid=1 DATA len=293
20:20:44 ovpn,debug,packet sent P_ACK kid=0 sid=156fd32f2dee8e68 [1 sid=effd2eb77764ddc4] DATA len=0
20:20:44 ovpn,debug,packet sent P_CONTROL kid=0 sid=156fd32f2dee8e68 pid=1 DATA len=933
20:20:44 ovpn,debug <10.10.10.3>: disconnected <peer disconnected>
20:20:49 ovpn,info TCP connection established from 10.10.10.3
20:20:49 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=e91b8bfe5da9ee27 pid=0 DATA len=0
20:20:50 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=35efaf7d447f6c7 pid=0 DATA len=0
20:20:50 ovpn,debug,packet sent P_ACK kid=0 sid=e91b8bfe5da9ee27 [0 sid=35efaf7d447f6c7] DATA len=0
20:20:50 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=35efaf7d447f6c7 [0 sid=e91b8bfe5da9ee27] pid=0 DATA len=0
20:20:50 ovpn,debug,error,20076,29312,60348,61328,27884,20684,58064,60344,l2tp,info,60348,debug,79,65535,critical,8976,62372,29584,20008,20760,31112,29312,20148,20144,20684,
41904,20684,packet duplicate packet, dropping
20:20:50 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=35efaf7d447f6c7 pid=1 DATA len=293
20:20:50 ovpn,debug,packet sent P_ACK kid=0 sid=e91b8bfe5da9ee27 [1 sid=35efaf7d447f6c7] DATA len=0
20:20:50 ovpn,debug,packet sent P_CONTROL kid=0 sid=e91b8bfe5da9ee27 pid=1 DATA len=933
20:20:50 ovpn,debug <10.10.10.3>: disconnected <peer disconnected>
20:20:56 ovpn,info TCP connection established from 10.10.10.3
20:20:56 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=9986814ecf7f806a pid=0 DATA len=0
20:20:56 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=d899584ffaf3574 pid=0 DATA len=0
20:20:56 ovpn,debug,packet sent P_ACK kid=0 sid=9986814ecf7f806a [0 sid=d899584ffaf3574] DATA len=0
20:20:56 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=d899584ffaf3574 [0 sid=9986814ecf7f806a] pid=0 DATA len=0
20:20:56 ovpn,debug,error,20076,29312,60348,61328,27884,20684,58064,60344,l2tp,info,60348,debug,79,65535,critical,8976,62372,29584,20008,20760,31112,29312,20148,20144,20684,
41904,20684,packet duplicate packet, dropping
20:20:56 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=d899584ffaf3574 pid=1 DATA len=293
20:20:56 ovpn,debug,packet sent P_ACK kid=0 sid=9986814ecf7f806a [1 sid=d899584ffaf3574] DATA len=0
20:20:56 ovpn,debug,packet sent P_CONTROL kid=0 sid=9986814ecf7f806a pid=1 DATA len=933
20:20:57 ovpn,debug <10.10.10.3>: disconnected <peer disconnected>

Windows client config

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote kiaunel.fiberdatatelecom.ro 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don’t need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It’s best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca myCa.crt
cert client.crt
key client.key

# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher AES 128

# Enable compression on the VPN link.
# Don’t enable this unless it is also
# enabled in the server config file.
;comp-lzo

# Set log file verbosity.
verb 5

# Silence repeating messages
;mute 20

Windows client log:

Sun Jan 24 20:20:31 2016 us=64211 Current Parameter Settings:
Sun Jan 24 20:20:31 2016 us=64211 config = ‘client.ovpn’
Sun Jan 24 20:20:31 2016 us=64211 mode = 0
Sun Jan 24 20:20:31 2016 us=64211 show_ciphers = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 show_digests = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 show_engines = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 genkey = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 key_pass_file = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 show_tls_ciphers = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 Connection profiles [default]:
Sun Jan 24 20:20:31 2016 us=64211 proto = tcp-client
Sun Jan 24 20:20:31 2016 us=64211 local = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 local_port = 0
Sun Jan 24 20:20:31 2016 us=64211 remote = ‘kiaunel.fiberdatatelecom.ro’
Sun Jan 24 20:20:31 2016 us=64211 remote_port = 1194
Sun Jan 24 20:20:31 2016 us=64211 remote_float = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 bind_defined = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 bind_local = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 connect_retry_seconds = 5
Sun Jan 24 20:20:31 2016 us=64211 connect_timeout = 10
Sun Jan 24 20:20:31 2016 us=64211 connect_retry_max = 0
Sun Jan 24 20:20:31 2016 us=64211 socks_proxy_server = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 socks_proxy_port = 0
Sun Jan 24 20:20:31 2016 us=64211 socks_proxy_retry = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 tun_mtu = 1500
Sun Jan 24 20:20:31 2016 us=64211 tun_mtu_defined = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 link_mtu = 1500
Sun Jan 24 20:20:31 2016 us=64211 link_mtu_defined = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 tun_mtu_extra = 0
Sun Jan 24 20:20:31 2016 us=64211 tun_mtu_extra_defined = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 mtu_discover_type = -1
Sun Jan 24 20:20:31 2016 us=64211 fragment = 0
Sun Jan 24 20:20:31 2016 us=64211 mssfix = 1450
Sun Jan 24 20:20:31 2016 us=64211 explicit_exit_notification = 0
Sun Jan 24 20:20:31 2016 us=64211 Connection profiles END
Sun Jan 24 20:20:31 2016 us=64211 remote_random = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 ipchange = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 dev = ‘tun’
Sun Jan 24 20:20:31 2016 us=64211 dev_type = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 dev_node = ‘MyTap’
Sun Jan 24 20:20:31 2016 us=64211 lladdr = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 topology = 1
Sun Jan 24 20:20:31 2016 us=64211 tun_ipv6 = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 ifconfig_local = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 ifconfig_remote_netmask = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 ifconfig_noexec = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 ifconfig_nowarn = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 ifconfig_ipv6_local = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 ifconfig_ipv6_netbits = 0
Sun Jan 24 20:20:31 2016 us=64211 ifconfig_ipv6_remote = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 shaper = 0
Sun Jan 24 20:20:31 2016 us=64211 mtu_test = 0
Sun Jan 24 20:20:31 2016 us=64211 mlock = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 keepalive_ping = 0
Sun Jan 24 20:20:31 2016 us=64211 keepalive_timeout = 0
Sun Jan 24 20:20:31 2016 us=64211 inactivity_timeout = 0
Sun Jan 24 20:20:31 2016 us=64211 ping_send_timeout = 0
Sun Jan 24 20:20:31 2016 us=64211 ping_rec_timeout = 0
Sun Jan 24 20:20:31 2016 us=64211 ping_rec_timeout_action = 0
Sun Jan 24 20:20:31 2016 us=64211 ping_timer_remote = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 remap_sigusr1 = 0
Sun Jan 24 20:20:31 2016 us=64211 persist_tun = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 persist_local_ip = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 persist_remote_ip = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 persist_key = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 passtos = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 resolve_retry_seconds = 1000000000
Sun Jan 24 20:20:31 2016 us=64211 username = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 groupname = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 chroot_dir = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 cd_dir = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 writepid = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 up_script = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 down_script = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 down_pre = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 up_restart = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 up_delay = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 daemon = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 inetd = 0
Sun Jan 24 20:20:31 2016 us=64211 log = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 suppress_timestamps = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 nice = 0
Sun Jan 24 20:20:31 2016 us=64211 verbosity = 5
Sun Jan 24 20:20:31 2016 us=64211 mute = 0
Sun Jan 24 20:20:31 2016 us=64211 gremlin = 0
Sun Jan 24 20:20:31 2016 us=64211 status_file = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 status_file_version = 1
Sun Jan 24 20:20:31 2016 us=64211 status_file_update_freq = 60
Sun Jan 24 20:20:31 2016 us=64211 occ = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 rcvbuf = 0
Sun Jan 24 20:20:31 2016 us=64211 sndbuf = 0
Sun Jan 24 20:20:31 2016 us=64211 sockflags = 0
Sun Jan 24 20:20:31 2016 us=64211 fast_io = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 lzo = 0
Sun Jan 24 20:20:31 2016 us=64211 route_script = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 route_default_gateway = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 route_default_metric = 0
Sun Jan 24 20:20:31 2016 us=64211 route_noexec = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 route_delay = 5
Sun Jan 24 20:20:31 2016 us=64211 route_delay_window = 30
Sun Jan 24 20:20:31 2016 us=64211 route_delay_defined = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 route_nopull = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 route_gateway_via_dhcp = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 max_routes = 100
Sun Jan 24 20:20:31 2016 us=64211 allow_pull_fqdn = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 management_addr = ‘127.0.0.1’
Sun Jan 24 20:20:31 2016 us=64211 management_port = 25340
Sun Jan 24 20:20:31 2016 us=64211 management_user_pass = ‘stdin’
Sun Jan 24 20:20:31 2016 us=64211 management_log_history_cache = 250
Sun Jan 24 20:20:31 2016 us=64211 management_echo_buffer_size = 100
Sun Jan 24 20:20:31 2016 us=64211 management_write_peer_info_file = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 management_client_user = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 management_client_group = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 management_flags = 6
Sun Jan 24 20:20:31 2016 us=64211 shared_secret_file = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 key_direction = 0
Sun Jan 24 20:20:31 2016 us=64211 ciphername_defined = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 ciphername = ‘BF-CBC’
Sun Jan 24 20:20:31 2016 us=64211 authname_defined = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 authname = ‘SHA1’
Sun Jan 24 20:20:31 2016 us=64211 prng_hash = ‘SHA1’
Sun Jan 24 20:20:31 2016 us=64211 prng_nonce_secret_len = 16
Sun Jan 24 20:20:31 2016 us=64211 keysize = 0
Sun Jan 24 20:20:31 2016 us=64211 engine = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 replay = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 mute_replay_warnings = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 replay_window = 64
Sun Jan 24 20:20:31 2016 us=64211 replay_time = 15
Sun Jan 24 20:20:31 2016 us=64211 packet_id_file = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 use_iv = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 test_crypto = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 tls_server = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 tls_client = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 key_method = 2
Sun Jan 24 20:20:31 2016 us=64211 ca_file = ‘myCa.crt’
Sun Jan 24 20:20:31 2016 us=64211 ca_path = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 dh_file = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 cert_file = ‘client.crt’
Sun Jan 24 20:20:31 2016 us=64211 extra_certs_file = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 priv_key_file = ‘client.key’
Sun Jan 24 20:20:31 2016 us=64211 pkcs12_file = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 cryptoapi_cert = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 cipher_list = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 tls_verify = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 tls_export_cert = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 verify_x509_type = 0
Sun Jan 24 20:20:31 2016 us=64211 verify_x509_name = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 crl_file = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 ns_cert_type = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku = 160
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku = 136
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku[i] = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku[i] = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku[i] = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku[i] = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku[i] = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku[i] = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_eku = ‘TLS Web Server Authentication’
Sun Jan 24 20:20:31 2016 us=64211 ssl_flags = 0
Sun Jan 24 20:20:31 2016 us=64211 tls_timeout = 2
Sun Jan 24 20:20:31 2016 us=64211 renegotiate_bytes = 0
Sun Jan 24 20:20:31 2016 us=64211 renegotiate_packets = 0
Sun Jan 24 20:20:31 2016 us=64211 renegotiate_seconds = 3600
Sun Jan 24 20:20:31 2016 us=64211 handshake_window = 60
Sun Jan 24 20:20:31 2016 us=64211 transition_window = 3600
Sun Jan 24 20:20:31 2016 us=64211 single_session = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 push_peer_info = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 tls_exit = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 tls_auth_file = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_pin_cache_period = -1
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_id = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_id_management = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 server_network = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=64211 server_netmask = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=81850 server_network_ipv6 = ::
Sun Jan 24 20:20:31 2016 us=81850 server_netbits_ipv6 = 0
Sun Jan 24 20:20:31 2016 us=81850 server_bridge_ip = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=81850 server_bridge_netmask = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=81850 server_bridge_pool_start = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=81850 server_bridge_pool_end = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=81850 ifconfig_pool_defined = DISABLED
Sun Jan 24 20:20:31 2016 us=81850 ifconfig_pool_start = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=81850 ifconfig_pool_end = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=81850 ifconfig_pool_netmask = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=81850 ifconfig_pool_persist_filename = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=81850 ifconfig_pool_persist_refresh_freq = 600
Sun Jan 24 20:20:31 2016 us=81850 ifconfig_ipv6_pool_defined = DISABLED
Sun Jan 24 20:20:31 2016 us=81850 ifconfig_ipv6_pool_base = ::
Sun Jan 24 20:20:31 2016 us=81850 ifconfig_ipv6_pool_netbits = 0
Sun Jan 24 20:20:31 2016 us=81850 n_bcast_buf = 256
Sun Jan 24 20:20:31 2016 us=81850 tcp_queue_limit = 64
Sun Jan 24 20:20:31 2016 us=81850 real_hash_size = 256
Sun Jan 24 20:20:31 2016 us=82351 virtual_hash_size = 256
Sun Jan 24 20:20:31 2016 us=82351 client_connect_script = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=82351 learn_address_script = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=82351 client_disconnect_script = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=82351 client_config_dir = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=82351 ccd_exclusive = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 tmp_dir = ‘C:\Users\kiaunel\AppData\Local\Temp’
Sun Jan 24 20:20:31 2016 us=82351 push_ifconfig_defined = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 push_ifconfig_local = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=82351 push_ifconfig_remote_netmask = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=82351 push_ifconfig_ipv6_defined = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 push_ifconfig_ipv6_local = ::/0
Sun Jan 24 20:20:31 2016 us=82351 push_ifconfig_ipv6_remote = ::
Sun Jan 24 20:20:31 2016 us=82351 enable_c2c = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 duplicate_cn = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 cf_max = 0
Sun Jan 24 20:20:31 2016 us=82351 cf_per = 0
Sun Jan 24 20:20:31 2016 us=82351 max_clients = 1024
Sun Jan 24 20:20:31 2016 us=82351 max_routes_per_client = 256
Sun Jan 24 20:20:31 2016 us=82351 auth_user_pass_verify_script = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=82351 auth_user_pass_verify_script_via_file = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 client = ENABLED
Sun Jan 24 20:20:31 2016 us=82351 pull = ENABLED
Sun Jan 24 20:20:31 2016 us=82351 auth_user_pass_file = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=82351 show_net_up = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 route_method = 0
Sun Jan 24 20:20:31 2016 us=82351 block_outside_dns = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 ip_win32_defined = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 ip_win32_type = 3
Sun Jan 24 20:20:31 2016 us=82351 dhcp_masq_offset = 0
Sun Jan 24 20:20:31 2016 us=82351 dhcp_lease_time = 31536000
Sun Jan 24 20:20:31 2016 us=82351 tap_sleep = 0
Sun Jan 24 20:20:31 2016 us=82351 dhcp_options = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 dhcp_renew = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 dhcp_pre_release = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 dhcp_release = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 domain = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=82351 netbios_scope = ‘[UNDEF]’
Sun Jan 24 20:20:31 2016 us=82351 netbios_node_type = 0
Sun Jan 24 20:20:31 2016 us=82351 disable_nbt = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jan 4 2016
Sun Jan 24 20:20:31 2016 us=82851 Windows version 6.2 (Windows 8 or greater)
Sun Jan 24 20:20:31 2016 us=82851 library versions: OpenSSL 1.0.1q 3 Dec 2015, LZO 2.09
Enter Management Password:
Sun Jan 24 20:20:31 2016 us=82851 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Jan 24 20:20:31 2016 us=83351 Need hold release from management interface, waiting...
Sun Jan 24 20:20:31 2016 us=558936 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Jan 24 20:20:31 2016 us=670061 MANAGEMENT: CMD 'state on'
Sun Jan 24 20:20:31 2016 us=670560 MANAGEMENT: CMD 'log all on'
Sun Jan 24 20:20:31 2016 us=825697 MANAGEMENT: CMD 'hold off'
Sun Jan 24 20:20:31 2016 us=825697 MANAGEMENT: CMD 'hold release'
Sun Jan 24 20:20:37 2016 us=124614 MANAGEMENT: CMD 'password [...]'
Sun Jan 24 20:20:37 2016 us=125117 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jan 24 20:20:37 2016 us=134123 Control Channel MTU parms [ L:1543 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sun Jan 24 20:20:37 2016 us=134624 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Jan 24 20:20:37 2016 us=134624 MANAGEMENT: >STATE:1453659637,RESOLVE,,,
Sun Jan 24 20:20:37 2016 us=281429 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:12 ET:0 EL:3 ]
Sun Jan 24 20:20:37 2016 us=281429 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Jan 24 20:20:37 2016 us=281429 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Jan 24 20:20:37 2016 us=281429 Local Options hash (VER=V4): 'db02a8f8'
Sun Jan 24 20:20:37 2016 us=281429 Expected Remote Options hash (VER=V4): '7e068940'
Sun Jan 24 20:20:37 2016 us=281429 Attempting to establish TCP connection with [AF_INET]89.137.228.94:1194 [nonblock]
Sun Jan 24 20:20:37 2016 us=281429 MANAGEMENT: >STATE:1453659637,TCP_CONNECT,,,
Sun Jan 24 20:20:38 2016 us=313123 TCP connection established with [AF_INET]89.137.228.94:1194
Sun Jan 24 20:20:38 2016 us=313123 TCPv4_CLIENT link local: [undef]
Sun Jan 24 20:20:38 2016 us=313623 TCPv4_CLIENT link remote: [AF_INET]89.137.228.94:1194
Sun Jan 24 20:20:38 2016 us=314122 MANAGEMENT: >STATE:1453659638,WAIT,,,
Sun Jan 24 20:20:38 2016 us=315124 MANAGEMENT: >STATE:1453659638,AUTH,,,
Sun Jan 24 20:20:38 2016 us=315630 TLS: Initial packet from [AF_INET]89.137.228.94:1194, sid=9a7e849c e3139b68
Sun Jan 24 20:20:38 2016 us=632417 Validating certificate key usage
Sun Jan 24 20:20:38 2016 us=632417 ++ Certificate has key usage 0006, expects 00a0
Sun Jan 24 20:20:38 2016 us=632417 ++ Certificate has key usage 0006, expects 0088
Sun Jan 24 20:20:38 2016 us=632417 VERIFY KU ERROR
Sun Jan 24 20:20:38 2016 us=632417 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Jan 24 20:20:38 2016 us=632417 TLS Error: TLS object -> incoming plaintext read error
Sun Jan 24 20:20:38 2016 us=632417 TLS Error: TLS handshake failed
Sun Jan 24 20:20:38 2016 us=632417 Fatal TLS error (check_tls_errors_co), restarting
Sun Jan 24 20:20:38 2016 us=632417 TCP/UDP: Closing socket
Sun Jan 24 20:20:38 2016 us=632417 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 24 20:20:38 2016 us=632417 MANAGEMENT: >STATE:1453659638,RECONNECTING,tls-error,,
Sun Jan 24 20:20:38 2016 us=632417 Restart pause, 5 second(s)
Sun Jan 24 20:20:43 2016 us=656149 Re-using SSL/TLS context
Sun Jan 24 20:20:43 2016 us=656657 Control Channel MTU parms [ L:1543 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sun Jan 24 20:20:43 2016 us=657157 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Jan 24 20:20:43 2016 us=657157 MANAGEMENT: >STATE:1453659643,RESOLVE,,,
Sun Jan 24 20:20:43 2016 us=658158 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:12 ET:0 EL:3 ]
Sun Jan 24 20:20:43 2016 us=658658 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Jan 24 20:20:43 2016 us=659170 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Jan 24 20:20:43 2016 us=659664 Local Options hash (VER=V4): 'db02a8f8'
Sun Jan 24 20:20:43 2016 us=659664 Expected Remote Options hash (VER=V4): '7e068940'
Sun Jan 24 20:20:43 2016 us=659664 Attempting to establish TCP connection with [AF_INET]89.137.228.94:1194 [nonblock]
Sun Jan 24 20:20:43 2016 us=660165 MANAGEMENT: >STATE:1453659643,TCP_CONNECT,,,
Sun Jan 24 20:20:44 2016 us=672632 TCP connection established with [AF_INET]89.137.228.94:1194
Sun Jan 24 20:20:44 2016 us=673120 TCPv4_CLIENT link local: [undef]
Sun Jan 24 20:20:44 2016 us=673120 TCPv4_CLIENT link remote: [AF_INET]89.137.228.94:1194
Sun Jan 24 20:20:44 2016 us=673120 MANAGEMENT: >STATE:1453659644,WAIT,,,
Sun Jan 24 20:20:44 2016 us=674127 MANAGEMENT: >STATE:1453659644,AUTH,,,
Sun Jan 24 20:20:44 2016 us=674627 TLS: Initial packet from [AF_INET]89.137.228.94:1194, sid=156fd32f 2dee8e68
Sun Jan 24 20:20:44 2016 us=727861 Validating certificate key usage
Sun Jan 24 20:20:44 2016 us=727861 ++ Certificate has key usage 0006, expects 00a0
Sun Jan 24 20:20:44 2016 us=727861 ++ Certificate has key usage 0006, expects 0088
Sun Jan 24 20:20:44 2016 us=727861 VERIFY KU ERROR
Sun Jan 24 20:20:44 2016 us=727861 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Jan 24 20:20:44 2016 us=727861 TLS Error: TLS object -> incoming plaintext read error
Sun Jan 24 20:20:44 2016 us=727861 TLS Error: TLS handshake failed
Sun Jan 24 20:20:44 2016 us=727861 Fatal TLS error (check_tls_errors_co), restarting
Sun Jan 24 20:20:44 2016 us=727861 TCP/UDP: Closing socket
Sun Jan 24 20:20:44 2016 us=727861 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 24 20:20:44 2016 us=727861 MANAGEMENT: >STATE:1453659644,RECONNECTING,tls-error,,
Sun Jan 24 20:20:44 2016 us=727861 Restart pause, 5 second(s)
Sun Jan 24 20:20:49 2016 us=761155 Re-using SSL/TLS context
Sun Jan 24 20:20:49 2016 us=761664 Control Channel MTU parms [ L:1543 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sun Jan 24 20:20:49 2016 us=761664 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Jan 24 20:20:49 2016 us=762162 MANAGEMENT: >STATE:1453659649,RESOLVE,,,
Sun Jan 24 20:20:49 2016 us=762665 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:12 ET:0 EL:3 ]
Sun Jan 24 20:20:49 2016 us=762665 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Jan 24 20:20:49 2016 us=763165 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Jan 24 20:20:49 2016 us=763165 Local Options hash (VER=V4): 'db02a8f8'
Sun Jan 24 20:20:49 2016 us=763165 Expected Remote Options hash (VER=V4): '7e068940'
Sun Jan 24 20:20:49 2016 us=763165 Attempting to establish TCP connection with [AF_INET]89.137.228.94:1194 [nonblock]
Sun Jan 24 20:20:49 2016 us=763666 MANAGEMENT: >STATE:1453659649,TCP_CONNECT,,,
Sun Jan 24 20:20:50 2016 us=777603 TCP connection established with [AF_INET]89.137.228.94:1194
Sun Jan 24 20:20:50 2016 us=778104 TCPv4_CLIENT link local: [undef]
Sun Jan 24 20:20:50 2016 us=778104 TCPv4_CLIENT link remote: [AF_INET]89.137.228.94:1194
Sun Jan 24 20:20:50 2016 us=778605 MANAGEMENT: >STATE:1453659650,WAIT,,,
Sun Jan 24 20:20:50 2016 us=779608 MANAGEMENT: >STATE:1453659650,AUTH,,,
Sun Jan 24 20:20:50 2016 us=780105 TLS: Initial packet from [AF_INET]89.137.228.94:1194, sid=e91b8bfe 5da9ee27
Sun Jan 24 20:20:50 2016 us=822462 Validating certificate key usage
Sun Jan 24 20:20:50 2016 us=822462 ++ Certificate has key usage 0006, expects 00a0
Sun Jan 24 20:20:50 2016 us=822462 ++ Certificate has key usage 0006, expects 0088
Sun Jan 24 20:20:50 2016 us=822462 VERIFY KU ERROR
Sun Jan 24 20:20:50 2016 us=822462 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Jan 24 20:20:50 2016 us=822462 TLS Error: TLS object -> incoming plaintext read error
Sun Jan 24 20:20:50 2016 us=822462 TLS Error: TLS handshake failed
Sun Jan 24 20:20:50 2016 us=822462 Fatal TLS error (check_tls_errors_co), restarting
Sun Jan 24 20:20:50 2016 us=822462 TCP/UDP: Closing socket
Sun Jan 24 20:20:50 2016 us=822462 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 24 20:20:50 2016 us=822462 MANAGEMENT: >STATE:1453659650,RECONNECTING,tls-error,,
Sun Jan 24 20:20:50 2016 us=822462 Restart pause, 5 second(s)
Sun Jan 24 20:20:55 2016 us=877529 Re-using SSL/TLS context
Sun Jan 24 20:20:55 2016 us=877529 Control Channel MTU parms [ L:1543 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sun Jan 24 20:20:55 2016 us=878032 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Jan 24 20:20:55 2016 us=878530 MANAGEMENT: >STATE:1453659655,RESOLVE,,,
Sun Jan 24 20:20:55 2016 us=879528 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:12 ET:0 EL:3 ]
Sun Jan 24 20:20:55 2016 us=879528 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Jan 24 20:20:55 2016 us=880025 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Jan 24 20:20:55 2016 us=880025 Local Options hash (VER=V4): 'db02a8f8'
Sun Jan 24 20:20:55 2016 us=880025 Expected Remote Options hash (VER=V4): '7e068940'
Sun Jan 24 20:20:55 2016 us=880526 Attempting to establish TCP connection with [AF_INET]89.137.228.94:1194 [nonblock]
Sun Jan 24 20:20:55 2016 us=880526 MANAGEMENT: >STATE:1453659655,TCP_CONNECT,,,
Sun Jan 24 20:20:56 2016 us=893345 TCP connection established with [AF_INET]89.137.228.94:1194
Sun Jan 24 20:20:56 2016 us=893842 TCPv4_CLIENT link local: [undef]
Sun Jan 24 20:20:56 2016 us=893842 TCPv4_CLIENT link remote: [AF_INET]89.137.228.94:1194
Sun Jan 24 20:20:56 2016 us=894343 MANAGEMENT: >STATE:1453659656,WAIT,,,
Sun Jan 24 20:20:56 2016 us=895342 MANAGEMENT: >STATE:1453659656,AUTH,,,
Sun Jan 24 20:20:56 2016 us=895843 TLS: Initial packet from [AF_INET]89.137.228.94:1194, sid=9986814e cf7f806a
Sun Jan 24 20:20:56 2016 us=946811 Validating certificate key usage
Sun Jan 24 20:20:56 2016 us=946811 ++ Certificate has key usage 0006, expects 00a0
Sun Jan 24 20:20:56 2016 us=947301 ++ Certificate has key usage 0006, expects 0088
Sun Jan 24 20:20:56 2016 us=947301 VERIFY KU ERROR
Sun Jan 24 20:20:56 2016 us=947796 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Jan 24 20:20:56 2016 us=947796 TLS Error: TLS object -> incoming plaintext read error
Sun Jan 24 20:20:56 2016 us=947796 TLS Error: TLS handshake failed
Sun Jan 24 20:20:56 2016 us=948305 Fatal TLS error (check_tls_errors_co), restarting
Sun Jan 24 20:20:56 2016 us=948305 TCP/UDP: Closing socket
Sun Jan 24 20:20:56 2016 us=948305 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 24 20:20:56 2016 us=948305 MANAGEMENT: >STATE:1453659656,RECONNECTING,tls-error,,
Sun Jan 24 20:20:56 2016 us=948305 Restart pause, 5 second(s)
Sun Jan 24 20:21:01 2016 us=966630 SIGTERM[hard,init_instance] received, process exiting
Sun Jan 24 20:21:01 2016 us=966630 MANAGEMENT: >STATE:1453659661,EXITING,init_instance,,

MikroTik server configuration

[admin@MikroTik] > cert print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #   NAME                         COMMON-NAME          SUBJECT-ALT-NAME                          FINGERPRINT
 0   microtik                     fiberdatatelecom.ro  email:iulian.c@fiberdatatelecom.ro
 1 L T certificate-response.pem_0 fiberdatatelecom.ro  DNS:fiberdatatelecom.ro                   b99b3a15fe14c1187543797056d2a...
 2 K A T myCa                     myCa                                                           30ca22675721690a47d731c946570...
 3 K A T server                   server                                                         7604c6b2281305afb208beb35840d...
 4 K A T client1                  client1                                                        e4956724a5ec3d8b1254ceb6d1ca5...
 5 K A T client2                  client2                                                        2e9e5c16bbac7bb9388cf10e02247...
[admin@MikroTik] >

I'm using Ros 6.3.33.

Thanks in advance.

Hello! This is my first time dealing with OpenVPN; I could not find an answer to my problem anywhere on the web, so I'm asking for help!
The situation is this:
on a Windows 7 64-bit machine, VirtualBox is running Ubuntu 16.04 Server; the VB network adapter is set to bridged mode. So the host machine and the VM see each other (host address 10.80.2.107, VM address 10.80.2.133).
On the VB an openvpn server and a Certificate Authority are set up; the configuration was done following the guide at http://howitmake.ru/blog/ubuntu/192.html. An openvpn client is installed on the Windows machine. Connecting from the client fails. Logs are attached. I tried reissuing the keys several times and also checked whether Ubuntu is blocking network packets: tcpdump shows both incoming and outgoing packets passing. I no longer know where to dig.
client.txt: client config
server.txt: server config


The user added a message on 06 February 2017, 13:12:55:


Sorry, I couldn't figure out how to attach files properly. Attaching the client log and the server log.
In the server log:
Mon Feb  6 16:29:52 2017 us=728532 10.80.2.107:56123 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Feb  6 16:29:52 2017 us=728665 10.80.2.107:56123 TLS Error: TLS handshake failed
Mon Feb  6 16:29:52 2017 us=728847 10.80.2.107:56123 Fatal TLS error (check_tls_errors_co), restarting

Client log:
Mon Feb 06 15:54:09 2017 OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 27 2016
Mon Feb 06 15:54:09 2017 Windows version 6.1 (Windows 7) 64bit
Mon Feb 06 15:54:09 2017 library versions: OpenSSL 1.0.2i  22 Sep 2016, LZO 2.09
Enter Management Password:
Mon Feb 06 15:54:09 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Feb 06 15:54:09 2017 Need hold release from management interface, waiting...
Mon Feb 06 15:54:09 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Feb 06 15:54:09 2017 MANAGEMENT: CMD 'state on'
Mon Feb 06 15:54:09 2017 MANAGEMENT: CMD 'log all on'
Mon Feb 06 15:54:09 2017 MANAGEMENT: CMD 'hold off'
Mon Feb 06 15:54:09 2017 MANAGEMENT: CMD 'hold release'
Mon Feb 06 15:54:09 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Feb 06 15:54:09 2017 Outgoing Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Mon Feb 06 15:54:09 2017 Incoming Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Mon Feb 06 15:54:09 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]10.80.2.133:1988
Mon Feb 06 15:54:09 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Feb 06 15:54:09 2017 Attempting to establish TCP connection with [AF_INET]10.80.2.133:1988 [nonblock]
Mon Feb 06 15:54:09 2017 MANAGEMENT: >STATE:1486371249,TCP_CONNECT,,,,,,
Mon Feb 06 15:54:09 2017 TCP connection established with [AF_INET]10.80.2.133:1988
Mon Feb 06 15:54:09 2017 TCP_CLIENT link local: (not bound)
Mon Feb 06 15:54:09 2017 TCP_CLIENT link remote: [AF_INET]10.80.2.133:1988
Mon Feb 06 15:54:09 2017 MANAGEMENT: >STATE:1486371249,WAIT,,,,,,
Mon Feb 06 15:54:10 2017 MANAGEMENT: >STATE:1486371250,AUTH,,,,,,
Mon Feb 06 15:54:10 2017 TLS: Initial packet from [AF_INET]10.80.2.133:1988, sid=446d4ca1 c9ed60d4
Mon Feb 06 15:54:11 2017 VERIFY OK: depth=1, CN=vpnserver
Mon Feb 06 15:54:11 2017 VERIFY OK: depth=0, CN=vpnserver
Mon Feb 06 15:55:09 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Feb 06 15:55:09 2017 TLS Error: TLS handshake failed
Mon Feb 06 15:55:09 2017 Fatal TLS error (check_tls_errors_co), restarting
Mon Feb 06 15:55:09 2017 SIGUSR1[soft,tls-error] received, process restarting
Mon Feb 06 15:55:09 2017 MANAGEMENT: >STATE:1486371309,RECONNECTING,tls-error,,,,,
Mon Feb 06 15:55:09 2017 Restart pause, 5 second(s)
Mon Feb 06 15:55:12 2017 SIGTERM[hard,init_instance] received, process exiting
Mon Feb 06 15:55:12 2017 MANAGEMENT: >STATE:1486371312,EXITING,init_instance,,,,,

OVPN server: MikroTik, OVPN client: Windows

server config:

[ziptar@MikroTik] > interface ovpn-server server print 
                     enabled: yes
                        port: 1194
                        mode: ip
                     netmask: 24
                 mac-address: FE:9F:0B:F7:CB:D9
                     max-mtu: 1500
           keepalive-timeout: 60
             default-profile: PPP_Server
                 certificate: cert4
  require-client-certificate: yes
                        auth: sha1
                      cipher: blowfish128

client config:

client
dev tun
proto tcp
remote ovpn.ml.ziptar.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
verb 4
--connect-retry 60

Sun Oct 11 23:39:31 2015 us=376834 Current Parameter Settings:
the list of current parameters is cut: over 10,000 characters, too much for Toster
Sun Oct 11 23:39:32 2015 us=17340 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
Sun Oct 11 23:39:32 2015 us=19342 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Enter Private Key Password:
Sun Oct 11 23:39:38 2015 us=627780 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Oct 11 23:39:38 2015 us=633773 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:3 ]
Sun Oct 11 23:39:38 2015 us=633773 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Oct 11 23:39:38 2015 us=637778 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:12 ET:0 EL:3 ]
Sun Oct 11 23:39:38 2015 us=637778 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Oct 11 23:39:38 2015 us=638782 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Oct 11 23:39:38 2015 us=655792 Local Options hash (VER=V4): 'db02a8f8'
Sun Oct 11 23:39:38 2015 us=656788 Expected Remote Options hash (VER=V4): '7e068940'
Sun Oct 11 23:39:38 2015 us=656788 Attempting to establish TCP connection with [AF_INET]95.31.27.23:1194 [nonblock]
Sun Oct 11 23:39:39 2015 us=663222 TCP connection established with [AF_INET]95.31.27.23:1194
Sun Oct 11 23:39:39 2015 us=663222 TCPv4_CLIENT link local: [undef]
Sun Oct 11 23:39:39 2015 us=663222 TCPv4_CLIENT link remote: [AF_INET]95.31.27.23:1194
Sun Oct 11 23:39:39 2015 us=666219 TLS: Initial packet from [AF_INET]95.31.27.23:1194, sid=0fc9eb4e dea8cee0
Sun Oct 11 23:39:39 2015 us=751116 VERIFY OK: depth=1, C=RU, O=Ziptar.Net, OU=Ziptar.Net Main Lair CA, CN=Ziptar.Net Main Lair Certification Authority
Sun Oct 11 23:39:39 2015 us=752117 Validating certificate key usage
Sun Oct 11 23:39:39 2015 us=752117 ++ Certificate has key usage  00a0, expects 00a0
Sun Oct 11 23:39:39 2015 us=755119 VERIFY KU OK
Sun Oct 11 23:39:39 2015 us=757282 Validating certificate extended key usage
Sun Oct 11 23:39:39 2015 us=759447 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Oct 11 23:39:39 2015 us=762598 VERIFY EKU OK
Sun Oct 11 23:39:39 2015 us=764603 VERIFY OK: depth=0, C=RU, O=Ziptar.Net, OU=Ziptar.Net Main Lair, CN=Ziptar.Net Main Lair OVPN Server Certificate
Sun Oct 11 23:40:40 2015 us=242140 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Oct 11 23:40:40 2015 us=242140 TLS Error: TLS handshake failed
Sun Oct 11 23:40:40 2015 us=243132 Fatal TLS error (check_tls_errors_co), restarting
Sun Oct 11 23:40:40 2015 us=247138 TCP/UDP: Closing socket
Sun Oct 11 23:40:40 2015 us=250137 SIGUSR1[soft,tls-error] received, process restarting
Sun Oct 11 23:40:40 2015 us=252138 Restart pause, 60 second(s)

on the MikroTik server the connection client-ip(external):1194->server-ip:1194 is in the established state
on the router behind which the Windows box sits, the same
netstat on Windows shows:
TCP 172.16.12.13:51360 95-31-27-23:1194 ESTABLISHED
the only thing I don't understand is why it's shown with hyphens

in the server log there is packet exchange, and it ends with the line:
:using encoding BF-128-CBC/SHA1

Server certificate key usage
KU 0xa0: Digital Signature, Key Encipherment
EKU TLS Web Server Authentication
that is, exactly what ovpn itself wants

client certificate
KU Digital Signature, Key Encipherment, Data Encipherment
EKU TLS Web Client Authentication

so what does it want from me? :(
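Worked example (added here, not code from any of the quoted posts) that decodes the "++ Certificate has key usage 0006, expects 00a0" lines from the MikroTik client log above and the KU 0xa0 reading in the post just above, using OpenSSL's X509v3 keyUsage bit values; the sample log text is copied from those posts, and the exact-match rule (the client accepts either of the two masks it prints) is an assumption drawn from the two "expects" lines in the 2.3.10 log.

```python
"""Decode OpenVPN's "++ Certificate has key usage XXXX, expects YYYY" lines.

Added example, not code from any of the quoted posts. KU_BITS are OpenSSL's
keyUsage flag values (the KU_* constants in openssl/x509v3.h), which OpenVPN's
remote-cert-tls / remote-cert-ku check compares against.
"""
import re

# OpenSSL keyUsage bit values (KU_* constants).
KU_BITS = {
    0x8000: "decipherOnly",
    0x0080: "digitalSignature",
    0x0040: "nonRepudiation",
    0x0020: "keyEncipherment",
    0x0010: "dataEncipherment",
    0x0008: "keyAgreement",
    0x0004: "keyCertSign",
    0x0002: "cRLSign",
    0x0001: "encipherOnly",
}

KU_LINE = re.compile(
    r"Certificate has key usage\s+([0-9a-fA-F]{4}), expects ([0-9a-fA-F]{4})"
)


def ku_names(mask):
    """Names of the keyUsage bits set in mask, highest bit first."""
    return [name for bit, name in sorted(KU_BITS.items(), reverse=True) if mask & bit]


def diagnose_ku(actual, alternatives):
    """Compare a certificate's keyUsage mask with the masks the client accepts.

    Assumption (matching the two "expects" lines in the log): the check passes
    when the mask equals one of the alternatives. On failure, report which bits
    are missing from, and which are extra relative to, the closest accepted mask.
    """
    alternatives = list(dict.fromkeys(alternatives))  # dedupe, keep order
    report = {
        "actual_mask": actual,
        "actual": ku_names(actual),
        "accepted": [ku_names(a) for a in alternatives],
        "ok": actual in alternatives,
        # keyCertSign marks a CA certificate, not an end-entity server cert.
        # The MikroTik listing above shows its "server" cert with the A
        # (authority) flag, which is consistent with a 0006 mask.
        "looks_like_ca": bool(actual & 0x0004),
    }
    if not report["ok"] and alternatives:
        closest = min(alternatives, key=lambda a: bin(a ^ actual).count("1"))
        report["missing"] = ku_names(closest & ~actual)
        report["unexpected"] = ku_names(actual & ~closest)
    return report


def diagnose_log(log_text):
    """Pull the KU lines out of a client log and diagnose them; None if absent."""
    pairs = [(int(a, 16), int(e, 16)) for a, e in KU_LINE.findall(log_text)]
    if not pairs:
        return None
    actual = pairs[0][0]
    return diagnose_ku(actual, [expected for _, expected in pairs])


# Constructed sample: the failing lines from the Windows client / MikroTik post.
MIKROTIK_CLIENT_LOG = """\
Sun Jan 24 20:20:38 2016 us=632417 Validating certificate key usage
Sun Jan 24 20:20:38 2016 us=632417 ++ Certificate has key usage 0006, expects 00a0
Sun Jan 24 20:20:38 2016 us=632417 ++ Certificate has key usage 0006, expects 0088
Sun Jan 24 20:20:38 2016 us=632417 VERIFY KU ERROR
"""

# Constructed sample: the passing case from the Ziptar.Net post (KU 0xa0).
ZIPTAR_CLIENT_LOG = """\
Sun Oct 11 23:39:39 2015 us=752117 ++ Certificate has key usage  00a0, expects 00a0
Sun Oct 11 23:39:39 2015 us=755119 VERIFY KU OK
"""

if __name__ == "__main__":
    for label, log in (("MikroTik", MIKROTIK_CLIENT_LOG), ("Ziptar", ZIPTAR_CLIENT_LOG)):
        r = diagnose_log(log)
        print(f"{label}: KU {r['actual_mask']:04x} = {r['actual']} -> ok={r['ok']}")
        if not r["ok"]:
            print(f"  missing: {r['missing']}  unexpected: {r['unexpected']}"
                  f"  looks like a CA cert: {r['looks_like_ca']}")
```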

Topic: openvpn TLS handshake failed [SOLVED]  (Read 9670 times)

Hello all.
I installed OPNsense and everything works really fine except the OpenVPN server.

When I set up a server and try to connect, I always get the following messages:
TCP connection established with [AF_INET]185.248.148.13:43234
TCP_CLIENT link local (bound): [AF_INET][undef]:0
TCP_CLIENT link remote: [AF_INET]185.248.148.13:43234
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting

The rules in the firewall are set (automatically, plus a bunch of manual tries).
I tried several different VPN server settings and also tried to connect while the firewall was disabled.
I reinstalled the openvpn package 2.4.9_3.

Any suggestions what to do/try next?

Regards

server.conf

dev ovpns1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp6-server
cipher AES-256-CBC
auth SHA256
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
client-connect "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_setup_cso.php server1"
tls-server
server 10.10.9.0 255.255.255.0
server-ipv6 fe80::/64
client-config-dir /var/etc/openvpn-csc/1
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'testserver-cert' 1"
lport 43234
management /var/etc/openvpn/server1.sock unix
max-clients 5
push "route 192.168.11.9 255.255.255.255"
duplicate-cn
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /usr/local/etc/dh-parameters.2048.sample
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float

client.conf

dev tun
tun-ipv6
persist-tun
persist-key
proto tcp-client
cipher AES-256-CBC
auth SHA256
client
resolv-retry infinite
remote de3.portmap64.net 43234 tcp
lport 0
verify-x509-name "C=DE, ST=teststate, L=testcity, O=testco, emailAddress=yes@i.have, CN=testserver-cert" subject
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIID6DCCAt...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIEgzCCA2...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvgIBAD...
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
9e0ae8c78b...
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1

I'm forced to use IPv6 because of my internet provider. I used a pfSense before and did not have such issues.

« Last Edit: July 24, 2020, 09:07:23 am by wsxws »




I remember I had similar/same issues when I tried to set up via portmapper.
In the end I no longer tracked this problem, because I just wanted to set it up for fallback purposes when IPv6 is not available on the client side.
Oddly, the VPN server worked fine when I connected via another WAN interface reachable via IPv4, so I think there are issues with the portmapper.

Does anything speak against setting up the server for IPv6?
With a reachable IPv6 on your WAN, a portmapper should be used only for clients without IPv6 support.



i am not an expert… just trying to help…


The portmapper should not be the problem (it just does not support UDP).
First: I used a pfSense before in the same environment and it worked fine.
Second: I have a computer in my network running an OpenVPN server, which works fine (but that server does not have any web GUI to manage the VPN and I do not want to open ports any longer; that's why I want to use the VPN on the OPNsense).
And I have to use the portmapper because cellphones do not have IPv6 (at least in Germany).

« Last Edit: July 24, 2020, 08:23:46 am by wsxws »




SOLVED:
A strange solution, but at least it is one.
The firewall rule was IPv4+IPv6 on WAN address (as automatically set by OpenVPN).
I changed it to IPv6 on WAN address (which did NOT work).
I changed WAN address to single host and put in the IPv6/128 and it worked!
Afterwards I changed it back to WAN address and it still works.

I had a similar issue opening a port to a computer in the network, when the alias did not work but the IP did.
Now I changed that rule back to alias too and that one works now as well.
Maybe there is an issue with the aliases.




Nice to know…
However, in my case I assumed the problem was caused by the portmapper, because, as said, the same server (TCP) worked fine without portmapping.
Fortunately I do not need portmapping, not even for mobile, as T-Mobile fully supports IPv6.
But it's a shame that other providers do not support IPv6…



i am not an expert… just trying to help…


I generated everything following the manual on openvpn.net.
Generated the keys for the CA, the server, Diffie-Hellman, and the client. Copied the client keys to the client machine. Both run Altlinux 4.01.
The server starts fine, but when the client connects it writes:

Oct  7 16:04:54 pool openvpn[4745]: MULTI: multi_create_instance called
Oct  7 16:04:54 pool openvpn[4745]: Re-using SSL/TLS context
Oct  7 16:04:54 pool openvpn[4745]: LZO compression initialized
Oct  7 16:04:54 pool openvpn[4745]: Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Oct  7 16:04:54 pool openvpn[4745]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Oct  7 16:04:54 pool openvpn[4745]: Local Options hash (VER=V4): 'c0103fa8'
Oct  7 16:04:54 pool openvpn[4745]: Expected Remote Options hash (VER=V4): '69109d17'
Oct  7 16:04:54 pool openvpn[4745]: TCP connection established with 172.16.0.2:40089
Oct  7 16:04:54 pool openvpn[4745]: TCPv4_SERVER link local: [undef]
Oct  7 16:04:54 pool openvpn[4745]: TCPv4_SERVER link remote: 172.16.0.2:40089
Oct  7 16:04:54 pool openvpn[4745]: 172.16.0.2:40089 TLS: Initial packet from 172.16.0.2:40089, sid=ca04a77a 3cfe1ece
Oct  7 16:04:54 pool openvpn[4745]: 172.16.0.2:40089 Connection reset, restarting [-1]
Oct  7 16:04:54 pool openvpn[4745]: 172.16.0.2:40089 SIGUSR1[soft,connection-reset] received, client-instance restarting
Oct  7 16:04:54 pool openvpn[4745]: TCP/UDP: Closing socket

Meanwhile on the client:

Feb  7 15:26:05 host openvpn[15595]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Feb  7 15:26:05 host openvpn[15595]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Feb  7 15:26:05 host openvpn[15595]: Re-using SSL/TLS context
Feb  7 15:26:05 host openvpn[15595]: LZO compression initialized
Feb  7 15:26:05 host openvpn[15595]: Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Feb  7 15:26:05 host openvpn[15595]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Feb  7 15:26:05 host openvpn[15595]: Local Options hash (VER=V4): '69109d17'
Feb  7 15:26:05 host openvpn[15595]: Expected Remote Options hash (VER=V4): 'c0103fa8'
Feb  7 15:26:05 host openvpn[15595]: Attempting to establish TCP connection with 172.16.0.1:1194
Feb  7 15:26:05 host openvpn[15595]: TCP connection established with 172.16.0.1:1194
Feb  7 15:26:05 host openvpn[15595]: TCPv4_CLIENT link local: [undef]
Feb  7 15:26:05 host openvpn[15595]: TCPv4_CLIENT link remote: 172.16.0.1:1194
Feb  7 15:26:05 host openvpn[15595]: TLS: Initial packet from 172.16.0.1:1194, sid=ee77b7f2 891994f5
Feb  7 15:26:05 host openvpn[15595]: VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=RU/ST=Kh/L=Vanino/O=ADM/OU=IKTiOS/CN=pool/emailAddress=Null
Feb  7 15:26:05 host openvpn[15595]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Feb  7 15:26:05 host openvpn[15595]: TLS Error: TLS object -> incoming plaintext read error
Feb  7 15:26:05 host openvpn[15595]: TLS Error: TLS handshake failed
Feb  7 15:26:05 host openvpn[15595]: Fatal TLS error (check_tls_errors_co), restarting
Feb  7 15:26:05 host openvpn[15595]: TCP/UDP: Closing socket
Feb  7 15:26:05 host openvpn[15595]: SIGUSR1[soft,tls-error] received, process restarting
Feb  7 15:26:05 host openvpn[15595]: Restart pause, 5 second(s)

Server config:

local 172.16.0.1
port 1194
proto tcp
dev tun

ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/pool.crt
key  /etc/openvpn/keys/pool.key  # This file should be kept secret!
dh /etc/openvpn/keys/dh1024.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3


Client config:

client
dev tun
proto tcp
remote 172.16.0.1  1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/GKH.crt
key  /etc/openvpn/keys/GKH.key
comp-lzo
verb 3

The certificates were copied to the client machine with scp. The permissions are correct, the same as on the server.
