Verify eku error

Hi, please help. When I try to connect to the OpenVPN server, I get an error. All certificates are valid.
Server log:

Tue Aug 23 15:35:23 2022 us=164818 MULTI: multi_create_instance called
Tue Aug 23 15:35:23 2022 us=164896 217.79.14.90:58332 Re-using SSL/TLS context
Tue Aug 23 15:35:23 2022 us=164926 217.79.14.90:58332 LZO compression initializing
Tue Aug 23 15:35:23 2022 us=172875 217.79.14.90:58332 Control Channel MTU parms [ L:1622 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Tue Aug 23 15:35:23 2022 us=172900 217.79.14.90:58332 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Aug 23 15:35:23 2022 us=172966 217.79.14.90:58332 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Tue Aug 23 15:35:23 2022 us=173001 217.79.14.90:58332 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Tue Aug 23 15:35:23 2022 us=173051 217.79.14.90:58332 TLS: Initial packet from [AF_INET]217.79.14.90:58332, sid=1306e70b a8ad933d
Tue Aug 23 15:35:23 2022 us=187192 217.79.14.90:58332 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Aug 23 15:35:23 2022 us=187375 217.79.14.90:58332 VERIFY KU OK
Tue Aug 23 15:35:23 2022 us=187398 217.79.14.90:58332 Validating certificate extended key usage
Tue Aug 23 15:35:23 2022 us=187418 217.79.14.90:58332 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Server Authentication
Tue Aug 23 15:35:23 2022 us=187438 217.79.14.90:58332 ++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.2, expects TLS Web Server Authentication
Tue Aug 23 15:35:23 2022 us=187455 217.79.14.90:58332 VERIFY EKU ERROR
Tue Aug 23 15:35:23 2022 us=187519 217.79.14.90:58332 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Tue Aug 23 15:35:23 2022 us=187540 217.79.14.90:58332 TLS_ERROR: BIO read tls_read_plaintext error
Tue Aug 23 15:35:23 2022 us=187562 217.79.14.90:58332 TLS Error: TLS object -> incoming plaintext read error
Tue Aug 23 15:35:23 2022 us=187580 217.79.14.90:58332 TLS Error: TLS handshake failed
Tue Aug 23 15:35:23 2022 us=187655 217.79.14.90:58332 SIGUSR1[soft,tls-error] received, client-instance restarting

Client log:

...................................
2022-08-23 15:38:36 us=968000 MANAGEMENT: >STATE:1661258316,WAIT,,,,,,
2022-08-23 15:38:37 MANAGEMENT: >STATE:1661258317,AUTH,,,,,,
2022-08-23 15:38:37 TLS: Initial packet from [AF_INET]XX.XXX.XXX.X:1194, sid=2e23a989 eb707609
2022-08-23 15:38:37 us=15000 VERIFY OK: depth=1, CN=Easy-RSA CA
2022-08-23 15:38:37 us=31000 VERIFY KU OK
2022-08-23 15:38:37 us=31000 Validating certificate extended key usage
2022-08-23 15:38:37 us=31000 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-08-23 15:38:37 us=31000 VERIFY EKU OK
2022-08-23 15:38:37 us=31000 VERIFY OK: depth=0, CN=server
2022-08-23 15:38:37 us=562000 TCP/UDP: Closing socket
2022-08-23 15:38:37 us=562000 SIGTERM[hard,] received, process exiting
2022-08-23 15:38:37 us=578000 MANAGEMENT: >STATE:1661258317,EXITING,SIGTERM,,,,,

Server config

port 1194
proto udp
local XX.XXX.XXX.X
dev tun
cd /etc/openvpn
persist-key
persist-tun
tls-server
tls-timeout 120
dh /etc/openvpn/dh.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/vpn-server.crt
key /etc/openvpn/server.key
crl-verify /etc/openvpn/crl.pem
tls-auth /etc/openvpn/ta.key 0
server 10.15.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
client-to-client
topology subnet
max-clients 5
push "dhcp-option DNS 10.15.0.1"
route 10.15.0.0 255.255.255.0
comp-lzo
keepalive 10 120
status /var/log/openvpn/openvpn-status.log 1
status-version 3
log-append /var/log/openvpn/openvpn-server.log
verb 4
mute 20
cipher AES-256-CBC
remote-cert-tls server
auth SHA256

Client config

client
dev tun
proto udp4
remote example.com
tls-client
ca ca.crt
cert dev1.crt
key client.key
tls-auth ta.key 1
comp-lzo
data-ciphers-fallback 'AES-256-CBC'
resolv-retry infinite
nobind
float
keepalive 10 120
persist-key
persist-tun
verb 0
remote-cert-tls server
auth SHA256


    • #1

    Hi everybody,

    I had OpenVPN working under OMV3 perfectly for quite a long time. After the upgrade to OMV4, I reinstalled the plugin and created a new certificate for my client using the GUI. If I now try to connect the client, I get the error mentioned above:

    What can I do?

    Best,
    Aiakos

    • #2

    Do all the configuration you need through the openmediavault web interface.

    After you are finished, log in with ssh, edit /etc/openvpn/server.conf and add the following to the end of the file:

    remote-cert-eku "TLS Web Server Authentication"

    Save and close. Restart the openvpn server with:

    systemctl restart openvpn

    It should work until you make changes in the openmediavault web interface, which removes those lines.

    • #3

    Hi Chone,

    in the meantime — without having changed anything — I get this new error:

    Tue Jun 12 19:44:58 2018 VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=***
    Tue Jun 12 19:44:58 2018 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
    Tue Jun 12 19:44:58 2018 TLS_ERROR: BIO read tls_read_plaintext error
    Tue Jun 12 19:44:58 2018 TLS Error: TLS object -> incoming plaintext read error
    Tue Jun 12 19:44:58 2018 TLS Error: TLS handshake failed

    What does this mean?

    • #4

    No ideas? :/

    • Official post
    • #5

    If you do not get a solution here, try the OpenVPN forum

    https://forums.openvpn.net/

    • #6

    Had the same problem, then I found this error in /var/log/openvpn.log

    Wed Jul 18 11:46:23 2018 MYIP:46585 CRL: cannot read: /etc/openvpn/pki/crl.pem
    Wed Jul 18 11:46:23 2018 MYIP:46585 VERIFY ERROR: CRL not loaded

    so I did this in SSH and it works now.

    chown nobody:nogroup /etc/openvpn/pki/crl.pem

    • #7

    I tried the suggestion in the post above from dinkonin, since I also see the "CRL: cannot read: …" error. I also tried following the steps in OpenVPN — can’t log in. However, I still get the exact same error as posted 4 posts above. :( Has someone found another solution in the meantime?

Topic: Can't connect to my own OpenVPN

S_POWER

I set up OpenVPN on my Ubuntu Server 16.04 and did everything according to the instructions; the service is running and tun0 has appeared in ifconfig, but the Windows client does not connect. I changed the settings in various ways, still no result.

Server config

Client config

Server log

Client log

The client keys, as well as ca.crt and ta.key, are in the client's config folder; the server ones are, of course, in place.
ipv4_forwarding is enabled.
The server is behind a router; port 1194 is forwarded.
I haven't touched openssl.
If possible, explain in simple terms what is wrong; I have been using Ubuntu for less than a month, so I don't even understand what the problem could be apart from incorrect configs.

« Last edited: 04 October 2016, 07:59:49 by SATAN_POWER »


kalek

ls -l /etc/openvpn/keys/?


S_POWER

root@ubuntuserver:~# ls -l /etc/openvpn/keys/
total 40
-rw-r--r-- 1 root root 4250 Oct  3 02:14 01.pem
-rw-r--r-- 1 root root 1403 Oct  3 02:13 ca.crt
-rw------- 1 root root  916 Oct  3 02:13 ca.key
-rw-r--r-- 1 root root  245 Oct  3 02:14 dh1024.pem
-rw-r--r-- 1 root root 4250 Oct  3 02:14 server.crt
-rw-r--r-- 1 root root  733 Oct  3 02:14 server.csr
-rw------- 1 root root  916 Oct  3 02:14 server.key
-rw-r--r-- 1 root root  636 Oct  3 02:15 ta.key

« Last edited: 04 October 2016, 08:01:26 by SATAN_POWER »


kalek

Also

route

and

ifconfig

Apart from that, it is worth running

sudo chmod 600 /etc/openvpn/keys/ta.key

so that it doesn't complain about it.


S_POWER

root@ubuntuserver:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default         192.168.1.1     0.0.0.0         UG    100    0        0 enp2s4
10.0.0.0        *               255.255.255.0   U     0      0        0 tun0
10.15.0.0       10.0.0.2        255.255.255.0   UG    0      0        0 tun0
link-local      *               255.255.0.0     U     1000   0        0 tun0
192.168.1.0     *               255.255.255.0   U     100    0        0 enp2s4

root@ubuntuserver:~# ifconfig
enp2s4    Link encap:Ethernet  HWaddr 00:16:17:b6:a0:cd
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fd4d:2151:7a64:0:94a0:da2f:63db:be44/64 Scope:Global
          inet6 addr: fd4d:2151:7a64:0:99bd:f3a5:c1e2:19e1/64 Scope:Global
          inet6 addr: fe80::216:17ff:feb6:a0cd/64 Scope:Link
          inet6 addr: fd4d:2151:7a64:0:311e:cd55:6df7:d5c4/64 Scope:Global
          inet6 addr: fd4d:2151:7a64:0:216:17ff:feb6:a0cd/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15516809 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19105302 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:17641284188 (17.6 GB)  TX bytes:19876678193 (19.8 GB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:353323 errors:0 dropped:0 overruns:0 frame:0
          TX packets:353323 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:1157858637 (1.1 GB)  TX bytes:1157858637 (1.1 GB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.0.1  P-t-P:10.0.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


kalek

Judging by the log

Mon Oct  3 04:14:32 2016 217.118.78.105:54617 CRL: cannot read: /etc/openvpn/keys/01.pem
Mon Oct  3 04:14:32 2016 217.118.78.105:54617 TLS_ERROR: BIO read tls_read_plaintext error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed

it is complaining about the certificate revocation list.
To check, you can try disabling it: comment out the line

crl-verify /etc/openvpn/keys/01.pem

If it starts working, the next thing to look at is whether everything is all right with that file.


S_POWER

Thanks!
Very surprised, but it works!
Interestingly, I never generated a revocation list; 01.pem appeared after generating the server keys, and 02.pem after generating the client keys.
Is it possible that the current client ended up in list 01 because I generated the keys twice?
Is there somewhere I can see the list of all issued certificates?
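The certificate side of the problems above, as an added example that is not code from any of the posts: it uses the plain openssl CLI in place of Easy-RSA and writes everything to a temporary directory. It issues a CA, a server certificate with the serverAuth EKU and a client certificate with the clientAuth EKU, then prints each leaf's EKU the way OpenVPN logs it; emulates what remote-cert-tls server versus remote-cert-tls client demands of the peer certificate (the server config at the top of this page carries remote-cert-tls server, so the server applies the server expectation to the client's certificate, which is exactly the "expects TLS Web Server Authentication" in its log); runs OpenSSL's own purpose check, whose failure is the "unsupported certificate purpose" error from the OMV thread; and finally builds a real CRL with openssl ca, which is the kind of file crl-verify has to point at, as opposed to an issued certificate such as Easy-RSA's keys/01.pem in the thread just above. The CA config, file names and the choice to revoke the client certificate are assumptions made for the example.

```shell
#!/bin/sh
# Added example; not code from any post on this page. Builds a throwaway PKI
# with the openssl CLI (in place of Easy-RSA), shows the EKU check behind
# "VERIFY EKU ERROR" and "unsupported certificate purpose", and produces a real
# CRL of the kind crl-verify must point at. Assumes openssl 1.1.1+ on PATH;
# all files are written to a temporary directory.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# CA, with the extensions a CA needs for certificate and CRL signing
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Easy-RSA CA" \
  -keyout ca.key -out ca.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:true\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 1 -extfile ca.ext -out ca.crt >/dev/null 2>&1

# Leaf certificates; the only difference between them is the EKU
issue_leaf() {   # issue_leaf <name> <serverAuth|clientAuth>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}
issue_leaf server serverAuth   # presented by the server
issue_leaf dev1 clientAuth     # presented by the client

# EKU string as OpenVPN prints it in "++ Certificate has EKU (str) ..."
eku_of() {   # eku_of <cert>
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# remote-cert-tls <peer-role> = remote-cert-ku + remote-cert-eku "<this string>",
# checked against the PEER's certificate: the server must write
# "remote-cert-tls client", the client "remote-cert-tls server".
expected_eku_for_peer() {   # expected_eku_for_peer <server|client>
  case "$1" in
    server) echo "TLS Web Server Authentication" ;;
    client) echo "TLS Web Client Authentication" ;;
    *) echo "unknown peer role: $1" >&2; return 2 ;;
  esac
}

# Emulates OpenVPN's check: returns 0 (VERIFY EKU OK) or 1 (VERIFY EKU ERROR)
verify_eku() {   # verify_eku <peer-cert> <peer-role-as-configured>
  have="$(eku_of "$1")"
  want="$(expected_eku_for_peer "$2")"
  echo "++ Certificate has EKU (str) $have, expects $want"
  case ",$have," in *"$want"*) echo "VERIFY EKU OK"; return 0 ;; esac
  echo "VERIFY EKU ERROR"; return 1
}

# The TLS library's own purpose check; failing it is OpenSSL's
# "unsupported certificate purpose", the error in the OMV thread
purpose_ok() {   # purpose_ok <cert> <sslclient|sslserver>
  openssl verify -CAfile ca.crt -purpose "$2" "$1" >/dev/null 2>&1
}

# A CRL is issued by the CA (easyrsa gen-crl, or openssl ca -gencrl as here).
# Easy-RSA's keys/01.pem, 02.pem, ... are copies of issued certificates, not CRLs.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database         = index.txt
crlnumber        = crlnumber
default_md       = sha256
default_crl_days = 30
EOF
touch index.txt
echo 01 > crlnumber
openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key -revoke dev1.crt >/dev/null 2>&1
openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key -gencrl -out crl.pem >/dev/null 2>&1

is_crl() {   # is_crl <file>: 0 only if the file parses as a CRL
  openssl crl -in "$1" -noout >/dev/null 2>&1
}
not_revoked() {   # not_revoked <cert>: 0 unless crl.pem lists it
  openssl verify -CAfile ca.crt -CRLfile crl.pem -crl_check "$1" >/dev/null 2>&1
}

# Walk-through
verify_eku dev1.crt server || true   # server.conf with "remote-cert-tls server": the log at the top of the page
verify_eku dev1.crt client           # server.conf with "remote-cert-tls client": VERIFY EKU OK
is_crl server.crt || echo "server.crt is a certificate, not a CRL (as keys/01.pem was)"
not_revoked dev1.crt || echo "dev1.crt is revoked; a server that loads crl.pem refuses it"
```

Commenting out crl-verify, as suggested in the thread above, makes the handshake succeed only because the file it named was never a CRL; it also means a revoked client certificate is accepted again. The durable fix is to generate a CRL (easyrsa gen-crl, or openssl ca -gencrl as in the block), point crl-verify at it, and make it readable by the unprivileged user OpenVPN drops to after start-up, which is what the chown in the OMV thread repairs.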



I hope one of the VPN gurus here can give me a few hints as to what I may be doing wrong, I had my OpenVPN server working, but I recently upgraded the phone to Oreo 8.1 AND my OpenVPN certificates just expired. I thought it would be easy to just create new certs, but for some reason I am getting validation errors and the VPN won’t connect. pfSense has had a couple of updates in the year since I originally created the certificates.

In an attempt to get this thing working, I have recreated everything — Server certificate, User certificate, TLS Key, and I increased the strength of my password (since my initial setup was only intended for testing and the password was way too weak). I used the export tool, to put the info on a USB key and then imported it on my phone. The import seemed to work OK.
(I didn't destroy/recreate the servers; I just changed the .)

Can someone give me a hint as to what part of the process these messages refer to?
(Only the XXXXXXXXXs and —.— have been redacted — all other values are the actual contents.)

Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 VERIFY SCRIPT OK: depth=2, C=CA, ST=PRIVATE, L=PRIVATE, O=PRIVATE, emailAddress=nobody@nowhere, CN=XXXXXXXX_ROOT, OU=PRIVATE
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 VERIFY OK: depth=2, C=CA, ST=PRIVATE, L=PRIVATE, O=PRIVATE, emailAddress=nobody@nowhere, CN=XXXXXXXX_ROOT, OU=PRIVATE
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 VERIFY SCRIPT OK: depth=1, C=CA, ST=PRIVATE, L=PRIVATE, O=PRIVATE, emailAddress=nobody@nowhere, CN=XXXXXXXX_INTERMEDIATE_MAY2017, OU=PRIVATE
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 VERIFY OK: depth=1, C=CA, ST=PRIVATE, L=PRIVATE, O=PRIVATE, emailAddress=nobody@nowhere, CN=XXXXXXXX_INTERMEDIATE_MAY2017, OU=PRIVATE
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 VERIFY KU OK
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 Validating certificate extended key usage
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Server Authentication
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 ++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.2, expects TLS Web Server Authentication
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 VERIFY EKU ERROR
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 TLS_ERROR: BIO read tls_read_plaintext error
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 TLS Error: TLS object -> incoming plaintext read error
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 TLS Error: TLS handshake failed
Jun  6 15:49:13 XXXXXXXX openvpn[48686]: 209.171.--.--:27235 SIGUSR1[soft,tls-error] received, client-instance restarting

The Android log doesn’t show too much other than a printout of the certificate authority and the server certificate — both say Verify OK, but at the bottom of the server certificate it says Authentication, ??? — then EVENT_CONNECTION_TIMEOUT.

Additional questions:
Is the Auth digest algorithm on the Server tab under cryptographic settings exported properly?
I changed it to SHA512? I just noticed this ‘Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN. ‘ Since the handful of clients that I might set up will all be exported by the export tool, I was assuming that all clients would be set to match — Did I assume wrong?

Am I correct that the password hasn’t yet been evaluated?
Am I correct that the password is checked in pfSense (i.e. it isn’t certificate encryption?)
Is it OK to have a SPACE in the password?

EDIT

I just noticed that when I click the info bubble for the old user cert I see:
EKU: TLS Web Client Authentication

I just noticed that when I click the info bubble for the new user cert I see:
KU: Digital Signature, Non Repudiation, Key Encipherment
EKU: TLS Web Client Authentication

Is this a change in the way pfSense generates keys or did I do something wrong?
Could this be the problem?

Also is there any way I can conveniently list the contents of a previously generated certificate from the command line for reference?

EDIT
I found this post:
https://forum.netgate.com/topic/114387/key-usage-checks-fail-on-user-client-certificate

and this set of custom options seems to be working:

persist-key
persist-tun
reneg-sec 0
remote-cert-ku e0
remote-cert-eku "TLS Web Client Authentication" 

It appears that something changed in the last year as to how pfSense generates keys because I didn’t need these options a year ago.

When establishing an OpenVPN connection I run into the error "TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed"

The root CA of the SSL certificate is "Fireware web CA"

Trying to find out whether there is a way to disable certificate verification.

Note: I am trying to connect to the VPN through my router's VPN client (Asus RT-AC55UHP). I was able to establish the VPN connection using the same configuration on my MacBook with Tunnelblick.

System log:

openvpn[10205]: OpenVPN 2.3.2 mips-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Dec  1 2016
openvpn[10205]: Socket Buffers: R=[87380->131072] S=[16384->131072]
openvpn[10211]: Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:443 [nonblock]
openvpn[10211]: TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
openvpn[10211]: TCPv4_CLIENT link local: [undef]
openvpn[10211]: TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
openvpn[10211]: TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:443, sid=84d506xx 088122xx
openvpn[10211]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
openvpn[10211]: VERIFY OK: depth=1, O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN (SN 80XX04868XXX3 2015-11-18 09:19:40 GMT) CA
openvpn[10211]: Validating certificate extended key usage
openvpn[10211]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS
openvpn[10211]: ++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.1, expects TLS
openvpn[10211]: VERIFY EKU ERROR
openvpn[10211]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
openvpn[10211]: TLS Error: TLS object -> incoming plaintext read error
openvpn[10211]: TLS Error: TLS handshake failed
openvpn[10211]: Fatal TLS error (check_tls_errors_co), restarting
openvpn[10211]: SIGUSR1[soft,tls-error] received, process restarting
openvpn[10211]: Restart pause, 5 second(s)

client.ovpn:

dev tun
client
proto tcp
<ca>
-----BEGIN CERTIFICATE-----
--Removed--
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
--Removed--
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
--Removed--
-----END PRIVATE KEY-----
</key>
remote-cert-eku "TLS Web Server Authentication"
remote XXX.XXX.XXX.XXX 443
persist-key
persist-tun
verb 3
mute 20
keepalive 10 60
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
auth SHA1
float
reneg-sec 3660
nobind
mute-replay-warnings
auth-user-pass
;remember_connection 0
;auto_reconnect 1
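Two things the logs on this page turn on can be modelled without a PKI at all, as an added example in Python that is not from any of the posts: how OpenVPN tokenises a config line, and how to read the "++ Certificate has EKU (str) X, expects Y" line. The router log above says "expects TLS" although the config says remote-cert-eku "TLS Web Server Authentication"; a parser that drops the quote characters and then splits on whitespace produces exactly that expectation, which is why the usual workaround on such clients is remote-cert-tls server, an equivalent option that needs no quoting (that the router's parser behaves this way is an inference from the log line, not something the post confirms). The tokeniser follows the quoting rules in the OpenVPN manual; the config fragment and the log lines in the block are constructed from the ones on this page, and the triage function also covers the server-side mismatch from the first thread.

```python
"""Added example (not from any post on this page): OpenVPN config tokenising
and triage of the "++ Certificate has EKU (str) X, expects Y" log line.
The tokeniser follows the quoting rules in the OpenVPN manual; the config
fragment and log lines at the bottom are constructed from the ones above."""
from __future__ import annotations
import re

# EKU that remote-cert-tls <peer-role> demands of the PEER's certificate:
# a client writes "remote-cert-tls server", a server "remote-cert-tls client".
EKU_FOR_PEER = {
    "server": "TLS Web Server Authentication",
    "client": "TLS Web Client Authentication",
}


def parse_line(line: str) -> list[str]:
    """Whitespace separates words, "..." or '...' groups them, backslash escapes
    the next character, and a word beginning with # or ; starts a comment."""
    words, cur, quote, in_word, escaped = [], [], None, False, False
    for ch in line:
        if escaped:
            cur.append(ch); escaped = False; in_word = True
        elif ch == "\\":
            escaped = True
        elif quote:
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in "\"'":
            quote = ch; in_word = True
        elif ch.isspace():
            if in_word:
                words.append("".join(cur)); cur = []; in_word = False
        elif ch in "#;" and not in_word:
            break
        else:
            cur.append(ch); in_word = True
    if in_word:
        words.append("".join(cur))
    return words


def naive_parse(line: str) -> list[str]:
    """Drop quote characters, then split on whitespace. A parser that does this
    reads  remote-cert-eku "TLS Web Server Authentication"  as expecting "TLS",
    matching the "expects TLS" in the router log (inferred, not confirmed)."""
    return line.replace('"', "").replace("'", "").split()


def expected_peer_eku(config_text: str, tokenize=parse_line) -> str | None:
    """EKU this config demands from the peer certificate, if any; later lines
    override earlier ones. remote-cert-tls <role> is shorthand for
    remote-cert-ku plus remote-cert-eku "<that role's EKU>"."""
    want = None
    for raw in config_text.splitlines():
        words = tokenize(raw)
        if len(words) < 2:
            continue
        if words[0] == "remote-cert-tls":
            want = EKU_FOR_PEER.get(words[1])
        elif words[0] == "remote-cert-eku":
            want = words[1]
    return want


EKU_LINE = re.compile(r"\+\+ Certificate has EKU \(str\) (?P<has>.+?), expects (?P<wants>.+)$")


def diagnose(log_lines, my_role: str) -> str:
    """my_role is 'server' or 'client': the side that wrote the log. OpenVPN logs
    one '(str)' line per EKU in the peer certificate, so collect them all first."""
    peer = "client" if my_role == "server" else "server"
    has, wants = [], None
    for line in log_lines:
        m = EKU_LINE.search(line.rstrip())
        if m:
            has.append(m.group("has")); wants = m.group("wants")
    if wants is None:
        return "no EKU check in this log"
    if wants in has:
        return "ok"
    if wants == EKU_FOR_PEER[my_role]:        # demands its own role's EKU from the peer
        return (f"{my_role} config demands the {my_role} EKU from the {peer}; "
                f"it should say 'remote-cert-tls {peer}' (or drop the option)")
    if wants not in EKU_FOR_PEER.values():    # e.g. "expects TLS"
        return (f"expected EKU {wants!r} is not an EKU name: a quoted remote-cert-eku argument "
                f"was cut at its first space; use 'remote-cert-tls {peer}', which needs no quotes")
    return f"{peer} certificate carries EKU {', '.join(has)!r}; reissue it with {wants!r}"


# Constructed samples: a server.conf fragment like the first thread's, the EKU
# lines from that server's log, and the EKU line from the router log above.
SERVER_CONF = "tls-server\ncrl-verify /etc/openvpn/crl.pem\nremote-cert-tls server\n"
SERVER_LOG = [
    "++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Server Authentication",
    "++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.2, expects TLS Web Server Authentication",
    "VERIFY EKU ERROR",
]
ROUTER_LOG = ["++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS", "VERIFY EKU ERROR"]

if __name__ == "__main__":
    print(expected_peer_eku(SERVER_CONF))                    # what that server.conf demands of clients
    print(expected_peer_eku('remote-cert-eku "TLS Web Server Authentication"', naive_parse))
    print(diagnose(SERVER_LOG, "server"))
    print(diagnose(ROUTER_LOG, "client"))
```

diagnose only reads the "(str)" lines, so it works on either side's log; pass the role of the host that wrote the log, not the role named in the option, since the option always describes the peer.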
