[Solved] Unable to generate a functional client.ovpn

Scripts to manage certificates or generate config files

Moderators: TinCanTech

darksky
OpenVpn Newbie
Posts: 13
Joined: Mon Aug 01, 2016 7:13 pm


Post by darksky » Sat Jun 24, 2017 5:18 pm

I have openvpn server running on Linux and am attempting to connect via the iOS client but I get the following on the iOS client using the ovpn file I generated:

server certificate verification failed: polarssl : ssl read error : x509 - certificate verification failed e.g. CRL, CA or signature...

I should note that I have used the following process on the links given below successfully in the past...
  • I generated the server files and client files following the guide published at https://wiki.archlinux.org/index.php/Easy-RSA
  • I created the client.ovpn using https://github.com/graysky2/ovpngen
Any suggestions are appreciated.

On the linux server, everything appears OK until the client connects:

openvpn /etc/openvpn/server/ovpn.conf
Sat Jun 24 13:09:58 2017 OpenVPN 2.4.3 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 21 2017
Sat Jun 24 13:09:58 2017 library versions: OpenSSL 1.1.0f  25 May 2017, LZO 2.10
Sat Jun 24 13:09:58 2017 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sat Jun 24 13:09:58 2017 Diffie-Hellman initialized with 2048 bit key
Sat Jun 24 13:09:58 2017 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Jun 24 13:09:58 2017 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Jun 24 13:09:58 2017 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=ee:ec:fa:e9:56:7e
Sat Jun 24 13:09:58 2017 TUN/TAP device tun0 opened
Sat Jun 24 13:09:58 2017 TUN/TAP TX queue length set to 100
Sat Jun 24 13:09:58 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Jun 24 13:09:58 2017 /usr/bin/ip link set dev tun0 up mtu 1500
Sat Jun 24 13:09:58 2017 /usr/bin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Sat Jun 24 13:09:58 2017 /usr/bin/ip route add 10.8.0.0/24 via 10.8.0.2
Sat Jun 24 13:09:58 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Jun 24 13:09:58 2017 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Jun 24 13:09:58 2017 Listening for incoming TCP connection on [AF_INET][undef]:443
Sat Jun 24 13:09:58 2017 TCPv4_SERVER link local (bound): [AF_INET][undef]:443
Sat Jun 24 13:09:58 2017 TCPv4_SERVER link remote: [AF_UNSPEC]
Sat Jun 24 13:09:58 2017 GID set to nobody
Sat Jun 24 13:09:58 2017 UID set to nobody
Sat Jun 24 13:09:58 2017 MULTI: multi_init called, r=256 v=256
Sat Jun 24 13:09:58 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sat Jun 24 13:09:58 2017 IFCONFIG POOL LIST
Sat Jun 24 13:09:58 2017 MULTI: TCP INIT maxclients=4 maxevents=8
Sat Jun 24 13:09:58 2017 Initialization Sequence Completed

<<< client tries to connect here >>>

Sat Jun 24 13:10:03 2017 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:53814
Sat Jun 24 13:10:03 2017 xxx.xxx.xxx.xxx:53814 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:53814, sid=225125ca 902967b1
Sat Jun 24 13:10:03 2017 xxx.xxx.xxx.xxx:53814 Connection reset, restarting [0]
Sat Jun 24 13:10:03 2017 xxx.xxx.xxx.xxx:53814 SIGUSR1[soft,connection-reset] received, client-instance restarting

darksky

Re: Unable to generate a functional client.ovpn

Post by darksky » Sun Jun 25, 2017 11:50 am

I verified this problem is true on a linux to linux connection as well.
It seems like something isn't right with my ca.crt but I verified the ca.crt and client.

openssl verify -CAfile /etc/openvpn/server/ca.crt /etc/easy-rsa/pki/signed/client.crt
/etc/easy-rsa/pki/signed/client.crt: OK

Log from my Linux client trying to connect:

# openvpn /etc/openvpn/client/client.conf     
Sun Jun 25 07:37:12 2017 OpenVPN 2.4.3 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 21 2017
Sun Jun 25 07:37:12 2017 library versions: OpenSSL 1.1.0f  25 May 2017, LZO 2.10
Sun Jun 25 07:37:12 2017 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jun 25 07:37:12 2017 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jun 25 07:37:12 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:443
Sun Jun 25 07:37:12 2017 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun Jun 25 07:37:12 2017 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:443 [nonblock]
Sun Jun 25 07:37:13 2017 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
Sun Jun 25 07:37:13 2017 TCP_CLIENT link local: (not bound)
Sun Jun 25 07:37:13 2017 TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
Sun Jun 25 07:37:13 2017 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:443, sid=da26dcc7 994b1462
Sun Jun 25 07:37:13 2017 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=Easy-RSA CA
Sun Jun 25 07:37:13 2017 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Sun Jun 25 07:37:13 2017 TLS_ERROR: BIO read tls_read_plaintext error
Sun Jun 25 07:37:13 2017 TLS Error: TLS object -> incoming plaintext read error
Sun Jun 25 07:37:13 2017 TLS Error: TLS handshake failed
Sun Jun 25 07:37:13 2017 Fatal TLS error (check_tls_errors_co), restarting
Sun Jun 25 07:37:13 2017 SIGUSR1[soft,tls-error] received, process restarting
Sun Jun 25 07:37:13 2017 Restart pause, 5 second(s)

Here is the client.conf (client.ovpn on the iOS side) that I am using:

client
dev tun
remote my.fqdn.org 443 tcp
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
cipher AES-256-CBC
auth SHA512
comp-lzo
remote-cert-tls server
key-direction 1
<ca>
... omitted ...
</ca>
<cert>
... omitted ...
</cert>
<key>
... omitted ...
</key>
<tls-auth>
... omitted ...
</tls-auth>
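
The client-side error at depth=1 ("self signed certificate in certificate chain: CN=Easy-RSA CA") is the client saying that the root the server presents is not in its trust store, and for a profile like the one above that trust store is the inline <ca> block. The `openssl verify` run earlier checks client.crt against the server-side ca.crt, which is a different path and passes even when the wrong CA was pasted into the profile. The check below is an added example, not part of the post, of the Arch wiki article or of ovpngen: it pulls the <ca> block out of a profile and compares certificate fingerprints with the server's ca.crt. The PEM blobs are constructed placeholders (arbitrary bytes in PEM framing, not real X.509 certificates) so that it runs offline; the function names are the example's own.

```python
"""Added example (not from the forum post, the Arch wiki or ovpngen): check that
the CA embedded in a client .ovpn <ca> block is the CA the server side uses.

It compares SHA-256 fingerprints of the DER bytes inside the PEM blocks. It does
not validate signatures or build chains; it catches the common mistake of
pasting a stale or unrelated ca.crt into a profile, which the client reports as
"self signed certificate in certificate chain" at depth=1.
"""
from __future__ import annotations

import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def inline_block(ovpn_text: str, tag: str) -> str:
    """Return the body of an OpenVPN inline block such as <ca>...</ca>."""
    m = re.search(rf"<{tag}>\s*(.*?)\s*</{tag}>", ovpn_text, re.S)
    if m is None:
        raise ValueError(f"profile has no <{tag}> block")
    return m.group(1)


def pem_fingerprints(pem_text: str) -> list[str]:
    """SHA-256 fingerprint of every PEM certificate in the text, in order, in the
    colon-separated form `openssl x509 -noout -fingerprint -sha256` prints."""
    fps = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        digest = hashlib.sha256(der).hexdigest().upper()
        fps.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    return fps


def ca_matches(ovpn_text: str, server_ca_pem: str) -> bool:
    """True if the CA(s) in the profile's <ca> block include the server-side CA."""
    client_fps = set(pem_fingerprints(inline_block(ovpn_text, "ca")))
    server_fps = pem_fingerprints(server_ca_pem)
    if not client_fps or not server_fps:
        raise ValueError("no certificate found in the <ca> block or in ca.crt")
    return any(fp in client_fps for fp in server_fps)


def diagnose(ovpn_text: str, server_ca_pem: str) -> str:
    """One-line verdict for the profile."""
    if ca_matches(ovpn_text, server_ca_pem):
        return "ok: <ca> block matches the server's ca.crt"
    return "mismatch: <ca> block is not the server's CA; rebuild the profile from the right ca.crt"


# --- constructed sample data: placeholder bytes in PEM framing, not real X.509 ---
def _placeholder_pem(payload: bytes) -> str:
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


SERVER_CA = _placeholder_pem(b"constructed placeholder: the CA that signed server.crt")
STALE_CA = _placeholder_pem(b"constructed placeholder: a CA from an earlier PKI")

# A profile in the same shape as the one in the post, with the stale CA pasted in.
CLIENT_PROFILE = (
    "client\ndev tun\nremote my.fqdn.org 443 tcp\nremote-cert-tls server\n"
    "<ca>\n" + STALE_CA + "</ca>\n"
    "<cert>\n... omitted ...\n</cert>\n"
)


if __name__ == "__main__":
    print(diagnose(CLIENT_PROFILE, SERVER_CA))   # mismatch: the profile carries the stale CA
    print(diagnose(CLIENT_PROFILE, STALE_CA))    # ok: same CA on both sides
```

Run it against the real files by reading client.ovpn and the server's ca.crt into the two strings. A mismatch means the profile was generated from a different PKI than the one the server runs with, and regenerating it from the current ca.crt is the fix. If the fingerprints match, the next thing to check is the server certificate itself with `openssl verify -CAfile ca.crt server.crt` on the server; `openssl x509 -noout -fingerprint -sha256 -in ca.crt` prints the same fingerprint format for a manual comparison.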

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Unable to generate a functional client.ovpn

Post by TinCanTech » Sun Jun 25, 2017 6:15 pm

darksky wrote:I generated the server files and client files following the guide published
https://wiki.archlinux.org/index.php/Easy-RSA
I created the client.ovpn using https://github.com/graysky2/ovpngen
Please report your problems to the authors of those articles.

Or use EasyRSA.

darksky

Re: Unable to generate a functional client.ovpn

Post by darksky » Sun Jun 25, 2017 6:32 pm

TinCanTech wrote:
darksky wrote:I generated the server files and client files following the guide published
https://wiki.archlinux.org/index.php/Easy-RSA
I created the client.ovpn using https://github.com/graysky2/ovpngen
Please report your problems to the authors of those articles.

Or use EasyRSA.
I am the primary author of the wiki article and of ovpngen. Note that the article makes exclusive use of EasyRSA and has worked for me in the past under the 1.0.2 series of OpenSSL. I am posting here since you guys are the OpenVPN experts and may have some suggestions for a root cause of the new error I am experiencing, and hopefully something to try to fix it (from the client's log):

...
Sun Jun 25 07:37:13 2017 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=Easy-RSA CA
Sun Jun 25 07:37:13 2017 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Sun Jun 25 07:37:13 2017 TLS_ERROR: BIO read tls_read_plaintext error
Sun Jun 25 07:37:13 2017 TLS Error: TLS object -> incoming plaintext read error
Sun Jun 25 07:37:13 2017 TLS Error: TLS handshake failed
Sun Jun 25 07:37:13 2017 Fatal TLS error (check_tls_errors_co), restarting
Sun Jun 25 07:37:13 2017 SIGUSR1[soft,tls-error] received, process restarting
Sun Jun 25 07:37:13 2017 Restart pause, 5 second(s)

darksky

Re: Unable to generate a functional client.ovpn

Post by darksky » Tue Jun 27, 2017 12:14 am


TinCanTech

Re: [Solved] Unable to generate a functional client.ovpn

Post by TinCanTech » Tue Jun 27, 2017 10:00 am

Which translates to :-
  • Double check you use the correct certificate.
