Long running VPN failed on openvpn upgrade

addw
OpenVpn Newbie
Posts: 5
Joined: Wed Apr 12, 2017 8:37 am

Long running VPN failed on openvpn upgrade

Post by addw » Wed Apr 12, 2017 9:32 am

I have some machines connected with openvpn; it has been happily working for several years. With the update to centos 6.9 (bringing in openvpn-2.3.14-1) it broke.

It did not like the cipher that I was using, not enough bits, so I replaced:

cipher BF-CBC

with:

cipher AES-128-CBC

Now: every 2 seconds the server is telling me (date, pid, etc removed):

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
And a client says:

UDPv4 link local: [undef]
UDPv4 link remote: [AF_INET]213.138.xxx.xxx:1194
VERIFY ERROR: depth=0, error=certificate signature failure: C=GB, ST=Greater London, O=XXX Ltd, OU=XXX, CN=bytemark.phcomp.co.uk, emailAddress=addw@phcomp.co.uk
OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
A client config:
client
dev tun
proto udp
remote xxx
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca BYTEMARK-PHCOMP/keys/bytemark-ca.crt
cert BYTEMARK-PHCOMP/keys/freshmint.phcomp.co.uk.crt
key BYTEMARK-PHCOMP/keys/freshmint.phcomp.co.uk.key
tls-auth BYTEMARK-PHCOMP/keys/bytemark.phcomp.co.uk-ta.key 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20
The server config:
local x.x.x.x
port 1194
proto udp
dev tun
ca ca.crt
cert bytemark.phcomp.co.uk.crt
key bytemark.phcomp.co.uk.key
dh dh1024.pem
tls-auth ta.key 0
server 10.200.201.0 255.255.255.0
reneg-sec 60
keepalive 10 120
ifconfig-pool-persist External-ipp.txt
status openvpn-status.log
up "/etc/openvpn/AllowRunForwarding"
comp-lzo
cipher AES-128-CBC
user nobody
group nobody
persist-key
persist-tun
verb 1
client-config-dir bytemark-ServerClients
push "route 10.200.201.0 255.255.255.0"
The client config file (in bytemark-ServerClients) contains:
ifconfig-push 10.200.201.8 10.200.201.1
Can anyone help - please.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Long running VPN failed on openvpn upgrade

Post by TinCanTech » Wed Apr 12, 2017 11:42 am

addw wrote: It did not like the cipher that I was using, not enough bits
You can still use Blow-Fish but openvpn will warn you about the SWEET32 vulnerability and take mitigating action by forcing a TLS renegotiation every 64MB of data.

Switch back to Blow-Fish and try again ..
because the error you have posted is related to certificates not --cipher.

addw
OpenVpn Newbie
Posts: 5
Joined: Wed Apr 12, 2017 8:37 am

Re: Long running VPN failed on openvpn upgrade

Post by addw » Wed Apr 12, 2017 3:01 pm

I have reverted to cipher BF-CBC and I am getting the same messages as before. Sorry: I made a change that I should not have done, but will do once I get the current problem fixed.

So, how do I get it to verify the certificate? I looked at the link below and wasn't really helped. Part of the problem is that the documentation assumes that you really understand all the SSL options, etc., which I suspect most people do not.

I looked hard and realised that the scripts that I use to build the certificates did not have "-extensions server" on the openssl lines. So, I added that and it still does not work. The script lines that generate the files are below:

openssl req -days 3650 -nodes -new -extensions server -keyout $ClientMachine.key -out $ClientMachine.csr -config $KEY_CONFIG
openssl ca -verbose -days 3650 -extensions server -out $ClientMachine.crt -in $ClientMachine.csr -config $KEY_CONFIG
This is not very helpful: https://openvpn.net/index.php/open-sour ... howto.html
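The client log above fails at certificate verification, and the openssl lines above are what produce those certificates. As an added example (not code from this thread or from OpenVPN), the script below runs the same chain check with openssl(1) so the verify result and the certificate's signature algorithm can be read outside OpenVPN. All file names are constructed for the demo, and the failing case is a certificate from an unrelated CA, so its error text differs from the "certificate signature failure" in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: run the same certificate-chain check the
# OpenVPN client performs, but with openssl(1) so the failure reason is visible on its
# own. File names are constructed for the demo; with a real setup pass the files named
# on the "ca" and "cert" lines of the OpenVPN config instead.
set -eu

# verify_against_ca CA_CERT PEER_CERT
# Prints the peer certificate's signature algorithm (a verifier may reject algorithms
# it once accepted, so this is worth seeing) and returns 0 only if PEER_CERT chains to
# CA_CERT; on failure the openssl error text is printed for comparison with the
# "VERIFY ERROR" line in the client log.
verify_against_ca() {
    ca="$1"; peer="$2"
    openssl x509 -in "$peer" -noout -text | grep 'Signature Algorithm' | head -n 1
    if out=$(openssl verify -CAfile "$ca" "$peer" 2>&1); then
        echo "OK: $peer verifies against $ca"
        return 0
    fi
    echo "FAIL: $out"
    return 1
}

# make_demo_pki DIR
# Builds a throwaway CA plus two peer certificates: good.crt is signed by ca.crt,
# bad.crt by an unrelated CA, so the second verify_against_ca call must fail.
make_demo_pki() {
    dir="$1"; mkdir -p "$dir"
    for ca in ca other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo $ca" \
            -keyout "$dir/$ca.key" -out "$dir/$ca.crt" 2>/dev/null
    done
    for name in good bad; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name.example" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    done
    openssl x509 -req -days 2 -in "$dir/good.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/good.crt" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/bad.csr" -CA "$dir/other.crt" -CAkey "$dir/other.key" \
        -CAcreateserial -out "$dir/bad.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
verify_against_ca "$demo_dir/ca.crt" "$demo_dir/good.crt"
verify_against_ca "$demo_dir/ca.crt" "$demo_dir/bad.crt" || true
```

If the real client certificate fails here with the same CA file the client uses, the problem is in the certificate or CA files themselves rather than in the tunnel settings.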

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Long running VPN failed on openvpn upgrade

Post by TinCanTech » Wed Apr 12, 2017 4:40 pm
