Getting ECONNREFUSED|ECONNREFUSED for an OpenVPN server, after doing easyrsa gen-crl?

Support forum for Easy-RSA certificate management suite.

Moderators: TinCanTech

thisoldjoe
OpenVpn Newbie
Posts: 1
Joined: Mon Oct 16, 2023 6:19 pm

Getting ECONNREFUSED|ECONNREFUSED for an OpenVPN server, after doing easyrsa gen-crl?

Post by thisoldjoe » Mon Oct 16, 2023 6:22 pm

My OpenVPN server has been working perfectly fine on an Arch Linux install. I've done regular pacman -Syu updates over the past year, and every now and then I've had to run:

easyrsa gen-crl

when the certificate for the only client using the server expires. I could probably have fixed this in a better way, I just never got around to it, and I'm the only one using it anyway.

It expired again, and this time I ran gen-crl like before, but now all I get is:

openvpn[484]: read UDPv4 [ECONNREFUSED|ECONNREFUSED]: Connection refused (fd=7,code=111)

I get this every time the client attempts to connect. Note that before when I ran gen-crl, I didn't need to do anything on the client. I could just use openvpn against the same .conf file as before.

I know for a fact that there is nothing wrong with the port being closed or that the IP is wrong. Not only can I confirm that there is a connection from seeing the "Connection refused" message show up in the log for the VPN server, but I can also just listen with netcat on the same port on the server (after stopping the VPN server) and see that indeed, the client attempts to connect and initiate the handshake.

I'm just not experienced enough to easily figure out what the problem is here. I've never had to do anything beyond running:

easyrsa gen-crl

I have ensured that the file permissions are correct for the generated crl.pem file (this has been an issue before); that's not the issue here, because when that was the issue, the openvpn service failed to start.

I have remembered to do systemctl restart for the openvpn service.

I have tried to reboot.

I have tried to do a pacman -Syu update on the server.

I've also tried to regenerate the client certificate multiple times.

I've tried looking at verbosity level 9, but there's no new information, just that it can't read from the UDP socket.

The client, interestingly enough, claims that the certificate is invalid.

"OpenSSL ERROR: depth=0, error=unsuitable certificate purpose: CN=my_client, serial=..."

I would expect to see the server say the same at some point in the log but I don't see it.

Note that I know for a fact I can communicate with UDP into this port, verified with a netcat client and server on the same machine I try to use as a VPN client and server, respectively.
