Connecting error: OpenVPN (Sophos UTM) with Linux and Android OpenVPN Clients


KR
OpenVpn Newbie
Posts: 12
Joined: Sat Oct 19, 2019 5:50 pm

Connecting error: OpenVPN (Sophos UTM) with Linux and Android OpenVPN Clients

Post by KR » Sat Oct 19, 2019 6:24 pm

Hello, everybody,

Initial situation: External Sophos UTM of a provider. A client .ovpn file is offered for download for Windows, Linux, Android and iOS.

Problem:
Connections are working fine with Windows and iOS.
But not with Linux (Ubuntu 19.04/19.10) and Android devices!

Version (Ubuntu Linux):
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2019
library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.10

OpenVPN client config: (Windows version has "ip-win32 dynamic" in the first line)

Code:

client
# tun (routed) device; the iOS log further down reports dev-type tun
dev tun
proto tcp
remote domainname.de 443
verify-x509-name "C=de, L=Dortmund, O=Vxxxxxxxxl, CN=ASG_1, emailAddress=admin@domainname.de"
# host route to the VPN server itself via the normal default gateway
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
cipher AES-128-CBC
auth MD5
comp-lzo
route-delay 4
verb 3
reneg-sec 0
<ca>
Certificate:
    Data:
        Version: 3 (0x2)
.....
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
......
</cert>
<key>
-----BEGIN PRIVATE KEY-----
............
</key>
Error message:
VERIFY ERROR: depth=0, error=format error in certificate's notAfter field: C=de, L=Dortmund, O=Vxxxxxxxxl, CN=ASG_1, emailAddress=admin@domainname.de

and therefore also:
OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting

and so on ....

No chance to get any help with Linux from the provider. I should install the Windows client. :-(

Others seem to have the same problem.

But I couldn't find a solution anywhere in spite of intensive search and several own attempts.

Please help me. Thanks in advance.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connecting error: OpenVPN (Sophos UTM) with Linux and Android OpenVPN Clients

Post by TinCanTech » Sat Oct 19, 2019 7:10 pm

KR wrote:
Sat Oct 19, 2019 6:24 pm
Error message:
VERIFY ERROR: depth=0, error=format error in certificate's notAfter field: C=de, L=Dortmund, O=Vxxxxxxxxl, CN=ASG_1, emailAddress=admin@domainname.de
How did you create your certificate ?

KR
OpenVpn Newbie
Posts: 12
Joined: Sat Oct 19, 2019 5:50 pm

Re: Connecting error: OpenVPN (Sophos UTM) with Linux and Android OpenVPN Clients

Post by KR » Sat Oct 19, 2019 8:15 pm

Thanks for your answer.

The certificates are created on the provider's Sophos Astaro appliance and made available to customers and partners for download directly as .ovpn files for various operating systems. I have no influence on this! Unfortunately, the service provider is very stubborn. I have to get along with what I have.
I have received a link to a user account on the Sophos Astaro appliance, which I can use to download the .ovpn files after logging in with the appropriate credentials (username/password). One file each for Windows, iOS, Android and one for Linux, MacOS X, BSD or Solaris. There is also an .exe file for Windows, which can be used to install the Sophos VPN client. After all, this is just an OpenVPN client.

But as mentioned, under Windows and iOS the .ovpn files work. They can be imported and the VPN connection can be established there without any problems. But the connection does not work under Linux and Android. Tested under Linux both in GUI and on the console. I also tried to extract the certificates and the key and save them separately. Same result! Always the same error message.

According to the error message it looks like a certificate error. But it is not, because under Windows and iOS these are not criticized.

By the way, the error messages in the error log look the same with Linux as with Android! But there must be something different about the implementation of OpenVPN!
Last edited by KR on Sun Oct 20, 2019 1:55 am, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connecting error: OpenVPN (Sophos UTM) with Linux and Android OpenVPN Clients

Post by TinCanTech » Sat Oct 19, 2019 11:00 pm

Sorry .. you must contact your service provider.

KR
OpenVpn Newbie
Posts: 12
Joined: Sat Oct 19, 2019 5:50 pm

Re: Connecting error: OpenVPN (Sophos UTM) with Linux and Android OpenVPN Clients

Post by KR » Sun Oct 20, 2019 2:09 am

I've already tried that. The support wrote me that this would be due to outdated certificates of Linux. And with that, the case was closed for them. The support wrote that they can't give support for Linux. I would have to use Windows because everything would work there.

I then imported the .ovpn file for testing on an iPhone and immediately got a working VPN access. With exactly the same file it doesn't work under Linux, nor under Android. The log of the OpenVPN client returns exactly the same error messages under Android as under Linux.
Last edited by KR on Sun Oct 20, 2019 8:33 am, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connecting error: OpenVPN (Sophos UTM) with Linux and Android OpenVPN Clients

Post by TinCanTech » Sun Oct 20, 2019 4:24 am

Your certificates are bogus and also compromised ..

KR
OpenVpn Newbie
Posts: 12
Joined: Sat Oct 19, 2019 5:50 pm

Re: Connecting error: OpenVPN (Sophos UTM) with Linux and Android OpenVPN Clients

Post by KR » Sun Oct 20, 2019 9:16 am

Okay. Thank you again.

Assume the certificate is invalid. Why is it then accepted as valid by the OpenVPN client on the iPhone and Windows? That's what I don't understand.

Here is the log of the OpenVPN client on the iPhone:

Code:

2019-04-20 10:04:37 ----- OpenVPN Start -----
OpenVPN core 3.git::728733ae ios arm64 64-bit PT_PROXY built on Aug 15 2019 06:21:05

2019-04-20 10:04:37 OpenVPN core 3.git::728733ae ios arm64 64-bit PT_PROXY built on Aug 15 2019 06:21:05

2019-04-20 10:04:37 Frame=512/2048/512 mssfix-ctrl=1250

2019-04-20 10:04:37 UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
12 [route-delay] [4] 
13 [verb] [3] 

2019-04-20 10:04:37 EVENT: RESOLVE

2019-04-20 10:04:37 Contacting [ipv4-address]:443/TCP via TCPv4

2019-04-20 10:04:37 EVENT: WAIT

2019-04-20 10:04:37 Connecting to [domain]:443 (ipv4-address) via TCPv4

2019-04-20 10:04:37 EVENT: CONNECTING

2019-04-20 10:04:37 Tunnel Options:V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth MD5,keysize 128,key-method 2,tls-client

2019-04-20 10:04:37 Creds: Username/Password

2019-04-20 10:04:37 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.3-2104
IV_VER=3.git::728733ae
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1


2019-04-20 10:04:37 VERIFY OK : depth=1
cert. version    : 3
serial number    : C6:04:31:6C:D0:32:1E:D0
issuer name      : C=de, L=Dortmund, O=Vxxxxxxl, CN=Vxxxxxxl VPN CA, emailAddress=admin@domain
subject name      : C=de, L=Dortmund, O=Vxxxxxxl, CN=Vxxxxxxl VPN CA, emailAddress=admin@domain
issued  on        : 2009-10-22 13:28:29
expires on        : 2037-03-08 13:28:29
signed using      : RSA with SHA1
RSA key size      : 1024 bits
basic constraints : CA=true
subject alt name  : 


2019-04-20 10:04:37 VERIFY OK : depth=0
cert. version    : 3
serial number    : C6:04:31:6C:D0:32:1E:D1
issuer name      : C=de, L=Dortmund, O=Vxxxxxxl, CN=Vxxxxxxl VPN CA, emailAddress=admin@domain
subject name      : C=de, L=Dortmund, O=Vxxxxxxl, CN=ASG_1, emailAddress=admin@domain
issued  on        : 2009-10-22 13:28:29
expires on        : 2037-03-08 13:28:08
signed using      : RSA with SHA1
RSA key size      : 1024 bits
basic constraints : CA=false
subject alt name  : ASG_1
key usage        : Digital Signature, Non Repudiation, Key Encipherment


2019-04-20 10:04:37 SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

2019-04-20 10:04:37 Session is ACTIVE
As you can see, a connection is established, certificates are accepted and the VPN tunnel is established.

What does "basic constraints : CA=false" mean?

Note: The same .ovpn file, the same certificates and keys. This would mean that Windows and iOS do not take the validity of the certificates too seriously and also accept incorrect and compromised certificates.

But can this really be?

KR
OpenVpn Newbie
Posts: 12
Joined: Sat Oct 19, 2019 5:50 pm

Re: Connecting error: OpenVPN (Sophos UTM) with Linux and Android OpenVPN Clients

Post by KR » Thu Oct 24, 2019 7:52 pm

TinCanTech wrote:
Sun Oct 20, 2019 4:24 am
Your certificates are bogus and also compromised ..
I would like to learn to understand this statement.

Why can I successfully establish an OpenVPN connection with a fake and compromised certificate under Windows and iOS but not with Linux or Android? Can someone please explain the difference to me?

This is a serious question! I would like to understand it. Thank you!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connecting error: OpenVPN (Sophos UTM) with Linux and Android OpenVPN Clients

Post by TinCanTech » Thu Oct 24, 2019 8:31 pm

KR wrote:
Sat Oct 19, 2019 8:15 pm
There is also an .exe file for Windows, which can be used to install the Sophos VPN client. After all, this is just an OpenVPN client
We know nothing about this.
KR wrote:
Sat Oct 19, 2019 8:15 pm
The certificates are created on the provider's Sophos Astaro appliance and made available to customers and partners for download
And I am sorry but we do not get paid to support this, either.

Use OpenVPN as published by OpenVPN and we can help.

KR
OpenVpn Newbie
Posts: 12
Joined: Sat Oct 19, 2019 5:50 pm

Re: Connecting error: OpenVPN (Sophos UTM) with Linux and Android OpenVPN Clients

Post by KR » Fri Oct 25, 2019 12:21 pm

Okay, thanks!

Let me sum it up:

1.) Windows 7 Prof.:
OpenVPN GUI Client: works
Sophos OpenVPN GUI client: works

2) iOS (iPhone 6s):
OpenVPN client App: works

3.) Ubuntu Linux 19.10:
OpenVPN client on command line: fails
OpenVPN client managed by Network Manager: fails

4.) Android
OpenVPN client App: fails

The same .ovpn config file was used for all client connections. Therefore all connections have the same ca.cert, client.cert and private.key.

With Linux and Android the VPN tunnel could not be established due to the TLS error. Windows and iOS do not report any errors.

The important part of the log for Windows and iOS:

Code:

Fri Oct 25 13:20:21 2019 VERIFY OK: depth=1, C=de, L=Dortmund, O=Vxxxxxxl, CN=Vxxxxxxl VPN CA, emailAddress=admin@xxxxxxxxx.de
Fri Oct 25 13:20:21 2019 VERIFY X509NAME OK: C=de, L=Dortmund, O=Vxxxxxxl, CN=ASG_1, emailAddress=admin@xxxxxxxxx.de
Fri Oct 25 13:20:21 2019 VERIFY OK: depth=0, C=de, L=Dortmund, O=Vxxxxxxl, CN=ASG_1, emailAddress=admin@xxxxxxxxx.de
And with Linux and Android:

Code:

Fri Oct 25 14:12:35 2019 VERIFY OK: depth=1, C=de, L=Dortmund, O=Vxxxxxxl, CN=Vxxxxxxl VPN CA, emailAddress=admin@xxxxxxxxx.de
Fri Oct 25 14:12:35 2019 VERIFY ERROR: depth=0, error=format error in certificate's notAfter field: C=de, L=Dortmund, O=Vxxxxxxl, CN=ASG_1, emailAddress=admin@xxxxxxxxx.de
Fri Oct 25 14:12:35 2019 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
But where is the difference?

Thanks in advance.

Pippin
Forum Team
Posts: 1200
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Connecting error: OpenVPN (Sophos UTM) with Linux and Android OpenVPN Clients

Post by Pippin » Fri Oct 25, 2019 12:38 pm

Take the original *.ovpn file
Open it in a Unix capable editor
Set line ending to Unix
Set Encoding to Unicode UTF-8
Save the file.

Do the same with the keys and certs and try again.

KR
OpenVpn Newbie
Posts: 12
Joined: Sat Oct 19, 2019 5:50 pm

Re: Connecting error: OpenVPN (Sophos UTM) with Linux and Android OpenVPN Clients

Post by KR » Fri Oct 25, 2019 2:05 pm

Thanks for your help. I appreciate that.

Unfortunately it doesn't work.

I made a copy of the config file and then edited it in Kate, changed the character set to UTF-8 and the line ends to Unix style and saved it.

That was too uncertain for me. That's why I edited the config in vi. There I deleted all line endings (DEL) and manually set new line endings (ENTER). I haven't looked at it with the hex editor yet, but it should be enough.

Then I've tried to establish a connection again. Unfortunately the same result. :-(

BTW: The certificates are included in the .ovpn file. I had already extracted them in earlier attempts and saved them separately. Unfortunately without success.

I then tested it with the changed file under Windows. It also works with the edited file.

I think the OpenVPN parser can handle different end-of-line markers and character sets. But it was worth a try.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connecting error: OpenVPN (Sophos UTM) with Linux and Android OpenVPN Clients

Post by TinCanTech » Fri Oct 25, 2019 2:35 pm

You could temporarily paste your certificate (Which is a public file anyway).

https://paste.fedoraproject.org/

KR
OpenVpn Newbie
Posts: 12
Joined: Sat Oct 19, 2019 5:50 pm

Re: Connecting error: OpenVPN (Sophos UTM) with Linux and Android OpenVPN Clients

Post by KR » Fri Oct 25, 2019 5:21 pm

I don't like to post the complete .ovpn config with the CA and private key to the public. Anyone who has the file can use it to connect to this network. Only the username and password would be missing.

But I think I have come a step further:

It must definitely be the version of the OpenVPN client: Until now I had installed OpenVPN 2.3.8-I601 on my Windows notebook. So it worked as I said.

Now I installed version 2.4.7-I607 from the OpenVPN community page on the Windows notebook and what do I see, it doesn't work anymore. There are exactly the same error messages as with Linux and Android!

So I uninstalled the 2.4.7 again and got a 2.3.8-I601 from build.openvpn.net/downloads/releases/ and installed it again. Now it works under Windows as usual again!

So there is a correlation with the version number of OpenVPN!

Probably it would also work under Linux with an outdated version of the client! But I wouldn't like to go back to a completely outdated version under Linux.

But what has been changed? Is it a bug or a feature?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connecting error: OpenVPN (Sophos UTM) with Linux and Android OpenVPN Clients

Post by TinCanTech » Fri Oct 25, 2019 6:15 pm

KR wrote:
Fri Oct 25, 2019 5:21 pm
I don't like to post the complete .ovpn config with the CA and private key to the public
Read what I wrote ...
TinCanTech wrote:
Fri Oct 25, 2019 2:35 pm
You could temporarily paste your certificate (Which is a public file anyway).
KR wrote:
Fri Oct 25, 2019 5:21 pm
So I uninstalled the 2.4.7 again and got a 2.3.8-I601 from build.openvpn.net/downloads/releases/ and installed it again. Now it works under Windows as usual again!
I'm sure ..... logs please.

KR
OpenVpn Newbie
Posts: 12
Joined: Sat Oct 19, 2019 5:50 pm

Re: Connecting error: OpenVPN (Sophos UTM) with Linux and Android OpenVPN Clients

Post by KR » Sun Oct 27, 2019 3:30 pm

Here comes the OpenVPN log for Windows 7 Prof., OpenVPN 2.4.7:

Code:

Sun Oct 27 15:29:49 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
Sun Oct 27 15:29:49 2019 Windows version 6.1 (Windows 7) 64bit
Sun Oct 27 15:29:49 2019 library versions: OpenSSL 1.1.0j  20 Nov 2018, LZO 2.10
Enter Management Password:
[...]
Sun Oct 27 15:29:59 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]ip-address:443
Sun Oct 27 15:29:59 2019 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Oct 27 15:29:59 2019 Attempting to establish TCP connection with [AF_INET]ip-address:443 [nonblock]
Sun Oct 27 15:29:59 2019 MANAGEMENT: >STATE:1572186599,TCP_CONNECT,,,,,,
Sun Oct 27 15:30:00 2019 TCP connection established with [AF_INET]ip-address:443
Sun Oct 27 15:30:00 2019 TCP_CLIENT link local: (not bound)
Sun Oct 27 15:30:00 2019 TCP_CLIENT link remote: [AF_INET]ip-address:443
Sun Oct 27 15:30:00 2019 MANAGEMENT: >STATE:1572186600,WAIT,,,,,,
Sun Oct 27 15:30:00 2019 MANAGEMENT: >STATE:1572186600,AUTH,,,,,,
Sun Oct 27 15:30:00 2019 TLS: Initial packet from [AF_INET]ip-address:443, sid=43f985a3 253cd5a9
Sun Oct 27 15:30:00 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Oct 27 15:30:00 2019 VERIFY OK: depth=1, C=de, L=Dortmund, O=Vxxxxxxl, CN=Vxxxxxxl VPN CA, emailAddress=admin@domainname.de
Sun Oct 27 15:30:00 2019 VERIFY ERROR: depth=0, error=format error in certificate's notAfter field: C=de, L=Dortmund, O=Vxxxxxxl, CN=ASG_1, emailAddress=admin@domainname.de
Sun Oct 27 15:30:00 2019 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Sun Oct 27 15:30:00 2019 TLS_ERROR: BIO read tls_read_plaintext error
Sun Oct 27 15:30:00 2019 TLS Error: TLS object -> incoming plaintext read error
Sun Oct 27 15:30:00 2019 TLS Error: TLS handshake failed
Sun Oct 27 15:30:00 2019 Fatal TLS error (check_tls_errors_co), restarting
Sun Oct 27 15:30:00 2019 SIGUSR1[soft,tls-error] received, process restarting
and so on.

As you can see, the same error messages as in Linux and Android.

With OpenVPN 2.3.8-I601 in Windows it's working fine as described above. No errors!

The certs:

https://paste.fedoraproject.org/paste/- ... nQ4J~iuCRw

I'm getting no further with this problem. Thanks for any help.


KR
OpenVpn Newbie
Posts: 12
Joined: Sat Oct 19, 2019 5:50 pm

Re: Connecting error: OpenVPN (Sophos UTM) with Linux and Android OpenVPN Clients

Post by KR » Sun Oct 27, 2019 6:52 pm

Thank you for your advice. However, I can't classify the tips from the link correctly. I think this is a different configuration. In my case there is no tls-auth. There is a private key and a username/password authentication. Or did I misunderstand that?

Apart from that, my configuration in the OpenVPN client 2.3.8 works fine (in this version only tested under Windows). Only in the newer versions under Windows/Linux/Android not anymore.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connecting error: OpenVPN (Sophos UTM) with Linux and Android OpenVPN Clients

Post by TinCanTech » Sun Oct 27, 2019 7:59 pm

KR wrote:
Sat Oct 19, 2019 8:15 pm
The certificates are created on the provider's Sophos Astaro appliance and made available to customers and partners for download directly as .ovpn files for various operating systems. I have no influence on this! Unfortunately, the service provider is very stubborn. I have to get along with what I have.
We do not support your appliance or your service provider or your customers.

However,
KR wrote:
Fri Oct 25, 2019 12:21 pm
And with Linux and Android:

Code:

Fri Oct 25 14:12:35 2019 VERIFY OK: depth=1, C=de, L=Dortmund, O=Vxxxxxxl, CN=Vxxxxxxl VPN CA, emailAddress=admin@xxxxxxxxx.de
Fri Oct 25 14:12:35 2019 VERIFY ERROR: depth=0, error=format error in certificate's notAfter field: C=de, L=Dortmund, O=Vxxxxxxl, CN=ASG_1, emailAddress=admin@xxxxxxxxx.de
Fri Oct 25 14:12:35 2019 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Then your service provider does not support those platforms.

And there is nothing we can do to help because you get your certificates from your service provider.

I can help but, because this has nothing to do with openvpn, for a fee: tincanteksup <at> gmail

KR
OpenVpn Newbie
Posts: 12
Joined: Sat Oct 19, 2019 5:50 pm

Re: Connecting error: OpenVPN (Sophos UTM) with Linux and Android OpenVPN Clients

Post by KR » Sun Oct 27, 2019 10:30 pm

TinCanTech, I didn't want support for the Sophos appliance.
It's nothing more than an ordinary OpenVPN server. But that's really not the point. Everything works fine with the old OpenVPN client.

Ultimately, I would just like to have answered the question why it is possible to establish a VPN connection with the OpenVPN client in version 2.3.8, but not with version 2.4.7? Tested under Windows. But it is independent of the operating system!

With the older version the connection succeeds at the first attempt, with the current version not any more. What is the difference? Is there even one allowed? This even looks like a bug to me.

I would simply be happy if someone could answer this question for me.

Thanks anyway.
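Editor's note on the open question above, with an added checker that is not code from this thread, from OpenVPN or from Sophos. "VERIFY ERROR: depth=0, error=format error in certificate's notAfter field" is OpenSSL's X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, raised when X509_cmp_time cannot parse the notAfter value of the certificate at depth 0. In these logs depth 0 is the server's own certificate (CN=ASG_1), which the client only ever sees during the TLS handshake; the CA at depth 1 verifies fine, and the CA and client certificate inside the .ovpn are not the ones being rejected. The version pattern in the thread is consistent with the editor's reading of the OpenSSL source (not something the thread itself establishes): OpenSSL 1.0.x, which the 2015-era 2.3.8 Windows build links, accepted slack such as a missing seconds field or a numeric +hhmm offset in certificate times, while OpenSSL 1.1.0 and later, which the failing 2.4.7 (1.1.0j) and Ubuntu (1.1.1c) builds link, require the fixed RFC 5280 forms YYMMDDHHMMSSZ (UTCTime) and YYYYMMDDHHMMSSZ (GeneralizedTime). The iOS app runs OpenVPN 3 on a different TLS library (its certificate dump above is in mbedTLS's format) with its own parser. What the provider's certificate actually contains is not shown on the page. The script below walks the DER of any PEM certificate to its Validity field and reports whether notBefore and notAfter are encoded as RFC 5280 requires; the sample certificates it builds are constructed, unsigned skeletons with only the validity field populated, and the file name check_validity.py is an assumption.

```python
"""Check that a certificate's notBefore/notAfter are encoded as RFC 5280 (and OpenSSL >= 1.1.0) require. Added example, stdlib only."""
import base64
import re
import sys
from datetime import datetime

UTCTIME, GENERALIZEDTIME, SEQUENCE = 0x17, 0x18, 0x30

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                                   # short-form length
        length, hdr = first, 2
    else:                                              # long form: 0x8n, then n length bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def extract_validity(cert_der):
    """Walk Certificate -> tbsCertificate -> validity; return [(tag, text), (tag, text)] exactly as encoded."""
    _, cert_body, _ = _read_tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)                # tbsCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)
    if tag != 0xA0:                                    # [0] EXPLICIT version is optional
        pos = 0
    for _ in range(3):                                 # skip serialNumber, signature, issuer
        pos = _read_tlv(tbs, pos)[2]
    tag, validity, _ = _read_tlv(tbs, pos)
    if tag != SEQUENCE:
        raise ValueError("validity SEQUENCE not found where expected")
    t1, nb, nxt = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, nxt)
    return [(t1, nb.decode("ascii", "replace")), (t2, na.decode("ascii", "replace"))]

def check_time(tag, text):
    """List the problems with one Time value; [] means it is RFC 5280 conformant."""
    problems = []
    if tag == UTCTIME:                                 # YYMMDDHHMMSSZ: seconds and 'Z' are mandatory
        if not re.fullmatch(r"[0-9]{12}Z", text):
            return [f"UTCTime {text!r} is not YYMMDDHHMMSSZ"]
        yy = int(text[:2])                             # RFC 5280 two-digit year rule: 50..99 -> 19xx
        year, body = (1900 + yy if yy >= 50 else 2000 + yy), text[2:-1]
    elif tag == GENERALIZEDTIME:                       # YYYYMMDDHHMMSSZ: no fractions, no offsets
        if not re.fullmatch(r"[0-9]{14}Z", text):
            return [f"GeneralizedTime {text!r} is not YYYYMMDDHHMMSSZ"]
        year, body = int(text[:4]), text[4:-1]
        if year < 2050:                                # RFC 5280 4.1.2.5 wants UTCTime through 2049; OpenSSL tolerates this
            problems.append(f"GeneralizedTime {text!r} before 2050 (advisory: RFC 5280 requires UTCTime)")
    else:
        return [f"tag 0x{tag:02x} is neither UTCTime (0x17) nor GeneralizedTime (0x18)"]
    try:                                               # impossible dates such as 30 February
        datetime.strptime(f"{year:04d}{body}", "%Y%m%d%H%M%S")
    except ValueError:
        problems.append(f"{text!r} has an out-of-range date/time field")
    return problems

def check_cert_der(cert_der):
    """Map 'notBefore'/'notAfter' -> (encoded text, list of problems)."""
    (t1, nb), (t2, na) = extract_validity(cert_der)
    return {"notBefore": (nb, check_time(t1, nb)), "notAfter": (na, check_time(t2, na))}

def check_cert_pem(pem_text):
    """Same for a PEM certificate, also one inside <ca>/<cert> tags or after an 'openssl x509 -text' dump."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return check_cert_der(base64.b64decode("".join(m.group(1).split())))

def _tlv(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def time_tlv(tag, text):
    """Raw Time TLV, e.g. time_tlv(UTCTIME, '370308132808Z')."""
    return _tlv(tag, text.encode("ascii"))

def build_sample_cert(not_before, not_after):
    """Constructed, unsigned certificate in which only the validity field is meaningful."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))            # [0] version v3
           + _tlv(0x02, b"\x01")                       # serialNumber 1
           + _tlv(SEQUENCE, b"") + _tlv(SEQUENCE, b"")  # signature, issuer (placeholders)
           + _tlv(SEQUENCE, not_before + not_after)    # validity
           + _tlv(SEQUENCE, b"") + _tlv(SEQUENCE, b""))  # subject, subjectPublicKeyInfo (placeholders)
    return _tlv(SEQUENCE, _tlv(SEQUENCE, tbs) + _tlv(SEQUENCE, b"") + _tlv(0x03, b"\x00"))

if __name__ == "__main__":
    if len(sys.argv) > 1:                              # python3 check_validity.py server.crt
        result = check_cert_pem(open(sys.argv[1]).read())
    else:                                              # no file: constructed notAfter without seconds
        result = check_cert_der(build_sample_cert(time_tlv(UTCTIME, "191022132829Z"),
                                                  time_tlv(UTCTIME, "3703081328Z")))
    for field, (text, problems) in result.items():
        print(f"{field}: {text}  {'OK' if not problems else '; '.join(problems)}")
```

Run it as `python3 check_validity.py server.crt` on the certificate that fails (the server's, which only the operator of the appliance can export and re-issue), or on the CA and client certificates from the .ovpn to rule those out; without an argument it reports on the constructed sample whose notAfter lacks seconds. The same raw view is available from the OpenSSL CLI with `openssl asn1parse -in server.crt -i | grep -E 'UTCTIME|GENERALIZEDTIME'`, which prints the tag and the bytes as encoded rather than a normalized date. Note that `openssl x509 -noout -dates` is not a substitute: it prints a parsed date and will not show whether seconds or the trailing Z are present. Staying on 2.3.8 on the client side only works because that build carries an OpenSSL 1.0.x; the certificate itself has to be fixed on the server.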
