DD-WRT / OpenVPN AS : Certificate does not have key usage extension

JmL
OpenVpn Newbie
Posts: 4
Joined: Thu Jun 04, 2020 8:06 pm

Post by JmL » Thu Jun 04, 2020 8:11 pm

Hello,

I cannot find a way to solve my problem.

I installed OpenVPN AS on a VPS server. I am trying to configure a router with DD-WRT OS to use the OpenVPN client on it.

OpenVPN AS was installed with the basic configuration; I just added a new user "user" with autologin activated.

On my DD-WRT router, I configured the OpenVPN client and I get this error: CA certificate does not have key usage extension.

Logs:

20200604 21:52:40 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
20200604 21:52:40 I TCP/UDP: Preserving recently used remote address: [AF_INET]192.99.245.185:1194 
20200604 21:52:40 Socket Buffers: R=[180224->180224] S=[180224->180224] 
20200604 21:52:40 I UDPv4 link local: (not bound) 
20200604 21:52:40 I UDPv4 link remote: [AF_INET]192.99.245.185:1194 
20200604 21:52:40 TLS: Initial packet from [AF_INET]192.99.245.185:1194 sid=eb13b1f7 408aafc7 
20200604 21:52:41 VERIFY OK: depth=1 CN=OpenVPN CA 
20200604 21:52:41 N Certificate does not have key usage extension 
20200604 21:52:41 VERIFY KU ERROR 
20200604 21:52:41 N OpenSSL: error:1416F086:lib(20):func(367):reason(134) 
20200604 21:52:41 N TLS_ERROR: BIO read tls_read_plaintext error 
20200604 21:52:41 N TLS Error: TLS object -> incoming plaintext read error 
20200604 21:52:41 NOTE: --mute triggered... 
20200604 21:52:41 1 variation(s) on previous 3 message(s) suppressed by --mute 
20200604 21:52:41 I SIGUSR1[soft tls-error] received process restarting 
20200604 21:52:41 Restart pause 300 second(s) 
20200604 21:54:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20200604 21:54:35 D MANAGEMENT: CMD 'state' 
20200604 21:54:35 MANAGEMENT: Client disconnected 
20200604 21:54:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20200604 21:54:35 D MANAGEMENT: CMD 'state' 
20200604 21:54:35 MANAGEMENT: Client disconnected 
20200604 21:54:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20200604 21:54:35 D MANAGEMENT: CMD 'state' 
20200604 21:54:35 MANAGEMENT: Client disconnected 
20200604 21:54:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20200604 21:54:35 D MANAGEMENT: CMD 'status 2' 
20200604 21:54:35 MANAGEMENT: Client disconnected 
20200604 21:54:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 
20200604 21:54:35 D MANAGEMENT: CMD 'log 500' 

Can you help me?

Thanks

TinCanTech
OpenVPN Protagonist
Posts: 7342
Joined: Fri Jun 03, 2016 1:17 pm

Re: DD-WRT / OpenVPN AS : Certificate does not have key usage extension

Post by TinCanTech » Thu Jun 04, 2020 8:15 pm

See --remote-cert-ku in the manual.

Re: DD-WRT / OpenVPN AS : Certificate does not have key usage extension

Post by JmL » Thu Jun 04, 2020 9:26 pm

Hi, thanks,

Should I just add this command on the client?: --remote-cert-ku [v…]

thanks

Re: DD-WRT / OpenVPN AS : Certificate does not have key usage extension

Post by JmL » Fri Jun 05, 2020 6:34 am

Here is my client.conf:

ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tun1
proto udp4
cipher bf-cbc
auth sha1
remote XX.XX.XX.XX 1194
comp-lzo yes
tls-client
tun-mtu 1500
mtu-disc yes
remote-cert-tls server
fast-io
tls-auth /tmp/openvpncl/ta.key 1
tls-cipher TLS-RSA-WITH-AES-256-CBC-SHA256
route-up /tmp/openvpncl/route-up.sh
route-pre-down /tmp/openvpncl/route-down.sh



Re: DD-WRT / OpenVPN AS : Certificate does not have key usage extension

Post by JmL » Sat Jun 06, 2020 11:47 am

Hello, solved, disabled server cert verification
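
An added example, not part of the thread and not OpenVPN or DD-WRT code: a small Python audit that reports which server-certificate checks a client config enables, using the documented expansion of remote-cert-tls server into remote-cert-ku plus remote-cert-eku "TLS Web Server Authentication". The AFTER and NARROWER configs are constructed assumptions; the thread shows neither the final config nor the server certificate's extensions.

```python
import shlex

# Constructed excerpts. POSTED keeps only the relevant lines of the client.conf
# in the thread. AFTER is an assumption about what "disabled server cert
# verification" produced; NARROWER is a hypothetical variant (server-cn is a
# placeholder name) that drops only the key usage requirement.
POSTED = "client\nca /tmp/openvpncl/ca.crt\ntls-client\nremote-cert-tls server\n"
AFTER = POSTED.replace("remote-cert-tls server\n", "")
NARROWER = AFTER + ('remote-cert-eku "TLS Web Server Authentication"\n'
                    "verify-x509-name server-cn name\n")

def directives(text):
    """Yield (name, args) per directive, skipping comments and inline <blocks>."""
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block and line and line[0] not in "#;":
            parts = shlex.split(line, comments=True)
            if parts:
                yield parts[0].lstrip("-"), parts[1:]

def server_cert_checks(text):
    """Return the checks the client applies to the server certificate."""
    checks = set()
    for name, args in directives(text):
        if name == "remote-cert-tls" and args[:1] == ["server"]:
            # Shorthand for remote-cert-ku plus
            # remote-cert-eku "TLS Web Server Authentication".
            checks |= {"key-usage", "extended-key-usage"}
        elif name == "remote-cert-ku":
            checks.add("key-usage")
        elif name == "remote-cert-eku":
            checks.add("extended-key-usage")
        elif name == "verify-x509-name":
            checks.add("subject-name")
    return checks

def audit(text):
    checks = server_cert_checks(text)
    if not checks:
        return "none: any certificate issued by the configured CA is accepted"
    return ", ".join(sorted(checks))

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("after", AFTER), ("narrower", NARROWER)):
        print(f"{label}: {audit(conf)}")
```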
