OVPN Profile Works on Windows but not on Android

Post Reply
eduardoferrari
OpenVpn Newbie
Posts: 3
Joined: Thu Aug 23, 2018 9:23 am

OVPN Profile Works on Windows but not on Android

Post by eduardoferrari » Thu Aug 23, 2018 9:30 am

Hello guys,

I tried to found a solution here on the forums but I didn't have success...

I have open VPN profile working perfectly on my Windows machine, and now I'm trying to configure the same VPN on my Android Device, I have copied all the files from config folder from windows to my SD card (the certificates and the .ovpn file)

But when I try to connect on android I got this error message and the log below:
11:20:06.947 -- VERIFY FAIL -- bad ns-cert-type in leaf certificate

11:20:06.950 -- Transport Error: mbed TLS: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

11:20:06.952 -- EVENT: CERT_VERIFY_FAIL info='mbed TLS: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed'
Full Log:
11:20:06.191 -- ----- OpenVPN Start -----

11:20:06.193 -- EVENT: CORE_THREAD_ACTIVE

11:20:06.228 -- Frame=512/2048/512 mssfix-ctrl=1250

11:20:06.233 -- UNUSED OPTIONS
8 [tls-cipher] [TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-1...]
11 [resolv-retry] [infinite]
12 [auth-retry] [none]
13 [nobind]
14 [persist-key]
15 [persist-tun]
18 [verb] [3]
19 [tls-client]


11:20:06.245 -- EVENT: RESOLVE

11:20:06.252 -- Contacting XXX.XXX.XXX.XXX:1194 via UDP

11:20:06.254 -- EVENT: WAIT

11:20:06.267 -- Connecting to [XXX.XXX.XXX.XXX]:1194 (XXX.XXX.XXX.XXX) via UDPv4

11:20:06.627 -- EVENT: CONNECTING

11:20:06.636 -- Tunnel Options:V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client

11:20:06.640 -- Creds: UsernameEmpty/PasswordEmpty

11:20:06.644 -- Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.2
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_AUTO_SESS=1


11:20:06.935 -- VERIFY OK : depth=1
cert. version : 3
serial number : DA:5A:7A:62:9F:12:04:BF
issuer name : CN=MY_VPN_NAME
subject name : CN=MY_VPN_NAME
issued on : 2018-08-14 19:33:00
expires on : 2028-08-11 19:33:00
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign


11:20:06.941 -- VERIFY OK : depth=0
cert. version : 3
serial number : C0:91:35:E3:02:F0:C8:75:D6:FE:CD:57:A3:29:31:5D
issuer name : CN=MY_VPN_NAME
subject name : CN=server
issued on : 2018-08-14 19:35:19
expires on : 2028-08-11 19:35:19
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name : server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication


11:20:06.947 -- VERIFY FAIL -- bad ns-cert-type in leaf certificate

11:20:06.950 -- Transport Error: mbed TLS: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

11:20:06.952 -- EVENT: CERT_VERIFY_FAIL info='mbed TLS: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed'

11:20:06.962 -- EVENT: DISCONNECTED

11:20:06.970 -- EVENT: CORE_THREAD_INACTIVE

11:20:06.972 -- Tunnel bytes per CPU second: 0

11:20:06.973 -- ----- OpenVPN Stop -----
I'm using the OpenVPN android version 3.0.5.(1816)

Thanks a lot for the help

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7175
Joined: Fri Jun 03, 2016 1:17 pm

Re: OVPN Profile Works on Windows but not on Android

Post by TinCanTech » Thu Aug 23, 2018 12:45 pm

eduardoferrari wrote:
Thu Aug 23, 2018 9:30 am
I have open VPN profile working perfectly on my Windows machine, and now I'm trying to configure the same VPN on my Android Device, I have copied all the files from config folder from windows to my SD card (the certificates and the .ovpn file)
Please post your client config files .. Windows and Android.

eduardoferrari
OpenVpn Newbie
Posts: 3
Joined: Thu Aug 23, 2018 9:23 am

Re: OVPN Profile Works on Windows but not on Android

Post by eduardoferrari » Thu Aug 23, 2018 6:04 pm

Hi TinCanTech,

All the files, keys and certificates are in the same folder, I´m using the same files for Windows and Android

This is the content of client.ovpn file:
client
dev tun
proto udp
remote XXX.XXX.XXX.XXX
ca ca.crt
cert client.crt
key client.key
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
cipher AES-256-CBC
auth SHA512
resolv-retry infinite
auth-retry none
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
tls-client
tls-auth pfs.key

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7175
Joined: Fri Jun 03, 2016 1:17 pm

Re: OVPN Profile Works on Windows but not on Android

Post by TinCanTech » Thu Aug 23, 2018 6:47 pm

eduardoferrari wrote:
Thu Aug 23, 2018 6:04 pm
ns-cert-type server
This is deprecated.

See --ns-cert-type in The Manual v24x

Your log:
eduardoferrari wrote:
Thu Aug 23, 2018 6:04 pm
11:20:06.947 -- VERIFY FAIL -- bad ns-cert-type in leaf certificate
shows that the server certificate does not have this key usage set.
eduardoferrari wrote:
Thu Aug 23, 2018 9:30 am
I have open VPN profile working perfectly on my Windows machine, and now I'm trying to configure the same VPN on my Android Device, I have copied all the files from config folder from windows to my SD card (the certificates and the .ovpn file)
I am surprised that windows works ..

eduardoferrari
OpenVpn Newbie
Posts: 3
Joined: Thu Aug 23, 2018 9:23 am

Re: OVPN Profile Works on Windows but not on Android

Post by eduardoferrari » Fri Aug 24, 2018 6:14 am

TinCanTech wrote:
Thu Aug 23, 2018 6:47 pm
eduardoferrari wrote:
Thu Aug 23, 2018 6:04 pm
ns-cert-type server
This is deprecated.

See --ns-cert-type in The Manual v24x

Your log:
eduardoferrari wrote:
Thu Aug 23, 2018 6:04 pm
11:20:06.947 -- VERIFY FAIL -- bad ns-cert-type in leaf certificate
shows that the server certificate does not have this key usage set.
eduardoferrari wrote:
Thu Aug 23, 2018 9:30 am
I have open VPN profile working perfectly on my Windows machine, and now I'm trying to configure the same VPN on my Android Device, I have copied all the files from config folder from windows to my SD card (the certificates and the .ovpn file)
I am surprised that windows works ..
Hahaha,

This the full windows log before the connection and disconnection:
Thu Aug 23 23:11:38 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Thu Aug 23 23:11:38 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Aug 23 23:11:38 2018 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Thu Aug 23 23:11:38 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Aug 23 23:11:38 2018 Need hold release from management interface, waiting...
Thu Aug 23 23:11:39 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Aug 23 23:11:39 2018 MANAGEMENT: CMD 'state on'
Thu Aug 23 23:11:39 2018 MANAGEMENT: CMD 'log all on'
Thu Aug 23 23:11:39 2018 MANAGEMENT: CMD 'echo all on'
Thu Aug 23 23:11:39 2018 MANAGEMENT: CMD 'bytecount 5'
Thu Aug 23 23:11:39 2018 MANAGEMENT: CMD 'hold off'
Thu Aug 23 23:11:39 2018 MANAGEMENT: CMD 'hold release'
Thu Aug 23 23:11:39 2018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Aug 23 23:11:39 2018 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Aug 23 23:11:39 2018 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Aug 23 23:11:39 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Thu Aug 23 23:11:39 2018 Socket Buffers: R=[65536->65536] S=[64512->64512]
Thu Aug 23 23:11:39 2018 UDP link local: (not bound)
Thu Aug 23 23:11:39 2018 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Thu Aug 23 23:11:39 2018 MANAGEMENT: >STATE:1535058699,WAIT,,,,,,
Thu Aug 23 23:11:39 2018 MANAGEMENT: >STATE:1535058699,AUTH,,,,,,
Thu Aug 23 23:11:39 2018 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=4004bc87 cc4521a6
Thu Aug 23 23:11:39 2018 VERIFY OK: depth=1, CN=MY_VPN_NAME
Thu Aug 23 23:11:39 2018 VERIFY OK: nsCertType=SERVER
Thu Aug 23 23:11:39 2018 VERIFY OK: depth=0, CN=server
Thu Aug 23 23:11:42 2018 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Aug 23 23:11:42 2018 [server] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
Thu Aug 23 23:11:43 2018 MANAGEMENT: >STATE:1535058703,GET_CONFIG,,,,,,
Thu Aug 23 23:11:43 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Aug 23 23:11:43 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Thu Aug 23 23:11:43 2018 OPTIONS IMPORT: timers and/or timeouts modified
Thu Aug 23 23:11:43 2018 OPTIONS IMPORT: --ifconfig/up options modified
Thu Aug 23 23:11:43 2018 OPTIONS IMPORT: route options modified
Thu Aug 23 23:11:43 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Aug 23 23:11:43 2018 OPTIONS IMPORT: peer-id set
Thu Aug 23 23:11:43 2018 OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Aug 23 23:11:43 2018 OPTIONS IMPORT: data channel crypto options modified
Thu Aug 23 23:11:43 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Aug 23 23:11:43 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Aug 23 23:11:43 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Aug 23 23:11:43 2018 interactive service msg_channel=632
Thu Aug 23 23:11:43 2018 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=25 HWADDR=80:ce:62:d6:88:bd
Thu Aug 23 23:11:43 2018 open_tun
Thu Aug 23 23:11:43 2018 TAP-WIN32 device [Ethernet 6] opened: \\.\Global\{C153900B-1EF7-4129-9167-5B8BD8107BE5}.tap
Thu Aug 23 23:11:43 2018 TAP-Windows Driver Version 9.21
Thu Aug 23 23:11:43 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {C153900B-1EF7-4129-9167-5B8BD8107BE5} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Thu Aug 23 23:11:43 2018 Successful ARP Flush on interface [29] {C153900B-1EF7-4129-9167-5B8BD8107BE5}
Thu Aug 23 23:11:43 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Aug 23 23:11:43 2018 MANAGEMENT: >STATE:1535058703,ASSIGN_IP,,10.8.0.6,,,,
Thu Aug 23 23:11:48 2018 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Thu Aug 23 23:11:48 2018 C:\WINDOWS\system32\route.exe ADD XXX.XXX.XXX.XXX MASK 255.255.255.255 192.168.1.1
Thu Aug 23 23:11:48 2018 Route addition via service succeeded
Thu Aug 23 23:11:48 2018 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Thu Aug 23 23:11:48 2018 Route addition via service succeeded
Thu Aug 23 23:11:48 2018 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Thu Aug 23 23:11:48 2018 Route addition via service succeeded
Thu Aug 23 23:11:48 2018 MANAGEMENT: >STATE:1535058708,ADD_ROUTES,,,,,,
Thu Aug 23 23:11:48 2018 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Thu Aug 23 23:11:48 2018 Route addition via service succeeded
Thu Aug 23 23:11:48 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Aug 23 23:11:48 2018 Initialization Sequence Completed
Thu Aug 23 23:11:48 2018 MANAGEMENT: >STATE:1535058708,CONNECTED,SUCCESS,10.8.0.6,XXX.XXX.XXX.XXX,1194,,
Thu Aug 23 23:12:59 2018 C:\WINDOWS\system32\route.exe DELETE 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Thu Aug 23 23:12:59 2018 Route deletion via service succeeded
Thu Aug 23 23:12:59 2018 C:\WINDOWS\system32\route.exe DELETE XXX.XXX.XXX.XXX MASK 255.255.255.255 192.168.1.1
Thu Aug 23 23:12:59 2018 Route deletion via service succeeded
Thu Aug 23 23:12:59 2018 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Thu Aug 23 23:12:59 2018 Route deletion via service succeeded
Thu Aug 23 23:12:59 2018 C:\WINDOWS\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Thu Aug 23 23:12:59 2018 Route deletion via service succeeded
Thu Aug 23 23:12:59 2018 Closing TUN/TAP interface
Thu Aug 23 23:12:59 2018 TAP: DHCP address released
Thu Aug 23 23:12:59 2018 SIGTERM[hard,] received, process exiting
Thu Aug 23 23:12:59 2018 MANAGEMENT: >STATE:1535058779,EXITING,SIGTERM,,,,,
I saw that I got a warning from windows about the "ns-cert-type server" but the connection works fine. I replaced the config on Android for the new one, but sill not connecting.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7175
Joined: Fri Jun 03, 2016 1:17 pm

Re: OVPN Profile Works on Windows but not on Android

Post by TinCanTech » Fri Aug 24, 2018 1:08 pm

Since you know --ns-cert-type is deprecated .. now! would be a good time to make a new server certificate.

I would create an entirely new PKI:
https://github.com/OpenVPN/easy-rsa/releases

Post Reply