TLS Error. Can't connect server to some clients

simozz
OpenVpn Newbie
Posts: 1
Joined: Thu Sep 21, 2017 10:27 am

TLS Error. Can't connect server to some clients

Post by simozz » Thu Sep 21, 2017 12:19 pm

Hello,

I am facing a strange problem between the openvpn server and a few clients.
The situation is the typical one with one server and multiple clients that connect from the public network.

The client config file is as follows:

Code:

client
dev tap0
proto udp
remote <SERVER PUBLIC> 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nogroup
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert sazzalin.crt
key sazzalin.key
ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
;mute 20
while the server config file is:

Code:

port 1194
proto udp
server-bridge 192.168.16.252 255.255.255.0 192.168.16.230 192.168.16.240
dev tap0
ca ca.crt
cert <SERVER NAME>.crt
tun-mtu 1454
key <SERVER NAME>.key 
dh dh2048.pem
script-security 2
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
ifconfig-pool-persist ipp.txt
keepalive 10 600
comp-lzo
persist-key
persist-tun
verb 3
mute 20
status openvpn-status.log
log-append openvpn.log
client-config-dir /etc/openvpn/ccd
client-to-client
The configuration works just for some clients (one, actually: the computer I am writing from) while not for others I am trying to create right now.
The same configuration file is used for all the clients, but after creating the certificate for one new client with:

Code:

build-key <client name>
and passing the files to the client's host computer, I cannot connect and I can see the following errors from openvpn server log file:

Code:

TLS: Initial packet from [AF_INET]<CLIENT PUBLIC IP>:54102, sid=8f93faa1 18460998
Thu Sep 21 13:23:53 2017 <CLIENT PUBLIC IP>:54102 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=ES, ST=B, L=Barcelona, O=AD Telecom, OU=ADVPN, CN=<client name>, name=ADVPN, emailAddress=<email address>
Thu Sep 21 13:23:53 2017 <CLIENT PUBLIC IP>:54102 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Thu Sep 21 13:23:53 2017 <CLIENT PUBLIC IP>:54102 TLS Error: TLS object -> incoming plaintext read error
Thu Sep 21 13:23:53 2017 <CLIENT PUBLIC IP>:54102 TLS Error: TLS handshake failed
Thu Sep 21 13:23:53 2017 <CLIENT PUBLIC IP>:54102 SIGUSR1[soft,tls-error] received, client-instance restarting
It's strange that for some clients I don't have any problem while I do for new ones. The test for this new client has been made with a Linux client and a Windows client. Both fail.

What is causing this error?
How can I solve this issue?

Thank you in advance.
Regards,
Simon
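As an added example (not from the post above and not OpenVPN's own code), the following POSIX shell script uses openssl to check whether a client certificate chains to a given ca.crt, which is what the server's "ca" directive requires of every client cert it is presented with. It builds two throw-away CAs and one client certificate, then verifies that certificate against the CA that issued it and against the other one; the second check produces the same reason string, "unable to get local issuer certificate", that the posted server log shows after "VERIFY ERROR: depth=0, error=". The CA names, CNs and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the forum post or of OpenVPN itself.
# Checks whether a client certificate chains to a given CA file the way
# OpenVPN's "ca" directive requires, and shows the reason string OpenSSL
# gives when it does not. CA names, CNs and file names are constructed here.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal request config so the script does not depend on a system openssl.cnf.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

make_ca() {          # make_ca <basename> <CN>: throw-away self-signed CA
    openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

issue_client() {     # issue_client <ca-basename> <client-basename> <CN>
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
        -keyout "$2.key" -out "$2.csr" -subj "/CN=$3" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -sha256 -days 1 -out "$2.crt" >/dev/null 2>&1
}

# check_client_cert <ca.crt> <client.crt>
# Prints "ok" and returns 0 when client.crt chains to ca.crt; otherwise prints
# the lookup reason from "openssl verify" (for a cert issued by some other CA
# this is "unable to get local issuer certificate", the text OpenVPN logs
# after "VERIFY ERROR: depth=0, error=") and returns 1.
check_client_cert() {
    verify_out="$(openssl verify -CAfile "$1" "$2" 2>&1 || true)"
    case "$verify_out" in
        *": OK"*) echo ok; return 0 ;;
    esac
    reason="$(printf '%s\n' "$verify_out" | sed -n 's/.*depth lookup: *//p' | head -n 1)"
    echo "${reason:-verification failed}"
    return 1
}

show_names() {       # show_names <ca.crt> <client.crt>: the two names that must match
    echo "CA subject : $(openssl x509 -noout -subject -in "$1")"
    echo "cert issuer: $(openssl x509 -noout -issuer -in "$2")"
}

report() {           # report <ca.crt> <client.crt>: names plus verify result
    show_names "$1" "$2"
    printf 'openssl verify: '
    check_client_cert "$1" "$2" || true
    echo
}

make_ca ca-good "Example VPN CA"
make_ca ca-other "Unrelated CA"
issue_client ca-good client "example-client"

echo "Client certificate against the CA that issued it:"
report ca-good.crt client.crt
echo "Same client certificate against a CA file that did not issue it:"
report ca-other.crt client.crt
```

Run it with no arguments; it prints the CA subject next to the client certificate's issuer for both cases, followed by the verify result. To apply the same check to a real deployment, call check_client_cert with the ca.crt the server loads and the .crt file given to the client (for the post's client config that would be ca.crt and sazzalin.crt); the first two lines of output from show_names are the names that have to agree for the server-side verification at depth 0 to succeed.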
