Cannot connect using OpenVPN for Windows

atranmisc
OpenVpn Newbie
Posts: 6
Joined: Mon Jan 17, 2022 10:01 pm

Cannot connect using OpenVPN for Windows

Post by atranmisc » Mon Jan 17, 2022 10:17 pm

I have an OpenVPN server running on my EdgeRouter and can connect to it using both the Android and iOS OpenVPN clients without any problem. I cannot, however, connect to it using the Windows OpenVPN client on my Windows 10 computer. Note that I'm using the same set of .ovpn and cert files on all three platforms: Android, iOS and Windows. For the Windows OpenVPN client, the OpenVPN server log shows there is an initial attempt to connect, but nothing else gets through after that until a retry (again and again) by the client. Below is what shows in the Windows OpenVPN client log. This error repeats itself with each retry by the Windows OpenVPN client. I have also tried both versions 2.5.0 and 2.5.5 of the Windows OpenVPN client, and they both result in the same errors. Any help will be appreciated.

2022-01-17 16:48:04 OpenVPN 2.5.5 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 15 2021
2022-01-17 16:48:04 Windows version 10.0 (Windows 10 or greater) 64bit
2022-01-17 16:48:04 library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
2022-01-17 16:48:04 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-17 16:48:04 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-17 16:48:04 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.80.1:443
2022-01-17 16:48:04 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-01-17 16:48:04 UDP link local: (not bound)
2022-01-17 16:48:04 UDP link remote: [AF_INET]192.168.80.1:443
2022-01-17 16:48:04 TLS: Initial packet from [AF_INET]192.168.80.1:443, sid=1f7147dd d20d449a
2022-01-17 16:48:04 VERIFY OK: <!!! MY OPENVPN SERVER CERT DN IS SHOWING HERE - REMOVED BEFORE POSTING LOG FILE !!!>
2022-01-17 16:48:04 Certificate does not have key usage extension
2022-01-17 16:48:04 VERIFY KU ERROR
2022-01-17 16:48:04 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2022-01-17 16:48:04 TLS_ERROR: BIO read tls_read_plaintext error
2022-01-17 16:48:04 TLS Error: TLS object -> incoming plaintext read error
2022-01-17 16:48:04 TLS Error: TLS handshake failed
2022-01-17 16:48:04 SIGUSR1[soft,tls-error] received, process restarting
2022-01-17 16:48:04 Restart pause, 5 second(s)
Last edited by atranmisc on Mon Jan 17, 2022 10:51 pm, edited 1 time in total.

TinCanTech
Forum Team
Posts: 10716
Joined: Fri Jun 03, 2016 1:17 pm

Re: Cannot connect using OpenVPN for Windows

Post by TinCanTech » Mon Jan 17, 2022 10:41 pm

atranmisc wrote:
Mon Jan 17, 2022 10:17 pm
2022-01-17 16:48:04 Certificate does not have key usage extension
2022-01-17 16:48:04 VERIFY KU ERROR
Your server certificate is not suitable for OpenVPN 2.5.5

atranmisc
OpenVpn Newbie
Posts: 6
Joined: Mon Jan 17, 2022 10:01 pm

Re: Cannot connect using OpenVPN for Windows

Post by atranmisc » Mon Jan 17, 2022 11:03 pm

TinCanTech wrote:
Mon Jan 17, 2022 10:41 pm
atranmisc wrote:
Mon Jan 17, 2022 10:17 pm
2022-01-17 16:48:04 Certificate does not have key usage extension
2022-01-17 16:48:04 VERIFY KU ERROR
Your server certificate is not suitable for OpenVPN 2.5.5
I did try with OpenVPN 2.5.0 and got the same errors. I generally don't like to run an older software version, but wanted to check and confirm, as I don't have any problem with my Android and iOS clients. Is there anything you can suggest for me to check regarding my server cert? What "key usage extension" is it expecting? Do you know of an older version of the Windows OpenVPN client that does NOT care about the key usage extension for me to test out - just for the purpose of checking before I remake my server cert? Thanks.

TinCanTech
Forum Team
Posts: 10716
Joined: Fri Jun 03, 2016 1:17 pm

Re: Cannot connect using OpenVPN for Windows

Post by TinCanTech » Mon Jan 17, 2022 11:26 pm

Paste your client config (without the certs and keys).

Also see viewtopic.php?f=30&t=22603#p68963

atranmisc
OpenVpn Newbie
Posts: 6
Joined: Mon Jan 17, 2022 10:01 pm

Re: Cannot connect using OpenVPN for Windows

Post by atranmisc » Tue Jan 18, 2022 1:52 am

TinCanTech wrote:
Mon Jan 17, 2022 11:26 pm
Paste your client config (without the certs and keys).

Also see viewtopic.php?f=30&t=22603#p68963
Please see my OpenVPN server and client config files below. Let me know if you still need me to send a verb 4 log as indicated in the other post. The only difference between the Windows and Android/iOS configurations is the addition of the askpass entry in the .ovpn file. I add askpass to the Windows .ovpn file as I don't know where else to provide/type it in otherwise. Thanks again.

** SERVER **
description openvpn
mode server
openvpn-option --persist-key
openvpn-option --persist-tun
openvpn-option "--keepalive 10 120"
openvpn-option "--user nobody"
openvpn-option "--group nogroup"
openvpn-option "--cipher AES-256-CBC"
openvpn-option "--auth SHA256"
openvpn-option "--port 443"
openvpn-option "--tls-auth /config/auth/ta.key 0"
openvpn-option --tls-server
openvpn-option "--proto udp"
openvpn-option "--ifconfig-pool-persist ipp.txt"
openvpn-option "--mute 10"
openvpn-option "--dev vtun0"
server {
name-server 192.168.80.1
subnet 10.8.0.0/24
}
tls {
ca-cert-file /config/auth/cacert.pem
cert-file /config/auth/server.pem
dh-file /config/auth/dh.pem
key-file /config/auth/server.key
}

** CLIENT **
client
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA256
dev tun
proto udp
redirect-gateway def1
key-direction 1
remote 192.168.80.1 443
remote-cert-tls server
resolv-retry infinite
nobind
float
auth-nocache
persist-key
persist-tun
verb 4
askpass "C:\\Program Files\\OpenVPN\\config-auto\\pass.txt"
ca "C:\\Program Files\\OpenVPN\\config-auto\\cacert.pem"
cert "C:\\Program Files\\OpenVPN\\config-auto\\atran.pem"
key "C:\\Program Files\\OpenVPN\\config-auto\\atran_pw.key"
tls-auth "C:\\Program Files\\OpenVPN\\config-auto\\ta.key" 1

TinCanTech
Forum Team
Posts: 10716
Joined: Fri Jun 03, 2016 1:17 pm

Re: Cannot connect using OpenVPN for Windows

Post by TinCanTech » Tue Jan 18, 2022 3:08 am

atranmisc wrote:
Tue Jan 18, 2022 1:52 am
** CLIENT **

<s>

remote-cert-tls server
Your server certificate does not have this attribute.

atranmisc
OpenVpn Newbie
Posts: 6
Joined: Mon Jan 17, 2022 10:01 pm

Re: Cannot connect using OpenVPN for Windows

Post by atranmisc » Tue Jan 18, 2022 3:58 am

TinCanTech wrote:
Tue Jan 18, 2022 3:08 am
atranmisc wrote:
Tue Jan 18, 2022 1:52 am
** CLIENT **

<s>

remote-cert-tls server
Your server certificate does not have this attribute.
Nice. I removed that line from the client config and it starts working. Interesting to know the Android and iOS OpenVPN apps don't check on this. Do you know which exact X.509 key usage extension that corresponds to? Is that the same as "X509v3 Extended Key Usage: TLS Web Server Authentication" or is it something else? Thanks a bunch!!!

TinCanTech
Forum Team
Posts: 10716
Joined: Fri Jun 03, 2016 1:17 pm

Re: Cannot connect using OpenVPN for Windows

Post by TinCanTech » Tue Jan 18, 2022 2:56 pm

atranmisc wrote:
Tue Jan 18, 2022 3:58 am
Is that the same as "X509v3 Extended Key Usage: TLS Web Server Authentication"
Yes. Use Easy-RSA v3 to build a new server cert.
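The check behind the "VERIFY KU ERROR" in the first post, as an added example written for this page (it is not code from the thread, from OpenVPN or from Easy-RSA). OpenVPN 2.5 documents "--remote-cert-tls server" as the pair "--remote-cert-ku" (a Key Usage extension must be present, any value) plus "--remote-cert-eku 'TLS Web Server Authentication'"; the script below applies those two tests to a PEM file with openssl so you can inspect a server certificate before a client ever tries it. The function names (check_remote_cert_tls_server, issue_cert, make_test_pki, demo), the throwaway CA and the three leaf certificates it builds ("server-noext" shaped like the server cert in the thread, "server-ok" shaped like Easy-RSA 3's build-server-full output, and "client" with a Key Usage but the client EKU) are this example's own constructed test data; the EKU/KU contents of a real Easy-RSA 3 server cert are stated as an assumption in the comments.

```shell
#!/bin/sh
# Added example, not from the thread. Emulates the two tests OpenVPN 2.5's
# "remote-cert-tls server" applies to the server certificate (assumption:
# the 2.5 manual describes it as --remote-cert-ku plus
# --remote-cert-eku "TLS Web Server Authentication"). Needs openssl.

# Apply the checks to one PEM certificate. Prints a reason in the style of
# the client log; returns 0 on pass, 1 on failure, 2 if the file is unreadable.
check_remote_cert_tls_server() {
    cert=$1
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 2
    # 1. Key Usage extension must exist (value is not inspected by 2.5)
    if ! printf '%s\n' "$text" | grep -q 'X509v3 Key Usage:'; then
        echo "$cert: Certificate does not have key usage extension (VERIFY KU ERROR)"
        return 1
    fi
    # 2. Extended Key Usage must list TLS Web Server Authentication
    if ! printf '%s\n' "$text" \
            | awk '/X509v3 Extended Key Usage:/ { getline; print }' \
            | grep -q 'TLS Web Server Authentication'; then
        echo "$cert: Extended Key Usage lacks TLS Web Server Authentication (VERIFY EKU ERROR)"
        return 1
    fi
    echo "$cert: passes remote-cert-tls server"
    return 0
}

# Issue a leaf certificate from the test CA in $1 for CN=$2; $3 is an
# optional x509v3 extension file. Without it the leaf gets no KU/EKU at all.
issue_cert() {
    dir=$1 name=$2 extfile=$3
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    if [ -n "$extfile" ]; then
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 1 -extfile "$extfile" -out "$dir/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 1 -out "$dir/$name.pem" 2>/dev/null
    fi
}

# Build a throwaway PKI in $1 (constructed test data): one CA, three leaves.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 2 \
        -subj "/CN=Example VPN CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # server-noext: no KU and no EKU, like the server cert in the thread
    issue_cert "$dir" server-noext
    # server-ok: what Easy-RSA 3 "build-server-full" emits (assumed contents)
    printf 'keyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n' \
        > "$dir/server.ext"
    issue_cert "$dir" server-ok "$dir/server.ext"
    # client: has a KU, but the client EKU, so it must not pass as a server
    printf 'keyUsage = critical, digitalSignature\nextendedKeyUsage = clientAuth\n' \
        > "$dir/client.ext"
    issue_cert "$dir" client "$dir/client.ext"
}

# Stand-alone run: build the test PKI and report on all three leaves.
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; return 1; }
    dir=$(mktemp -d) || return 1
    make_test_pki "$dir"
    for c in server-noext server-ok client; do
        check_remote_cert_tls_server "$dir/$c.pem" || true
    done
    rm -rf "$dir"
}

demo
```

To test the real certificate from the server config, copy it off the router and run check_remote_cert_tls_server against it (the thread's path is /config/auth/server.pem). Dropping "remote-cert-tls server" from the client, as the original poster did, makes the handshake succeed, but it also removes the only thing stopping a holder of any client certificate from the same CA presenting it as the server; reissuing the server certificate with a Key Usage and the serverAuth EKU (Easy-RSA 3: "./easyrsa build-server-full <name>") is the fix that keeps that protection.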

atranmisc
OpenVpn Newbie
Posts: 6
Joined: Mon Jan 17, 2022 10:01 pm

Re: Cannot connect using OpenVPN for Windows

Post by atranmisc » Sat Jan 22, 2022 1:47 pm

TinCanTech wrote:
Tue Jan 18, 2022 2:56 pm
atranmisc wrote:
Tue Jan 18, 2022 3:58 am
Is that the same as "X509v3 Extended Key Usage: TLS Web Server Authentication"
Yes. Use Easy-RSA v3 to build a new server cert.
This may be an unfair question, but what do you think about Let's Encrypt vs Easy-RSA v3, besides the fact that there is a bit more work to be done by the user with Easy-RSA v3? Thanks again.

TinCanTech
Forum Team
Posts: 10716
Joined: Fri Jun 03, 2016 1:17 pm

Re: Cannot connect using OpenVPN for Windows

Post by TinCanTech » Sat Jan 22, 2022 4:03 pm

If you use Easy-RSA to build your PKI then you and only you have access to your root CA.

What use is Letsencrypt to me ?

openvpn_inc
OpenVPN Inc.
Posts: 660
Joined: Tue Feb 16, 2021 10:41 am

Re: Cannot connect using OpenVPN for Windows

Post by openvpn_inc » Sat Jan 22, 2022 6:54 pm

atranmisc wrote:
Sat Jan 22, 2022 1:47 pm
TinCanTech wrote:
Tue Jan 18, 2022 2:56 pm
atranmisc wrote:
Tue Jan 18, 2022 3:58 am
Is that the same as "X509v3 Extended Key Usage: TLS Web Server Authentication"
Yes. Use Easy-RSA v3 to build a new server cert.
This may be an unfair question, but what do you think about Let's Encrypt vs Easy-RSA v3, besides the fact that there is a bit more work to be done by the user with Easy-RSA v3? Thanks again.
Hi atran,

Whether fair or not, it is a crazy question. You would NEVER use a public CA for your openvpn PKI. Do you want to allow every Let's Encrypt user to connect to your VPN?

I guess you failed to understand that your PKI is used for authentication. No worries, you were not the first and you will not be the last to have this idea. But no, let's not use LE for our VPN.

regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

atranmisc
OpenVpn Newbie
Posts: 6
Joined: Mon Jan 17, 2022 10:01 pm

Re: Cannot connect using OpenVPN for Windows

Post by atranmisc » Sat Jan 22, 2022 8:00 pm

openvpn_inc wrote:
Sat Jan 22, 2022 6:54 pm
atranmisc wrote:
Sat Jan 22, 2022 1:47 pm
TinCanTech wrote:
Tue Jan 18, 2022 2:56 pm
Yes. Use Easy-RSA v3 to build a new server cert.
This may be an unfair question, but what do you think about Let's Encrypt vs Easy-RSA v3, besides the fact that there is a bit more work to be done by the user with Easy-RSA v3? Thanks again.
I guess you failed to understand that your PKI is used for authentication.
I was thinking about encryption when I popped that question and forgot the authentication. What a shame :roll:
