OpenNPV, PI, Andriod and windows 7

[richiec86]

Hi all,

fairly new to both Linux and networking in general and could use some assistance as im stumped.

Recently set up a VPN using my Raspberry Pi B+, and (after many hours of setup and re-setup) managed to get a working VPN server in place and certificate/keys generated.

I have exported one set of user keys to my android phone and connected to the VPN using the OpenVPN client with no issues.

However when attempting to do the same on a windows 7 laptop and the OpenVPN client, i keep getting an error:

TLS: Initial packet from [AF_INET]xxxxxxxxxx, sid=f688d8a3 840ff62c
Certificate does not have key usage extension
VERIFY KU ERROR
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I have done some digging around on these forums and can see that this related to the Key Usage, and that either the server or client side certificates are missing this.

However, both user certs and the server cert were created at the same time with the same details, and having been able to successfully connect using the first user certs with my Android phone, which would suggest that neither client or server certs are missing any information, so i do not know what the issue could be.

Does Windows need additional information within the certs that the andriod does not?

Happy to provide server.conf details or logs if needed, but hoping someone can help.

Thanks.

[Traffic]

set up a VPN using my Raspberry Pi B+,

What version of openvpn do you use ?

[richiec86]

2.3.4 on the pi, and 2.3.10 on win7

[Traffic]

Please see the Forum rules (top of page)

[richiec86]

thanks, and apologies on missing the rules.

ok server conf details are:

Code: Select all

port 1194

proto udp
dev tun

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/ca.crt
key /etc/openvpn/easy-rsa/keys/ca.key 
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/easy-rsa/ipp.txt

push "route 10.8.0.1 255.255.255.255"

push "route 10.8.0.0 255.255.255.0"

push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120

cipher AES-256-CBC
auth SHA512
tls-cipher DHE-RSA-AES256-SHA

comp-lzo

max-clients 5

user nobody
group nogroup

persist-key
persist-tun

status /var/log/openvpn-status.log 300
log /var/log/openvpn.log
verb 1
mute 20

and the OVPN config details on client side are:

Code: Select all

client
dev tun
proto udp

remote richiec86.ddns.net 1194

resolv-retry infinite

nobind
persist-key
persist-tun


ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1

cipher AES-256-CBC
auth SHA512

comp-lzo

mute-replay-warnings
verb 3
mute 20

client log:

Code: Select all

Mon Feb 15 20:26:41 2016 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Feb  1 2016
Mon Feb 15 20:26:41 2016 Windows version 6.2 (Windows 8 or greater)
Mon Feb 15 20:26:41 2016 library versions: OpenSSL 1.0.1r  28 Jan 2016, LZO 2.09
Enter Management Password:
Mon Feb 15 20:26:41 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Feb 15 20:26:41 2016 Need hold release from management interface, waiting...
Mon Feb 15 20:26:41 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Feb 15 20:26:41 2016 MANAGEMENT: CMD 'state on'
Mon Feb 15 20:26:41 2016 MANAGEMENT: CMD 'log all on'
Mon Feb 15 20:26:41 2016 MANAGEMENT: CMD 'hold off'
Mon Feb 15 20:26:41 2016 MANAGEMENT: CMD 'hold release'
Mon Feb 15 20:26:42 2016 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Feb 15 20:26:42 2016 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Feb 15 20:26:42 2016 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Feb 15 20:26:42 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Feb 15 20:26:42 2016 MANAGEMENT: >STATE:1455568002,RESOLVE,,,
Mon Feb 15 20:26:43 2016 UDPv4 link local: [undef]
Mon Feb 15 20:26:43 2016 UDPv4 link remote: [AF_INET]82.7.86.155:1194
Mon Feb 15 20:26:43 2016 MANAGEMENT: >STATE:1455568003,WAIT,,,
Mon Feb 15 20:26:43 2016 MANAGEMENT: >STATE:1455568003,AUTH,,,
Mon Feb 15 20:26:43 2016 TLS: Initial packet from [AF_INET]82.7.86.155:1194, sid=86e23e57 fa65677d
Mon Feb 15 20:26:44 2016 Certificate does not have key usage extension
Mon Feb 15 20:26:44 2016 VERIFY KU ERROR
Mon Feb 15 20:26:44 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Feb 15 20:26:44 2016 TLS Error: TLS object -> incoming plaintext read error
Mon Feb 15 20:26:44 2016 TLS Error: TLS handshake failed
Mon Feb 15 20:26:44 2016 SIGUSR1[soft,tls-error] received, process restarting

having trouble finding the server side log, if someone can assist with this i will post.

im trying to understand why the client config works on an android device, but not on others (tried win 10, 7 and linux mint) when client keys were created the same (maybe that's the issue?)

Thanks

[Traffic]

For testing remove this:

remote-cert-tls server

from your client config ..

[richiec86]

hi,

thanks for the reply, this seems to have worked and can now connect via both android and desktop.

However, i'm a little concerned on certificate verification.

looking at this how-to https://openvpn.net/index.php/open-sour ... .html#mitm seems to suggest that the build-key-server command (with the addition of the now-removed "remote-cert-tls server" line at client side) would combat this.

However, this is what i had done initially, so unsure what the problem was here?

any suggestions?

[Traffic]

Create a new server cert/key pair and try again.