Hi all,
Fairly new to both Linux and networking in general and could use some assistance, as I'm stumped.
Recently set up a VPN using my Raspberry Pi B+, and (after many hours of setup and re-setup) managed to get a working VPN server in place and certificate/keys generated.
I have exported one set of user keys to my Android phone and connected to the VPN using the OpenVPN client with no issues.
However, when attempting to do the same on a Windows 7 laptop with the OpenVPN client, I keep getting an error:
TLS: Initial packet from [AF_INET]xxxxxxxxxx, sid=f688d8a3 840ff62c
Certificate does not have key usage extension
VERIFY KU ERROR
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I have done some digging around on these forums and can see that this is related to the Key Usage, and that either the server-side or client-side certificates are missing this.
However, both user certs and the server cert were created at the same time with the same details, and I have been able to connect successfully using the first user certs with my Android phone, which would suggest that neither client nor server certs are missing any information, so I do not know what the issue could be.
Does Windows need additional information within the certs that Android does not?
Happy to provide server.conf details or logs if needed, but hoping someone can help.
Thanks.
OpenNPV, PI, Andriod and windows 7
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
- OpenVpn Newbie
- Posts: 4
- Joined: Mon Feb 15, 2016 3:17 pm
- Traffic
- OpenVPN Protagonist
- Posts: 4081
- Joined: Sat Aug 09, 2014 11:24 am
Re: OpenNPV, PI, Andriod and windows 7
richiec86 wrote: "set up a VPN using my Raspberry Pi B+,"
What version of OpenVPN do you use?
- OpenVpn Newbie
- Posts: 4
- Joined: Mon Feb 15, 2016 3:17 pm
Re: OpenNPV, PI, Andriod and windows 7
2.3.4 on the pi, and 2.3.10 on win7
- Traffic
- OpenVPN Protagonist
- Posts: 4081
- Joined: Sat Aug 09, 2014 11:24 am
Re: OpenNPV, PI, Andriod and windows 7
Please see the Forum rules (top of page)
- OpenVpn Newbie
- Posts: 4
- Joined: Mon Feb 15, 2016 3:17 pm
Re: OpenNPV, PI, Andriod and windows 7
Thanks, and apologies for missing the rules.
I'm having trouble finding the server-side log; if someone can assist with this I will post it.
OK, server conf details are:
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/ca.crt
key /etc/openvpn/easy-rsa/keys/ca.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/easy-rsa/ipp.txt
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
cipher AES-256-CBC
auth SHA512
tls-cipher DHE-RSA-AES256-SHA
comp-lzo
max-clients 5
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 300
log /var/log/openvpn.log
verb 1
mute 20
and the OVPN config details on the client side are:
client
dev tun
proto udp
remote richiec86.ddns.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA512
comp-lzo
mute-replay-warnings
verb 3
mute 20
client log:
Mon Feb 15 20:26:41 2016 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Feb 1 2016
Mon Feb 15 20:26:41 2016 Windows version 6.2 (Windows 8 or greater)
Mon Feb 15 20:26:41 2016 library versions: OpenSSL 1.0.1r 28 Jan 2016, LZO 2.09
Enter Management Password:
Mon Feb 15 20:26:41 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Feb 15 20:26:41 2016 Need hold release from management interface, waiting...
Mon Feb 15 20:26:41 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Feb 15 20:26:41 2016 MANAGEMENT: CMD 'state on'
Mon Feb 15 20:26:41 2016 MANAGEMENT: CMD 'log all on'
Mon Feb 15 20:26:41 2016 MANAGEMENT: CMD 'hold off'
Mon Feb 15 20:26:41 2016 MANAGEMENT: CMD 'hold release'
Mon Feb 15 20:26:42 2016 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Feb 15 20:26:42 2016 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Feb 15 20:26:42 2016 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Feb 15 20:26:42 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Feb 15 20:26:42 2016 MANAGEMENT: >STATE:1455568002,RESOLVE,,,
Mon Feb 15 20:26:43 2016 UDPv4 link local: [undef]
Mon Feb 15 20:26:43 2016 UDPv4 link remote: [AF_INET]82.7.86.155:1194
Mon Feb 15 20:26:43 2016 MANAGEMENT: >STATE:1455568003,WAIT,,,
Mon Feb 15 20:26:43 2016 MANAGEMENT: >STATE:1455568003,AUTH,,,
Mon Feb 15 20:26:43 2016 TLS: Initial packet from [AF_INET]82.7.86.155:1194, sid=86e23e57 fa65677d
Mon Feb 15 20:26:44 2016 Certificate does not have key usage extension
Mon Feb 15 20:26:44 2016 VERIFY KU ERROR
Mon Feb 15 20:26:44 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Feb 15 20:26:44 2016 TLS Error: TLS object -> incoming plaintext read error
Mon Feb 15 20:26:44 2016 TLS Error: TLS handshake failed
Mon Feb 15 20:26:44 2016 SIGUSR1[soft,tls-error] received, process restarting
I'm trying to understand why the client config works on an Android device but not on others (tried Win 10, 7 and Linux Mint) when the client keys were created the same way (maybe that's the issue?).
Thanks
- Traffic
- OpenVPN Protagonist
- Posts: 4081
- Joined: Sat Aug 09, 2014 11:24 am
Re: OpenNPV, PI, Andriod and windows 7
richiec86 wrote: "remote-cert-tls server"
For testing, remove this from your client config.
- OpenVpn Newbie
- Posts: 4
- Joined: Mon Feb 15, 2016 3:17 pm
Re: OpenNPV, PI, Andriod and windows 7
Hi,
Thanks for the reply; this seems to have worked and I can now connect via both Android and desktop.
However, I'm a little concerned about certificate verification.
Looking at this how-to https://openvpn.net/index.php/open-sour ... .html#mitm seems to suggest that the build-key-server command (with the addition of the now-removed "remote-cert-tls server" line on the client side) would combat this.
However, this is what I had done initially, so I'm unsure what the problem was here?
Any suggestions?
- Traffic
- OpenVPN Protagonist
- Posts: 4081
- Joined: Sat Aug 09, 2014 11:24 am
Re: OpenNPV, PI, Andriod and windows 7
Create a new server cert/key pair and try again.
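What "remote-cert-tls server" actually checks, and why a fresh server cert/key pair fixes it, as an added example that is not part of the thread and is not OpenVPN's or easy-rsa's own code. The option makes the client require that the server's certificate carry a keyUsage extension containing digitalSignature together with keyEncipherment (or keyAgreement), and an extendedKeyUsage of serverAuth; easy-rsa's build-key-server adds exactly those, build-key (a client cert) does not, and build-ca adds no keyUsage at all. Note that the server.conf posted above points its `cert` line at ca.crt rather than at a server certificate, so the CA certificate is what the client is verifying, which is the condition the client log reports ("Certificate does not have key usage extension"), and only clients that keep `remote-cert-tls server` notice it. The script below issues a throwaway CA and three leaf certificates with openssl (names, subjects and the temp directory are assumptions of this example), then runs an approximation of the client-side check over each one; it greps the text dump of the extensions rather than the parsed bits and ignores nsCertType, so it illustrates the rule rather than reproducing OpenVPN's verify callback.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenVPN/easy-rsa code): issue a
# throwaway CA, a server cert with the extensions build-key-server sets, a
# client cert, and a cert with no keyUsage, then approximate the check that
# "remote-cert-tls server" applies to the server certificate.
# Assumes openssl and mktemp are in PATH; everything is written to a temp dir.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway CA, like easy-rsa's build-ca. The stock openssl.cnf v3_ca section
# adds no keyUsage, which is what the client log complains about if ca.crt is
# what the server presents.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Example CA" -days 365 >/dev/null 2>&1

# Extension profiles (constructed here): "server" matches build-key-server,
# "client" matches build-key, "plain" has no keyUsage/extendedKeyUsage at all.
printf '%s\n' 'basicConstraints=CA:FALSE' \
  'keyUsage=digitalSignature,keyEncipherment' \
  'extendedKeyUsage=serverAuth' > server.ext
printf '%s\n' 'basicConstraints=CA:FALSE' \
  'keyUsage=digitalSignature' \
  'extendedKeyUsage=clientAuth' > client.ext
printf '%s\n' 'basicConstraints=CA:FALSE' > plain.ext

# issue NAME EXTFILE: key + CSR for NAME, signed by the CA with EXTFILE's extensions
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile "$2" -out "$1.crt" >/dev/null 2>&1
}
issue server server.ext
issue client client.ext
issue plain plain.ext

# ext_value CERT 'X509v3 Key Usage': the value line that follows the named
# extension header in "openssl x509 -text" output (empty if absent)
ext_value() {
  openssl x509 -in "$1" -noout -text |
    awk -v name="$2" 'index($0, name) { getline; sub(/^ +/, ""); print; exit }'
}

# check_server_cert CERT: approximation of "remote-cert-tls server".
# Returns 0 = acceptable, 1 = no keyUsage extension, 2 = keyUsage present but
# wrong, 3 = extendedKeyUsage missing or not serverAuth.
check_server_cert() {
  ku="$(ext_value "$1" 'X509v3 Key Usage')"
  eku="$(ext_value "$1" 'X509v3 Extended Key Usage')"
  if [ -z "$ku" ]; then
    echo "$1: Certificate does not have key usage extension (VERIFY KU ERROR)"
    return 1
  fi
  case "$ku" in
    *"Digital Signature"*"Key Encipherment"*|*"Digital Signature"*"Key Agreement"*) ;;
    *) echo "$1: keyUsage is '$ku' (VERIFY KU ERROR)"; return 2 ;;
  esac
  case "$eku" in
    *"TLS Web Server Authentication"*) ;;
    *) echo "$1: extendedKeyUsage is '${eku:-absent}' (VERIFY EKU ERROR)"; return 3 ;;
  esac
  echo "$1: acceptable for remote-cert-tls server"
}

# Only server.crt passes; client.crt, plain.crt and ca.crt are all rejected.
for c in server.crt client.crt plain.crt ca.crt; do
  check_server_cert "$c" || true
done
```

To apply the same check on the Pi, run `openssl x509 -noout -text` against whatever file the server's `cert` line points at and look at the "X509v3 Key Usage" and "X509v3 Extended Key Usage" lines; if they are absent, the file is not a build-key-server certificate and the fix is to generate one and point `cert` and `key` at it rather than dropping `remote-cert-tls server` on the clients.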