Cannot connect using OpenVPN for Windows
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
- OpenVpn Newbie
- Posts: 6
- Joined: Mon Jan 17, 2022 10:01 pm
Cannot connect using OpenVPN for Windows
I have an OpenVPN server running on my EdgeRouter and can connect to it using both the Android and iOS OpenVPN clients without any problem. I cannot, however, connect to it using the Windows OpenVPN client on my Windows 10 computer. Note I'm using the same set of .ovpn and cert files on all three platforms: Android, iOS and Windows. For the Windows OpenVPN client, the OpenVPN server log shows there is an initial attempt to connect but nothing else gets through after that until a retry (again and again) by the client. Below is what shows in the Windows OpenVPN client log. This error repeats itself with each retry by the Windows OpenVPN client. I have also tried both versions 2.5.0 and 2.5.5 of the Windows OpenVPN client and they both result in the same errors. Any help will be appreciated.
2022-01-17 16:48:04 OpenVPN 2.5.5 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 15 2021
2022-01-17 16:48:04 Windows version 10.0 (Windows 10 or greater) 64bit
2022-01-17 16:48:04 library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
2022-01-17 16:48:04 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-17 16:48:04 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-17 16:48:04 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.80.1:443
2022-01-17 16:48:04 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-01-17 16:48:04 UDP link local: (not bound)
2022-01-17 16:48:04 UDP link remote: [AF_INET]192.168.80.1:443
2022-01-17 16:48:04 TLS: Initial packet from [AF_INET]192.168.80.1:443, sid=1f7147dd d20d449a
2022-01-17 16:48:04 VERIFY OK: <!!! MY OPENVPN SERVER CERT DN IS SHOWING HERE - REMOVED BEFORE POSTING LOG FILE !!!>
2022-01-17 16:48:04 Certificate does not have key usage extension
2022-01-17 16:48:04 VERIFY KU ERROR
2022-01-17 16:48:04 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2022-01-17 16:48:04 TLS_ERROR: BIO read tls_read_plaintext error
2022-01-17 16:48:04 TLS Error: TLS object -> incoming plaintext read error
2022-01-17 16:48:04 TLS Error: TLS handshake failed
2022-01-17 16:48:04 SIGUSR1[soft,tls-error] received, process restarting
2022-01-17 16:48:04 Restart pause, 5 second(s)
Last edited by atranmisc on Mon Jan 17, 2022 10:51 pm, edited 1 time in total.
- OpenVpn Newbie
- Posts: 6
- Joined: Mon Jan 17, 2022 10:01 pm
Re: Cannot connect using OpenVPN for Windows
TinCanTech wrote: ↑Mon Jan 17, 2022 10:41 pm
Your server certificate is not suitable for OpenVPN 2.5.5
I did try with OpenVPN 2.5.0 and got the same errors. I generally don't like to run an older software version but wanted to check and confirm, as I don't have a problem with my Android and iOS clients. Is there anything you can suggest for me to check regarding my server cert? What "key usage extension" is it expecting? Do you know of an older version of the Windows OpenVPN client that does NOT care about the usage extension for me to test out - just for the purpose of checking before I remake my server cert? Thanks.
- OpenVpn Newbie
- Posts: 6
- Joined: Mon Jan 17, 2022 10:01 pm
Re: Cannot connect using OpenVPN for Windows
TinCanTech wrote: ↑Mon Jan 17, 2022 11:26 pm
Paste your client config (without the certs and keys).
Also see viewtopic.php?f=30&t=22603#p68963
Please see my OpenVPN server and client config files below. Let me know if you still need me to send the verb 4 log as indicated in the other post. The only difference between the Windows and Android/iOS configurations is the addition of the askpass entry in the .ovpn file. I add askpass to the Windows .ovpn file as I don't know where else to provide/type it in otherwise. Thanks again.
** SERVER **
description openvpn
mode server
openvpn-option --persist-key
openvpn-option --persist-tun
openvpn-option "--keepalive 10 120"
openvpn-option "--user nobody"
openvpn-option "--group nogroup"
openvpn-option "--cipher AES-256-CBC"
openvpn-option "--auth SHA256"
openvpn-option "--port 443"
openvpn-option "--tls-auth /config/auth/ta.key 0"
openvpn-option --tls-server
openvpn-option "--proto udp"
openvpn-option "--ifconfig-pool-persist ipp.txt"
openvpn-option "--mute 10"
openvpn-option "--dev vtun0"
server {
name-server 192.168.80.1
subnet 10.8.0.0/24
}
tls {
ca-cert-file /config/auth/cacert.pem
cert-file /config/auth/server.pem
dh-file /config/auth/dh.pem
key-file /config/auth/server.key
}
** CLIENT **
client
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA256
dev tun
proto udp
redirect-gateway def1
key-direction 1
remote 192.168.80.1 443
remote-cert-tls server
resolv-retry infinite
nobind
float
auth-nocache
persist-key
persist-tun
verb 4
askpass "C:\\Program Files\\OpenVPN\\config-auto\\pass.txt"
ca "C:\\Program Files\\OpenVPN\\config-auto\\cacert.pem"
cert "C:\\Program Files\\OpenVPN\\config-auto\\atran.pem"
key "C:\\Program Files\\OpenVPN\\config-auto\\atran_pw.key"
tls-auth "C:\\Program Files\\OpenVPN\\config-auto\\ta.key" 1
- OpenVpn Newbie
- Posts: 6
- Joined: Mon Jan 17, 2022 10:01 pm
Re: Cannot connect using OpenVPN for Windows
Nice. I removed that line from the client config and it starts working. Interesting to know the Android and iOS OpenVPN apps don't check on this. Do you know which exact X.509 key usage extension that corresponds to? Is that the same as "X509v3 Extended Key Usage: TLS Web Server Authentication" or is it something else? Thanks a bunch!!!
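For readers following this thread: the client option involved is remote-cert-tls server (present in the client config above), which the OpenVPN manual defines as equivalent to --remote-cert-ku together with --remote-cert-eku "TLS Web Server Authentication". In other words the client demands both an X509v3 Key Usage extension (any value, in OpenVPN 2.5) and an Extended Key Usage containing serverAuth, which is why the log above reports "Certificate does not have key usage extension" followed by "VERIFY KU ERROR". The script below is an added example, not code from the thread or from the OpenVPN project; it assumes only the openssl command-line tool is installed. It generates three self-signed test certificates (constructed data, nothing from the poster's PKI) and inspects each one the way the client does, so you can run the same check against your own server.pem before deploying it.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the check behind the
# "Certificate does not have key usage extension" / "VERIFY KU ERROR" log lines.
# "remote-cert-tls server" requires the server certificate to carry an X509v3
# Key Usage extension and an Extended Key Usage of "TLS Web Server
# Authentication" (serverAuth). Requires the openssl CLI; all certificates
# below are constructed test data.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the result does not depend on the system openssl.cnf
# (some distributions add extensions by default).
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
EOF

# make_cert NAME [openssl req options...]
# Writes $WORK/NAME.pem; extra arguments such as -addext add extensions.
make_cert() {
  name="$1"; shift
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/req.cnf" -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.pem" "$@" >/dev/null 2>&1
}

# check_server_cert FILE
# Returns 0 when FILE would pass "remote-cert-tls server", 1 otherwise,
# printing a one-line verdict modelled on OpenVPN's own log messages.
check_server_cert() {
  text="$(openssl x509 -in "$1" -noout -text)"
  if ! printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
    echo "$1: Certificate does not have key usage extension (VERIFY KU ERROR)"
    return 1
  fi
  if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
    echo "$1: Extended Key Usage lacks TLS Web Server Authentication (VERIFY EKU ERROR)"
    return 1
  fi
  echo "$1: OK for remote-cert-tls server"
}

# Three constructed certificates:
#  bare    - no keyUsage at all (the situation in the thread's log)
#  ku_only - keyUsage present, but no serverAuth EKU
#  good    - keyUsage + serverAuth, as Easy-RSA's "server" type produces
make_cert bare
make_cert ku_only -addext "keyUsage=digitalSignature,keyEncipherment"
make_cert good    -addext "keyUsage=digitalSignature,keyEncipherment" \
                  -addext "extendedKeyUsage=serverAuth"

for n in bare ku_only good; do
  check_server_cert "$WORK/$n.pem" || :
done
```

To check a real server certificate, run check_server_cert against it (for example check_server_cert /config/auth/server.pem on the EdgeRouter). Re-issuing the server certificate with both extensions is the fix; dropping remote-cert-tls server from the client, as was done in the thread, removes the client's protection against a peer presenting a client certificate signed by the same CA as if it were the server.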
- OpenVpn Newbie
- Posts: 6
- Joined: Mon Jan 17, 2022 10:01 pm
Re: Cannot connect using OpenVPN for Windows
This may be an unfair question but what do you think about Let's Encrypt vs Easy-RSA v3, besides the fact that there is a bit more work to be done by the user with Easy-RSA v3? Thanks again.
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Cannot connect using OpenVPN for Windows
If you use Easy-RSA to build your PKI then you and only you have access to your root CA.
What use is Letsencrypt to me ?
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: Cannot connect using OpenVPN for Windows
atranmisc wrote: ↑Sat Jan 22, 2022 1:47 pm
This may be an unfair question but what do you think about Let's Encrypt vs Easy-RSA v3, besides the fact that there is a bit more work to be done by the user with Easy-RSA v3? Thanks again.
Hi atran,
Whether fair or not, it is a crazy question. You would NEVER use a public CA for your openvpn PKI. Do you want to allow every Let's Encrypt user to connect to your VPN?
I guess you failed to understand that your PKI is used for authentication. No worries, you were not the first and you will not be the last to have this idea. But no, let's not use LE for our VPN.
regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
- OpenVpn Newbie
- Posts: 6
- Joined: Mon Jan 17, 2022 10:01 pm
Re: Cannot connect using OpenVPN for Windows
openvpn_inc wrote: ↑Sat Jan 22, 2022 6:54 pm
I guess you failed to understand that your PKI is used for authentication.
I was thinking about encryption when I popped that question and forgot the authentication. What a shame.