It was all working well, then it didn't.
I set up my OpenVPN server about a year and a half ago, maybe 2. It's set up on a Debian 10 server.
I created several configuration files for several devices and accesses. All working very well, until this morning, when I got this error on my iPhone, iPad, and my partner's Mac computer.
I create configuration files that contain all information needed for the connection: certs, etc.
There was an error attempting to connect to the selected server.
Error message:
OpenSSLContext::SSL::read_cleartext:
BIO_read failed, cap=2576 status=-1: error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed
Here are the several config files and logs.
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/wisbit-server.crt
key /etc/openvpn/server/wisbit-server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher ****************************************
#tls-auth /etc/openvpn/server/ta.key
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
# we'll check that later on
#comp-lz0
daemon
user nobody
group nogroup
log-append /var/log/openvpn.log
verb 3
dev tun
proto udp
remote wisbit.hopto.org 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
# THESE FILES WILL BE INCORPORATED IN THE CLIENT CONFIG FILE
#ca ca.crt
#cert client.crt
#key client.key
remote-cert-tls server
# THIS FILE WILL BE INCORPORATED IN THE CLIENT CONFIG FILE
#tls-auth ta.key 1
cipher AES-256-CBC
auth SHA512
# CHECK THIS LATER enabled in the server config file.
# compress lzo
verb 3
key-direction 1
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
server logs:
Thu Dec 9 09:24:10 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021
Thu Dec 9 09:24:10 2021 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Thu Dec 9 09:24:10 2021 Diffie-Hellman initialized with 2048 bit key
Thu Dec 9 09:24:12 2021 WARNING: Your certificate has expired!
Thu Dec 9 09:24:12 2021 ROUTE_GATEWAY 192.168.5.1/255.255.255.0 IFACE=enp63s0 HWADDR=00:23:7d:16:51:58
Thu Dec 9 09:24:12 2021 TUN/TAP device tun0 opened
Thu Dec 9 09:24:12 2021 TUN/TAP TX queue length set to 100
Thu Dec 9 09:24:12 2021 /sbin/ip link set dev tun0 up mtu 1500
Thu Dec 9 09:24:12 2021 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Thu Dec 9 09:24:12 2021 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Thu Dec 9 09:24:12 2021 Could not determine IPv4/IPv6 protocol. Using AF_INET
Thu Dec 9 09:24:12 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Dec 9 09:24:12 2021 UDPv4 link local (bound): [AF_INET][undef]:1194
Thu Dec 9 09:24:12 2021 UDPv4 link remote: [AF_UNSPEC]
Thu Dec 9 09:24:12 2021 GID set to nogroup
Thu Dec 9 09:24:12 2021 UID set to nobody
Thu Dec 9 09:24:12 2021 MULTI: multi_init called, r=256 v=256
Thu Dec 9 09:24:12 2021 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Thu Dec 9 09:24:12 2021 Initialization Sequence Completed
Thu Dec 9 09:28:56 2021 91.86.42.88:62417 TLS: Initial packet from [AF_INET]91.86.42.88:62417, sid=c36734a0 68f72a17
Thu Dec 9 09:29:56 2021 91.86.42.88:62417 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Dec 9 09:29:56 2021 91.86.42.88:62417 TLS Error: TLS handshake failed
Thu Dec 9 09:29:56 2021 91.86.42.88:62417 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Dec 9 09:34:25 2021 91.86.42.88:65146 TLS: Initial packet from [AF_INET]91.86.42.88:65146, sid=222ace1d 2d88a20b
Thu Dec 9 09:35:25 2021 91.86.42.88:65146 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Dec 9 09:35:25 2021 91.86.42.88:65146 TLS Error: TLS handshake failed
Thu Dec 9 09:35:25 2021 91.86.42.88:65146 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Dec 9 09:40:52 2021 91.86.42.88:56821 TLS: Initial packet from [AF_INET]91.86.42.88:56821, sid=19f5bca9 6f54d6c4
Thu Dec 9 09:41:52 2021 91.86.42.88:56821 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Dec 9 09:41:52 2021 91.86.42.88:56821 TLS Error: TLS handshake failed
Thu Dec 9 09:41:52 2021 91.86.42.88:56821 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Dec 9 09:43:54 2021 event_wait : Interrupted system call (code=4)
#!/bin/bash
# First argument: Client identifier
set -euo pipefail

if [ $# -ne 1 ]; then
    echo "usage: $0 <client-identifier>" >&2
    exit 1
fi

CLIENT_KEY_DIR=/etc/openvpn/client/client-keys
SERVER_KEY_DIR=/etc/openvpn/client/server-keys
OUTPUT_DIR=/etc/openvpn/client/files
BASE_CONFIG=/etc/openvpn/client/base.conf

# Record the client identifier; it becomes the first line of the generated .ovpn
echo "${1}" > "${CLIENT_KEY_DIR}/${1}_name"

# Assemble the .ovpn: base config, then CA cert, client cert and client key inline
cat "${CLIENT_KEY_DIR}/${1}_name" \
    "${BASE_CONFIG}" \
    <(echo '<ca>') \
    "${SERVER_KEY_DIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${CLIENT_KEY_DIR}/${1}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${CLIENT_KEY_DIR}/${1}.key" \
    <(echo '</key>') \
    > "${OUTPUT_DIR}/${1}.ovpn"
WB
Let me know if there is anything else needed.