Hello,
I have OpenVZ Virtuozzo on CentOS 5.5.
Everything was already set up and working. From time to time my iptables rules get wiped out
(cleaned for some reason),
so I have to run a script to set the iptables rules again (firewall script). This morning I had the same problem:
OpenVPN stopped working, so I logged in to the server, ran the firewall script to set up iptables, then
restarted the VPN service. Now I'm able to establish a connection but get this error while logging in:
"WARNING: No server certificate verification method has been enabled."
I checked all the files; the certificates and key files are all in place as usual.
I DIDN'T touch ANYTHING. What could cause this? Here is the log file:
==========================================
Tue Apr 19 09:13:57 2011 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 8 2010
Tue Apr 19 09:13:57 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Apr 19 09:13:57 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Apr 19 09:13:57 2011 LZO compression initialized
Tue Apr 19 09:13:57 2011 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Apr 19 09:13:57 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Apr 19 09:13:57 2011 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Apr 19 09:13:57 2011 Local Options hash (VER=V4): '66096c33'
Tue Apr 19 09:13:57 2011 Expected Remote Options hash (VER=V4): '691e95c7'
Tue Apr 19 09:13:57 2011 UDPv4 link local: [undef]
Tue Apr 19 09:13:57 2011 UDPv4 link remote: 20.20.16.20:1194
Tue Apr 19 09:13:57 2011 TLS: Initial packet from 20.20.16.20:1194, sid=425c6dfa 1f19934c
Tue Apr 19 09:14:00 2011 VERIFY OK: depth=1, /C=US/ST=NY/L=MewYork/O=Net***.inc/OU=prod/CN=skyvpn/name=Alex23/emailAddress=web***@alt***.org
Tue Apr 19 09:14:00 2011 VERIFY OK: depth=0, /C=US/ST=NY/L=NewYork/O=Net***.inc/OU=prod/CN=skyvpn/name=Alex23/emailAddress=web***@alt***.org
Tue Apr 19 09:14:01 2011 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Apr 19 09:14:01 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 19 09:14:01 2011 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Apr 19 09:14:01 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 19 09:14:01 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Apr 19 09:14:01 2011 [skyvpn] Peer Connection Initiated with 20.20.16.20:1194
Tue Apr 19 09:14:03 2011 SENT CONTROL [skyvpn]: 'PUSH_REQUEST' (status=1)
Tue Apr 19 09:14:03 2011 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Tue Apr 19 09:14:03 2011 OPTIONS IMPORT: timers and/or timeouts modified
Tue Apr 19 09:14:03 2011 OPTIONS IMPORT: --ifconfig/up options modified
Tue Apr 19 09:14:03 2011 OPTIONS IMPORT: route options modified
Tue Apr 19 09:14:03 2011 ROUTE default_gateway=192.168.1.1
Tue Apr 19 09:14:03 2011 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{33029ADD-46AC-4F3A-B775-C9238B12FD9B}.tap
Tue Apr 19 09:14:03 2011 TAP-Win32 Driver Version 9.7
Tue Apr 19 09:14:03 2011 TAP-Win32 MTU=1500
Tue Apr 19 09:14:03 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {33029ADD-46AC-4F3A-B775-C9238B12FD9B} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Tue Apr 19 09:14:03 2011 Successful ARP Flush on interface [2] {33029ADD-46AC-4F3A-B775-C9238B12FD9B}
Tue Apr 19 09:14:08 2011 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Tue Apr 19 09:14:08 2011 C:\WINDOWS\system32\route.exe ADD 205.209.162.21 MASK 255.255.255.255 192.168.1.1
Tue Apr 19 09:14:08 2011 Route addition via IPAPI succeeded [adaptive]
Tue Apr 19 09:14:08 2011 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Apr 19 09:14:08 2011 Route addition via IPAPI succeeded [adaptive]
Tue Apr 19 09:14:08 2011 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Apr 19 09:14:08 2011 Route addition via IPAPI succeeded [adaptive]
Tue Apr 19 09:14:08 2011 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Tue Apr 19 09:14:08 2011 Route addition via IPAPI succeeded [adaptive]
Tue Apr 19 09:14:08 2011 Initialization Sequence Completed
=======================================================
The connection with the VPN server gets established, but I cannot browse anything on the web.
What should I check?
Please help.
Thank you.
Please Help: "No server certificate verification method"
-
- OpenVpn Newbie
- Posts: 10
- Joined: Tue Mar 01, 2011 10:51 pm
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Re: Please Help: "No server certificate verification method"
The warning is merely a warning - it means you did not specify 'ns-cert-type server' or 'remote-cert-tls server'; the fact that you cannot browse the internet via the tunnel is most likely a routing issue.
Check that you
* can ping the VPN server IP
* have enabled IP forwarding on the server
* have set up either a return route from the server-side GW/router back to the VPN server for the VPN IP range
or
* have set up NATting/Masquerading on the server
* have made sure no firewalls (iptables?) are blocking access.
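Without one of the two directives named in this reply, the client accepts any certificate signed by the CA as the server's, which is what the linked howto.html#mitm section is about. The following is an added example, not part of the thread: a shell function (the name `server_verify_status` and the sample configs are constructed here) that reports whether a client config sets either directive, ignoring commented-out lines and CRLF line endings.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an OpenVPN client
# config enables one of the two server-certificate checks named in the reply.

# server_verify_status FILE
#   prints "enabled: <directive> server" and returns 0 when a check is set,
#   prints "missing" and returns 1 otherwise.
server_verify_status() {
    awk '
        { sub(/\r$/, "") }                  # Windows .ovpn files often use CRLF
        /^[ \t]*[#;]/ { next }              # whole-line comments (# or ;)
        { sub(/[ \t]+[#;].*$/, "") }        # trailing comments
        ($1 == "remote-cert-tls" || $1 == "ns-cert-type") && $2 == "server" {
            print "enabled: " $1 " " $2
            found = 1
            exit
        }
        END { if (!found) { print "missing"; exit 1 } }
    ' "$1"
}

# Constructed client configs; 192.0.2.10 is a documentation address.
tmp=$(mktemp -d)
printf 'client\r\ndev tun\r\nremote 192.0.2.10 1194\r\n;remote-cert-tls server\r\n' \
    > "$tmp/weak.ovpn"     # directive present but commented out
printf 'client\r\ndev tun\r\nremote 192.0.2.10 1194\r\nremote-cert-tls server\r\n' \
    > "$tmp/fixed.ovpn"    # directive active

for f in "$tmp/weak.ovpn" "$tmp/fixed.ovpn"; do
    echo "${f##*/}: $(server_verify_status "$f" || true)"
done
rm -rf "$tmp"
```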
-
- OpenVpn Newbie
- Posts: 10
- Joined: Tue Mar 01, 2011 10:51 pm
Re: Please Help: "No server certificate verification method"
Here is iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp dpts:traceroute:33523
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- 10.8.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
===================================================
I'm trying to contact my server provider; maybe they changed something on the network?
What command should I use to check that the firewall is not blocking anything?
For some reason, after a server reboot my iptables rules got cleaned out again. It happens from
time to time, very strange. Can you please show me some commands to run for diagnostic
purposes? The server IP pings OK while connected to the VPN. It's just that nothing outside the server can be accessed.
Thank you
-
- OpenVpn Newbie
- Posts: 10
- Joined: Tue Mar 01, 2011 10:51 pm
Re: Please Help: "No server certificate verification method"
Besides, I'm using the same exact client configuration file and I didn't have that
warning before:
"WARNING: No server certificate verification method has been enabled."
Why is it appearing now?
Thanks.
-
- OpenVpn Newbie
- Posts: 10
- Joined: Tue Mar 01, 2011 10:51 pm
Re: Please Help: "No server certificate verification method"
I found the problem:
the NAT tables got disabled somehow.
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 2**.2**.1**.2*
iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Does anybody know how to enable the NAT tables? Somehow my support did it last time, but they
are not responding for now.
Thanks.
-
- OpenVpn Newbie
- Posts: 10
- Joined: Tue Mar 01, 2011 10:51 pm
Re: Please Help: "No server certificate verification method"
OK, thank you.
Problem solved: support just reloaded the iptable_nat module on the host machine.
Everything is back to normal.
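The failure found in this thread (no nat table, so no SNAT rule) and the IP-forwarding item from the earlier checklist can be told apart from saved state. The following is an added example, not part of the thread: the function names, the sample capture and the address 203.0.113.5 are constructed, and it assumes that `iptables-save -t nat` prints no `*nat` section when the table is unavailable.

```shell
#!/bin/sh
# Added example (not from the thread): classify the NAT and forwarding state
# of an OpenVPN server from text that can be captured and reviewed offline.

# nat_state: reads `iptables-save -t nat` output on stdin and prints one of
#   nat-table-missing  no "*nat" section (assumed to mean the table is unavailable)
#   no-nat-rule        table exists, POSTROUTING has no SNAT/MASQUERADE rule
#   nat-ok             a POSTROUTING SNAT or MASQUERADE rule is present
# It does not check which source range or interface the rule matches.
nat_state() {
    awk '
        $1 == "*nat" { table = 1 }
        $1 == "-A" && $2 == "POSTROUTING" {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && ($(i+1) == "SNAT" || $(i+1) == "MASQUERADE"))
                    rule = 1
        }
        END {
            if (!table)     print "nat-table-missing"
            else if (!rule) print "no-nat-rule"
            else            print "nat-ok"
        }'
}

# forwarding_state [FILE]: FILE defaults to the kernel ip_forward switch.
forwarding_state() {
    if [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]; then
        echo "forwarding-on"
    else
        echo "forwarding-off"
    fi
}

# Constructed capture with a rule shaped like the one posted in the thread;
# 203.0.113.5 is a documentation address standing in for the masked server IP.
sample_ok='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o venet0 -j SNAT --to-source 203.0.113.5
COMMIT'

printf '%s\n' "$sample_ok" | nat_state   # healthy state
printf '' | nat_state                    # empty capture, as when the table is absent
# On the server, as root: iptables-save -t nat 2>/dev/null | nat_state; forwarding_state
```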
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Re: Please Help: "No server certificate verification method"
Excellent, sounds like you've found your way out.
VPS and natting something can be difficult - I've read posts about natting working differently from what you'd expect.
Topic closed.