
Help with configuration

Post by dodge » Mon Oct 02, 2023 5:13 pm

Hello! I need some help with the configuration of OpenVPN. The interesting thing is that with OpenVPN 2.4.6 it worked, but with newer versions than that the connection fails with:

[olog]

2023-10-02 19:41:28 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-10-02 19:41:28 OpenVPN 2.6.6 [git:v2.6.6/c9540130121bfc21] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Aug 15 2023
2023-10-02 19:41:28 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-10-02 19:41:28 library versions: OpenSSL 3.1.2 1 Aug 2023, LZO 2.10
2023-10-02 19:41:28 DCO version: v0
2023-10-02 19:41:29 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:XXXX
2023-10-02 19:41:29 Attempting to establish TCP connection with [AF_INET]X.X.X.X:XXXX
2023-10-02 19:41:29 TCP connection established with [AF_INET]X.X.X.X:XXXX
2023-10-02 19:41:29 TCPv4_CLIENT link local: (not bound)
2023-10-02 19:41:29 TCPv4_CLIENT link remote: [AF_INET]X.X.X.X:XXXX
2023-10-02 19:41:29 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-10-02 19:41:29 VERIFY ERROR: depth=0, error=self-signed certificate: C=XX, ST=X, L=X, O=XX, OU=XX, CN=DDDD, serial=666666666666
2023-10-02 19:41:29 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2023-10-02 19:41:29 TLS_ERROR: BIO read tls_read_plaintext error
2023-10-02 19:41:29 TLS Error: TLS object -> incoming plaintext read error
2023-10-02 19:41:29 TLS Error: TLS handshake failed
2023-10-02 19:41:29 Fatal TLS error (check_tls_errors_co), restarting
2023-10-02 19:41:29 SIGUSR1[soft,tls-error] received, process restarting
2023-10-02 19:41:30 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:XXXX
2023-10-02 19:41:30 Attempting to establish TCP connection with [AF_INET]X.X.X.X:XXXX
2023-10-02 19:41:30 TCP connection established with [AF_INET]X.X.X.X:XXXX
2023-10-02 19:41:30 TCPv4_CLIENT link local: (not bound)
2023-10-02 19:41:30 TCPv4_CLIENT link remote: [AF_INET]X.X.X.X:XXXX

[/olog]

I have the following openvpn server configuration:

[oconf]
dev tun

management 127.0.0.1 1195

server 10.8.0.0 255.255.255.0

push "route 10.8.0.0 255.255.255.0"

dh /var/packages/VPNCenter/target/etc/openvpn/keys/dh3072.pem
ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key

max-clients 5

comp-lzo

persist-tun
persist-key

verb 3

#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.cnf
client-cert-not-required
username-as-common-name
duplicate-cn

status /tmp/ovpn_status_2_result 30
status-version 2
proto udp6
[/oconf]


I am having the following client configuration:

[oconf]
client
dev tun
tls-client

#verb 4
remote X.X.X.X XXXX

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

#redirect-gateway def1

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

#dhcp-option DNS DNS_IP_ADDRESS

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto tcp-client

script-security 2

comp-lzo

reneg-sec 0

data-ciphers 'AES-256-CBC:AES-256-GCM:AES-128-GCM'
cipher AES-256-CBC
#data-ciphers-fallback 'BF-CBC'
#tls-cipher "DEFAULT:@SECLEVEL=0"
#tls-cert-profile insecure
#providers legacy default

remote-cert-tls server
auth SHA512

auth-user-pass auth.txt
<ca>
-----BEGIN CERTIFICATE-----
RICK ROLL
-----END CERTIFICATE-----
</ca>
[/oconf]


I have used the following script to generate the certificates:

[code]
#!/bin/sh
set -e

# Sign the server CSR with the CA. Note that -set_serial overrides -CAcreateserial,
# so SERIAL must be set in the environment before this runs.
: "${SERIAL:?set SERIAL to the serial number for server.crt}"
openssl x509 -req -extfile _server.cnf -extensions req_ext -in server.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256 -set_serial "$SERIAL"
openssl x509 -noout -text -in server.crt

# These checks only prove that CSR, certificate and private key share the same RSA modulus.
echo "Check CA equality"
printf 'CSR: '; openssl req  -noout -modulus -in ca.csr | openssl md5
printf 'CRT: '; openssl x509 -noout -modulus -in ca.crt | openssl md5
printf 'KEY: '; openssl rsa  -noout -modulus -in ca.key | openssl md5
echo "Check SRV equality"
printf 'CSR: '; openssl req  -noout -modulus -in server.csr | openssl md5
printf 'CRT: '; openssl x509 -noout -modulus -in server.crt | openssl md5
printf 'KEY: '; openssl rsa  -noout -modulus -in server.key | openssl md5
[/code]

Where is the problem? I am still a noob when it comes to how the certificates interact :D.
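The check the modulus script above does not perform, as an added example that is not part of the post or of OpenVPN itself: comparing moduli proves that CSR, certificate and key belong together, but not who signed server.crt, and the client log's "depth=0, error=self-signed certificate" is about exactly that. The script assumes `openssl` is in PATH and builds throwaway demo certificates in a temporary directory (constructed material, not the poster's files).

```shell
#!/bin/sh
# Added example (not the poster's script): check WHO signed server.crt, which the
# modulus comparison cannot tell you. "depth=0, error=self-signed certificate" in the
# client log means the server presented a cert whose issuer is itself, so the CA in
# the client's <ca> block never gets a chance to vouch for it.
set -eu

# Relation of server cert $2 to CA cert $1: prints ok | self-signed | untrusted-issuer
chain_status() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        iss=$(openssl x509 -noout -issuer  -in "$2" | sed 's/^issuer=//')
        sub=$(openssl x509 -noout -subject -in "$2" | sed 's/^subject=//')
        # issuer == subject is exactly what OpenSSL reports as "self-signed certificate"
        if [ "$iss" = "$sub" ]; then echo self-signed; else echo untrusted-issuer; fi
    fi
}

# Does private key $1 belong to cert $2? Compares the public keys, so it also works for EC keys.
key_matches_cert() {
    k=$(openssl pkey -pubout -in "$1" 2>/dev/null)
    c=$(openssl x509 -pubkey -noout -in "$2" 2>/dev/null)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Constructed demo material: a throwaway CA, a second unrelated CA, a server cert
# signed by the first CA, and a self-signed cert on the same server key.
make_demo_certs() {
    d=$(mktemp -d)
    ( cd "$d"
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -subj /CN=demo-ca -days 2
      openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other-ca.crt -subj /CN=other-ca -days 2
      openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj /CN=demo-server
      openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 2 -sha256
      openssl req -new -x509 -key server.key -out selfsigned.crt -subj /CN=demo-server -days 2
    ) >/dev/null 2>&1
    echo "$d"
}

demo_dir=$(make_demo_certs)
echo "CA-signed   : $(chain_status "$demo_dir/ca.crt" "$demo_dir/server.crt")"         # ok
echo "self-signed : $(chain_status "$demo_dir/ca.crt" "$demo_dir/selfsigned.crt")"     # self-signed
echo "other CA    : $(chain_status "$demo_dir/other-ca.crt" "$demo_dir/server.crt")"   # untrusted-issuer
echo "key vs cert : $(key_matches_cert "$demo_dir/server.key" "$demo_dir/server.crt")" # match
rm -rf "$demo_dir"
```

Run `chain_status` against the real ca.crt (the one pasted into the client's `<ca>` block) and the server.crt the server config points at; anything other than `ok` explains the VERIFY ERROR regardless of what the modulus hashes say.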
