TLS error preventing connection

glc650
OpenVpn Newbie
Posts: 16
Joined: Fri Nov 29, 2013 9:17 pm

TLS error preventing connection

Post by glc650 » Fri Nov 29, 2013 9:23 pm

Hi,

I have an OpenVPN server configured and running on a Synology DS1511+, and now I'm trying to set up my Nexus 5 Android phone to connect to it, but I'm getting this error when I attempt to connect:

Certificate does not have key usage extension
VERIFY KU ERROR
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
TCP/UDP: Closing socket
SIGUSR1[soft,tls-error] received, process restarting

I'm new to VPN/certs so I'm not exactly sure what this means or how to correct it. I have the full log if needed.

Thanks,

->g.
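The VERIFY KU ERROR above says the client's peer check asked for a Key Usage extension and the server certificate carried none. As an added example that is not part of this thread, the stdlib-only Python below reads a certificate's X509v3 extension block and reports its Key Usage and Extended Key Usage; the two samples are constructed (one shaped like the certificate posted later in the thread, with no Key Usage, one with the usage a server certificate carries), and `check_server_cert` is a model of the client's test, not OpenVPN's code.

```python
# Added example, not code from the thread or from OpenVPN: walk the X509v3
# extension block of a certificate and report its Key Usage / Extended Key
# Usage, the values behind "Certificate does not have key usage extension".
OID_KEY_USAGE = "2.5.29.15"
OID_EXT_KEY_USAGE = "2.5.29.37"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"      # id-kp-serverAuth
# KeyUsage bit names in BIT STRING order (bit 0 is the MSB of the first byte).
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
           "encipherOnly", "decipherOnly"]
def der(tag, content):
    """Encode one DER TLV with a minimal length field."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content
def encode_oid(dotted):
    """Encode a dotted OID (arcs below 128 only, enough for the OIDs used here)."""
    parts = [int(p) for p in dotted.split(".")]
    assert all(p < 128 for p in parts[2:]), "multi-byte arcs not supported"
    return der(0x06, bytes([40 * parts[0] + parts[1]] + parts[2:]))

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:            # long form: low bits give the width of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def read_seq(content):
    """Split SEQUENCE content into its (tag, content) children."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        items.append((tag, body))
    return items
def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:           # base 128, continuation bit on all but the last byte
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def parse_extensions(ext_block):
    """ext_block is a DER 'SEQUENCE OF Extension'; returns {oid: (critical, value)}."""
    tag, content, _ = read_tlv(ext_block)
    assert tag == 0x30, "extension block must be a SEQUENCE"
    result = {}
    for _, ext in read_seq(content):
        fields = read_seq(ext)   # extnID, optional BOOLEAN critical, OCTET STRING
        critical = fields[1][0] == 0x01 and fields[1][1] != b"\x00"
        result[decode_oid(fields[0][1])] = (critical, fields[-1][1])
    return result
def key_usage_bits(extn_value):
    """Decode a KeyUsage BIT STRING into the set of named bits."""
    _, body, _ = read_tlv(extn_value)
    bits = body[1:]              # body[0] is the count of unused trailing bits
    return {name for i, name in enumerate(KU_BITS)
            if i // 8 < len(bits) and bits[i // 8] & (0x80 >> (i % 8))}
def extended_key_usage(extn_value):
    _, body, _ = read_tlv(extn_value)
    return [decode_oid(b) for t, b in read_seq(body) if t == 0x06]

def check_server_cert(ext_block):
    """Model of a client's server-certificate test (not OpenVPN's code): (ok, why)."""
    exts = parse_extensions(ext_block)
    if OID_KEY_USAGE not in exts:
        return False, "Certificate does not have key usage extension"
    ku = key_usage_bits(exts[OID_KEY_USAGE][1])
    if not ({"digitalSignature", "keyEncipherment"} <= ku
            or {"digitalSignature", "keyAgreement"} <= ku):
        return False, "key usage %s is not a server usage" % sorted(ku)
    eku = extended_key_usage(exts[OID_EXT_KEY_USAGE][1]) if OID_EXT_KEY_USAGE in exts else []
    if OID_SERVER_AUTH not in eku:
        return False, "EKU does not include serverAuth"
    return True, "key usage ok: " + ", ".join(sorted(ku))
def extension(oid, value, critical=False):
    crit = der(0x01, b"\xff") if critical else b""
    return der(0x30, encode_oid(oid) + crit + der(0x04, value))
# Constructed sample 1, shaped like the posted cert: CA:FALSE, a made-up SKI, no KU.
NO_KU_EXTS = der(0x30, extension("2.5.29.19", der(0x30, b""))
                 + extension("2.5.29.14", der(0x04, b"\xde\xad\xbe\xef")))
# Constructed sample 2, a server cert: critical KU 0xa0 (digitalSignature + keyEncipherment), EKU serverAuth.
SERVER_EXTS = der(0x30, extension(OID_KEY_USAGE, der(0x03, b"\x05\xa0"), True)
                  + extension(OID_EXT_KEY_USAGE, der(0x30, encode_oid(OID_SERVER_AUTH))))
```

To run it against a real certificate, feed `parse_extensions` the DER content of the `[3] EXPLICIT Extensions` field of the TBSCertificate; the same decoder applies.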

Re: TLS error preventing connection

Post by glc650 » Sat Nov 30, 2013 12:34 am

That did the trick.

thanks,

->g.

Re: TLS error preventing connection

Post by glc650 » Mon Dec 02, 2013 10:39 pm

Tried to connect the client remotely (the testing above was with the client and server inside my network) and the connection just times out. Does OpenVPN require some sort of VPN pass-through on the router to work? I have UDP 1194 forwarded by my router to my OpenVPN server.

Re: TLS error preventing connection

Post by glc650 » Tue Dec 03, 2013 12:00 am

Running on Nexus 5 (hammerhead) google, Android API 19, version 0.6.0, official build
Log cleared.
Building configuration…
started Socket Thread
P:Initializing Google Breakpad!
Current Parameter Settings:
config = '/data/data/de.blinkt.openvpn/cache/android.conf'
mode = 0
show_ciphers = DISABLED
show_digests = DISABLED
show_engines = DISABLED
genkey = DISABLED
key_pass_file = '[UNDEF]'
show_tls_ciphers = DISABLED
connect_retry_max = 5
Connection profiles [default]:
proto = udp
local = '[UNDEF]'
local_port = '1194'
remote = '[UNDEF]'
remote_port = '1194'
remote_float = DISABLED
bind_defined = DISABLED
bind_local = ENABLED
connect_retry_seconds = 5
connect_timeout = 10
socks_proxy_server = '[UNDEF]'
socks_proxy_port = '[UNDEF]'
socks_proxy_retry = DISABLED
tun_mtu = 1500
tun_mtu_defined = DISABLED
link_mtu = 1500
link_mtu_defined = DISABLED
tun_mtu_extra = 0
tun_mtu_extra_defined = DISABLED
mtu_discover_type = -1
fragment = 0
mssfix = 1450
explicit_exit_notification = 0
Connection profiles [0]:
proto = udp
local = '[UNDEF]'
local_port = '1194'
remote = 'mydomain.gotdns.com'
remote_port = '15175'
remote_float = DISABLED
bind_defined = DISABLED
bind_local = ENABLED
connect_retry_seconds = 5
connect_timeout = 10
socks_proxy_server = '[UNDEF]'
socks_proxy_port = '[UNDEF]'
socks_proxy_retry = DISABLED
tun_mtu = 1500
tun_mtu_defined = ENABLED
link_mtu = 1500
link_mtu_defined = DISABLED
tun_mtu_extra = 0
tun_mtu_extra_defined = DISABLED
mtu_discover_type = -1
fragment = 0
mssfix = 1450
explicit_exit_notification = 0
Connection profiles END
remote_random = DISABLED
ipchange = '[UNDEF]'
dev = 'tun'
dev_type = '[UNDEF]'
dev_node = '[UNDEF]'
lladdr = '[UNDEF]'
topology = 1
tun_ipv6 = DISABLED
ifconfig_local = '[UNDEF]'
ifconfig_remote_netmask = '[UNDEF]'
ifconfig_noexec = DISABLED
ifconfig_nowarn = DISABLED
ifconfig_ipv6_local = '[UNDEF]'
ifconfig_ipv6_netbits = 0
ifconfig_ipv6_remote = '[UNDEF]'
shaper = 0
mtu_test = 0
mlock = DISABLED
keepalive_ping = 0
keepalive_timeout = 0
inactivity_timeout = 0
ping_send_timeout = 0
ping_rec_timeout = 0
ping_rec_timeout_action = 0
ping_timer_remote = DISABLED
remap_sigusr1 = 0
persist_tun = DISABLED
persist_local_ip = DISABLED
persist_remote_ip = DISABLED
persist_key = DISABLED
passtos = DISABLED
resolve_retry_seconds = 60
username = '[UNDEF]'
groupname = '[UNDEF]'
chroot_dir = '[UNDEF]'
cd_dir = '[UNDEF]'
Network Status: CONNECTED to WIFI "MYCOMPANY"
writepid = '[UNDEF]'
up_script = '[UNDEF]'
down_script = '[UNDEF]'
down_pre = DISABLED
up_restart = DISABLED
up_delay = DISABLED
daemon = DISABLED
inetd = 0
log = DISABLED
suppress_timestamps = DISABLED
parsable_output = ENABLED
nice = 0
verbosity = 4
mute = 0
gremlin = 0
status_file = '[UNDEF]'
status_file_version = 1
status_file_update_freq = 60
occ = ENABLED
rcvbuf = 65536
sndbuf = 65536
sockflags = 0
fast_io = DISABLED
comp.alg = 2
comp.flags = 1
route_script = '[UNDEF]'
route_default_gateway = '[UNDEF]'
route_default_metric = 0
route_noexec = DISABLED
route_delay = 0
route_delay_window = 30
route_delay_defined = DISABLED
route_nopull = DISABLED
route_gateway_via_dhcp = DISABLED
max_routes = 100
allow_pull_fqdn = DISABLED
route 0.0.0.0/0.0.0.0/nil/nil
management_addr = '/data/data/de.blinkt.openvpn/cache/mgmtsocket'
management_port = 'unix'
management_user_pass = '[UNDEF]'
management_log_history_cache = 250
management_echo_buffer_size = 100
management_write_peer_info_file = '[UNDEF]'
management_client_user = '[UNDEF]'
management_client_group = '[UNDEF]'
management_flags = 4390
shared_secret_file = '[UNDEF]'
key_direction = 2
ciphername_defined = ENABLED
ciphername = 'BF-CBC'
authname_defined = ENABLED
authname = 'SHA1'
prng_hash = 'SHA1'
prng_nonce_secret_len = 16
keysize = 0
engine = DISABLED
replay = ENABLED
mute_replay_warnings = DISABLED
replay_window = 64
replay_time = 15
packet_id_file = '[UNDEF]'
use_iv = ENABLED
test_crypto = DISABLED
tls_server = DISABLED
tls_client = ENABLED
key_method = 2
ca_file = '[[INLINE]]'
ca_path = '[UNDEF]'
dh_file = '[UNDEF]'
cert_file = '[[INLINE]]'
priv_key_file = '[[INLINE]]'
pkcs12_file = '[UNDEF]'
cipher_list = '[UNDEF]'
tls_verify = '[UNDEF]'
tls_export_cert = '[UNDEF]'
verify_x509_type = 0
verify_x509_name = '[UNDEF]'
crl_file = '[UNDEF]'
ns_cert_type = 0
remote_cert_ku = 0
remote_cert_ku = 0
remote_cert_ku = 0
remote_cert_ku = 0
remote_cert_ku = 0
remote_cert_ku = 0
remote_cert_ku = 0
remote_cert_ku = 0
remote_cert_ku = 0
remote_cert_ku = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_ku[i] = 0
remote_cert_eku = '[UNDEF]'
ssl_flags = 0
tls_timeout = 2
renegotiate_bytes = 0
renegotiate_packets = 0
renegotiate_seconds = 0
handshake_window = 60
transition_window = 3600
single_session = DISABLED
push_peer_info = DISABLED
tls_exit = DISABLED
tls_auth_file = '[[INLINE]]'
client = ENABLED
pull = ENABLED
auth_user_pass_file = 'stdin'
OpenVPN 2.3.2+dspatch4 android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [SNAPPY] [EPOLL] [MH] [IPv6] built on Nov 21 2013
MANAGEMENT: Connected to management server at /data/data/de.blinkt.openvpn/cache/mgmtsocket
MANAGEMENT: CMD 'hold release'
MANAGEMENT: CMD 'username 'Auth' garrett'
MANAGEMENT: CMD 'bytecount 2'
MANAGEMENT: CMD 'password [...]'
MANAGEMENT: CMD 'state on'
MANAGEMENT: CMD 'proxy NONE'
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Control Channel Authentication: tls-auth using INLINE static key file
Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
LZO compression initializing
Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
MANAGEMENT: >STATE:1386018874,RESOLVE,,,
Socket Buffers: R=[163840->131072] S=[163840->131072]
Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:393 ET:0 EL:0 ]
Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Local Options hash (VER=V4): '504e774e'
Expected Remote Options hash (VER=V4): '14168603'
Protecting socket fd 4
MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
UDP link local (bound): [AF_INET][undef]:1194
UDP link remote: [AF_INET]76.102.26.21:1194
MANAGEMENT: >STATE:1386018874,WAIT,,,

Re: TLS error preventing connection

Post by glc650 » Tue Dec 03, 2013 12:56 am

Client config:

# Enables connection to GUI
management /data/data/de.blinkt.openvpn/cache/mgmtsocket unix
management-client
management-query-passwords
management-hold

setenv IV_OPENVPN_GUI_VERSION "de.blinkt.openvpn 0.6.0"
parsable-output
client
verb 4
connect-retry-max 5
connect-retry 5
resolv-retry 60
dev tun
remote mydomain.gotdns.com 1194 udp
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
<REMOVED>
-----END CERTIFICATE-----

</ca>
<key>
-----BEGIN PRIVATE KEY-----
<REMOVED>
-----END PRIVATE KEY-----

</key>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=California, L=Redwood City, O=none, CN=My Name/emailAddress=me@somewhere.com
        Validity
            Not Before: Nov 29 20:03:29 2013 GMT
            Not After : Nov  5 20:03:29 2113 GMT
        Subject: C=US, ST=California, O=none, CN=My Name/emailAddress=me@somewhere.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:bd:ac:05:87:6c:47:73:a4:cf:9b:e2:df:b4:1a:
                    1b:bd:0a:78:96:97:58:3a:cf:75:f7:6a:6f:b4:1b:
                    8e:6d:5e:ad:67:fb:c6:b0:c6:b9:5f:c7:fd:3e:66:
                    ae:7b:73:5a:00:d9:53:dc:1c:65:fb:75:06:94:01:
                    fd:1f:6c:f8:05:8e:4c:4e:9e:5f:3f:9c:6d:5c:c7:
                    a3:90:95:d0:c0:f4:87:f0:58:d6:f7:3a:d7:88:a3:
                    ed:db:a7:e4:8e:55:89:15:35:31:d2:09:38:1c:7a:
                    ff:8f:8d:d1:f3:4e:29:ba:ab:3f:f9:91:0a:f0:df:
                    97:a8:97:ed:22:58:a0:e6:93
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                E2:9B:95:6C:FB:C4:79:EF:D5:D8:2E:4B:96:93:35:A7:80:5F:A0:DF
            X509v3 Authority Key Identifier:
                keyid:61:F8:DA:C1:9D:62:12:7C:43:DB:C2:D0:39:1B:5D:1D:99:4F:A0:6A
                DirName:/C=US/ST=California/L=My City/O=none/CN=My Name/emailAddress=me@somewhere.com
                serial:D9:02:4B:8A:FC:AB:A0:32

    Signature Algorithm: md5WithRSAEncryption
         5f:75:9e:e0:7f:fa:67:46:76:d1:59:06:99:15:6f:51:2f:83:
         78:1f:0c:78:b3:dd:07:cb:3d:e6:15:61:60:3f:7c:45:00:0c:
         43:05:3b:8e:00:f6:be:a0:25:d9:52:d6:29:09:03:21:6c:47:
         ab:ae:2f:c2:ba:b0:43:da:7a:fb:2e:ed:5d:7b:65:4d:f8:b1:
         bc:4a:cc:6e:ab:c6:d0:0d:d1:d8:91:88:ba:ea:ec:04:fa:a1:
         87:48:84:b1:14:0f:22:e3:d9:a2:9e:7a:33:22:6e:99:60:84:
         31:41:f6:94:1e:6c:0a:53:80:36:bc:55:01:27:80:f9:ad:9b:
         20:ac
-----BEGIN CERTIFICATE-----
<REMOVED>
-----END CERTIFICATE-----

</cert>
comp-lzo
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
<REMOVED>
-----END OpenVPN Static key V1-----

</tls-auth>
key-direction 1
route 0.0.0.0 0.0.0.0
# Use system proxy setting
management-query-proxy
# Custom configuration options
# You are on your on own here :)
# These Options were found in the config file do not map to config settings:
reneg-sec 0

Re: TLS error preventing connection

Post by glc650 » Tue Dec 03, 2013 12:58 am

push "route 10.1.0.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
dev tun

management 127.0.0.1 1195

server 10.8.0.0 255.255.255.0


dh /var/packages/VPNCenter/target/etc/openvpn/keys/dh1024.pem
#ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
ca /var/packages/VPNCenter/target/etc/openvpn/keys/my-ca.crt
#cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
cert /var/packages/VPNCenter/target/etc/openvpn/keys/syn.crt
#key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key
key /var/packages/VPNCenter/target/etc/openvpn/keys/syn.key

max-clients 5

comp-lzo

persist-tun
persist-key

verb 3

#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

#plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.cnf
#client-cert-not-required
#username-as-common-name
duplicate-cn

user nobody
group nobody

Re: TLS error preventing connection

Post by glc650 » Tue Dec 03, 2013 3:44 pm

debbie10t wrote: Your server does not have any TLS key settings?

Probably worth reading this:
http://openvpn.net/index.php/open-sourc ... l#security

Oops, sorry, it does. That was an older config file copied from my backups. It was missing this line:

tls-auth /var/packages/VPNCenter/target/etc/openvpn/keys/ta.key 0 # This file is secret

This is a copy directly from the server:

push "route 10.1.0.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
dev tun

management 127.0.0.1 1195

server 10.8.0.0 255.255.255.0


dh /var/packages/VPNCenter/target/etc/openvpn/keys/dh1024.pem
#ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
ca /var/packages/VPNCenter/target/etc/openvpn/keys/my-ca.crt
#cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
cert /var/packages/VPNCenter/target/etc/openvpn/keys/syn.crt
#key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key
key /var/packages/VPNCenter/target/etc/openvpn/keys/syn.key
tls-auth /var/packages/VPNCenter/target/etc/openvpn/keys/ta.key 0 # This file is secret

max-clients 5

comp-lzo

persist-tun
persist-key

verb 3

#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

#plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.cnf
#client-cert-not-required
#username-as-common-name
duplicate-cn

user nobody
group nobody


Re: TLS error preventing connection

Post by glc650 » Thu Dec 05, 2013 6:05 am

Ok so I've restarted my OpenVPN server, gone through the server and client config and checked my port forwarding. I'm stumped. Here's the log from the client (Android 4.4):

Running on Nexus 5 (hammerhead) google, Android API 19, version 0.6.0, official build
Building configuration…
started Socket Thread
P:Initializing Google Breakpad!
Current Parameter Settings:
  config = '/data/data/de.blinkt.openvpn/cache/android.conf'
  mode = 0
  show_ciphers = DISABLED
  show_digests = DISABLED
  show_engines = DISABLED
  genkey = DISABLED
  key_pass_file = '[UNDEF]'
  show_tls_ciphers = DISABLED
  connect_retry_max = 5
Connection profiles [default]:
  proto = udp
  local = '[UNDEF]'
  local_port = '1194'
  remote = '[UNDEF]'
  remote_port = '1194'
  remote_float = DISABLED
  bind_defined = DISABLED
  bind_local = ENABLED
  connect_retry_seconds = 5
  connect_timeout = 10
  socks_proxy_server = '[UNDEF]'
  socks_proxy_port = '[UNDEF]'
  socks_proxy_retry = DISABLED
  tun_mtu = 1500
  tun_mtu_defined = DISABLED
  link_mtu = 1500
  link_mtu_defined = DISABLED
  tun_mtu_extra = 0
  tun_mtu_extra_defined = DISABLED
  mtu_discover_type = -1
  fragment = 0
  mssfix = 1450
  explicit_exit_notification = 0
Connection profiles [0]:
  proto = udp
  local = '[UNDEF]'
  local_port = '1194'
  remote = 'MYDOMAN.gotdns.com'
  remote_port = '1194'
  remote_float = DISABLED
  bind_defined = DISABLED
  bind_local = ENABLED
  connect_retry_seconds = 5
  connect_timeout = 10
  socks_proxy_server = '[UNDEF]'
  socks_proxy_port = '[UNDEF]'
  socks_proxy_retry = DISABLED
  tun_mtu = 1500
  tun_mtu_defined = ENABLED
  link_mtu = 1500
  link_mtu_defined = DISABLED
  tun_mtu_extra = 0
  tun_mtu_extra_defined = DISABLED
  mtu_discover_type = -1
  fragment = 0
  mssfix = 1450
  explicit_exit_notification = 0
Connection profiles END
  remote_random = DISABLED
  ipchange = '[UNDEF]'
  dev = 'tun'
  dev_type = '[UNDEF]'
  dev_node = '[UNDEF]'
  lladdr = '[UNDEF]'
  topology = 1
  tun_ipv6 = DISABLED
  ifconfig_local = '[UNDEF]'
  ifconfig_remote_netmask = '[UNDEF]'
  ifconfig_noexec = DISABLED
  ifconfig_nowarn = DISABLED
  ifconfig_ipv6_local = '[UNDEF]'
Network Status: CONNECTED EDGE to mobile fast.t-mobile.com
  ifconfig_ipv6_netbits = 0
  ifconfig_ipv6_remote = '[UNDEF]'
  shaper = 0
  mtu_test = 0
  mlock = DISABLED
  keepalive_ping = 0
  keepalive_timeout = 0
  inactivity_timeout = 0
  ping_send_timeout = 0
  ping_rec_timeout = 0
  ping_rec_timeout_action = 0
  ping_timer_remote = DISABLED
  remap_sigusr1 = 0
  persist_tun = DISABLED
  persist_local_ip = DISABLED
  persist_remote_ip = DISABLED
  persist_key = DISABLED
  passtos = DISABLED
  resolve_retry_seconds = 60
  username = '[UNDEF]'
  groupname = '[UNDEF]'
  chroot_dir = '[UNDEF]'
  cd_dir = '[UNDEF]'
  writepid = '[UNDEF]'
  up_script = '[UNDEF]'
  down_script = '[UNDEF]'
  down_pre = DISABLED
  up_restart = DISABLED
  up_delay = DISABLED
  daemon = DISABLED
  inetd = 0
  log = DISABLED
  suppress_timestamps = DISABLED
  parsable_output = ENABLED
  nice = 0
  verbosity = 4
  mute = 0
  gremlin = 0
  status_file = '[UNDEF]'
  status_file_version = 1
  status_file_update_freq = 60
  occ = ENABLED
  rcvbuf = 65536
  sndbuf = 65536
  sockflags = 0
  fast_io = DISABLED
  comp.alg = 2
  comp.flags = 1
  route_script = '[UNDEF]'
  route_default_gateway = '[UNDEF]'
  route_default_metric = 0
  route_noexec = DISABLED
  route_delay = 0
  route_delay_window = 30
  route_delay_defined = DISABLED
  route_nopull = DISABLED
  route_gateway_via_dhcp = DISABLED
  max_routes = 100
  allow_pull_fqdn = DISABLED
  route 0.0.0.0/0.0.0.0/nil/nil
  management_addr = '/data/data/de.blinkt.openvpn/cache/mgmtsocket'
  management_port = 'unix'
  management_user_pass = '[UNDEF]'
  management_log_history_cache = 250
  management_echo_buffer_size = 100
  management_write_peer_info_file = '[UNDEF]'
  management_client_user = '[UNDEF]'
  management_client_group = '[UNDEF]'
  management_flags = 4390
  shared_secret_file = '[UNDEF]'
  key_direction = 2
  ciphername_defined = ENABLED
  ciphername = 'BF-CBC'
  authname_defined = ENABLED
  authname = 'SHA1'
  prng_hash = 'SHA1'
  prng_nonce_secret_len = 16
  keysize = 0
  engine = DISABLED
  replay = ENABLED
  mute_replay_warnings = DISABLED
  replay_window = 64
  replay_time = 15
  packet_id_file = '[UNDEF]'
  use_iv = ENABLED
  test_crypto = DISABLED
  tls_server = DISABLED
  tls_client = ENABLED
  key_method = 2
  ca_file = '[[INLINE]]'
  ca_path = '[UNDEF]'
  dh_file = '[UNDEF]'
  cert_file = '[[INLINE]]'
  priv_key_file = '[[INLINE]]'
  pkcs12_file = '[UNDEF]'
  cipher_list = '[UNDEF]'
  tls_verify = '[UNDEF]'
  tls_export_cert = '[UNDEF]'
  verify_x509_type = 0
  verify_x509_name = '[UNDEF]'
  crl_file = '[UNDEF]'
  ns_cert_type = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_eku = '[UNDEF]'
  ssl_flags = 0
  tls_timeout = 2
  renegotiate_bytes = 0
  renegotiate_packets = 0
  renegotiate_seconds = 0
  handshake_window = 60
  transition_window = 3600
  single_session = DISABLED
  push_peer_info = DISABLED
  tls_exit = DISABLED
  tls_auth_file = '[[INLINE]]'
  client = ENABLED
  pull = ENABLED
  auth_user_pass_file = '[UNDEF]'
OpenVPN 2.3.2+dspatch4 android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [SNAPPY] [EPOLL] [MH] [IPv6] built on Nov 21 2013
MANAGEMENT: Connected to management server at /data/data/de.blinkt.openvpn/cache/mgmtsocket
MANAGEMENT: CMD 'hold release'
MANAGEMENT: CMD 'bytecount 2'
MANAGEMENT: CMD 'state on'
MANAGEMENT: CMD 'proxy NONE'
WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Control Channel Authentication: tls-auth using INLINE static key file
Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
LZO compression initializing
Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
MANAGEMENT: >STATE:1386222808,RESOLVE,,,
Socket Buffers: R=[163840->131072] S=[163840->131072]
Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:393 ET:0 EL:0 ]
Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Local Options hash (VER=V4): '504e774e'
Expected Remote Options hash (VER=V4): '14168603'
Protecting socket fd 4
MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
UDP link local (bound): [AF_INET6][undef]:1194
UDP link remote: [AF_INET6]2607:7700:0:9::4c66:1a15:1194
MANAGEMENT: >STATE:1386222809,WAIT,,,

which it just repeats over and over again. The notification bar on the phone just says "waiting for server response". It connects just fine from my home WiFi, but when I try from outside my network (work WiFi, 4G data) this is what I get.

Thanks,

->g.
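The two client logs in this thread fail at different stages: the first post's log gets a TLS reply and rejects the server certificate, while the log above sends its first packet and sits in WAIT. As an added example that is not part of the thread, this script classifies an OpenVPN client log excerpt by that stage and flags the details a defender would check next; the sample lines are copied from the logs posted here, the stage labels and regexes are the script's own, and it is not OpenVPN code.

```python
# Added example, not from the thread or from OpenVPN: classify an OpenVPN client
# log excerpt by the stage at which it stalls, so that the two failures in this
# thread (a TLS verify error vs. a handshake that never gets a reply) are told
# apart mechanically. The stage labels are this example's own.
import re

STATE_RE = re.compile(r">STATE:\d+,([A-Z_]+),")
REMOTE_RE = re.compile(r"UDP link remote: \[(AF_INET6?)\](\S+)")

def triage(lines):
    """Return {'stage', 'states', 'remote_family', 'findings'} for a client log."""
    states, findings, family, tls_failed = [], [], None, False
    def note(msg):               # record each finding once
        if msg not in findings:
            findings.append(msg)
    for line in lines:
        m = STATE_RE.search(line)
        if m:
            states.append(m.group(1))
        m = REMOTE_RE.search(line)
        if m:
            family = m.group(1)
            if family == "AF_INET6":
                note("server contacted over IPv6 (%s); an IPv4-only UDP 1194 port "
                     "forward does not cover this path" % m.group(2))
        if "VERIFY KU ERROR" in line or "does not have key usage extension" in line:
            tls_failed = True
            note("server certificate failed the key-usage check")
        elif "certificate verify failed" in line:
            tls_failed = True
            note("server certificate rejected during TLS verification")
        if "No server certificate verification method has been enabled" in line:
            note("client does not verify it is talking to the right server (MITM warning)")
    if tls_failed:
        stage = "tls_verify_failed"         # packets flow both ways; trust is the problem
    elif "CONNECTED" in states:
        stage = "connected"
    elif states and states[-1] == "WAIT":
        stage = "no_server_response"        # handshake sent, nothing ever came back
    elif states and states[-1] == "RESOLVE":
        stage = "dns_resolution"
    else:
        stage = "unknown"
    return {"stage": stage, "states": states, "remote_family": family,
            "findings": findings}

# Sample lines copied from the first post's client log (TLS failure on the LAN).
LOG_TLS_FAIL = [
    "Certificate does not have key usage extension",
    "VERIFY KU ERROR",
    "TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:"
    "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
    "TLS Error: TLS handshake failed",
    "SIGUSR1[soft,tls-error] received, process restarting",
]
# Sample lines copied from the mobile-network client log above (stuck in WAIT).
LOG_WAIT_LOOP = [
    "WARNING: No server certificate verification method has been enabled.  See "
    "http://openvpn.net/howto.html#mitm for more info.",
    "Control Channel Authentication: tls-auth using INLINE static key file",
    "MANAGEMENT: >STATE:1386222808,RESOLVE,,,",
    "UDP link local (bound): [AF_INET6][undef]:1194",
    "UDP link remote: [AF_INET6]2607:7700:0:9::4c66:1a15:1194",
    "MANAGEMENT: >STATE:1386222809,WAIT,,,",
]
```

A "no_server_response" result with no matching "TLS: Initial packet from" line in the server log means the first packet never arrived, which points at the forwarding path rather than at certificates or keys.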

Re: TLS error preventing connection

Post by glc650 » Thu Dec 05, 2013 6:16 am

And here's my config again (just copied from server and client):

push "route 10.1.0.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
dev tun

management 127.0.0.1 1195

server 10.8.0.0 255.255.255.0


dh /var/packages/VPNCenter/target/etc/openvpn/keys/dh1024.pem
#ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
ca /var/packages/VPNCenter/target/etc/openvpn/keys/my-ca.crt
#cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
cert /var/packages/VPNCenter/target/etc/openvpn/keys/syn.crt
#key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key
key /var/packages/VPNCenter/target/etc/openvpn/keys/syn.key
tls-auth /var/packages/VPNCenter/target/etc/openvpn/keys/ta.key 0 # This file is secret

max-clients 5

comp-lzo

persist-tun
persist-key

verb 3

#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

#plugin /var/packages/VPNCenter/target/lib/radiusplugin.so /var/packages/VPNCenter/target/etc/openvpn/radiusplugin.cnf
#client-cert-not-required
#username-as-common-name
duplicate-cn

user nobody
group nobody

Client:

# Enables connection to GUI
management /data/data/de.blinkt.openvpn/cache/mgmtsocket unix
management-client
management-query-passwords
management-hold

setenv IV_OPENVPN_GUI_VERSION "de.blinkt.openvpn 0.6.0"
parsable-output
client
verb 4
connect-retry-max 5
connect-retry 5
resolv-retry 60
dev tun
remote MYDOMAIN.gotdns.com 1194 udp
<ca>
-----BEGIN CERTIFICATE-----
<REMOVED>
-----END CERTIFICATE-----

</ca>
<key>
-----BEGIN PRIVATE KEY-----
<REMOVED>
-----END PRIVATE KEY-----

</key>
<cert>
Certificate:
<REMOVED>
-----BEGIN CERTIFICATE-----
<REMOVED>
-----END CERTIFICATE-----

</cert>
comp-lzo
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
<REMOVED>
-----END OpenVPN Static key V1-----

</tls-auth>
key-direction 1
route 0.0.0.0 0.0.0.0
# Use system proxy setting
management-query-proxy
# Custom configuration options
# You are on your on own here :)
# These Options were found in the config file do not map to config settings:
setenv IV_OPENVPN_GUI_VERSION "de.blinkt.openvpn 0.6.0"
management-query-proxy
reneg-sec 0
resolv-retry 60
management-client 

I noticed the redirect-gateway df1 command is missing from the client's config above, and I have it in my config backup. Plus, the "Use default route" box is checked in the client's settings. But I don't think that has any bearing on the timeout issue above?

Thanks,

->g.

Re: TLS error preventing connection

Post by glc650 » Thu Dec 05, 2013 6:06 pm

debbie10t wrote: How about the server log .. does it show any attempted connections?

Where is that log located?

Re: TLS error preventing connection

Post by glc650 » Fri Dec 06, 2013 12:15 am

Thu Dec  5 16:20:03 2013 OpenVPN 2.1.4 i686-linux-gnu [SSL] [LZO2] [EPOLL] built on May 31 2013
Thu Dec  5 16:20:03 2013 MANAGEMENT: TCP Socket listening on 127.0.0.1:1195
Thu Dec  5 16:20:03 2013 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and
Thu Dec  5 16:20:03 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Dec  5 16:20:03 2013 Diffie-Hellman initialized with 1024 bit key
Thu Dec  5 16:20:03 2013 Control Channel Authentication: using '/var/packages/VPNCenter/target/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Thu Dec  5 16:20:03 2013 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec  5 16:20:03 2013 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec  5 16:20:03 2013 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Dec  5 16:20:03 2013 Socket Buffers: R=[229376->131072] S=[229376->131072]
Thu Dec  5 16:20:03 2013 ROUTE default_gateway=10.0.0.254
Thu Dec  5 16:20:03 2013 TUN/TAP device tun0 opened
Thu Dec  5 16:20:03 2013 TUN/TAP TX queue length set to 100
Thu Dec  5 16:20:03 2013 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Thu Dec  5 16:20:03 2013 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Thu Dec  5 16:20:03 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Dec  5 16:20:03 2013 GID set to nobody
Thu Dec  5 16:20:03 2013 UID set to nobody
Thu Dec  5 16:20:03 2013 UDPv4 link local (bound): [undef]:1194
Thu Dec  5 16:20:03 2013 UDPv4 link remote: [undef]
Thu Dec  5 16:20:03 2013 MULTI: multi_init called, r=256 v=256
Thu Dec  5 16:20:03 2013 IFCONFIG POOL: base=10.8.0.4 size=62
Thu Dec  5 16:20:03 2013 Initialization Sequence Completed
Thu Dec  5 16:20:55 2013 MULTI: multi_create_instance called
Thu Dec  5 16:20:55 2013 10.0.0.12:1194 Re-using SSL/TLS context
Thu Dec  5 16:20:55 2013 10.0.0.12:1194 LZO compression initialized
Thu Dec  5 16:20:55 2013 10.0.0.12:1194 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu Dec  5 16:20:55 2013 10.0.0.12:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Dec  5 16:20:55 2013 10.0.0.12:1194 Local Options hash (VER=V4): '14168603'
Thu Dec  5 16:20:55 2013 10.0.0.12:1194 Expected Remote Options hash (VER=V4): '504e774e'
Thu Dec  5 16:20:55 2013 10.0.0.12:1194 TLS: Initial packet from 10.0.0.12:1194, sid=e3b716ce 7763f34d
Thu Dec  5 16:20:55 2013 10.0.0.12:1194 VERIFY OK: depth=1, /C=US/ST=California/L=Redwood_City/O=none/CN=My_Name/emailAddress=myemail@mydomain.com
Thu Dec  5 16:20:55 2013 10.0.0.12:1194 VERIFY OK: depth=0, /C=US/ST=California/O=none/CN=My_Name/emailAddress=myemail@mydomain.com
Thu Dec  5 16:20:55 2013 10.0.0.12:1194 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Dec  5 16:20:55 2013 10.0.0.12:1194 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec  5 16:20:55 2013 10.0.0.12:1194 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Dec  5 16:20:55 2013 10.0.0.12:1194 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec  5 16:20:55 2013 10.0.0.12:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Dec  5 16:20:55 2013 10.0.0.12:1194 [My_Name] Peer Connection Initiated with 10.0.0.12:1194
Thu Dec  5 16:20:55 2013 My_Name/10.0.0.12:1194 MULTI: Learn: 10.8.0.6 -> My_Name/10.0.0.12:1194
Thu Dec  5 16:20:55 2013 My_Name/10.0.0.12:1194 MULTI: primary virtual IP for My_Name/10.0.0.12:1194: 10.8.0.6
Thu Dec  5 16:20:57 2013 My_Name/10.0.0.12:1194 PUSH: Received control message: 'PUSH_REQUEST'
Thu Dec  5 16:20:57 2013 My_Name/10.0.0.12:1194 SENT CONTROL [My_Name]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,route 10.8.0.0 255.255.255.0,ro
Thu Dec  5 16:23:02 2013 SYNO_ERR_HOST
Thu Dec  5 16:23:02 2013 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Thu Dec  5 16:23:46 2013 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
Thu Dec  5 16:23:56 2013 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
Thu Dec  5 16:24:06 2013 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
Thu Dec  5 16:24:16 2013 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
Thu Dec  5 16:24:26 2013 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
Thu Dec  5 16:24:37 2013 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
Thu Dec  5 16:24:47 2013 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
Thu Dec  5 16:24:52 2013 My_Name/10.0.0.12:1194 [My_Name] Inactivity timeout (--ping-restart), restarting
Thu Dec  5 16:24:52 2013 My_Name/10.0.0.12:1194 SIGUSR1[soft,ping-restart] received, client-instance restarting

The above log is from after I added logging to my OpenVPN server, bounced it, connected (successfully) locally (10.0.0.12), and then tried to connect from outside my network. My router shows (and is permitting) requests to myopenVPNserver:1194 according to its log.

Re: TLS error preventing connection

Post by glc650 » Fri Dec 06, 2013 12:38 am

Just tried a couple more connection attempts from outside my network and there was no change reflected in the log.