Netgear recently released a firmware update with smartphone (iOS & Android) support for the built in OpenVPN server. I was able to successfully download and install the .ovpn, ca, client and key certs from my router, onto my iOS devices via the iTunes app file transfer.
What I’ve been unsuccessful with, however, is creating a unified .ovpn file that contains the three certs embedded directly in the .ovpn text. Netgear even provides some guidance on this in the form of a KB article (https://kb.netgear.com/app/answers/deta ... ZDbQ%3D%3D), which I used in addition to the OpenVPN iOS FAQ. But when I transfer the unified .ovpn file to the iOS devices, I’m getting a PolarSSL error regarding certificate verification (validation?) failure. Being new to OpenVPN, I’m not sure what this means, but it would almost sound as though OpenVPN is doing some check of my ca.crt against a database of known trusted certificate authorities.
Can anyone shed some light on this for me? Thank you very much.
Difficulty creating unified .ovpn file from certs
-
- OpenVpn Newbie
- Posts: 5
- Joined: Sun Nov 29, 2015 7:11 pm
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: Difficulty creating unified .ovpn file from certs
starlessblack wrote: it would almost sound as though OpenVPN is doing some check of my ca.crt against a database of known trusted certificate authorities
Please post your log file.
-
- OpenVpn Newbie
- Posts: 5
- Joined: Sun Nov 29, 2015 7:11 pm
Re: Difficulty creating unified .ovpn file from certs
2015-12-01 20:37:18 VERIFY FAIL CERT_NOT_TRUSTED : depth=1
cert. version : 3
serial number : routerserialnumber
issuer name : C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@netgear.com
subject name : C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@netgear.com
issued on : 2015-08-13 19:35:30
expires on : 2025-08-10 19:35:30
signed using : RSA with MD5
RSA key size : 1024 bits
basic constraints : CA=true
2015-12-01 20:37:18 VERIFY OK: depth=0
cert. version : 3
serial number : 01
issuer name : C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@netgear.com
subject name : C=TW, ST=TW, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@netgear.com
issued on : 2015-08-13 19:35:33
expires on : 2025-08-10 19:35:33
signed using : RSA with MD5
RSA key size : 1024 bits
basic constraints : CA=false
cert. type : SSL Server
2015-12-01 20:37:18 Transport Error: PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
2015-12-01 20:37:18 EVENT: CERT_VERIFY_FAIL PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed [ERR]
2015-12-01 20:37:18 EVENT: DISCONNECTED
2015-12-01 20:37:18 Raw stats on disconnect:
BYTES_IN : 2226
BYTES_OUT : 524
PACKETS_IN : 21
PACKETS_OUT : 21
SSL_ERROR : 1
CERT_VERIFY_FAIL : 1
2015-12-01 20:37:18 Performance stats on disconnect:
CPU usage (microseconds): 31968
Network bytes per CPU second: 86023
Tunnel bytes per CPU second: 0
2015-12-01 20:37:18 EVENT: DISCONNECT_PENDING
2015-12-01 20:37:18 ----- OpenVPN Stop -----
-
- OpenVpn Newbie
- Posts: 5
- Joined: Sun Nov 29, 2015 7:11 pm
Re: Difficulty creating unified .ovpn file from certs
I guess each post you make on these forums has to be approved by a moderator, so that's why there's a delay in submission to post?
-
- OpenVpn Newbie
- Posts: 9
- Joined: Thu Nov 05, 2015 9:17 pm
Re: Difficulty creating unified .ovpn file from certs
Include the items below in a single txt file named *.ovpn.
client configs
<ca>
-----BEGIN CERTIFICATE-----
ks#lf9OAS9f8...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
eus&l3(23kv*...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xs%id8@nd~...
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static Key V1-----
uxld6$le8&...
-----END OpenVPN Static Key V1-----
</tls-auth>
key-direction 1
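An added example, not part of the post above and not Netgear's or OpenVPN's own tooling: one way to assemble the unified file from the router's separate files. It drops the file-path directives that the inline blocks replace and only emits the tls-auth block and key-direction when a static key is actually supplied. The host name, port and PEM bodies in the sample are constructed placeholders.

```python
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Za-z0-9 ]+)-----.*?-----END \1-----", re.S)

def pem_blocks(text, label_suffix):
    """Return every PEM block whose label ends with label_suffix.

    Exported .crt files may carry a human-readable dump ahead of the
    armored block; only the BEGIN/END block belongs inside the tag."""
    found = [m.group(0).replace("\r\n", "\n") for m in PEM_RE.finditer(text)
             if m.group(1).endswith(label_suffix)]
    if not found:
        raise ValueError(f"no PEM block with label ending {label_suffix!r}")
    return "\n".join(found)

def build_unified(base_conf, ca, cert, key, tls_auth=None):
    """Inline ca/cert/key (and tls-auth, only if a static key is supplied)."""
    inline = {"ca": pem_blocks(ca, "CERTIFICATE"),
              "cert": pem_blocks(cert, "CERTIFICATE"),
              "key": pem_blocks(key, "PRIVATE KEY")}
    drop = set(inline)
    if tls_auth is not None:
        inline["tls-auth"] = pem_blocks(tls_auth, "OpenVPN Static Key V1")
        drop |= {"tls-auth", "key-direction"}
    out = []
    for line in base_conf.splitlines():
        words = line.split()
        # A file-path directive would conflict with the inline block.
        if words and words[0] in drop:
            continue
        out.append(line)
    for tag, body in inline.items():
        out += [f"<{tag}>", body, f"</{tag}>"]
    if tls_auth is not None:
        out.append("key-direction 1")
    return "\n".join(out) + "\n"

# Constructed sample input: placeholder PEM bodies, hypothetical host name.
BASE = ("client\r\ndev tun\r\nremote vpn.example.net 1194\r\n"
        "ca ca.crt\r\ncert client.crt\r\nkey client.key\r\n")
CA = ("Certificate:\n    Data: ...\n"
      "-----BEGIN CERTIFICATE-----\nQ0E=\n-----END CERTIFICATE-----\n")
CERT = "-----BEGIN CERTIFICATE-----\nQ0xJRU5U\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(build_unified(BASE, CA, CERT, KEY), end="")
```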
-
- OpenVpn Newbie
- Posts: 5
- Joined: Sun Nov 29, 2015 7:11 pm
Re: Difficulty creating unified .ovpn file from certs
I guess each post I make has to be approved by a mod? That must be why these are taking so long to post?
Anyway, here's the log:
2015-12-01 20:37:18 VERIFY FAIL CERT_NOT_TRUSTED : depth=1
cert. version : 3
serial number : routerserialnumber
issuer name : C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@netgear.com
subject name : C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@netgear.com
issued on : 2015-08-13 19:35:30
expires on : 2025-08-10 19:35:30
signed using : RSA with MD5
RSA key size : 1024 bits
basic constraints : CA=true
2015-12-01 20:37:18 VERIFY OK: depth=0
cert. version : 3
serial number : 01
issuer name : C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@netgear.com
subject name : C=TW, ST=TW, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@netgear.com
issued on : 2015-08-13 19:35:33
expires on : 2025-08-10 19:35:33
signed using : RSA with MD5
RSA key size : 1024 bits
basic constraints : CA=false
cert. type : SSL Server
2015-12-01 20:37:18 Transport Error: PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
2015-12-01 20:37:18 EVENT: CERT_VERIFY_FAIL PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed [ERR]
2015-12-01 20:37:18 EVENT: DISCONNECTED
2015-12-01 20:37:18 Raw stats on disconnect:
BYTES_IN : 2226
BYTES_OUT : 524
PACKETS_IN : 21
PACKETS_OUT : 21
SSL_ERROR : 1
CERT_VERIFY_FAIL : 1
2015-12-01 20:37:18 Performance stats on disconnect:
CPU usage (microseconds): 31968
Network bytes per CPU second: 86023
Tunnel bytes per CPU second: 0
2015-12-01 20:37:18 EVENT: DISCONNECT_PENDING
2015-12-01 20:37:18 ----- OpenVPN Stop -----
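An added example, not part of the post above: a small triage script for this kind of client log. It pairs each VERIFY event with the certificate dump that follows it and flags the signature hash and key size, so it is clear which depth in the chain failed and what each certificate looks like. The sample is an excerpt of the log lines posted in this thread; the 2048-bit threshold and the function names are choices made for this example.

```python
import re

VERIFY_RE = re.compile(r"VERIFY (OK|FAIL)(?: (\w+))?\s*:\s*depth=(\d+)")

def parse_verify_records(log_text):
    """Group each VERIFY event with the certificate dump that follows it."""
    records, current = [], None
    for line in log_text.splitlines():
        if line[:1].isdigit():            # timestamped event line
            m = VERIFY_RE.search(line)
            current = None                # any other event ends the dump
            if m:
                current = {"status": m.group(1), "reason": m.group(2),
                           "depth": int(m.group(3)), "fields": {}}
                records.append(current)
        elif current is not None and " : " in line:
            name, _, value = line.partition(" : ")
            current["fields"][name.strip()] = value.strip()
    return records

def weak_properties(fields):
    """Flag hash and key-size choices that modern TLS stacks treat as weak."""
    weak = []
    sig = fields.get("signed using", "")
    if "MD5" in sig or "SHA1" in sig:
        weak.append(f"signature: {sig}")
    size = fields.get("RSA key size", "")
    if size and int(size.split()[0]) < 2048:
        weak.append(f"key size: {size}")
    return weak

def triage(log_text):
    """Return (depth, status, reason, weak properties) per VERIFY event."""
    return [(r["depth"], r["status"], r["reason"], weak_properties(r["fields"]))
            for r in parse_verify_records(log_text)]

# Excerpt of the log posted in this thread.
SAMPLE = """2015-12-01 20:37:18 VERIFY FAIL CERT_NOT_TRUSTED : depth=1
issued on : 2015-08-13 19:35:30
signed using : RSA with MD5
RSA key size : 1024 bits
basic constraints : CA=true
2015-12-01 20:37:18 VERIFY OK: depth=0
signed using : RSA with MD5
RSA key size : 1024 bits
basic constraints : CA=false
2015-12-01 20:37:18 Raw stats on disconnect:
BYTES_IN : 2226
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```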
-
- OpenVpn Newbie
- Posts: 5
- Joined: Sun Nov 29, 2015 7:11 pm
Re: Difficulty creating unified .ovpn file from certs
markn62 wrote: Include the items below in a single txt file named *.ovpn.
<tls-auth>
-----BEGIN OpenVPN Static Key V1-----
uxld6$le8&...
-----END OpenVPN Static Key V1-----
</tls-auth>
key-direction 1
When I download the VPN certs and .ovpn file from the router, there is no OpenVPN static key, and their paltry documentation never makes mention of one, nor does their .ovpn file have any tls-auth or key-direction fields in it. Color me baffled.