I have searched the forum and also read the how-to's. So much that my Android client used to work fine until the ADSL line was upgraded at the server side.
To keep it short, I removed OpenVPN from the Server and reinstalled. Created a brand new PKI. Then created 2 client certificates, one for my Windows PC and one for my Android phone. Copied the CA and client keys to the appropriate locations in both devices. Windows connects, Android doesn't. Below is the log (note the '??' at the 'issuer name' and 'subject name' lines: those are not replacements: they are exactly like this in the log file; not sure if relevant, though):
```
18:21:07.216 -- ----- OpenVPN Start -----
18:21:07.217 -- EVENT: CORE_THREAD_ACTIVE
18:21:07.221 -- OpenVPN core 3.git::728733ae:Release android arm64 64-bit PT_PROXY built on Aug 14 2019 14:13:26
18:21:07.245 -- Frame=512/2048/512 mssfix-ctrl=1250
18:21:07.254 -- UNUSED OPTIONS
5 [nobind]
6 [persist-key]
7 [persist-tun]
14 [verb] [4]
15 [explicit-exit-notify] [3]
18:21:07.262 -- EVENT: RESOLVE
18:21:07.642 -- Contacting xxx.xx.xxx.xx:xxxx via UDP
18:21:07.645 -- EVENT: WAIT
18:21:07.654 -- Connecting to [xxxxxxxx.xxx.xxx]:xxxx (xxx.xx.xxx.xx) via UDPv4
18:21:07.682 -- EVENT: CONNECTING
18:21:07.687 -- Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client
18:21:07.688 -- Creds: UsernameEmpty/PasswordEmpty
18:21:07.690 -- Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.git::728733ae:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1
18:21:08.143 -- VERIFY FAIL -- The certificate is signed with an unacceptable hash. : depth=0
cert. version : 3
serial number : 01
issuer name : C=BR, ST=RS, L=CCCCCCC, O=MMMMMM, OU=MMMMMM, CN=SSSSSSS, ??=MMMMMM, emailAddress=sssss@ssss.com.br
subject name : C=BR, ST=RS, L=CCCCCCC, O=MMMMMM, OU=MMMMMM, CN=SSSSSSS, ??=MMMMMM, emailAddress=sssss@ssss.com.br
issued on : 2019-11-15 19:14:04
expires on : 2039-11-10 19:14:04
signed using : RSA with MD5
RSA key size : 4096 bits
basic constraints : CA=false
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
18:21:08.263 -- Transport Error: mbed TLS: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
18:21:08.264 -- EVENT: CERT_VERIFY_FAIL info='mbed TLS: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed'
18:21:08.281 -- EVENT: CORE_THREAD_INACTIVE
18:21:08.282 -- Tunnel bytes per CPU second: 0
18:21:08.282 -- ----- OpenVPN Stop -----
```
```
port 1194
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\SSSSSSS.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\SSSSSSS.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh4096.pem"
topology subnet
server 172.16.116.0 255.255.252.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
keepalive 30 60
cipher AES-256-CBC
comp-lzo
max-clients 10
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 4
```
```
client
dev tun
proto udp
remote xxxxxxxx.xxx.xxx xxxx
keepalive 30 60
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\SSSS\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\SSSS\\keys\\DDDDD.crt"
key "C:\\Program Files\\OpenVPN\\config\\SSSS\\keys\\DDDDD.key"
cipher AES-256-CBC
comp-lzo
verb 3
explicit-exit-notify 3
```
Thanks
Serginho
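
Added example, not part of the original post: a small Python triage helper that pulls each `VERIFY FAIL` certificate dump out of an OpenVPN 3 client log like the one above and reports which certificate was rejected and the digest it was signed with. The sample log is constructed from lines in the posted log; the function name and the `WEAK_DIGESTS` set are assumptions of this example.

```python
import re

# Constructed sample: lines shaped like the OpenVPN 3 / mbed TLS client log above.
SAMPLE_LOG = """\
18:21:07.690 -- Peer Info:
IV_PLAT=android
18:21:08.143 -- VERIFY FAIL -- The certificate is signed with an unacceptable hash. : depth=0
cert. version : 3
serial number : 01
signed using : RSA with MD5
RSA key size : 4096 bits
basic constraints : CA=false
cert. type : SSL Server
18:21:08.263 -- Transport Error: mbed TLS: SSL read error : X509 - Certificate verification failed
"""

# Assumption of this example: digest names to report as weak.
WEAK_DIGESTS = {"MD2", "MD4", "MD5", "SHA1", "SHA-1"}

TIMESTAMPED = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} -- (.*)$")
VERIFY_FAIL = re.compile(r"^VERIFY FAIL -- (.*?)\s*:\s*depth=(\d+)$")
FIELD = re.compile(r"^([^:]+?)\s*:\s(.*)$")


def rejected_certs(log_text):
    """Return one dict per VERIFY FAIL event, with the dumped certificate fields."""
    findings, current = [], None
    for line in log_text.splitlines():
        stamped = TIMESTAMPED.match(line)
        if stamped:
            # A new timestamped event ends any certificate dump in progress.
            current = None
            fail = VERIFY_FAIL.match(stamped.group(1))
            if fail:
                current = {"reason": fail.group(1), "depth": int(fail.group(2)), "fields": {}}
                findings.append(current)
        elif current is not None:
            field = FIELD.match(line)
            if field:
                current["fields"][field.group(1).strip()] = field.group(2).strip()
    for f in findings:
        # "signed using" looks like "RSA with MD5"; the digest is the last word.
        sig = f["fields"].get("signed using", "")
        f["digest"] = sig.split()[-1].upper() if sig else None
        f["weak_digest"] = f["digest"] in WEAK_DIGESTS
    return findings
```

Run over the posted log, this reports the depth-0 certificate of type `SSL Server`, signed using RSA with MD5, as the one the Android client rejected.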