openvpn server .. very cryptic file cert open error. help?

This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.

Moderators: TinCanTech

Forum rules
Please visit (and READ) the OpenVPN HowTo http://openvpn.net/howto prior to asking any questions in here!
netweaver
OpenVpn Newbie
Posts: 2
Joined: Tue Feb 22, 2011 10:37 am

openvpn server .. very cryptic file cert open error. help?

Post by netweaver » Tue Feb 22, 2011 12:26 pm

Hi,
I'm trying to convert a working tun config into a tap config due to problematic and inconsistent routing from virtual network interfaces in my Xen server back to the remote clients. I'm hoping that bridging might solve the issue.

The OpenVPN 2.1 rc20 server software is running on a DD-WRT v24SP2 equipped Linksys WRT54G, with the wireless part deactivated. Also, the role is switched from gateway to router, as it will only be used as a dedicated VPN server. I followed this guide: http://www.dd-wrt.com/wiki/index.php/VP ... r_Bridging

openvpn server config:
mode server
proto udp
port 1194
dev tap0
server-bridge 10.110.0.1 255.255.255.0 10.110.0.200 10.110.0.250
keepalive 10 120
daemon
verb 6
client-to-client
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

relevant part of the messages.log:
Jan 1 00:00:48 vpn user.info syslog: WAN is up. IP: x.xx.xxx.xx
Jan 1 00:00:48 vpn daemon.notice openvpn[1059]: OpenVPN 2.1_rc20 mipsel-unknown-linux-gnu [SSL] [LZO1] [EPOLL] built on Oct 10 2009
Jan 1 00:00:48 vpn daemon.warn openvpn[1059]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Jan 1 00:00:50 vpn daemon.notice openvpn[1059]: Diffie-Hellman initialized with 2048 bit key
Jan 1 00:00:50 vpn daemon.err openvpn[1059]: Cannot load certificate file /tmp/openvpn/cert.pem: error:0906D066:lib(9):func(109):reason(102): error:140AD009:lib(20):func(173):reason(9)
Jan 1 00:00:50 vpn daemon.notice openvpn[1059]: Exiting

Does anyone have an idea what might be wrong? The error message is not exactly helpful.
When I log on via ssh, I can see and cat the file contents fine.

Any hints are welcome.

Thanks,
Geert

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: openvpn server .. very cryptic file cert open error. hel

Post by maikcat » Tue Feb 22, 2011 12:45 pm

can you please post all the commands you used to create certificates?

cheers,

michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: openvpn server .. very cryptic file cert open error. hel

Post by janjust » Tue Feb 22, 2011 1:08 pm

copy the certificate to a regular machine that has openssl installed, then try running

openssl x509 -text -noout -in cert.pem

If that fails the certificate on the dd-wrt router has gotten corrupted somehow.
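The check janjust describes, packaged as a small script, is added here as an example; it is not code from the thread or from OpenVPN. It assumes only sh and awk, plus openssl for the parse step. Besides running `openssl x509`, it decodes the two hex codes from the log with `openssl errstr` (0906D066 is the PEM library's "bad end line" error, which is exactly what a file cut off before its END CERTIFICATE marker produces), and it adds a structural check of the PEM file that needs no openssl at all, so it can also be run on the router itself where the file actually lives. File names passed on the command line are whatever the reader chooses; the sample bodies used below in testing are constructed and are not real certificates.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a PEM certificate before
# OpenVPN loads it. The structural check needs only sh and awk, so it also
# runs on a small embedded box; the openssl steps are skipped when openssl
# is not installed.

# Turn the numeric OpenSSL error codes from the syslog into readable text,
# e.g.  explain_openssl_errors 0906D066 140AD009
explain_openssl_errors() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; cannot decode error codes" >&2
        return 2
    fi
    for code in "$@"; do
        openssl errstr "$code"
    done
}

# Structural check without openssl. Returns 0 when the file looks complete,
# 1 otherwise, with the reason on stderr. It verifies that:
#   - the first non-blank line is the BEGIN CERTIFICATE marker
#   - the last non-blank line is the END CERTIFICATE marker (the line that
#     disappears when a paste is cut off at the bottom)
#   - the body is base64 and its total length is a multiple of 4, which
#     catches lines lost from the middle even when the END line survived
check_pem_structure() {
    f=$1
    if [ ! -r "$f" ]; then
        echo "$f: not readable" >&2
        return 1
    fi
    awk -v name="$f" '
        NF == 0 { next }                    # ignore blank lines
        { line[++n] = $0 }
        END {
            if (n < 3) {
                print name ": too few lines" > "/dev/stderr"; exit 1
            }
            if (line[1] != "-----BEGIN CERTIFICATE-----") {
                print name ": missing BEGIN CERTIFICATE line" > "/dev/stderr"; exit 1
            }
            if (line[n] != "-----END CERTIFICATE-----") {
                print name ": missing END CERTIFICATE line, file is truncated" > "/dev/stderr"; exit 1
            }
            total = 0
            for (i = 2; i < n; i++) {
                if (line[i] !~ "^[A-Za-z0-9+/=]+$") {
                    print name ": non-base64 text on body line " i > "/dev/stderr"; exit 1
                }
                total += length(line[i])
            }
            if (total % 4 != 0) {
                print name ": base64 body length " total " is not a multiple of 4, lines lost?" > "/dev/stderr"; exit 1
            }
        }' "$f"
}

# Full parse with openssl, as suggested above; prints subject and validity
# period. Returns 2 (meaning "not checked") when openssl is unavailable.
check_pem_parses() {
    f=$1
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; skipping parse check for $f" >&2
        return 2
    fi
    openssl x509 -noout -subject -dates -in "$f"
}

# Usage: sh check_pem.sh /tmp/openvpn/cert.pem [more.pem ...]
for pem in "$@"; do
    if check_pem_structure "$pem"; then
        if check_pem_parses "$pem"; then
            echo "$pem: OK"
        else
            rc=$?
            if [ "$rc" -eq 2 ]; then
                echo "$pem: structure OK, openssl parse skipped"
            else
                echo "$pem: FAILED to parse (status $rc)"
            fi
        fi
    else
        echo "$pem: FAILED structural check"
    fi
done
```

Run it against the file the server complains about; a missing END line or an odd base64 length is reported before openssl is even needed, which is handy on a router that has no openssl binary. The structural check only proves the file is intact as text, so the `openssl x509` step on a full machine remains the real test that the certificate is valid.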

netweaver
OpenVpn Newbie
Posts: 2
Joined: Tue Feb 22, 2011 10:37 am

Re: openvpn server .. very cryptic file cert open error. hel

Post by netweaver » Tue Feb 22, 2011 2:48 pm

Ai, the exact commands? That was years ago, no possibility to retrieve those. Anyway, I followed this guide quite literally:
http://www.dd-wrt.com/wiki/index.php/VP ... untu_Linux

Update: I've checked the cert.pem file a bit more carefully and it was not complete, it was missing a few lines at the bottom. In DD-WRT, the keys/certificates need to be entered in a web frontend, maybe something got lost there. Anyway, I re-copied the file from the original location (I still had them, from back in 2009) and now at least the server starts fine. My fault for not checking properly.

Now the next problem, connecting the client of course. After providing an accessible NTP server - my company filters out outbound (internet-directed) NTP requests - I got a proper date and the certificates were valid again. The client connects fine, receives an IP address from the defined range and I can ping myself and the VPN "gateway". I can't see my servers because I'm not home, I'm just doing this in some spare time at the office.

Mission accomplished, it all works in my simulated environment at the office. Hopefully it works this evening at home as well.

Thanks for hinting towards the cert file quality.
