I am running a server for home use with a self-signed CA and a bunch of client certificates. The server is running on Debian stable and I have not touched the configuration for many years now (but I have kept everything up to date). Most of my clients can connect without issues, but there is one particular certificate that is giving me headaches. It is the only mobile client, using OpenVPN for Android. The only difference with respect to a working setup is that in this case I have bundled together the various certificates by embedding them in a single .ovpn configuration file and then I imported the .ovpn file with the Android client app. When I try to connect I get "Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication", while on the server side I see in the log:
Fri Apr 2 19:03:21 2021 84.226.168.177:51382 OpenSSL: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
Fri Apr 2 19:03:21 2021 84.226.168.177:51382 TLS_ERROR: BIO read tls_read_plaintext error
Fri Apr 2 19:03:21 2021 84.226.168.177:51382 TLS Error: TLS object -> incoming plaintext read error
Fri Apr 2 19:03:21 2021 84.226.168.177:51382 TLS Error: TLS handshake failed
# my client cert
# basic client configuration
client
remote 99.99.99.99 1194
dev tun
proto udp
nobind
# authentication and security
cipher AES-256-CBC
auth SHA512
remote-cert-tls server
key-direction 1
# other options
comp-lzo yes
auth-nocache
script-security 2
persist-key
persist-tun
replay-window 256 #experimental? default is 64
# logging
mute-replay-warnings
verb 3
mute 5
<ca>
-----BEGIN CERTIFICATE-----
SOMECERTIFICATEINBASE64==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
SOMEotherCERTinBASE64
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,FFFFFFINGERPRINT
RANdomSTuff==
-----END EC PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0xstuff_in_hex
-----END OpenVPN Static key V1-----
</tls-auth>
# basic server configuration
local 99.99.99.99
port 1194
proto udp
dev tun
server 10.0.0.0 255.255.255.0
# authentication and security
ca ./cacert.pem
cert ./servercert.pem
key ./private/serverkey.pem
dh ./dh.pem
tls-auth ./private/ta.key 0
crl-verify ./crl.pem
auth SHA512
cipher AES-256-CBC
# network configuration
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.1.2.2"
ifconfig-pool-persist ./ipp.txt
client-to-client
keepalive 10 120
replay-window 256 #experimental?
# other options
comp-lzo yes
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
# logging
status ./vpn-status.log
log ./vpn.log
verb 3
mute 5
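As an added diagnostic for an .ovpn file with embedded certificates like the one above (this is not code from the original post): it pulls the inline <cert> and <key> blocks out of the file and reports the client certificate's EKU (remote-cert-tls server only validates the server side's EKU; the client cert itself should carry TLS Web Client Authentication), whether the embedded key is passphrase-protected, and whether cert and key share a public key, which is the pair OpenVPN presents in the TLS handshake. It assumes openssl(1) is installed; the script name, the ovpn_check function and the passphrase argument are mine.

```shell
#!/bin/sh
# Added diagnostic for an .ovpn with inline <cert>/<key> blocks (not from the
# original post). Assumes openssl(1) is installed.
# Usage: sh ovpn_check.sh client.ovpn [key-passphrase]

# extract_block FILE TAG -> the PEM between <TAG> and </TAG>
extract_block() {
    sed -n "/^<$2>/,/^<\/$2>/p" "$1" | sed '1d;$d'
}

# client_cert_eku FILE -> the EKU names of the embedded client certificate.
# "remote-cert-tls server" checks the *server's* EKU; the client certificate
# itself should carry "TLS Web Client Authentication".
client_cert_eku() {
    extract_block "$1" cert | openssl x509 -noout -text 2>/dev/null |
        awk '/X509v3 Extended Key Usage/ { getline; sub(/^ +/, ""); print; exit }'
}

# key_is_encrypted FILE -> success if the embedded key needs a passphrase
# (legacy "Proc-Type: 4,ENCRYPTED" header or PKCS#8 "ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    extract_block "$1" key |
        grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)$'
}

# cert_matches_key FILE [PASS] -> success if the embedded cert and key share
# the same public key (the pair OpenVPN presents during the TLS handshake).
cert_matches_key() {
    cert_pub=$(extract_block "$1" cert | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(extract_block "$1" key |
        openssl pkey -pubout -passin "pass:${2:-}" 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# ovpn_check FILE [PASS] -> human-readable summary of the three checks
ovpn_check() {
    echo "client cert EKU : $(client_cert_eku "$1")"
    if key_is_encrypted "$1"; then
        echo "private key     : passphrase-protected"
    else
        echo "private key     : not encrypted"
    fi
    if cert_matches_key "$1" "${2:-}"; then
        echo "cert/key pair   : match"
    else
        echo "cert/key pair   : MISMATCH (or key could not be decoded)"
    fi
}

if [ "$#" -ge 1 ]; then ovpn_check "$@"; fi
```

Run it against the .ovpn before importing it into the Android app; a cert/key mismatch or a passphrase the app cannot supply means no client certificate is presented in the handshake.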