Hi,
I'm trying to get the OpenVPN Server installed on a vm which is sitting on ESXi 5.1 and I'm having a hard go at it. I had OpenVPN running on a dedicated server previously and decided to use this dedicated server to host multiple vms instead. When I try to log in using PAM, the message "logging in" just stays there and never really returns anything. My setup is that my traffic is getting port forwarded to port 1234 on my gateway to my local vm server.
One more note is that on the client machine, I just copied the new ca.crt that I generated on the server.
On the server, ran:
./build-ca (common name was vpn.mysite.com)
./build-key-server server (cn was server)
./build-dh
Also have this rule in my iptables:
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -j SNAT --to-source 192.168.1.103
Here's my openvpn config:
port 1234 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"
keepalive 5 30
cipher AES-128-CBC
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
push "explicit-exit-notify 3"
status server.log
Here's my client config:
client
dev tun
proto udp
remote vpn.mysite.com 1234 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
verb 3
Log from Server when I log in:
Nov 30 09:19:50 mysandbox openvpn[16594]: Initialization Sequence Completed
Nov 30 09:19:51 mysandbox openvpn[16594]: MULTI: multi_create_instance called
Nov 30 09:19:51 mysandbox openvpn[16594]: 192.168.1.1:54283 Re-using SSL/TLS context
Nov 30 09:19:51 mysandbox openvpn[16594]: 192.168.1.1:54283 LZO compression initialized
Nov 30 09:19:51 mysandbox openvpn[16594]: 192.168.1.1:54283 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Nov 30 09:19:51 mysandbox openvpn[16594]: 192.168.1.1:54283 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Nov 30 09:19:51 mysandbox openvpn[16594]: 192.168.1.1:54283 Local Options hash (VER=V4): 'e5730046'
Nov 30 09:19:51 mysandbox openvpn[16594]: 192.168.1.1:54283 Expected Remote Options hash (VER=V4): '89e98467'
Nov 30 09:19:51 mysandbox openvpn[16594]: 192.168.1.1:54283 TLS: Initial packet from 192.168.1.1:54283, sid=466dd537 b8241ea5
Log from Client:
Fri Nov 30 09:43:15 2012 Note: option http-proxy-fallback ignored because no TCP-based connection profiles are defined
Fri Nov 30 09:43:15 2012 OpenVPNAS 2.1.1oOAS Win32-MSVC++ [SSL] [LZO2] built on Jul 29 2010
Fri Nov 30 09:43:15 2012 MANAGEMENT: Connected to management server at 127.0.0.1:57095
Fri Nov 30 09:43:15 2012 MANAGEMENT: CMD 'log on'
Fri Nov 30 09:43:15 2012 MANAGEMENT: CMD 'state on'
Fri Nov 30 09:43:15 2012 MANAGEMENT: CMD 'echo on'
Fri Nov 30 09:43:15 2012 MANAGEMENT: CMD 'bytecount 5'
Fri Nov 30 09:43:15 2012 MANAGEMENT: CMD 'hold off'
Fri Nov 30 09:43:15 2012 MANAGEMENT: CMD 'hold release'
Fri Nov 30 09:43:21 2012 MANAGEMENT: CMD 'username "Auth" "charles.r"'
Fri Nov 30 09:43:21 2012 MANAGEMENT: CMD 'password [...]'
Fri Nov 30 09:43:21 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Nov 30 09:43:21 2012 NOTE: OpenVPNAS 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Nov 30 09:43:21 2012 LZO compression initialized
Fri Nov 30 09:43:21 2012 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Nov 30 09:43:21 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Nov 30 09:43:21 2012 MANAGEMENT: >STATE:1354283001,RESOLVE,,,
Fri Nov 30 09:43:21 2012 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Nov 30 09:43:21 2012 Local Options hash (VER=V4): 'd3a7571a'
Fri Nov 30 09:43:21 2012 Expected Remote Options hash (VER=V4): '5b1533a2'
Fri Nov 30 09:43:21 2012 UDPv4 link local: [undef]
Fri Nov 30 09:43:21 2012 UDPv4 link remote: 208.124.237.54:1234
Fri Nov 30 09:43:21 2012 MANAGEMENT: >STATE:1354283001,WAIT,,,
Fri Nov 30 09:43:21 2012 MANAGEMENT: >STATE:1354283001,AUTH,,,
Fri Nov 30 09:43:21 2012 TLS: Initial packet from 208.124.237.54:1234, sid=47481733 8290fc98
Fri Nov 30 09:43:21 2012 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=CA/ST=New_Brunswick/L=Fredericton/O=The_Learning_Bar_Inc./OU=changeme/CN=vpn.tellthemfromme.com/name=changeme/emailAddress=support@thelearningbar.com
Fri Nov 30 09:43:21 2012 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Nov 30 09:43:21 2012 TLS Error: TLS object -> incoming plaintext read error
Fri Nov 30 09:43:21 2012 TLS Error: TLS handshake failed
Fri Nov 30 09:43:21 2012 TCP/UDP: Closing socket
Fri Nov 30 09:43:21 2012 SIGUSR1[soft,tls-error] received, process restarting
Fri Nov 30 09:43:21 2012 MANAGEMENT: >STATE:1354283001,RECONNECTING,tls-error,,
Fri Nov 30 09:43:21 2012 Restart pause, 2 second(s)
Fri Nov 30 09:43:23 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Nov 30 09:43:23 2012 NOTE: OpenVPNAS 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Nov 30 09:43:23 2012 Re-using SSL/TLS context
Fri Nov 30 09:43:23 2012 LZO compression initialized
Fri Nov 30 09:43:23 2012 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Nov 30 09:43:23 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Nov 30 09:43:23 2012 MANAGEMENT: >STATE:1354283003,RESOLVE,,,
Fri Nov 30 09:43:23 2012 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Nov 30 09:43:23 2012 Local Options hash (VER=V4): 'd3a7571a'
Fri Nov 30 09:43:23 2012 Expected Remote Options hash (VER=V4): '5b1533a2'
Fri Nov 30 09:43:23 2012 UDPv4 link local: [undef]
Fri Nov 30 09:43:23 2012 UDPv4 link remote: 208.124.237.54:1234
Fri Nov 30 09:43:23 2012 MANAGEMENT: >STATE:1354283003,WAIT,,,
Fri Nov 30 09:43:23 2012 MANAGEMENT: >STATE:1354283003,AUTH,,,
Fri Nov 30 09:43:23 2012 TLS: Initial packet from 208.124.237.54:1234, sid=13ba535a 6446147d
Fri Nov 30 09:43:23 2012 MANAGEMENT: CMD 'username "Auth" "charles.r"'
Fri Nov 30 09:43:23 2012 MANAGEMENT: CMD 'password [...]'
Fri Nov 30 09:43:23 2012 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=CA/ST=New_Brunswick/L=Fredericton/O=The_Learning_Bar_Inc./OU=changeme/CN=vpn.tellthemfromme.com/name=changeme/emailAddress=support@thelearningbar.com
Fri Nov 30 09:43:23 2012 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Nov 30 09:43:23 2012 TLS Error: TLS object -> incoming plaintext read error
Fri Nov 30 09:43:23 2012 TLS Error: TLS handshake failed
Fri Nov 30 09:43:23 2012 TCP/UDP: Closing socket
Fri Nov 30 09:43:23 2012 SIGUSR1[soft,tls-error] received, process restarting
Fri Nov 30 09:43:23 2012 MANAGEMENT: >STATE:1354283003,RECONNECTING,tls-error,,
Fri Nov 30 09:43:23 2012 Restart pause, 2 second(s)
Fri Nov 30 09:43:25 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Nov 30 09:43:25 2012 NOTE: OpenVPNAS 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Nov 30 09:43:25 2012 Re-using SSL/TLS context
Fri Nov 30 09:43:25 2012 LZO compression initialized
Fri Nov 30 09:43:25 2012 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Nov 30 09:43:25 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Nov 30 09:43:25 2012 MANAGEMENT: >STATE:1354283005,RESOLVE,,,
Fri Nov 30 09:43:25 2012 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Nov 30 09:43:25 2012 Local Options hash (VER=V4): 'd3a7571a'
Fri Nov 30 09:43:25 2012 Expected Remote Options hash (VER=V4): '5b1533a2'
Fri Nov 30 09:43:25 2012 UDPv4 link local: [undef]
Fri Nov 30 09:43:25 2012 UDPv4 link remote: 208.124.237.54:1234
Fri Nov 30 09:43:25 2012 MANAGEMENT: >STATE:1354283005,WAIT,,,
Fri Nov 30 09:43:25 2012 MANAGEMENT: >STATE:1354283005,AUTH,,,
Fri Nov 30 09:43:25 2012 TLS: Initial packet from 208.124.237.54:1234, sid=f3c9b174 d49ffa7a
Fri Nov 30 09:43:25 2012 MANAGEMENT: CMD 'username "Auth" "charles.r"'
Fri Nov 30 09:43:25 2012 MANAGEMENT: CMD 'password [...]'
Fri Nov 30 09:43:25 2012 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=CA/ST=New_Brunswick/L=Fredericton/O=The_Learning_Bar_Inc./OU=changeme/CN=vpn.tellthemfromme.com/name=changeme/emailAddress=support@thelearningbar.com
Fri Nov 30 09:43:25 2012 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Nov 30 09:43:25 2012 TLS Error: TLS object -> incoming plaintext read error
Fri Nov 30 09:43:25 2012 TLS Error: TLS handshake failed
Fri Nov 30 09:43:25 2012 TCP/UDP: Closing socket
Fri Nov 30 09:43:25 2012 SIGUSR1[soft,tls-error] received, process restarting
Fri Nov 30 09:43:25 2012 MANAGEMENT: >STATE:1354283005,RECONNECTING,tls-error,,
Fri Nov 30 09:43:25 2012 Restart pause, 2 second(s)
Please help! Probably lack of sleep is stopping me from seeing this clearly but I don't see what the issue is.
Thanks,
Charles
openvpn on centos vm, bad cert issue
Moderators: TinCanTech
Forum rules
Please visit (and READ) the OpenVPN HowTo http://openvpn.net/howto prior to asking any questions in here!
- OpenVpn Newbie
- Posts: 4
- Joined: Fri Nov 30, 2012 1:35 pm
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
Re: openvpn on centos vm, bad cert issue
hi there,
some things I noticed...
your client runs the AS client version, not the open-source one...
if you want to connect only with username/pass, add to your server config
client-cert-not-required
also you must use the same cipher on both client and server (reminding you that the default is blowfish)
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)
"objects in mirror are losing"
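The client log in the first post and Michael's reply point at three separate things: the client never enables server-certificate verification (the howto#mitm WARNING), the server sets `cipher AES-128-CBC` while the client has no `cipher` line at all, and the `VERIFY ERROR: depth=1, error=self signed certificate in certificate chain` means the CA certificate the client holds is not the one that issued the server certificate. The following is an added example, not code from the thread or from the OpenVPN project: a small Python checker that parses both configs and the client log and reports each of those conditions. The configs and log lines embedded below are constructed from the ones posted (shortened, with a placeholder certificate subject); the `BF-CBC` default is the OpenVPN 2.x behaviour Michael refers to, and the list of server-verification options (`remote-cert-tls`, `ns-cert-type`, `verify-x509-name`, `tls-remote`) is my assumption covering both the 2.2 era and later releases.

```python
import re
import shlex

# Server and client configs, constructed from the ones posted in the thread
# (trimmed to the lines that matter for these checks).
SERVER_CONF = """\
port 1234 #- port
proto udp #- protocol
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"
cipher AES-128-CBC
comp-lzo
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote vpn.mysite.com 1234 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
ca ca.crt
auth-user-pass
comp-lzo
"""

# Client log excerpt modelled on the thread's log; the certificate subject is a placeholder.
CLIENT_LOG = """\
Fri Nov 30 09:43:21 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Nov 30 09:43:21 2012 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=XX/O=Example/CN=vpn.example.invalid
Fri Nov 30 09:43:21 2012 TLS Error: TLS handshake failed
Fri Nov 30 09:43:23 2012 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=XX/O=Example/CN=vpn.example.invalid
Fri Nov 30 09:43:23 2012 TLS Error: TLS handshake failed
"""

DEFAULT_CIPHER = "BF-CBC"  # OpenVPN 2.x data-channel default when no 'cipher' line is given
# Options that make the client check the peer really is a server (see howto#mitm); assumed list.
SERVER_VERIFY_OPTS = ("remote-cert-tls", "ns-cert-type", "verify-x509-name", "tls-remote")
VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (\S+)")


def parse_conf(text):
    """Parse OpenVPN config text into {option: [args, ...]}; repeated options
    such as 'push' keep every occurrence and '#' comments are dropped."""
    opts = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if parts:
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def effective_cipher(opts):
    """Cipher this side will use: the configured one, or the default if none is set."""
    return opts["cipher"][0][0] if "cipher" in opts else DEFAULT_CIPHER


def check_cipher(server, client):
    """Both sides must agree on the cipher; a one-sided 'cipher' line is a mismatch."""
    s, c = effective_cipher(server), effective_cipher(client)
    return [("CIPHER_MISMATCH", f"server uses {s}, client uses {c}")] if s != c else []


def check_server_verification(client):
    """Without one of these options the client accepts any certificate the CA signed."""
    if any(o in client for o in SERVER_VERIFY_OPTS):
        return []
    return [("NO_SERVER_VERIFY", "client config has none of: " + ", ".join(SERVER_VERIFY_OPTS))]


def check_log(log):
    """Pull certificate-verification and handshake failures out of a client log."""
    findings, seen = [], set()
    for line in log.splitlines():
        m = VERIFY_RE.search(line)
        if m and m.group(3) not in seen:
            seen.add(m.group(3))
            depth, reason, subject = m.groups()
            # A self-signed cert at depth > 0 is a chain whose root the client's ca.crt lacks.
            code = "CA_MISMATCH" if "self signed" in reason else "VERIFY_FAILED"
            findings.append((code, f"depth={depth}: {reason} ({subject})"))
    failed = sum("TLS handshake failed" in line for line in log.splitlines())
    if failed:
        findings.append(("TLS_HANDSHAKE_FAILED", f"{failed} failed handshake(s)"))
    return findings


def diagnose(server_conf=SERVER_CONF, client_conf=CLIENT_CONF, client_log=CLIENT_LOG):
    """Run all three checks and return (code, message) findings in a fixed order."""
    server, client = parse_conf(server_conf), parse_conf(client_conf)
    return check_cipher(server, client) + check_server_verification(client) + check_log(client_log)


if __name__ == "__main__":
    for code, message in diagnose():
        print(f"{code}: {message}")
```

Run against the embedded samples it reports all four findings; feeding it a client config that adds `cipher AES-128-CBC` and `remote-cert-tls server`, and a log from a client whose `ca.crt` matches the server's CA, returns an empty list.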
- OpenVpn Newbie
- Posts: 4
- Joined: Fri Nov 30, 2012 1:35 pm
Re: openvpn on centos vm, bad cert issue
Hi Michael,
Thanks for the help!
I guess I'm a bit confused about the openvpn client, as I thought I had read that the "old" one which is here:
http://openvpn.se/
was not to be used anymore and that the right client was the one I had, which incidentally worked before. I tried adding client-cert-not-required and removing the cipher line and that still didn't work.
If you can send me a link to the openvpn client if it's not the link above, that would be much appreciated! In the meantime, I'll try the one above again but seem to recall that I couldn't install it last time I tried.
Thanks,
Charles
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
Re: openvpn on centos vm, bad cert issue
download the openvpn binary from the openvpn.net downloads (open source edition)
version 2.2.2....
Michael.
- OpenVpn Newbie
- Posts: 4
- Joined: Fri Nov 30, 2012 1:35 pm
Re: openvpn on centos vm, bad cert issue
Ok,
Here's what I have found that leads me to believe I have some kind of routing issue (reminder that openvpn server is being installed on a vmware vm):
- When I connect to openvpn from a client on the same local network the server is on, I connect to the openvpn server without any issues.
- If I try to connect to openvpn from a client on a different network, it doesn't work, but I do see from my server log that it sees the attempt.
My client is connecting to the same outside public ip in both instances.
Thanks,
Charles
- OpenVpn Newbie
- Posts: 4
- Joined: Fri Nov 30, 2012 1:35 pm
Re: openvpn on centos vm, bad cert issue
Actually,
Figured out my issues. One problem was I had 2 NICs with 192.168.1.0 routes, and openvpn traffic was taking the route through the other interface instead of the one it should have taken. The other issue I honestly don't remember, too much head bashing used to solve this issue.
Cheers,
Charles
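Charles's fix was a host with two NICs that both carried a route for 192.168.1.0/24, so OpenVPN's traffic left on the wrong interface. The following is an added example, not code from the thread or from OpenVPN: it parses `ip route show` output, reproduces the kernel's route selection (longest prefix first, then lowest metric, then the route listed first), flags prefixes reachable over more than one interface, and checks two things against the first post: that the `--to-source` address in the SNAT rule (192.168.1.103) is the source address of the route the kernel will actually use, and that replies to 192.168.1.1 (the address the server log shows handshakes arriving from) leave on the same interface as the default route. The route table, interface names and metrics below are constructed, not captured from Charles's server; the asymmetric-reply check is a common way a duplicate route leaves a server seeing an attempt it never completes, and the thread does not say whether that was the exact mechanism here.

```python
import ipaddress
from collections import defaultdict

# Constructed `ip route show` output for a host with two NICs that both carry a
# route for 192.168.1.0/24, the situation described in the post above; it is
# not output captured from the poster's server.
IP_ROUTE_OUTPUT = """\
default via 192.168.1.1 dev eth0 proto static metric 101
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.104 metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.103 metric 101
"""
SNAT_SOURCE = "192.168.1.103"   # --to-source from the iptables rule in the first post
NAT_GATEWAY = "192.168.1.1"     # address the server log shows handshakes arriving from


def parse_routes(text):
    """Turn `ip route show` lines into dicts: dst (ip_network), dev, via, src, metric."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        if "/" not in dst:
            dst += "/32"                       # host route
        route = {"dst": ipaddress.ip_network(dst), "dev": None, "via": None,
                 "src": None, "metric": "0"}
        for key in ("dev", "via", "src", "metric"):
            if key in parts:
                route[key] = parts[parts.index(key) + 1]
        route["metric"] = int(route["metric"])
        routes.append(route)
    return routes


def route_for(ip, routes):
    """Route the kernel picks for a destination: longest prefix, then lowest metric;
    among equals the route listed first wins (max() keeps the first maximum)."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r["dst"]]
    return max(candidates, key=lambda r: (r["dst"].prefixlen, -r["metric"]))


def duplicate_prefixes(routes):
    """Prefixes reachable over more than one interface, with the one actually used."""
    by_dst = defaultdict(list)
    for r in routes:
        by_dst[r["dst"]].append(r)
    dupes = {}
    for dst, rs in by_dst.items():
        devs = sorted({r["dev"] for r in rs})
        if len(devs) > 1:
            chosen = route_for(str(dst.network_address), rs)
            dupes[str(dst)] = {"devs": devs, "chosen": chosen["dev"], "src": chosen["src"]}
    return dupes


def check_routing(routes, snat_source=SNAT_SOURCE, gateway=NAT_GATEWAY):
    """Findings an admin would want: duplicate LAN routes, replies to the NAT
    gateway leaving on a NIC other than the default route's, and a SNAT source
    address that is not the source address of the route that will carry it."""
    findings = []
    for prefix, info in duplicate_prefixes(routes).items():
        findings.append(("DUPLICATE_ROUTE",
                         f"{prefix} via {info['devs']}, kernel uses {info['chosen']}"))
    default_dev = route_for("0.0.0.0", routes)["dev"]
    reply = route_for(gateway, routes)
    if reply["dev"] != default_dev:
        findings.append(("ASYMMETRIC_REPLY",
                         f"replies to {gateway} leave on {reply['dev']}, default route is on {default_dev}"))
    egress = route_for(snat_source, routes)
    if egress["src"] != snat_source:
        findings.append(("SNAT_SOURCE_MISMATCH",
                         f"SNAT uses {snat_source} but {egress['dev']} sources from {egress['src']}"))
    return findings


if __name__ == "__main__":
    for code, message in check_routing(parse_routes(IP_ROUTE_OUTPUT)):
        print(f"{code}: {message}")
```

On a real host, feed it the output of `ip route show`; with the eth1 route removed from the sample table all three findings disappear, which is the state Charles ended up in.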