TLS error with OpenVPN /Zerina - IPCOP

jordixip
OpenVpn Newbie
Posts: 8
Joined: Fri Mar 29, 2013 4:49 pm

TLS error with OpenVPN /Zerina - IPCOP

Post by jordixip » Fri Mar 29, 2013 4:54 pm

Hello!

I've got an IPCOP proxy/firewall with Zerina; from my clients I'm using OpenVPN. The problem in this case is with two different computers. With the same certificate and the same USB modem, on one of the computers there is no connection.

The errors are:

VERIFY ERROR: depth=1 error=self signed certificate in certificate chain.
TLS ERROR BIO read tls_read_plaintext error
TLS ERROR TLS object -> incoming plaintext read error
TLS ERROR TLS handshake failed

I assume that there is no certificate error, neither on the server nor on the laptop, because with other computers I establish a connection. Furthermore, this is with the firewall turned off on the client.

Any idea?

Thanks.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: TLS error with OpenVPN /Zerina - IPCOP

Post by maikcat » Fri Mar 29, 2013 7:17 pm

VERIFY ERROR: depth=1 error=self signed certificate in certificate chain.
please post your client config used...

are you using the SAME ca.crt for all of your clients?

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

jordixip
OpenVpn Newbie
Posts: 8
Joined: Fri Mar 29, 2013 4:49 pm

Re: TLS error with OpenVPN /Zerina - IPCOP

Post by jordixip » Sun Mar 31, 2013 12:58 pm

#OpenVPN Server conf
tls-client
client
dev tun
proto tcp
tun-mtu 1400
comp-lzo
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
push "route 192.168.0.0 255.255.255.0"
verb 3
remote xxxxxxx 1194
pkcs12 xyz.p12
cipher BF-CBC
ns-cert-type server

jordixip
OpenVpn Newbie
Posts: 8
Joined: Fri Mar 29, 2013 4:49 pm

Re: TLS error with OpenVPN /Zerina - IPCOP

Post by jordixip » Sun Mar 31, 2013 1:01 pm

In the client's OpenVPN config folder I have xxxx.ovpn and xxxx.p12

On this laptop, it works fine... so I think the problem is not in the certificates...

But.. I accept suggestions. I'm lost!!!

jordixip
OpenVpn Newbie
Posts: 8
Joined: Fri Mar 29, 2013 4:49 pm

Re: TLS error with OpenVPN /Zerina - IPCOP

Post by jordixip » Sun Mar 31, 2013 1:07 pm

And in my Zerina-OpenVPN IPCop I've got:

Root certificate: C=CO, O=xxxxxxxxx, CN=xxxxxxxxxx CA
Host certificate: C=CO, O=xxxxxx, CN=192.168.0.2

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: TLS error with OpenVPN /Zerina - IPCOP

Post by maikcat » Mon Apr 01, 2013 10:39 am

about your posted config...
#OpenVPN Server conf
it's a server config...
tls-client
client
it's a client config...

push "route 192.168.0.0 255.255.255.0"
you are pushing options...server config?
remote xxxxxxx 1194
pkcs12 xyz.p12
cipher BF-CBC
ns-cert-type server
no, client config...

please post the FULL client and server logs.
.p12 files usually contain both ca.crt & the client key

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

jordixip
OpenVpn Newbie
Posts: 8
Joined: Fri Mar 29, 2013 4:49 pm

Re: TLS error with OpenVPN /Zerina - IPCOP

Post by jordixip » Mon Apr 01, 2013 1:08 pm

Hello Michael,

that's the file generated by Zerina. I only added route options.

Remember that this certificate is working on some laptops... so I don't understand.

Thanks.

jordixip
OpenVpn Newbie
Posts: 8
Joined: Fri Mar 29, 2013 4:49 pm

Re: TLS error with OpenVPN /Zerina - IPCOP

Post by jordixip » Mon Apr 01, 2013 4:05 pm

Actually I'm connected with my laptop, and this is the log:

Mon Apr 01 10:05:06 2013 OpenVPN 2.2.0 Win32-MSVC++ [SSL] [LZO2] built on Apr 26 2011
Mon Apr 01 10:05:06 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Apr 01 10:05:09 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Apr 01 10:05:09 2013 LZO compression initialized
Mon Apr 01 10:05:09 2013 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Mon Apr 01 10:05:09 2013 Control Channel MTU parms [ L:1444 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon Apr 01 10:05:09 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Apr 01 10:05:09 2013 Data Channel MTU parms [ L:1444 D:1444 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Apr 01 10:05:10 2013 Local Options hash (VER=V4): '7dfc3732'
Mon Apr 01 10:05:10 2013 Expected Remote Options hash (VER=V4): '347277f0'
Mon Apr 01 10:05:10 2013 Attempting to establish TCP connection with xxxxxxxxxx:1194
Mon Apr 01 10:05:10 2013 TCP connection established with xxxxxxxxxx:1194
Mon Apr 01 10:05:10 2013 TCPv4_CLIENT link local: [undef]
Mon Apr 01 10:05:10 2013 TCPv4_CLIENT link remote: xxxxxxxxxx:1194
Mon Apr 01 10:05:10 2013 TLS: Initial packet from xxxxxxxxxx:1194, sid=fb8c6d26 8a085a15
Mon Apr 01 10:05:10 2013 VERIFY OK: depth=1, /C=CO/O=xxxxxxxxxx/CN=xxxxxxxxxx_CA
Mon Apr 01 10:05:10 2013 VERIFY OK: nsCertType=SERVER
Mon Apr 01 10:05:10 2013 VERIFY OK: depth=0, /C=CO/O=xxxxxxxxxx/CN=192.168.0.2
Mon Apr 01 10:05:11 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Apr 01 10:05:11 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 01 10:05:11 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Apr 01 10:05:11 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 01 10:05:11 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 01 10:05:11 2013 [192.168.0.2] Peer Connection Initiated with 201.245.105.243:1194
Mon Apr 01 10:05:14 2013 SENT CONTROL [192.168.0.2]: 'PUSH_REQUEST' (status=1)
Mon Apr 01 10:05:14 2013 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,route 10.12.4.1,ping 10,ping-restart 60,ifconfig 10.12.4.14 10.12.4.13'
Mon Apr 01 10:05:14 2013 OPTIONS IMPORT: timers and/or timeouts modified
Mon Apr 01 10:05:14 2013 OPTIONS IMPORT: --ifconfig/up options modified
Mon Apr 01 10:05:14 2013 OPTIONS IMPORT: route options modified
Mon Apr 01 10:05:16 2013 ROUTE default_gateway=172.18.1.1
Mon Apr 01 10:05:16 2013 TAP-WIN32 device [Conexión de área local 12] opened: \\.\Global\{C52E6C6A-9FC7-4BCA-A9A5-005AC2DB5978}.tap
Mon Apr 01 10:05:16 2013 TAP-Win32 Driver Version 9.8
Mon Apr 01 10:05:16 2013 TAP-Win32 MTU=1500
Mon Apr 01 10:05:16 2013 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.12.4.14/255.255.255.252 on interface {C52E6C6A-9FC7-4BCA-A9A5-005AC2DB5978} [DHCP-serv: 10.12.4.13, lease-time: 31536000]
Mon Apr 01 10:05:16 2013 Successful ARP Flush on interface [4] {C52E6C6A-9FC7-4BCA-A9A5-005AC2DB5978}
Mon Apr 01 10:05:21 2013 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Mon Apr 01 10:05:21 2013 C:\WINDOWS\system32\route.exe ADD 192.168.0.0 MASK 255.255.255.0 10.12.4.13
Mon Apr 01 10:05:21 2013 Route addition via IPAPI succeeded [adaptive]
Mon Apr 01 10:05:21 2013 C:\WINDOWS\system32\route.exe ADD 10.12.4.1 MASK 255.255.255.255 10.12.4.13
Mon Apr 01 10:05:21 2013 Route addition via IPAPI succeeded [adaptive]
Mon Apr 01 10:05:21 2013 Initialization Sequence Completed

jordixip
OpenVpn Newbie
Posts: 8
Joined: Fri Mar 29, 2013 4:49 pm

Re: TLS error with OpenVPN /Zerina - IPCOP

Post by jordixip » Mon Apr 01, 2013 4:15 pm

If I try with one of the five laptops, in the same place, with the same certificate... there is no connection.

And this is the remote log, from one connection, in the same place, with the same certificate... it is not a laptop:

10:14:31 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped
10:31:06 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped
10:36:19 openvpnserver Cliente_1/190.84.231.174:1157 TLS: tls_process: killed expiring key
10:36:22 openvpnserver Cliente_1/190.84.231.174:1157 TLS: soft reset sec=0 bytes=1727532/0 pkts=6320/0
10:36:23 openvpnserver Cliente_1/190.84.231.174:1157 VERIFY SCRIPT OK: depth=1, /C=CO/O=xxxxxx/CN=xxxxxx_CA
10:36:23 openvpnserver Cliente_1/190.84.231.174:1157 CRL CHECK OK: /C=CO/O=xxxxxx/CN=xxxxxx_CA
10:36:23 openvpnserver Cliente_1/190.84.231.174:1157 VERIFY OK: depth=1, /C=CO/O=xxxxxx/CN=xxxxxx_CA
10:36:23 openvpnserver Cliente_1/190.84.231.174:1157 VERIFY SCRIPT OK: depth=0, /C=CO/O=xxxxxx/CN=Cliente_1
10:36:23 openvpnserver Cliente_1/190.84.231.174:1157 CRL CHECK OK: /C=CO/O=xxxxxx/CN=Cliente_1
10:36:23 openvpnserver Cliente_1/190.84.231.174:1157 VERIFY OK: depth=0, /C=CO/O=xxxxxx/CN=Cliente_1
10:36:24 openvpnserver Cliente_1/190.84.231.174:1157 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
10:36:24 openvpnserver Cliente_1/190.84.231.174:1157 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
10:36:24 openvpnserver Cliente_1/190.84.231.174:1157 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
10:36:24 openvpnserver Cliente_1/190.84.231.174:1157 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
10:36:24 openvpnserver Cliente_1/190.84.231.174:1157 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
10:37:47 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped
10:42:35 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped
10:42:40 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped
10:42:47 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped
10:48:19 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped
10:48:23 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped
10:48:30 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped
10:50:57 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped
10:51:11 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped
10:51:15 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped
10:51:23 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped
10:52:37 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped
10:52:40 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped
10:52:48 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped
10:53:20 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped
10:53:23 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped
10:53:32 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped
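The two logs above (the working client log and the server log) and the VERIFY ERROR lines from the first post are all in OpenVPN's standard line formats, so they can be triaged mechanically. The following is an added example, not code from this thread, from OpenVPN or from Zerina: it parses client-side "VERIFY OK/ERROR: depth=N ..." and "TLS handshake failed" lines, maps the OpenSSL verify error text to its usual cause on an OpenVPN client, and counts the server-side "MULTI: bad source address from client [...]" rejections per client CN. The sample log lines are constructed to mirror the thread (placeholder org names, the same addresses), and the VERIFY_HINTS table is the author's own summary of what those OpenSSL errors normally mean, not OpenVPN output.

```python
"""Triage helper for OpenVPN client and server log lines (added example)."""
import re
from collections import Counter

# Client side, e.g.  "VERIFY OK: depth=1, /C=CO/O=.../CN=..._CA"
#                    "VERIFY ERROR: depth=1 error=self signed certificate in certificate chain."
VERIFY_RE = re.compile(r"VERIFY (OK|ERROR): depth=(\d+),? ?(?:error=)?(.*?)\.?$")

# Server side, e.g.  "Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped"
BAD_SRC_RE = re.compile(
    r"(?P<cn>[^\s/]+)/(?P<peer>[^\s:]+):\d+ MULTI: bad source address from client \[(?P<src>[^\]]+)\]"
)

# OpenSSL verify error text -> what it usually means on an OpenVPN client (author's summary).
VERIFY_HINTS = {
    "self signed certificate in certificate chain":
        "the CA that signed the server certificate (depth=1) is not a CA this client trusts; "
        "compare the CA inside the client's .p12 / ca.crt with the server's root CA",
    "certificate has expired":
        "check the client clock and the certificate validity dates",
    "unable to get local issuer certificate":
        "the client has no CA certificate for this chain at all",
}


def analyze_client_log(lines):
    """Summarise TLS verification results and the handshake outcome of one client log."""
    result = {"verify": [], "handshake_failed": False, "initialized": False, "hints": []}
    for line in lines:
        m = VERIFY_RE.search(line)
        if m:
            status, depth, detail = m.group(1), int(m.group(2)), m.group(3).strip()
            result["verify"].append((depth, status, detail))
            if status == "ERROR":
                hint = VERIFY_HINTS.get(detail, "unrecognised verify error; inspect the CA and certificate")
                result["hints"].append(f"depth={depth}: {hint}")
        elif "TLS handshake failed" in line:
            result["handshake_failed"] = True
        elif "Initialization Sequence Completed" in line:
            result["initialized"] = True
    return result


def analyze_server_log(lines):
    """Count rejected packet source addresses per client CN.

    OpenVPN drops packets whose source is neither the client's tunnel address nor an
    iroute assigned to that client, so a high count means either the client's LAN is
    being routed into the tunnel or the server is missing an iroute for it.
    """
    rejected = Counter()
    for line in lines:
        m = BAD_SRC_RE.search(line)
        if m:
            rejected[(m.group("cn"), m.group("src"))] += 1
    return rejected


# Constructed sample lines modelled on the thread's posts.
FAILING_CLIENT_LOG = [
    "Mon Apr 01 10:05:10 2013 TLS: Initial packet from xxxxxxxxxx:1194",
    "Mon Apr 01 10:05:10 2013 VERIFY ERROR: depth=1 error=self signed certificate in certificate chain.",
    "Mon Apr 01 10:05:10 2013 TLS Error: TLS object -> incoming plaintext read error",
    "Mon Apr 01 10:05:10 2013 TLS Error: TLS handshake failed",
]
WORKING_CLIENT_LOG = [
    "Mon Apr 01 10:05:10 2013 VERIFY OK: depth=1, /C=CO/O=xxxxxxxxxx/CN=xxxxxxxxxx_CA",
    "Mon Apr 01 10:05:10 2013 VERIFY OK: nsCertType=SERVER",
    "Mon Apr 01 10:05:10 2013 VERIFY OK: depth=0, /C=CO/O=xxxxxxxxxx/CN=192.168.0.2",
    "Mon Apr 01 10:05:21 2013 Initialization Sequence Completed",
]
SERVER_LOG = [
    "10:14:31 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped",
    "10:36:23 openvpnserver Cliente_1/190.84.231.174:1157 VERIFY OK: depth=0, /C=CO/O=xxxxxx/CN=Cliente_1",
    "10:37:47 openvpnserver Cliente_1/190.84.231.174:1157 MULTI: bad source address from client [192.168.0.17], packet dropped",
]


def main():
    for name, log in (("failing client", FAILING_CLIENT_LOG), ("working client", WORKING_CLIENT_LOG)):
        r = analyze_client_log(log)
        print(f"{name}: verify={r['verify']} handshake_failed={r['handshake_failed']} "
              f"initialized={r['initialized']}")
        for hint in r["hints"]:
            print("  hint:", hint)
    for (cn, src), n in analyze_server_log(SERVER_LOG).items():
        print(f"server: client {cn} sent {n} packet(s) from unassigned source {src}")


if __name__ == "__main__":
    main()
```

The depth matters when reading the hints: depth=0 is the server's own certificate and depth=1 its issuer, so a depth=1 "self signed certificate in certificate chain" error is the client saying it does not recognise the CA, which is why maikcat's first question was whether every client carries the same ca.crt. In the thread's server log the rejected source 192.168.0.17 lies inside the 192.168.0.0/24 range that the server pushes as a route, which is the pattern you see when a client's own LAN overlaps the server's LAN.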

jordixip
OpenVpn Newbie
Posts: 8
Joined: Fri Mar 29, 2013 4:49 pm

Re: TLS error with OpenVPN /Zerina - IPCOP

Post by jordixip » Mon Apr 01, 2013 6:58 pm

Solved!! I did a 'breakpoint', and I found the line that caused the problem. So I can actually connect with those laptops now.

Thanks.
