VERIFY ERROR: depth=1, error=self signed certificate in cert

This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.

Moderators: TinCanTech

Forum rules
Please visit (and READ) the OpenVPN HowTo http://openvpn.net/howto prior to asking any questions in here!
QuincyDK
OpenVpn Newbie
Posts: 10
Joined: Mon Apr 08, 2013 6:56 am

VERIFY ERROR: depth=1, error=self signed certificate in cert

Post by QuincyDK » Mon Apr 08, 2013 6:59 am

Okay, so I am getting the following error in my log

Code:

Mon Apr 08 03:31:06 2013 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain:
Which is true, because I signed my server, client and CA certs myself. How could I work around this?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: VERIFY ERROR: depth=1, error=self signed certificate in

Post by maikcat » Mon Apr 08, 2013 9:01 am

the ca.crt is self signed...ONLY

are you using the SAME ca.crt on server/clients?

also post whole client log.

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

QuincyDK
OpenVpn Newbie
Posts: 10
Joined: Mon Apr 08, 2013 6:56 am

Re: VERIFY ERROR: depth=1, error=self signed certificate in

Post by QuincyDK » Mon Apr 08, 2013 9:13 am

maikcat wrote:the ca.crt is self signed...ONLY

are you using the SAME ca.crt on server/clients?

also post whole client log.

Michael.
Hi there,

Yes, the ca.crt is the same on both server and client(s). That's something I've verified.

Here is the whole client-side log

Code:

Mon Apr 08 03:31:00 2013 Note: option http-proxy-fallback ignored because no TCP-based connection profiles are defined
Mon Apr 08 03:31:00 2013 OpenVPNAS 2.1.1oOAS Win32-MSVC++ [SSL] [LZO2] built on Jul 29 2010
Mon Apr 08 03:31:00 2013 MANAGEMENT: Connected to management server at 127.0.0.1:59202
Mon Apr 08 03:31:00 2013 MANAGEMENT: CMD 'log on'
Mon Apr 08 03:31:00 2013 MANAGEMENT: CMD 'state on'
Mon Apr 08 03:31:00 2013 MANAGEMENT: CMD 'echo on'
Mon Apr 08 03:31:00 2013 MANAGEMENT: CMD 'bytecount 5'
Mon Apr 08 03:31:00 2013 MANAGEMENT: CMD 'hold off'
Mon Apr 08 03:31:00 2013 MANAGEMENT: CMD 'hold release'
Mon Apr 08 03:31:00 2013 NOTE: OpenVPNAS 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Apr 08 03:31:00 2013 LZO compression initialized
Mon Apr 08 03:31:00 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Apr 08 03:31:00 2013 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Apr 08 03:31:00 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Apr 08 03:31:00 2013 Local Options hash (VER=V4): '41690919'
Mon Apr 08 03:31:00 2013 Expected Remote Options hash (VER=V4): '530fdded'
Mon Apr 08 03:31:00 2013 UDPv4 link local: [undef]
Mon Apr 08 03:31:00 2013 UDPv4 link remote: 192.168.1.200:1194
Mon Apr 08 03:31:00 2013 MANAGEMENT: >STATE:1365384660,WAIT,,,
Mon Apr 08 03:31:06 2013 MANAGEMENT: >STATE:1365384666,AUTH,,,
Mon Apr 08 03:31:06 2013 TLS: Initial packet from 192.168.1.200:1194, sid=8f21f78b 343a7d89
Mon Apr 08 03:31:06 2013 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=NL/ST=UT/L=Utrecht/O=VPN/OU=OU/CN=13VPN/name=NameVPN/emailAddress=kosterkont@hotmail.com
Mon Apr 08 03:31:06 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Apr 08 03:31:06 2013 TLS Error: TLS object -> incoming plaintext read error
Mon Apr 08 03:31:06 2013 TLS Error: TLS handshake failed
Mon Apr 08 03:31:06 2013 TCP/UDP: Closing socket
Mon Apr 08 03:31:06 2013 SIGUSR1[soft,tls-error] received, process restarting
Mon Apr 08 03:31:06 2013 MANAGEMENT: >STATE:1365384666,RECONNECTING,tls-error,,
Mon Apr 08 03:31:06 2013 Restart pause, 2 second(s)
Mon Apr 08 03:31:08 2013 NOTE: OpenVPNAS 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Apr 08 03:31:08 2013 Re-using SSL/TLS context
Mon Apr 08 03:31:08 2013 LZO compression initialized
Mon Apr 08 03:31:08 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Apr 08 03:31:08 2013 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Apr 08 03:31:08 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Apr 08 03:31:08 2013 Local Options hash (VER=V4): '41690919'
Mon Apr 08 03:31:08 2013 Expected Remote Options hash (VER=V4): '530fdded'
Mon Apr 08 03:31:08 2013 UDPv4 link local: [undef]
Mon Apr 08 03:31:08 2013 UDPv4 link remote: 192.168.1.200:1194
Mon Apr 08 03:31:08 2013 MANAGEMENT: >STATE:1365384668,WAIT,,,
Mon Apr 08 03:31:08 2013 MANAGEMENT: >STATE:1365384668,AUTH,,,
Mon Apr 08 03:31:08 2013 TLS: Initial packet from 192.168.1.200:1194, sid=fe863daf 62801fc3
Mon Apr 08 03:31:08 2013 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=NL/ST=UT/L=Utrecht/O=VPN/OU=OU/CN=13VPN/name=NameVPN/emailAddress=kosterkont@hotmail.com
Mon Apr 08 03:31:08 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Apr 08 03:31:08 2013 TLS Error: TLS object -> incoming plaintext read error
Mon Apr 08 03:31:08 2013 TLS Error: TLS handshake failed
Mon Apr 08 03:31:08 2013 TCP/UDP: Closing socket
Mon Apr 08 03:31:08 2013 SIGUSR1[soft,tls-error] received, process restarting
Mon Apr 08 03:31:08 2013 MANAGEMENT: >STATE:1365384668,RECONNECTING,tls-error,,
Mon Apr 08 03:31:08 2013 Restart pause, 2 second(s)
Mon Apr 08 03:31:10 2013 NOTE: OpenVPNAS 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Apr 08 03:31:10 2013 Re-using SSL/TLS context
Mon Apr 08 03:31:10 2013 LZO compression initialized
Mon Apr 08 03:31:10 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Apr 08 03:31:10 2013 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Apr 08 03:31:10 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Apr 08 03:31:10 2013 Local Options hash (VER=V4): '41690919'
Mon Apr 08 03:31:10 2013 Expected Remote Options hash (VER=V4): '530fdded'
Mon Apr 08 03:31:10 2013 UDPv4 link local: [undef]
Mon Apr 08 03:31:10 2013 UDPv4 link remote: 192.168.1.200:1194
Mon Apr 08 03:31:10 2013 MANAGEMENT: >STATE:1365384670,WAIT,,,
Mon Apr 08 03:31:10 2013 MANAGEMENT: >STATE:1365384670,AUTH,,,
Mon Apr 08 03:31:10 2013 TLS: Initial packet from 192.168.1.200:1194, sid=dc145f5a 0abaebe8
Mon Apr 08 03:31:10 2013 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=NL/ST=UT/L=Utrecht/O=VPN/OU=OU/CN=13VPN/name=NameVPN/emailAddress=kosterkont@hotmail.com
Mon Apr 08 03:31:10 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Apr 08 03:31:10 2013 TLS Error: TLS object -> incoming plaintext read error
Mon Apr 08 03:31:10 2013 TLS Error: TLS handshake failed
Mon Apr 08 03:31:10 2013 TCP/UDP: Closing socket
Mon Apr 08 03:31:10 2013 SIGUSR1[soft,tls-error] received, process restarting
Mon Apr 08 03:31:10 2013 MANAGEMENT: >STATE:1365384670,RECONNECTING,tls-error,,
Mon Apr 08 03:31:10 2013 Restart pause, 2 second(s)
Mon Apr 08 03:31:12 2013 NOTE: OpenVPNAS 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Apr 08 03:31:12 2013 Re-using SSL/TLS context
Mon Apr 08 03:31:12 2013 LZO compression initialized
Mon Apr 08 03:31:12 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Apr 08 03:31:12 2013 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Apr 08 03:31:12 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Apr 08 03:31:12 2013 Local Options hash (VER=V4): '41690919'
Mon Apr 08 03:31:12 2013 Expected Remote Options hash (VER=V4): '530fdded'
Mon Apr 08 03:31:12 2013 UDPv4 link local: [undef]
Mon Apr 08 03:31:12 2013 UDPv4 link remote: 192.168.1.200:1194
Mon Apr 08 03:31:12 2013 MANAGEMENT: >STATE:1365384672,WAIT,,,
Mon Apr 08 03:31:12 2013 MANAGEMENT: >STATE:1365384672,AUTH,,,
Mon Apr 08 03:31:12 2013 TLS: Initial packet from 192.168.1.200:1194, sid=6d1c1acc f9776316
Mon Apr 08 03:31:12 2013 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=NL/ST=UT/L=Utrecht/O=VPN/OU=OU/CN=13VPN/name=NameVPN/emailAddress=kosterkont@hotmail.com
Mon Apr 08 03:31:12 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Apr 08 03:31:12 2013 TLS Error: TLS object -> incoming plaintext read error
Mon Apr 08 03:31:12 2013 TLS Error: TLS handshake failed
Mon Apr 08 03:31:12 2013 TCP/UDP: Closing socket
Mon Apr 08 03:31:12 2013 SIGUSR1[soft,tls-error] received, process restarting
Mon Apr 08 03:31:12 2013 MANAGEMENT: >STATE:1365384672,RECONNECTING,tls-error,,
Mon Apr 08 03:31:12 2013 Restart pause, 2 second(s)
Mon Apr 08 03:31:14 2013 NOTE: OpenVPNAS 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Apr 08 03:31:14 2013 Re-using SSL/TLS context
Mon Apr 08 03:31:14 2013 LZO compression initialized
Mon Apr 08 03:31:14 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Apr 08 03:31:14 2013 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Apr 08 03:31:14 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Apr 08 03:31:14 2013 Local Options hash (VER=V4): '41690919'
Mon Apr 08 03:31:14 2013 Expected Remote Options hash (VER=V4): '530fdded'
Mon Apr 08 03:31:14 2013 UDPv4 link local: [undef]
Mon Apr 08 03:31:14 2013 UDPv4 link remote: 192.168.1.200:1194
Mon Apr 08 03:31:14 2013 MANAGEMENT: >STATE:1365384674,WAIT,,,
Mon Apr 08 03:31:14 2013 MANAGEMENT: >STATE:1365384674,AUTH,,,
Mon Apr 08 03:31:14 2013 TLS: Initial packet from 192.168.1.200:1194, sid=b94b4790 97443a1d
Mon Apr 08 03:31:14 2013 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=NL/ST=UT/L=Utrecht/O=VPN/OU=OU/CN=13VPN/name=NameVPN/emailAddress=kosterkont@hotmail.com
Mon Apr 08 03:31:14 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Apr 08 03:31:14 2013 TLS Error: TLS object -> incoming plaintext read error
Mon Apr 08 03:31:14 2013 TLS Error: TLS handshake failed
Mon Apr 08 03:31:14 2013 TCP/UDP: Closing socket
Mon Apr 08 03:31:14 2013 SIGUSR1[soft,tls-error] received, process restarting
Mon Apr 08 03:31:14 2013 MANAGEMENT: >STATE:1365384674,RECONNECTING,tls-error,,
Mon Apr 08 03:31:14 2013 Restart pause, 2 second(s)
Mon Apr 08 03:31:16 2013 NOTE: OpenVPNAS 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Apr 08 03:31:16 2013 Re-using SSL/TLS context
Mon Apr 08 03:31:16 2013 LZO compression initialized
Mon Apr 08 03:31:16 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Apr 08 03:31:16 2013 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Apr 08 03:31:16 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Apr 08 03:31:16 2013 Local Options hash (VER=V4): '41690919'
Mon Apr 08 03:31:16 2013 Expected Remote Options hash (VER=V4): '530fdded'
Mon Apr 08 03:31:16 2013 UDPv4 link local: [undef]
Mon Apr 08 03:31:16 2013 UDPv4 link remote: 192.168.1.200:1194
Mon Apr 08 03:31:16 2013 MANAGEMENT: >STATE:1365384676,WAIT,,,
Mon Apr 08 03:31:16 2013 MANAGEMENT: >STATE:1365384676,AUTH,,,
Mon Apr 08 03:31:16 2013 TLS: Initial packet from 192.168.1.200:1194, sid=233b0db5 3c9270df
Mon Apr 08 03:31:16 2013 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=NL/ST=UT/L=Utrecht/O=VPN/OU=OU/CN=13VPN/name=NameVPN/emailAddress=kosterkont@hotmail.com
Mon Apr 08 03:31:16 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Apr 08 03:31:16 2013 TLS Error: TLS object -> incoming plaintext read error
Mon Apr 08 03:31:16 2013 TLS Error: TLS handshake failed
Mon Apr 08 03:31:16 2013 TCP/UDP: Closing socket
Mon Apr 08 03:31:16 2013 SIGUSR1[soft,tls-error] received, process restarting
Mon Apr 08 03:31:16 2013 MANAGEMENT: >STATE:1365384676,RECONNECTING,tls-error,,
Mon Apr 08 03:31:16 2013 Restart pause, 2 second(s)

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: VERIFY ERROR: depth=1, error=self signed certificate in

Post by maikcat » Mon Apr 08, 2013 1:42 pm

can you describe how you created your certs?

can you post client config?

Code:

OpenVPNAS 2.1.1oOAS Win32-MSVC++ [SSL] [LZO2] built on Jul 29 2010
openvpn AS???

are you using access server or community edition?

Michael.

QuincyDK
OpenVpn Newbie
Posts: 10
Joined: Mon Apr 08, 2013 6:56 am

Re: VERIFY ERROR: depth=1, error=self signed certificate in

Post by QuincyDK » Mon Apr 08, 2013 4:10 pm

maikcat wrote: can you describe how you created your certs?

can you post client config?

Code:

OpenVPNAS 2.1.1oOAS Win32-MSVC++ [SSL] [LZO2] built on Jul 29 2010
openvpn AS???

are you using access server or community edition?

Michael.
Hi

I just downloaded the OpenVPN software from that page: http://openvpn.net/index.php/open-source/downloads.html

I have set up the keys and certs using

init-config
-edit vars.bat-
vars
clean-all
build-ca
build-key-server server
build-key clientx where x corresponds to the client number
build-dh


Client config:

Code:

client
dev tun
proto udp
remote 192.168.1.200 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\prism\ca.crt"
cert client2.crt
key client2.key
ns-cert-type server
comp-lzo
verb 3

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: VERIFY ERROR: depth=1, error=self signed certificate in

Post by maikcat » Tue Apr 09, 2013 6:29 am

hi there,

this path:

Code:

C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\
is NOT community based edition...

please uninstall openvpn and install open source version...

Michael.

QuincyDK
OpenVpn Newbie
Posts: 10
Joined: Mon Apr 08, 2013 6:56 am

Re: VERIFY ERROR: depth=1, error=self signed certificate in

Post by QuincyDK » Tue Apr 09, 2013 6:41 am

maikcat wrote:hi there,

this path:

Code:

C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\
is NOT community based edition...

please uninstall openvpn and install open source version...

Michael.
That is just the client, not OpenVPN itself. Does that make a difference? I just use that to connect...

QuincyDK
OpenVpn Newbie
Posts: 10
Joined: Mon Apr 08, 2013 6:56 am

Re: VERIFY ERROR: depth=1, error=self signed certificate in

Post by QuincyDK » Tue Apr 09, 2013 7:01 am

Well, it does make a difference, I just found out. But now it verifies okay and then gives a TLS error D:

Code:

Tue Apr 09 08:39:33 2013 Warning: cannot open --log file: C:\Program Files\OpenVPN\log\client.log: Toegang geweigerd.   (errno=5)
Tue Apr 09 08:39:33 2013 OpenVPN 2.3.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Mar 28 2013
Tue Apr 09 08:39:33 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Apr 09 08:39:33 2013 Need hold release from management interface, waiting...
Tue Apr 09 08:39:34 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Apr 09 08:39:34 2013 MANAGEMENT: CMD 'state on'
Tue Apr 09 08:39:34 2013 MANAGEMENT: CMD 'log all on'
Tue Apr 09 08:39:34 2013 MANAGEMENT: CMD 'hold off'
Tue Apr 09 08:39:34 2013 MANAGEMENT: CMD 'hold release'
Tue Apr 09 08:39:34 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Apr 09 08:39:34 2013 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Apr 09 08:39:34 2013 MANAGEMENT: >STATE:1365489574,RESOLVE,,,
Tue Apr 09 08:39:34 2013 UDPv4 link local: [undef]
Tue Apr 09 08:39:34 2013 UDPv4 link remote: [AF_INET]83.80.207.82:1194
Tue Apr 09 08:39:34 2013 MANAGEMENT: >STATE:1365489574,WAIT,,,
Tue Apr 09 08:39:35 2013 MANAGEMENT: >STATE:1365489575,AUTH,,,
Tue Apr 09 08:39:35 2013 TLS: Initial packet from [AF_INET]83.80.207.82:1194, sid=393d6e0e dd8e7660
Tue Apr 09 08:39:37 2013 VERIFY OK: depth=1, C=NL, ST=UT, L=Utrecht, O=VPN, OU=OU, CN=13VPN, name=NameVPN, emailAddress=kosterkont@hotmail.com
Tue Apr 09 08:39:37 2013 VERIFY OK: nsCertType=SERVER
Tue Apr 09 08:39:37 2013 VERIFY OK: depth=0, C=NL, ST=UT, L=Utrecht, O=VPN, OU=OU, CN=server, name=NameVPN, emailAddress=kosterkont@hotmail.com
Tue Apr 09 08:40:34 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Apr 09 08:40:34 2013 TLS Error: TLS handshake failed
Tue Apr 09 08:40:34 2013 SIGUSR1[soft,tls-error] received, process restarting
Tue Apr 09 08:40:34 2013 MANAGEMENT: >STATE:1365489634,RECONNECTING,tls-error,,
Tue Apr 09 08:40:34 2013 Restart pause, 2 second(s)
Tue Apr 09 08:40:36 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Apr 09 08:40:36 2013 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Apr 09 08:40:36 2013 MANAGEMENT: >STATE:1365489636,RESOLVE,,,
Tue Apr 09 08:40:36 2013 UDPv4 link local: [undef]
Tue Apr 09 08:40:36 2013 UDPv4 link remote: [AF_INET]83.80.207.82:1194
Tue Apr 09 08:40:36 2013 MANAGEMENT: >STATE:1365489636,WAIT,,,
Tue Apr 09 08:40:36 2013 MANAGEMENT: >STATE:1365489636,AUTH,,,
Tue Apr 09 08:40:36 2013 TLS: Initial packet from [AF_INET]83.80.207.82:1194, sid=507a12fa b51c19b4
Tue Apr 09 08:40:38 2013 VERIFY OK: depth=1, C=NL, ST=UT, L=Utrecht, O=VPN, OU=OU, CN=13VPN, name=NameVPN, emailAddress=kosterkont@hotmail.com
Tue Apr 09 08:40:38 2013 VERIFY OK: nsCertType=SERVER
Tue Apr 09 08:40:38 2013 VERIFY OK: depth=0, C=NL, ST=UT, L=Utrecht, O=VPN, OU=OU, CN=server, name=NameVPN, emailAddress=kosterkont@hotmail.com

QuincyDK
OpenVpn Newbie
Posts: 10
Joined: Mon Apr 08, 2013 6:56 am

Re: VERIFY ERROR: depth=1, error=self signed certificate in

Post by QuincyDK » Tue Apr 09, 2013 9:12 am

Sorry for the multiple posts, but I've got quite an interesting error server-side.

See the log:

Code:

Tue Apr 09 11:07:01 2013 OpenVPN 2.3.1 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Mar 28 2013
Tue Apr 09 11:07:01 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Apr 09 11:07:01 2013 Need hold release from management interface, waiting...
Tue Apr 09 11:07:01 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Apr 09 11:07:01 2013 MANAGEMENT: CMD 'state on'
Tue Apr 09 11:07:01 2013 MANAGEMENT: CMD 'log all on'
Tue Apr 09 11:07:01 2013 MANAGEMENT: CMD 'hold off'
Tue Apr 09 11:07:01 2013 MANAGEMENT: CMD 'hold release'
Tue Apr 09 11:07:01 2013 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Tue Apr 09 11:07:01 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Apr 09 11:07:02 2013 Diffie-Hellman initialized with 1024 bit key
Tue Apr 09 11:07:02 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Apr 09 11:07:02 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Apr 09 11:07:02 2013 MANAGEMENT: >STATE:1365498422,ASSIGN_IP,,10.8.0.1,
Tue Apr 09 11:07:02 2013 open_tun, tt->ipv6=0
Tue Apr 09 11:07:02 2013 TAP-WIN32 device [LAN-verbinding 4] opened: \\.\Global\{B8E291A0-DB4C-409B-98AC-54F445CB537A}.tap
Tue Apr 09 11:07:02 2013 TAP-Windows Driver Version 9.9 
Tue Apr 09 11:07:02 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.1/255.255.255.252 on interface {B8E291A0-DB4C-409B-98AC-54F445CB537A} [DHCP-serv: 10.8.0.2, lease-time: 31536000]
Tue Apr 09 11:07:02 2013 Sleeping for 10 seconds...
Tue Apr 09 11:07:12 2013 Successful ARP Flush on interface [15] {B8E291A0-DB4C-409B-98AC-54F445CB537A}
Tue Apr 09 11:07:12 2013 MANAGEMENT: >STATE:1365498432,ADD_ROUTES,,,
Tue Apr 09 11:07:12 2013 C:\Windows\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.2
Tue Apr 09 11:07:12 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Tue Apr 09 11:07:12 2013 Route addition via IPAPI succeeded [adaptive]
Tue Apr 09 11:07:12 2013 UDPv4 link local (bound): [undef]
Tue Apr 09 11:07:12 2013 UDPv4 link remote: [undef]
Tue Apr 09 11:07:12 2013 MULTI: multi_init called, r=256 v=256
Tue Apr 09 11:07:12 2013 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Tue Apr 09 11:07:12 2013 IFCONFIG POOL LIST
Tue Apr 09 11:07:12 2013 Initialization Sequence Completed
Tue Apr 09 11:07:12 2013 MANAGEMENT: >STATE:1365498432,CONNECTED,SUCCESS,10.8.0.1,
Tue Apr 09 11:07:12 2013 145.120.193.16:57866 TLS: Initial packet from [AF_INET]145.120.193.16:57866, sid=73e3fdca b5df568a
Tue Apr 09 11:07:12 2013 145.120.193.16:57866 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=NL, ST=Utrecht, L=Utrecht, O=13S, OU=VPN, CN=client1, name=QDK, emailAddress=Quincy@13steps2glory.tk
Tue Apr 09 11:07:12 2013 145.120.193.16:57866 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Tue Apr 09 11:07:12 2013 145.120.193.16:57866 TLS Error: TLS object -> incoming plaintext read error
Tue Apr 09 11:07:12 2013 145.120.193.16:57866 TLS Error: TLS handshake failed
Tue Apr 09 11:07:12 2013 145.120.193.16:57866 SIGUSR1[soft,tls-error] received, client-instance restarting
Tue Apr 09 11:07:24 2013 192.168.1.103:63093 TLS: Initial packet from [AF_INET]192.168.1.103:63093, sid=e3a7553f 65a2368f
Tue Apr 09 11:07:32 2013 192.168.1.103:63094 TLS: Initial packet from [AF_INET]192.168.1.103:63094, sid=591e5d96 04ccca09
Tue Apr 09 11:07:34 2013 192.168.1.103:63095 TLS: Initial packet from [AF_INET]192.168.1.103:63095, sid=7af55978 92a236f0
Tue Apr 09 11:07:36 2013 192.168.1.103:63096 TLS: Initial packet from [AF_INET]192.168.1.103:63096, sid=25d7cb45 5082ba1d
Tue Apr 09 11:07:38 2013 192.168.1.103:63097 TLS: Initial packet from [AF_INET]192.168.1.103:63097, sid=27689da4 002831d8
Tue Apr 09 11:07:40 2013 192.168.1.103:63098 TLS: Initial packet from [AF_INET]192.168.1.103:63098, sid=97e1f6fd aff4a60b
Tue Apr 09 11:07:42 2013 192.168.1.103:63099 TLS: Initial packet from [AF_INET]192.168.1.103:63099, sid=5c315445 3a9f1b69
Tue Apr 09 11:07:44 2013 192.168.1.103:63100 TLS: Initial packet from [AF_INET]192.168.1.103:63100, sid=9cca9364 19a4fb08
Tue Apr 09 11:07:46 2013 192.168.1.103:63101 TLS: Initial packet from [AF_INET]192.168.1.103:63101, sid=09fcaaa0 6cd56255
Tue Apr 09 11:07:48 2013 192.168.1.103:63102 TLS: Initial packet from [AF_INET]192.168.1.103:63102, sid=cff5364c 7da8dfb9
Tue Apr 09 11:07:50 2013 192.168.1.103:63103 TLS: Initial packet from [AF_INET]192.168.1.103:63103, sid=180db0d6 c3c482f2
Tue Apr 09 11:07:52 2013 192.168.1.103:63104 TLS: Initial packet from [AF_INET]192.168.1.103:63104, sid=36be3e64 59b30ca4
Tue Apr 09 11:07:54 2013 192.168.1.103:63105 TLS: Initial packet from [AF_INET]192.168.1.103:63105, sid=3809e237 3080ad58
Tue Apr 09 11:07:56 2013 192.168.1.103:63106 TLS: Initial packet from [AF_INET]192.168.1.103:63106, sid=6ee70dd2 6d97ce01
Tue Apr 09 11:07:58 2013 192.168.1.103:63107 TLS: Initial packet from [AF_INET]192.168.1.103:63107, sid=743c82d5 442262d6
Tue Apr 09 11:08:00 2013 192.168.1.103:63108 TLS: Initial packet from [AF_INET]192.168.1.103:63108, sid=b0785d87 595cb24c
Tue Apr 09 11:08:02 2013 192.168.1.103:63109 TLS: Initial packet from [AF_INET]192.168.1.103:63109, sid=60673625 a9f942cd
Tue Apr 09 11:08:04 2013 192.168.1.103:63110 TLS: Initial packet from [AF_INET]192.168.1.103:63110, sid=b21a9587 8b53c3fb
Tue Apr 09 11:08:06 2013 192.168.1.103:63111 TLS: Initial packet from [AF_INET]192.168.1.103:63111, sid=bf06d817 860fdc20
Tue Apr 09 11:08:08 2013 192.168.1.103:63112 TLS: Initial packet from [AF_INET]192.168.1.103:63112, sid=e6d749b6 414c853e
Tue Apr 09 11:08:10 2013 192.168.1.103:63113 TLS: Initial packet from [AF_INET]192.168.1.103:63113, sid=a3e3d7e6 a199c225
Tue Apr 09 11:08:12 2013 192.168.1.103:63114 TLS: Initial packet from [AF_INET]192.168.1.103:63114, sid=ef134de9 ae2cb055
Tue Apr 09 11:08:14 2013 192.168.1.103:63115 TLS: Initial packet from [AF_INET]192.168.1.103:63115, sid=6c95ba20 d1254878
Tue Apr 09 11:08:16 2013 192.168.1.103:63116 TLS: Initial packet from [AF_INET]192.168.1.103:63116, sid=34872616 5906e00e
Tue Apr 09 11:08:18 2013 192.168.1.103:63117 TLS: Initial packet from [AF_INET]192.168.1.103:63117, sid=f6ebf4d2 e7f28694
Tue Apr 09 11:08:20 2013 192.168.1.103:63118 TLS: Initial packet from [AF_INET]192.168.1.103:63118, sid=1e0071cf 8d84e49e
Tue Apr 09 11:08:22 2013 192.168.1.103:63119 TLS: Initial packet from [AF_INET]192.168.1.103:63119, sid=eefb256d 4d111767
Tue Apr 09 11:08:24 2013 192.168.1.103:63093 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Apr 09 11:08:24 2013 192.168.1.103:63093 TLS Error: TLS handshake failed
Tue Apr 09 11:08:24 2013 192.168.1.103:63093 SIGUSR1[soft,tls-error] received, client-instance restarting
Checking the certs gives an okay for all certs ...

Code:

C:\Program Files\OpenVPN\config>openssl verify -CAfile ca.crt server.crt
server.crt: OK

C:\Program Files\OpenVPN\config>openssl verify -CAfile ca.crt client1.crt
client1.crt: OK

C:\Program Files\OpenVPN\config>openssl verify -CAfile ca.crt client2.crt
client2.crt: OK

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: VERIFY ERROR: depth=1, error=self signed certificate in

Post by maikcat » Tue Apr 09, 2013 10:43 am

Checking the certs gives an okay for all certs ...
where did you check the certs? client or server?

can you please post both configs?

also can you try using version 2.2.2?

Michael.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: VERIFY ERROR: depth=1, error=self signed certificate in

Post by janjust » Tue Apr 09, 2013 11:39 am

you say
init-config
-edit vars.bat-
vars
clean-all
build-ca
build-key-server server
build-key clientx where x corresponds to the client number
build-dh
yet your server cert DN is

Code:

C=NL, ST=UT, L=Utrecht, O=VPN, OU=OU, CN=server, name=NameVPN, emailAddress=kosterkont@hotmail.com
and your client cert DN is

Code:

C=NL, ST=Utrecht, L=Utrecht, O=13S, OU=VPN, CN=client1, name=QDK, emailAddress=Quincy@13steps2glory.tk
(look at the order of the 'O=' terms)
So either you modified the 'vars' file after generating your first cert or you are not using the right client cert or server cert.

I'd recommend regenerating all certs using a community edition of OpenVPN.

HTH,

JJK
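
The DN comparison JJK describes, as an added Python example that is not part of this thread and not OpenVPN or easy-rsa code: it parses the VERIFY lines quoted in the posts above (both the OpenVPN 2.1 slash-separated and the 2.3 comma-separated DN form), attaches a plain-language meaning to the two error strings seen in this thread, and lists which attributes differ between the server and client DNs. The explanation texts and the VARS_FIELDS list (the attributes easy-rsa 2 fills in from the vars file) are assumptions of mine, not something quoted from the project.

```python
"""Triage OpenVPN 'VERIFY' log lines and compare certificate DNs.

Added example for this thread; not OpenVPN project code. It reads raw log
lines such as the ones posted above, parses the VERIFY OK/ERROR entries
(OpenVPN 2.1 '/C=NL/ST=UT/...' and 2.3 'C=NL, ST=UT, ...' DN forms), explains
the two error strings seen in the thread, and reports which DN attributes
differ between two certificates that should come from one easy-rsa 'vars'.
"""
import re

VERIFY_RE = re.compile(
    r"VERIFY (?P<status>OK|ERROR): depth=(?P<depth>\d+)"
    r"(?:, error=(?P<error>[^:]+))?"   # error text ends at the ':' before the DN
    r"[:,]\s*(?P<dn>.+)$"
)

# Meaning of the two verify failures in the thread, from the side that logs them
# (assumed wording, my own reading of the OpenSSL error strings).
EXPLANATIONS = {
    "self signed certificate in certificate chain":
        "the peer's chain ends in a self-signed root that is not in the 'ca' file "
        "this side loaded; the ca.crt path is wrong or points at a different CA",
    "unable to get local issuer certificate":
        "the peer presented a certificate not issued by the CA in this side's 'ca' "
        "file; the peer is shipping a cert from a different (e.g. older) PKI build",
}

# Attributes easy-rsa 2 fills from 'vars' (assumption); CN is per-cert and
# is expected to differ between server and client.
VARS_FIELDS = ("C", "ST", "L", "O", "OU", "name", "emailAddress")


def parse_dn(dn):
    """Return [(attr, value), ...] in certificate order for either DN syntax."""
    dn = dn.strip()
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(", ")
    attrs = []
    for part in parts:
        key, _, value = part.partition("=")
        attrs.append((key.strip(), value.strip()))
    return attrs


def parse_verify_lines(lines):
    """Extract every VERIFY entry that names a certificate depth and DN."""
    entries = []
    for line in lines:
        m = VERIFY_RE.search(line)
        if not m:
            continue   # e.g. 'VERIFY OK: nsCertType=SERVER' carries no DN
        error = m.group("error")
        entries.append({
            "status": m.group("status"),
            "depth": int(m.group("depth")),
            "error": error,
            "dn": dict(parse_dn(m.group("dn"))),
            "explanation": EXPLANATIONS.get(error, "") if error else "",
        })
    return entries


def vars_mismatch(dn_a, dn_b):
    """Attributes (other than CN) whose values differ between two DN dicts.

    A non-empty result means the certs were very likely built with different
    'vars' settings, i.e. probably by different CAs; confirm with
    'openssl verify -CAfile ca.crt <cert>' on the file the peer actually uses.
    """
    return {f: (dn_a.get(f), dn_b.get(f))
            for f in VARS_FIELDS if dn_a.get(f) != dn_b.get(f)}


# Log lines quoted from the posts in this thread (client log 08 Apr, server log 09 Apr).
SAMPLE_LINES = [
    "Mon Apr 08 03:31:06 2013 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: "
    "/C=NL/ST=UT/L=Utrecht/O=VPN/OU=OU/CN=13VPN/name=NameVPN/emailAddress=kosterkont@hotmail.com",
    "Tue Apr 09 08:39:37 2013 VERIFY OK: nsCertType=SERVER",
    "Tue Apr 09 08:39:37 2013 VERIFY OK: depth=0, C=NL, ST=UT, L=Utrecht, O=VPN, OU=OU, CN=server, "
    "name=NameVPN, emailAddress=kosterkont@hotmail.com",
    "Tue Apr 09 11:07:12 2013 145.120.193.16:57866 VERIFY ERROR: depth=0, error=unable to get local "
    "issuer certificate: C=NL, ST=Utrecht, L=Utrecht, O=13S, OU=VPN, CN=client1, name=QDK, "
    "emailAddress=Quincy@13steps2glory.tk",
]


def triage(lines=SAMPLE_LINES):
    """Parse the lines and diff the server cert DN against the client cert DN."""
    entries = parse_verify_lines(lines)
    server = next((e["dn"] for e in entries if e["dn"].get("CN") == "server"), None)
    client = next((e["dn"] for e in entries
                   if e["dn"].get("CN", "").startswith("client")), None)
    if server is None or client is None:
        return entries, {}
    return entries, vars_mismatch(server, client)


if __name__ == "__main__":
    found, diff = triage()
    for e in found:
        print(f"{e['status']} depth={e['depth']} CN={e['dn'].get('CN')} {e['explanation']}")
    for field, (srv, cli) in diff.items():
        print(f"  {field}: server={srv!r} client={cli!r}")
```

Run as a script it prints the three parsed entries and the five attributes (ST, O, OU, name, emailAddress) on which the server and client DNs disagree. Treat the attribute diff as a hint rather than proof, since a CA can legitimately sign certs with differing DN fields; the authoritative check is `openssl verify -CAfile ca.crt client1.crt` run against the cert file the client actually loads (here the copy on the laptop), not the copy sitting in the server's config directory.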

QuincyDK
OpenVpn Newbie
Posts: 10
Joined: Mon Apr 08, 2013 6:56 am

Re: VERIFY ERROR: depth=1, error=self signed certificate in

Post by QuincyDK » Wed Apr 10, 2013 7:02 am

janjust wrote:you say
init-config
-edit vars.bat-
vars
clean-all
build-ca
build-key-server server
build-key clientx where x corresponds to the client number
build-dh
yet your server cert DN is

Code:

C=NL, ST=UT, L=Utrecht, O=VPN, OU=OU, CN=server, name=NameVPN, emailAddress=kosterkont@hotmail.com
and your client cert DN is

Code:

C=NL, ST=Utrecht, L=Utrecht, O=13S, OU=VPN, CN=client1, name=QDK, emailAddress=Quincy@13steps2glory.tk
(look at the order of the 'O=' terms)
So either you modified the 'vars' file after generating your first cert or you are not using the right client cert or server cert.

I'd recommend regenerating all certs using a community edition of OpenVPN.

HTH,

JJK
This indeed was the issue! I had my old certs from a previous attempt (that also failed) on my laptop. I've regenerated this client's certs, and ta-da :D

Now another issue remains. I get a 10.8.x.x IP fine, but I can't ping my internal network (server IP 192.168.1.200, router IP .1.1, other internal clients (ranging from .1.100 to .1.150) are all unreachable over the tunnel).

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: VERIFY ERROR: depth=1, error=self signed certificate in

Post by janjust » Wed Apr 10, 2013 10:46 am

that's a common routing issue; the easiest solution in your setup (Windows server) is to add a route on your LAN router to state that the VPN traffic (10.8/x) needs to go back to the VPN server (the Windows machine).
Without this route your VPN clients will send traffic with a source IP (10.8.0.x) that your LAN does not know (and will thus discard).

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: VERIFY ERROR: depth=1, error=self signed certificate in

Post by maikcat » Wed Apr 10, 2013 10:53 am

Hi there,

Yes, the ca.crt is the same on both server and client(s). That's something I've verified.
This indeed was the issue! I had my old certs from a previous attempt (that also failed) on my laptop. I've regenerated this client's certs, and ta-da :D
usually the problem hides in small details...

Michael.

QuincyDK
OpenVpn Newbie
Posts: 10
Joined: Mon Apr 08, 2013 6:56 am

Re: VERIFY ERROR: depth=1, error=self signed certificate in

Post by QuincyDK » Wed Apr 10, 2013 12:14 pm

maikcat wrote:
Hi there,

Yes, the ca.crt is the same on both server and client(s). That's something I've verified.
This indeed was the issue! I had my old certs from a previous attempt (that also failed) on my laptop. I've regenerated this client's certs, and ta-da :D
usually the problem hides in small details...

Michael.
Hi Michael, it wasn't the CA cert but the client cert :P

Once again thank you both for the wonderful help! :)

QuincyDK
OpenVpn Newbie
Posts: 10
Joined: Mon Apr 08, 2013 6:56 am

Re: VERIFY ERROR: depth=1, error=self signed certificate in

Post by QuincyDK » Mon Apr 15, 2013 8:59 am

janjust wrote: that's a common routing issue; the easiest solution in your setup (Windows server) is to add a route on your LAN router to state that the VPN traffic (10.8/x) needs to go back to the VPN server (the Windows machine).
Without this route your VPN clients will send traffic with a source IP (10.8.0.x) that your LAN does not know (and will thus discard).
Now I've set up my static (advanced) routing like this

Image

However, this does not work. What could be the issue? Server ip: x.200, router x.1...

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: VERIFY ERROR: depth=1, error=self signed certificate in

Post by janjust » Mon Apr 15, 2013 3:10 pm

can you show the routing table with the new routes on the LAN router/gw? ("routing tabel weergeven")

QuincyDK
OpenVpn Newbie
Posts: 10
Joined: Mon Apr 08, 2013 6:56 am

Re: VERIFY ERROR: depth=1, error=self signed certificate in

Post by QuincyDK » Mon Apr 15, 2013 9:14 pm

janjust wrote:can you show the routing table with the new routes on the LAN router/gw? ("routing tabel weergeven")
Hi Jan, it's a pleasure that you speak Dutch ^^

Here is the routing table:

Image

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: VERIFY ERROR: depth=1, error=self signed certificate in

Post by janjust » Tue Apr 16, 2013 1:11 pm

that looks OK; but wait, your server is running on Windows, right? Then you have to enable IP forwarding on the Windows machine; this is most easily done using a registry key

Code:

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter : DWORD = 1
