2.3.3 upgrade problems.

imtrobin
OpenVpn Newbie
Posts: 4
Joined: Thu Nov 01, 2012 8:52 am

2.3.3 upgrade problems.

Post by imtrobin » Tue Apr 29, 2014 10:37 am

Hi,

I've been using 2.2.2 for a long time without problems, so decided to upgrade to 2.3.3 recently. I also installed EasyRSA 3.0 rc1 and decided to recreate the certs. The certs were recreated fine but had a few issues.

1. The server asks for a password when starting. I cannot generate it with a blank password. It means that when I try to run it as a service, it will fail.

2. The new certs keep failing. I'm testing on a local LAN. I tried a couple of times to recreate the certs; it fails. The old certs work fine.

Server log
Tue Apr 29 18:04:59 2014 OpenVPN 2.3.3 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Apr 14 2014
Tue Apr 29 18:04:59 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7505
Tue Apr 29 18:04:59 2014 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Tue Apr 29 18:04:59 2014 Diffie-Hellman initialized with 1024 bit key
Enter Private Key Password:
Tue Apr 29 18:05:04 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Apr 29 18:05:04 2014 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Tue Apr 29 18:05:04 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 29 18:05:04 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 29 18:05:04 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Apr 29 18:05:04 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Apr 29 18:05:04 2014 open_tun, tt->ipv6=0
Tue Apr 29 18:05:04 2014 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{CEFC6C9D-05B0-47F3-8BF4-71B1D2E47AB8}.tap
Tue Apr 29 18:05:04 2014 TAP-Windows Driver Version 9.9
Tue Apr 29 18:05:04 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.1/255.255.255.252 on interface {CEFC6C9D-05B0-47F3-8BF4-71B1D2E47AB8} [DHCP-serv: 10.8.0.2, lease-time: 31536000]
Tue Apr 29 18:05:04 2014 Sleeping for 10 seconds...
Tue Apr 29 18:05:14 2014 Successful ARP Flush on interface [65542] {CEFC6C9D-05B0-47F3-8BF4-71B1D2E47AB8}
Tue Apr 29 18:05:14 2014 C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.2
Tue Apr 29 18:05:14 2014 Route addition via IPAPI succeeded [adaptive]
Tue Apr 29 18:05:14 2014 UDPv4 link local (bound): [undef]
Tue Apr 29 18:05:14 2014 UDPv4 link remote: [undef]
Tue Apr 29 18:05:14 2014 MULTI: multi_init called, r=256 v=256
Tue Apr 29 18:05:14 2014 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Tue Apr 29 18:05:14 2014 IFCONFIG POOL LIST
Tue Apr 29 18:05:15 2014 Initialization Sequence Completed
Tue Apr 29 18:06:36 2014 192.168.0.101:1490 TLS: Initial packet from [AF_INET]192.168.0.101:1490, sid=1bc1984d 3de3e018
Tue Apr 29 18:06:38 2014 192.168.0.101:1491 TLS: Initial packet from [AF_INET]192.168.0.101:1491, sid=80a3b15e 84fdb2ac
Tue Apr 29 18:06:38 2014 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)

Client log

Tue Apr 29 18:06:20 2014 OpenVPN 2.3.3 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Apr 14 2014
Tue Apr 29 18:06:20 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Apr 29 18:06:20 2014 Need hold release from management interface, waiting...
Tue Apr 29 18:06:21 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Apr 29 18:06:21 2014 MANAGEMENT: CMD 'state on'
Tue Apr 29 18:06:21 2014 MANAGEMENT: CMD 'log all on'
Tue Apr 29 18:06:21 2014 MANAGEMENT: CMD 'hold off'
Tue Apr 29 18:06:21 2014 MANAGEMENT: CMD 'hold release'
Tue Apr 29 18:06:25 2014 MANAGEMENT: CMD 'password [...]'
Tue Apr 29 18:06:25 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Apr 29 18:06:25 2014 SIGUSR1[soft,private-key-password-failure] received, process restarting
Tue Apr 29 18:06:25 2014 MANAGEMENT: >STATE:1398765985,RECONNECTING,private-key-password-failure,,
Tue Apr 29 18:06:25 2014 Restart pause, 2 second(s)
Tue Apr 29 18:06:32 2014 MANAGEMENT: CMD 'password [...]'
Tue Apr 29 18:06:32 2014 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Tue Apr 29 18:06:32 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 29 18:06:32 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 29 18:06:32 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Apr 29 18:06:32 2014 UDPv4 link local: [undef]
Tue Apr 29 18:06:32 2014 UDPv4 link remote: [AF_INET]192.168.0.5:11194
Tue Apr 29 18:06:32 2014 MANAGEMENT: >STATE:1398765992,WAIT,,,
Tue Apr 29 18:06:32 2014 MANAGEMENT: >STATE:1398765992,AUTH,,,
Tue Apr 29 18:06:32 2014 TLS: Initial packet from [AF_INET]192.168.0.5:11194, sid=f43d7438 0c7142f5
Tue Apr 29 18:06:33 2014 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Apr 29 18:06:33 2014 VERIFY nsCertType ERROR: CN=ibmserver, require nsCertType=SERVER
Tue Apr 29 18:06:33 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Apr 29 18:06:33 2014 TLS Error: TLS object -> incoming plaintext read error
Tue Apr 29 18:06:33 2014 TLS Error: TLS handshake failed
Tue Apr 29 18:06:33 2014 SIGUSR1[soft,tls-error] received, process restarting
Tue Apr 29 18:06:33 2014 MANAGEMENT: >STATE:1398765993,RECONNECTING,tls-error,,
Tue Apr 29 18:06:33 2014 Restart pause, 2 second(s)

The config files are the same as in 2.2.2.

Server

port 11194
proto udp
dev tun
ca ca.crt
cert ibmserver.crt
key ibmserver.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
max-clients 8
persist-key
persist-tun
status openvpn-status.log
verb 3
tun-mtu  1500
fragment 1415
mssfix 1410
management localhost 7505

Client config

client
dev tun
proto udp
remote  192.168.0.5 11194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
float
tun-mtu  1500
fragment 1415
mssfix 1410
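
An added example (not part of the original post): a small triage script that pairs each client restart in a log like the one above with the first error line that preceded it, so the specific failed check is not buried under the generic TLS errors. The sample input is a constructed subset of the client log lines posted above; the function names are hypothetical.

```python
import re

# Constructed sample: a subset of the client log lines posted above.
SAMPLE_LOG = """\
Tue Apr 29 18:06:25 2014 MANAGEMENT: CMD 'password [...]'
Tue Apr 29 18:06:25 2014 SIGUSR1[soft,private-key-password-failure] received, process restarting
Tue Apr 29 18:06:32 2014 TLS: Initial packet from [AF_INET]192.168.0.5:11194, sid=f43d7438 0c7142f5
Tue Apr 29 18:06:33 2014 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Apr 29 18:06:33 2014 VERIFY nsCertType ERROR: CN=ibmserver, require nsCertType=SERVER
Tue Apr 29 18:06:33 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Apr 29 18:06:33 2014 TLS Error: TLS handshake failed
Tue Apr 29 18:06:33 2014 SIGUSR1[soft,tls-error] received, process restarting
"""

# "Tue Apr 29 18:06:25 2014 <message>" (ctime-style timestamp prefix).
LINE = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} (.*)$")
RESTART = re.compile(r"^SIGUSR1\[\w+,([\w-]+)\] received")
# Lines that can explain a restart: failed VERIFY checks and TLS errors.
CAUSE = re.compile(r"^(VERIFY .*ERROR: .*|TLS_ERROR: .*|TLS Error: .*)$")

def triage(log_text):
    """Return (restart_reason, first_error_before_it) for every restart."""
    restarts, pending = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # prompts such as "Enter Private Key Password:" have no timestamp
        msg = m.group(1)
        if CAUSE.match(msg):
            pending.append(msg)
            continue
        r = RESTART.match(msg)
        if r:
            # The earliest error since the previous restart is the root cause;
            # later TLS errors are consequences of it.
            restarts.append((r.group(1), pending[0] if pending else None))
            pending = []
    return restarts

def failed_check(root):
    """Split 'VERIFY <check> ERROR: <subject>, ...' into (check, subject)."""
    m = re.match(r"VERIFY (\w+) ERROR: (\S+?),", root or "")
    return (m.group(1), m.group(2)) if m else None

if __name__ == "__main__":
    for reason, root in triage(SAMPLE_LOG):
        print(reason, "<-", root, failed_check(root))
```

On the sample, the second restart is attributed to the nsCertType line for CN=ibmserver, which corresponds to the `ns-cert-type server` directive in the client config; the first restart has no preceding error line because the private key password failure is reported only in the restart reason itself.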

imtrobin
OpenVpn Newbie
Posts: 4
Joined: Thu Nov 01, 2012 8:52 am

Re: 2.3.3 upgrade problems.

Post by imtrobin » Tue Apr 29, 2014 4:08 pm

debbie10t wrote: When creating the server cert/key use the easy-rsa script build-key-server server-name

There is no such command in EasyRSA 3; there is only build-server-full, which I used.

imtrobin
OpenVpn Newbie
Posts: 4
Joined: Thu Nov 01, 2012 8:52 am

Re: 2.3.3 upgrade problems.

Post by imtrobin » Wed Apr 30, 2014 2:59 am

I downloaded EasyRSA from GitHub, as suggested on the Download page. It said it is no longer packaged.

https://github.com/OpenVPN/easy-rsa
http://openvpn.net/index.php/open-source/downloads.html

Ok I see there is an optional RSA install, so I will try that instead.

imtrobin
OpenVpn Newbie
Posts: 4
Joined: Thu Nov 01, 2012 8:52 am

Re: 2.3.3 upgrade problems.

Post by imtrobin » Wed Apr 30, 2014 3:20 am

Ok, works now with default rsa install. Thanks!
