Error--profile doesn't include a client certificate

Official client software for OpenVPN Access Server and OpenVPN Cloud.
jcarerra
OpenVPN Power User
Posts: 50
Joined: Sat Jan 24, 2015 3:26 am

Error--profile doesn't include a client certificate

Post by jcarerra » Sat Jan 24, 2015 3:46 am

When using OpenVPN Connect, after successfully importing the profile, I get this pop-up:
"This profile doesn't include a client certificate. Continue connecting without a certificate or select one from the Android keychain?"

The ovpn looks like this

client
dev tun
proto udp
remote --ip address and port here--
float
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
--removed--
-----END CERTIFICATE-----
</ca>
resolv-retry infinite
nobind

I have options then to continue or to select from Android keychain. One time, selecting continue seemed to go on through to connection (though as a neophyte I wonder how it ran without a certificate!), but some other times it has failed.

Since the ovpn clearly has the ca in it, just what is it that is missing? And where do I put it on the Android device?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Error--profile doesn't include a client certificate

Post by Traffic » Sat Jan 24, 2015 4:52 pm

Is this for use with #1: your own private VPN server .. or #2: a public VPN provider ?

If:
  • #1: please post full server config ..
  • #2: you will need to search the help files of the provider ..

Post by jcarerra » Sat Jan 24, 2015 5:53 pm

Traffic wrote:
Is this for use with #1: your own private VPN server .. or #2: a public VPN provider ?
If:
  • #1: please post full server config ..
  • #2: you will need to search the help files of the provider ..

1. Using OpenVPN server in ASUS router RT-AC66R, flashed with Merlin's latest firmware.

With that, "we" never mess with the server config. Options are set in the VPN tab (would attach a pic, but don't see a control to do that). Usernames and passwords are created there in the router VPN interface. Then an export button is pushed that creates a client1.ovpn file that is placed in client directory (for laptops) or imported into OpenVPN Connect android app.
Here is the client ovpn...
client
dev tun
proto udp
remote ipaddress and port <<<here
float
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
----deleted----
-----END CERTIFICATE-----
</ca>
resolv-retry infinite
nobind

2. Have done that. Think I've done all said in those.

I believe the line in the options that says "Username/password Auth. Only" means that it is creating a config that runs without encryption! And that is the reason no procedures for creating cert and key files are covered.

Post by jcarerra » Mon Jan 26, 2015 12:21 am

Traffic wrote:
Is this for use with #1: your own private VPN server .. or #2: a public VPN provider ?
If:
  • #1: please post full server config ..
  • #2: you will need to search the help files of the provider ..

I previously entered a reply to the above and received the "in moderation" notice--but it never appeared???

Now I am on to other issues that have cropped up...
The situation I described (the notice about there being no client certificate, which was true) was essentially ignored, and successful connect was achieved (for a while) -- so my conclusion is that while it was working, I had an unencrypted VPN tunnel running since there was no client cert or key anywhere I saw (not inside the client ovpn nor referenced there as files client.crt, client.key).

The problem now though is that the connection no longer will establish due to a TLS error. The log shows the non-connect is due to TLS issue...
192.168.0.227:39125 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
192.168.0.227:39125 TLS Error: TLS handshake failed

I have no idea why this has happened as when it first presented, I had changed nothing. Since then, I have rebooted router. I have deleted everything on the tablet client, including the OpenVPN Connect app, and reinstalled it all--same problem persists. Done multiple times. Oh, the same ovpn in an OpenVPN config on a laptop still works connecting from the same net being vpn'ed into (on the router/wifi that hosts the vpn server). I am stymied.

LATER: I continued to try to re-establish the initial success, trying to start from scratch and re-create it all just as I originally did, but I get nothing but the same error every time.

Any ideas? And does anybody know how to 'see' the config file the server in the router is using?

Post by Traffic » Mon Feb 09, 2015 12:16 pm

jcarerra wrote:
192.168.0.227:39125 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
192.168.0.227:39125 TLS Error: TLS handshake failed

This is 99.99% a Firewall blocking you from connecting.

Post by jcarerra » Mon Feb 09, 2015 3:24 pm

I switched to a full certificate and key based VPN, and now it connects.

Post by jcarerra » Fri Feb 20, 2015 4:57 pm

jcarerra wrote:
I switched to a full certificate and key based VPN, and now it connects.

..and suddenly, it doesn't.

Wow. This is hard. Analyzing problems seems ever so difficult (impossible so far).
Error in server log is
Feb 20 11:47:31 openvpn[24029]: Authenticate/Decrypt packet error: packet HMAC authentication failed

but why? I haven't changed any certificates or keys!

I will post a client config ovpn (typical of all three I use)
-------------------------------
client
dev tun
proto udp
remote 50.88.131.153 1194
float
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
MIID...bVuaz140=
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIID...JptLJAw==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIC...SzaAiY
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
458457...a743
-----END OpenVPN Static key V1-----
</tls-auth>
resolv-retry infinite
nobind

key-direction bidirectional
route 0.0.0.0 0.0.0.0 vpn_gateway
dhcp-option DNS 192.168.0.1
dhcp-option DNS 192.168.0.1
dhcp-option DOMAIN google.com
-------------------------------

Post by jcarerra » Fri Feb 20, 2015 5:30 pm

AND THERE IS NO EDIT NOR A DELETE FUNCTION
GOOD GRIEF.

Post by Traffic » Fri Feb 20, 2015 7:24 pm

jcarerra wrote:
AND THERE IS NO EDIT NOR A DELETE FUNCTION
GOOD GRIEF.

Thank the Spam Monkeys for this ...

jcarerra wrote:
key-direction bidirectional

Where did you get "bidirectional" from ?

Try:

key-direction 1 # For the client config

key-direction 0 # For the server config

Post by jcarerra » Fri Feb 20, 2015 7:50 pm

jcarerra wrote:
key-direction bidirectional
Where did you get "bidirectional" from ?

From one of the 30 or so places I read when trying to get it all to work. Could never find one that described setups for MY situation--server in ASUS router using OpenVPN server built into Merlin firmware load. As you read, you find config after config that people say "this worked for me." And an inability to directly write lines into the server config (see below).

bidirectional did work, until my last try to connect a few days ago--when something had gone astray.

I do not get to see the server ovpn file. There is a GUI screen with selections to make. Some of them no doubt determine what goes into server config, some no doubt what goes into client config (which it exported as a file, and it CAN be edited before placing into client), and some which no doubt affect lines in both. Bidirectional DID work, and if I change it now (the GUI selection which can be bi, 0 or 1), I won't know if I've fixed the original stopper or if THIS CHANGE is "not set quite right."

If I change that line in the GUI, I don't know what it is doing--is it setting the server ovpn to x and client file to y? or both to what I put into that GUI? or what? Unknown.

Since bidirectional worked and has not been changed, I'd rather not tinker with it until I find what killed a working configuration. Obviously I changed something, but it is not in my head that I did. I do know that 'bidirectional' is still in the GUI and in the client ovpn's, so that for sure has not changed.

Post by jcarerra » Fri Feb 20, 2015 8:36 pm

Found something else in the server log while running tries...
"Feb 20 15:15:23 openvpn[25141]: RESOLVE: Cannot resolve host address: net_gateway&#-17;&#-69;&#-65;: Name or service not known
Feb 20 15:15:23 openvpn[25141]: OpenVPN ROUTE: failed to parse/resolve route for host/network: remote_host"

This likely is coming from an entry in the "custom configuration" section of the VPN setup GUI, and I assume it is simply putting these lines into the server config file, which cannot be directly edited.

push "dhcp-option DNS 192.168.0.1"
route remote_host 255.255.255.255 net_gateway&#-17;&#-69;&#-65;

Again, these came from my MANY readings and someone saying, when I put these in, it worked--and it had been working for me. But the log now is showing an objection.

I have no idea what that config line does.

I would add that testing changes to see if they solve the problem is a very slow process as I have to leave the house when I make a change and go to a foreign, public wifi to try. When my config was working, it still would never connect to my home VPN when "on" the home wifi, but ALWAYS connected when on a foreign wifi--though some of them were slow.

Post by jcarerra » Fri Feb 20, 2015 9:06 pm

I am inundating myself..

The server is exporting the client ovpn with this section..

<secret>
-----BEGIN OpenVPN Static key V1-----
4584...a743
-----END OpenVPN Static key V1-----
</secret>

But in my configs, I have
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
4584...743
-----END OpenVPN Static key V1-----
</tls-auth>

I assume that I went to the "tls-auth" header when I changed to a full cert and key based setup. I should point out that it WAS working with it as I have it; I am just confused why the server GUI outputs the file with a different header. There is SOoooo much about this I do not understand.

Can you confirm that it should be "tls-auth" and not "secret" as the GUI is exporting?
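
An added example, not part of any post in this thread and not OpenVPN or router firmware code: a small Python check for the profile issues raised above (no inline client cert/key, a static-key `<secret>` block in a `client` profile, a `key-direction` other than the `1` suggested in the reply, and invisible characters such as the one the server log prints as `&#-17;&#-69;&#-65;`). The function name, finding codes and sample profile are constructed for illustration.

```python
import re

# Constructed sample modelled on the profiles posted in this thread; key
# material is elided and the remote host is a placeholder.
SAMPLE_PROFILE = """client
remote vpn.example.invalid 1194
auth-user-pass
<ca>
(certificate elided)
</ca>
<secret>
(static key elided)
</secret>
key-direction bidirectional
route remote_host 255.255.255.255 net_gateway\ufeff
"""


def lint_profile(text):
    """Return (code, message) findings for an OpenVPN client profile."""
    findings, blocks, opts, inside = [], set(), {}, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inside:  # skip payload lines until the matching closing tag
            inside = None if line == f"</{inside}>" else inside
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:
            blocks.add(inside := tag.group(1))
            continue
        # Bytes 0xEF 0xBB 0xBF (shown in the log as &#-17;&#-69;&#-65;) are a
        # UTF-8 byte-order mark; once decoded it is the invisible U+FEFF.
        hidden = [f"U+{ord(c):04X}" for c in raw if not (c == "\t" or " " <= c <= "~")]
        if hidden:
            findings.append(("hidden-char", f"line {n}: {' '.join(hidden)}"))
        if line and line[0] not in "#;":
            name, *args = line.split()
            opts[name] = args
    have = blocks | set(opts)
    if not {"cert", "key"} <= have:
        findings.append(("no-client-cert", "no cert/key: client presents no certificate"))
    if "secret" in have and have & {"client", "tls-client"}:
        findings.append(("mode-conflict", "static-key 'secret' in a TLS client profile"))
    if "key-direction" in opts and opts["key-direction"] != ["1"]:
        findings.append(("key-direction", "reply in this thread suggests 1 on the client"))
    return findings


if __name__ == "__main__":
    for code, message in lint_profile(SAMPLE_PROFILE):
        print(f"{code}: {message}")
```
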
