OpenVPN Support Forum

Hello Community,

I have an Asus RT-AC87R which CLAIMS it run as an OpenVPN Server. I turn it on and export a configuration client.ovpn file that contains this information.


client
dev tun
proto udp
remote DELETED.asuscomm.com 1194
float
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----

DELETED FOR SECURITY

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

DELETED FOR SECURITY

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----

DELETED FOR SECURITY

-----END PRIVATE KEY-----
</key>
resolv-retry infinite
nobind

I take this configuration file "client.ovpn" and copy it into the "config" folder of open VPN.

I then open the ovpn client as an administrator and when the client tries to connect it asks for a Username and Password as it should, and I enter the requested information that I have setup on the server. I then precede to get this error message.

VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

I am totally befuddled by what I am doing wrong. Am I suppose to change the name of the "client.ovpn" file to something else? Such as "(client-name).ovpn"? I am just so lost here, I checked firewalls

On the router/server side this is the error message I get in the system log.

01:45:13 openvpn[8252]: 70.193.209.217:8541 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Aug 30 01:45:13 openvpn[8252]: 70.193.209.217:8541 TLS Error: TLS handshake failed
Aug 30 01:45:13 openvpn[8252]: 70.193.209.217:8541 SIGUSR1[soft,tls-error] received, client-instance restarting
Aug 30 01:45:15 openvpn[8252]: 70.193.209.217:8520 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Aug 30 01:45:15 openvpn[8252]: 70.193.209.217:8520 TLS Error: TLS handshake failed
Aug 30 01:45:15 openvpn[8252]: 70.193.209.217:8520 SIGUSR1[soft,tls-error] received, client-instance restarting
Aug 30 01:45:18 openvpn[8252]: 70.193.209.217:8527 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Aug 30 01:45:18 openvpn[8252]: 70.193.209.217:8527 TLS Error: TLS handshake failed
Aug 30 01:45:18 openvpn[8252]: 70.193.209.217:8527 SIGUSR1[soft,tls-error] received, client-instance restarting

Thank you for taking the time to read this and I eagerly await a response.

How did you create your PKI (ie: your ca, certs & keys) is it done automatically by the router or do you have to upload them from a pc ?

It's SUPPOSE to be done automatically through the router because it exports the .opvn file with all the keys that are pre-generated and based off the configuration set in the router. This is all suppose to be done through a router by the way, not a PC. It should Serve independently of any PC Server tools.

Here is a picture of my routers configuration.

https://www.facebook.com/photo.php?fbid ... =3&theater

Hello I have exactly the same issue only the only way I can get to the stage you are at is that I have to DISABLE Windows Firewall, otherwise it gets stuck at:

OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 4 2015
library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
UDPv4 link local: [undef]
UDPv4 link remote: [AF_INET]2.102.96.180:1194

Just out of interest how did you manage to get it to get to that stage without having to disable windows firewall? Not that it works but I am guessing I must be having more issues than you have if I get the same error messages if I disable windows firewall.

I guess my last post didn't go through.

The router is suppose to generate all the certs and keys for itself independently of the computer and should act as a stand alone Open VPN server, it then generates the client cert as I posted above to insert into the config folder. Here is a screenshot of my server configuration.

https://www.facebook.com/photo.php?fbid ... age_bubble

Sorry for the delay in relying, I don't know if anything is getting through constantly waiting for these Admins to approve the posts. I tried to submit a screenshot of my settings but I guess that is what is prevent the message from getting through.

Regardless the PKI is SUPPOSEDLY generated by the router then a .OPVN config file is exported to be placed in the config folder of the OVPN client to then connect. This router should work independly of a computer as an OVPN server.

It is done automatically through the router. The router acts as an independent OVPN server separate from the computer.

Your client config expects the server to to use Netscape extension to identify it as a server:

Mcatanio wrote:ns-cert-type server

But it looks like the server certificate has not been created with the correct field:

Mcatanio wrote:VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I do not know how Asus RT-AC87R would go about creating the certificates but it looks like you may have made an error creating them.

I am honestly out of ideas, I just generated my own set of keys with Easy RSA and put them into the server and I'm still getting the exact same error.

Tried doing it on my phone also and got the same error after I enter the user name and password.

OpenVPN Server Certificate Verification failed: PolarSSL: SSL read error : X509 - Certificate verification failed, e.g CRL, CA or signature check failed.

I get this message if I create my own key or if i use the servers key.

Funny thing though is this only happens with TLS, if I use a Static Key I think it connects. It doesn't ask for credentials for some reason and I don't think it's on the network because I can't ping anything but it says it connects.

Mcatanio wrote:OpenVPN Server Certificate Verification failed: PolarSSL: SSL read error : X509 - Certificate verification failed, e.g CRL, CA or signature check failed

PolarSSL has some quirks which I am unfamiliar with .. take it out of the equation until you get something working (IE: don't use your phone)

Mcatanio wrote:this only happens with TLS, if I use a Static Key I think it connects

That is because a static key does not implement any SSL/TLS protocols .. don't use it.

Using a PC with OpenVPN installed, try to connect using your full PKI but remove "ns-cert-type server" from the client config .. it will throw a warning but that is not important at this stage.