Difficulty creating unified .ovpn file from certs

Posted: Tue Dec 01, 2015 3:22 am
by starlessblack
Netgear recently released a firmware update with smartphone (iOS & Android) support for the built-in OpenVPN server. I was able to successfully download and install the .ovpn, ca, client and key certs from my router onto my iOS devices via the iTunes app file transfer.

What I’ve been unsuccessful with, however, is creating a unified .ovpn file that contains the three certs embedded directly in the .ovpn text. Netgear even provides some guidance on this in the form of a KB article (https://kb.netgear.com/app/answers/deta ... ZDbQ%3D%3D), which I used in addition to the OpenVPN iOS FAQ. But when I transfer the unified .ovpn file to the iOS devices, I’m getting a PolarSSL error regarding certificate verification (validation?) failure. Being new to OpenVPN, I’m not sure what this means, but it would almost sound as though OpenVPN is doing some check of my ca.crt against a database of known trusted certificate authorities.

Can anyone shed some light on this for me? Thank you very much.

Re: Difficulty creating unified .ovpn file from certs

Posted: Tue Dec 01, 2015 7:33 pm
by Traffic
starlessblack wrote: it would almost sound as though OpenVPN is doing some check of my ca.crt against a database of known trusted certificate authorities
Please post your log file.

Re: Difficulty creating unified .ovpn file from certs

Posted: Wed Dec 02, 2015 1:50 am
by starlessblack
015-12-01 20:37:18 VERIFY FAIL CERT_NOT_TRUSTED : depth=1
cert. version    : 3
serial number    : routerserialnumber
issuer name      : C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@netgear.com
subject name      : C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@netgear.com
issued  on        : 2015-08-13 19:35:30
expires on        : 2025-08-10 19:35:30
signed using      : RSA with MD5
RSA key size      : 1024 bits
basic constraints : CA=true

2015-12-01 20:37:18 VERIFY OK: depth=0
cert. version    : 3
serial number    : 01
issuer name      : C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@netgear.com
subject name      : C=TW, ST=TW, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@netgear.com
issued  on        : 2015-08-13 19:35:33
expires on        : 2025-08-10 19:35:33
signed using      : RSA with MD5
RSA key size      : 1024 bits
basic constraints : CA=false
cert. type        : SSL Server

2015-12-01 20:37:18 Transport Error: PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
2015-12-01 20:37:18 EVENT: CERT_VERIFY_FAIL PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed [ERR]
2015-12-01 20:37:18 EVENT: DISCONNECTED
2015-12-01 20:37:18 Raw stats on disconnect:
 BYTES_IN : 2226
 BYTES_OUT : 524
 PACKETS_IN : 21
 PACKETS_OUT : 21
 SSL_ERROR : 1
 CERT_VERIFY_FAIL : 1
2015-12-01 20:37:18 Performance stats on disconnect:
 CPU usage (microseconds): 31968
 Network bytes per CPU second: 86023
 Tunnel bytes per CPU second: 0
2015-12-01 20:37:18 EVENT: DISCONNECT_PENDING
2015-12-01 20:37:18 ----- OpenVPN Stop -----
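
An added example, not part of the original post: a small parser for the certificate dump format in the log above that reports, per chain depth, the verify result and flags MD5-family or SHA-1 signatures and RSA keys under 2048 bits, all long deprecated for X.509. The sample lines are copied from the log; the function names, the hash list and the 2048-bit threshold are choices of this example.

```python
import re

# Lines copied from the log posted above; nothing here is newly captured.
SAMPLE_LOG = """\
015-12-01 20:37:18 VERIFY FAIL CERT_NOT_TRUSTED : depth=1
signed using      : RSA with MD5
RSA key size      : 1024 bits
basic constraints : CA=true

2015-12-01 20:37:18 VERIFY OK: depth=0
signed using      : RSA with MD5
RSA key size      : 1024 bits
basic constraints : CA=false

2015-12-01 20:37:18 EVENT: DISCONNECTED
"""

HEAD_RE = re.compile(r"VERIFY (OK|FAIL)\s*(\w*)\s*:\s*depth=(\d+)")
FIELD_RE = re.compile(r"^([A-Za-z. ]+?)\s*:\s*(.*)$")
WEAK_HASHES = ("MD2", "MD4", "MD5", "SHA1")  # list chosen for this example


def parse_chain(log):
    """Return one dict per certificate dump, in the order the log lists them."""
    certs, cur = [], None
    for line in log.splitlines():
        head = HEAD_RE.search(line)
        if head:
            cur = {"result": head.group(1), "reason": head.group(2),
                   "depth": int(head.group(3))}
            certs.append(cur)
        elif not line.strip():
            cur = None  # a blank line ends the current dump
        elif cur is not None:
            field = FIELD_RE.match(line)
            if field:
                cur[field.group(1).strip()] = field.group(2).strip()
    return certs


def weaknesses(cert, min_rsa_bits=2048):
    """List deprecated properties of one parsed certificate."""
    found = []
    alg = cert.get("signed using", "")
    if any(h in alg.upper().replace("-", "") for h in WEAK_HASHES):
        found.append("weak signature hash: " + alg)
    bits = re.match(r"\d+", cert.get("RSA key size", ""))
    if bits and int(bits.group()) < min_rsa_bits:
        found.append("RSA key below %d bits: %s" % (min_rsa_bits, bits.group()))
    return found
```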

Re: Difficulty creating unified .ovpn file from certs

Posted: Wed Dec 02, 2015 7:50 pm
by starlessblack
I guess each post you make on these forums has to be approved by a moderator, so that's why there's a delay in submission to post?

Re: Difficulty creating unified .ovpn file from certs

Posted: Wed Dec 02, 2015 8:49 pm
by markn62
Include the items below in a single txt file named *.ovpn.

client configs
<ca>
-----BEGIN CERTIFICATE-----
ks#lf9OAS9f8...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
eus&l3(23kv*...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xs%id8@nd~...
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static Key V1-----
uxld6$le8&...
-----END OpenVPN Static Key V1-----
</tls-auth>
key-direction 1
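
An added example, not part of the original post and not Netgear's or OpenVPN's own tooling: one way to generate the unified layout shown above from a base client config and the three separate files, dropping the `ca`/`cert`/`key` file directives and keeping only the PEM block from each file. It assumes a server without tls-auth, so only three inline blocks are written; the sample config, the `vpn.example.net` remote and the base64 bodies are constructed placeholders.

```python
import re

# Constructed sample inputs; the base64 bodies are placeholders, not real keys.
SAMPLE_BASE = """client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.crt
cert client.crt
key client.key
"""
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nQ0EgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
# Some tools write a human-readable dump before the PEM block; it must not be embedded.
SAMPLE_CERT = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
               "-----BEGIN CERTIFICATE-----\r\nQ0VSVCBQTEFDRUhPTERFUg==\r\n"
               "-----END CERTIFICATE-----\r\n")
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nS0VZIFBMQUNFSE9MREVS\n-----END PRIVATE KEY-----\n"

FILE_DIRECTIVES = ("ca", "cert", "key")  # replaced by inline blocks
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----",
                    re.DOTALL)


def pem_block(text, allowed_labels):
    """Return the first PEM block in text, normalised to LF line endings."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    if m.group(1) not in allowed_labels:
        raise ValueError("unexpected PEM type: " + m.group(1))
    return m.group(0).replace("\r\n", "\n")


def build_unified(base_conf, ca_pem, cert_pem, key_pem):
    """Merge a base client config and three PEM files into one .ovpn text."""
    kept = [ln.rstrip() for ln in base_conf.splitlines()
            if not (ln.split() and ln.split()[0] in FILE_DIRECTIVES)]
    certs = {"CERTIFICATE"}
    keys = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
    out = "\n".join(kept).strip() + "\n"
    for tag, text, labels in (("ca", ca_pem, certs), ("cert", cert_pem, certs),
                              ("key", key_pem, keys)):
        out += "<%s>\n%s\n</%s>\n" % (tag, pem_block(text, labels), tag)
    return out


if __name__ == "__main__":
    print(build_unified(SAMPLE_BASE, SAMPLE_CA, SAMPLE_CERT, SAMPLE_KEY))
```

The resulting file contains the client private key, so it needs the same handling as the separate .key file.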

Re: Difficulty creating unified .ovpn file from certs

Posted: Wed Dec 02, 2015 10:21 pm
by starlessblack
I guess each post I make has to be approved by a mod? That must be why these are taking so long to post?
Anyway, here's the log:

015-12-01 20:37:18 VERIFY FAIL CERT_NOT_TRUSTED : depth=1
cert. version    : 3
serial number    : routerserialnumber
issuer name      : C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@netgear.com
subject name      : C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@netgear.com
issued  on        : 2015-08-13 19:35:30
expires on        : 2025-08-10 19:35:30
signed using      : RSA with MD5
RSA key size      : 1024 bits
basic constraints : CA=true

2015-12-01 20:37:18 VERIFY OK: depth=0
cert. version    : 3
serial number    : 01
issuer name      : C=TW, ST=TW, L=Taipei, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@netgear.com
subject name      : C=TW, ST=TW, O=netgear, OU=netgear, CN=netgear, emailAddress=mail@netgear.com
issued  on        : 2015-08-13 19:35:33
expires on        : 2025-08-10 19:35:33
signed using      : RSA with MD5
RSA key size      : 1024 bits
basic constraints : CA=false
cert. type        : SSL Server

2015-12-01 20:37:18 Transport Error: PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
2015-12-01 20:37:18 EVENT: CERT_VERIFY_FAIL PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed [ERR]
2015-12-01 20:37:18 EVENT: DISCONNECTED
2015-12-01 20:37:18 Raw stats on disconnect:
 BYTES_IN : 2226
 BYTES_OUT : 524
 PACKETS_IN : 21
 PACKETS_OUT : 21
 SSL_ERROR : 1
 CERT_VERIFY_FAIL : 1
2015-12-01 20:37:18 Performance stats on disconnect:
 CPU usage (microseconds): 31968
 Network bytes per CPU second: 86023
 Tunnel bytes per CPU second: 0
2015-12-01 20:37:18 EVENT: DISCONNECT_PENDING
2015-12-01 20:37:18 ----- OpenVPN Stop -----

Re: Difficulty creating unified .ovpn file from certs

Posted: Thu Dec 03, 2015 2:56 am
by starlessblack
markn62 wrote: Include the items below in a single txt file named *.ovpn.
<tls-auth>
-----BEGIN OpenVPN Static Key V1-----
uxld6$le8&...
-----END OpenVPN Static Key V1-----
</tls-auth>
key-direction 1
When I download the VPN certs and .ovpn file from the router, there is no OpenVPN static key, and their paltry documentation never makes mention of one, nor does their .ovpn file have any tls-auth or key-direction fields in it. Color me baffled.