Zeroshell 3.0 router: VERIFY nsCertType ERROR
Posted: Sat Apr 16, 2016 6:13 pm
by nulluse
My user is trying to connect via host-to-lan VPN to my Zeroshell 3.0 router.
They are getting the errors as in the log below:
Sat Apr 09 19:32:50 2016 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Apr 09 19:32:50 2016 Re-using SSL/TLS context
Sat Apr 09 19:32:50 2016 LZO compression initialized
Sat Apr 09 19:32:50 2016 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat Apr 09 19:32:50 2016 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:23 ET:32 EL:0 AF:3/1 ]
Sat Apr 09 19:32:50 2016 Local Options hash (VER=V4): '31fdf004'
Sat Apr 09 19:32:50 2016 Expected Remote Options hash (VER=V4): '3e6d1056'
Sat Apr 09 19:32:50 2016 Attempting to establish TCP connection with 216.*.*.24:1194
Sat Apr 09 19:32:50 2016 TCP connection established with 216.*.*.24:1194
Sat Apr 09 19:32:50 2016 TCPv4_CLIENT link local: [undef]
Sat Apr 09 19:32:50 2016 TCPv4_CLIENT link remote: 216.*.*.24:1194
Sat Apr 09 19:32:50 2016 TLS: Initial packet from 216.*.*.24:1194, sid=f2bb5859 336e0bc4
Sat Apr 09 19:32:54 2016 VERIFY OK: depth=1, /C=IT/O=Zeroshell.net/OU=Example/CN=ZeroShell_Example_CA/emailAddress=Fulvio.Ricciardi@zeroshell.net
Sat Apr 09 19:32:54 2016 VERIFY nsCertType ERROR: /OU=Hosts/CN=router.domain.ca, require nsCertType=SERVER
Sat Apr 09 19:32:54 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Apr 09 19:32:54 2016 TLS Error: TLS object -> incoming plaintext read error
Sat Apr 09 19:32:54 2016 TLS Error: TLS handshake failed
Sat Apr 09 19:32:54 2016 Fatal TLS error (check_tls_errors_co), restarting
Sat Apr 09 19:32:54 2016 TCP/UDP: Closing socket
Sat Apr 09 19:32:54 2016 SIGUSR1[soft,tls-error] received, process restarting
Sat Apr 09 19:32:54 2016 Restart pause, 5 second(s)
We followed the instructions at http://www.zeroshell.org/openvpn-client/ and downloaded the sample config file http://www.zeroshell.org/download/zeroshell.ovpn and exported CA.pem file from the router login page. The user placed the config file and CA.pem into the
What are we doing wrong?
Re: VERIFY nsCertType ERROR
Posted: Mon Apr 18, 2016 7:54 pm
by nulluse
What do we need to do to troubleshoot this issue?
Is there anything in the certificate that I should look at?
Re: VERIFY nsCertType ERROR
Posted: Mon Apr 18, 2016 8:23 pm
by Traffic
nulluse wrote:
Sat Apr 09 19:32:54 2016 VERIFY OK: depth=1, /C=IT/O=Zeroshell.net/OU=Example/CN=ZeroShell_Example_CA/emailAddress=Fulvio.Ricciardi@zeroshell.net
Sat Apr 09 19:32:54 2016 VERIFY nsCertType ERROR: /OU=Hosts/CN=router.domain.ca, require nsCertType=SERVER
Sat Apr 09 19:32:54 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I would say that you have not created your server certificate correctly.
Of course .. you have only posted 1 of 4 requirements ..
Please see the Forum rules (top of this page)
nulluse wrote:We followed the instructions at .......
I would also suggest you read the OpenVPN Official HOWTO:
HOWTO: For OpenVPN Community Edition
Re: VERIFY nsCertType ERROR
Posted: Mon Apr 18, 2016 9:00 pm
by nulluse
Sorry, this is too cryptic for me: I posted 1 out of 4... what exactly?
If you are referring to the config file, then it is the one I linked above. The only difference of the actual file used is the external IP of the router box.
If you are referring to our certificate, then this is exactly what I am asking: what specifically in the certificate should I look at? The certificate is large and has lots of info. Posting it entirely for the world to see would defeat the purpose of VPN as anyone would be able to connect using that cert. So I have to post something from the cert, but don't know which parts. Do you agree?
You have pointed me at a 41 page document which I may not be able to follow, as it talks about running command-line tools, whereas in Zeroshell I only have a link on the log in page to download a CA.pem file that is generated when Zeroshell starts up for the 1st time.
Re: VERIFY nsCertType ERROR
Posted: Mon Apr 18, 2016 11:19 pm
by Traffic
Traffic wrote:Of course .. you have only posted 1 of 4 requirements ..
Please see the Forum rules (top of this page)
nulluse wrote:Sorry, this is too cryptic for me: I posted 1 out of 4... what exactly?
The rules are there to save this sort of banta ..
I suggest you read the EasyRSA README (included with easyrsa)
Re: VERIFY nsCertType ERROR
Posted: Mon Apr 18, 2016 11:38 pm
by nulluse
Traffic wrote:Traffic wrote:Of course .. you have only posted 1 of 4 requirements ..
Please see the Forum rules (top of this page)
nulluse wrote:Sorry, this is too cryptic for me: I posted 1 out of 4... what exactly?
The rules are there to save this sort of banta ..
I suggest you read the EasyRSA README (included with easyrsa)
This was very rude and totally uncalled for.
Re: VERIFY nsCertType ERROR
Posted: Mon Apr 18, 2016 11:48 pm
by Traffic
Give a man a fish .. vs .. teach a man to fish ..

Re: VERIFY nsCertType ERROR
Posted: Tue Apr 19, 2016 12:30 pm
by Traffic
There are two ways to designate a certificate as a server:
- nscerttype server (deprecated)
- remote-cert-tls server
There may be more but these are documented by EasyRSA .. so read the README/vars file for EasyRSA
I suspect you are using the wrong designation in your config. (which you have not posted)
Re: VERIFY nsCertType ERROR
Posted: Tue Apr 19, 2016 1:26 pm
by nulluse
Traffic wrote:There are two ways to designate a certificate as a server:
- nscerttype server (deprecated)
- remote-cert-tls server
There may be more but these are documented by EasyRSA .. so read the README/vars file for EasyRSA
I suspect you are using the wrong designation in your config. (which you have not posted)
Thanks for the tip, but the last part is not true.
There is a link in the original post:
http://www.zeroshell.org/download/zeroshell.ovpn
The Zeroshell users are only supposed to change the server IP address as per the 1st link in the original post. That is what we have done.
Re: VERIFY nsCertType ERROR
Posted: Tue Apr 19, 2016 1:49 pm
by Traffic
Sorry .. I am not debugging Zeroshell tutorials .. I suggest you ask on Zeroshell Forum ..
Regards
Re: VERIFY nsCertType ERROR
Posted: Tue Apr 19, 2016 1:50 pm
by nulluse
The certificate seems to have netscape server purpose included.
Is that what you are talking about?
Is that certificate not good to be used with OpenVpn?
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
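An added example, not part of the thread: the two designations listed earlier are checked against two different certificate extensions, and this shell function reads `openssl x509 -noout -text` output and reports which of the two client-side checks the certificate could satisfy. The function name `server_designation` is hypothetical and the sample excerpts are constructed; it looks only at the Netscape Cert Type and Extended Key Usage extensions.

```bash
#!/usr/bin/env bash
# Added example: which client-side server check can a certificate satisfy?
# Input on stdin is the text form of the certificate, for instance:
#   openssl x509 -in server.pem -noout -text | server_designation
# server_designation is a hypothetical helper name, not an OpenVPN tool.

server_designation() {
    local text ns eku result=""
    text=$(cat)
    # openssl prints an extension's value on the line after its name.
    ns=$(printf '%s\n' "$text" | grep -A1 'Netscape Cert Type:' | tail -n 1)
    eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage:' | tail -n 1)
    # ns-cert-type server needs the Netscape extension with "SSL Server".
    case "$ns" in *"SSL Server"*) result="ns-cert-type" ;; esac
    # remote-cert-tls server needs the serverAuth extended key usage.
    case "$eku" in
        *"TLS Web Server Authentication"*) result="${result:+$result,}remote-cert-tls" ;;
    esac
    printf '%s\n' "${result:-none}"
}

# Constructed excerpts of `openssl x509 -noout -text` output (not from the thread).
SAMPLE_NS_ONLY='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server'
SAMPLE_EKU_ONLY='        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment'
SAMPLE_NEITHER='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE'

for sample in "$SAMPLE_NS_ONLY" "$SAMPLE_EKU_ONLY" "$SAMPLE_NEITHER"; do
    printf '%s\n' "$sample" | server_designation
done
```

OpenSSL's `-purpose` listing answers Yes for a purpose when the corresponding extension is absent, so that listing does not show whether the Netscape Cert Type extension is actually present; the `-text` output does.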
Re: VERIFY nsCertType ERROR
Posted: Tue Apr 19, 2016 1:52 pm
by nulluse
Traffic wrote:Sorry .. I am not debugging Zeroshell tutorials .. I suggest you ask on Zeroshell Forum ..
Regards
No one ever asked you to debug a Zeroshell tutorial. I never even posted a link to one.
Here's a config I am using, here's OpenVpn error log - I was asking what specifically was OpenVpn not happy about.
Re: Zeroshell 3.0 router: VERIFY nsCertType ERROR
Posted: Tue Apr 19, 2016 1:59 pm
by Traffic
nulluse wrote:No one ever asked you to debug a Zeroshell tutorial. I never even posted a link to one.
On my HD monitor that Tutorial runs to about 12 pages.
nulluse wrote:The certificate seems to have netscape server purpose included.
Traffic wrote:There are two ways to designate a certificate as a server:
- --ns-cert-type server (deprecated)
- --remote-cert-tls server
See --those options in The Manual v23x
Good luck.
Re: Zeroshell 3.0 router: VERIFY nsCertType ERROR
Posted: Tue Apr 19, 2016 2:15 pm
by nulluse
The user is running OpenVPN GUI. Is OpenVpn GUI using those parameters by default?
Re: Zeroshell 3.0 router: VERIFY nsCertType ERROR
Posted: Thu Apr 21, 2016 8:21 pm
by nulluse
Never mind! This was resolved by making some changes to the server configuration.
The error message was very misleading as there was nothing wrong with the certificate or config file.
Re: Zeroshell 3.0 router: VERIFY nsCertType ERROR
Posted: Mon Sep 04, 2017 10:08 pm
by bonne
Which changes did you make? I am getting this error when connecting MAC clients with Tunnelblick, but not when using OpenVPN client on Windows.
Server cert was built with ./easyrsa build-server-full <servername> nopass
Regards, LArs.
Re: Zeroshell 3.0 router: VERIFY nsCertType ERROR
Posted: Tue Sep 05, 2017 12:26 pm
by TinCanTech