OpenVPN Support Forum

I have an OpenVPN server running on my EdgeRouter and can connect to it using both Android and IOS OpenVPN clients without any problem. I cannot however connect to it using the Windows OpenVPN client on my Windows 10 computer. Note I'm using the same set of .ovpn and cert files on all three platforms: Android, IOS and Windows. For the Windows OpenVPN client, the OpenVPN server log shows there is an initial attempt to connect but nothing else gets through after that until a retry (again and again) by the client. Below is what shows in the Windows OpenVPN client log. This error repeats itself with each retry by the Windows OpenVPN client. I have also tried both versions 2.5.0 and 2.5.5 of the Windows OpenVPN Client and they both result in the same errors. Any helps will be appreciated.

022-01-17 16:48:04 OpenVPN 2.5.5 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 15 2021
2022-01-17 16:48:04 Windows version 10.0 (Windows 10 or greater) 64bit
2022-01-17 16:48:04 library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
2022-01-17 16:48:04 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-17 16:48:04 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-17 16:48:04 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.80.1:443
2022-01-17 16:48:04 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-01-17 16:48:04 UDP link local: (not bound)
2022-01-17 16:48:04 UDP link remote: [AF_INET]192.168.80.1:443
2022-01-17 16:48:04 TLS: Initial packet from [AF_INET]192.168.80.1:443, sid=1f7147dd d20d449a
2022-01-17 16:48:04 VERIFY OK: <!!! MY OPENVPN SERVER CERT DN IS SHOWING HERE - REMOVED BEFORE POSTING LOG FILE !!!>
2022-01-17 16:48:04 Certificate does not have key usage extension
2022-01-17 16:48:04 VERIFY KU ERROR
2022-01-17 16:48:04 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2022-01-17 16:48:04 TLS_ERROR: BIO read tls_read_plaintext error
2022-01-17 16:48:04 TLS Error: TLS object -> incoming plaintext read error
2022-01-17 16:48:04 TLS Error: TLS handshake failed
2022-01-17 16:48:04 SIGUSR1[soft,tls-error] received, process restarting
2022-01-17 16:48:04 Restart pause, 5 second(s)

atranmisc wrote: ↑

Mon Jan 17, 2022 10:17 pm

2022-01-17 16:48:04 Certificate does not have key usage extension
2022-01-17 16:48:04 VERIFY KU ERROR

Your server certificate is not suitable for OpenVPN 2.5.5

TinCanTech wrote: ↑

Mon Jan 17, 2022 10:41 pm

atranmisc wrote: ↑

Mon Jan 17, 2022 10:17 pm

2022-01-17 16:48:04 Certificate does not have key usage extension
2022-01-17 16:48:04 VERIFY KU ERROR

Your server certificate is not suitable for OpenVPN 2.5.5

I did try with OpenVPN 2.5.0 and got the same errors. I generally don't like to run an older software version but liked to check and confirm as I don't have problem with my Android and IOS clients. Is there anything you can suggest for me to check regarding my server cert? What "key usage extension" is it expecting? Do you know of an older version of the Windows OpenVPN Client that does NOT care about usage extension for me to test out - just for the purpose of checking before I remake my server cert? Thanks.

Paste your client config (without the certs and keys).

Also see viewtopic.php?f=30&t=22603#p68963

TinCanTech wrote: ↑

Mon Jan 17, 2022 11:26 pm

Paste your client config (without the certs and keys).

Also see viewtopic.php?f=30&t=22603#p68963

Please see my OpenVPN server and client config files below. Let me know if you still need me to send verb 4 log as indicated in the other post. The only difference in the Windows vs Android/IOS configurations is the addition of the askpass entry in the .ovpn file. I add askpass to the Windows .ovpn file as I don't know where else to provide/type it in otherwise. Thanks again.

** SERVER **
description openvpn
mode server
openvpn-option --persist-key
openvpn-option --persist-tun
openvpn-option "--keepalive 10 120"
openvpn-option "--user nobody"
openvpn-option "--group nogroup"
openvpn-option "--cipher AES-256-CBC"
openvpn-option "--auth SHA256"
openvpn-option "--port 443"
openvpn-option "--tls-auth /config/auth/ta.key 0"
openvpn-option --tls-server
openvpn-option "--proto udp"
openvpn-option "--ifconfig-pool-persist ipp.txt"
openvpn-option "--mute 10"
openvpn-option "--dev vtun0"
server {
name-server 192.168.80.1
subnet 10.8.0.0/24
}
tls {
ca-cert-file /config/auth/cacert.pem
cert-file /config/auth/server.pem
dh-file /config/auth/dh.pem
key-file /config/auth/server.key
}

** CLIENT **
client
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA256
dev tun
proto udp
redirect-gateway def1
key-direction 1
remote 192.168.80.1 443
remote-cert-tls server
resolv-retry infinite
nobind
float
auth-nocache
persist-key
persist-tun
verb 4
askpass "C:\\Program Files\\OpenVPN\\config-auto\\pass.txt"
ca "C:\\Program Files\\OpenVPN\\config-auto\\cacert.pem"
cert "C:\\Program Files\\OpenVPN\\config-auto\\atran.pem"
key "C:\\Program Files\\OpenVPN\\config-auto\\atran_pw.key"
tls-auth "C:\\Program Files\\OpenVPN\\config-auto\\ta.key" 1

atranmisc wrote: ↑

Tue Jan 18, 2022 1:52 am

** CLIENT **

<s>

remote-cert-tls server

Your server certificate does not have this attribute.

TinCanTech wrote: ↑

Tue Jan 18, 2022 3:08 am

atranmisc wrote: ↑

Tue Jan 18, 2022 1:52 am

** CLIENT **

<s>

remote-cert-tls server

Your server certificate does not have this attribute.

Nice. I removed that line from the client config and it starts working. Interesting to know the Android and IOS OpenVPN apps don't check on this. Do you know which exact x509 key usage extension that corresponds to? Is that the same as "X509v3 Extended Key Usage: TLS Web Server Authentication" or is it something else? Thanks a bunch!!!

atranmisc wrote: ↑

Tue Jan 18, 2022 3:58 am

Is that the same as "X509v3 Extended Key Usage: TLS Web Server Authentication"

Yes. Use Easy-RSA v3 to build a new server cert.

TinCanTech wrote: ↑

Tue Jan 18, 2022 2:56 pm

atranmisc wrote: ↑

Tue Jan 18, 2022 3:58 am

Is that the same as "X509v3 Extended Key Usage: TLS Web Server Authentication"

Yes. Use Easy-RSA v3 to build a new server cert.

This may be an unfair question but what do you think about Let's Encrypt vs Easy-RSA v3 besides the fact that there is a bit more works to be done by the user with Easy-RSA v3? Thanks again.

If you use Easy-RSA to build your PKI then you and only you have access to your root CA.

What use is Letsencrypt to me ?

atranmisc wrote: ↑

Sat Jan 22, 2022 1:47 pm

TinCanTech wrote: ↑

Tue Jan 18, 2022 2:56 pm

atranmisc wrote: ↑

Tue Jan 18, 2022 3:58 am

Is that the same as "X509v3 Extended Key Usage: TLS Web Server Authentication"

Yes. Use Easy-RSA v3 to build a new server cert.

This may be an unfair question but what do you think about Let's Encrypt vs Easy-RSA v3 besides the fact that there is a bit more works to be done by the user with Easy-RSA v3? Thanks again.

Hi atran,

Whether fair or not, it is a crazy question. You would NEVER use a public CA for your openvpn PKI. Do you want to allow every Let's Encrypt user to connect to your VPN?

I guess you failed to understand that your PKI is used for authentication. No worries, you were not the first and you will not be the last to have this idea. But no, let's not use LE for our VPN.

regards, rob0

openvpn_inc wrote: ↑

Sat Jan 22, 2022 6:54 pm

atranmisc wrote: ↑

Sat Jan 22, 2022 1:47 pm

TinCanTech wrote: ↑

Tue Jan 18, 2022 2:56 pm

Yes. Use Easy-RSA v3 to build a new server cert.

This may be an unfair question but what do you think about Let's Encrypt vs Easy-RSA v3 besides the fact that there is a bit more works to be done by the user with Easy-RSA v3? Thanks again.

I guess you failed to understand that your PKI is used for authentication.

I was thinking about encryption when I popped that question and forgot the authentication. What a shame