Details:
VPC CIDR: 10.2.4.0/22
AZ1 subnet: 10.2.4.0/24
AZ2 subnet: 10.2.5.0/24
AZ3 subnet: 10.2.6.0/24
EC2 instance is at 10.2.5.168 in the private VPC.
EC2 instance has elastic IP assigned to it and DNS record 'my-openvpn-server.example.com' points to it.
I used my local laptop to create a CA with a self-signed cert, and then to create keys and certs for the client and for the server with that CA. I copied the server's cert, the server's private key, and the CA's cert to the server.
Server conf file:
tls-server
key openvpn_privatekey.pem
cert openvpn_cert.pem
ca ca_cert.pem
dh dh2048.pem
remote-cert-eku "TLS Web Client Authentication"
dev openvpn-tunnel
dev-type tun
topology subnet
server 10.255.255.0 255.255.255.0
push "route 10.2.4.0 255.255.252.0"
Client conf file:
tls-client
key /usr/bin/local-ca/openvpn-client/openvpn-client_privatekey.pem
cert /usr/bin/local-ca/openvpn-client/openvpn-client.pem
ca /usr/bin/local-ca/cacert.pem
# As posted this read "TSL Web Server Authentication"; the EKU name must match OpenSSL's spelling exactly
remote-cert-eku "TLS Web Server Authentication"
dev openvpn-tunnel
dev-type tun
topology subnet
pull
remote my-openvpn-server.example.com
sudo openvpn ./openvpn-server.conf
<date> 17:01:38 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
<date> 17:01:38 WARNING: file 'openvpn_privatekey.pem' is group or others accessible
<date> 17:01:38 OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 29 2023
<date> 17:01:38 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
<date> 17:01:38 WARNING: --keepalive option is missing from server config
🔐 Enter Private Key Password: *******
<date> 17:01:40 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
<date> 17:01:40 TUN/TAP device openvpn-tunnel opened
<date> 17:01:40 net_iface_mtu_set: mtu 1500 for openvpn-tunnel
<date> 17:01:40 net_iface_up: set openvpn-tunnel up
<date> 17:01:40 net_addr_v4_add: 10.255.255.1/24 dev openvpn-tunnel
<date> 17:01:40 Could not determine IPv4/IPv6 protocol. Using AF_INET
<date> 17:01:40 UDPv4 link local (bound): [AF_INET][undef]:1194
<date> 17:01:40 UDPv4 link remote: [AF_UNSPEC]
<date> 17:01:40 Initialization Sequence Completed
<date> 17:11:35 47.185.112.95:53384 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
<date> 17:11:35 47.185.112.95:53384 TLS Error: TLS handshake failed
<date> 17:12:50 47.185.112.95:53384 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
<date> 17:12:50 47.185.112.95:53384 TLS Error: TLS handshake failed
<date> 17:14:27 47.185.112.95:53384 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
<date> 17:14:27 47.185.112.95:53384 TLS Error: TLS handshake failed
^C
<date> 17:30:02 event_wait : Interrupted system call (code=4)
<date> 17:30:02 net_addr_v4_del: 10.255.255.1 dev openvpn-tunnel
<date> 17:30:02 SIGINT[hard,] received, process exiting
[11:10:32] me@mymachine:~$ sudo openvpn ./openvpn-client.conf
<date> 11:10:34 2024 WARNING: file '/usr/bin/local-ca/openvpn-client/openvpn-client_privatekey.pem' is group or others accessible
<date> 11:10:34 2024 OpenVPN 2.4.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Aug 21 2023
<date> 11:10:34 2024 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Enter Private Key Password:
<date> 11:10:37 2024 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
<date> 11:10:37 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:10:37 2024 UDP link local (bound): [AF_INET][undef]:1194
<date> 11:10:37 2024 UDP link remote: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:10:37 2024 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
<date> 11:10:37 2024 TLS_ERROR: BIO read tls_read_plaintext error
<date> 11:10:37 2024 TLS Error: TLS object -> incoming plaintext read error
<date> 11:10:37 2024 TLS Error: TLS handshake failed
<date> 11:10:37 2024 SIGUSR1[soft,tls-error] received, process restarting
<date> 11:10:42 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:10:42 2024 UDP link local (bound): [AF_INET][undef]:1194
<date> 11:10:42 2024 UDP link remote: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:10:42 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_CONTROL_V1)
<date> 11:10:42 2024 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
<date> 11:10:42 2024 TLS_ERROR: BIO read tls_read_plaintext error
<date> 11:10:42 2024 TLS Error: TLS object -> incoming plaintext read error
<date> 11:10:42 2024 TLS Error: TLS handshake failed
<date> 11:10:42 2024 SIGUSR1[soft,tls-error] received, process restarting
<date> 11:10:47 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:10:47 2024 UDP link local (bound): [AF_INET][undef]:1194
<date> 11:10:47 2024 UDP link remote: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:10:47 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_ACK_V1)
<date> 11:10:48 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_CONTROL_V1)
<date> 11:10:50 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_ACK_V1)
<date> 11:10:51 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_CONTROL_V1)
<date> 11:10:54 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_ACK_V1)
<date> 11:10:56 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_CONTROL_V1)
<date> 11:11:03 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_ACK_V1)
<date> 11:11:07 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_CONTROL_V1)
<date> 11:11:13 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_CONTROL_V1)
<date> 11:11:18 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_ACK_V1)
<date> 11:11:47 2024 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
<date> 11:11:47 2024 TLS Error: TLS handshake failed
<date> 11:11:47 2024 SIGUSR1[soft,tls-error] received, process restarting
<date> 11:11:52 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:11:52 2024 UDP link local (bound): [AF_INET][undef]:1194
<date> 11:11:52 2024 UDP link remote: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:11:52 2024 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
<date> 11:11:52 2024 TLS_ERROR: BIO read tls_read_plaintext error
<date> 11:11:52 2024 TLS Error: TLS object -> incoming plaintext read error
<date> 11:11:52 2024 TLS Error: TLS handshake failed
<date> 11:11:52 2024 SIGUSR1[soft,tls-error] received, process restarting
<date> 11:11:57 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:11:57 2024 UDP link local (bound): [AF_INET][undef]:1194
<date> 11:11:57 2024 UDP link remote: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:11:57 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_CONTROL_V1)
<date> 11:11:57 2024 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
<date> 11:11:57 2024 TLS_ERROR: BIO read tls_read_plaintext error
<date> 11:11:57 2024 TLS Error: TLS object -> incoming plaintext read error
<date> 11:11:57 2024 TLS Error: TLS handshake failed
<date> 11:11:57 2024 SIGUSR1[soft,tls-error] received, process restarting
<date> 11:12:07 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:12:07 2024 UDP link local (bound): [AF_INET][undef]:1194
<date> 11:12:07 2024 UDP link remote: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:12:07 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_ACK_V1)
<date> 11:12:09 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_ACK_V1)
<date> 11:12:11 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_CONTROL_V1)
<date> 11:12:14 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_ACK_V1)
<date> 11:12:22 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_CONTROL_V1)
<date> 11:12:22 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_ACK_V1)
<date> 11:12:27 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_CONTROL_V1)
<date> 11:12:38 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_ACK_V1)
<date> 11:13:07 2024 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
<date> 11:13:07 2024 TLS Error: TLS handshake failed
<date> 11:13:07 2024 SIGUSR1[soft,tls-error] received, process restarting
<date> 11:13:28 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:13:28 2024 UDP link local (bound): [AF_INET][undef]:1194
<date> 11:13:28 2024 UDP link remote: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:13:28 2024 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
<date> 11:13:28 2024 TLS_ERROR: BIO read tls_read_plaintext error
<date> 11:13:28 2024 TLS Error: TLS object -> incoming plaintext read error
<date> 11:13:28 2024 TLS Error: TLS handshake failed
<date> 11:13:28 2024 SIGUSR1[soft,tls-error] received, process restarting
<date> 11:14:08 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:14:08 2024 UDP link local (bound): [AF_INET][undef]:1194
<date> 11:14:08 2024 UDP link remote: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:14:08 2024 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
<date> 11:14:08 2024 TLS_ERROR: BIO read tls_read_plaintext error
<date> 11:14:08 2024 TLS Error: TLS object -> incoming plaintext read error
<date> 11:14:08 2024 TLS Error: TLS handshake failed
<date> 11:14:08 2024 SIGUSR1[soft,tls-error] received, process restarting
^C
<date> 11:14:50 2024 SIGINT[hard,init_instance] received, process exiting
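An added static check for the two config files above (example code, not part of the original post and not from the OpenVPN project). It lints an OpenVPN config for the three things the logs and configs in this post point at: a remote-cert-eku value that is not one of the EKU names OpenSSL prints (a misspelled name can never match, so the peer certificate fails verification), a private key file that is group/others readable (the "is group or others accessible" warning in both logs), and a tls-server config with no keepalive (the "--keepalive option is missing" warning). The sample configs inside the script are constructed copies of the posted ones; SERVER_CONF, CLIENT_CONF, check_config and demo_key_perm_check are names chosen for this example. Standard library only.

```python
"""Lint an OpenVPN config pair for EKU spelling, key-file permissions and keepalive.

Added example for this post; not OpenVPN project code. Standard library only.
"""
import difflib
import os
import shlex
import stat
import tempfile

# Extended Key Usage names exactly as OpenSSL spells them. remote-cert-eku does a
# string compare against these, so any other spelling fails every peer certificate.
KNOWN_EKU_NAMES = (
    "TLS Web Server Authentication",
    "TLS Web Client Authentication",
)

# Which EKU each side should demand from its peer.
EXPECTED_EKU_FOR_ROLE = {
    "tls-server": "TLS Web Client Authentication",
    "tls-client": "TLS Web Server Authentication",
}

# Constructed copy of the posted server config.
SERVER_CONF = """
tls-server
key openvpn_privatekey.pem
cert openvpn_cert.pem
ca ca_cert.pem
dh dh2048.pem
remote-cert-eku "TLS Web Client Authentication"
dev openvpn-tunnel
dev-type tun
topology subnet
server 10.255.255.0 255.255.255.0
push "route 10.2.4.0 255.255.252.0"
"""

# Constructed copy of the posted client config, with the EKU misspelling as posted.
CLIENT_CONF = """
tls-client
key /usr/bin/local-ca/openvpn-client/openvpn-client_privatekey.pem
cert /usr/bin/local-ca/openvpn-client/openvpn-client.pem
ca /usr/bin/local-ca/cacert.pem
remote-cert-eku "TSL Web Server Authentication"
dev openvpn-tunnel
dev-type tun
topology subnet
pull
remote my-openvpn-server.example.com
"""


def parse_config(text):
    """Yield (directive, args) per non-comment line; shlex honours the quoted EKU string."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        yield parts[0], parts[1:]


def check_config(text, base_dir=None):
    """Return a list of findings for one config. File checks run only when base_dir is given."""
    findings = []
    directives = list(parse_config(text))
    names = {d for d, _ in directives}
    role = next((r for r in EXPECTED_EKU_FOR_ROLE if r in names), None)

    for directive, args in directives:
        if directive == "remote-cert-eku" and args:
            eku = args[0]
            if eku not in KNOWN_EKU_NAMES:
                hint = difflib.get_close_matches(eku, KNOWN_EKU_NAMES, n=1)
                findings.append(
                    f"remote-cert-eku {eku!r} is not an OpenSSL EKU name"
                    + (f"; did you mean {hint[0]!r}?" if hint else "")
                )
            elif role and eku != EXPECTED_EKU_FOR_ROLE[role]:
                findings.append(
                    f"{role} demands {eku!r} from its peer; expected {EXPECTED_EKU_FOR_ROLE[role]!r}"
                )
        elif directive == "key" and args and base_dir is not None:
            path = os.path.join(base_dir, args[0])
            if os.path.exists(path):
                mode = stat.S_IMODE(os.stat(path).st_mode)
                if mode & 0o077:  # any group/other bit set
                    findings.append(
                        f"key {args[0]!r} is group/others accessible (mode {mode:04o}); chmod 600 it"
                    )

    if "tls-server" in names and "keepalive" not in names:
        findings.append("tls-server config has no keepalive; dead clients are never timed out")
    return findings


def demo_key_perm_check(mode):
    """Write a constructed placeholder key file with the given mode and lint a config that uses it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "client_key.pem")
        with open(path, "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        os.chmod(path, mode)
        conf = 'tls-client\nkey client_key.pem\nremote-cert-eku "TLS Web Server Authentication"\n'
        return check_config(conf, base_dir=tmp)


if __name__ == "__main__":
    for label, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        for finding in check_config(conf):
            print(f"[{label}] {finding}")
```

Run it as is to see the findings for the posted configs; pass base_dir=os.path.dirname(config_path) to check_config to also catch a world-readable key file on a real deployment.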