Hello guys:
I bought a VPS and built my own OpenVPN server. I want to use it to fulfill some of my needs.
Then I configured the client through various channels (including but not limited to official documents, Google, etc.).
It worked fine on Windows, but when I used the same method (same client certificate issuance, same configuration file) to configure my Linux machine there was a problem.
My Linux machine system is Rocky Linux 9.
I first thought that some of my operations were wrong (after all, this is a bit cumbersome and I am not very familiar with it), so I then took the client configuration from my Windows machine (unchanged; it works normally on Windows) and used it on the Linux machine, but I found that the error still persisted.
I checked a lot of information but still can't find the problem.
My VPS server runs Ubuntu 22.04, and I compiled and installed OpenVPN 2.6.9 from source.
My Linux machine (Rocky Linux 9) uses the same source build and installation as the server.
Windows uses OpenVPN Connect.
Related configuration information
OpenVPN server configuration
The following is my OpenVPN server configuration:
$ grep -Pv '^$|^#|^;' /opt/openvpn/conf/server_strict-ca.conf
port 21222
proto udp
dev tun
topology subnet
ca /opt/openvpn/ssl/strict-ca/A_B-chain.crt
cert /opt/openvpn/ssl/strict-ca/server.crt
key /opt/openvpn/ssl/strict-ca/server.key
dh none
server 172.16.110.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-crypt /opt/openvpn/ssl/ta.key
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA384
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
user nobody
group nogroup
persist-key
persist-tun
client-to-client
crl-verify /opt/openvpn/ssl/strict-ca/crl/crl.pem
status /var/log/openvpn/openvpn-status.log
verb 3
log-append /var/log/openvpn/openvpn-info.log
explicit-exit-notify 1
Below is my OpenVPN client configuration:
$ grep -Pv '^$|^#|^;' client.ovpn
client
dev tun
proto udp
remote 1.2.3.4 21222 # I have randomly replaced the IP address here.
resolv-retry infinite
nobind
user nobody
group nobody # This item is nogroup in Windows.
persist-key
persist-tun
ca A_B-chain.crt
cert client.crt
key client.key
tls-crypt ta.key
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA384
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
verb 3
script-security 2
keepalive 10 120
CAs
Below are the relevant parts of my certificates:
A is the root CA.
$ openssl x509 -text -noout -in A.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1f:12:fa:84:28:68:d0:78:e5:90:22:19:2f:60:ce:78:c9:8d:92:18
Signature Algorithm: ecdsa-with-SHA384
Issuer: (A.crt, self-signed)
Validity
Not Before: Dec 18 12:54:52 2023 GMT
Not After : Jan 18 12:54:52 2033 GMT
Subject: (A.crt, self-signed)
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:f0:d2:70:b1:dd:88:7d:45:8e:da:7a:30:c7:84:
e0:5e:20:c6:86:27:0a:61:69:b1:72:d6:ef:1b:e5:
00:21:09:8f:53:6b:a3:43:80:af:10:0e:69:49:d0:
fe:f2:fb:2e:48:e3:be:d2:7e:fd:8e:64:32:c1:11:
b8:92:81:dd:f8:6e:33:1c:78:d3:ee:98:8a:db:80:
3a:57:3e:13:0e:1b:43:dc:25:89:29:b4:11:d4:28:
97:d2:bd:22:08:ef:bb
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Subject Key Identifier:
97:21:6A:46:A0:F4:AA:95:D2:9B:6F:86:FB:4D:13:49:FA:59:95:97
X509v3 Authority Key Identifier:
keyid:97:21:6A:46:A0:F4:AA:95:D2:9B:6F:86:FB:4D:13:49:FA:59:95:97
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: ecdsa-with-SHA384
30:64:02:30:7f:3a:2f:85:42:bf:09:df:f7:7b:44:bb:b9:cd:
18:2f:67:83:14:6a:1f:d6:cb:7c:bd:b1:55:a0:ce:e6:b5:8f:
d3:cf:11:43:4d:fd:a5:6b:e1:14:d1:35:af:44:3d:f3:02:30:
74:b4:6a:09:4b:3e:1d:67:ec:2e:69:99:5c:59:d4:19:61:02:
57:23:e8:a1:33:9a:99:0d:23:7b:88:0a:89:93:a9:da:6a:3c:
16:fa:76:5c:ef:4f:10:f7:41:c1:e2:c9
B is a subordinate CA, which is only responsible for issuing OpenVPN-related certificates.
$ openssl x509 -text -noout -in B.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
09:fc:6c:73:25:7d:aa:8b:41:d6:cf:1f:91:68:a4:02:94:98:17:c0
Signature Algorithm: ecdsa-with-SHA256
Issuer: (A.crt)
Validity
Not Before: Mar 13 15:25:55 2024 GMT
Not After : Mar 14 15:25:55 2029 GMT
Subject: (B.crt)
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:ef:c9:fa:cb:61:37:54:82:e6:bc:a1:66:e8:be:
df:88:08:23:1a:f9:6e:94:29:30:b8:81:29:01:50:
be:e1:a9:82:48:fa:28:03:06:2c:8b:65:3d:d0:35:
d4:50:10:1b:33:f9:6d:a4:6b:ce:5e:f4:61:6c:31:
16:7f:70:a3:08:ae:90:0c:a2:c1:49:ca:e4:6b:80:
ea:f4:96:82:e8:ff:bb:f7:9b:d0:2d:37:80:0a:d1:
c7:0f:b1:1d:73:aa:2a
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
AE:50:63:28:D1:4B:01:A4:CC:B3:7C:7B:58:09:1C:19:2B:B7:62:89
X509v3 Authority Key Identifier:
keyid:97:21:6A:46:A0:F4:AA:95:D2:9B:6F:86:FB:4D:13:49:FA:59:95:97
Signature Algorithm: ecdsa-with-SHA256
30:64:02:30:76:ce:62:23:0e:41:df:2a:0c:50:71:93:e6:58:
1b:4a:06:94:71:e5:a4:4a:a1:a2:9f:ee:aa:5c:0b:8f:5d:83:
d7:8d:f4:b6:f3:c8:bd:0b:ef:2c:0f:1c:65:76:74:3d:02:30:
47:74:84:74:e7:b2:10:26:b0:48:35:b4:f7:30:7d:9d:87:a3:
fd:46:be:fa:18:4b:e7:c5:c3:06:6f:fd:09:ac:cb:25:8b:8c:
68:81:a6:70:cc:26:ed:68:33:73:4b:f1
OpenVPN server certificate
$ openssl x509 -text -noout -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: ecdsa-with-SHA256
Issuer: (B.crt)
Validity
Not Before: Mar 13 15:32:58 2024 GMT
Not After : Mar 13 15:32:58 2028 GMT
Subject: (Server.crt)
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:ff:91:e0:be:f4:d6:fc:99:f4:c5:9a:05:0e:0d:
87:e5:9b:e1:9f:1b:60:b8:b1:12:75:99:7b:0a:c3:
27:df:2b:5e:44:b4:5e:f0:fd:ec:27:d4:37:2c:ea:
1c:77:e8:06:e3:71:bc:41:1f:fa:82:52:29:4a:33:
a6:df:93:9f:63:25:41:e3:99:ce:9b:24:92:97:d4:
3b:56:e5:f2:8d:2a:ff:e9:af:6c:75:c5:4c:3f:e4:
75:60:b6:e6:c8:aa:ff
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
96:16:D5:02:57:F3:0D:23:C2:D5:94:11:5A:C5:0F:15:3A:2F:32:B5
X509v3 Authority Key Identifier:
AE:50:63:28:D1:4B:01:A4:CC:B3:7C:7B:58:09:1C:19:2B:B7:62:89
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:66:02:31:00:bf:80:59:d2:c1:7b:d8:b3:74:e0:e8:ea:2c:
09:ac:68:22:a6:ba:e9:13:e8:72:00:a4:82:0d:be:fe:30:d1:
be:2f:46:4f:a2:c1:fb:64:ff:e4:09:1c:1c:9b:70:6d:3c:02:
31:00:95:84:93:6a:e4:7e:e0:3a:78:ee:14:d9:4c:b1:e6:85:
ca:22:36:48:60:39:40:38:be:98:0c:43:2d:33:50:00:c4:8f:
5d:76:96:64:e4:a2:66:ca:f7:1d:43:5a:9d:57
OpenVPN client certificate
$ openssl x509 -text -noout -in client.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4097 (0x1001)
Signature Algorithm: ecdsa-with-SHA256
Issuer: (B.crt)
Validity
Not Before: Mar 13 15:35:37 2024 GMT
Not After : Jun 13 15:35:37 2024 GMT
Subject: (client.crt)
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:23:89:52:7c:0e:e7:e5:35:18:65:f6:5b:eb:53:
a1:c6:05:ed:c3:94:5f:98:5e:d1:49:bc:4a:48:b9:
07:a8:f3:a8:75:d3:00:9a:f4:56:69:08:f9:56:af:
ea:7e:d5:38:22:03:d9:4b:5b:fa:b8:1f:c0:ee:8a:
5c:bd:e0:46:8a
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
E1:64:90:F7:FB:42:A9:23:FB:E2:9F:91:FB:E1:21:1A:BC:C0:56:2C
X509v3 Authority Key Identifier:
AE:50:63:28:D1:4B:01:A4:CC:B3:7C:7B:58:09:1C:19:2B:B7:62:89
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:66:02:31:00:cf:51:17:83:0c:24:ba:e5:b8:93:c6:d9:42:
ae:a8:49:b1:82:72:e3:70:b4:4c:43:df:cb:57:b2:cc:a0:ab:
0e:39:ef:9b:98:8b:90:55:b0:f6:d7:af:f3:5a:65:44:14:02:
31:00:b9:e0:88:88:c1:5a:c5:ef:1c:75:38:46:3c:0d:04:fb:
46:ec:55:ad:fa:79:8b:8e:c3:25:0d:7b:04:e1:84:86:7a:29:
c8:76:c8:3d:cd:1b:94:f2:95:ce:f2:c2:3a:ce
The error log I encountered when I connected using `openvpn --client --config client.ovpn`.
This is the client:
$ /opt/openvpn-2.6.9/sbin/openvpn --client --config client-chain.ovpn
2024-03-16 15:25:23 Note: Treating option '--ncp-ciphers' as '--data-ciphers' (renamed in OpenVPN 2.5).
2024-03-16 15:25:23 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2024-03-16 15:25:23 OpenVPN 2.6.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
2024-03-16 15:25:23 library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
2024-03-16 15:25:23 DCO version: N/A
2024-03-16 15:25:23 TCP/UDP: Preserving recently used remote address: [AF_INET]1.2.3.4:21222
2024-03-16 15:25:23 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-03-16 15:25:23 UDPv4 link local: (not bound)
2024-03-16 15:25:23 UDPv4 link remote: [AF_INET]1.2.3.4:21222
2024-03-16 15:25:23 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2024-03-16 15:25:23 TLS: Initial packet from [AF_INET]1.2.3.4:21222, sid=ea0416e2 1f7df5e8
2024-03-16 15:25:23 VERIFY OK: (A.crt)
2024-03-16 15:25:23 VERIFY OK: (B.crt)
2024-03-16 15:25:23 Certificate does not have key usage extension
2024-03-16 15:25:23 VERIFY KU ERROR
2024-03-16 15:25:23 Sent fatal SSL alert: internal error
2024-03-16 15:25:23 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-03-16 15:25:23 TLS_ERROR: BIO read tls_read_plaintext error
2024-03-16 15:25:23 TLS Error: TLS object -> incoming plaintext read error
2024-03-16 15:25:23 TLS Error: TLS handshake failed
2024-03-16 15:25:23 SIGUSR1[soft,tls-error] received, process restarting
2024-03-16 15:25:23 Restart pause, 1 second(s)
2024-03-16 15:25:23 SIGINT[hard,init_instance] received, process exiting
This is the server (assume the client IP is 5.6.7.8):
2024-03-16 15:25:23 5.6.7.8:14601 CRL: loaded 1 CRLs from file /opt/openvpn/ssl/strict-ca/crl/crl.pem
2024-03-16 15:25:25 read UDPv4 [ECONNREFUSED]: Connection refused (fd=6,code=111)
2024-03-16 15:25:29 read UDPv4 [ECONNREFUSED]: Connection refused (fd=6,code=111)
2024-03-16 15:25:37 read UDPv4 [ECONNREFUSED]: Connection refused (fd=6,code=111)
2024-03-16 15:25:53 read UDPv4 [ECONNREFUSED]: Connection refused (fd=6,code=111)
2024-03-16 15:26:23 5.6.7.8:14601 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-03-16 15:26:23 5.6.7.8:14601 TLS Error: TLS handshake failed
2024-03-16 15:26:23 5.6.7.8:14601 SIGUSR1[soft,tls-error] received, client-instance restarting
I found these lines in the log of the Linux client:
2024-03-16 15:25:23 Certificate does not have key usage extension
2024-03-16 15:25:23 VERIFY KU ERROR
Thanks.
Supplementary content
When I remove the
remote-cert-tls server
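As an added example that is not part of the original post, the following script reproduces with plain openssl the check the Linux client's log is failing on. An OpenVPN client configured with `remote-cert-tls server` refuses a server certificate unless it carries an X509v3 Key Usage extension (the TLS library then checks the bits) and an Extended Key Usage that includes TLS Web Server Authentication. The server.crt dumped above has Basic Constraints, Subject Key Identifier and Authority Key Identifier only, which is what "Certificate does not have key usage extension" followed by "VERIFY KU ERROR" reports. The script generates a throwaway issuing CA, issues one server certificate with the same extension set as the post's server.crt and one with the extensions `remote-cert-tls server` expects, and checks both. The CA name, subject names, temporary file layout and extension section names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the certificate
# checks behind OpenVPN's "remote-cert-tls server" with plain openssl, and
# show the extension section that makes a server certificate pass them.
# CA name, subjects, file names and section names are assumptions for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/ext.cnf"

# Extension profiles. "srv_noku" mirrors the server.crt in the post
# (basicConstraints, SKI and AKI only). "srv_tls" adds what
# remote-cert-tls server requires: a keyUsage extension and an
# extendedKeyUsage containing serverAuth (what easy-rsa's server type sets).
cat >"$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[srv_noku]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[srv_tls]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Throwaway P-384 issuing CA (stands in for "B" in the post).
make_ca() {
  openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/ca.key"
  openssl req -x509 -new -key "$WORK/ca.key" -sha384 -days 30 \
    -subj "/CN=Demo Issuing CA" -config "$CNF" -extensions v3_ca \
    -out "$WORK/ca.crt" 2>/dev/null
}

# issue_server_cert <name> <extension section>: P-384 key and CSR, signed by the demo CA.
issue_server_cert() {
  name="$1"; ext="$2"
  openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/$name.key"
  openssl req -new -key "$WORK/$name.key" -subj "/CN=vpn.example.test" \
    -config "$CNF" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$CNF" -extensions "$ext" \
    -out "$WORK/$name.crt" 2>/dev/null
}

# check_remote_cert_tls_server <cert>: returns 0 iff an OpenVPN client with
# "remote-cert-tls server" would accept this certificate as a server's.
# OpenVPN requires the keyUsage extension to be present (the TLS library then
# validates its bits) and extendedKeyUsage to list TLS Web Server Authentication.
check_remote_cert_tls_server() {
  text="$(openssl x509 -in "$1" -noout -text)"
  if ! printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
    echo "$1: FAIL, no keyUsage extension (client would log 'VERIFY KU ERROR')"
    return 1
  fi
  if ! printf '%s\n' "$text" | awk '/X509v3 Extended Key Usage/{getline; print}' \
       | grep -q 'TLS Web Server Authentication'; then
    echo "$1: FAIL, extendedKeyUsage lacks serverAuth (client would log 'VERIFY EKU ERROR')"
    return 1
  fi
  echo "$1: OK, satisfies remote-cert-tls server"
}

make_ca
issue_server_cert srv_noku srv_noku
issue_server_cert srv_tls srv_tls

# Run the checks through "if" so the expected failure does not trip set -e.
for c in srv_noku srv_tls; do
  if check_remote_cert_tls_server "$WORK/$c.crt"; then :; fi
done
```

The fix belongs on the issuing side: re-issue server.crt from CA B with an extension section like `srv_tls` above (easy-rsa's `build-server-full` produces the same key usage and serverAuth extensions), rather than dropping `remote-cert-tls server` from the client. That option is what stops any other certificate issued by the same CA, including another client's, from posing as the server, so removing it trades the handshake error for a server-impersonation risk.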