edit: tls-auth, server hardening error

Samples of working configurations.


bretsie
OpenVpn Newbie
Posts: 10
Joined: Thu Jul 19, 2012 3:21 pm

edit: tls-auth, server hardening error

Post by bretsie » Fri Jul 20, 2012 7:08 pm

I'm trying to figure out exactly how to change the client certificate lifespan.
It's stuck at 3650 days and I can't change it.
I have tried editing the vars file and then running build-key, but it still says 3650 days.

Do I have to run these commands again?

Code:

. /etc/openvpn/easy-rsa/2.0/vars       # I know this contains information on the key infrastructure (bit encryption, CA length, key length)
. /etc/openvpn/easy-rsa/2.0/clean-all  # I'm not really sure what this does
. /etc/openvpn/easy-rsa/2.0/build-ca   # From what I understand this builds the server/client CA file that is needed for authentication.

Also, what is the best way to manage clients? I do not use the Access Server; is there a log file where all the clients are saved and their certificate durations are recorded?

One last question. Does the command..

Code:

. /etc/openvpn/easy-rsa/2.0/build-dh

build the dh1024.pem/dh2048.pem files that are configured in the vars file? Or does this command also access the client/server .crt files and keys to encrypt them?
Last edited by bretsie on Mon Jul 23, 2012 2:45 pm, edited 1 time in total.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Correct Way to Change Client Certificates? And Manage?

Post by maikcat » Sat Jul 21, 2012 10:48 am

hi there,

here we go
I'm trying to figure out exactly how to change the client certificate lifespan.
It's stuck at 3650 days and I can't change it.
I have tried editing the vars file and then running build-key, but it still says 3650 days.
If you have already created a cert and you want to change its lifespan,
I think the answer is no...

If you want to create a new cert with a different lifespan, then simply edit the
vars file and change the appropriate SET environment value, then:

source the vars file
run the build-key script to create the new cert with the selected lifespan.

openssl creates index.txt containing info about your created certs.
One last question. Does the command..

Code:
. /etc/openvpn/easy-rsa/2.0/build-dh

build the dh1024.pem/dh2048.pem files that are configured in the vars file? Or does this command also access the client/server .crt files and keys to encrypt them?
build-dh builds the Diffie-Hellman parameters file, dh(keysize).pem.
The Diffie-Hellman algorithm is used for key exchange when the symmetric encryption takes place.
No, it does not encrypt the client/server crt files..

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

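The index.txt that maikcat mentions is the OpenSSL CA database that easy-rsa 2.0 maintains, and it is the place to look for the client-management question asked above. The following is an added example (not code from the thread, easy-rsa or OpenVPN) that parses it and lists every issued certificate with its state and days until expiry; the sample database is constructed, and KEY_EXPIRE, named in its comments, is the easy-rsa 2.0 vars variable that sets the certificate lifetime and is not named anywhere in the thread.

```python
"""List what an easy-rsa 2.0 CA has issued by reading its index.txt, the
OpenSSL CA database maikcat points to above. Added example for this thread,
not part of easy-rsa or OpenVPN.

Each index.txt line has six tab-separated fields:
  status  expiry  revocation  serial  filename  subject
status is V (valid), R (revoked) or E (expired); dates are YYMMDDHHMMSSZ (UTC).
The expiry stored here is what OpenSSL signed into the certificate, which is
why editing vars (KEY_EXPIRE) after the fact changes nothing for existing certs."""

from datetime import datetime, timezone

# Constructed sample database (not a real CA): two KEY_EXPIRE=3650 certs
# issued 2012-07-20, one revoked, one one-year cert, one expired, one expiring soon.
SAMPLE_INDEX = (
    "V\t220718150000Z\t\t01\tunknown\t/C=US/O=Fort-Funston/CN=server\n"
    "V\t220718150500Z\t\t02\tunknown\t/C=US/O=Fort-Funston/CN=client1\n"
    "R\t220718151000Z\t120721133000Z\t03\tunknown\t/C=US/O=Fort-Funston/CN=client2\n"
    "V\t130722120000Z\t\t04\tunknown\t/C=US/O=Fort-Funston/CN=client3\n"
    "V\t120701120000Z\t\t05\tunknown\t/C=US/O=Fort-Funston/CN=client4\n"
    "V\t120802120000Z\t\t06\tunknown\t/C=US/O=Fort-Funston/CN=client5\n"
)

# Fixed reference time (constructed) so the report below is reproducible.
NOW = datetime(2012, 7, 23, 12, 0, tzinfo=timezone.utc)


def parse_asn1_time(value):
    """Convert OpenSSL's YYMMDDHHMMSSZ to an aware UTC datetime."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Parse index.txt into a list of dicts; malformed lines raise ValueError."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, expiry, revoked, serial, _filename, subject = fields
        cn = next((p[3:] for p in subject.split("/") if p.startswith("CN=")), None)
        entries.append({
            "cn": cn,
            "status": status,
            "serial": serial,
            "expires": parse_asn1_time(expiry),
            # The revocation field may carry a reason after a comma: "<time>,keyCompromise"
            "revoked": parse_asn1_time(revoked.split(",")[0]) if revoked else None,
        })
    return entries


def report(text, now=None, warn_days=30):
    """Classify every entry as revoked / expired / expiring-soon / valid.
    openssl only rewrites V to E when 'openssl ca -updatedb' is run, so the
    expiry date is checked directly instead of trusting the status column."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for e in parse_index(text):
        days_left = (e["expires"] - now).days
        if e["status"] == "R" or e["revoked"] is not None:
            state = "revoked"
        elif e["status"] == "E" or days_left < 0:
            state = "expired"
        elif days_left <= warn_days:
            state = "expiring-soon"
        else:
            state = "valid"
        rows.append({**e, "days_left": days_left, "state": state})
    return rows


def by_cn(rows):
    """Index report rows by common name for quick lookups."""
    return {r["cn"]: r for r in rows}


if __name__ == "__main__":
    for r in report(SAMPLE_INDEX, NOW):
        print(f"{r['cn']:<10} {r['state']:<14} serial={r['serial']} "
              f"expires={r['expires']:%Y-%m-%d} days_left={r['days_left']}")
```

Run it against a real /etc/openvpn/easy-rsa/2.0/keys/index.txt by passing the file contents to report() with no fixed time; a revoked entry only locks the client out if the server is also configured with crl-verify.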
bretsie
OpenVpn Newbie
Posts: 10
Joined: Thu Jul 19, 2012 3:21 pm

Re: Correct Way to Change Client Certificates? And Manage?

Post by bretsie » Sun Jul 22, 2012 12:34 pm

I have run into another problem, so I will post it here instead of making a new thread.

I am trying to enable "cipher AES-256-CBC" in my 'server.conf' file. I do so and then add the same cipher to my client.conf. But whenever I use some encryption besides the standard Blowfish encryption, my clients can connect to the VPN but not browse while on the VPN. No web pages will display.

Also, what commands do I need to un-comment to fully disable logs?

The server.conf and client.conf files are below.

server.conf

Code:

push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt


keepalive 10 120
cipher AES-256-CBC   # AES
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

client.conf

Code:

client
dev tun
proto udp
remote XXX.XXX.XXX.XXX 1194 #Removing my server for security reasons.
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
;mute 20

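The cipher problem in this post, and the tls-auth failure that comes up later in the thread, are both cases of the server and client configs disagreeing on something both peers must share. The following is an added example (not code from the thread or from OpenVPN) that parses a server.conf and a client.conf and reports the directives that must match; the tls-auth lines in its sample configs are constructed for the example, since the posted configs have none.

```python
"""Cross-check an OpenVPN server.conf against a client.conf for the settings
both peers must agree on. Added example for this thread; not code from the
thread or from OpenVPN. Covers the cipher mismatch seen here (a stale client
profile running the default BF-CBC against a server set to AES-256-CBC) and a
tls-auth setup present on only one side or with the same key direction on both,
which ends in "TLS key negotiation failed to occur within 60 seconds".
The tls-auth lines in the sample configs are constructed for this example."""

import shlex

# Directives both peers must share. OpenVPN's options-consistency check (OCC)
# only warns when they differ; the data channel then fails after the handshake.
MUST_MATCH = ("dev", "proto", "cipher", "auth", "comp-lzo")

# Values OpenVPN 2.2 assumes when the directive is absent.
DEFAULTS = {"cipher": ["BF-CBC"], "auth": ["SHA1"], "proto": ["udp"]}

# Server config from the thread (trimmed), plus the constructed tls-auth line.
SERVER_CONF = """
port 1194
proto udp
dev tun
key server.key  # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0   # constructed for this example
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
cipher AES-256-CBC
comp-lzo
"""

# The stale client profile: no cipher line (so BF-CBC) and no tls-auth.
CLIENT_CONF_STALE = """
client
dev tun
proto udp
remote XXX.XXX.XXX.XXX 1194  # server address withheld, as in the thread
ns-cert-type server
comp-lzo
;mute 20
"""

# The corrected profile: same cipher, and tls-auth with the opposite direction.
CLIENT_CONF_FIXED = CLIENT_CONF_STALE.replace(
    "comp-lzo\n", "cipher AES-256-CBC\ntls-auth ta.key 1\ncomp-lzo\n")


def parse_conf(text):
    """Parse config text into {directive: [args]}. Lines starting with '#' or
    ';' are comments and '#' also starts a trailing comment; quoted arguments
    stay whole. A repeated directive keeps its last occurrence, which is fine
    for the directives compared here (push lines are not compared)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            conf[parts[0]] = parts[1:]
    return conf


def tls_auth_mode(conf):
    """Return (enabled, direction). The direction is the second tls-auth
    argument or a separate key-direction directive; None is the bidirectional
    mode used when neither side gives a direction."""
    if "tls-auth" not in conf:
        return False, None
    args = conf["tls-auth"]
    if len(args) >= 2:
        return True, args[1]
    if "key-direction" in conf:
        return True, conf["key-direction"][0]
    return True, None


def fmt(value):
    return "absent" if value is None else (" ".join(value) or "present")


def check(server, client):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    for name in MUST_MATCH:
        s = server.get(name, DEFAULTS.get(name))
        c = client.get(name, DEFAULTS.get(name))
        if s != c:
            problems.append(f"{name}: server={fmt(s)} client={fmt(c)}")
    s_on, s_dir = tls_auth_mode(server)
    c_on, c_dir = tls_auth_mode(client)
    if s_on != c_on:
        side = "server" if s_on else "client"
        problems.append(f"tls-auth: only the {side} has it, so control-channel packets "
                        "fail the HMAC check and the handshake never completes")
    elif s_on and {s_dir, c_dir} not in ({None}, {"0", "1"}):
        problems.append("tls-auth: key direction must be 0 on the server and 1 on the "
                        f"client (or omitted on both), got server={s_dir} client={c_dir}")
    return problems


if __name__ == "__main__":
    server = parse_conf(SERVER_CONF)
    for label, text in (("stale", CLIENT_CONF_STALE), ("fixed", CLIENT_CONF_FIXED)):
        print(label, check(server, parse_conf(text)) or ["consistent"])
```
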
maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Correct Way to Change Client Certificates? And Manage?

Post by maikcat » Sun Jul 22, 2012 3:04 pm

hi there,

(I removed the comments from the configs.)

Can you post the logs from the server/client when you connect using AES?
Can you ping 10.8.0.1 from your clients when using AES?
To disable logging completely, use verb 0.

Michael.

bretsie
OpenVpn Newbie
Posts: 10
Joined: Thu Jul 19, 2012 3:21 pm

Re: Correct Way to Change Client Certificates? And Manage?

Post by bretsie » Sun Jul 22, 2012 7:25 pm

Okay, I changed the verbosity to 6 in the server.conf for the AES-256-CBC test.

Here is what I got.

When the client pinged 10.8.0.1, all the requests timed out.

openvpn-status.log

Code:

OpenVPN CLIENT LIST
Updated,Sun Jul 22 23:20:50 2012
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client2,67.173.49.170:53069,14847,8001,Sun Jul 22 23:20:00 2012
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.10,client2,67.173.49.170:53069,Sun Jul 22 23:20:42 2012
GLOBAL STATS
Max bcast/mcast queue length,0
END

bretsie
OpenVpn Newbie
Posts: 10
Joined: Thu Jul 19, 2012 3:21 pm

Re: Correct Way to Change Client Certificates? And Manage?

Post by bretsie » Mon Jul 23, 2012 12:39 am

Sorry, I'm an idiot; here is the correct log.

After switching to the new OpenVPN client, version 2.2.

Now I am receiving a TCP error. If possible, keep my server IP discreet.

Log File

Code:

Sun Jul 22 19:35:53 2012 us=32000 Current Parameter Settings:
Sun Jul 22 19:35:53 2012 us=32000   config = 'client2.ovpn'
Sun Jul 22 19:35:53 2012 us=32000   mode = 0
Sun Jul 22 19:35:53 2012 us=32000   show_ciphers = DISABLED
Sun Jul 22 19:35:53 2012 us=32000   show_digests = DISABLED
Sun Jul 22 19:35:53 2012 us=32000   show_engines = DISABLED
Sun Jul 22 19:35:53 2012 us=32000   genkey = DISABLED
Sun Jul 22 19:35:53 2012 us=32000   key_pass_file = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=32000   show_tls_ciphers = DISABLED
Sun Jul 22 19:35:53 2012 us=32000 Connection profiles [default]:
Sun Jul 22 19:35:53 2012 us=32000   proto = udp
Sun Jul 22 19:35:53 2012 us=32000   local = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=32000   local_port = 0
Sun Jul 22 19:35:53 2012 us=32000   remote = 'XXX.XXX.XXX.XXX'
Sun Jul 22 19:35:53 2012 us=32000   remote_port = 1194
Sun Jul 22 19:35:53 2012 us=32000   remote_float = DISABLED
Sun Jul 22 19:35:53 2012 us=32000   bind_defined = DISABLED
Sun Jul 22 19:35:53 2012 us=32000   bind_local = DISABLED
Sun Jul 22 19:35:53 2012 us=32000   connect_retry_seconds = 5
Sun Jul 22 19:35:53 2012 us=32000   connect_timeout = 10
Sun Jul 22 19:35:53 2012 us=32000   connect_retry_max = 0
Sun Jul 22 19:35:53 2012 us=32000   socks_proxy_server = 'XXX.XXX.XXX.XXX'
Sun Jul 22 19:35:53 2012 us=32000   socks_proxy_port = 1194
Sun Jul 22 19:35:53 2012 us=32000   socks_proxy_retry = DISABLED
Sun Jul 22 19:35:53 2012 us=32000 Connection profiles END
Sun Jul 22 19:35:53 2012 us=32000   remote_random = DISABLED
Sun Jul 22 19:35:53 2012 us=32000   ipchange = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=32000   dev = 'tun'
Sun Jul 22 19:35:53 2012 us=32000   dev_type = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=32000   dev_node = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=32000   lladdr = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=32000   topology = 1
Sun Jul 22 19:35:53 2012 us=32000   tun_ipv6 = DISABLED
Sun Jul 22 19:35:53 2012 us=32000   ifconfig_local = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=32000   ifconfig_remote_netmask = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=32000   ifconfig_noexec = DISABLED
Sun Jul 22 19:35:53 2012 us=32000   ifconfig_nowarn = DISABLED
Sun Jul 22 19:35:53 2012 us=32000   shaper = 0
Sun Jul 22 19:35:53 2012 us=32000   tun_mtu = 1500
Sun Jul 22 19:35:53 2012 us=32000   tun_mtu_defined = ENABLED
Sun Jul 22 19:35:53 2012 us=32000   link_mtu = 1500
Sun Jul 22 19:35:53 2012 us=32000   link_mtu_defined = DISABLED
Sun Jul 22 19:35:53 2012 us=32000   tun_mtu_extra = 0
Sun Jul 22 19:35:53 2012 us=32000   tun_mtu_extra_defined = DISABLED
Sun Jul 22 19:35:53 2012 us=32000   fragment = 0
Sun Jul 22 19:35:53 2012 us=32000   mtu_discover_type = -1
Sun Jul 22 19:35:53 2012 us=32000   mtu_test = 0
Sun Jul 22 19:35:53 2012 us=32000   mlock = DISABLED
Sun Jul 22 19:35:53 2012 us=32000   keepalive_ping = 0
Sun Jul 22 19:35:53 2012 us=32000   keepalive_timeout = 0
Sun Jul 22 19:35:53 2012 us=32000   inactivity_timeout = 0
Sun Jul 22 19:35:53 2012 us=32000   ping_send_timeout = 0
Sun Jul 22 19:35:53 2012 us=32000   ping_rec_timeout = 0
Sun Jul 22 19:35:53 2012 us=32000   ping_rec_timeout_action = 0
Sun Jul 22 19:35:53 2012 us=32000   ping_timer_remote = DISABLED
Sun Jul 22 19:35:53 2012 us=32000   remap_sigusr1 = 0
Sun Jul 22 19:35:53 2012 us=32000   explicit_exit_notification = 0
Sun Jul 22 19:35:53 2012 us=32000   persist_tun = ENABLED
Sun Jul 22 19:35:53 2012 us=32000   persist_local_ip = DISABLED
Sun Jul 22 19:35:53 2012 us=32000   persist_remote_ip = DISABLED
Sun Jul 22 19:35:53 2012 us=32000   persist_key = ENABLED
Sun Jul 22 19:35:53 2012 us=32000   mssfix = 1450
Sun Jul 22 19:35:53 2012 us=32000   resolve_retry_seconds = 1000000000
Sun Jul 22 19:35:53 2012 us=32000   username = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=32000   groupname = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=32000   chroot_dir = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=32000   cd_dir = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=32000   writepid = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=32000   up_script = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=266000   down_script = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=266000   down_pre = DISABLED
Sun Jul 22 19:35:53 2012 us=266000   up_restart = DISABLED
Sun Jul 22 19:35:53 2012 us=266000   up_delay = DISABLED
Sun Jul 22 19:35:53 2012 us=266000   daemon = DISABLED
Sun Jul 22 19:35:53 2012 us=266000   inetd = 0
Sun Jul 22 19:35:53 2012 us=266000   log = DISABLED
Sun Jul 22 19:35:53 2012 us=266000   suppress_timestamps = DISABLED
Sun Jul 22 19:35:53 2012 us=266000   nice = 0
Sun Jul 22 19:35:53 2012 us=266000   verbosity = 5
Sun Jul 22 19:35:53 2012 us=266000   mute = 0
Sun Jul 22 19:35:53 2012 us=266000   gremlin = 0
Sun Jul 22 19:35:53 2012 us=266000   status_file = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=266000   status_file_version = 1
Sun Jul 22 19:35:53 2012 us=266000   status_file_update_freq = 60
Sun Jul 22 19:35:53 2012 us=266000   occ = ENABLED
Sun Jul 22 19:35:53 2012 us=266000   rcvbuf = 0
Sun Jul 22 19:35:53 2012 us=266000   sndbuf = 0
Sun Jul 22 19:35:53 2012 us=266000   sockflags = 0
Sun Jul 22 19:35:53 2012 us=282000   fast_io = DISABLED
Sun Jul 22 19:35:53 2012 us=282000   lzo = 7
Sun Jul 22 19:35:53 2012 us=282000   route_script = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=282000   route_default_gateway = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=282000   route_default_metric = 0
Sun Jul 22 19:35:53 2012 us=282000   route_noexec = DISABLED
Sun Jul 22 19:35:53 2012 us=282000   route_delay = 5
Sun Jul 22 19:35:53 2012 us=282000   route_delay_window = 30
Sun Jul 22 19:35:53 2012 us=282000   route_delay_defined = ENABLED
Sun Jul 22 19:35:53 2012 us=282000   route_nopull = DISABLED
Sun Jul 22 19:35:53 2012 us=282000   route_gateway_via_dhcp = DISABLED
Sun Jul 22 19:35:53 2012 us=282000   max_routes = 100
Sun Jul 22 19:35:53 2012 us=282000   allow_pull_fqdn = DISABLED
Sun Jul 22 19:35:53 2012 us=282000   management_addr = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=282000   management_port = 0
Sun Jul 22 19:35:53 2012 us=282000   management_user_pass = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=298000   management_log_history_cache = 250
Sun Jul 22 19:35:53 2012 us=298000   management_echo_buffer_size = 100
Sun Jul 22 19:35:53 2012 us=298000   management_write_peer_info_file = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=298000   management_client_user = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=298000   management_client_group = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=298000   management_flags = 0
Sun Jul 22 19:35:53 2012 us=298000   shared_secret_file = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=298000   key_direction = 0
Sun Jul 22 19:35:53 2012 us=298000   ciphername_defined = ENABLED
Sun Jul 22 19:35:53 2012 us=298000   ciphername = 'AES-256-CBC'
Sun Jul 22 19:35:53 2012 us=298000   authname_defined = ENABLED
Sun Jul 22 19:35:53 2012 us=298000   authname = 'SHA1'
Sun Jul 22 19:35:53 2012 us=298000   prng_hash = 'SHA1'
Sun Jul 22 19:35:53 2012 us=298000   prng_nonce_secret_len = 16
Sun Jul 22 19:35:53 2012 us=298000   keysize = 0
Sun Jul 22 19:35:53 2012 us=313000   engine = DISABLED
Sun Jul 22 19:35:53 2012 us=313000   replay = ENABLED
Sun Jul 22 19:35:53 2012 us=313000   mute_replay_warnings = DISABLED
Sun Jul 22 19:35:53 2012 us=313000   replay_window = 64
Sun Jul 22 19:35:53 2012 us=313000   replay_time = 15
Sun Jul 22 19:35:53 2012 us=313000   packet_id_file = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=313000   use_iv = ENABLED
Sun Jul 22 19:35:53 2012 us=313000   test_crypto = DISABLED
Sun Jul 22 19:35:53 2012 us=313000   tls_server = DISABLED
Sun Jul 22 19:35:53 2012 us=313000   tls_client = ENABLED
Sun Jul 22 19:35:53 2012 us=313000   key_method = 2
Sun Jul 22 19:35:53 2012 us=313000   ca_file = 'ca.crt'
Sun Jul 22 19:35:53 2012 us=313000   ca_path = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=313000   dh_file = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=313000   cert_file = 'client2.crt'
Sun Jul 22 19:35:53 2012 us=313000   priv_key_file = 'client2.key'
Sun Jul 22 19:35:53 2012 us=313000   pkcs12_file = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=344000   cryptoapi_cert = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=344000   cipher_list = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=344000   tls_verify = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=344000   tls_export_cert = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=344000   tls_remote = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=344000   crl_file = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=344000   ns_cert_type = 64
Sun Jul 22 19:35:53 2012 us=344000   remote_cert_ku[i] = 0
Sun Jul 22 19:35:53 2012 us=344000   remote_cert_ku[i] = 0
Sun Jul 22 19:35:53 2012 us=344000   remote_cert_ku[i] = 0
Sun Jul 22 19:35:53 2012 us=344000   remote_cert_ku[i] = 0
Sun Jul 22 19:35:53 2012 us=344000   remote_cert_ku[i] = 0
Sun Jul 22 19:35:53 2012 us=344000   remote_cert_ku[i] = 0
Sun Jul 22 19:35:53 2012 us=344000   remote_cert_ku[i] = 0
Sun Jul 22 19:35:53 2012 us=344000   remote_cert_ku[i] = 0
Sun Jul 22 19:35:53 2012 us=344000   remote_cert_ku[i] = 0
Sun Jul 22 19:35:53 2012 us=360000   remote_cert_ku[i] = 0
Sun Jul 22 19:35:53 2012 us=360000   remote_cert_ku[i] = 0
Sun Jul 22 19:35:53 2012 us=360000   remote_cert_ku[i] = 0
Sun Jul 22 19:35:53 2012 us=360000   remote_cert_ku[i] = 0
Sun Jul 22 19:35:53 2012 us=360000   remote_cert_ku[i] = 0
Sun Jul 22 19:35:53 2012 us=360000   remote_cert_ku[i] = 0
Sun Jul 22 19:35:53 2012 us=360000   remote_cert_ku[i] = 0
Sun Jul 22 19:35:53 2012 us=360000   remote_cert_eku = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=360000   tls_timeout = 2
Sun Jul 22 19:35:53 2012 us=360000   renegotiate_bytes = 0
Sun Jul 22 19:35:53 2012 us=360000   renegotiate_packets = 0
Sun Jul 22 19:35:53 2012 us=360000   renegotiate_seconds = 3600
Sun Jul 22 19:35:53 2012 us=360000   handshake_window = 60
Sun Jul 22 19:35:53 2012 us=360000   transition_window = 3600
Sun Jul 22 19:35:53 2012 us=360000   single_session = DISABLED
Sun Jul 22 19:35:53 2012 us=360000   push_peer_info = DISABLED
Sun Jul 22 19:35:53 2012 us=360000   tls_exit = DISABLED
Sun Jul 22 19:35:53 2012 us=376000   tls_auth_file = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=376000   pkcs11_protected_authentication = DISABLED
Sun Jul 22 19:35:53 2012 us=376000   pkcs11_protected_authentication = DISABLED
Sun Jul 22 19:35:53 2012 us=376000   pkcs11_protected_authentication = DISABLED
Sun Jul 22 19:35:53 2012 us=376000   pkcs11_protected_authentication = DISABLED
Sun Jul 22 19:35:53 2012 us=376000   pkcs11_protected_authentication = DISABLED
Sun Jul 22 19:35:53 2012 us=376000   pkcs11_protected_authentication = DISABLED
Sun Jul 22 19:35:53 2012 us=376000   pkcs11_protected_authentication = DISABLED
Sun Jul 22 19:35:53 2012 us=376000   pkcs11_protected_authentication = DISABLED
Sun Jul 22 19:35:53 2012 us=376000   pkcs11_protected_authentication = DISABLED
Sun Jul 22 19:35:53 2012 us=376000   pkcs11_protected_authentication = DISABLED
Sun Jul 22 19:35:53 2012 us=376000   pkcs11_protected_authentication = DISABLED
Sun Jul 22 19:35:53 2012 us=376000   pkcs11_protected_authentication = DISABLED
Sun Jul 22 19:35:53 2012 us=407000   pkcs11_protected_authentication = DISABLED
Sun Jul 22 19:35:53 2012 us=407000   pkcs11_protected_authentication = DISABLED
Sun Jul 22 19:35:53 2012 us=407000   pkcs11_protected_authentication = DISABLED
Sun Jul 22 19:35:53 2012 us=407000   pkcs11_protected_authentication = DISABLED
Sun Jul 22 19:35:53 2012 us=407000   pkcs11_private_mode = 00000000
Sun Jul 22 19:35:53 2012 us=407000   pkcs11_private_mode = 00000000
Sun Jul 22 19:35:53 2012 us=407000   pkcs11_private_mode = 00000000
Sun Jul 22 19:35:53 2012 us=407000   pkcs11_private_mode = 00000000
Sun Jul 22 19:35:53 2012 us=407000   pkcs11_private_mode = 00000000
Sun Jul 22 19:35:53 2012 us=407000   pkcs11_private_mode = 00000000
Sun Jul 22 19:35:53 2012 us=407000   pkcs11_private_mode = 00000000
Sun Jul 22 19:35:53 2012 us=407000   pkcs11_private_mode = 00000000
Sun Jul 22 19:35:53 2012 us=407000   pkcs11_private_mode = 00000000
Sun Jul 22 19:35:53 2012 us=407000   pkcs11_private_mode = 00000000
Sun Jul 22 19:35:53 2012 us=438000   pkcs11_private_mode = 00000000
Sun Jul 22 19:35:53 2012 us=438000   pkcs11_private_mode = 00000000
Sun Jul 22 19:35:53 2012 us=438000   pkcs11_private_mode = 00000000
Sun Jul 22 19:35:53 2012 us=438000   pkcs11_private_mode = 00000000
Sun Jul 22 19:35:53 2012 us=438000   pkcs11_private_mode = 00000000
Sun Jul 22 19:35:53 2012 us=438000   pkcs11_private_mode = 00000000
Sun Jul 22 19:35:53 2012 us=438000   pkcs11_cert_private = DISABLED
Sun Jul 22 19:35:53 2012 us=438000   pkcs11_cert_private = DISABLED
Sun Jul 22 19:35:53 2012 us=438000   pkcs11_cert_private = DISABLED
Sun Jul 22 19:35:53 2012 us=438000   pkcs11_cert_private = DISABLED
Sun Jul 22 19:35:53 2012 us=438000   pkcs11_cert_private = DISABLED
Sun Jul 22 19:35:53 2012 us=438000   pkcs11_cert_private = DISABLED
Sun Jul 22 19:35:53 2012 us=438000   pkcs11_cert_private = DISABLED
Sun Jul 22 19:35:53 2012 us=438000   pkcs11_cert_private = DISABLED
Sun Jul 22 19:35:53 2012 us=469000   pkcs11_cert_private = DISABLED
Sun Jul 22 19:35:53 2012 us=469000   pkcs11_cert_private = DISABLED
Sun Jul 22 19:35:53 2012 us=469000   pkcs11_cert_private = DISABLED
Sun Jul 22 19:35:53 2012 us=469000   pkcs11_cert_private = DISABLED
Sun Jul 22 19:35:53 2012 us=469000   pkcs11_cert_private = DISABLED
Sun Jul 22 19:35:53 2012 us=469000   pkcs11_cert_private = DISABLED
Sun Jul 22 19:35:53 2012 us=469000   pkcs11_cert_private = DISABLED
Sun Jul 22 19:35:53 2012 us=469000   pkcs11_cert_private = DISABLED
Sun Jul 22 19:35:53 2012 us=469000   pkcs11_pin_cache_period = -1
Sun Jul 22 19:35:53 2012 us=469000   pkcs11_id = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=469000   pkcs11_id_management = DISABLED
Sun Jul 22 19:35:53 2012 us=469000   server_network = 0.0.0.0
Sun Jul 22 19:35:53 2012 us=469000   server_netmask = 0.0.0.0
Sun Jul 22 19:35:53 2012 us=469000   server_bridge_ip = 0.0.0.0
Sun Jul 22 19:35:53 2012 us=469000   server_bridge_netmask = 0.0.0.0
Sun Jul 22 19:35:53 2012 us=500000   server_bridge_pool_start = 0.0.0.0
Sun Jul 22 19:35:53 2012 us=500000   server_bridge_pool_end = 0.0.0.0
Sun Jul 22 19:35:53 2012 us=500000   ifconfig_pool_defined = DISABLED
Sun Jul 22 19:35:53 2012 us=500000   ifconfig_pool_start = 0.0.0.0
Sun Jul 22 19:35:53 2012 us=500000   ifconfig_pool_end = 0.0.0.0
Sun Jul 22 19:35:53 2012 us=500000   ifconfig_pool_netmask = 0.0.0.0
Sun Jul 22 19:35:53 2012 us=500000   ifconfig_pool_persist_filename = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=500000   ifconfig_pool_persist_refresh_freq = 600
Sun Jul 22 19:35:53 2012 us=500000   n_bcast_buf = 256
Sun Jul 22 19:35:53 2012 us=500000   tcp_queue_limit = 64
Sun Jul 22 19:35:53 2012 us=500000   real_hash_size = 256
Sun Jul 22 19:35:53 2012 us=500000   virtual_hash_size = 256
Sun Jul 22 19:35:53 2012 us=500000   client_connect_script = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=500000   learn_address_script = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=516000   client_disconnect_script = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=516000   client_config_dir = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=516000   ccd_exclusive = DISABLED
Sun Jul 22 19:35:53 2012 us=516000   tmp_dir = 'C:\Users\X\AppData\Local\Temp\'
Sun Jul 22 19:35:53 2012 us=516000   push_ifconfig_defined = DISABLED
Sun Jul 22 19:35:53 2012 us=516000   push_ifconfig_local = 0.0.0.0
Sun Jul 22 19:35:53 2012 us=516000   push_ifconfig_remote_netmask = 0.0.0.0
Sun Jul 22 19:35:53 2012 us=516000   enable_c2c = DISABLED
Sun Jul 22 19:35:53 2012 us=516000   duplicate_cn = DISABLED
Sun Jul 22 19:35:53 2012 us=516000   cf_max = 0
Sun Jul 22 19:35:53 2012 us=516000   cf_per = 0
Sun Jul 22 19:35:53 2012 us=516000   max_clients = 1024
Sun Jul 22 19:35:53 2012 us=516000   max_routes_per_client = 256
Sun Jul 22 19:35:53 2012 us=516000   auth_user_pass_verify_script = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=516000   auth_user_pass_verify_script_via_file = DISABLED
Sun Jul 22 19:35:53 2012 us=532000   ssl_flags = 0
Sun Jul 22 19:35:53 2012 us=532000   client = ENABLED
Sun Jul 22 19:35:53 2012 us=532000   pull = ENABLED
Sun Jul 22 19:35:53 2012 us=532000   auth_user_pass_file = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=532000   show_net_up = DISABLED
Sun Jul 22 19:35:53 2012 us=532000   route_method = 0
Sun Jul 22 19:35:53 2012 us=532000   ip_win32_defined = DISABLED
Sun Jul 22 19:35:53 2012 us=532000   ip_win32_type = 3
Sun Jul 22 19:35:53 2012 us=532000   dhcp_masq_offset = 0
Sun Jul 22 19:35:53 2012 us=532000   dhcp_lease_time = 31536000
Sun Jul 22 19:35:53 2012 us=532000   tap_sleep = 0
Sun Jul 22 19:35:53 2012 us=532000   dhcp_options = DISABLED
Sun Jul 22 19:35:53 2012 us=532000   dhcp_renew = DISABLED
Sun Jul 22 19:35:53 2012 us=532000   dhcp_pre_release = DISABLED
Sun Jul 22 19:35:53 2012 us=532000   dhcp_release = DISABLED
Sun Jul 22 19:35:53 2012 us=532000   domain = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=578000   netbios_scope = '[UNDEF]'
Sun Jul 22 19:35:53 2012 us=578000   netbios_node_type = 0
Sun Jul 22 19:35:53 2012 us=578000   disable_nbt = DISABLED
Sun Jul 22 19:35:53 2012 us=578000 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Sun Jul 22 19:35:53 2012 us=578000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Jul 22 19:35:55 2012 us=856000 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jul 22 19:35:55 2012 us=856000 LZO compression initialized
Sun Jul 22 19:35:55 2012 us=856000 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:10 ]
Sun Jul 22 19:35:55 2012 us=856000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jul 22 19:35:55 2012 us=856000 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:10 AF:3/1 ]
Sun Jul 22 19:35:55 2012 us=856000 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Sun Jul 22 19:35:55 2012 us=856000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Sun Jul 22 19:35:55 2012 us=856000 Local Options hash (VER=V4): '22188c5b'
Sun Jul 22 19:35:55 2012 us=856000 Expected Remote Options hash (VER=V4): 'a8f55717'
Sun Jul 22 19:35:55 2012 us=856000 Attempting to establish TCP connection with XXX.XXX.XXX.XXX:1194
Sun Jul 22 19:35:57 2012 us=57000 TCP: connect to XXX.XXX.XXX.XXX:1194 failed, will try again in 5 seconds: Connection refused (WSAECONNREFUSED)
Last edited by bretsie on Mon Jul 23, 2012 2:43 pm, edited 1 time in total.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Correct Way to Change Client Certificates? And Manage?

Post by maikcat » Mon Jul 23, 2012 1:39 pm

Sun Jul 22 19:35:57 2012 us=57000 TCP: connect to 173.254.244.148:1194 failed, will try again in 5 seconds: Connection refused (WSAECONNREFUSED)
The above message is clear..

Something is blocking the OpenVPN server (firewall on the server itself or on the router, or NAT on the router not enabled)?

Please check it and, when it connects, post the client & server logs.

Michael.

bretsie
OpenVpn Newbie
Posts: 10
Joined: Thu Jul 19, 2012 3:21 pm

Re: Correct Way to Change Client Certificates? And Manage?

Post by bretsie » Mon Jul 23, 2012 2:35 pm

The fix for this was that when I edited my client.conf, it wasn't actually updating in the OpenVPN client. It was still reading settings from an old config.

I fixed it by renaming my client.conf and removing the profile, then re-adding it. Weirdly enough, it worked; this was also the problem when I was changing my cipher to AES-256-CBC: it was saving for the default BF-128 cipher. So this little weird thing fixed a lot of problems for me.

But now I am trying to harden my server against attacks or whatever it may be. Reading the documentation, it says 'tls-auth' is highly recommended. So when I went ahead and tried it, I ran into the following problem.

Code:

Mon Jul 23 09:28:05 2012 us=786000 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jul 23 09:28:05 2012 us=786000 TLS Error: TLS handshake failed
Mon Jul 23 09:28:05 2012 us=786000 TCP/UDP: Closing socket
Mon Jul 23 09:28:05 2012 us=786000 SIGUSR1[soft,tls-error] received, process restarting
Mon Jul 23 09:28:05 2012 us=786000 MANAGEMENT: >STATE:1343053685,RECONNECTING,tls-error,,

Code:

Mon Jul 23 09:26:59 2012 us=688000 Note: option http-proxy-fallback ignored because no TCP-based connection profiles are defined
Mon Jul 23 09:26:59 2012 us=688000 Current Parameter Settings:
Mon Jul 23 09:26:59 2012 us=688000   config = 'stdin'
Mon Jul 23 09:26:59 2012 us=688000   mode = 0
Mon Jul 23 09:26:59 2012 us=688000   show_ciphers = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   show_digests = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   show_engines = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   genkey = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   key_pass_file = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   show_tls_ciphers = DISABLED
Mon Jul 23 09:26:59 2012 us=688000 Connection profiles [default]:
Mon Jul 23 09:26:59 2012 us=688000   proto = udp
Mon Jul 23 09:26:59 2012 us=688000   local = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   local_port = 1194
Mon Jul 23 09:26:59 2012 us=688000   remote = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   remote_port = 1194
Mon Jul 23 09:26:59 2012 us=688000   remote_float = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   bind_defined = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   bind_local = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   connect_retry_seconds = 5
Mon Jul 23 09:26:59 2012 us=688000   connect_timeout = 10
Mon Jul 23 09:26:59 2012 us=688000   connect_retry_max = 0
Mon Jul 23 09:26:59 2012 us=688000   socks_proxy_server = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   socks_proxy_port = 0
Mon Jul 23 09:26:59 2012 us=688000   socks_proxy_retry = DISABLED
Mon Jul 23 09:26:59 2012 us=688000 Connection profiles [0]:
Mon Jul 23 09:26:59 2012 us=688000   proto = udp
Mon Jul 23 09:26:59 2012 us=688000   local = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   local_port = 0
Mon Jul 23 09:26:59 2012 us=688000   remote = 'XXX.XXX.XXX.XXX'
Mon Jul 23 09:26:59 2012 us=688000   remote_port = 1194
Mon Jul 23 09:26:59 2012 us=688000   remote_float = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   bind_defined = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   bind_local = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   connect_retry_seconds = 5
Mon Jul 23 09:26:59 2012 us=688000   connect_timeout = 10
Mon Jul 23 09:26:59 2012 us=688000   connect_retry_max = 0
Mon Jul 23 09:26:59 2012 us=688000   socks_proxy_server = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   socks_proxy_port = 0
Mon Jul 23 09:26:59 2012 us=688000   socks_proxy_retry = DISABLED
Mon Jul 23 09:26:59 2012 us=688000 Connection profiles END
Mon Jul 23 09:26:59 2012 us=688000   remote_random = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   ipchange = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   dev = 'tun'
Mon Jul 23 09:26:59 2012 us=688000   dev_type = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   dev_node = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   lladdr = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   topology = 1
Mon Jul 23 09:26:59 2012 us=688000   tun_ipv6 = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   ifconfig_local = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   ifconfig_remote_netmask = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   ifconfig_noexec = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   ifconfig_nowarn = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   shaper = 0
Mon Jul 23 09:26:59 2012 us=688000   tun_mtu = 1500
Mon Jul 23 09:26:59 2012 us=688000   tun_mtu_defined = ENABLED
Mon Jul 23 09:26:59 2012 us=688000   link_mtu = 1500
Mon Jul 23 09:26:59 2012 us=688000   link_mtu_defined = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   tun_mtu_extra = 0
Mon Jul 23 09:26:59 2012 us=688000   tun_mtu_extra_defined = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   fragment = 0
Mon Jul 23 09:26:59 2012 us=688000   mtu_discover_type = -1
Mon Jul 23 09:26:59 2012 us=688000   mtu_test = 0
Mon Jul 23 09:26:59 2012 us=688000   mlock = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   keepalive_ping = 0
Mon Jul 23 09:26:59 2012 us=688000   keepalive_timeout = 0
Mon Jul 23 09:26:59 2012 us=688000   inactivity_timeout = 0
Mon Jul 23 09:26:59 2012 us=688000   ping_send_timeout = 0
Mon Jul 23 09:26:59 2012 us=688000   ping_rec_timeout = 0
Mon Jul 23 09:26:59 2012 us=688000   ping_rec_timeout_action = 0
Mon Jul 23 09:26:59 2012 us=688000   ping_timer_remote = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   remap_sigusr1 = 0
Mon Jul 23 09:26:59 2012 us=688000   explicit_exit_notification = 0
Mon Jul 23 09:26:59 2012 us=688000   persist_tun = ENABLED
Mon Jul 23 09:26:59 2012 us=688000   persist_local_ip = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   persist_remote_ip = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   persist_key = ENABLED
Mon Jul 23 09:26:59 2012 us=688000   mssfix = 1450
Mon Jul 23 09:26:59 2012 us=688000   resolve_retry_seconds = 1000000000
Mon Jul 23 09:26:59 2012 us=688000   username = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   groupname = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   chroot_dir = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   cd_dir = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   writepid = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   up_script = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   down_script = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   down_pre = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   up_restart = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   up_delay = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   daemon = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   inetd = 0
Mon Jul 23 09:26:59 2012 us=688000   log = ENABLED
Mon Jul 23 09:26:59 2012 us=688000   suppress_timestamps = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   nice = 0
Mon Jul 23 09:26:59 2012 us=688000   verbosity = 5
Mon Jul 23 09:26:59 2012 us=688000   mute = 0
Mon Jul 23 09:26:59 2012 us=688000   gremlin = 0
Mon Jul 23 09:26:59 2012 us=688000   status_file = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   status_file_version = 1
Mon Jul 23 09:26:59 2012 us=688000   status_file_update_freq = 60
Mon Jul 23 09:26:59 2012 us=688000   occ = ENABLED
Mon Jul 23 09:26:59 2012 us=688000   rcvbuf = 0
Mon Jul 23 09:26:59 2012 us=688000   sndbuf = 0
Mon Jul 23 09:26:59 2012 us=688000   sockflags = 0
Mon Jul 23 09:26:59 2012 us=688000   fast_io = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   lzo = 7
Mon Jul 23 09:26:59 2012 us=688000   route_script = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   route_default_gateway = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   route_default_metric = 0
Mon Jul 23 09:26:59 2012 us=688000   route_noexec = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   route_delay = 5
Mon Jul 23 09:26:59 2012 us=688000   route_delay_window = 30
Mon Jul 23 09:26:59 2012 us=688000   route_delay_defined = ENABLED
Mon Jul 23 09:26:59 2012 us=688000   route_nopull = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   route_gateway_via_dhcp = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   max_routes = 100
Mon Jul 23 09:26:59 2012 us=688000   allow_pull_fqdn = ENABLED
Mon Jul 23 09:26:59 2012 us=688000   management_addr = '127.0.0.1'
Mon Jul 23 09:26:59 2012 us=688000   management_port = 37695
Mon Jul 23 09:26:59 2012 us=688000   management_user_pass = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   management_log_history_cache = 250
Mon Jul 23 09:26:59 2012 us=688000   management_echo_buffer_size = 100
Mon Jul 23 09:26:59 2012 us=688000   management_write_peer_info_file = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   management_client_user = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   management_client_group = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   management_flags = 38
Mon Jul 23 09:26:59 2012 us=688000   shared_secret_file = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   key_direction = 0
Mon Jul 23 09:26:59 2012 us=688000   ciphername_defined = ENABLED
Mon Jul 23 09:26:59 2012 us=688000   ciphername = 'AES-256-CBC'
Mon Jul 23 09:26:59 2012 us=688000   authname_defined = ENABLED
Mon Jul 23 09:26:59 2012 us=688000   authname = 'SHA1'
Mon Jul 23 09:26:59 2012 us=688000   prng_hash = 'SHA1'
Mon Jul 23 09:26:59 2012 us=688000   prng_nonce_secret_len = 16
Mon Jul 23 09:26:59 2012 us=688000   keysize = 0
Mon Jul 23 09:26:59 2012 us=688000   engine = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   replay = ENABLED
Mon Jul 23 09:26:59 2012 us=688000   mute_replay_warnings = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   replay_window = 64
Mon Jul 23 09:26:59 2012 us=688000   replay_time = 15
Mon Jul 23 09:26:59 2012 us=688000   packet_id_file = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   use_iv = ENABLED
Mon Jul 23 09:26:59 2012 us=688000   test_crypto = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   tls_server = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   tls_client = ENABLED
Mon Jul 23 09:26:59 2012 us=688000   key_method = 2
Mon Jul 23 09:26:59 2012 us=688000   ca_file = '[[INLINE]]'
Mon Jul 23 09:26:59 2012 us=688000   ca_path = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   dh_file = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   cert_file = '[[INLINE]]'
Mon Jul 23 09:26:59 2012 us=688000   priv_key_file = '[[INLINE]]'
Mon Jul 23 09:26:59 2012 us=688000   pkcs12_file = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   cryptoapi_cert = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   cipher_list = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   tls_verify = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   tls_remote = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   crl_file = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   ns_cert_type = 64
Mon Jul 23 09:26:59 2012 us=688000   remote_cert_ku[i] = 0
Mon Jul 23 09:26:59 2012 us=688000   remote_cert_ku[i] = 0
Mon Jul 23 09:26:59 2012 us=688000   remote_cert_ku[i] = 0
Mon Jul 23 09:26:59 2012 us=688000   remote_cert_ku[i] = 0
Mon Jul 23 09:26:59 2012 us=688000   remote_cert_ku[i] = 0
Mon Jul 23 09:26:59 2012 us=688000   remote_cert_ku[i] = 0
Mon Jul 23 09:26:59 2012 us=688000   remote_cert_ku[i] = 0
Mon Jul 23 09:26:59 2012 us=688000   remote_cert_ku[i] = 0
Mon Jul 23 09:26:59 2012 us=688000   remote_cert_ku[i] = 0
Mon Jul 23 09:26:59 2012 us=688000   remote_cert_ku[i] = 0
Mon Jul 23 09:26:59 2012 us=688000   remote_cert_ku[i] = 0
Mon Jul 23 09:26:59 2012 us=688000   remote_cert_ku[i] = 0
Mon Jul 23 09:26:59 2012 us=688000   remote_cert_ku[i] = 0
Mon Jul 23 09:26:59 2012 us=688000   remote_cert_ku[i] = 0
Mon Jul 23 09:26:59 2012 us=688000   remote_cert_ku[i] = 0
Mon Jul 23 09:26:59 2012 us=688000   remote_cert_ku[i] = 0
Mon Jul 23 09:26:59 2012 us=688000   remote_cert_eku = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   tls_timeout = 2
Mon Jul 23 09:26:59 2012 us=688000   renegotiate_bytes = 0
Mon Jul 23 09:26:59 2012 us=688000   renegotiate_packets = 0
Mon Jul 23 09:26:59 2012 us=688000   renegotiate_seconds = 3600
Mon Jul 23 09:26:59 2012 us=688000   handshake_window = 60
Mon Jul 23 09:26:59 2012 us=688000   transition_window = 3600
Mon Jul 23 09:26:59 2012 us=688000   single_session = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   push_peer_info = ENABLED
Mon Jul 23 09:26:59 2012 us=688000   tls_exit = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   tls_auth_file = '[[INLINE]]'
Mon Jul 23 09:26:59 2012 us=688000   client = ENABLED
Mon Jul 23 09:26:59 2012 us=688000   pull = ENABLED
Mon Jul 23 09:26:59 2012 us=688000   auth_user_pass_file = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   show_net_up = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   route_method = 0
Mon Jul 23 09:26:59 2012 us=688000   ip_win32_defined = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   ip_win32_type = 3
Mon Jul 23 09:26:59 2012 us=688000   dhcp_masq_offset = 0
Mon Jul 23 09:26:59 2012 us=688000   dhcp_lease_time = 31536000
Mon Jul 23 09:26:59 2012 us=688000   tap_sleep = 0
Mon Jul 23 09:26:59 2012 us=688000   dhcp_options = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   dhcp_renew = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   dhcp_pre_release = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   dhcp_release = DISABLED
Mon Jul 23 09:26:59 2012 us=688000   domain = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   netbios_scope = '[UNDEF]'
Mon Jul 23 09:26:59 2012 us=688000   netbios_node_type = 0
Mon Jul 23 09:26:59 2012 us=688000   disable_nbt = DISABLED
Mon Jul 23 09:26:59 2012 us=688000 OpenVPNAS 2.1.1oOAS Win32-MSVC++ [SSL] [LZO2] built on Jul 29 2010
Mon Jul 23 09:26:59 2012 us=688000 MANAGEMENT: Connected to management server at 127.0.0.1:37695
Mon Jul 23 09:26:59 2012 us=688000 MANAGEMENT: CMD 'log on'
Mon Jul 23 09:26:59 2012 us=688000 MANAGEMENT: CMD 'state on'
Mon Jul 23 09:26:59 2012 us=688000 MANAGEMENT: CMD 'echo on'
Mon Jul 23 09:26:59 2012 us=688000 MANAGEMENT: CMD 'bytecount 5'
Mon Jul 23 09:26:59 2012 us=688000 MANAGEMENT: CMD 'hold off'
Mon Jul 23 09:26:59 2012 us=688000 MANAGEMENT: CMD 'hold release'
Mon Jul 23 09:26:59 2012 us=688000 NOTE: OpenVPNAS 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Jul 23 09:27:05 2012 us=210000 MANAGEMENT: CMD 'username "Private Key" "client1"'
Mon Jul 23 09:27:05 2012 us=210000 MANAGEMENT: CMD 'password [...]'
Mon Jul 23 09:27:05 2012 us=210000 Control Channel Authentication: tls-auth using INLINE static key file
Mon Jul 23 09:27:05 2012 us=210000 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 23 09:27:05 2012 us=210000 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 23 09:27:05 2012 us=210000 LZO compression initialized
Mon Jul 23 09:27:05 2012 us=210000 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Jul 23 09:27:05 2012 us=226000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Jul 23 09:27:05 2012 us=226000 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jul 23 09:27:05 2012 us=226000 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Mon Jul 23 09:27:05 2012 us=226000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Mon Jul 23 09:27:05 2012 us=226000 Local Options hash (VER=V4): '5b243d85'
Mon Jul 23 09:27:05 2012 us=226000 Expected Remote Options hash (VER=V4): '0b024030'
Mon Jul 23 09:27:05 2012 us=226000 UDPv4 link local: [undef]
Mon Jul 23 09:27:05 2012 us=226000 UDPv4 link remote: XXX.XXX.XXX.XXX:1194
Mon Jul 23 09:27:05 2012 us=226000 MANAGEMENT: >STATE:1343053625,WAIT,,,
Mon Jul 23 09:28:05 2012 us=786000 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jul 23 09:28:05 2012 us=786000 TLS Error: TLS handshake failed
Mon Jul 23 09:28:05 2012 us=786000 TCP/UDP: Closing socket
Mon Jul 23 09:28:05 2012 us=786000 SIGUSR1[soft,tls-error] received, process restarting
Mon Jul 23 09:28:05 2012 us=786000 MANAGEMENT: >STATE:1343053685,RECONNECTING,tls-error,,
Mon Jul 23 09:28:05 2012 us=786000 Restart pause, 2 second(s)
Mon Jul 23 09:28:07 2012 us=782000 NOTE: OpenVPNAS 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Jul 23 09:28:07 2012 us=782000 Re-using SSL/TLS context
Mon Jul 23 09:28:07 2012 us=782000 LZO compression initialized
Mon Jul 23 09:28:07 2012 us=782000 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Jul 23 09:28:07 2012 us=782000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Jul 23 09:28:07 2012 us=782000 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jul 23 09:28:07 2012 us=782000 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Mon Jul 23 09:28:07 2012 us=782000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Mon Jul 23 09:28:07 2012 us=782000 Local Options hash (VER=V4): '5b243d85'
Mon Jul 23 09:28:07 2012 us=782000 Expected Remote Options hash (VER=V4): '0b024030'
Mon Jul 23 09:28:07 2012 us=782000 UDPv4 link local: [undef]
Mon Jul 23 09:28:07 2012 us=782000 UDPv4 link remote: XXX.XXX.XXX.XXX:1194
Mon Jul 23 09:28:07 2012 us=782000 MANAGEMENT: >STATE:1343053687,WAIT,,,
server.conf

Code:

push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
# 1024-bit DH parameters; build-dh writes dh2048.pem instead when KEY_SIZE=2048 is set in vars
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
# direction 0 on the server; every client must use the same ta.key with direction 1
tls-auth ta.key 0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
# no user/group directives, so the daemon keeps root after startup
# verb 0 logs nothing but fatal errors, so HMAC/TLS failures from misconfigured
# clients never appear here; use verb 3 while troubleshooting
verb 0
client.conf

Code:

client
dev tun
proto udp
remote XXX.XXX.XXX.XXX 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
# only accept a server certificate built with build-key-server (nsCertType=server)
ns-cert-type server
# same ta.key as the server, opposite direction
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 5
My server has pretty good specs; it shouldn't be too slow for such a thing. From the research I have been trying to do, it seems to have something to do with my TCP configuration, or does tls-auth require it? I checked with my server administration and they say there are no firewalls or anything blocking anything.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: edit : tls-auth , server hardening error

Post by maikcat » Tue Jul 24, 2012 8:13 am

hi there,

From the research I have been trying to do, it seems to have something to do with my TCP configuration, or tls-auth requires it?

tls-auth works with both TCP and UDP configs.

check your firewalls...

Just to add that I have noticed that errors like this (TLS negotiation failed etc.)
have also appeared to me on working installations, and a simple router restart (here in Greece we have ADSL)
fixed the problem... :?

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"
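
A check worth running before assuming a firewall: with tls-auth enabled, the server verifies an HMAC on every control-channel packet and drops, without any reply, anything that fails. A client whose ta.key differs from the server's copy (for example because the key was regenerated on one side), whose key-direction is wrong (both sides 0, or both 1), or whose key file was corrupted in transfer therefore sees exactly the symptom in the log above, "TLS key negotiation failed to occur within 60 seconds", and cannot tell it apart from a dropped UDP port. The server would log the HMAC failures, but the posted server.conf runs with verb 0, which shows only fatal errors. The script below is an added example, not from the thread or the OpenVPN project; it needs POSIX tools plus sha256sum (or shasum), and the key file and configs it builds under $WORK are constructed samples, not real key material. It compares the fingerprint of the key material on both sides (ignoring comments and line endings, so a copy pasted on Windows still matches), validates the V1 static-key format, and checks that the server and client directions pair up.

```shell
#!/bin/sh
# Added example, not from the original thread: check a tls-auth pairing before
# blaming the network. Needs POSIX tools plus sha256sum (coreutils) or
# "shasum -a 256". Everything written under $WORK is a constructed sample.

# Hash the key material only (CRs, comment lines and the BEGIN/END armour
# removed) so copies that differ in comments or line endings compare equal.
key_fingerprint() {
    tr -d '\r' < "$1" \
      | sed -n '/^-----BEGIN OpenVPN Static key V1-----$/,/^-----END OpenVPN Static key V1-----$/p' \
      | grep -v '^-----' | grep -v '^#' | tr -d ' \t\n' \
      | { if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi; } \
      | cut -c1-16
}

# A V1 static key is 2048 bits: exactly 16 lines of 32 hex digits.
static_key_valid() {
    body=$(tr -d '\r' < "$1" \
      | sed -n '/^-----BEGIN OpenVPN Static key V1-----$/,/^-----END OpenVPN Static key V1-----$/p' \
      | grep -v '^-----' | grep -v '^#')
    [ -n "$body" ] || return 1
    printf '%s\n' "$body" | grep -qvE '^[0-9a-fA-F]{32}$' && return 1
    [ "$(printf '%s\n' "$body" | wc -l | tr -d ' ')" -eq 16 ]
}

# Print the direction a config uses: 0, 1, "bidir" (tls-auth without a
# direction, or an inline <tls-auth> block without key-direction) or "none".
tls_auth_direction() {
    cfg=$(tr -d '\r' < "$1")
    line=$(printf '%s\n' "$cfg" | grep -E '^[[:space:]]*tls-auth[[:space:]]' | head -n 1)
    if [ -n "$line" ]; then
        dir=$(printf '%s\n' "$line" | awk '{print $3}')
    elif printf '%s\n' "$cfg" | grep -q '^[[:space:]]*<tls-auth>'; then
        dir=$(printf '%s\n' "$cfg" | grep -E '^[[:space:]]*key-direction[[:space:]]' | head -n 1 | awk '{print $2}')
    else
        echo none; return 0
    fi
    [ -n "$dir" ] && echo "$dir" || echo bidir
}

# Server and client must agree: server 0 / client 1, or both bidirectional.
# Otherwise the server's HMAC check fails and the packet is dropped silently.
tls_auth_consistent() {
    s=$(tls_auth_direction "$1"); c=$(tls_auth_direction "$2")
    case "$s/$c" in
        0/1|bidir/bidir) echo "tls-auth direction ok (server=$s client=$c)"; return 0 ;;
        *) echo "tls-auth direction mismatch (server=$s client=$c)"; return 1 ;;
    esac
}

# Full check of one client against the server; any finding returns 1.
tls_auth_check() {   # $1 server conf, $2 server ta.key, $3 client conf, $4 client ta.key
    ok=0
    static_key_valid "$2" || { echo "server key $2 is not a valid V1 static key"; ok=1; }
    static_key_valid "$4" || { echo "client key $4 is not a valid V1 static key"; ok=1; }
    if [ "$(key_fingerprint "$2")" = "$(key_fingerprint "$4")" ]; then
        echo "ta.key fingerprint matches ($(key_fingerprint "$2"))"
    else
        echo "ta.key fingerprint differs: server $(key_fingerprint "$2") client $(key_fingerprint "$4")"; ok=1
    fi
    tls_auth_consistent "$1" "$3" || ok=1
    return "$ok"
}

# Constructed sample key: $2 is one hex digit that varies the material.
make_sample_key() {
    {
        printf '#\n# 2048 bit OpenVPN static key (constructed sample, not a real key)\n#\n'
        echo '-----BEGIN OpenVPN Static key V1-----'
        i=0
        while [ "$i" -lt 16 ]; do
            printf '%s0123456789abcdef0123456789abcde\n' "$2"; i=$((i + 1))
        done
        echo '-----END OpenVPN Static key V1-----'
    } > "$1"
}

WORK=$(mktemp -d)
make_sample_key "$WORK/ta.key" a
awk '{ printf "%s\r\n", $0 }' "$WORK/ta.key" > "$WORK/ta-crlf.key"   # same key, Windows line endings
make_sample_key "$WORK/ta-other.key" b                                # key regenerated on one side
printf 'port 1194\nproto udp\ntls-auth ta.key 0\nverb 0\n' > "$WORK/server.conf"
printf 'client\nremote 203.0.113.10 1194\ntls-auth ta.key 1\n' > "$WORK/client.conf"
printf 'client\nremote 203.0.113.10 1194\ntls-auth ta.key 0\n' > "$WORK/client-wrongdir.conf"

echo "--- correct pairing (CRLF copy of the same key)"
tls_auth_check "$WORK/server.conf" "$WORK/ta.key" "$WORK/client.conf" "$WORK/ta-crlf.key" || true
echo "--- key regenerated on the client"
tls_auth_check "$WORK/server.conf" "$WORK/ta.key" "$WORK/client.conf" "$WORK/ta-other.key" || true
echo "--- wrong direction on the client"
tls_auth_check "$WORK/server.conf" "$WORK/ta.key" "$WORK/client-wrongdir.conf" "$WORK/ta.key" || true
```

In practice you would call tls_auth_check on the server with the server's own ta.key and config and a copy of the client's ta.key and .ovpn (the 203.0.113.10 address is a documentation placeholder). If both checks pass and the handshake still times out, raise the server to verb 3 and watch for HMAC or TLS errors from the client's address: their absence means the packets never reached the daemon, which is the firewall or routing case; their presence means the key material still differs from what the client actually loads.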

bretsie
OpenVpn Newbie
Posts: 10
Joined: Thu Jul 19, 2012 3:21 pm

Re: edit : tls-auth , server hardening error

Post by bretsie » Tue Jul 24, 2012 5:20 pm

I don't understand what I or my VPS host would have to do to fix the "router" problem, when the problem wouldn't be on my end, nor in the VPS settings. I don't know exactly what to try to fix this problem.
