I have a working OpenVPN server and 2 working clients.
I am trying to add a new client, and it fails with a self-signed certificate error.
The client log is:
2021-09-16 23:55:03 OpenVPN 2.5.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 17 2021
2021-09-16 23:55:03 Windows version 10.0 (Windows 10 or greater) 64bit
2021-09-16 23:55:03 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
Enter Management Password:
2021-09-16 23:55:03 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
2021-09-16 23:55:03 Need hold release from management interface, waiting...
2021-09-16 23:55:04 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
2021-09-16 23:55:04 MANAGEMENT: CMD 'state on'
2021-09-16 23:55:04 MANAGEMENT: CMD 'log all on'
2021-09-16 23:55:04 MANAGEMENT: CMD 'echo all on'
2021-09-16 23:55:04 MANAGEMENT: CMD 'bytecount 5'
2021-09-16 23:55:04 MANAGEMENT: CMD 'hold off'
2021-09-16 23:55:04 MANAGEMENT: CMD 'hold release'
2021-09-16 23:55:04 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-09-16 23:55:04 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-09-16 23:55:04 MANAGEMENT: >STATE:1631825704,RESOLVE,,,,,,
2021-09-16 23:55:04 TCP/UDP: Preserving recently used remote address: [AF_INET]94.64.21.191:1194
2021-09-16 23:55:04 Socket Buffers: R=[65536->65536] S=[65536->65536]
2021-09-16 23:55:04 UDP link local (bound): [AF_INET][undef]:1194
2021-09-16 23:55:04 UDP link remote: [AF_INET]94.64.21.191:1194
2021-09-16 23:55:04 MANAGEMENT: >STATE:1631825704,WAIT,,,,,,
2021-09-16 23:55:04 MANAGEMENT: >STATE:1631825704,AUTH,,,,,,
2021-09-16 23:55:04 TLS: Initial packet from [AF_INET]94.64.21.191:1194, sid=dccc7737 35dbc0c1
2021-09-16 23:55:04 VERIFY ERROR: depth=0, error=self signed certificate: C=GR, ST=Ελλάδα (Greece), L=Λάρισα (Larissa), O=Γκέσος Παύλος (Gkesos Pavlos), CN=Γκέσος Παύλος (Gkesos Pavlos), emailAddress=gessos.paul@gmail.com, serial=1
2021-09-16 23:55:04 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-09-16 23:55:04 TLS_ERROR: BIO read tls_read_plaintext error
2021-09-16 23:55:04 TLS Error: TLS object -> incoming plaintext read error
2021-09-16 23:55:04 TLS Error: TLS handshake failed
2021-09-16 23:55:04 SIGUSR1[soft,tls-error] received, process restarting
2021-09-16 23:55:04 MANAGEMENT: >STATE:1631825704,RECONNECTING,tls-error,,,,,
2021-09-16 23:55:04 Restart pause, 5 second(s)
2021-09-16 23:55:08 SIGTERM[hard,init_instance] received, process exiting
2021-09-16 23:55:08 MANAGEMENT: >STATE:1631825708,EXITING,init_instance,,,,,
Also, some console commands give these results:
root@ODROID-HC2:~/cert/openvpn# cat ca.crt | openssl x509 -noout -enddate
notAfter=Apr 5 18:04:05 2120 GMT
root@ODROID-HC2:~/cert/openvpn# openssl verify -verbose -CAfile ca.crt server.crt
server.crt: OK
root@ODROID-HC2:~/cert/openvpn# openssl verify -verbose -CAfile ca.crt pavlos.crt
pavlos.crt: OK
Also, the server's /var/log/syslog gives:
Sep 17 00:18:11 ODROID-HC2 ovpn-server[363]: MULTI: multi_create_instance called
Sep 17 00:18:11 ODROID-HC2 ovpn-server[363]: 10.0.0.1:1194 Re-using SSL/TLS context
Sep 17 00:18:11 ODROID-HC2 ovpn-server[363]: 10.0.0.1:1194 Control Channel MTU parms [ L:1653 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sep 17 00:18:11 ODROID-HC2 ovpn-server[363]: 10.0.0.1:1194 Data Channel MTU parms [ L:1653 D:1450 EF:121 EB:411 ET:32 EL:3 ]
Sep 17 00:18:11 ODROID-HC2 ovpn-server[363]: 10.0.0.1:1194 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1581,tun-mtu 1532,proto UDPv4,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
Sep 17 00:18:11 ODROID-HC2 ovpn-server[363]: 10.0.0.1:1194 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1581,tun-mtu 1532,proto UDPv4,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
Sep 17 00:18:11 ODROID-HC2 ovpn-server[363]: 10.0.0.1:1194 TLS: Initial packet from [AF_INET]10.0.0.1:1194, sid=5aa55dff f6a54fe3
What is happening here?
PS: Using the config with inline certs from one working client on the new client DOES NOT WORK!!!
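The "VERIFY ERROR: depth=0, error=self signed certificate" line in the client log is OpenSSL's X509 error 18: the certificate at depth 0 (the one the peer actually sent) is self-signed and is not itself in the client's trust store. The server-side "server.crt: OK" checks only prove that server.crt chains to ca.crt on the server box; they say nothing about which certificate reaches the client or which CA the client's config embeds. The script below is an added example, not code from the post above; it builds a throwaway PKI with the openssl CLI (assumed on PATH, 1.1.1 or 3.x), reproduces the error 18 condition, and shows the three checks worth running on the real files: chain validation as OpenVPN performs it, issuer-vs-CA-subject comparison, and a fingerprint comparison of the <ca> block inside an inline .ovpn against the server's ca.crt. The names "Example VPN CA", "vpn.example" and client.ovpn are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original forum post). Reproduces OpenSSL error 18
# ("self signed certificate" at depth 0) and shows the checks that separate
# "cert signed by my CA", "cert IS my CA" and "cert signed by nobody I trust".
# Assumes the openssl CLI is available. All key material is generated into a
# temp dir and thrown away; nothing here is real.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Tiny PKI: a CA, a server cert issued by that CA, and a separate self-signed
# cert with the same CN that was never signed by the CA (the "rogue" case).
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Example VPN CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" -subj "/CN=vpn.example" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" -subj "/CN=vpn.example" >/dev/null 2>&1
}

# Chain-validate CERT ($2) with CA ($1) as the only trusted root. This is the
# same validation OpenVPN's --ca performs on whatever certificate the peer
# presents. Prints "OK" or the "error N at D depth lookup: ..." line, whose
# depth and reason match OpenVPN's "VERIFY ERROR: depth=D, error=...".
verify_status() {
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
    echo OK
  else
    echo "$out" | grep 'depth lookup' | head -n 1
  fi
}

# Issuer of a cert and subject of a CA, for a direct "who signed this?" check.
cert_issuer()  { openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer=//'; }
cert_subject() { openssl x509 -noout -subject -in "$1" | sed 's/^subject=//'; }

# SHA-256 fingerprint of a CA file, and of the <ca>...</ca> block embedded in an
# inline .ovpn, so the client's trust anchor can be compared to the server's.
ca_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}
inline_ca_fingerprint() {
  sed -n '/^<ca>$/,/^<\/ca>$/p' "$1" | sed '1d;$d' \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Demo run: constructed inputs only.
make_test_pki
printf '<ca>\n%s\n</ca>\n' "$(cat "$WORK/ca.crt")" > "$WORK/client.ovpn"

echo "server.crt vs ca.crt : $(verify_status "$WORK/ca.crt" "$WORK/server.crt")"  # OK
echo "ca.crt vs ca.crt     : $(verify_status "$WORK/ca.crt" "$WORK/ca.crt")"      # OK: self-signed but trusted
echo "rogue.crt vs ca.crt  : $(verify_status "$WORK/ca.crt" "$WORK/rogue.crt")"   # error 18 at 0 depth
echo "rogue.crt issuer     : $(cert_issuer "$WORK/rogue.crt")"
echo "ca.crt subject       : $(cert_subject "$WORK/ca.crt")"
echo "inline <ca> sha256   : $(inline_ca_fingerprint "$WORK/client.ovpn")"
echo "ca.crt sha256        : $(ca_fingerprint "$WORK/ca.crt")"
```

On a real deployment the interesting comparisons are `verify_status ca.crt server.crt` run with the client's copy of ca.crt (or its extracted <ca> block), and the two fingerprints: if the inline <ca> in the new client's .ovpn does not fingerprint the same as the CA that signed server.crt, the client will report exactly this depth=0 error even though every file on the server validates.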