Koozali.org: home of the SME Server

openvpn can't connect TLS_ERROR

Offline globalsi

openvpn can't connect TLS_ERROR
« on: November 19, 2014, 01:19:57 PM »
Hi,

I've installed OpenVPN on a SME8.1 following http://wiki.contribs.org/OpenVPN
When I try to connect a client (Windows 7), I've got this:

Quote
Wed Nov 19 13:15:36 2014 us=765000 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov  8 2010
Enter Auth Username:myuser
Enter Auth Password:
Wed Nov 19 13:15:48 2014 us=500000 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Nov 19 13:15:48 2014 us=500000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Nov 19 13:15:48 2014 us=609000 LZO compression initialized
Wed Nov 19 13:15:48 2014 us=609000 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Nov 19 13:15:48 2014 us=609000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Nov 19 13:15:48 2014 us=609000 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Nov 19 13:15:48 2014 us=609000 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed Nov 19 13:15:48 2014 us=609000 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed Nov 19 13:15:48 2014 us=609000 Local Options hash (VER=V4): 'd79ca330'
Wed Nov 19 13:15:48 2014 us=609000 Expected Remote Options hash (VER=V4): 'f7df56b8'
Wed Nov 19 13:15:48 2014 us=609000 UDPv4 link local (bound): [undef]:1194
Wed Nov 19 13:15:48 2014 us=609000 UDPv4 link remote: 90.83.157.146:1194
Wed Nov 19 13:15:48 2014 us=671000 TLS: Initial packet from 90.83.157.146:1194, sid=bac392b0 12f9ae39
Wed Nov 19 13:15:48 2014 us=671000 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Nov 19 13:15:48 2014 us=890000 VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=FR/ST=RA/L=MYTOWN/O=MYORG/OU=VPN/CN=Server/name=changeme/emailAddress=contact@foo.fo
Wed Nov 19 13:15:48 2014 us=890000 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Nov 19 13:15:48 2014 us=890000 TLS Error: TLS object -> incoming plaintext read error
Wed Nov 19 13:15:48 2014 us=890000 TLS Error: TLS handshake failed
Wed Nov 19 13:15:48 2014 us=890000 TCP/UDP: Closing socket
Wed Nov 19 13:15:48 2014 us=890000 SIGUSR1[soft,tls-error] received, process restarting
Wed Nov 19 13:15:48 2014 us=890000 Restart pause, 2 second(s)

Any ideas?

Thks.

Offline Stefano

Re: openvpn can't connect TLS_ERROR
« Reply #1 on: November 19, 2014, 02:07:38 PM »
Did you try to use Google?

Offline globalsi

Re: openvpn can't connect TLS_ERROR
« Reply #2 on: November 19, 2014, 04:17:04 PM »
Thks for your answer.

Yes, I regenerated my certificate without success.

I checked the certificate and it's OK:
openssl verify -CAfile ca.crt server.crt
 -> server.crt: OK

 :-(

Offline Daniel B.

Re: openvpn can't connect TLS_ERROR
« Reply #3 on: November 19, 2014, 04:26:22 PM »
The interesting error is: error=unsupported certificate purpose

It's hard to say exactly what's wrong without seeing your exact configuration (especially on the client side), but I'd guess the server.crt hasn't been created for server usage (a certificate can be created for server or client, or both, and each side can be told to check the remote cert's usage; this is to prevent a malicious client from presenting itself as a server).
It's the end of the world!!! :lol:
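The purpose check Daniel describes, as an added example that is not part of the thread: OpenSSL verifies a TLS server's certificate with the "sslserver" purpose, so a server.crt that only carries extendedKeyUsage=clientAuth fails with "unsupported certificate purpose" even though the plain "openssl verify -CAfile ca.crt server.crt" run earlier in the thread (no -purpose) reports OK. The script builds a throwaway CA and two constructed certificates in a temp directory and assumes only the openssl command-line tool; the file names and subjects are invented.

```shell
#!/bin/sh
# Added example (not the forum's or OpenVPN's code). Reproduces the thread's
# "unsupported certificate purpose" failure with constructed certificates and
# shows the check that catches it before a client ever connects.
set -eu

# Runs "openssl verify" with an explicit purpose (sslserver, sslclient, ...).
# Returns 0 when the cert chains to the CA AND is usable for that purpose.
verify_for_purpose() {
    openssl verify -purpose "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 when the cert advertises TLS server use in its extensions
# (extendedKeyUsage serverAuth, or the older nsCertType "SSL Server").
cert_is_server_cert() {
    ext=$(openssl x509 -in "$1" -noout -text 2>/dev/null)
    case "$ext" in
        *"TLS Web Server Authentication"*|*"SSL Server"*) return 0 ;;
    esac
    return 1
}

# Constructed demo PKI in a temp dir: a tiny CA, a correct server cert
# (good.crt, serverAuth) and a "server" cert mistakenly built like a client
# cert (bad.crt, clientAuth only), which is what a client-style build-key
# run produces. Prints the directory so callers can find the files.
make_demo_certs() (
    dir=$(mktemp -d) && cd "$dir"
    printf 'basicConstraints=CA:TRUE\n' > ca.ext
    printf 'extendedKeyUsage=serverAuth\n' > good.ext
    printf 'extendedKeyUsage=clientAuth\n' > bad.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
        -subj "/CN=Demo CA" >/dev/null 2>&1
    openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt -days 1 \
        -extfile ca.ext >/dev/null 2>&1
    for n in good bad; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
            -out "$n.csr" -subj "/CN=Server" >/dev/null 2>&1
        openssl x509 -req -in "$n.csr" -CA ca.crt -CAkey ca.key \
            -CAcreateserial -out "$n.crt" -days 1 -extfile "$n.ext" \
            >/dev/null 2>&1
    done
    echo "$dir"
)
```

Running verify_for_purpose against your real ca.crt and server.crt with the sslserver purpose is the one-line check that would have flagged the original server.crt.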

Offline globalsi

Re: openvpn can't connect TLS_ERROR
« Reply #4 on: November 19, 2014, 04:43:02 PM »
Here's for the server:
Code:
[root@sme8j openvpn]# more /etc/openvpn/server.conf
port 1194
dev tap

tls-server

dh dh1024.pem
ca ca.crt
cert server.crt
key server.key

auth-user-pass-verify ./validate.sh via-env
client-disconnect ./logoff.sh

up ./openvpn.up

mode server
duplicate-cn
ifconfig 192.168.100.1 255.255.255.0

ifconfig-pool 192.168.100.100 192.168.100.200 255.255.255.0 # IP range for openvpn client

mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120

push "ping 10"
push "ping-restart 60"

push "dhcp-option DOMAIN mydomainfr.local"             # push the DNS domain suffix
push "dhcp-option DNS 192.168.1.1"                   # push DNS entries to openvpn client
push "route 192.168.1.0 255.255.255.0 192.168.100.1" # add route to to protected network

comp-lzo
status-version 2
status openvpn-status.log
verb 3


Code:
[root@sme8j openvpn]# more /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/vars
# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"

#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"


# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="FR"
export KEY_PROVINCE="RA"
export KEY_CITY="MYTOWN"
export KEY_ORG="MYORG"
export KEY_EMAIL="contact@foo.fo"
export KEY_EMAIL=contact@foo.fo
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234


and for the client.ovpn
Quote
port 1194
dev tap
remote my.public.ip.here
tls-client
auth-user-pass
ca ca.crt
cert client.crt
key client.key
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 4


To create the server.crt, I've done (as said in http://wiki.contribs.org/OpenVPN#OpenVPN_Server_Configuration): sh build-key server


Offline Daniel B.

Re: openvpn can't connect TLS_ERROR
« Reply #5 on: November 19, 2014, 04:45:51 PM »
This how-to is very old; you should check on Google for how to create certificates for OpenVPN. You can also try the PHPki contrib (check on the wiki), which provides an easy interface to manage them.

Offline globalsi

Re: openvpn can't connect TLS_ERROR
« Reply #6 on: November 19, 2014, 04:53:17 PM »
I thought this how-to was fine for SME8.

I'll look elsewhere for information.

Offline Daniel B.

Re: openvpn can't connect TLS_ERROR
« Reply #7 on: November 19, 2014, 04:55:01 PM »
Most OpenVPN users either use OpenVPN Bridge or OpenVPN SiteToSite I guess (you can find information for both on the wiki). For the certificates, you can have a look at PHPki (also found in the wiki).

Offline globalsi

Re: openvpn can't connect TLS_ERROR
« Reply #8 on: November 19, 2014, 04:56:29 PM »
Quote
Most OpenVPN users either use OpenVPN Bridge or OpenVPN SiteToSite I guess (you can find information for both on the wiki). For the certificates, you can have a look at PHPki (also found in the wiki).

I want to connect 1 or 2 computers to the network, not 2 networks (bridge).

Offline Daniel B.

Re: openvpn can't connect TLS_ERROR
« Reply #9 on: November 19, 2014, 04:57:20 PM »
OpenVPN Bridge is fine for what you want. It's made specially for road warriors. Only SiteToSite is made to connect two servers.

Offline globalsi

Re: openvpn can't connect TLS_ERROR
« Reply #10 on: November 19, 2014, 05:01:09 PM »
OK, I'll check this. :-P

THKS.

Offline globalsi

Re: openvpn can't connect TLS_ERROR
« Reply #11 on: February 02, 2017, 09:34:13 AM »
Hi,
Just for information, after several months I have updated my SME8.1 to 9.1.
I followed https://wiki.contribs.org/OpenVPN_Bridge/fr and it works like a charm. :smile:

Thanks everybody for your help; the topic can be closed as "SOLVED" (after 2 years :???: ).

Offline ReetP

Re: openvpn can't connect TLS_ERROR
« Reply #12 on: February 03, 2017, 12:02:31 AM »
As a follow up, depending on your needs you can also use:

https://wiki.contribs.org/OpenVPN_Routed

I use it for road warriors to log in to the phone system and it works well.

B. Rgds
John