Koozali.org: home of the SME Server

Openvpn-bridge connection to Fedora 28 not connecting

brianr
Openvpn-bridge connection to Fedora 28 not connecting
« on: September 03, 2018, 09:02:13 PM »
I have followed the wiki as best I could, but had to install manually on the Fedora system as it did not like the format of the .openvpn file.

However I get this in the logs:

2018-09-03 19:57:01.286121500 OpenVPN 2.4.6 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
2018-09-03 19:57:01.286127500 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
2018-09-03 19:57:01.286428500 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:11194
2018-09-03 19:57:01.286505500 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
2018-09-03 19:57:01.287513500 Diffie-Hellman initialized with 1024 bit key
2018-09-03 19:57:01.287773500 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'.  If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
2018-09-03 19:57:01.287783500 Exiting due to fatal error

I'm guessing I got something wrong, but no idea where!!
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

Daniel B.
Re: Openvpn-bridge connection to Fedora 28 not connecting
« Reply #1 on: September 03, 2018, 09:44:56 PM »
The private key on the server must not be password protected. Create a new certificate for the server, and this time leave the password field empty.
It's the end of the world!!! :lol:

brianr
Re: Openvpn-bridge connection to Fedora 28 not connecting
« Reply #2 on: September 04, 2018, 08:32:43 AM »
> The private key on the server must not be password protected. Create a new certificate for the server, and this time leave the password field empty.

How do I force phpki to create the server certificate again?

Sorry - found it - the password field is not required if you choose the cert type as "Server only".
« Last Edit: September 04, 2018, 08:38:15 AM by brianr »

brianr
Re: Openvpn-bridge connection to Fedora 28 not connecting
« Reply #3 on: September 04, 2018, 05:58:55 PM »
Still not got it right:

2018-09-04 16:38:44.475830500 OpenVPN 2.4.6 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
2018-09-04 16:38:44.475840500 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
2018-09-04 16:38:44.476189500 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:11194
2018-09-04 16:38:44.476275500 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
2018-09-04 16:38:44.477304500 Diffie-Hellman initialized with 1024 bit key
2018-09-04 16:38:44.477885500 Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
2018-09-04 16:38:44.477887500 ECDH curve secp384r1 added
2018-09-04 16:38:44.478021500 TUN/TAP device tap0 opened
2018-09-04 16:38:44.478030500 TUN/TAP TX queue length set to 100
2018-09-04 16:38:44.478175500 nice 5 succeeded
2018-09-04 16:38:44.478175500 Could not determine IPv4/IPv6 protocol. Using AF_INET
2018-09-04 16:38:44.478193500 Socket Buffers: R=[124928->124928] S=[124928->124928]
2018-09-04 16:38:44.478200500 UDPv4 link local (bound): [AF_INET][undef]:1194
2018-09-04 16:38:44.478206500 UDPv4 link remote: [AF_UNSPEC]
2018-09-04 16:38:44.478220500 chroot to '/etc/openvpn/bridge' and cd to '/' succeeded
2018-09-04 16:38:44.478226500 GID set to nobody
2018-09-04 16:38:44.478238500 UID set to nobody
2018-09-04 16:38:44.478244500 MULTI: multi_init called, r=256 v=256
2018-09-04 16:38:44.478314500 IFCONFIG POOL: base=192.168.100.40 size=6, ipv6=0
2018-09-04 16:38:44.478315500 Initialization Sequence Completed
2018-09-04 16:40:50.022051500 92.9.37.219:43022 TLS: Initial packet from [AF_INET]92.9.37.219:43022, sid=89ded3a6 21bb2cdb
2018-09-04 16:41:00.228046500 92.9.37.219:34182 TLS: Initial packet from [AF_INET]92.9.37.219:34182, sid=8a5edd07 a1e25629
2018-09-04 16:41:10.565056500 92.9.37.219:44784 TLS: Initial packet from [AF_INET]92.9.37.219:44784, sid=ce936e1b 1f4576a6
2018-09-04 16:41:20.827177500 92.9.37.219:50579 TLS: Initial packet from [AF_INET]92.9.37.219:50579, sid=5c915bdb d63319a9
2018-09-04 16:41:31.113033500 92.9.37.219:34493 TLS: Initial packet from [AF_INET]92.9.37.219:34493, sid=ae30ca36 6092ff12
2018-09-04 16:41:50.837940500 92.9.37.219:43022 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2018-09-04 16:41:50.837942500 92.9.37.219:43022 TLS Error: TLS handshake failed
2018-09-04 16:41:50.837990500 92.9.37.219:43022 SIGUSR1[soft,tls-error] received, client-instance restarting
2018-09-04 16:42:01.091773500 92.9.37.219:34182 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2018-09-04 16:42:01.091774500 92.9.37.219:34182 TLS Error: TLS handshake failed
2018-09-04 16:42:01.091846500 92.9.37.219:34182 SIGUSR1[soft,tls-error] received, client-instance restarting
2018-09-04 16:42:10.576096500 92.9.37.219:44784 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2018-09-04 16:42:10.576098500 92.9.37.219:44784 TLS Error: TLS handshake failed
2018-09-04 16:42:10.576184500 92.9.37.219:44784 SIGUSR1[soft,tls-error] received, client-instance restarting
2018-09-04 16:42:20.212559500 92.9.37.219:50579 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2018-09-04 16:42:20.212561500 92.9.37.219:50579 TLS Error: TLS handshake failed
2018-09-04 16:42:20.212662500 92.9.37.219:50579 SIGUSR1[soft,tls-error] received, client-instance restarting
2018-09-04 16:42:31.639619500 92.9.37.219:34493 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2018-09-04 16:42:31.639621500 92.9.37.219:34493 TLS Error: TLS handshake failed
2018-09-04 16:42:31.639710500 92.9.37.219:34493 SIGUSR1[soft,tls-error] received, client-instance restarting

Unable to find where the Fedora 28 openvpn client config file is - /etc/openvpn/client is empty! Any ideas?

Daniel B.
Re: Openvpn-bridge connection to Fedora 28 not connecting
« Reply #4 on: September 04, 2018, 07:41:48 PM »
Most likely, the client can't verify the server's certificate. Check the client logs with

    journalctl -fl

(while the VPN tries to connect)

brianr
Re: Openvpn-bridge connection to Fedora 28 not connecting
« Reply #5 on: September 04, 2018, 08:13:24 PM »
> Most likely, the client can't verify the server's certificate. Check the client logs with
>
>     journalctl -fl
>
> (while the VPN tries to connect)

I get this:

Sep 04 19:03:26 fedora-28.bjsystems.co.uk nm-openvpn[32481]: VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=UK, ST=Lancs, L=Skelmersdale, O=bjsystems, O=21232f297a57a5a743894a0e4a801fc3, OU=software, CN=openvpn-bridged-2, emailAddress=brianr@bjsystems.co.uk
Sep 04 19:03:26 fedora-28.bjsystems.co.uk nm-openvpn[32481]: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Sep 04 19:03:26 fedora-28.bjsystems.co.uk nm-openvpn[32481]: TLS_ERROR: BIO read tls_read_plaintext error
Sep 04 19:03:26 fedora-28.bjsystems.co.uk nm-openvpn[32481]: TLS Error: TLS object -> incoming plaintext read error
Sep 04 19:03:26 fedora-28.bjsystems.co.uk nm-openvpn[32481]: TLS Error: TLS handshake failed

I specified the server as Client, see here:

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : No
SSL server CA : No
Netscape SSL server : No
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

I have the TLS "extra" authorisation set as "none" - is that ok?

If I set it to TLS-Auth (and link in the takey.pem), I get this on the client:

Sep 04 19:15:58 fedora-28.bjsystems.co.uk nm-openvpn[509]: OpenVPN 2.4.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
Sep 04 19:15:58 fedora-28.bjsystems.co.uk nm-openvpn[509]: library versions: OpenSSL 1.1.0h-fips  27 Mar 2018, LZO 2.08
Sep 04 19:15:58 fedora-28.bjsystems.co.uk nm-openvpn[509]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sep 04 19:15:58 fedora-28.bjsystems.co.uk nm-openvpn[509]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 04 19:16:04 fedora-28.bjsystems.co.uk nm-openvpn[509]: TCP/UDP: Preserving recently used remote address: [AF_INET]92.9.35.118:1194
Sep 04 19:16:04 fedora-28.bjsystems.co.uk nm-openvpn[509]: UDP link local: (not bound)
Sep 04 19:16:04 fedora-28.bjsystems.co.uk nm-openvpn[509]: UDP link remote: [AF_INET]92.9.35.118:1194
Sep 04 19:16:04 fedora-28.bjsystems.co.uk nm-openvpn[509]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sep 04 19:16:04 fedora-28.bjsystems.co.uk nm-openvpn[509]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]92.9.35.118:1194
Sep 04 19:16:06 fedora-28.bjsystems.co.uk nm-openvpn[509]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]92.9.35.118:1194
Sep 04 19:16:07 fedora-28.bjsystems.co.uk audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 04 19:16:10 fedora-28.bjsystems.co.uk nm-openvpn[509]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]92.9.35.118:1194
Sep 04 19:16:18 fedora-28.bjsystems.co.uk nm-openvpn[509]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]92.9.35.118:1194
Sep 04 19:16:34 fedora-28.bjsystems.co.uk nm-openvpn[509]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]92.9.35.118:1194
« Last Edit: September 04, 2018, 08:18:15 PM by brianr »
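The two server-certificate failures in this thread (a passphrase-protected key that openvpn under --daemon cannot unlock, and a certificate issued with client purpose that the client then rejects with "unsupported certificate purpose") can both be caught with plain openssl before the certificate is ever installed. The script below is an added example, not part of the thread and not SME Server or phpki code; it assumes only a POSIX sh and an openssl binary in PATH, and every name in it (demo-ca, vpnserver-*, the passphrase s3cret) is made up. It builds a throwaway CA, issues one certificate with the clientAuth extended key usage (the profile Brian posted: SSL client Yes, SSL server No), one with serverAuth, and one serverAuth certificate whose key is encrypted, then runs the two checks against each.

```shell
#!/bin/sh
# Added example, not from the thread or from SME Server/phpki: reproduce the
# two server-certificate problems seen in the logs above with plain openssl.
# All names (demo-ca, vpnserver-*) and the passphrase are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Throwaway CA with an unencrypted key (-nodes).
openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=demo-ca" -keyout ca.key -out ca.crt >/dev/null 2>&1

# issue_cert NAME EKU [PASSPHRASE]: sign a leaf cert with the given
# extendedKeyUsage. With a passphrase the private key is written encrypted,
# which is what the first post's server key looked like to openvpn.
issue_cert() {
    name="$1"; eku="$2"; pass="${3:-}"
    if [ -n "$pass" ]; then
        openssl genrsa -aes256 -passout "pass:$pass" -out "$name.key" 2048 >/dev/null 2>&1
        openssl req -new -config ca.cnf -key "$name.key" -passin "pass:$pass" \
            -subj "/CN=$name" -out "$name.csr" >/dev/null 2>&1
    else
        openssl genrsa -out "$name.key" 2048 >/dev/null 2>&1
        openssl req -new -config ca.cnf -key "$name.key" \
            -subj "/CN=$name" -out "$name.csr" >/dev/null 2>&1
    fi
    printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' \
        "$eku" > "$name.ext"
    openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 2 -extfile "$name.ext" -out "$name.crt" >/dev/null 2>&1
}

# Check 1: a PEM key that openvpn --daemon cannot use, because it would have
# to prompt for "Enter Private Key Password:". Both PEM encryption formats
# (Proc-Type: 4,ENCRYPTED and BEGIN ENCRYPTED PRIVATE KEY) contain this word.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Check 2: would a client that verifies the server's purpose accept this cert?
# A clientAuth-only EKU fails here with "unsupported certificate purpose",
# the same error text nm-openvpn logged.
cert_has_server_purpose() {
    openssl verify -CAfile ca.crt -purpose sslserver "$1" >/dev/null 2>&1
}

issue_cert vpnserver-client clientAuth        # purpose profile of a "Client" cert
issue_cert vpnserver-server serverAuth        # purpose profile of a "Server only" cert
issue_cert vpnserver-locked serverAuth s3cret # right purpose, passphrase on the key

for n in vpnserver-client vpnserver-server vpnserver-locked; do
    if key_is_encrypted "$n.key"; then k=encrypted; else k=plain; fi
    if cert_has_server_purpose "$n.crt"; then p=accepted; else p=REJECTED; fi
    printf '%-17s key=%-9s sslserver purpose: %s\n' "$n" "$k" "$p"
done
```

Run it with sh. Only vpnserver-server comes out with a plain key and an accepted purpose; vpnserver-client is rejected by the sslserver purpose check, and vpnserver-locked would trip the same "can't ask for 'Enter Private Key Password:'" exit as the first log. Two other lines in the posted client logs belong with these checks: the warning "No server certificate verification method has been enabled" goes away once the client config carries `remote-cert-tls server`, and that directive is precisely what demands the serverAuth purpose on the server certificate; "cannot locate HMAC in incoming packet" means the client is running `tls-auth` while the server's packets carry no HMAC, so `tls-auth` with the same key file (and opposite key-direction values) has to be configured on both ends, or on neither.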

brianr
Re: Openvpn-bridge connection to Fedora 28 not connecting
« Reply #6 on: September 05, 2018, 11:31:52 AM »
Also, I have submitted

https://bugs.contribs.org/show_bug.cgi?id=10622

for the ereg deprecated warnings on the phpki web pages.