Most likely, the client can't verify the server's certificate. Check the client logs with
journalctl -fl
(while the VPN tries to connect)
I get this:
Sep 04 19:03:26 fedora-28.bjsystems.co.uk nm-openvpn[32481]: VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=UK, ST=Lancs, L=Skelmersdale, O=bjsystems, O=21232f297a57a5a743894a0e4a801fc3, OU=software, CN=openvpn-bridged-2, emailAddress=brianr@bjsystems.co.uk
Sep 04 19:03:26 fedora-28.bjsystems.co.uk nm-openvpn[32481]: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Sep 04 19:03:26 fedora-28.bjsystems.co.uk nm-openvpn[32481]: TLS_ERROR: BIO read tls_read_plaintext error
Sep 04 19:03:26 fedora-28.bjsystems.co.uk nm-openvpn[32481]: TLS Error: TLS object -> incoming plaintext read error
Sep 04 19:03:26 fedora-28.bjsystems.co.uk nm-openvpn[32481]: TLS Error: TLS handshake failed
I specified the server as Client, see here:
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : No
SSL server CA : No
Netscape SSL server : No
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
I have the TLS "extra" authorisation set as "none" - is that OK?
If I set it to TLS-Auth (and link in the takey.pem), I get this on the client:
Sep 04 19:15:58 fedora-28.bjsystems.co.uk nm-openvpn[509]: OpenVPN 2.4.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
Sep 04 19:15:58 fedora-28.bjsystems.co.uk nm-openvpn[509]: library versions: OpenSSL 1.1.0h-fips 27 Mar 2018, LZO 2.08
Sep 04 19:15:58 fedora-28.bjsystems.co.uk nm-openvpn[509]: WARNING: No server certificate verification method has been enabled. See
http://openvpn.net/howto.html#mitm for more info.
Sep 04 19:15:58 fedora-28.bjsystems.co.uk nm-openvpn[509]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 04 19:16:04 fedora-28.bjsystems.co.uk nm-openvpn[509]: TCP/UDP: Preserving recently used remote address: [AF_INET]92.9.35.118:1194
Sep 04 19:16:04 fedora-28.bjsystems.co.uk nm-openvpn[509]: UDP link local: (not bound)
Sep 04 19:16:04 fedora-28.bjsystems.co.uk nm-openvpn[509]: UDP link remote: [AF_INET]92.9.35.118:1194
Sep 04 19:16:04 fedora-28.bjsystems.co.uk nm-openvpn[509]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sep 04 19:16:04 fedora-28.bjsystems.co.uk nm-openvpn[509]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]92.9.35.118:1194
Sep 04 19:16:06 fedora-28.bjsystems.co.uk nm-openvpn[509]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]92.9.35.118:1194
Sep 04 19:16:07 fedora-28.bjsystems.co.uk audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 04 19:16:10 fedora-28.bjsystems.co.uk nm-openvpn[509]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]92.9.35.118:1194
Sep 04 19:16:18 fedora-28.bjsystems.co.uk nm-openvpn[509]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]92.9.35.118:1194
Sep 04 19:16:34 fedora-28.bjsystems.co.uk nm-openvpn[509]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]92.9.35.118:1194
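The purpose check behind the "unsupported certificate purpose" VERIFY ERROR earlier in the thread, as an added example that is not part of the thread: it issues two throwaway certificates from a scratch CA, one with extendedKeyUsage=clientAuth (the "SSL server : No" situation shown above) and one with serverAuth, and runs the sslserver purpose verification that OpenSSL applies when a TLS client checks its peer against each. It assumes the openssl CLI is installed; every name and path in it is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the purpose failure with
# throwaway certificates and show the fix. Assumes the openssl CLI exists;
# all subjects, file names and EKU choices below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Scratch CA (constructed, never for real use).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=example-test-ca" -days 2 >/dev/null 2>&1

# issue_cert <basename> <extendedKeyUsage value>: leaf cert signed by the CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=openvpn-test-server" >/dev/null 2>&1
  printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' \
    "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "$1.crt" -days 2 -extfile "$1.ext" >/dev/null 2>&1
}

# check_server_purpose <cert>: exit 0 if the cert is valid as a TLS *server*
# cert (chain OK and EKU permits serverAuth), 1 otherwise. This is the
# purpose check an OpenSSL TLS client applies to the peer certificate.
check_server_purpose() {
  openssl verify -CAfile ca.crt -purpose sslserver "$1" >/dev/null 2>&1
}

issue_cert wrong clientAuth   # what the thread's server cert looks like
issue_cert right serverAuth   # what a server cert needs

# The "SSL server : No" line in the thread comes from this command.
openssl x509 -in wrong.crt -noout -purpose | grep '^SSL server : '

if check_server_purpose wrong.crt; then
  echo "wrong.crt: accepted (unexpected)"
else
  echo "wrong.crt: rejected for sslserver purpose (matches the VERIFY ERROR)"
fi
if check_server_purpose right.crt; then
  echo "right.crt: accepted for sslserver purpose"
fi
```

Reissuing the server certificate with a serverAuth extended key usage (a "server" certificate type in easy-rsa terms) is the fix; the clientAuth-only certificate is correctly rejected.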