Koozali.org: home of the SME Server

Cannot connect with openvpn

crazybob (Stalzer R&D)
Cannot connect with openvpn
« on: September 28, 2020, 06:14:14 AM »
I've been fighting to get OpenVPN to work.
I have installed it and PHPki a number of times and keep coming up with the same issue.
The log file on my computer shows:

Mon Sep 28 00:05:06 2020 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=US/ST=MI/L=Grandville/O=Stalzer_R_D/O=21232f297a57a5a743894a0e4a801fc3/OU=IT/CN=openvpn-bridge/emailAddress=bob@srdpc.com
Mon Sep 28 00:05:06 2020 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Sep 28 00:05:06 2020 TLS Error: TLS object -> incoming plaintext read error
Mon Sep 28 00:05:06 2020 TLS Error: TLS handshake failed
Mon Sep 28 00:05:06 2020 SIGUSR1[soft,tls-error] received, process restarting
Mon Sep 28 00:05:08 2020 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Sep 28 00:05:08 2020 LZO compression initialized
Mon Sep 28 00:05:08 2020 UDPv4 link local: [undef]

When I first install the certs I get an error message:

Operation status report
Error: CSRF token is invalid or outdated.
but when I save the certs a second time it says it's good.

I've installed this on many servers and never had any issues. Any advice would be appreciated.
If you think you know whats going on, you obviously have no idea whats going on!

stefangk
Re: Cannot connect with openvpn
« Reply #1 on: September 28, 2020, 11:21:36 AM »
I have been using the OpenVPN-Bridge and PHPki contribs for many years without problems. Did you follow all the contribs' docs and recommendations? You have to issue a certificate for the server first (with CN=openvpn-bridge) and set it up correctly before issuing certificates for the clients. If this certificate expires you should renew it as well.

Certificate Details
(#100015)
openvpn-bridge <admin@fide-assist.com>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1048597 (0x100015)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BG, ST=SF, L=Sofia, O=Fidelitas Assistance Ltd., OU=Certificate Authority, CN=PHPki Certificate Authority/emailAddress=admin@fide-assist.com
        Validity
            Not Before: May 13 04:25:55 2019 GMT
            Not After : May 12 04:25:55 2024 GMT

        Subject: C=BG, ST=SF, L=Sofia, O=Fidelitas Assistance Ltd., O=21232f297a57a5a743894a0e4a801fc3, OU=VPN, CN=openvpn-bridge/emailAddress=admin@fide-assist.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b2:f1:01:d5:f4:77:f7:b8:14:68:eb:26:d6:00:
               ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication
            Netscape Cert Type: critical
                SSL Server
            X509v3 Subject Key Identifier:
                55:4D:87:97:9A:78:A8:43:98:98:F2:65:5E:66:E2:2C:53:E4:7E:30
            X509v3 Authority Key Identifier:
                keyid:58:52:CC:E2:DD:DA:9C:1D:1E:90:54:62:7C:16:79:53:CE:A1:15:8C
                DirName:/C=BG/ST=SF/L=Sofia/O=Fidelitas Assistance Ltd./OU=Certificate Authority/CN=PHPki Certificate Authority/emailAddress=admin@fide-assist.com
                serial:BE:C2:55:0D:3A:84:4D:5F

            X509v3 Subject Alternative Name:
                DNS:openvpn-bridge, email:admin@fide-assist.com
    Signature Algorithm: sha1WithRSAEncryption
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
Stefan Krastanov
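The client log in the first post fails at depth=0 with "unable to get local issuer certificate", which is OpenSSL's way of saying the certificate the server presented was not issued by any CA in the client's ca file. The script below is an added example, not code from the thread or from the PHPki/OpenVPN-Bridge contribs: it builds two throwaway CAs with the openssl CLI (assumed installed, 1.1.1 or later), issues an openvpn-bridge server certificate from each, and runs the checks a client performs (issuer matches the trusted CA, chain verifies, CN is openvpn-bridge, certificate carries the TLS server EKU), so the same error can be reproduced and pinned down offline. All names and key material are constructed test data in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread or the PHPki/OpenVPN-Bridge contribs.
# Two throwaway CAs stand in for "the CA the client trusts" and "a previous,
# since-replaced CA"; everything is generated into a temp dir and removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# make_ca NAME: self-signed CA, the kind a fresh PHPki install creates (constructed data)
make_ca() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 2 -subj "/O=Example/CN=$1 CA" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_server_cert CA CN: server cert with the serverAuth EKU, written to CN-by-CA.crt
issue_server_cert() {
    ca=$1; cn=$2
    cat > "$WORK/$cn.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
subjectAltName = DNS:$cn
EOF
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example/CN=$cn" -keyout "$WORK/$cn.key" -out "$WORK/$cn.csr" 2>/dev/null
    openssl x509 -req -days 2 -sha256 -in "$WORK/$cn.csr" \
        -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -extfile "$WORK/$cn.ext" -out "$WORK/$cn-by-$ca.crt" 2>/dev/null
}

# verify_against CA_CRT CERT: 0 if CERT chains to CA_CRT (the client's ca file must satisfy this)
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_matches_ca CA_CRT CERT: 0 if CERT names CA_CRT's subject as its issuer
issuer_matches_ca() {
    ca_subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    crt_iss=$(openssl x509 -noout -issuer -in "$2" | sed 's/^issuer= *//')
    [ "$ca_subj" = "$crt_iss" ]
}

# cert_cn CERT: print the subject CN; openvpn-bridge expects "openvpn-bridge" here
cert_cn() {
    openssl x509 -noout -subject -nameopt sep_multiline -in "$1" | sed -n 's/^ *CN *= *//p'
}

# has_server_eku CERT: 0 if the cert is marked for TLS server authentication
has_server_eku() {
    openssl x509 -noout -text -in "$1" | grep -q 'TLS Web Server Authentication'
}

# diagnose CA_CRT CERT: run every check and report; returns 0 only if all pass
diagnose() {
    rc=0
    issuer_matches_ca "$1" "$2" && echo "  issuer matches CA:  yes" || { echo "  issuer matches CA:  NO"; rc=1; }
    verify_against "$1" "$2"    && echo "  chain verifies:     yes" || { echo "  chain verifies:     NO"; rc=1; }
    [ "$(cert_cn "$2")" = openvpn-bridge ] && echo "  CN=openvpn-bridge:  yes" || { echo "  CN=openvpn-bridge:  NO"; rc=1; }
    has_server_eku "$2"         && echo "  server EKU:         yes" || { echo "  server EKU:         NO"; rc=1; }
    return $rc
}

make_ca newca
make_ca oldca
issue_server_cert newca openvpn-bridge   # issued by the CA the client trusts
issue_server_cert oldca openvpn-bridge   # issued by a previous, now-replaced CA

echo "client trusts newca, server presents the newca-issued cert:"
diagnose "$WORK/newca.crt" "$WORK/openvpn-bridge-by-newca.crt"
echo "client trusts newca, server presents the oldca-issued cert:"
diagnose "$WORK/newca.crt" "$WORK/openvpn-bridge-by-oldca.crt" || true
# the raw openssl message is the same text OpenVPN logs at depth=0
openssl verify -CAfile "$WORK/newca.crt" "$WORK/openvpn-bridge-by-oldca.crt" 2>&1 | grep -i 'local issuer' || true
```

Against a real installation, run the same `openssl verify -CAfile` with the ca file from the client's .ovpn and the server certificate pasted into the OpenVPN-Bridge panel; if the issuer check fails, one side is still carrying material from a previous PHPki CA. One further caveat: the certificate dump above is signed with sha1WithRSAEncryption, and clients built against OpenSSL 3.0 or later reject SHA-1 certificate signatures at the default security level, so a SHA-1 chain can fail verification on a new client even when the issuer is right; the example signs with SHA-256 for that reason.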

crazybob (Stalzer R&D)
Re: Cannot connect with openvpn
« Reply #2 on: September 28, 2020, 02:53:14 PM »
I have installed OpenVPN many times also, but this is the first time I've had this kind of issue.
I have uninstalled PHPki a few times trying to get this working.
After I removed it, I also removed the /opt/phpki folder.
Is there anything else I should delete?
After I re-install PHPki I create the CA and the other certs per the instructions.
When I go to OpenVPN to install the certs, I find they are already populated. Is this normal?
I do copy and paste the new certs, and when I save everything, I get the error message I referred to.
Is there somewhere else I need to go to remove the old certs? Could that fix things?

ReetP
Re: Cannot connect with openvpn
« Reply #3 on: September 28, 2020, 10:11:49 PM »
I can't do much to help right now as I am on holiday, back later this week.

Some things you can do to help yourself.

Note down exactly what steps you took please and show us. It helps with diagnosis.

There's a newer version of PHPki, I think in testing. I'd really suggest you use it to future-proof yourself.

Check the wiki page and then:

https://bugs.contribs.org/show_bug.cgi?id=8685

Report any issues.

Removal instructions are as per wiki. Make sure you clear browser caches.....

Last, search the interwebs for your errors which will guide you to the problems.

Eg

"openvpn SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"

"openvpn TLS Error: TLS object -> incoming plaintext read error"

The script-security error can be ignored (but check if there is a bug too)

And also paste your configs (without anything sensitive) though my guess is you have just got in a muddle with your certs.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

ReetP
Re: Cannot connect with openvpn
« Reply #4 on: September 30, 2020, 10:38:05 AM »
Quote
After I removed it, I also removed the /opt/phpki folder.
Is there anything else I should delete?

That's the important bit - all your old certs are in there. You should get the 'create new CA' routine when you start PHPki again.

Quote
When I go to OpenVPN to install the certs, I find they are already populated. Is this normal?

I doubt it. Sounds like your browser is remembering things. Clear your browser cache and start again.

ReetP
Re: Cannot connect with openvpn
« Reply #5 on: September 30, 2020, 10:40:11 AM »
BTW - please post back on any of your queries here and let people know if you have cured things or not - it assists other people when they are looking for answers.

Leaving things unanswered is not very helpful.

Thanks.

crazybob (Stalzer R&D)
Re: Cannot connect with openvpn
« Reply #6 on: October 19, 2020, 02:20:36 AM »
I completely removed PHPki and removed the entries in /opt.
I reinstalled PHPki per the instructions in the contribs.

I now get read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054), and it stalls.

I have installed this on about six or seven servers without a problem. I follow the instructions exactly.

ReetP
Re: Cannot connect with openvpn
« Reply #7 on: October 20, 2020, 10:25:59 AM »
Quote
I completely removed PHPki and removed the entries in /opt.
I reinstalled PHPki per the instructions in the contribs.

I now get read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054), and it stalls.

I have installed this on about six or seven servers without a problem. I follow the instructions exactly.

Always do a quick search for your error on the interwebs, eg:

https://serverfault.com/questions/544285/why-connection-reset-by-peer-when-im-trying-to-connect-to-server-in-openvpn

https://sourceforge.net/p/openvpn/mailman/message/24828114/

https://github.com/Nyr/openvpn-install/issues/182

Quote
most likely a firewall issue...

What else do you have between your clients and your server? Router etc?

If your other servers are OK then this one should be if you set it up correctly.

Note with the updated PHPKi I have it running on one of my servers so I know it works if you set it up correctly.

crazybob (Stalzer R&D)
Re: Cannot connect with openvpn
« Reply #8 on: October 21, 2020, 09:22:07 PM »
I looked at the things you suggested, and I'm going to do more digging on those items.
There is a router made for AT&T for the server I am trying to connect to, and I have set the port forwarding to the server. I also have an SSH port pointing to the server, and it functions properly.

When I removed PHPki, I deleted the certs that were in /opt/phpki, but the information was still in the certificate entry blocks in the OpenVPN menu, and I was using a computer and browser that had never been connected to that server before.

What is the version of PHPki that you are referring to, and where can I find it?
Thank you for the input.

ReetP
Re: Cannot connect with openvpn
« Reply #9 on: October 22, 2020, 12:06:02 PM »
I think you are mixing things up here. PHPki is not related to the setup and operation of OpenVPN.

OpenVPN will use certificates created by PHPKi, but they could be created by PHPKi on a totally different server.

First, I think if you are running openvpn-s2s it stores details in a DB configuration entry.

Try:

Code: [Select]
db configuration show openvpn-s2s
The web panel then creates templates in /etc/openvpn/s2s from those settings.

You should be able to delete those entries with the openvpn-s2s web panel and then add new certificates.

The updated PHPKi is in my Test repo.

It seems to work without issues but I was concerned about trashing existing installations so have not generally released it.

It should backup existing certificates if it finds them.

You can get it here and then:

https://www.reetspetit.com/smetest/6/x86_64/phpki-0.83-8.el6.sme.noarch.rpm

Code: [Select]
yum localinstall phpki-0.83-8.el6.sme.noarch.rpm
When it is first installed it should ask you about creating a new CA etc.

crazybob (Stalzer R&D)
Re: Cannot connect with openvpn
« Reply #10 on: October 22, 2020, 10:29:15 PM »
I removed the current PHPki, then installed your version.
I don't get a web panel for it, and am not sure how to get it.
Should I have installed it on top of the version that is on the contribs website?

ReetP
Re: Cannot connect with openvpn
« Reply #11 on: October 22, 2020, 10:36:34 PM »
Yes it needs smeserver-phpki for the panel.

PHPki itself is the backend certificate generation, which is quite generic, but it needs the other contrib for the panel.