[TriLUG] OpenVPN revisited - TLS?

Paul G. Szabady Paul at ThyService.com
Tue Dec 5 00:36:46 EST 2006


Greetings,

OK, so after about a year of not using openvpn, I find myself needing it
again.  Although "nothing changed"  ;)  it no longer works.  I suspect
upgrades over the past year might have something to do with it.  All
instances of "xxxx" shown below were put there for privacy...

According to some googling I did (i.e.:
http://openvpn.net/archive/openvpn-users/2005-07/msg00037.html), the
"error" in the server log is due to the server not being notified of the
server disconnect.  I can only assume this is true at this point.

From the server's log:
Dec  5 00:26:19 server openvpn[5398]: MULTI: multi_create_instance called
Dec  5 00:26:19 server openvpn[5398]: xx.xx.xx.xx:54322 Re-using SSL/TLS
context
Dec  5 00:26:19 server openvpn[5398]: xx.xx.xx.xx:54322 LZO compression
initialized
Dec  5 00:26:19 server openvpn[5398]: xx.xx.xx.xx:54322 Control Channel
MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Dec  5 00:26:19 server openvpn[5398]: xx.xx.xx.xx:54322 Data Channel MTU
parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Dec  5 00:26:19 server openvpn[5398]: xx.xx.xx.xx:54322 Local Options
String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto
UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method
2,tls-server'
Dec  5 00:26:19 server openvpn[5398]: xx.xx.xx.xx:54322 Expected Remote
Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto
UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method
2,tls-client'
Dec  5 00:26:19 server openvpn[5398]: xx.xx.xx.xx:54322 Local Options hash
(VER=V4): 'f7df56b8'
Dec  5 00:26:19 server openvpn[5398]: xx.xx.xx.xx:54322 Expected Remote
Options hash (VER=V4): 'd79ca330'
Dec  5 00:26:19 server openvpn[5398]: xx.xx.xx.xx:54322 TLS: Initial
packet from xx.xx.xx.xx:54322, sid=3aef92c6 ee94874f
Dec  5 00:26:19 server openvpn[5398]: read UDPv4 [ECONNREFUSED]:
Connection refused (code=111)
Dec  5 00:26:21 server last message repeated 6 times


I get the following errors in the client's log:

Dec  5 00:09:01 client openvpn[11435]: VERIFY ERROR: depth=1, error=self
signed certificate in certificate chain:
/C=US/ST=NC/L=Raleigh/O=xxxxx/CN=xxxxx/emailAddress=xxxxx
Dec  5 00:09:01 client openvpn[11435]: TLS_ERROR: BIO read
tls_read_plaintext error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Dec  5 00:09:01 client openvpn[11435]: TLS Error: TLS object -> incoming
plaintext read error
Dec  5 00:09:01 client openvpn[11435]: TLS Error: TLS handshake failed
Dec  5 00:09:01 client openvpn[11435]: TCP/UDP: Closing socket

I've verified the ca.crt on both server and client, and the server.crt and
client.crt, and they all return "OK".

$ openssl verify -CAfile ca.crt -purpose sslclient ca.crt
$ openssl verify -CAfile ca.crt -purpose sslclient client.crt
$ openssl verify -CAfile ca.crt -purpose sslclient ca.crt
$ openssl verify -CAfile ca.crt -purpose sslserver ca.crt
$ openssl verify -CAfile ca.crt -purpose sslserver server.crt


client config:
client
dev tun
proto udp
remote xx.xx.xx.xx 1194
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 5

server config:
port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.2.1 255.255.255.0 192.168.2.200 192.168.2.249
keepalive 10 120
cipher BF-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 4
mute 20

Any thoughts or ideas?

Oh, the server is sitting behind a NAT'd firewall and the client is on an
internet routable IP.

Thanks in advance!

-- 
Paul
@ Thy Service
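An added diagnostic, not code from the original post or from the OpenVPN project: it constructs a throwaway CA, a server certificate issued by it, and a second unrelated CA, then runs `openssl verify` against the chain the peer actually presents, which reproduces the depth=1 "self signed certificate in certificate chain" (error 19) seen in the client log when the two sides hold different CAs. It assumes the `openssl` CLI is installed and that its default openssl.cnf marks `req -x509` output as a CA (the stock v3_ca section); all file names and CNs are constructed.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Builds a throwaway CA and a
# server cert issued by it (with nsCertType=server, which the client's
# "ns-cert-type server" line requires), plus a second, unrelated CA, then runs
# the chain check the way the peer sees it. Needs the openssl CLI.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Constructed test material; names and CNs are arbitrary. The CA certs get
# basicConstraints=CA:true from openssl.cnf's default v3_ca section.
mk_ca() {  # $1 = file basename, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
    -subj "/CN=$2" -days 2 2>/dev/null
}
mk_ca ca "Good CA"
mk_ca other-ca "Unrelated CA"
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=vpn-server" 2>/dev/null
printf 'nsCertType=server\n' > ext.cnf
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile ext.cnf -out server.crt -days 2 2>/dev/null

# SHA-256 fingerprint of a cert. Compare the value on server and client: if
# they differ, the two ca.crt files are different CAs, and "openssl verify
# -CAfile ca.crt ca.crt" passing on each box proves nothing about the pair.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Verify a peer cert as the verifying side sees it.
#   $1 = CA the verifying side trusts (its own ca.crt)
#   $2 = chain the peer sends with its cert (the peer's ca.crt)
#   $3 = the peer's certificate
# Prints "OK", or "error N at D depth" from openssl; error 19 at depth 1 is
# X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, the failure in the client log above.
check_chain() {
  if out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1); then
    echo OK
  else
    printf '%s\n' "$out" | grep -o 'error [0-9]* at [0-9]* depth' | head -n 1
  fi
}

# Value of the Netscape Cert Type extension ("SSL Server" is what
# "ns-cert-type server" checks for); prints nothing if the cert has none.
ns_cert_type() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Netscape Cert Type/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

echo "ca.crt fingerprint:            $(fingerprint ca.crt)"
echo "client trusts the issuing CA:  $(check_chain ca.crt ca.crt server.crt)"
echo "client trusts a different CA:  $(check_chain other-ca.crt ca.crt server.crt)"
echo "server.crt nsCertType:         $(ns_cert_type server.crt)"
```

Run the fingerprint step on both machines and compare; a mismatch means the client's ca.crt is not the CA that issued server.crt, whatever the per-host `openssl verify` runs say.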
