Gentoo Forums
[Solved] OpenVPN not working in Linux, but in Windows
Qcumber-some (n00b; Joined: 10 Jun 2007; Posts: 61)
Posted: Sun Mar 04, 2018 6:35 am    Post subject: [Solved] OpenVPN not working in Linux, but in Windows

Edit2:
The "provider" indeed regenerated the server/CA certificate without sending out new ones to the clients.

Unfortunately, OpenVPN does not include any details of the certificate in the error message (only the subject), so if the subject hasn't changed, in the error it looks like it is looking for the certificate you already have, but it is looking for a different certificate with the same subject.

Got a new .p12 file and it is working now, thanks!
Edit: Sorry people,
I just came around trying the very same again in Windows, and guess what: it doesn't work anymore. I just have to believe the "provider" tinkered again on the server/CA certificates after issuing the client certificates. So, I guess that's kind of "invalid", but not "solved" for now, but many thanks to anyone who read this and wasted their mind power.

Can you tell I am pretty pissed?
Here goes the original text:
Hi there,

I hope you can shed some light on an issue I have.

My current Gentoo won't connect to an OpenVPN server. The log shows:
Code:

Mar  3 20:10:17 xxx openvpn[1879]: TLS: Initial packet from [AF_INET]ip:port, sid=xxx xxx
Mar  3 20:10:17 xxx openvpn[1879]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: follows the CA certificate data
Mar  3 20:10:17 xxx openvpn[1879]: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Mar  3 20:10:17 xxx openvpn[1879]: TLS_ERROR: BIO read tls_read_plaintext error
Mar  3 20:10:17 xxx openvpn[1879]: TLS Error: TLS object -> incoming plaintext read error
Mar  3 20:10:17 xxx openvpn[1879]: TLS Error: TLS handshake failed
Mar  3 20:10:17 xxx openvpn[1879]: TCP/UDP: Closing socket


I have read lots and lots of search results from search engines, and it is apparently not one of the easier to spot issues. Following are some more details:

openvpn.conf:
Code:

tls-client
client
dev tun
proto udp
tun-mtu 1400
remote xxx xxx
pkcs12 xxx.p12
cipher BF-CBC
verb 4
ns-cert-type server
askpass


Some more things to know:

    * It DOES work in Win7 with this openvpn.conf (as client.ovpn, without the askpass) with OpenVPN 2.3.18.
    * The server is not controlled by me, but by a "provider" I can not really ask for Linux support or even for a logfile.
    * It also does not work in Ubuntu 16.04 (OpenVPN 2.3.10 and OpenSSL 1.0.2g) or 17.10 (OpenVPN 2.4.x and OpenSSL 1.0.2g) - same error message.
    * My Gentoo box has OpenVPN net-vpn/openvpn-2.4.4 and dev-libs/openssl-1.0.2n .
    * I have tried using the openvpn service as well as openvpn --config client.ovpn.
    * I already tried separating the p12 file to ca.crt, client.key and client.crt, resulting in the same error message.
    * I also tried to install the ca.crt in /etc/ssl/certs and using capath parameter, resulting in the same error message (both with the .p12 and separated).
    * The "server" is rumored to be an IPCop instance and installed not long ago (so probably quite fresh).
    * The .p12 file contains cert, ca-cert and key (protected) as expected.


I expect the problem to be some fundamental difference between the Windows build of OpenVPN and the Linux builds in general, but I can not find anything. Surely somebody must have tried the same?

If you know anything to try, please help :-)

Thank you very much!


Last edited by Qcumber-some on Tue Mar 06, 2018 8:31 am; edited 1 time in total
mike155 (Advocate; Joined: 17 Sep 2010; Posts: 4438; Location: Frankfurt, Germany)
Posted: Mon Mar 05, 2018 12:19 pm

Cryptography is difficult. The most difficult part is not the maths, but the stupid and misleading error messages you get from programs and libraries if something doesn't work.

I guess OpenVPN wants to tell you: I was able to establish a connection to the server and the server sent me its server certificate. I tried to verify the server certificate using the CA certificate - and that failed. I won't tell you the reason why it failed, because that would make it too easy for you to fix the problem. Instead, I will give you some stupid messages...

What you can do is: try to find out what's wrong with the server certificate. Extract the server certificate from the data stream sent by the server and write it to a file. Use OpenSSL to decode it and try to verify it with the CA certificate in your PKCS #12 file.