
#1 2017-06-25 12:04:47

graysky
Wiki Maintainer

Unable to generate functional openvpn (client.conf) recently

I am unable to connect to my openvpn server on a new box (new box runs Arch x86_64 and client box also runs Arch x86_64).  The error in the client's log is as follows:

# openvpn /etc/openvpn/client/client.conf     
Sun Jun 25 07:37:12 2017 OpenVPN 2.4.3 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 21 2017
Sun Jun 25 07:37:12 2017 library versions: OpenSSL 1.1.0f  25 May 2017, LZO 2.10
Sun Jun 25 07:37:12 2017 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jun 25 07:37:12 2017 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jun 25 07:37:12 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:443
Sun Jun 25 07:37:12 2017 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun Jun 25 07:37:12 2017 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:443 [nonblock]
Sun Jun 25 07:37:13 2017 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
Sun Jun 25 07:37:13 2017 TCP_CLIENT link local: (not bound)
Sun Jun 25 07:37:13 2017 TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
Sun Jun 25 07:37:13 2017 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:443, sid=da26dcc7 994b1462
Sun Jun 25 07:37:13 2017 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=Sunshine CA
Sun Jun 25 07:37:13 2017 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Sun Jun 25 07:37:13 2017 TLS_ERROR: BIO read tls_read_plaintext error
Sun Jun 25 07:37:13 2017 TLS Error: TLS object -> incoming plaintext read error
Sun Jun 25 07:37:13 2017 TLS Error: TLS handshake failed
Sun Jun 25 07:37:13 2017 Fatal TLS error (check_tls_errors_co), restarting
Sun Jun 25 07:37:13 2017 SIGUSR1[soft,tls-error] received, process restarting
Sun Jun 25 07:37:13 2017 Restart pause, 5 second(s)

It seems that the key error has to do with a problem with my ca.crt, but when I verified the client.crt against it, they check out:

# openssl verify -CAfile /etc/openvpn/server/ca.crt /etc/easy-rsa/pki/signed/client.crt 
/etc/easy-rsa/pki/signed/client.crt: OK

I generated the server files and client files following the Easy-RSA article (most of which I actually wrote :) a while ago, and I have used it successfully to do this a few times back in November of 2016, so I know that at least at that time, it worked).

Any suggestions are welcomed to troubleshoot.

For reference, I used ovpngen to make the client.conf file, which I show sanitized below:

client
dev tun
remote my.fqdn.org 443 tcp
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
cipher AES-256-CBC
auth SHA512
comp-lzo
remote-cert-tls server
key-direction 1
<ca>
... omitted ...
</ca>
<cert>
... omitted ...
</cert>
<key>
... omitted ...
</key>
<tls-auth>
... omitted ...
</tls-auth>

CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs


#2 2017-06-25 14:29:47

R00KIE
Forum Fellow

Re: Unable to generate functional openvpn (client.conf) recently

For testing purposes I would comment "remote-cert-tls server" and "key-direction 1" and see if it works.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K


#3 2017-06-25 15:03:42

brebs
Member

Re: Unable to generate functional openvpn (client.conf) recently

See non-trusted by default answer.

A man-in-the-middle attacker could create a "self-signed cert" just as easily as you can ;)

How does openvpn/openssl know that you *trust* the signer?


#4 2017-06-25 15:05:52

graysky
Wiki Maintainer

Re: Unable to generate functional openvpn (client.conf) recently

R00KIE wrote:

For testing purposes I would comment "remote-cert-tls server" and "key-direction 1" and see if it works.

No change in the error with that line commented, unfortunately for me:

# openvpn /etc/openvpn/client/client.conf
Sun Jun 25 11:04:05 2017 OpenVPN 2.4.3 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 21 2017
Sun Jun 25 11:04:05 2017 library versions: OpenSSL 1.1.0f  25 May 2017, LZO 2.10
Sun Jun 25 11:04:05 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Jun 25 11:04:05 2017 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jun 25 11:04:05 2017 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jun 25 11:04:05 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:443
Sun Jun 25 11:04:05 2017 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun Jun 25 11:04:05 2017 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:443 [nonblock]
Sun Jun 25 11:04:06 2017 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
Sun Jun 25 11:04:06 2017 TCP_CLIENT link local: (not bound)
Sun Jun 25 11:04:06 2017 TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
Sun Jun 25 11:04:06 2017 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:443, sid=8ed48ff1 74af2f6a
Sun Jun 25 11:04:06 2017 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=Easy-RSA CA
Sun Jun 25 11:04:06 2017 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Sun Jun 25 11:04:06 2017 TLS_ERROR: BIO read tls_read_plaintext error
Sun Jun 25 11:04:06 2017 TLS Error: TLS object -> incoming plaintext read error
Sun Jun 25 11:04:06 2017 TLS Error: TLS handshake failed
Sun Jun 25 11:04:06 2017 Fatal TLS error (check_tls_errors_co), restarting
Sun Jun 25 11:04:06 2017 SIGUSR1[soft,tls-error] received, process restarting
Sun Jun 25 11:04:06 2017 Restart pause, 5 second(s)
Sun Jun 25 11:04:09 2017 SIGINT[hard,init_instance] received, process exiting



#5 2017-06-25 15:29:38

graysky
Wiki Maintainer

Re: Unable to generate functional openvpn (client.conf) recently

brebs wrote:

See non-trusted by default answer.

A man-in-the-middle attacker could create a "self-signed cert" just as easily as you can ;)

How does openvpn/openssl know that you *trust* the signer?

Interesting link and new to me since I wrote the guide circa Nov/2016.  Two questions:

1) Why does my other OpenVPN server work as-is (again, I spun it up in Nov. 2016)?  Perhaps something new introduced in openssl since then?
2) If you look at the Easy-RSA wiki page, how would you recommend incorporating the steps that aren't immediately obvious to me from the link you posted to give a functional setup?  For example, I am not finding any pem formatted files on my CA machine.

I'd like to update that wiki page not only for my benefit but for the benefit of others.  Thank you!



#6 2017-06-25 15:30:59

R00KIE
Forum Fellow

Re: Unable to generate functional openvpn (client.conf) recently

brebs wrote:

How does openvpn/openssl know that you *trust* the signer?

Maybe because with easy-rsa you create and control the CA that signs both server and client certificates, so I'm not sure it will be identified as self-signed.

@graysky
You could try to have the certificates and private keys in separate files and call/include them from the openvpn configuration file. On Linux I've never been able to make things work when I embed the certs and key files in the main configuration file.

If that doesn't work you can try recreating everything from scratch. As in using the current easy-rsa to create the CA, then generate the certificates and sign requests, sign the requests, etc., the whole nine yards.



#7 2017-06-25 15:37:07

graysky
Wiki Maintainer

Re: Unable to generate functional openvpn (client.conf) recently

R00KIE wrote:

If that doesn't work you can try recreating everything from scratch. As in using the current easy-rsa to create the CA, then generate the certificates and sign requests, sign the requests, etc., the whole nine yards.

This takes me back to my original post.  I nuked everything on my CA server (workstation) and on my OpenVPN server (lxc) under both /etc/easy-rsa and /etc/openvpn.  I followed the steps on the Easy-RSA wiki page a half dozen times, which ultimately led me to post here out of frustration :)

Perhaps the best next step is to ask you or someone who isn't me to try to follow that wiki page to verify that I am not omitting a step or making a serial mistake.  Would you (or any other reader) be willing to try and verify?  If unsuccessful, then I think we need to consider the link brebs posted or some third option.



#8 2017-06-25 17:12:41

brebs
Member

Re: Unable to generate functional openvpn (client.conf) recently

Given "VERIFY ERROR: depth=1, error=self signed certificate in certificate chain" - are any of the involved certificates (client, server or CA) self-signed?

This might be some additional strictness, or even a bug, caused by Arch's use of openssl 1.1.


#9 2017-06-25 17:44:47

graysky
Wiki Maintainer

Re: Unable to generate functional openvpn (client.conf) recently

@brebs - Yes, if you check out the steps on the wiki page, it requires that we use a self-signed CA certificate (called ca.crt).  Since this worked in the November 2016 time frame (we were on openssl-1.0.2j-1 then), it really makes me think it's a bug (our cause or upstream).

EDIT:  downgrading to test is complicated in this case:

% sudo pacman -U /scratch/openssl-1.0.2.j-1-x86_64.pkg.tar.xz
loading packages...
warning: downgrading package openssl (1.1.0.f-1 => 1.0.2.j-1)
resolving dependencies...
looking for conflicting packages...

Packages (1) openssl-1.0.2.j-1

Total Installed Size:  6.99 MiB
Net Upgrade Size:      0.73 MiB

:: Proceed with installation? [Y/n] 
(1/1) checking keys in keyring                                               [############################################] 100%
(1/1) checking package integrity                                             [############################################] 100%
(1/1) loading package files                                                  [############################################] 100%
(1/1) checking for file conflicts                                            [############################################] 100%
error: failed to commit transaction (conflicting files)
openssl: /usr/lib/libcrypto.so.1.0.0 exists in filesystem
openssl: /usr/lib/libssl.so.1.0.0 exists in filesystem
Errors occurred, no packages were upgraded.

% pacman -Qo /usr/lib/libssl.so.1.0.0
/usr/lib/libssl.so.1.0.0 is owned by openssl-1.0 1.0.2.l-1

Last edited by graysky (2017-06-25 17:49:22)



#10 2017-06-25 18:50:00

R00KIE
Forum Fellow

Re: Unable to generate functional openvpn (client.conf) recently

The steps on the wiki look about right; I guess that is what I followed not long ago to set up everything again for my machines, and it worked both with openvpn and also stunnel, which also uses certificates.

Can you also post your sanitized server config file? Maybe you are overlooking something on the server side, and even if you aren't at least we get a more complete picture of the problem.



#11 2017-06-25 18:56:36

graysky
Wiki Maintainer

Re: Unable to generate functional openvpn (client.conf) recently

R00KIE wrote:

Can you also post your sanitized server config file? Maybe you are overlooking something on the server side, and even if you aren't at least we get a more complete picture of the problem.

Thanks for the time and effort to review.  Please find complete logs and example conf files in FS#54589.



#12 2017-06-25 20:05:55

brebs
Member

Re: Unable to generate functional openvpn (client.conf) recently

Why does the CN keep changing, in your examples:

CN=Sunshine CA
CN=Easy-RSA CA
CN=ease CA (from your bug report)

Is it just because you've recreated all the certs?

On Linux I've never been able to make things work when I embed the certs

And I've never tried - I definitely also recommend just referring to separate cert files - especially since the most likely problem, I reckon, is that the client openvpn is not recognizing the server's CA, even though you are specifying it on the client.

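An added diagnostic for the mismatch brebs suspects in #12 (client not recognizing the server's CA) and the `openssl verify` check graysky ran in #1; this is example code, not from any poster in this thread. It pulls the inline `<ca>` block out of client.conf and compares the SHA-256 fingerprint of its DER payload with the server's ca.crt, using only the Python standard library. The config strings and PEM bodies are constructed placeholders, not real certificates.

```python
"""Check that the CA embedded inline in an OpenVPN client.conf is the same
certificate as the ca.crt the server trusts. Added example, not from the thread."""
import base64
import hashlib
import re

# Matches OpenVPN inline blocks such as <ca> ... </ca>, <cert> ... </cert>.
INLINE_BLOCK = re.compile(r"<(ca|cert|key|tls-auth)>\s*(.*?)\s*</\1>", re.S)
# Matches the base64 body of the first PEM object in a text.
PEM_BODY = re.compile(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)


def extract_inline_blocks(conf_text):
    """Return {tag: block_text} for every inline <tag>...</tag> in a config."""
    return {tag: body for tag, body in INLINE_BLOCK.findall(conf_text)}


def pem_fingerprint(pem_text):
    """SHA-256 hex fingerprint of the DER payload of the first PEM object.
    Equivalent to `openssl x509 -noout -fingerprint -sha256` for a real cert."""
    m = PEM_BODY.search(pem_text)
    if m is None:
        raise ValueError("no PEM object found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def client_ca_matches_server(client_conf_text, server_ca_pem):
    """True when the <ca> block in the client config is byte-for-byte the
    server's ca.crt. A different CA here is a common cause of
    'self signed certificate in certificate chain' at depth=1."""
    blocks = extract_inline_blocks(client_conf_text)
    if "ca" not in blocks:
        return False
    return pem_fingerprint(blocks["ca"]) == pem_fingerprint(server_ca_pem)


# Constructed sample data: the base64 bodies are placeholders, not real certs.
SERVER_CA = "-----BEGIN CERTIFICATE-----\nU2VydmVyIENBIHBsYWNlaG9sZGVy\n-----END CERTIFICATE-----\n"
STALE_CA = "-----BEGIN CERTIFICATE-----\nU3RhbGUgQ0EgcGxhY2Vob2xkZXI=\n-----END CERTIFICATE-----\n"
GOOD_CONF = "client\ndev tun\nremote my.fqdn.org 443 tcp\n<ca>\n" + SERVER_CA + "</ca>\n"
BAD_CONF = "client\ndev tun\nremote my.fqdn.org 443 tcp\n<ca>\n" + STALE_CA + "</ca>\n"

if __name__ == "__main__":
    print("good config CA matches server:", client_ca_matches_server(GOOD_CONF, SERVER_CA))
    print("stale config CA matches server:", client_ca_matches_server(BAD_CONF, SERVER_CA))
```

On a real setup, read client.conf and the server's /etc/openvpn/server/ca.crt into the two arguments; a False result means the client is trusting a different CA than the one that signed the server certificate.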

#13 2017-06-25 20:08:30

graysky
Wiki Maintainer

Re: Unable to generate functional openvpn (client.conf) recently

@brebs - Yes, I have repeated the process several times, some following the wiki, some following the easy rsa docs, some following misc sources and changed file names each time in an attempt to see about any key differences retrospectively.


