
Has anyone seen this error before with OpenVPN?

Secure Connection Failed

An error occurred during a connection to openvpn.example.com. PR_END_OF_FILE_ERROR

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

I looked at the log file /var/log/openvpnas.log and found the following:

2021-09-14T19:58:23+0000 [stdout#info] [OVPN 0] OUT: 'Tue Sep 14 19:58:23 2021 myip:11301 Connection reset, restarting [0]'
2021-09-14T19:58:23+0000 [stdout#info] [OVPN 0] OUT: 'Tue Sep 14 19:58:23 2021 myip:11301 SIGUSR1[soft,connection-reset] received, client-instance restarting'
2021-09-14T19:59:13+0000 [stdout#info] [OVPN 0] OUT: 'Tue Sep 14 19:59:13 2021 TCP connection established with [AF_INET]myip:10603'
2021-09-14T19:59:13+0000 [stdout#info] [OVPN 0] OUT: 'Tue Sep 14 19:59:13 2021 Socket flags: TCP_NODELAY=1 succeeded'
2021-09-14T19:59:13+0000 [stdout#info] [OVPN 0] OUT: 'Tue Sep 14 19:59:13 2021 myip:10603 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]'
2021-09-14T19:59:13+0000 [stdout#info] [OVPN 0] OUT: 'Tue Sep 14 19:59:13 2021 myip:10603 Connection reset, restarting [0]'
2021-09-14T19:59:13+0000 [stdout#info] [OVPN 0] OUT: 'Tue Sep 14 19:59:13 2021 myip:10603 SIGUSR1[soft,connection-reset] received, client-instance restarting'

It seems like my request is making it to the instance, as per the logs in GCP logging:

{
  insertId: "148f4tog64jclgg"
  jsonPayload: {
    connection: {
      dest_ip: "*******"
      dest_port: 443
      protocol: 6
      src_ip: "*********"
      src_port: ****
    }
    disposition: "ALLOWED"
    instance: {

but I have no idea why it's getting dropped. Has anyone experienced something similar?

Sunny J
  • Maybe related to the certificate, but not sure where or how to validate this. – Sunny J Sep 14 '21 at 20:16
  • I think you have a mismatched MTU value between OpenVPN and your VPC. The default Google Cloud VPC MTU is 1460 bytes. This article might help you with OpenVPN MTU/MSS: https://www.sonassi.net/help/troubleshooting/setting-correct-mtu-for-openvpn In summary, try adding **mssfix 1420** to your OpenVPN configuration file and reboot everything. MSS = MTU - 40. – John Hanley Sep 14 '21 at 21:17
  • have you also tried using a different ISP service? – Alex G Sep 15 '21 at 05:17
  • The reason I mention MTU is that the error message mentions MTU. For your last comment, please put that information in your question with context so that it is readable and understandable. – John Hanley Sep 15 '21 at 19:32
  • Thanks John, I found a solution and will post the answer here. Thanks again for your help looking into this. – Sunny J Sep 15 '21 at 20:06
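Before changing MTU settings it is worth decoding the number in the question's warning. OpenVPN in TCP mode prefixes every packet with a 2-byte big-endian length, and 5635 is 0x1603: the content type (0x16, handshake) followed by the major version byte (0x03) of a TLS record. That is what a browser's ClientHello looks like when it lands on the OpenVPN TCP daemon on port 443 instead of the web server. The Python below is an added example, not code from the original post or from OpenVPN; it reproduces the daemon's length check using the 1627-byte limit quoted in the posted warning and classifies the first bytes of a connection. The sample byte strings are constructed, not captured from the poster's server.

```python
import struct

# Limit quoted in the Access Server log on this page: the 2-byte length
# prefix of OpenVPN's TCP framing must be > 0 and <= 1627 for this link.
MAX_ENCAPSULATED_LEN = 1627

# TLS record header: ContentType (1 byte) + ProtocolVersion (2 bytes).
TLS_HANDSHAKE = 0x16   # ContentType "handshake" (ClientHello lives here)
TLS_MAJOR = 0x03       # major version byte shared by TLS 1.0 - 1.3 records


def openvpn_tcp_frame_length(first_bytes: bytes) -> int:
    """Read the first two bytes of a TCP stream the way an OpenVPN TCP
    server does: a big-endian uint16 giving the length of the next packet."""
    if len(first_bytes) < 2:
        raise ValueError("need at least two bytes")
    return struct.unpack("!H", first_bytes[:2])[0]


def looks_like_tls_record(first_bytes: bytes) -> bool:
    """True when the stream starts with a TLS handshake record header."""
    return (len(first_bytes) >= 3
            and first_bytes[0] == TLS_HANDSHAKE
            and first_bytes[1] == TLS_MAJOR)


def classify_first_bytes(first_bytes: bytes) -> str:
    """Reproduce the server's decision and name the likely cause.

    "ok"            length prefix within (0, MAX_ENCAPSULATED_LEN]
    "tls-handshake" the "bad length" is really a TLS record header
    "bad-length"    out of range and not TLS: MTU mismatch, garbage, or an
                    active attack on the TCP link, as the warning says
    """
    n = openvpn_tcp_frame_length(first_bytes)
    if 0 < n <= MAX_ENCAPSULATED_LEN:
        return "ok"
    if looks_like_tls_record(first_bytes):
        return "tls-handshake"
    return "bad-length"


def explain_bad_length(n: int) -> str:
    """Decode the value from 'Bad encapsulated packet length from peer (n)'."""
    hi, lo = n >> 8, n & 0xFF
    if hi == TLS_HANDSHAKE and lo == TLS_MAJOR:
        return (f"{n} = 0x{n:04x}: first two bytes of a TLS handshake record "
                f"(content type 0x16, version 0x03xx), not an OpenVPN packet")
    return (f"{n} = 0x{n:04x}: not a TLS record header; "
            f"check --tun-mtu/--link-mtu on both peers")


# Constructed sample inputs (not captured from the poster's server).
CLIENT_HELLO_PREFIX = bytes.fromhex("160301") + b"\x00\xf4\x01\x00"  # TLS record, ClientHello
OPENVPN_RESET_PREFIX = bytes.fromhex("000e38")  # len 14, opcode 0x38 = HARD_RESET_CLIENT_V2
GARBAGE_PREFIX = bytes.fromhex("ffff0000")      # length 65535, no TLS signature

if __name__ == "__main__":
    for name, data in [("browser TLS", CLIENT_HELLO_PREFIX),
                       ("openvpn client", OPENVPN_RESET_PREFIX),
                       ("garbage", GARBAGE_PREFIX)]:
        print(f"{name:15s} len={openvpn_tcp_frame_length(data):5d} -> {classify_first_bytes(data)}")
    print(explain_bad_length(5635))
```

Run as-is it prints the classification for each sample and the decoding of 5635. From the client side the same condition is visible with `openssl s_client -connect openvpn.example.com:443`: the daemon resets the connection before any certificate is sent, which is consistent with Firefox reporting PR_END_OF_FILE_ERROR. That points at the TLS/web side of Access Server rather than at the VPN tunnel MTU.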

1 Answer


I reached out to the OpenVPN Support team and they were able to help confirm the root cause and provided a solution.

There is something wrong with your certificates or the configuration of it. It's basically telling you what's wrong.

"error", "cert bundle validation error: [Errno 2] No such file or directory: u'':

Looks like the value for cs.ca_bundle is empty. The configuration key should either not be present at all (not set to empty) so it falls back to the built-in self-signed certificates, or it should contain a path to a file that contains the CA bundle, or it should contain the CA certificate bundle in-line. But it should not be empty, and it looks like it is empty.

"error", "certificate validation error: [('PEM routines', 'get_name', 'no start line')]:
"error", "private key validation error: [('PEM routines', 'get_name', 'no start line')]:

Looks like whatever you put into the cs.cert and cs.priv_key value is not valid, or whatever it is finding there doesn't have the correct start line that a PEM type certificate or private key should have.

It's no wonder that the web interface doesn't work right. It doesn't have what it needs to start up correctly. I suggest you roll Access Server back to self-signed certificates. That should get your web interface working again. And then work on putting the correct and valid certificates in.

I believe this document can help you further: https://openvpn.net/vpn-server-resource ... rtificate/

Particularly these instructions will generate self-signed certificates and configure them for use in Access Server (run commands as root user):

Regenerate self-signed certificates (overwrites existing ones):

cd /usr/local/openvpn_as/scripts/
# new private web CA
./certool -d /usr/local/openvpn_as/etc/web-ssl --type ca --unique --cn "OpenVPN Web CA"
# server certificate signed by that CA; use your server's real hostname as --cn
./certool -d /usr/local/openvpn_as/etc/web-ssl --type server --remove_csr --sn_off --serial 1 --name server --cn vpn.example.com
./sacli start

Remove web certificates and keys from the configuration (so it falls back to the self-signed certs you just created):

cd /usr/local/openvpn_as/scripts/
./sacli --key "cs.cert" ConfigDel
./sacli --key "cs.priv_key" ConfigDel
./sacli --key "cs.ca_bundle" ConfigDel
./sacli --key "cs.ca_key" ConfigDel

./sacli start

Thanks to @Johnan from the OVPN community. See full answer here.

Sunny J
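The answer's diagnosis rests on a loading rule for the web-SSL keys: a key that is absent falls back to the built-in self-signed certificate, an empty value is an error, and anything else is either a path to a PEM file or the PEM text itself. The Python below is an added example, not Access Server code or anything from the original answer; it reconstructs that rule from the quoted error messages as a pre-flight check you can run over the values before handing them to `sacli`, so that a broken paste is caught before the web interface stops starting. The config dictionaries, the inline-vs-path heuristic and the placeholder PEM bodies are all constructed for the example and are assumptions, not Access Server's real behaviour or real key material.

```python
from typing import Dict, Optional

# Assumed loading rule, reconstructed from the error messages quoted in the
# answer (not Access Server's actual code):
#   key absent            -> "fallback": built-in self-signed certificate is used
#   value is inline PEM   -> must begin with the right -----BEGIN ...----- line
#   anything else         -> treated as a file path and opened
# An empty string therefore takes the path branch, which is exactly the
# "[Errno 2] No such file or directory: u''" that the support reply quotes.

EXPECTED_HEADERS = {
    "cs.cert": ("-----BEGIN CERTIFICATE-----",),
    "cs.ca_bundle": ("-----BEGIN CERTIFICATE-----",),
    "cs.priv_key": ("-----BEGIN PRIVATE KEY-----",
                    "-----BEGIN RSA PRIVATE KEY-----",
                    "-----BEGIN EC PRIVATE KEY-----"),
    "cs.ca_key": ("-----BEGIN PRIVATE KEY-----",
                  "-----BEGIN RSA PRIVATE KEY-----",
                  "-----BEGIN EC PRIVATE KEY-----"),
}


def _is_inline_pem(value: str) -> bool:
    # Heuristic (assumption): pasted PEM spans several lines or starts with
    # the dashed header; a file path does neither.
    return "\n" in value or value.startswith("-----")


def _pem_text(value: str) -> str:
    if _is_inline_pem(value):
        return value
    with open(value, "r", encoding="ascii") as fh:   # '' or a bad path raises here
        return fh.read()


def check_web_ssl_key(key: str, value: Optional[str]) -> str:
    """Return 'fallback', 'ok', or an 'error: ...' string for one config key."""
    if value is None:
        return "fallback"
    try:
        pem = _pem_text(value)
    except OSError as exc:
        return f"error: [Errno {exc.errno}] {exc.strerror}: {value!r}"
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip()]
    if not lines or lines[0] not in EXPECTED_HEADERS[key]:
        # What OpenSSL reports as ('PEM routines', 'get_name', 'no start line')
        return "error: PEM routines get_name no start line"
    if not lines[-1].startswith("-----END "):
        return "error: PEM block is truncated (no END line)"
    return "ok"


def check_web_ssl_config(config: Dict[str, str]) -> Dict[str, str]:
    """Check all four web-SSL keys; config mirrors what `sacli ConfigQuery` would show."""
    return {key: check_web_ssl_key(key, config.get(key)) for key in EXPECTED_HEADERS}


# Constructed sample configs. The PEM bodies are placeholders with only the
# framing right; they are not real certificates or keys.
PLACEHOLDER_BODY = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

BROKEN_CONFIG = {
    "cs.ca_bundle": "",                                            # set but empty
    "cs.cert": f"{PLACEHOLDER_BODY}\n-----END CERTIFICATE-----\n",  # BEGIN line lost in the paste
    "cs.priv_key": f"{PLACEHOLDER_BODY}\n-----END PRIVATE KEY-----\n",
}

AFTER_CONFIGDEL = {}   # the four ConfigDel commands leave no cs.* keys at all

INLINE_OK_CONFIG = {
    "cs.cert": f"-----BEGIN CERTIFICATE-----\n{PLACEHOLDER_BODY}\n-----END CERTIFICATE-----\n",
    "cs.priv_key": f"-----BEGIN PRIVATE KEY-----\n{PLACEHOLDER_BODY}\n-----END PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for name, cfg in [("broken", BROKEN_CONFIG),
                      ("after ConfigDel", AFTER_CONFIGDEL),
                      ("inline ok", INLINE_OK_CONFIG)]:
        print(name)
        for key, result in check_web_ssl_config(cfg).items():
            print(f"  {key:13s} {result}")
```

This only checks framing, which is all the quoted errors are about. Once every key reports `ok`, the next checks a practitioner would run before restarting are `openssl x509 -noout -pubkey -in cert.pem` against `openssl pkey -pubout -in key.pem` to confirm the key matches the certificate, and `openssl verify -CAfile bundle.pem cert.pem` to confirm the chain in cs.ca_bundle actually issues it.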