openvpn TLS handshake error in centos7

0

I want to use openvpn from centos7, but have been facing a TLS handshake error (and WARNING: No server certificate verification method has been enabled.)

code of client.ovpn file

client
dev tap
proto udp
remote 202.79.XX.XXX 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
#ca wlink-ca.pem
ca ca.crt
comp-lzo
verb 3
auth-user-pass
route-method exe
route-delay 2

I have 4 files in /etc/openvpn

  1. ca.crt
  2. client.ovpn
  3. easy-rsa
  4. README.txt

Output:

sudo openvpn --config client.ovpn 
Wed Mar 15 11:22:31 2017 OpenVPN 2.3.14 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec  7 2016
Wed Mar 15 11:22:31 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Enter Auth Username: ***************
Enter Auth Password: *****
Wed Mar 15 11:22:45 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Mar 15 11:22:45 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Mar 15 11:22:45 2017 UDPv4 link local: [undef]
Wed Mar 15 11:22:45 2017 UDPv4 link remote: [AF_INET]202.79.XX.XXX:1194
Wed Mar 15 11:22:45 2017 TLS: Initial packet from [AF_INET]202.79.32.115:1194, sid=9b186f7d ff710a3f
Wed Mar 15 11:22:45 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Mar 15 11:22:46 2017 VERIFY OK: depth=1, C=NP, ST=Bagmati, L=Kathmandu, O=Worldlink, OU=System, CN=something, emailAddress=something@something.com.np
Wed Mar 15 11:22:46 2017 VERIFY ERROR: depth=0, error=certificate signature failure: C=NP, ST=Bagmati, O=Worldlink, OU=System, CN=something, emailAddress=something@something.com.np
Wed Mar 15 11:22:46 2017 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Mar 15 11:22:46 2017 TLS_ERROR: BIO read tls_read_plaintext error
Wed Mar 15 11:22:46 2017 TLS Error: TLS object -> incoming plaintext read error
Wed Mar 15 11:22:46 2017 TLS Error: TLS handshake failed
Wed Mar 15 11:22:46 2017 SIGUSR1[soft,tls-error] received, process restarting
Wed Mar 15 11:22:46 2017 Restart pause, 2 second(s)
^CWed Mar 15 11:22:47 2017 SIGINT[hard,init_instance] received, process exiting

How can I fix this issue?

spandan pradhan

Posted 2017-03-15T05:53:47.567

Reputation: 53

Does the ovpn file have the public & private key made by easy-rsa embedded in it? – davidgo – 2017-03-15T09:06:20.337

01.pem ca.key client.csr dh2048.pem index.txt.attr serial ca.crt client.crt client.key index.txt index.txt.old serial.old

These are the files in /etc/openvpn/easy-rsa/2.0/keys/

I have pasted the codes of .ovpn file above. – spandan pradhan – 2017-03-15T09:54:33.517

I think we are talking past each other. Your ovpn files need to either embed the contents of the appropriate files or you need directives cert /etc/openvpn/easy-rsa/2.0/keys/client.crt (enter) key /etc/openvpn/easy-rsa/2.0/keys/client.key (enter) and you may need to change the ca line to have the full path as well. – davidgo – 2017-03-15T09:58:32.453

Whenever I append these two ( cert /etc/openvpn/easy-rsa/2.0/keys/client.crt key /etc/openvpn/easy-rsa/2.0/keys/client.key ) lines, I get the following error.

sudo openvpn --config client.ovpn Options error: In [CMD-LINE]:1: Error opening configuration file: client.ovpn Use --help for more information. – spandan pradhan – 2017-03-15T10:10:45.540

Are you running openvpn as root? – davidgo – 2017-03-15T10:40:08.887

yes, [root@centos7 username ] # – spandan pradhan – 2017-03-15T11:18:16.013

Try temporarily disabling selinux and see if that helps. – davidgo – 2017-03-15T18:39:00.030

Yes, I did that already. I think I am missing some .key file or some .cert certificate, since the error also shows No certification verification done. I am stuck. – spandan pradhan – 2017-03-20T10:55:22.453

Dear all, the problem is solved now. After changing the ovpn file (which the organization provided), the VPN connection is now successful. Thanks all for the suggestions and efforts. – spandan pradhan – 2018-01-07T07:13:22.007

No answers
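
As an added example (not part of the original thread and not OpenVPN's own code), this Python check parses a client config like the one in the question and flags the two conditions the log warns about, plus relative `ca`/`cert`/`key` paths of the kind raised in the comments. The set of directives treated as a server verification method and the finding names are assumptions of this example; the sample config is constructed from the question.

```python
import re

# Constructed sample: a subset of the client.ovpn directives quoted in the question.
SAMPLE = """\
client
remote 202.79.XX.XXX 1194
#ca wlink-ca.pem
ca ca.crt
auth-user-pass
"""

# Assumption: directives treated here as a server certificate verification method.
SERVER_VERIFY = {"remote-cert-tls", "remote-cert-eku", "verify-x509-name",
                 "ns-cert-type", "tls-remote", "tls-verify"}

def parse(text):
    """Map directive -> args; an inline <tag>...</tag> block maps to ["[inline]"]."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                       # inside an embedded PEM block
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            inline = m.group(1)
            directives[inline] = ["[inline]"]
            continue
        name, *args = line.split()
        directives[name] = args
    return directives

def lint(text):
    """Return finding codes for the two log warnings and for relative file paths."""
    d, findings = parse(text), []
    if ("client" in d or "tls-client" in d) and not SERVER_VERIFY & d.keys():
        findings.append("no-server-cert-verification")
    if "auth-user-pass" in d and "auth-nocache" not in d:
        findings.append("password-cached-in-memory")
    for name in ("ca", "cert", "key"):
        args = d.get(name)
        if args and args[0] != "[inline]" and not args[0].startswith("/"):
            findings.append(f"relative-path:{name}")
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE))
```

A clean result from this check does not address the `certificate signature failure` at depth=0 in the log, which concerns the certificate the server presented rather than a missing client directive.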