Netgate Discussion Forum

    OpenVPN Newbie connection error

czar666:

You made a typo in your config file on the client side. Check your public IP address: 189.211.133.690:1194


cmb:

@czar666:

You made a typo in your config file on the client side. Check your public IP address: 189.211.133.690:1194

        Good point! Didn't catch that. Maybe that was just typoed in an obfuscation attempt though, I think it would have errored out differently if trying to connect to an IP that isn't actually an IP. :)


r0utevv3:

Yes, I changed it in the post because I have heard that it is not secure to publish your public IP address on the Internet, although maybe I am just being paranoid. Nevertheless my real IP address is correct (I checked it here: https://www.whatismyip.com/). I did what you told me in Diagnostics: Show States, and it says: No states were found. I think that maybe it gets to my WAN, but then it has problems getting to my pfSense box. But it's strange because my ISP modem is configured in demilitarized zone mode. So I think it's something related to pfSense, but I am not sure.

          It's not a bug, it's an undocumented feature


r0utevv3:

I fixed it, the DMZ was not pointing to the IP address of my pfSense box, but now I have another problem. When it's trying to connect it says:

Sat Jul 02 17:25:19 2016 OpenVPN 2.3.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
Sat Jul 02 17:25:19 2016 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Sat Jul 02 17:25:35 2016 Control Channel Authentication: using 'pfSense-udp-1194-vpnuser-tls.key' as a OpenVPN static key file
Sat Jul 02 17:25:35 2016 UDPv4 link local (bound): [undef]
Sat Jul 02 17:25:35 2016 UDPv4 link remote: [AF_INET]189.211.xxx.xxx:1194
Sat Jul 02 17:26:06 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Jul 02 17:26:06 2016 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=MX, ST=xxxxxx, L=xxxxxx, O=My Company, emailAddress=xxxxxxxxxxxx@gmail.com, CN=vpnuser
Sat Jul 02 17:26:06 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Jul 02 17:26:06 2016 TLS Error: TLS object -> incoming plaintext read error
Sat Jul 02 17:26:06 2016 TLS Error: TLS handshake failed
Sat Jul 02 17:26:06 2016 SIGUSR1[soft,tls-error] received, process restarting

I found in some posts with the same problem that this means I am using a server certificate to authenticate a client, or vice versa. But I don't see why it is wrong; to me both certificates are correct, and I used the tool in the client export utility to install OpenVPN in Windows.

In OpenVPN - Server - Cryptographic Settings I have:

Peer Certificate Authority: VPN Server CA

and

Server Certificate: vpnuser (CA: VPN Server CA) *In Use

divsys:

              If you go to "System->Certificate Manager>Certificates" you'll see the certificate you created for the Server and the Client.
              The Server uses a "Server" type certificate (whoda thunk?) and the Client uses a "User" type certificate.
              Somehow you've got the wrong type for one or both, commonly it's trying to use a "Server" type certificate for the Client.

              Recreate the Certificate to the correct type, re-export and install and it'll probably work fine.

              -jfp


r0utevv3:
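The Server/User type distinction divsys describes, as an added example that is not part of the thread: a shell script that builds a throwaway CA with the openssl CLI, issues one certificate of each type, and shows which one OpenSSL accepts for the sslserver purpose and which one produces the same "unsupported certificate purpose" error seen in the client log above. All names (CA, vpnserver, vpnuser) are constructed placeholders, not the poster's certificates.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the client's "unsupported
# certificate purpose" error offline with the openssl CLI. A throwaway CA issues
# a "Server" type cert (EKU serverAuth) and a "User" type cert (EKU clientAuth);
# each is verified for the sslserver purpose, the check an OpenVPN client applies.
set -eu
WORK=$(mktemp -d)           # all constructed material lives here
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA (placeholder name, not the poster's CA), valid for one day.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=VPN Server CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_cert NAME EKU: sign a leaf cert for NAME with the given extendedKeyUsage.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$2" \
    > "$WORK/$1.ext"
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# show_eku CERT: print the Extended Key Usage value, which is what separates a
# pfSense "Server Certificate" from a "User Certificate".
show_eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' \
    | tail -n 1 | sed 's/^ *//'
}

# check_server_purpose CERT: exit 0 if CERT is acceptable as a TLS server cert.
check_server_purpose() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver "$1" >/dev/null 2>&1
}

# server_purpose_error CERT: print OpenSSL's purpose error text, or nothing.
server_purpose_error() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver "$1" 2>&1 \
    | grep -o 'unsupported certificate purpose' || true
}

issue_cert vpnserver serverAuth   # what the OpenVPN server should present
issue_cert vpnuser clientAuth     # what the tutorial wrongly put on the server
for name in vpnserver vpnuser; do
  printf '%-9s EKU: %s -> ' "$name" "$(show_eku "$WORK/$name.crt")"
  if check_server_purpose "$WORK/$name.crt"; then echo "OK as server cert"
  else echo "REJECTED: $(server_purpose_error "$WORK/$name.crt")"; fi
done
```

The same `openssl verify -purpose sslserver` check can be run against a certificate exported from System > Certificate Manager to confirm its type before assigning it to an OpenVPN server.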

I think they are correct, I followed every single step in some tutorials, maybe it is something else.

johnpoz (LAYER 8 Global Moderator):

                  You think they are fine… Why not actually check them and post that they are fine.. Vs just thinking..

                  The wizard if you ran through it on pfsense will not allow you to create wrong cert for the server side.  But what did you create for the user?

                  See mine attached..  You can see both issued by same CA my openvpn CA.  There is a server one which is in use by the openvpn server.  And then there is a user cert..  If you actually validate this we will all be on the same page vs just guessing.

BTW that tutorial is OLD, from pfsense 2.0.1 and doesn't even use the wizard to create the CA, etc..  And has you create a user in your usermanage, etc. Which you do not need! Freaking idiot couldn't even use the right certs when walking through the wizard..

And then for the server he picks the user cert.. So if you followed that tutorial then yeah it's going to FAIL..  See 2nd attachment showing him picking the wrong cert for the server.  It was correct using the server cert, then he changed it to a user cert..

Attachments: vpncerts.jpg, wrongcert.jpg

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11


r0utevv3:

                    Yes, I attached an image. VPN Server Cert has nothing in the section "In Use", while VPNUserCert has UserCert and OpenVPN Server. Is this the problem? How can I change it?

Attachment: Imagen1.png

johnpoz (LAYER 8 Global Moderator):

From that pic you're using the same cert, the vpnusercert, as your server and as a user - so yeah fail.  Just like the tutorial showed you do ;)  Anyone following that tutorial is going to FAIL if they follow it.. Because that is exactly what he shows doing..

                      Change the cert on the vpn server to use your vpn server cert..

Attachment: vpnservercert.jpg

r0utevv3:

                        Thanks! You are right, that tutorial is wrong. Now it works perfectly!!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.