[SOLVED] OpenVPN to pfSense box/server behind it, error=unsupported certificate



  • Help me to understand what I did wrong.
    Why would certificate be unsupported?

    Wed Sep 13 17:04:50 2017 OpenVPN 2.4.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jul 14 2017
    Wed Sep 13 17:04:50 2017 Windows version 6.2 (Windows 8 or greater) 64bit
    Wed Sep 13 17:04:50 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
    Wed Sep 13 17:05:07 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
    Wed Sep 13 17:05:07 2017 UDP link local (bound): [AF_INET][undef]:1194
    Wed Sep 13 17:05:07 2017 UDP link remote: [AF_INET]x.x.x.x:1194
    Wed Sep 13 17:05:07 2017 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
    Wed Sep 13 17:05:07 2017 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=US, ST=Maryland, L=Parkville, O=Maryland Healthcare Clinics, emailAddress=vbrodov@mdhealthcorp.com, CN=mhcvpn.com, OU=IT
    Wed Sep 13 17:05:07 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    Wed Sep 13 17:05:07 2017 TLS_ERROR: BIO read tls_read_plaintext error
    Wed Sep 13 17:05:07 2017 TLS Error: TLS object -> incoming plaintext read error
    Wed Sep 13 17:05:07 2017 TLS Error: TLS handshake failed
    Wed Sep 13 17:05:07 2017 SIGUSR1[soft,tls-error] received, process restarting
    Wed Sep 13 17:05:12 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
    Wed Sep 13 17:05:12 2017 UDP link local (bound): [AF_INET][undef]:1194
    Wed Sep 13 17:05:12 2017 UDP link remote: [AF_INET]x.x.x.x:1194
    Wed Sep 13 17:05:12 2017 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
    Wed Sep 13 17:05:12 2017 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=US, ST=Maryland, L=Parkville, O=Maryland Healthcare Clinics, emailAddress=cool@beans.com, CN=mhcvpn.com, OU=IT
    Wed Sep 13 17:05:12 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    Wed Sep 13 17:05:12 2017 TLS_ERROR: BIO read tls_read_plaintext error
    Wed Sep 13 17:05:12 2017 TLS Error: TLS object -> incoming plaintext read error
    Wed Sep 13 17:05:12 2017 TLS Error: TLS handshake failed
    Wed Sep 13 17:05:12 2017 SIGUSR1[soft,tls-error] received, process restarting
    Wed Sep 13 17:05:17 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
    Wed Sep 13 17:05:17 2017 UDP link local (bound): [AF_INET][undef]:1194
    Wed Sep 13 17:05:17 2017 UDP link remote: [AF_INET]x.x.x.x:1194
    Wed Sep 13 17:05:17 2017 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_ACK_V1)
    Wed Sep 13 17:05:19 2017 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_ACK_V1)
    Wed Sep 13 17:05:22 2017 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
    Wed Sep 13 17:05:23 2017 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)

    Also, under configuration "IPv4 Tunnel Network" do I put local subnet of the client I am trying to connect from?


  • Rebel Alliance Developer Netgate

    "unsupported certificate purpose" usually means the certificate chosen for your server was not generated as a server certificate, but as a user certificate. You may need to make a new server certificate.

    IPv4 Tunnel network is a unique, unused network only for the VPN clients.

    Your local network you want them to reach goes in IPv4 Local Network.
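    The diagnosis above can be reproduced and checked offline. The script below is an added example, not code from the thread or from pfSense: it builds a throwaway CA, issues one certificate with the server-type extended key usage (serverAuth) and one with the user-type extended key usage (clientAuth), then runs the same purpose check a TLS client applies to a server certificate. It assumes the `openssl` command-line tool is on PATH; the CA name, the `mhcvpn.com` subject and the temporary file names are constructed test data.

    ```shell
    #!/bin/sh
    # Added example (not from the forum thread). Shows why a certificate issued as a
    # user/client certificate is rejected when used as an OpenVPN server certificate,
    # and gives a quick check to run on a certificate before installing it as one.
    # Assumes the openssl CLI is on PATH; all certificates are throwaway test data.
    set -e

    WORK=$(mktemp -d)
    trap 'rm -rf "$WORK"' EXIT

    # Throwaway self-signed CA standing in for the pfSense-managed CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test VPN CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

    # issue_cert NAME EKU: issue a leaf certificate signed by the test CA whose
    # extendedKeyUsage is EKU. serverAuth is what a server certificate carries;
    # clientAuth is what a user certificate carries.
    issue_cert() {
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mhcvpn.com/OU=IT" \
            -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
        printf 'extendedKeyUsage=%s\n' "$2" > "$WORK/$1.ext"
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
            -CAcreateserial -days 1 -extfile "$WORK/$1.ext" \
            -out "$WORK/$1.pem" >/dev/null 2>&1
    }

    # cert_purpose FILE: print "server", "client" or "none" from the EKU extension.
    # This is the check to run on a certificate before picking it in the server
    # configuration; a "client" answer is the condition behind the error in the log.
    cert_purpose() {
        text=$(openssl x509 -in "$1" -noout -text)
        case "$text" in
            *"TLS Web Server Authentication"*) echo server ;;
            *"TLS Web Client Authentication"*) echo client ;;
            *) echo none ;;
        esac
    }

    # verify_as_server FILE: validate FILE against the CA for the sslserver purpose,
    # i.e. the check a TLS client applies to the certificate a server presents.
    # Prints "accepted", or "rejected: " followed by OpenSSL's verify output, which
    # for a client-only certificate names "unsupported certificate purpose".
    verify_as_server() {
        if out=$(openssl verify -purpose sslserver -CAfile "$WORK/ca.pem" "$1" 2>&1); then
            echo accepted
        else
            echo "rejected: $(printf '%s' "$out" | tr '\n' ' ')"
        fi
    }

    issue_cert server_cert serverAuth
    issue_cert user_cert clientAuth

    for c in server_cert user_cert; do
        printf '%s: purpose=%s, as server: %s\n' "$c" \
            "$(cert_purpose "$WORK/$c.pem")" "$(verify_as_server "$WORK/$c.pem")"
    done
    ```

    Run against a certificate exported from pfSense, `cert_purpose` answering "client" (or "none") for the certificate selected on the OpenVPN server page is the condition to fix by creating a new certificate of the server type; the `verify_as_server` output reproduces the wording seen in the client log.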



  • It worked, and you were right: it was a user's cert and not the server's.

    Thank you!