    [SOLVED]OpenVPN to pfSense box/server behind it, error=unsupported certificate

    • pfrickroll

      Help me to understand what I did wrong.
      Why would the certificate be unsupported?

      Wed Sep 13 17:04:50 2017 OpenVPN 2.4.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jul 14 2017
      Wed Sep 13 17:04:50 2017 Windows version 6.2 (Windows 8 or greater) 64bit
      Wed Sep 13 17:04:50 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
      Wed Sep 13 17:05:07 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
      Wed Sep 13 17:05:07 2017 UDP link local (bound): [AF_INET][undef]:1194
      Wed Sep 13 17:05:07 2017 UDP link remote: [AF_INET]x.x.x.x:1194
      Wed Sep 13 17:05:07 2017 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
      Wed Sep 13 17:05:07 2017 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=US, ST=Maryland, L=Parkville, O=Maryland Healthcare Clinics, emailAddress=vbrodov@mdhealthcorp.com, CN=mhcvpn.com, OU=IT
      Wed Sep 13 17:05:07 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
      Wed Sep 13 17:05:07 2017 TLS_ERROR: BIO read tls_read_plaintext error
      Wed Sep 13 17:05:07 2017 TLS Error: TLS object -> incoming plaintext read error
      Wed Sep 13 17:05:07 2017 TLS Error: TLS handshake failed
      Wed Sep 13 17:05:07 2017 SIGUSR1[soft,tls-error] received, process restarting
      Wed Sep 13 17:05:12 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
      Wed Sep 13 17:05:12 2017 UDP link local (bound): [AF_INET][undef]:1194
      Wed Sep 13 17:05:12 2017 UDP link remote: [AF_INET]x.x.x.x:1194
      Wed Sep 13 17:05:12 2017 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
      Wed Sep 13 17:05:12 2017 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=US, ST=Maryland, L=Parkville, O=Maryland Healthcare Clinics, emailAddress=cool@beans.com, CN=mhcvpn.com, OU=IT
      Wed Sep 13 17:05:12 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
      Wed Sep 13 17:05:12 2017 TLS_ERROR: BIO read tls_read_plaintext error
      Wed Sep 13 17:05:12 2017 TLS Error: TLS object -> incoming plaintext read error
      Wed Sep 13 17:05:12 2017 TLS Error: TLS handshake failed
      Wed Sep 13 17:05:12 2017 SIGUSR1[soft,tls-error] received, process restarting
      Wed Sep 13 17:05:17 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
      Wed Sep 13 17:05:17 2017 UDP link local (bound): [AF_INET][undef]:1194
      Wed Sep 13 17:05:17 2017 UDP link remote: [AF_INET]x.x.x.x:1194
      Wed Sep 13 17:05:17 2017 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_ACK_V1)
      Wed Sep 13 17:05:19 2017 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_ACK_V1)
      Wed Sep 13 17:05:22 2017 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
      Wed Sep 13 17:05:23 2017 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)

      Also, under the configuration option "IPv4 Tunnel Network", do I put the local subnet of the client I am trying to connect from?

      • jimp (Rebel Alliance Developer, Netgate)

        "unsupported certificate purpose" usually means the certificate chosen for your server was not generated as a server certificate, but as a user certificate. You may need to make a new server certificate.

        IPv4 Tunnel network is a unique, unused network only for the VPN clients.

        The local network you want them to reach goes in IPv4 Local Network.

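        The purpose check behind that error can be reproduced locally. The script below is an added example, not code from this thread or from pfSense: it builds a throwaway CA (the CA name is constructed), issues one leaf cert with server extensions and one with user/client extensions for the CN seen in the log, and runs `openssl verify -purpose sslserver` against each, which is the same purpose check OpenSSL applies when OpenVPN verifies the server's certificate. It assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): show why a user cert fails with
# "unsupported certificate purpose" when it is used as an OpenVPN server cert.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway CA, constructed for this demo only.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo VPN CA" \
  -keyout ca.key -out ca.crt >/dev/null 2>&1

# Extension profiles: a "Server Certificate" carries serverAuth/nsCertType=server,
# a "User Certificate" carries clientAuth/nsCertType=client.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nnsCertType=server\n' > server.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\nnsCertType=client\n' > user.ext

# issue_cert NAME EXTFILE: sign a leaf cert for CN=mhcvpn.com (the CN from the log)
# with the extensions in EXTFILE.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mhcvpn.com" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile "$2" -out "$1.crt" >/dev/null 2>&1
}
issue_cert server server.ext
issue_cert user user.ext

# usable_as_server CERT: succeeds only if CERT chains to the CA *and* is valid
# for the TLS-server purpose; otherwise OpenSSL reports
# "unsupported certificate purpose", exactly as in the client log above.
usable_as_server() {
  openssl verify -purpose sslserver -CAfile ca.crt "$1" >/dev/null 2>&1
}

# show_purpose CERT: print the extensions that decide the purpose check.
show_purpose() {
  openssl x509 -in "$1" -noout -text | grep -A1 -E 'Extended Key Usage|Netscape Cert Type'
}

show_purpose server.crt
usable_as_server server.crt && echo "server.crt: accepted for sslserver"
show_purpose user.crt
usable_as_server user.crt || echo "user.crt: rejected for sslserver (the error in the log)"
```

Running `show_purpose` against the certificate actually selected in the pfSense OpenVPN server settings tells you which kind it is before clients ever connect.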
        • pfrickroll

          It worked, and you were right: it was a user's cert and not the server's.

          Thank you!
