4. OpenVPN: OpenSSL: error:140890C7 (peer did not return a certificate)

OpenVPN: OpenSSL: error:140890C7 (peer did not return a certificate)

  • F

    I tried to configure a VPN using OpenVPN on my pfSense (latest version 2.4.3-RELEASE-p1 (amd64)), following the guide at: https://vorkbaard.nl/set-up-openvpn-on-pfsense-with-user-certificates-and-active-directory-authentication/

    LDAP authentication works perfectly, as tested from the Diagnostics->Authentication option.

    When I try to connect to the VPN (both on UDP or TCP), the client (Linux, using --verb 3) sees:

    Mon Jul 30 18:19:11 2018 WARNING: file 'server001-tls.key' is group or others accessible
Mon Jul 30 18:19:11 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 10 2018
Mon Jul 30 18:19:11 2018 library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08
Enter Auth Username: myuser
Enter Auth Password: ********
Mon Jul 30 18:19:18 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 30 18:19:18 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 30 18:19:18 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Mon Jul 30 18:19:18 2018 Socket Buffers: R=[87380->87380] S=[16384->16384]
Mon Jul 30 18:19:18 2018 Attempting to establish TCP connection with [AF_INET]x.x.x.x:1194 [nonblock]
Mon Jul 30 18:19:19 2018 TCP connection established with [AF_INET]x.x.x.x:1194
Mon Jul 30 18:19:19 2018 TCP_CLIENT link local: (not bound)
Mon Jul 30 18:19:19 2018 TCP_CLIENT link remote: [AF_INET]x.x.x.x:1194
Mon Jul 30 18:19:19 2018 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=65axx884 644xxa2a
Mon Jul 30 18:19:19 2018 VERIFY OK: depth=1, C=US, ST=Texas, L=Houston, O=HOU Lab, emailAddress=admin@mydomain.local, CN=OpenVPN_CA, OU=Testing
Mon Jul 30 18:19:19 2018 VERIFY KU OK
Mon Jul 30 18:19:19 2018 Validating certificate extended key usage
Mon Jul 30 18:19:19 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jul 30 18:19:19 2018 VERIFY EKU OK
Mon Jul 30 18:19:19 2018 VERIFY X509NAME OK: C=US, ST=Texas, L=Austin, O=Lab, emailAddress=admin@mydomain.local, CN=vpn.mydomain.local, OU=Testing
Mon Jul 30 18:19:19 2018 VERIFY OK: depth=0, C=US, ST=Texas, L=Austin, O=Lab, emailAddress=admin@mydomain.local, CN=vpn.mydomain.local, OU=Testing
Mon Jul 30 18:19:19 2018 Connection reset, restarting [0]
Mon Jul 30 18:19:19 2018 SIGUSR1[soft,connection-reset] received, process restarting
Mon Jul 30 18:19:19 2018 Restart pause, 5 second(s)

    And the server sees this:

    Jul 30 23:19:18 sverver001 openvpn[35836]: TCP connection established with [AF_INET]y.y.y.y:44294
Jul 30 23:19:19 sverver001 openvpn[35836]: y.y.y.y:44294 OpenSSL: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate
Jul 30 23:19:19 sverver001 openvpn[35836]: y.y.y.y:44294 TLS_ERROR: BIO read tls_read_plaintext error
Jul 30 23:19:19 sverver001 openvpn[35836]: y.y.y.y:44294 TLS Error: TLS object -> incoming plaintext read error
Jul 30 23:19:19 sverver001 openvpn[35836]: y.y.y.y:44294 TLS Error: TLS handshake failed
Jul 30 23:19:19 sverver001 openvpn[35836]: y.y.y.y:44294 Fatal TLS error (check_tls_errors_co), restarting

    My server config file looks like this:

    dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp4-server
cipher AES-256-GCM
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local x.x.x.x
tls-server
server 192.168.100.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user QWN0a12345dG9yeQ== true server1 1194" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.mydomain.local' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
push "dhcp-option DOMAIN mydomain.local"
push "dhcp-option DNS 192.168.0.2"
push "redirect-gateway def1"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
ncp-ciphers AES-256-OFB:AES-256-CFB8:AES-256-CFB1:AES-256-CFB
topology subnet

    and my client config is this one:

    dev tun
persist-tun
persist-key
cipher AES-256-GCM
ncp-ciphers AES-256-OFB:AES-256-CFB8:AES-256-CFB1:AES-256-CFB
auth SHA1
tls-client
client
resolv-retry infinite
remote x.x.x.x 1194 tcp-client
verify-x509-name "vpn.mydomain.local" name
auth-user-pass
ca server001-ca.crt
#cryptoapicert "SUBJ:"
tls-auth server001-tls.key 1
remote-cert-tls server
auth-nocache

    x.x.x.x=VPN Server
    y.y.y.y=VPN Client
    mydomain.local=LDAP domain

    Any ideas ? I am currently testing on TCP to make sure the connection is available (client can see port 1194/tcp open) - I could not test that on UDP. Once it works I will switch it back to UDP.

    Please let me know if you need additional information.

    Thank you very much in advance,

    F4

    0
  • Netgate

    I don't see that you have cert or key directives pointing to the client credentials. The server is expecting the client to provide one because it is in tls-server mode:

    To use TLS mode, each peer that runs OpenVPN should have its own local certificate/key pair ( --cert and --key ), signed by the root certificate which is specified in --ca.

    https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

    I am currently testing on TCP to make sure the connection is available (client can see port 1194/tcp open) - I could not test that on UDP. Once it works I will switch it back to UDP.

    PCAP on the server on UDP 1194 and try the connection. If you see the traffic, the port is "open."

    0
  • F

    From the OpenVPN Export Utility, I generated a ZIP file (Bundled Configurations -> Archive), that contains the following files:

    server001.ovpn
    server001.p12
    server001-ca.crt
    server001-tls.key

    I was trying these yesterday (see above):

    openvpn --config server001.ovpn --verb3

    If I try:

    openvpn --config server001.ovpn --verb3 --key server001-tls.key --cert server001-ca.crt

    I get:

    Tue Jul 31 14:12:19 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 10 2018
Tue Jul 31 14:12:19 2018 library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08
Enter Auth Username: myuser
Enter Auth Password: ********
Tue Jul 31 14:12:26 2018 Error: private key password verification failed
Tue Jul 31 14:12:26 2018 Exiting due to fatal error

    Should have I gotten other files from the server? Am I using these files incorrectly?

    0
  • Netgate

    I would just use the config exporter, generate an inline config, and use the data in there.

    0
  • F

    Thanks for the help ...

    I have not been using Inline, because I get this when trying to generate:

    The following input errors were detected:

Microsoft Certificate Storage cannot be used with an Inline configuration.
Failed to export config files!

    Any suggestions ?

    0
  • Netgate

    The user certificates are in the .p12 file. Try exporting with Microsoft Certificate Storage enabled. You are exporting for Linux, not Windows!

    0
 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy