OpenVPN: OpenSSL: error:140890C7 (peer did not return a certificate)



  • I tried to configure a VPN using OpenVPN on my pfSense (latest version 2.4.3-RELEASE-p1 (amd64)), following the guide at: https://vorkbaard.nl/set-up-openvpn-on-pfsense-with-user-certificates-and-active-directory-authentication/

    LDAP authentication works perfectly, as tested from the Diagnostics->Authentication option.

    When I try to connect to the VPN (both on UDP or TCP), the client (Linux, using --verb 3) sees:

    Mon Jul 30 18:19:11 2018 WARNING: file 'server001-tls.key' is group or others accessible
    Mon Jul 30 18:19:11 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 10 2018
    Mon Jul 30 18:19:11 2018 library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08
    Enter Auth Username: myuser
    Enter Auth Password: ********
    Mon Jul 30 18:19:18 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Jul 30 18:19:18 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Jul 30 18:19:18 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
    Mon Jul 30 18:19:18 2018 Socket Buffers: R=[87380->87380] S=[16384->16384]
    Mon Jul 30 18:19:18 2018 Attempting to establish TCP connection with [AF_INET]x.x.x.x:1194 [nonblock]
    Mon Jul 30 18:19:19 2018 TCP connection established with [AF_INET]x.x.x.x:1194
    Mon Jul 30 18:19:19 2018 TCP_CLIENT link local: (not bound)
    Mon Jul 30 18:19:19 2018 TCP_CLIENT link remote: [AF_INET]x.x.x.x:1194
    Mon Jul 30 18:19:19 2018 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=65axx884 644xxa2a
    Mon Jul 30 18:19:19 2018 VERIFY OK: depth=1, C=US, ST=Texas, L=Houston, O=HOU Lab, emailAddress=admin@mydomain.local, CN=OpenVPN_CA, OU=Testing
    Mon Jul 30 18:19:19 2018 VERIFY KU OK
    Mon Jul 30 18:19:19 2018 Validating certificate extended key usage
    Mon Jul 30 18:19:19 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Mon Jul 30 18:19:19 2018 VERIFY EKU OK
    Mon Jul 30 18:19:19 2018 VERIFY X509NAME OK: C=US, ST=Texas, L=Austin, O=Lab, emailAddress=admin@mydomain.local, CN=vpn.mydomain.local, OU=Testing
    Mon Jul 30 18:19:19 2018 VERIFY OK: depth=0, C=US, ST=Texas, L=Austin, O=Lab, emailAddress=admin@mydomain.local, CN=vpn.mydomain.local, OU=Testing
    Mon Jul 30 18:19:19 2018 Connection reset, restarting [0]
    Mon Jul 30 18:19:19 2018 SIGUSR1[soft,connection-reset] received, process restarting
    Mon Jul 30 18:19:19 2018 Restart pause, 5 second(s)
    

    And the server sees this:

    Jul 30 23:19:18 sverver001 openvpn[35836]: TCP connection established with [AF_INET]y.y.y.y:44294
    Jul 30 23:19:19 sverver001 openvpn[35836]: y.y.y.y:44294 OpenSSL: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate
    Jul 30 23:19:19 sverver001 openvpn[35836]: y.y.y.y:44294 TLS_ERROR: BIO read tls_read_plaintext error
    Jul 30 23:19:19 sverver001 openvpn[35836]: y.y.y.y:44294 TLS Error: TLS object -> incoming plaintext read error
    Jul 30 23:19:19 sverver001 openvpn[35836]: y.y.y.y:44294 TLS Error: TLS handshake failed
    Jul 30 23:19:19 sverver001 openvpn[35836]: y.y.y.y:44294 Fatal TLS error (check_tls_errors_co), restarting
    

    My server config file looks like this:

    dev ovpns1
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp4-server
    cipher AES-256-GCM
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local x.x.x.x
    tls-server
    server 192.168.100.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server1
    username-as-common-name
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user QWN0a12345dG9yeQ== true server1 1194" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.mydomain.local' 1"
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    push "dhcp-option DOMAIN mydomain.local"
    push "dhcp-option DNS 192.168.0.2"
    push "redirect-gateway def1"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    ncp-ciphers AES-256-OFB:AES-256-CFB8:AES-256-CFB1:AES-256-CFB
    topology subnet
    

    and my client config is this one:

    dev tun
    persist-tun
    persist-key
    cipher AES-256-GCM
    ncp-ciphers AES-256-OFB:AES-256-CFB8:AES-256-CFB1:AES-256-CFB
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote x.x.x.x 1194 tcp-client
    verify-x509-name "vpn.mydomain.local" name
    auth-user-pass
    ca server001-ca.crt
    #cryptoapicert "SUBJ:"
    tls-auth server001-tls.key 1
    remote-cert-tls server
    auth-nocache
    

    x.x.x.x=VPN Server
    y.y.y.y=VPN Client
    mydomain.local=LDAP domain

    Any ideas ? I am currently testing on TCP to make sure the connection is available (client can see port 1194/tcp open) - I could not test that on UDP. Once it works I will switch it back to UDP.

    Please let me know if you need additional information.

    Thank you very much in advance,

    F4


  • Netgate

    I don't see that you have cert or key directives pointing to the client credentials. The server is expecting the client to provide one because it is in tls-server mode:

    To use TLS mode, each peer that runs OpenVPN should have its own local certificate/key pair ( --cert and --key ), signed by the root certificate which is specified in --ca.

    https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

    I am currently testing on TCP to make sure the connection is available (client can see port 1194/tcp open) - I could not test that on UDP. Once it works I will switch it back to UDP.

    PCAP on the server on UDP 1194 and try the connection. If you see the traffic, the port is "open."



  • From the OpenVPN Export Utility, I generated a ZIP file (Bundled Configurations -> Archive), that contains the following files:

    server001.ovpn
    server001.p12
    server001-ca.crt
    server001-tls.key

    I was trying these yesterday (see above):

    openvpn --config server001.ovpn --verb3
    

    If I try:

    openvpn --config server001.ovpn --verb3 --key server001-tls.key --cert server001-ca.crt
    

    I get:

    Tue Jul 31 14:12:19 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 10 2018
    Tue Jul 31 14:12:19 2018 library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08
    Enter Auth Username: myuser
    Enter Auth Password: ********
    Tue Jul 31 14:12:26 2018 Error: private key password verification failed
    Tue Jul 31 14:12:26 2018 Exiting due to fatal error
    

    Should have I gotten other files from the server? Am I using these files incorrectly?


  • Netgate

    I would just use the config exporter, generate an inline config, and use the data in there.



  • Thanks for the help ...

    I have not been using Inline, because I get this when trying to generate:

    The following input errors were detected:
    
    Microsoft Certificate Storage cannot be used with an Inline configuration.
    Failed to export config files!
    

    Any suggestions ?


  • Netgate

    The user certificates are in the .p12 file. Try exporting with Microsoft Certificate Storage enabled. You are exporting for Linux, not Windows!