I'm trying to set up OpenVPN from a Windows client to my pfSense box, but I'm having some trouble with the verification phase:
Wed Jun 30 15:48:55 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Wed Jun 30 15:48:55 2010 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Wed Jun 30 15:48:55 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Jun 30 15:48:55 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jun 30 15:48:56 2010 LZO compression initialized
Wed Jun 30 15:48:56 2010 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Jun 30 15:48:56 2010 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jun 30 15:48:56 2010 Local Options hash (VER=V4): '69109d17'
Wed Jun 30 15:48:56 2010 Expected Remote Options hash (VER=V4): 'c0103fa8'
Wed Jun 30 15:48:56 2010 Attempting to establish TCP connection with XX.XX.XX.132:1194
Wed Jun 30 15:48:56 2010 TCP connection established with XX.XX.XX.132:1194
Wed Jun 30 15:48:56 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Jun 30 15:48:56 2010 TCPv4_CLIENT link local: [undef]
Wed Jun 30 15:48:56 2010 TCPv4_CLIENT link remote: XX.XX.XX.132:1194
Wed Jun 30 15:48:57 2010 TLS: Initial packet from XX.XX.XX.132:1194, sid=2b06b725 a75f95b5
Wed Jun 30 15:49:07 2010 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=IT/ST=Italy/L=Sassuolo/O=MySite/CN=MySite_CA/emailAddress=xxx@xxx
Wed Jun 30 15:49:07 2010 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Jun 30 15:49:07 2010 TLS Error: TLS object -> incoming plaintext read error
Wed Jun 30 15:49:07 2010 TLS Error: TLS handshake failed
Wed Jun 30 15:49:07 2010 Fatal TLS error (check_tls_errors_co), restarting
Wed Jun 30 15:49:07 2010 TCP/UDP: Closing socket
As you can see, there is a VERIFY ERROR, which is something I have never seen in other pfSense OpenVPNs I've set up in exactly the same way. However, what I've done is:
./clean-all
./build-ca
./build-dh
./build-key-server myserver
./build-key user
and then copied the user key and certificate and the server certificate into the client configuration.
The same client from the same computer to another pfSense box configured the same way works fine without a problem. Any idea or clue on what to look for to solve the problem?
Don't use the server certificate in the client configuration; use the certificate of the CA that signed the server cert, which in your case is the same ca.crt that you used on the server.
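To show why the answer above is right, here is an added example (not from the question, the answer, or the easy-rsa scripts) that rebuilds the situation with a throwaway CA: it generates a CA and a CA-signed server certificate, the way build-ca and build-key-server myserver do, then verifies the server certificate twice, once trusting server.crt itself (what the question did) and once trusting ca.crt (what the answer recommends). The first verification fails, because the chain presented by the server ends in a self-signed CA that is not in the client's trust store, which is exactly the depth=1 VERIFY ERROR in the log; the second succeeds. The openssl CLI is assumed to be installed; all names, subjects and paths are made up here.

```sh
#!/bin/sh
# Added example, not part of the original post. Assumes the openssl CLI.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed CA (stand-in for easy-rsa's build-ca).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example_CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Server key and CSR (stand-in for build-key-server myserver), signed by the CA.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=myserver" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/server.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/server.crt" 2>/dev/null

# verify_with <trust-anchor>: exit 0 if server.crt chains to a trusted root.
# "-untrusted ca.crt" plays the role of the chain the OpenVPN server sends
# during the handshake; "-CAfile" is what the client config points at.
verify_with() {
  openssl verify -CAfile "$1" -untrusted "$WORK/ca.crt" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# The question's setup: the client trusts server.crt instead of the CA.
# The chain ends in the self-signed CA, which is not trusted, so this fails
# (openssl reports a self-signed certificate in the chain, like the log).
# Returns 0 when verification fails as expected.
wrong_anchor() {
  if verify_with "$WORK/server.crt"; then return 1; else return 0; fi
}

# The answer's setup: the client trusts ca.crt. Returns 0 on success.
right_anchor() {
  verify_with "$WORK/ca.crt"
}

wrong_anchor && echo "trusting server.crt: verification failed (as in the log)"
right_anchor && echo "trusting ca.crt: verification succeeded"
```

Run it as `sh verify-anchor.sh`. The point to carry over to a real client config is that the `ca` directive must name the issuing CA's certificate; the `cert` and `key` directives are for the client's own certificate and key, and the server's certificate never belongs in the client configuration at all.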
Thanks, I had messed up the certificates! Now it works.