Netgate Discussion Forum
    OpenVPN - TLS incoming plaintext read error?

    OpenVPN
    5 Posts 5 Posters 110.0k Views
    • victorhooi

      Hi,

      I have a pfSense 2.1 (Beta0) install, and I'm trying to connect via OpenVPN.

      My client is Tunnelblick 3.3beta16 (build 3070 - OpenVPN 2.3-alpha1), running on OSX.

      From pfSense, I generated a Configuration archive, renamed it to add .tblk to the folder name, then imported into TunnelBlick.

      However, it seems to stall at the Authorizing stage.

      In the OpenVPN logs, I can see:

      Aug 4 18:42:27	openvpn[6629]: 123.243.8.55:1194 Re-using SSL/TLS context
      Aug 4 18:42:27	openvpn[6629]: 123.243.8.55:1194 LZO compression initialized
      Aug 4 18:42:27	openvpn[6629]: 123.243.8.55:1194 VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=AU/ST=New_South_Wales/L=Sydney/O=We_Love_Travel/emailAddress=victorhooi@yahoo.com/CN=campervans
      Aug 4 18:42:27	openvpn[6629]: 123.243.8.55:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
      Aug 4 18:42:27	openvpn[6629]: 123.243.8.55:1194 TLS Error: TLS object -> incoming plaintext read error
      Aug 4 18:42:27	openvpn[6629]: 123.243.8.55:1194 TLS Error: TLS handshake failed
      

      Any ideas?

      Cheers,
      Victor

      • jimp (Rebel Alliance Developer, Netgate)

        Inside that log message it shows:

        Aug 4 18:42:27 openvpn[6629]: 123.243.8.55:1194 VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=AU/ST=New_South_Wales/L=Sydney/O=We_Love_Travel/emailAddress=victorhooi@yahoo.com/CN=campervans

        (emphasis mine)

        Which generally means you made the wrong sort of certificate for what you're trying to do. If that log is on the client side, the certificate on the server may not actually be a "server certificate" and if that log is on the server side, the client cert may not be a "user certificate".

        As it's dangerous to mix and match the certificate purposes (you don't want to use a CA cert as a vpn client…) it tries to make it a little stricter there.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • InVidTiv

          Hello, I have been deploying OpenVPN in pfSense for a while, with no hiccups.

          Until this week, a severe modification in the design of the network crashed pfSense altogether. Decided to restart from scratch.
          All well at first, squid, sarg reports, until OpenVPN. Being a bit overconfident, I even created all the users for the VPN. Without testing it :( Was so confident…

          And boom same TLS error as described above.

          Ok, fix for this, it takes a while.

          • erase every setting and server from the OpenVPN, erase any certificate created during previous attempts

          • Create a server certificate from the menu of the certificate.

          • run the wizard for the open vpn server. Choose that certificate for the server.

          • go into the OPENVPN server config page, remove tls auth and save.

          • go again into the openVPN server config page, and select tls auth this will create a new tls

          • only now create the certificate for the users.

          I really don't know why this solved the issue, I never ran into this before… ???

          Hope this can help anyone... ;D

          • rajbps

            I have followed these steps but still TLS error :-(

            Anyone any more ideas pls?

            Cheers,

            Raj

            • pkwong

              When you set up the VPN configuration, make sure you're using the right certificate authority and client certificate in your config. Otherwise, delete the CA cert and client cert and redo those. It'll almost definitely solve your problem. Sounds like a problem with your cut and paste.

              -Percy Kwong
              http://swimminginthought.com

              When all else fails, don't blame the machine. Blame your architecture.

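As an added example (not code from the thread, and not pfSense's or OpenVPN's own tooling), the script below reproduces the two checks the thread turns on, using plain openssl against a constructed, throwaway PKI: jimp's point that "unsupported certificate purpose" means the certificate's extendedKeyUsage does not fit the role it is being used in (a "user certificate" presented where a "server certificate" is expected, or the reverse), and pkwong's point that the CA in the client config must be the one that actually signed the certificates. Every name in it (demo-ca, other-ca, demo-server, demo-user, the helper functions) is made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/OpenVPN: reproduce the
# certificate-purpose and issuer checks with plain openssl on a constructed,
# throwaway PKI. Every name here (demo-ca, other-ca, demo-server, demo-user) is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# write_cnf NAME: minimal req config; the v3_ca section is only used by make_ca.
write_cnf() {
  cat >"$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $1
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca NAME: self-signed CA (CA:TRUE + keyCertSign, as a CA-manager CA would have).
make_ca() {
  write_cnf "$1"
  openssl req -x509 -config "$WORK/$1.cnf" -newkey rsa:2048 -nodes -sha256 -days 2 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_leaf NAME CA EKU: leaf cert whose role is fixed by extendedKeyUsage.
# serverAuth is what a "server certificate" carries, clientAuth a "user certificate".
make_leaf() {
  write_cnf "$1"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
    "$3" >"$WORK/$1.ext"
  openssl req -new -config "$WORK/$1.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

make_ca demo-ca
make_ca other-ca                       # unrelated CA: the "wrong CA in the config" case
make_leaf demo-server demo-ca serverAuth
make_leaf demo-user   demo-ca clientAuth

CA_CERT="$WORK/demo-ca.pem";         OTHER_CA="$WORK/other-ca.pem"
SERVER_CERT="$WORK/demo-server.pem"; USER_CERT="$WORK/demo-user.pem"

# check_purpose CERT sslserver|sslclient: exit 0 if CERT may act in that role.
# OpenVPN's "unsupported certificate purpose" is this same OpenSSL verdict
# (X509_V_ERR_INVALID_PURPOSE, reported by the CLI as "error 26").
check_purpose() {
  openssl verify -CAfile "$CA_CERT" -purpose "$2" "$1" >/dev/null 2>&1
}

# check_issuer CERT CAFILE: exit 0 only if CERT chains to CAFILE.
check_issuer() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# verdict CAFILE PURPOSE CERT: one-line OK / error reason, for the report below.
verdict() {
  openssl verify -CAfile "$1" -purpose "$2" "$3" 2>&1 | grep -E ': OK$|^error [0-9]+ at' | head -n 1
}

echo "server cert as sslserver : $(verdict "$CA_CERT" sslserver "$SERVER_CERT")"
echo "user cert   as sslclient : $(verdict "$CA_CERT" sslclient "$USER_CERT")"
echo "user cert   as sslserver : $(verdict "$CA_CERT" sslserver "$USER_CERT")"
echo "server cert as sslclient : $(verdict "$CA_CERT" sslclient "$SERVER_CERT")"
echo "user cert, other CA      : $(verdict "$OTHER_CA" sslclient "$USER_CERT")"
```

The third and fourth report lines are the thread's failure: a certificate used in the wrong role is rejected with "unsupported certificate purpose", and the last line is pkwong's case, a certificate checked against a CA that did not sign it. In the original log the TLS error names SSL3_GET_CLIENT_CERTIFICATE, so it is the server rejecting the client's certificate; the sslclient check on the client's certificate is the one to run against a real pfSense export.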
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.