OpenVPN Handshake/TLS Issues



  • Hello,

    I've been smashing my head in the wall for weeks over this. I don't fully understand certificates, but I believe I am having issues in this area and need some help.

    I'll keep it brief until I know what you guys are wanting to see.

    I will provide some logs from two situations:

    1. site-to-site tunnel to an Ubiquiti Edgemax router over 1194
    2. site-to-client (me) with my pfSense server over 1195

    My site-to-client tunnel is failing due to the following:

    Viscosity log:

    ```
    Dec 01 22:23:49: SIGTERM[hard,] received, process exiting
    Dec 01 22:24:18: Viscosity Mac 1.5.11 (1314)
    Dec 01 22:24:18: Viscosity OpenVPN Engine Started
    Dec 01 22:24:18: Running on Mac OS X 10.11
    Dec 01 22:24:18: ---------
    Dec 01 22:24:18: Checking reachability status of connection...
    Dec 01 22:24:18: Connection is reachable. Starting connection attempt.
    Dec 01 22:24:18: OpenVPN 2.3.8 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Sep 23 2015
    Dec 01 22:24:18: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
    Dec 01 22:24:26: Control Channel Authentication: using '/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/connection.JLad5J/ta.key' as a OpenVPN static key file
    Dec 01 22:24:26: UDPv4 link local (bound): [undef]
    Dec 01 22:24:26: UDPv4 link remote: [AF_INET]pfsense-public-ip:1195
    Dec 01 22:24:26: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Dec 01 22:24:26: VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=CA, ST=State, L=City, O=Brailyn, emailAddress=my-email, CN=tunnel.my-domain.ca
    Dec 01 22:24:26: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    Dec 01 22:24:26: TLS Error: TLS object -> incoming plaintext read error
    Dec 01 22:24:26: TLS Error: TLS handshake failed
    Dec 01 22:24:26: SIGUSR1[soft,tls-error] received, process restarting
    Dec 01 22:24:37: UDPv4 link local (bound): [undef]
    Dec 01 22:24:37: UDPv4 link remote: [AF_INET]pfsense-public-ip:1195
    Dec 01 22:24:37: VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=CA, ST=State, L=City, O=Brailyn, emailAddress=my-email, CN=tunnel.my-domain.ca
    Dec 01 22:24:37: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    Dec 01 22:24:37: TLS Error: TLS object -> incoming plaintext read error
    Dec 01 22:24:37: TLS Error: TLS handshake failed
    Dec 01 22:24:37: SIGUSR1[soft,tls-error] received, process restarting
    ```

    pfSense log:

    ```
    Dec 1 22:24:56 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Local Options hash (VER=V4): '8a3b3cca'
    Dec 1 22:24:56 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Expected Remote Options hash (VER=V4): '73e43c96'
    Dec 1 22:24:56 openvpn[93522]: my-mobile-client-dynamic-ip:45959 MULTI: new incoming connection would exceed maximum number of clients (3)
    Dec 1 22:24:56 openvpn[93522]: MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock
    Dec 1 22:24:56 openvpn[93522]: MANAGEMENT: CMD 'status 2'
    Dec 1 22:24:57 openvpn[93522]: MANAGEMENT: CMD 'quit'
    Dec 1 22:24:57 openvpn[93522]: MANAGEMENT: Client disconnected
    Dec 1 22:24:57 openvpn[93522]: MULTI: multi_create_instance called
    Dec 1 22:24:57 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Re-using SSL/TLS context
    Dec 1 22:24:57 openvpn[93522]: my-mobile-client-dynamic-ip:45959 LZO compression initialized
    Dec 1 22:24:57 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Control Channel MTU parms [ L:1570 D:178 EF:78 EB:0 ET:0 EL:3 ]
    Dec 1 22:24:57 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:143 ET:0 EL:3 AF:3/1 ]
    Dec 1 22:24:57 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
    Dec 1 22:24:57 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
    Dec 1 22:24:57 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Local Options hash (VER=V4): '8a3b3cca'
    Dec 1 22:24:57 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Expected Remote Options hash (VER=V4): '73e43c96'
    Dec 1 22:24:57 openvpn[93522]: my-mobile-client-dynamic-ip:45959 MULTI: new incoming connection would exceed maximum number of clients (3)
    Dec 1 22:24:59 openvpn[93522]: MULTI: multi_create_instance called
    Dec 1 22:24:59 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Re-using SSL/TLS context
    Dec 1 22:24:59 openvpn[93522]: my-mobile-client-dynamic-ip:45959 LZO compression initialized
    Dec 1 22:24:59 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Control Channel MTU parms [ L:1570 D:178 EF:78 EB:0 ET:0 EL:3 ]
    Dec 1 22:24:59 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:143 ET:0 EL:3 AF:3/1 ]
    Dec 1 22:24:59 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
    Dec 1 22:24:59 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
    Dec 1 22:24:59 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Local Options hash (VER=V4): '8a3b3cca'
    Dec 1 22:24:59 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Expected Remote Options hash (VER=V4): '73e43c96'
    Dec 1 22:24:59 openvpn[93522]: my-mobile-client-dynamic-ip:45959 MULTI: new incoming connection would exceed maximum number of clients (3)
    Dec 1 22:25:08 openvpn[93522]: MULTI: multi_create_instance called
    Dec 1 22:25:08 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Re-using SSL/TLS context
    Dec 1 22:25:08 openvpn[93522]: my-mobile-client-dynamic-ip:45959 LZO compression initialized
    Dec 1 22:25:08 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Control Channel MTU parms [ L:1570 D:178 EF:78 EB:0 ET:0 EL:3 ]
    Dec 1 22:25:08 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:143 ET:0 EL:3 AF:3/1 ]
    Dec 1 22:25:08 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
    Dec 1 22:25:08 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
    Dec 1 22:25:08 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Local Options hash (VER=V4): '8a3b3cca'
    Dec 1 22:25:08 openvpn[93522]: my-mobile-client-dynamic-ip:45959 Expected Remote Options hash (VER=V4): '73e43c96'
    Dec 1 22:25:08 openvpn[93522]: my-mobile-client-dynamic-ip:45959 MULTI: new incoming connection would exceed maximum number of clients (3)
    Dec 1 22:25:20 openvpn[93522]: my-mobile-client-dynamic-ip:53888 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Dec 1 22:25:20 openvpn[93522]: my-mobile-client-dynamic-ip:53888 TLS Error: TLS handshake failed
    Dec 1 22:25:20 openvpn[93522]: my-mobile-client-dynamic-ip:53888 SIGUSR1[soft,tls-error] received, client-instance restarting
    Dec 1 22:25:31 openvpn[93522]: my-mobile-client-dynamic-ip:56967 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Dec 1 22:25:31 openvpn[93522]: my-mobile-client-dynamic-ip:56967 TLS Error: TLS handshake failed
    Dec 1 22:25:31 openvpn[93522]: my-mobile-client-dynamic-ip:56967 SIGUSR1[soft,tls-error] received, client-instance restarting
    Dec 1 22:25:42 openvpn[93522]: my-mobile-client-dynamic-ip:42893 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Dec 1 22:25:42 openvpn[93522]: my-mobile-client-dynamic-ip:42893 TLS Error: TLS handshake failed
    Dec 1 22:25:42 openvpn[93522]: my-mobile-client-dynamic-ip:42893 SIGUSR1[soft,tls-error] received, client-instance restarting
    Dec 1 22:25:58 openvpn[93522]: MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock
    Dec 1 22:25:58 openvpn[93522]: MANAGEMENT: CMD 'status 2'
    Dec 1 22:25:59 openvpn[93522]: MANAGEMENT: CMD 'quit'
    Dec 1 22:25:59 openvpn[93522]: MANAGEMENT: Client disconnected
    ```


    Attempting site-to-site

    edgemax site-to-site tail log:

    ```
    Brailyn@ubnt:~$ show log tail
    Dec  1 22:36:33 ubnt openvpn[1354]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.8.8.2 10.8.8.1,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
    Dec  1 22:36:33 ubnt openvpn[1354]: Local Options hash (VER=V4): '6c017bd4'
    Dec  1 22:36:33 ubnt openvpn[1354]: Expected Remote Options hash (VER=V4): '3447207f'
    Dec  1 22:36:33 ubnt openvpn[1354]: UDPv4 link local (bound): [undef]
    Dec  1 22:36:33 ubnt openvpn[1354]: UDPv4 link remote: [AF_INET]pfsense-public-ip:1194
    Dec  1 22:36:49 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC= SRC=172.16.1.100 DST=255.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=13412 DF PROTO=UDP SPT=41763 DPT=10001 LEN=12
    Dec  1 22:36:53 ubnt openvpn[1354]: Inactivity timeout (--ping-restart), restarting
    Dec  1 22:36:53 ubnt openvpn[1354]: TCP/UDP: Closing socket
    Dec  1 22:36:53 ubnt openvpn[1354]: SIGUSR1[soft,ping-restart] received, process restarting
    Dec  1 22:36:53 ubnt openvpn[1354]: Restart pause, 2 second(s)
    Dec  1 22:36:55 ubnt openvpn[1354]: Re-using pre-shared static key
    Dec  1 22:36:55 ubnt openvpn[1354]: LZO compression initialized
    Dec  1 22:36:55 ubnt openvpn[1354]: Socket Buffers: R=[294912->131072] S=[294912->131072]
    Dec  1 22:36:55 ubnt openvpn[1354]: Preserving previous TUN/TAP instance: vtun0
    Dec  1 22:36:55 ubnt openvpn[1354]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
    Dec  1 22:36:55 ubnt openvpn[1354]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.8.8.1 10.8.8.2,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
    Dec  1 22:36:55 ubnt openvpn[1354]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.8.8.2 10.8.8.1,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
    Dec  1 22:36:55 ubnt openvpn[1354]: Local Options hash (VER=V4): '6c017bd4'
    Dec  1 22:36:55 ubnt openvpn[1354]: Expected Remote Options hash (VER=V4): '3447207f'
    Dec  1 22:36:55 ubnt openvpn[1354]: UDPv4 link local (bound): [undef]
    Dec  1 22:36:55 ubnt openvpn[1354]: UDPv4 link remote: [AF_INET]pfsense-public-ip:1194
    Dec  1 22:37:15 ubnt openvpn[1354]: Inactivity timeout (--ping-restart), restarting
    Dec  1 22:37:15 ubnt openvpn[1354]: TCP/UDP: Closing socket
    Dec  1 22:37:15 ubnt openvpn[1354]: SIGUSR1[soft,ping-restart] received, process restarting
    Dec  1 22:37:15 ubnt openvpn[1354]: Restart pause, 2 second(s)
    Dec  1 22:37:17 ubnt openvpn[1354]: Re-using pre-shared static key
    Dec  1 22:37:17 ubnt openvpn[1354]: LZO compression initialized
    Dec  1 22:37:17 ubnt openvpn[1354]: Socket Buffers: R=[294912->131072] S=[294912->131072]
    Dec  1 22:37:17 ubnt openvpn[1354]: Preserving previous TUN/TAP instance: vtun0
    Dec  1 22:37:17 ubnt openvpn[1354]: Data Channel MTU parms [ L:1561 D:1450 EF:61 EB:135 ET:0 EL:0 AF:3/1 ]
    Dec  1 22:37:17 ubnt openvpn[1354]: Local Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.8.8.1 10.8.8.2,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
    Dec  1 22:37:17 ubnt openvpn[1354]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.8.8.2 10.8.8.1,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,secret'
    Dec  1 22:37:17 ubnt openvpn[1354]: Local Options hash (VER=V4): '6c017bd4'
    Dec  1 22:37:17 ubnt openvpn[1354]: Expected Remote Options hash (VER=V4): '3447207f'
    Dec  1 22:37:17 ubnt openvpn[1354]: UDPv4 link local (bound): [undef]
    Dec  1 22:37:17 ubnt openvpn[1354]: UDPv4 link remote: [AF_INET]pfsense-public-ip:1194
    Dec  1 22:37:20 ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC= SRC=172.16.1.100 DST=255.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=13419 DF PROTO=UDP SPT=39874 DPT=10001 LEN=12
    ```
    
    pfSense log, site-to-site:
    
    Last 50 OpenVPN log entries

    ```
    Dec 1 22:35:50 openvpn[19617]: MANAGEMENT: CMD 'state 1'
    Dec 1 22:35:50 openvpn[19617]: MANAGEMENT: Client disconnected
    Dec 1 22:35:54 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:35:54 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:36:00 openvpn[19617]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Dec 1 22:36:00 openvpn[19617]: MANAGEMENT: CMD 'status 2'
    Dec 1 22:36:00 openvpn[19617]: MANAGEMENT: CMD 'quit'
    Dec 1 22:36:00 openvpn[19617]: MANAGEMENT: Client disconnected
    Dec 1 22:36:06 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:36:12 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:36:12 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:36:16 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:36:28 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:36:38 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:36:38 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:36:43 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:36:43 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:36:50 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:36:59 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:36:59 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:37:02 openvpn[19617]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Dec 1 22:37:02 openvpn[19617]: MANAGEMENT: CMD 'status 2'
    Dec 1 22:37:02 openvpn[19617]: MANAGEMENT: CMD 'quit'
    Dec 1 22:37:02 openvpn[19617]: MANAGEMENT: Client disconnected
    Dec 1 22:37:12 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:37:14 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:37:14 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:37:21 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:37:34 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:37:43 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:37:43 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:37:45 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:37:45 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:37:56 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:38:04 openvpn[19617]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
    Dec 1 22:38:04 openvpn[19617]: MANAGEMENT: CMD 'status 2'
    Dec 1 22:38:04 openvpn[19617]: MANAGEMENT: CMD 'quit'
    Dec 1 22:38:04 openvpn[19617]: MANAGEMENT: Client disconnected
    Dec 1 22:38:06 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 1 22:38:06 openvpn[19617]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    ```

    
    Other notes:
    
    0) I've attempted recreating CAs and certificates numerous times with the pfSense cert utility and create-user utility.

    1) CNs may have to be equivalent to the FQDN of the server. Tried that, and no difference.

    2) Not sure if the certs have much to do with the site-to-site issues. Regardless, I do see issues in the edgemax config.
    What I've seen that should likely be helpful if this debacle is not cert related:
    
    ```
    openvpn[68502]: Local Options String: 'V4,dev-type tun,link-mtu 1573,tun-mtu 1500,proto UDPv4,tun-ipv6,ifconfig 10.8.8.2 10.8.8.1,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,secret'
    openvpn[68502]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1573,tun-mtu 1500,proto UDPv4,tun-ipv6,ifconfig 10.8.8.1 10.8.8.2,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,secret'
    openvpn[68502]: Local Options hash (VER=V4): 'aee34c5c'
    openvpn[68502]: Expected Remote Options hash (VER=V4): '4de81f85'
    ```

    
    3) My server LAN is 10.0.0.0/24.
       My site-to-site client LAN is 10.1.1.0/24.

    4) My tunnel addresses for site-to-site are 10.8.8.0/32 (10.8.8.1 (server) and 10.8.8.2 (client)).
       My tunnel address space for client-to-site is 10.0.8.0/24.

    5) Site-to-site is possible with edgemax according to users in the ubnt forums.

    6) I'm using pfSense 2.2.5.

    7) My pfSense is behind a 2wire gateway, unfortunately. OpenVPN has worked using other LAN servers before.
    
    I know I've kind of spread info everywhere… I'm kinda new around here, so please let me know if I should do something different.

  • Banned

    And another. You are using the WRONG certificate!

    ```
    Dec 01 22:24:26: VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=CA, ST=State, L=City, O=Brailyn, emailAddress=my-email, CN=tunnel.my-domain.ca
    ```


  • LAYER 8 Global Moderator

    How are these people f'ing this up so often?? The wizard makes it impossible to create the wrong cert type…


  • Banned

    I've been wondering about input validation using the cert_get_purpose() from certs.inc to make it impossible to save similar nonsense.

    https://redmine.pfsense.org/issues/5602



  • Excuse my limited understanding…

    I created them quite a few times, with quite a few variations... Are you saying a user cert is not what to use?

    I'd like TLS + User Auth.

    The user creator gives basically no options when it creates a user cert...

    Is it the same issue for site-to-site or is that another can of worms?


  • Banned

    What user creator? You are using the wrong certificate for the server.

    As noted on https://redmine.pfsense.org/issues/5602, you cannot use certificate verification when you use a client cert for the server.



  • Okay,

    I got a connection by doing the obvious!

    My SERVER uses a server certificate. And my USER has a user certificate.

    It would be nice if the OVPN server would stop this from being allowed… You guys should laugh at all of us relying on brute force and ignorance to get stuff working :)

    Any idea how to solve the HMAC issue with my site-to-site tunnel? Shall I create another thread?



  • Site-to-site now online :)

    Was missing the following from my Vyatta config:

    ```
    set interfaces openvpn vtun0 hash sha256
    ```

    Changed a few other options, but this I believe was the main fix.

    For those of you searching for this, I'll post my Vyatta config here, but if you want detailed configuration of this, search the Ubiquiti forum for my posts. I'll get something in there when the connection is configured how I want. For those pfSense wizards… A few of us would appreciate an export wizard for VyOS/Vyatta for the OpenVPN export package.

    My config:

    ```
    set interfaces openvpn vtun0 encryption aes256
    set interfaces openvpn vtun0 hash sha256
    set interfaces openvpn vtun0 local-address 10.8.8.2
    set interfaces openvpn vtun0 local-port 1194
    set interfaces openvpn vtun0 mode site-to-site
    set interfaces openvpn vtun0 openvpn-option '--ping 10'
    set interfaces openvpn vtun0 openvpn-option '--ping-restart 20'
    set interfaces openvpn vtun0 openvpn-option '--user nobody'
    set interfaces openvpn vtun0 openvpn-option '--group nogroup'
    set interfaces openvpn vtun0 openvpn-option '--verb 5'
    set interfaces openvpn vtun0 openvpn-option 'mssfix 1450'
    set interfaces openvpn vtun0 openvpn-option 'tun-mtu 1500'
    set interfaces openvpn vtun0 openvpn-option 'tun-mtu-extra 32'
    set interfaces openvpn vtun0 openvpn-option --comp-lzo
    set interfaces openvpn vtun0 openvpn-option --float
    set interfaces openvpn vtun0 openvpn-option --ping-timer-rem
    set interfaces openvpn vtun0 openvpn-option --persist-tun
    set interfaces openvpn vtun0 openvpn-option --persist-key
    set interfaces openvpn vtun0 protocol udp
    set interfaces openvpn vtun0 remote-address 10.8.8.1
    set interfaces openvpn vtun0 remote-host dns-for-remote-server.com
    set interfaces openvpn vtun0 remote-port 1194
    set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
    ```


    Hope that helps!
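The two failure patterns in this thread (the "unsupported certificate purpose" verify error on the road-warrior server, and the site-to-site "packet HMAC authentication failed" flood that turned out to be an `auth` digest mismatch) as an added triage script; this is not pfSense, EdgeOS or OpenVPN code. It parses the options strings quoted above and diffs what one side *expects* its peer to run against what the peer actually logged; the `openvpn[68502]` excerpt under "Other notes" is assumed to be the pfSense side, and the diagnosis texts are this script's own, not OpenVPN's.

```python
import re

OPTS_RE = re.compile(r"(Local|Expected Remote) Options String: '([^']*)'")

# Log signatures seen in this thread and what to check first for each.
SIGNATURES = [
    ("unsupported certificate purpose",
     "peer's certificate lacks the purpose its role needs "
     "(here: a user cert was installed on the server)"),
    ("packet HMAC authentication failed",
     "per-packet HMAC mismatch: 'auth' digest or tls-auth/static key "
     "differs between the two sides"),
    ("TLS key negotiation failed to occur within 60 seconds",
     "handshake never completed; the cause is usually logged on the other side"),
]

# Log lines copied from the thread. The openvpn[68502] excerpt under
# 'Other notes' is assumed here to be the pfSense side of the tunnel.
PFSENSE_LINE = (
    "openvpn[68502]: Expected Remote Options String: 'V4,dev-type tun,"
    "link-mtu 1573,tun-mtu 1500,proto UDPv4,tun-ipv6,ifconfig 10.8.8.1 10.8.8.2,"
    "comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,secret'")
EDGEMAX_LINE = (
    "Dec  1 22:36:55 ubnt openvpn[1354]: Local Options String: 'V4,dev-type tun,"
    "link-mtu 1561,tun-mtu 1500,proto UDPv4,ifconfig 10.8.8.1 10.8.8.2,"
    "comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,secret'")
# One line each from the Viscosity and pfSense logs in the thread.
SAMPLE_LOG = [
    "Dec 01 22:24:26: VERIFY ERROR: depth=0, error=unsupported certificate "
    "purpose: C=CA, ST=State, L=City, O=Brailyn, CN=tunnel.my-domain.ca",
    "Dec 1 22:35:54 openvpn[19617]: Authenticate/Decrypt packet error: "
    "packet HMAC authentication failed",
]


def parse_options(opt_string):
    """'V4,dev-type tun,link-mtu 1570,...,tls-server' -> dict.
    Value-less flags (comp-lzo, tls-auth, secret) map to True."""
    opts = {}
    for item in opt_string.split(","):
        item = item.strip()
        if not item or item == "V4":  # leading options-format version tag
            continue
        key, _, value = item.partition(" ")
        opts[key] = value if value else True
    return opts


def options_from_log(line):
    """(kind, options dict) from an OpenVPN options-string log line, else None."""
    m = OPTS_RE.search(line)
    return (m.group(1), parse_options(m.group(2))) if m else None


def diff_options(expected_remote, peer_local):
    """Compare what side A expects its peer to run with what side B
    actually runs. Returns {option: (expected, actual)} per mismatch."""
    keys = set(expected_remote) | set(peer_local)
    return {k: (expected_remote.get(k), peer_local.get(k))
            for k in sorted(keys)
            if expected_remote.get(k) != peer_local.get(k)}


def site_to_site_mismatches():
    """Mismatches between pfSense's expectation and the EdgeMAX side."""
    return diff_options(options_from_log(PFSENSE_LINE)[1],
                        options_from_log(EDGEMAX_LINE)[1])


def classify(log_lines):
    """Distinct diagnoses triggered by a batch of OpenVPN log lines."""
    found = []
    for line in log_lines:
        for needle, diagnosis in SIGNATURES:
            if needle in line and diagnosis not in found:
                found.append(diagnosis)
    return found
```

`site_to_site_mismatches()` reports `auth: ('SHA256', 'SHA1')` alongside the `link-mtu` and `tun-ipv6` differences, which is exactly the `hash sha256` line the fix above added; a differing `auth` digest means every data packet fails HMAC verification even though the static key itself is correct.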


  • LAYER 8 Global Moderator

    "A few of us would appreciate an export wizard for VyOS/Vyatta for the OpenVPN export package."

    Export package doesn't export S2S setups.. Is your OpenVPN on pfSense running in road warrior mode?

    Seems not:
    vtun0 mode site-to-site



  • I'm not certain about road warrior mode, other than being able to access my pfSense while on the road… so yes, that is configured as a separate OpenVPN server.

