Netgate Discussion Forum

[solved]TLS error with Open VPN

  • N
    nhanyeudoi
    last edited by Mar 15, 2016, 2:44 AM Mar 14, 2016, 12:36 PM

    Sorry for my English.
    I'm new to pfSense, and now I want to set up a VPN connection with OpenVPN (client-site). I followed the instructions from this link: https://www.youtube.com/watch?v=VdAHVSTl1ys
    But when I connect from the client PC to pfSense I get this error.
    On Open Gui:
    Mon Mar 14 19:23:25 2016 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=VN, ST=Ho Chi Minh, L=Ho Chi Minh, O=canhabennhau, emailAddress=yeudoivtn17@yahoo.com, CN=nhan
    Mon Mar 14 19:23:25 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Mon Mar 14 19:23:25 2016 TLS Error: TLS object -> incoming plaintext read error
    Mon Mar 14 19:23:25 2016 TLS Error: TLS handshake failed

    On System log - Open VPN
    Mar 14 19:23:49 pfSense openvpn[11258]: 171.254.30.155:32805 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mar 14 19:23:49 pfSense openvpn[11258]: 171.254.30.155:32805 TLS Error: TLS handshake failed
    Mar 14 19:23:57 pfSense openvpn[11258]: 171.254.30.155:32772 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mar 14 19:23:57 pfSense openvpn[11258]: 171.254.30.155:32772 TLS Error: TLS handshake failed
    Mar 14 19:24:08 pfSense openvpn[11258]: 171.254.30.155:32825 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mar 14 19:24:08 pfSense openvpn[11258]: 171.254.30.155:32825 TLS Error: TLS handshake failed

    In Firewall Rules and OpenVPN rules I already have these rules (in the attached pictures).

    Can anyone help me fix this? What am I missing here, and what do I need to do? Thank you so much.
    ![OV rules.jpg](/public/imported_attachments/1/OV rules.jpg)

    • D
      divsys
      last edited by Mar 14, 2016, 10:59 PM

      Mon Mar 14 19:23:25 2016 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=VN, ST=Ho Chi Minh, L=Ho Chi Minh, O=canhabennhau, emailAddress=yeudoivtn17@yahoo.com, CN=nhan
      Mon Mar 14 19:23:25 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
      Mon Mar 14 19:23:25 2016 TLS Error: TLS object -> incoming plaintext read error

      This error leads me to think you created the wrong type of Certificate for the OpenVPN Server.
      The OpenVPN Server requires a certificate of the type: Server
      The OpenVPN Client requires a certificate of the type: User
      Both certificates must use the same Certificate of Authority for their creation.

      Check all your certificates.

      -jfp

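The certificate-type check described in the reply above can be reproduced from a shell with the `openssl` CLI. This is an added example, not part of the thread: the CA, file names and subject names are constructed, and it assumes that the "Server" and "User" certificate types correspond to the `serverAuth` and `clientAuth` extended key usages.

```shell
# Added example with constructed data: a throwaway CA issues one certificate
# marked for server use and one marked for client ("User") use.

# make_pki DIR : write the demo CA, server.crt and user.crt into DIR
make_pki() {
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
[server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[user]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -config "$1/pki.cnf" -extensions ca -newkey rsa:2048 \
    -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
  for kind in server user; do
    openssl req -config "$1/pki.cnf" -newkey rsa:2048 -nodes \
      -subj "/CN=demo-$kind" -keyout "$1/$kind.key" -out "$1/$kind.csr" \
      2>/dev/null || return 1
    openssl x509 -req -in "$1/$kind.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
      -CAcreateserial -days 1 -extfile "$1/pki.cnf" -extensions "$kind" \
      -out "$1/$kind.crt" 2>/dev/null || return 1
  done
}

# usable_as DIR NAME PURPOSE : succeeds only if DIR/NAME.crt chains to the demo
# CA and is allowed for PURPOSE (sslserver or sslclient)
usable_as() {
  openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}

# report DIR : print which role each demo certificate is accepted for
report() {
  for kind in server user; do
    for purpose in sslserver sslclient; do
      if usable_as "$1" "$kind" "$purpose"; then r=ok; else r=REJECTED; fi
      echo "$kind.crt as $purpose: $r"
    done
  done
}

d=$(mktemp -d) && make_pki "$d" && report "$d"; rm -rf "$d"
```

The same `openssl verify -CAfile ... -purpose sslserver` call can be pointed at a CA and server certificate exported from the firewall to confirm which role the certificate was issued for.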
      • N
        nhanyeudoi
        last edited by Mar 15, 2016, 2:33 AM

        Thank you so much for your reply. I'm not sure that I clearly understand your answer. But after I tried again, creating the OpenVPN server and a new certificate in the OpenVPN wizard, it's now OK.
        ;D

        • D
          divsys
          last edited by Mar 15, 2016, 3:10 AM

          Glad you got it working.

          If you want an idea of what your certificates look like take a look through the "Certificate Manager" section of your WebGui.

          Welcome to pfSense!

          -jfp
