-
LonelyPixel
- OpenVpn Newbie
- Posts: 13
- Joined: Fri Nov 23, 2012 7:44 pm
No server certificate verification method has been enabled.
When connecting to my OpenVPN server, I get this message on the client in red colour:
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
I have read that page and acknowledged it. The certificates already have the appropriate settings. How can I make this red line go away?
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11142
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No server certificate verification method has been enabled.
Post
by TinCanTech » Thu May 31, 2018 11:27 am
The HOWTO wrote:Now add the following line to your client configuration:
remote-cert-tls server
-
LonelyPixel
- OpenVpn Newbie
- Posts: 13
- Joined: Fri Nov 23, 2012 7:44 pm
Re: No server certificate verification method has been enabled.
Post
by LonelyPixel » Thu May 31, 2018 12:53 pm
Thanks for the pointer. I haven’t seen this line and thought there’s nothing more to do. Maybe the page layout was a bit too complex or I was already in that «stupid documentation» mood.
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11142
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No server certificate verification method has been enabled.
Post
by TinCanTech » Thu May 31, 2018 1:15 pm
LonelyPixel wrote: ↑
Thu May 31, 2018 12:53 pm
or I was already in that «stupid documentation» mood.
Would you prefer there not to be documentation ?
People put a lot of effort into writing it .. but we can delete it all if you prefer 
-
LonelyPixel
- OpenVpn Newbie
- Posts: 13
- Joined: Fri Nov 23, 2012 7:44 pm
Re: No server certificate verification method has been enabled.
Post
by LonelyPixel » Thu May 31, 2018 5:19 pm
If there is no documentation, I’d be annoyed about it not being there. If there’s a documentation that’s hard to find, use and understand, I’d be annoyed about it being hard to find, use and understand. Please understand that incomplete efforts cannot beat psychology. You can’t sell a product by arguing that you couldn’t do it any better. I’m just giving you feedback on that, other’s won’t and turn somewhere else. I guess you still don’t care because we’re all not paying any money.
And yes, deleting the outdated part of the documentation might indeed be helpful! It just doesn’t look too professional if I turn to the forums about a documentation page from a prominent FAQ list only to hear that it’s long outdated. You see where my impression comes from?
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11142
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No server certificate verification method has been enabled.
Post
by TinCanTech » Thu May 31, 2018 5:56 pm
LonelyPixel wrote: ↑
Thu May 31, 2018 5:19 pm
If there is no documentation, I’d be annoyed about it not being there. If there’s a documentation that’s hard to find, use and understand, I’d be annoyed about it being hard to find, use and understand.
You can help improve it 
LonelyPixel wrote: ↑
Thu May 31, 2018 5:19 pm
You can’t sell a product by arguing that you couldn’t do it any better. I’m just giving you feedback on that, other’s won’t and turn somewhere else. I guess you still don’t care because we’re all not paying any money.
I care which is why I help .. but we need more help.
LonelyPixel wrote: ↑
Thu May 31, 2018 5:19 pm
yes, deleting the outdated part of the documentation might indeed be helpful!
You can help improve it
LonelyPixel wrote: ↑
Thu May 31, 2018 5:19 pm
It just doesn’t look too professional if I turn to the forums about a documentation page from a prominent FAQ list only to hear that it’s long outdated.
At least all the pages of documentation from Openvpn are fully dated, unlike much of the FUD out there .. so you can decide immediately if you want to read it or not.
-
LonelyPixel
- OpenVpn Newbie
- Posts: 13
- Joined: Fri Nov 23, 2012 7:44 pm
Re: No server certificate verification method has been enabled.
Post
by LonelyPixel » Tue Aug 14, 2018 6:58 pm
Oh, that’s been a long time.
I understand that you need more help to keep the docs updated. But I really feel that should be done by people who know what they talk about. You can probably guess from my questions that I’m not one of them. Set aside that I can’t even guess the effort it’d take me to find out how to help with that. Somebody would have to spend a lot of time putting me on the right track that they could better spend in fixing it directly.
-
1_C4T4LY5T
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Jul 06, 2020 12:48 am
Re: No server certificate verification method has been enabled.
Post
by 1_C4T4LY5T » Mon Jul 06, 2020 12:51 am
I see that open vpn error tells me to go here: https://openvpn.net/community-resources/how-to/#mitm
but that makes no sense to me as I’m definitely a noob to vpn’s in general. I did try to add «remote-cert-tls server» to the end of my client config file. When I added it the red error went away but now the client just keeps saying connecting in status and never actually errors or connects for me.
Could I get some help from anyone in a very dumbed down way? like if you were explaining it to your mom for example 
?
Thank you in advance for any help.
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11142
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No server certificate verification method has been enabled.
Post
by TinCanTech » Mon Jul 06, 2020 2:11 am
You mist speak to your server admin
-
1_C4T4LY5T
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Jul 06, 2020 12:48 am
Re: No server certificate verification method has been enabled.
Post
by 1_C4T4LY5T » Mon Jul 06, 2020 2:36 am
I have no server admin. This is an hp elite 8300 sff i7-2600 box I setup server 2019 on and then installed Open VPN. I’d be happy to provide needed info.
I’ve setup the vpn through enabling the open vpn setting on my nighthawk R7000P. I’ve followed the directions from netgear and everything else seems to have setup just as it described …all but this open vpn client starting up.
-
300000
- OpenVPN Expert
- Posts: 688
- Joined: Tue May 01, 2012 9:30 pm
Re: No server certificate verification method has been enabled.
Post
by 300000 » Mon Jul 06, 2020 12:10 pm
You can try paid version on this site and setup is more easy .no more red or whatever notice.
If you want red warning go away you need adding something into openssl config inside easyras so it will adding attribute httpsserver authentication so the warning will go.
That is the way people consider using community version for personal use and paid version for commercial use .
It is only one line of config that work the best and there is no document how to do it either so try to find it yourself .openvpn manual not document it anywhere so people can’t find it
-
Hart, Henry
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Sep 08, 2020 3:02 am
Re: No server certificate verification method has been enabled.
Post
by Hart, Henry » Tue Sep 08, 2020 3:05 am
300000 wrote: ↑
Mon Jul 06, 2020 12:10 pm
You can try paid version on this site and setup is more easy .no more red or whatever notice.
Is this true? I would be more than happy to use the Paid version if I knew that almost nothing would be required of me — no red notices, no errors, no dropped connections with errors (which we too are experiencing now without touching the server and certs are up to date) and 24/7 support. Where do I sign up….
-
300000
- OpenVPN Expert
- Posts: 688
- Joined: Tue May 01, 2012 9:30 pm
Re: No server certificate verification method has been enabled.
Post
by 300000 » Tue Sep 08, 2020 10:42 am
you can download OpenVPN Access Server now to try it , no more red or whatever notice to up set people but only pay money that is how free software work or if you like you can do it yourself simple. infarct red warning make quite scare to use when you want to hide something more than nomal .
I am using XCA to create certificate so for me no red warning at all or whatever but you need to going to openssl to learn how to create certificate and what kind of difference attribute to create all kind of difference certificate to use in all difference situation
Hi guys,
for those who simply want to change location like me and have no network knowledge.
Can you be more specific about which file to custom and where it location? Where in the file can I add your code?
because I can’t find client config file but only client.opvn (C:Program FilesOpenVPNsample-config)
Mon Mar 27 17:05:42 2023 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
Mon Mar 27 17:05:42 2023 OpenVPN 2.6.1 [git:v2.6.1/2c2a98a0e559928c] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Mar 8 2023
Mon Mar 27 17:05:42 2023 Windows version 10.0 (Windows 10 or greater), amd64 executable
Mon Mar 27 17:05:42 2023 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
Mon Mar 27 17:05:42 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Mon Mar 27 17:05:42 2023 Need hold release from management interface, waiting...
Mon Mar 27 17:05:42 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:51102
Mon Mar 27 17:05:43 2023 MANAGEMENT: CMD 'state on'
Mon Mar 27 17:05:43 2023 MANAGEMENT: CMD 'log on all'
Mon Mar 27 17:05:43 2023 MANAGEMENT: CMD 'echo on all'
Mon Mar 27 17:05:43 2023 MANAGEMENT: CMD 'bytecount 5'
Mon Mar 27 17:05:43 2023 MANAGEMENT: CMD 'state'
Mon Mar 27 17:05:43 2023 MANAGEMENT: CMD 'hold off'
Mon Mar 27 17:05:43 2023 MANAGEMENT: CMD 'hold release'
**Mon Mar 27 17:05:43 2023 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.**
Mon Mar 27 17:05:43 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]113.166.128.178:8443
Mon Mar 27 17:05:43 2023 ovpn-dco device [OpenVPN Data Channel Offload] opened
Mon Mar 27 17:05:43 2023 UDP link local: (not bound)
Mon Mar 27 17:05:43 2023 UDP link remote: [AF_INET]113.166.128.178:8443
Mon Mar 27 17:05:43 2023 MANAGEMENT: >STATE:1679911543,WAIT,,,,,,
Mon Mar 27 17:05:45 2023 MANAGEMENT: >STATE:1679911545,AUTH,,,,,,
Mon Mar 27 17:05:45 2023 TLS: Initial packet from [AF_INET]113.166.128.178:8443, sid=bf66666d 85a66410
Mon Mar 27 17:05:46 2023 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
Mon Mar 27 17:05:46 2023 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
Mon Mar 27 17:05:46 2023 VERIFY OK: depth=0, CN=opengw.net
Mon Mar 27 17:05:46 2023 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Mon Mar 27 17:05:46 2023 [opengw.net] Peer Connection Initiated with [AF_INET]113.166.128.178:8443
Mon Mar 27 17:05:46 2023 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Mon Mar 27 17:05:46 2023 TLS: tls_multi_process: initial untrusted session promoted to trusted
I tried to install openvpn on debian squeez (server) and connect from my fedora 17 as (client). Here is my configuration:
server configuration
# Server TCP
proto tcp
port 1194
dev tun
# Keys and certificates
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
# Network
# Virtual address of the VPN network
server 192.170.70.0 255.255.255.0
# This line adds the client to the router network server
push "route 192.168.1.0 255.255.255.0"
# Create a route server to the tun interface
#route 192.170.70.0 255.255.255.0
# Security
keepalive 10 120
# type of data encryption
cipher AES-128-CBC
# enabling compression
comp-lzo
# maximum number of clients allowed
max-clients 10
# no user and group specific to the use of the VPN
user nobody
group nogroup
# to make persistent connection
persist-key
persist-tun
# Log of the OpenVPN status
status /var/log/openvpn-status.log
# logs openvpnlog /var/log/openvpn.log
log-append /var/log/openvpn.log
# verbosity
verb 5
client configuration
client
dev tun
proto tcp-client
remote <my server wan IP> 1194
resolv-retry infinite
cipher AES-128-CBC
# Keys
ca ca.crt
cert client.crt
key client.key
# Security
nobind
persist-key
persist-tun
comp-lzo
verb 3
Message from the host client (fedora 17) in the log file /var/log/messages:
Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> Starting VPN service 'openvpn'...
Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 7470
Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN service 'openvpn' appeared; activating connections
Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN plugin state changed: starting (3)
Dec 6 21:56:01 GlobalTIC NetworkManager[691]: <info> VPN connection 'Connexion VPN 1' (Connect) reply received.
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: OpenVPN 2.2.2 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep 5 2012
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]:[COLOR="Red"][U][B] WARNING: No server certificate verification method has been enabled.[/B][/U][/COLOR] See http://openvpn.net/howto.html#mitm for more info.
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]:[COLOR="Red"] WARNING: file '/home/login/client/client.key' is group or others accessible[/COLOR]
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: UDPv4 link local: [undef]
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: UDPv4 link remote: [COLOR="Red"]<my server wan IP>[/COLOR]:1194
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: [COLOR="Red"]read UDPv4 [ECONNREFUSED]: Connection refused (code=111)[/COLOR]
Dec 6 21:56:03 GlobalTIC nm-openvpn[7472]: [COLOR="Red"]read UDPv4[/COLOR] [ECONNREFUSED]: Connection refused (code=111)
Dec 6 21:56:07 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Dec 6 21:56:15 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Dec 6 21:56:31 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Dec 6 21:56:41 GlobalTIC NetworkManager[691]: <warn> VPN connection 'Connexion VPN 1' (IP Conf[/CODE]
ifconfig on server host(debian):
ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:16:21:ac
inet addr:192.168.1.6 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe16:21ac/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9059 errors:0 dropped:0 overruns:0 frame:0
TX packets:5660 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:919427 (897.8 KiB) TX bytes:1273891 (1.2 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.170.70.1 P-t-P:192.170.70.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
ifconfig on the client host (fedora 17)
as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 5.5.0.1 netmask 255.255.252.0 destination 5.5.0.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 321 (321.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
as0t1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 5.5.4.1 netmask 255.255.252.0 destination 5.5.4.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 321 (321.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
as0t2: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 5.5.8.1 netmask 255.255.252.0 destination 5.5.8.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 321 (321.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
as0t3: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 5.5.12.1 netmask 255.255.252.0 destination 5.5.12.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 321 (321.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
**p255p1**: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::21d:baff:fe20:b7e6 prefixlen 64 scopeid 0x20<link>
ether 00:1d:ba:20:b7:e6 txqueuelen 1000 (Ethernet)
RX packets 4842070 bytes 3579798184 (3.3 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3996158 bytes 2436442882 (2.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16
p255p1 is label for eth0 interface
and
on the server :
root@hoteserver:/etc/openvpn# tree
.
├── client
│** ├── ca.crt
│** ├── client.conf
│** ├── client.crt
│** ├── client.csr
│** ├── client.key
│** ├── client.ovpn
│*
│**
├── easy-rsa
│** ├── build-ca
│** ├── build-dh
│** ├── build-inter
│** ├── build-key
│** ├── build-key-pass
│** ├── build-key-pkcs12
│** ├── build-key-server
│** ├── build-req
│** ├── build-req-pass
│** ├── clean-all
│** ├── inherit-inter
│** ├── keys
│** │** ├── 01.pem
│** │** ├── 02.pem
│** │** ├── ca.crt
│** │** ├── ca.key
│** │** ├── client.crt
│** │** ├── client.csr
│** │** ├── client.key
│** │** ├── dh1024.pem
│** │** ├── index.txt
│** │** ├── index.txt.attr
│** │** ├── index.txt.attr.old
│** │** ├── index.txt.old
│** │** ├── serial
│** │** ├── serial.old
│** │** ├── server.crt
│** │** ├── server.csr
│** │** └── server.key
│** ├── list-crl
│** ├── Makefile
│** ├── openssl-0.9.6.cnf.gz
│** ├── openssl.cnf
│** ├── pkitool
│** ├── README.gz
│** ├── revoke-full
│** ├── sign-req
│** ├── vars
│** └── whichopensslcnf
├── openvpn.log
├── openvpn-status.log
├── server.conf
└── update-resolv-conf
on the client:
[login@hoteclient openvpn]$ tree
.
|-- easy-rsa
| |-- 1.0
| | |-- build-ca
| | |-- build-dh
| | |-- build-inter
| | |-- build-key
| | |-- build-key-pass
| | |-- build-key-pkcs12
| | |-- build-key-server
| | |-- build-req
| | |-- build-req-pass
| | |-- clean-all
| | |-- list-crl
| | |-- make-crl
| | |-- openssl.cnf
| | |-- README
| | |-- revoke-crt
| | |-- revoke-full
| | |-- sign-req
| | `-- vars
| `-- 2.0
| |-- build-ca
| |-- build-dh
| |-- build-inter
| |-- build-key
| |-- build-key-pass
| |-- build-key-pkcs12
| |-- build-key-server
| |-- build-req
| |-- build-req-pass
| |-- clean-all
| |-- inherit-inter
| |-- keys [error opening dir]
| |-- list-crl
| |-- Makefile
| |-- openssl-0.9.6.cnf
| |-- openssl-0.9.8.cnf
| |-- openssl-1.0.0.cnf
| |-- pkitool
| |-- README
| |-- revoke-full
| |-- sign-req
| |-- vars
| `-- whichopensslcnf
|-- keys -> ./easy-rsa/2.0/keys/
`-- server.conf
Is the source of the problem cipher AES-128-CBC, proto tcp-client or UDP or the interface p255p1 on Fedora17 or that file authentification ta.key is not found?
Jun 10 19:57:31 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Fri Jun 10 19:57:31 2016 TLS Error: TLS object -> incoming plaintext read error
Fri Jun 10 19:57:31 2016 TLS Error: TLS handshake failed
Fri Jun 10 19:57:31 2016 Fatal TLS error (check_tls_errors_co), restarting
Fri Jun 10 19:57:31 2016 SIGUSR1[soft,tls-error] received, process restarting
ovpn,debug,error,20076,45952,54076,56464,27884,55388,56408,54072,l2tp,info,54076,debug,79,65535,critical,17776,62372,45968,54712,55464,47496,45952,54852,5
4848,55388,58288,55388,error duplicate packet, dropping
echo: ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,error duplicate packet, dropping
Всех приветствую !
OS-OpenSuse 42.3
OpenVPN-2.3
easyrsa- 3.0.5
Server.conf
Код:
port 1194
proto tcp
dev tun
server 192.168.99.0 255.255.255.0
push "route 192.168.90.0 255.255.255.0"
ca ca.crt
cert blic-vpn.crt
key blic-vpn.key
dh dh.pem
tls-auth ta.key 0
crl-verify crl.pem
key-direction 0
cipher AES-256-CBC
auth SHA256
explicit-exit-notify 0
ifconfig-pool-persist ipp.txt
mute 10
persist-key
persist-tun
max-clients 50
keepalive 10 900
user nobody
group nobody
status openvpn-status.log 1
status-version 3
log-append openvpn-server.log
verb 9
Client.conf
Код:
client
dev tun
remote 192.168.80.21
proto tcp
ca ca.crt
cert adm.crt
key adm.key
cipher AES-256-CBC
auth SHA256
key-direction 1
route-method exe
route-delay 2
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
tls-auth ta.key 1
auth-nocache
Создал тестовый OpenVPN и столкнулся со следующим:
Интерфейс tun подымается
Логи клиента при попытке подключиться к серверу:
Код:
Sat Jan 12 00:51:28 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Sat Jan 12 00:51:28 2019 Windows version 6.1 (Windows 7) 64bit
Sat Jan 12 00:51:28 2019 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Sat Jan 12 00:51:28 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 12 00:51:28 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:28 2019 Attempting to establish TCP connection with [AF_INET]192.168.80.21:1194 [nonblock]
Sat Jan 12 00:51:29 2019 TCP connection established with [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:29 2019 TCP_CLIENT link local: (not bound)
Sat Jan 12 00:51:29 2019 TCP_CLIENT link remote: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:30 2019 Connection reset, restarting [-1]
Sat Jan 12 00:51:30 2019 SIGUSR1[soft,connection-reset] received, process restarting
Sat Jan 12 00:51:35 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 12 00:51:35 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:35 2019 Attempting to establish TCP connection with [AF_INET]192.168.80.21:1194 [nonblock]
Sat Jan 12 00:51:36 2019 TCP connection established with [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:36 2019 TCP_CLIENT link local: (not bound)
Sat Jan 12 00:51:36 2019 TCP_CLIENT link remote: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:36 2019 Connection reset, restarting [-1]
Sat Jan 12 00:51:36 2019 SIGUSR1[soft,connection-reset] received, process restarting
Sat Jan 12 00:51:38 2019 SIGTERM[hard,init_instance] received, process exiting
Как только я комментирую на сервере строку отвечающую за проверку сертификатов:
#crl-verify crl.pem
Клиент подключается и работает как положено.
Лог клиента после удачного подключения:
Код:
Sat Jan 12 00:56:17 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Sat Jan 12 00:56:17 2019 Windows version 6.1 (Windows 7) 64bit
Sat Jan 12 00:56:17 2019 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Sat Jan 12 00:56:17 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 12 00:56:17 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:56:17 2019 Attempting to establish TCP connection with [AF_INET]192.168.80.21:1194 [nonblock]
Sat Jan 12 00:56:18 2019 TCP connection established with [AF_INET]192.168.80.21:1194
Sat Jan 12 00:56:18 2019 TCP_CLIENT link local: (not bound)
Sat Jan 12 00:56:18 2019 TCP_CLIENT link remote: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:56:18 2019 [blic-vpn] Peer Connection Initiated with [AF_INET]192.168.80.21:1194
Sat Jan 12 00:56:20 2019 open_tun
Sat Jan 12 00:56:20 2019 TAP-WIN32 device [Подключение по локальной сети 2] opened: \.Global{61223E3E-B757-452A-B418-E67442450004}.tap
Sat Jan 12 00:56:20 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.88.6/255.255.255.252 on interface {61223E3E-B757-452A-B418-E67442450004} [DHCP-serv: 192.168.88.5, lease-time: 31536000]
Sat Jan 12 00:56:20 2019 Successful ARP Flush on interface [24] {61223E3E-B757-452A-B418-E67442450004}
Sat Jan 12 00:56:20 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Jan 12 00:56:22 2019 env_block: add PATH=C:WindowsSystem32;C:Windows;C:WindowsSystem32Wbem
Sat Jan 12 00:56:22 2019 env_block: add PATH=C:WindowsSystem32;C:Windows;C:WindowsSystem32Wbem
Sat Jan 12 00:56:22 2019 Initialization Sequence Completed
Sat Jan 12 00:56:32 2019 env_block: add PATH=C:WindowsSystem32;C:Windows;C:WindowsSystem32Wbem
Sat Jan 12 00:56:32 2019 env_block: add PATH=C:WindowsSystem32;C:Windows;C:WindowsSystem32Wbem
Sat Jan 12 00:56:32 2019 SIGTERM[hard,] received, process exiting
Дата и время сервер/клиент не расходятся, полность удалял тестовую среду генерил заново.
Ошибка повторяется.
Лог сервера когда строка crl-verify crl.pem не закоментированна (Ошибка.txt)
Лог сервера когда строка crl-verify crl.pem с коментом (Работает.txt)
Последний раз редактировалось leksstav 14.01.2019 15:43, всего редактировалось 2 раза.