Need help fixing error with OpenVPN connection

I had OpenVPN working on 173 last week but after a reboot of IPFire it fails with the OpenVPN GUI v11.39.0.0, OpenVPN v2.6.2 error below. It also fails using OpenVPN Connect 3.3.7 with a similar error, log follows the first one.

I don’t believe there were any updates applied during the reboot so I’m at a loss to explain why it worked before but not after. Any suggestions to fix this are welcome.

2023-04-11 12:13:31 OpenVPN 2.6.2 [git:v2.6.2/3577442530eb7830] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Mar 24 2023
2023-04-11 12:13:31 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-04-11 12:13:31 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-04-11 12:13:31 DCO version: v0
2023-04-11 12:13:31 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
2023-04-11 12:13:31 Need hold release from management interface, waiting...
2023-04-11 12:13:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:5624
2023-04-11 12:13:32 MANAGEMENT: CMD 'hold off'
2023-04-11 12:13:32 MANAGEMENT: CMD 'hold release'
2023-04-11 12:13:32 TCP/UDP: Preserving recently used remote address: [AF_INET]23.24.142.193:1194
2023-04-11 12:13:32 Socket Buffers: R=[65536->65536] S=[65536->65536]
2023-04-11 12:13:32 Attempting to establish TCP connection with [AF_INET]23.24.142.193:1194
2023-04-11 12:13:32 TCP connection established with [AF_INET]23.24.142.193:1194
2023-04-11 12:13:32 TCPv4_CLIENT link local: (not bound)
2023-04-11 12:13:32 TCPv4_CLIENT link remote: [AF_INET]23.24.142.193:1194
2023-04-11 12:13:32 MANAGEMENT: CMD 'state on'
2023-04-11 12:13:32 MANAGEMENT: CMD 'log on all'
2023-04-11 12:13:32 MANAGEMENT: >STATE:1681236812,AUTH,,,,,,
2023-04-11 12:13:32 TLS: Initial packet from [AF_INET]23.24.142.193:1194, sid=84b2fe73 5bd9f53a
2023-04-11 12:13:32 VERIFY ERROR: depth=1, error=self-signed certificate in certificate chain: C=US, ST=Colorado, L=Colorado Springs, O=Westside CARES, OU=IT, CN=Westside CARES CA, emailAddress=administrator@westsidecares.org, serial=17657118651195078939
2023-04-11 12:13:32 OpenSSL: error:0A000086:SSL routines::certificate verify failed
2023-04-11 12:13:32 TLS_ERROR: BIO read tls_read_plaintext error
2023-04-11 12:13:32 TLS Error: TLS object -> incoming plaintext read error
2023-04-11 12:13:32 TLS Error: TLS handshake failed
2023-04-11 12:13:32 Fatal TLS error (check_tls_errors_co), restarting
2023-04-11 12:13:32 SIGUSR1[soft,tls-error] received, process restarting
2023-04-11 12:13:32 MANAGEMENT: >STATE:1681236812,RECONNECTING,tls-error,,,,,
2023-04-11 12:13:32 Restart pause, 1 second(s)
[Apr 11, 2023, 12:21:50] Connecting to [wscfw.westsidecares.org]:1194 (23.24.142.193) via TCPv4
[Apr 11, 2023, 12:21:50] EVENT: CONNECTING
[Apr 11, 2023, 12:21:50] Tunnel Options:V4,dev-type tun,link-mtu 1503,tun-mtu 1400,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client
[Apr 11, 2023, 12:21:50] Creds: UsernameEmpty/PasswordEmpty
[Apr 11, 2023, 12:21:50] Peer Info:
IV_VER=3.git::d3f8b18b
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
IV_AUTO_SESS=1
IV_GUI_VER=OCWindows_3.3.7-2979
IV_SSO=webauth,openurl,crtext

[Apr 11, 2023, 12:21:51] Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Apr 11, 2023, 12:21:51] EVENT: CERT_VERIFY_FAIL OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Apr 11, 2023, 12:21:51] EVENT: DISCONNECTED

Probably related to this.

I changed the encryption to AES-GCM (256 bit) because I saw a “deprecated” message in the logs (that I didn’t post). I deleted the existing connections and built a new one which now works.
