OpenVPN host certificate

In the “Certificate Authorities and -Keys” section of the OpenVPN setup page, the Host Certificate shows an IP that does not exist. (At least I can’t ping the address shown.)

When, on a client, I attempt to connect it fails to connect. The log shows the address mentioned above.

After adding the .ovpn file on the device, the first time I attempt to connect it also shows this certificate when the user is prompted to select. But, I can’t find a way to either generate a new one (in the IPFIRE OpenVPN configuration) or select it (on the client) if I did.

Any guidance appreciated.

If the wrong VPN Hostname or IP was entered when you originally created the Root and Host certificates then the only option is to create a new one.

To create a new Root/Host certificate set you first have to remove the existing one. This is the button at the bottom of the OpenVPN WUI page labelled “Remove x509”.
https://wiki.ipfire.org/configuration/services/openvpn/config/upload_gen#remove-x509

Note that this will remove the Root/Host certificates but also all the client certificates. It basically takes you back to a fresh OpenVPN default page. Creating a new Root/Host certificate set requires all client connections to be re-created as they use the server certificate info.

So before you press the “Remove x509” button (If you do press it then you first get a warning about what will happen) make sure that the issue is an incorrectly defined IP/Hostname. If the OpenVPN clients used to be able to access the IPFire OpenVPN server then something must have changed.

Do you have a static IP from your ISP?

Do you have a Dynamic IP Address from your ISP? If so then when the IP changes your OpenVPN server would no longer be accessible.
In that case, set up a Dynamic DNS address to your ISP IP and use the DDNS name for the OpenVPN server.


Hmm…the dynamic dns sounded like the right thing to do, since the ip address changing was how this all got started.

So I did the Remove x509, then went and set up a dynamic dns service.

Then I re-did the server and created new roadwarrior package.

Moved the package to the device in question, imported it…and it won’t connect.

The log says stuff about CA not defined when I don’t select the only offered cert, and read_cleartext: BIO_read failed…when I do.

That message means that the server certificate failed verification from your client for some reason.

It would be useful if you could show the full log messages from the client and also from the IPFire OpenVPN Server.
You can change sensitive items such as your Dynamic DNS host/domain name.

When you created the client connection did you use a password for the certificate or is password-less?

What log from the ipfire server? I can find nothing in any of the logs about the vpn service.

This is the log from the client. This is the latest log (what was posted earlier was from before I re-did the server with Dyn. DNS).

13:09:40.783 -- ----- OpenVPN Start -----

13:09:40.783 -- EVENT: CORE_THREAD_ACTIVE

13:09:40.797 -- OpenVPN core 3.git::d3f8b18b:Release android arm64 64-bit PT_PROXY

13:09:40.820 -- Frame=512/2048/512 mssfix-ctrl=1250

13:09:40.824 -- UNUSED OPTIONS
0 [tls-client]
2 [nobind]
7 [pkcs12] [MyDevice.p12]
12 [verb] [3]
16 [auth-nocache]
17 [auth-token-user] [USER]
18 [auth-token] [TOTP]
19 [auth-retry] [interact]

13:09:40.826 -- EVENT: RESOLVE

13:09:41.289 -- Contacting ##.##.##.##:1194 via UDP

13:09:41.289 -- EVENT: WAIT

13:09:41.294 -- Connecting to [homeatparker.hopto.org]:1194 (##.##.##.##) via UDPv4

13:09:41.523 -- EVENT: CONNECTING

13:09:41.526 -- Tunnel Options:V4,dev-type tun,link-mtu 1501,tun-mtu 1400,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client

13:09:41.527 -- Creds: UsernameEmpty/PasswordEmpty

13:09:41.528 -- Peer Info:
IV_VER=3.git::d3f8b18b:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.android_3.3.0-8367
IV_SSO=webauth,openurl


13:09:41.765 -- VERIFY FAIL: depth=1, /C=US/ST=NH/L=MYTOWN/O=mydomain/CN=mydomain CA/emailAddress=macdroid53@gmail.com, signature: RSA-SHA512 [self signed certificate in certificate chain]

13:09:41.766 -- Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

13:09:41.767 -- EVENT: CERT_VERIFY_FAIL info='OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed'

13:09:41.775 -- EVENT: DISCONNECTED

13:09:41.776 -- Tunnel bytes per CPU second: 0

13:09:41.776 -- ----- OpenVPN Stop -----


Go to the WUI menu Logs - System Logs and select OpenVPN in the drop down box and then press the Update button.

13:09:42 openvpnserver[23624]:  <device attempting to VPN in>:43765 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
13:09:42 openvpnserver[23624]:  <device attempting to VPN in>:43765 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
13:09:42 openvpnserver[23624]:  <device attempting to VPN in>:43765 TLS: Initial packet from [AF_INET]<device attempting to VPN in>:43765, sid=5143f877 4e6259af
13:09:46 openvpnserver[23624]: read UDPv4 [ECONNREFUSED]:  Connection refused (code=111)
13:09:49 openvpnserver[23624]: read UDPv4 [ECONNREFUSED]:  Connection refused (code=111)
13:09:58 openvpnserver[23624]: read UDPv4 [ECONNREFUSED]:  Connection refused (code=111)
13:10:14 openvpnserver[23624]: read UDPv4 [ECONNREFUSED]:  Connection refused (code=111)
13:10:42 openvpnserver[23624]:  <device attempting to VPN in>:43765 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
13:10:42 openvpnserver[23624]:  <device attempting to VPN in>:43765 TLS Error: TLS handshake failed
13:10:42 openvpnserver[23624]:  <device attempting to VPN in>:43765 SIGUSR1[soft,tls-error] received, client-instance restarting


You have turned on TLS Channel Protection on the server and this is what is failing in the communication between client and server.

When you set up the client did you install the ta.key file from the IPFire client package into the appropriate place in the client for the tls authentication?

The client has an import .ovpn file option. This allows selection of the 3 files in the zip file downloaded and unzipped from the server. When adding a profile I must select the .ovpn and ta.key files otherwise it fails to parse and won’t add the profile.

I didn’t set TLS, at least not knowingly.

In the client settings there is a setting for minimum TLS version, it defaults to “profile default”. But, setting it to any of the options (1.0, 1.3, etc.) seems to make no difference.

The section circled in red if checked is providing TLS Channel Protection and will give you tls-auth in the .ovpn file and you will get a ta.key file that has to be loaded up in your client.

Are you also selecting the .p12 file? That also has to be selected as that is the client certificate for the OpenVPN tunnel.

What client are you using?

Searching on the message

The common issues with this are related to a firewall blocking the communication. In the case of IPFire it is set up to allow OpenVPN communications to occur so that is unlikely to be the problem unless you have specifically created Firewall Rules to block port 1194 or whichever port you are using.

The other cause that is mentioned is

The OpenVPN client config does not have the correct server address in its config file. The remote directive in the client config file must point to either the server itself or the public IP address of the server network’s gateway.

Is the remote directive in your client .ovpn the same as your Dynamic DNS address?
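To make the two checks above (ta.key needed when tls-auth is present, remote matching the DDNS name, and a CA source via .p12 or ca) mechanical, here is an added example that is not from the thread or from IPFire: a small parser for a client .ovpn that lists those findings. The sample profile and the host name vpn.example.net are constructed.

```python
import re

# Constructed sample profile (not from the thread), in the shape of an IPFire
# roadwarrior package: tls-auth with a ta.key and the client cert in a .p12.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.net 1194
pkcs12 MyDevice.p12
tls-auth ta.key 1
"""

def parse_ovpn(text):
    # Map each directive to its arguments (first occurrence wins); skip
    # comments and the contents of inline <ca>...</ca>-style blocks.
    opts, in_block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = re.fullmatch(r"<(\w[\w-]*)>", line)
        if m:
            in_block = m.group(1)
            opts.setdefault(in_block, ["<inline>"])
            continue
        parts = line.split()
        opts.setdefault(parts[0], parts[1:])
    return opts

def check_profile(text, expected_host):
    # Report the profile/client mismatches discussed in this thread.
    opts, findings = parse_ovpn(text), []
    remote = opts.get("remote", [])
    if not remote:
        findings.append("no remote directive")
    elif remote[0] != expected_host:
        findings.append(f"remote {remote[0]} != DDNS name {expected_host}")
    if "tls-auth" in opts:
        findings.append("TLS channel protection on: client must also import " + opts["tls-auth"][0])
    if "pkcs12" in opts:
        findings.append("client cert/CA come from " + opts["pkcs12"][0] + " (set its password when importing)")
    elif "ca" not in opts:
        findings.append("no ca or pkcs12: client cannot verify the server")
    return findings
```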

Ok, so TLS is checked by default and I never changed it.

The client is OpenVPN on Android.

I’m pretty sure I tried selecting all three files at one point, .ovpn, .key, and .p12.

One thing I notice, is when I try to connect it always asks to select a certificate. But, the selection doesn’t show where the offered cert is coming from and doesn’t show enough of it to compare to what’s seen in the server.

I don’t think I have any port blocking specifically for 1194. I do have intrusion prevention enabled with Emergingthreats.net Community Rules.

Currently my cell service is intermittent so can’t tinker…(that’s where the client is installed)

Try this howto: https://community.ipfire.org/t/how-to-set-up-a-roadwarrior-config-in-openvpn-using-openvpn-connect-for-android-and-ios/8366/9?u=cfusco

I tested it many times and following each step would always work.


Thank you! That worked!

The missing step for me was setting the password for the .p12.

Doing that and following the rest of the steps produced more steps (on the client) that I was not offered previously.

And, part of the problem appears to be a stale cert on the phone. I now have the new (working) cert and the stale one. Can’t seem to find a way to remove the old cert.

It’s in the tutorial:

Sigh, that’s what I get for not reading to the end. Thanks.

Don’t worry, I do not read it to the end as well and I wrote it. I also forget 70% of what is in there after I close the window.