CentOS – VPN Certificate Validation Failed (OpenVPN)? CentOS & Ubuntu


Ok, I'll explain what I did… and at the end is the question. Thank you!

To set up my VPN I installed OpenVPN on the server and client machines. On the server I configured the cert authority in the file /etc/openvpn/easy-rsa/vars, editing these lines:

export KEY_COUNTRY="ES"
export KEY_PROVINCE="M"
export KEY_CITY="Madrid"
export KEY_ORG="My Organization"
export KEY_EMAIL="mail@example.com"

Then I generated the cert:

cd /etc/openvpn/easy-rsa/
ln -s openssl-1.0.0.cnf openssl.cnf
source vars
./clean-all
./build-ca

Created the server certs:

./build-key-server myServer

Diffie-Hellman parameters for the server:

./build-dh

Copied certs and keys to /etc/openvpn:

cd keys/
cp myServer.crt myServer.key ca.crt dh1024.pem /etc/openvpn/

Created client certs:

cd /etc/openvpn/easy-rsa/
source vars
./build-key client1

Copied these certs to the client machine and erased them from the server:

/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/cliente.crt
/etc/openvpn/easy-rsa/keys/cliente.key

Edited /etc/openvpn/server.conf with my file names:

ca ca.crt
cert myServer.crt
key myServer.key
dh dh1024.pem

/etc/init.d/openvpn restart

Verified that tun0 is there:

ifconfig tun0

Enabled the ip_forward parameter in /etc/sysctl.conf so packets may flow:

net.ipv4.ip_forward=1

Also enabled network masquerading so the client may access all remote machines:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

and saved the iptables conf so it doesn't disappear on reboot.

Save the conf into a file:

sudo sh -c "iptables-save > /etc/iptables.rules"

Edit /etc/network/interfaces, adding this under the interface (eth0 in this case):

pre-up iptables-restore < /etc/iptables.rules

Ending up with the following server.conf:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

On the client I installed OpenVPN and edited the client.conf file, which is in /etc/openvpn together with the certs ca.crt, client1.key and client1.crt, getting the following client.conf file:

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3

Then restarted:

/etc/init.d/openvpn restart

And when I try to verify that the interface tun0 is there with ifconfig tun0, it is not.

So I checked my log for errors on the client machine, and there is this error:

VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=Es/ST=M/L=Madrid/O=xxx/OU=xxx/CN=myServer/name=xxx/emailAddress=mail@xxxx.co
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
user openvpn[7984]: TLS Error: TLS object -> incoming plaintext read error
user openvpn[7984]: TLS Error: TLS handshake failed

and this is the error in the server's log:

xxx.xxx.xxx.xxx:59439 SIGUSR1[soft,tls-error] received, client-instance restarting
MULTI: multi_create_instance called
xxx.xxx.xxx.xxx:59485 Re-using SSL/TLS context
xxx.xxx.xxx.xxx:59485 LZO compression initialized
xxx.xxx.xxx.xxx:59485 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
xxx.xxx.xxx.xxx:59485 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
xxx.xxx.xxx.xxx:59485 Local Options hash (VER=V4): '530fdded'
xxx.xxx.xxx.xxx:59485 Expected Remote Options hash (VER=V4): '41690919'
xxx.xxx.xxx.xxx:59485 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:59485, sid=0349f4d6 657535c9
xxx.xxx.xxx.xxx:59440 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
xxx.xxx.xxx.xxx:59440 TLS Error: TLS handshake failed
xxx.xxx.xxx.xxx:59440 SIGUSR1[soft,tls-error] received, client-instance restarting

I've created the keys again and added the full path of the certs in the client.conf file, but it still doesn't work. I also tried with all my firewalls disabled and still can't connect to my server because of that error.

Another important thing is that my server is Ubuntu 12.04 and the client is CentOS 6.3.

I can see that I reach my server, but still the connection isn't completed…

What should I do?

If any more config files are needed, tell me and I'll show you.

Best Answer

Your error message indicates that the client doesn't like the certificate presented by the server for whatever reason. Send a copy of server.crt to the client, then run:

openssl verify -purpose any -CAfile ca.crt server.crt

If it's OK, you should get something that looks like `server.crt: OK`.

Basically, you want to check that the server.crt is properly signed by the ca.crt file on the client. You can play with the options to see what a failure looks like by leaving out the -CAfile ca.crt. In this case (or if the ca.crt did not sign the server.crt) you will get some message like:

error 20 at 0 depth lookup:unable to get local issuer certificate

If this is the case, go over your certificate generation process.
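The following script is an added example, not code from the question or the answer above. It builds two throwaway CAs and one server certificate with plain openssl (standing in for easy-rsa's ./build-ca and ./build-key-server), then runs the answer's `openssl verify` check twice: once against the CA that actually issued the server cert (the OK case) and once against a different CA, which produces the same "unable to get local issuer certificate" text seen in the client log. That second case is the situation a client gets into when it still holds a ca.crt from an earlier ./build-ca after ./clean-all regenerated everything on the server; that is a scenario consistent with the error, not a diagnosis the answer made. It also shows the two side checks a practitioner would run next: comparing the CA fingerprint on both machines, and confirming the server cert carries the nsCertType=server extension that the client's `ns-cert-type server` line insists on. CA names, subject fields and file names are made up for the demonstration; only the openssl CLI is required.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: build a throwaway
# CA and server cert with plain openssl (standing in for easy-rsa's ./build-ca and
# ./build-key-server), then run the answer's check once against the CA that
# really issued the cert and once against a different CA, so the OK case and the
# "unable to get local issuer certificate" case can be seen side by side.
# CA names, subject fields and file names are made up for this demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME : self-signed CA certificate + key, like ./build-ca produces
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=ES/ST=M/L=Madrid/O=Example Org/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_server_cert CA NAME : CSR for NAME signed by CA, with the extensions
# ./build-key-server adds (nsCertType=server is what the client's
# "ns-cert-type server" line checks; a plain ./build-key cert lacks it)
make_server_cert() {
    printf 'nsCertType = server\nextendedKeyUsage = serverAuth\n' > "$WORK/server.ext"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=ES/ST=M/L=Madrid/O=Example Org/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# verify_against CA CERT : the answer's command; prints "...: OK" or the error
# text (the exit status is not relied on: old openssl returned 0 either way)
verify_against() {
    openssl verify -purpose any -CAfile "$WORK/$1.crt" "$WORK/$2.crt" 2>&1 || true
}

# ca_fingerprint CA : run this on both machines; two different hashes mean the
# client's ca.crt is not the CA that signed the server certificate
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$WORK/$1.crt" | cut -d= -f2
}

# is_server_cert CERT : succeeds only if the cert carries nsCertType SSL Server
is_server_cert() {
    openssl x509 -noout -text -in "$WORK/$1.crt" \
        | grep -A1 'Netscape Cert Type' | grep -q 'SSL Server'
}

make_ca ca-old                      # CA whose ca.crt was copied to the client earlier
make_ca ca-new                      # CA produced by a later ./clean-all && ./build-ca
make_server_cert ca-new myServer    # server cert issued by the new CA only

echo "matching CA:    $(verify_against ca-new myServer)"
echo "mismatched CA:  $(verify_against ca-old myServer)"
echo "ca-old fingerprint: $(ca_fingerprint ca-old)"
echo "ca-new fingerprint: $(ca_fingerprint ca-new)"
if is_server_cert myServer; then echo "myServer.crt carries nsCertType=server"; fi
```

On a real deployment the fingerprint command is run against /etc/openvpn/ca.crt on the server and on the client; if the two hashes differ, the fix is to copy the server's current ca.crt to the client and reissue the client certificate from that same CA, since a client1.crt signed by the old CA will fail the server's verification in the same way. Note that `ns-cert-type server` only works with certificates that carry the nsCertType extension (which ./build-key-server sets and ./build-key does not), and newer OpenVPN releases have deprecated it in favour of `remote-cert-tls server`, which checks the extendedKeyUsage serverAuth attribute instead.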