Asus RT-N66U & OpenVPN server #2: Certificate error x509 - Error code 0

MuVo

Occasional Visitor
Hello,

Finally I have got OpenVPN Server #1 working between my home and my parents' home, LAN to LAN, using a TAP connection.

Now I would like to have VPN on my iOS devices, but Apple does not support TAP, so I have to use TUN.
I thought no problem, because I had set up a TUN connection for Server #1 earlier, so I wanted to use the same settings from my earlier try on Server #2. The only problem I had earlier with TUN is that OpenVPN times out on the local WiFi network, but connects fine on my 4G cellular network.

Now I have created a TUN network as Server #2. When I connect with my phone and the OpenVPN app, I receive the following certificate error:

[screenshot: certificate error shown by the OpenVPN app on iOS]

At the router the following message is displayed:
[screenshot: error message on the router's VPN server page]


But this message disappears if I save the details page:
https://c1.staticflickr.com/9/8886/18039257382_8156350669_z.jpg

I found out that iOS and Apple have a strict way of using certificates and formats to validate the certs that are used. I think my certificate is wrongly formatted by my Asus router.

What I have tried:
- Regenerating the server certificate by deleting the values in the fields and restarting Server #2
- Manually inserting the cert data into an OpenVPN export file.

Can anyone help solve this issue, or is anyone familiar with certificates? I do not have the know-how about certificates. Thanks.

And because this is my first post here:
Merlin, thank you for the great firmware!
And since I am a Fork user, john9527, thank you for creating the fork!

My router:
Asus RT-N66U
Firmware: 374.43_2-11E1j9527

More info:
Here they talk about the error, but I have no clue how to apply the fix they suggest.
https://forums.openvpn.net/topic11986.html

https://www.kolja-engelmann.de/blog...ssl-error-parsing-ca-certificate-x509-fehler/ <<-- Also no clue how to convert to OpenSSL

Screenshots
Detail Settings of OpenVPN
https://c4.staticflickr.com/8/7694/17419964384_e2627bc28b_z.jpg
https://c4.staticflickr.com/8/7720/17419964484_1cc8a1b683_z.jpg

OpenVPN log on iOS:
[screenshot: OpenVPN client log on iOS]
 
Hopefully, someone with more OpenVPN experience (particularly with iOS) will help out. But here are a couple of things we can start with.

- The error when starting the server
There should be some info in the router syslog about why that is the case. After you start the server and get the error, switch over to the syslog and copy out the end with any openvpn tags and we should be able to see what's going on.

- How are you transferring the .ovpn file over to your client? Did you open the .ovpn on the client to make sure it looks OK?

- Reading through your referenced web sites (good investigation!), one possible solution is to edit the .ovpn file to move the ca to the end of the file. Have you given that a try?
 
1 - This is the log after applying the details settings and starting the server, plus connecting with the OpenVPN client:
May 25 16:09:12 openvpn[497]: 92.**.**.**:63443 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 25 16:09:12 openvpn[497]: 92.**.**.**:63443 TLS Error: TLS handshake failed
May 25 16:09:12 openvpn[497]: 92.**.**.**:63443 SIGUSR1[soft,tls-error] received, client-instance restarting
May 25 16:10:08 rc_service: httpd 324:notify_rc stop_vpnserver2
May 25 16:10:08 kernel: Interface tap22 doesn't exist
May 25 16:10:08 kernel: Interface tun22 doesn't exist
May 25 16:12:02 rc_service: httpd 324:notify_rc start_vpnserver2
May 25 16:12:02 kernel: device tun22 entered promiscuous mode
May 25 16:12:05 openvpn[1138]: OpenVPN 2.3.6 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May 1 2015
May 25 16:12:05 openvpn[1138]: library versions: OpenSSL 1.0.0r 19 Mar 2015, LZO 2.08
May 25 16:12:05 openvpn[1138]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
May 25 16:12:05 openvpn[1138]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
May 25 16:12:05 openvpn[1138]: Diffie-Hellman initialized with 512 bit key
May 25 16:12:05 openvpn[1138]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
May 25 16:12:05 openvpn[1138]: Socket Buffers: R=[118784->131072] S=[118784->131072]
May 25 16:12:05 openvpn[1138]: TCP/UDP: Socket bind failed on local address [undef]: Address already in use
May 25 16:12:05 openvpn[1138]: Exiting due to fatal error
May 25 16:13:11 openvpn[497]: 92.**.**.**:63475 TLS: Initial packet from [AF_INET]92.69.232.91:63475, sid=a74bb70b a8f4c5af


2 - I sent my OVPN file via a mail address (via my work email) to my phone. The OVPN file looks good I think; it has the following style:
client
dev tun
proto udp
remote ******** 1194
float
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
**********
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
*******
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
***********
-----END PRIVATE KEY-----
</key>
ns-cert-type server
resolv-retry infinite
nobind

3 - I understand what you mean, but I don't understand which part of the OVPN file to move where. Do you mean this:
client
dev tun
proto udp
remote ******** 1194
float
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
auth-user-pass
<cert>
-----BEGIN CERTIFICATE-----
*******
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
***********
-----END PRIVATE KEY-----
</key>
<ca>
-----BEGIN CERTIFICATE-----
**********
-----END CERTIFICATE-----
</ca>
ns-cert-type server
resolv-retry infinite
nobind

I will try this updated OVPN file.

Edit:
I tried to regenerate the OVPN file and restarted the VPN server; Error 0 showed up. This is the log:
May 25 16:31:19 rc_service: httpd 324:notify_rc start_vpnserver2
May 25 16:31:19 kernel: device tun22 entered promiscuous mode
May 25 16:31:56 openvpn[1309]: OpenVPN 2.3.6 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May 1 2015
May 25 16:31:56 openvpn[1309]: library versions: OpenSSL 1.0.0r 19 Mar 2015, LZO 2.08
May 25 16:31:56 openvpn[1309]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
May 25 16:31:56 openvpn[1309]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
May 25 16:31:56 openvpn[1309]: Diffie-Hellman initialized with 512 bit key
May 25 16:31:56 openvpn[1309]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
May 25 16:31:56 openvpn[1309]: Socket Buffers: R=[118784->131072] S=[118784->131072]
May 25 16:31:56 openvpn[1309]: TCP/UDP: Socket bind failed on local address [undef]: Address already in use
May 25 16:31:56 openvpn[1309]: Exiting due to fatal error

Thanks for your help :)
 
1 - This is the log after applying the details settings and starting the server, plus connecting with the OpenVPN client:
Can you do a log capture after starting the server, but before starting the client?

2 - I sent my OVPN file via a mail address (via my work email) to my phone. The OVPN file looks good I think; it has the following style:
Don't see anything obviously wrong there.
3 - I understand what you mean, but I don't understand which part of the OVPN file to move where. Do you mean this:
I will try this updated OVPN file.
Hard to tell from the post if they meant 'end of certs' or 'end of file'....

At this point, I'd try a little bit of a reset. Turn off the server, then reboot the router. Turn on the server (and capture the syslog).
Try this .ovpn file and try to connect again....
Code:
client
dev tun
proto udp
remote ******** 1194
float
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
resolv-retry infinite
nobind
<cert>
-----BEGIN CERTIFICATE-----
*******
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
***********
-----END PRIVATE KEY-----
</key>
<ca>
-----BEGIN CERTIFICATE-----
**********
-----END CERTIFICATE-----
</ca>

Capture the syslog again.
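The posts above go back and forth over where the inline <ca>, <cert> and <key> blocks sit in the .ovpn file. This added checker (not from the thread or the firmware) pulls the inline blocks out of a profile in whatever order they appear, verifies that each PEM body is consistently armoured and decodes to DER, and reports which of the three blocks are missing, which is what the "short" export later in the thread would have shown. The profile and PEM bodies are constructed placeholders, not real keys.

```python
import base64
import re

# Constructed sample profile in the layout suggested above (ca block last).
# The PEM bodies are tiny placeholder DER SEQUENCEs, not real certificates or keys.
SAMPLE_OVPN = """client
dev tun
proto udp
remote vpn.example.invalid 1194
auth-user-pass
ns-cert-type server
nobind
<cert>
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MAMCAQE=
-----END PRIVATE KEY-----
</key>
<ca>
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
</ca>
"""

INLINE_RE = re.compile(r"<(?P<tag>ca|cert|key|tls-auth|dh)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)
PEM_RE = re.compile(r"-----BEGIN (?P<label>[A-Z ]+)-----\n(?P<b64>.*?)\n-----END (?P=label)-----", re.S)

def parse_inline_blocks(text):
    """Return {tag: pem_text} for every inline block, in whatever order it appears."""
    return {m.group("tag"): m.group("body").strip() for m in INLINE_RE.finditer(text)}

def pem_is_wellformed(pem):
    """True if BEGIN/END labels match and the body is base64 of a DER SEQUENCE (tag 0x30)."""
    m = PEM_RE.fullmatch(pem.strip())
    if not m:
        return False
    try:
        der = base64.b64decode("".join(m.group("b64").split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 0 and der[0] == 0x30

def check_ovpn(text):
    """Map each inline block to its well-formedness, plus the list of required blocks that are absent."""
    blocks = parse_inline_blocks(text)
    report = {tag: pem_is_wellformed(pem) for tag, pem in blocks.items()}
    report["missing"] = sorted({"ca", "cert", "key"} - set(blocks))
    return report
```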
 
I have followed your instructions; this is the log:
May 25 20:38:39 rc_service: httpd 324:notify_rc start_vpnserver2
May 25 20:38:39 kernel: device tun22 entered promiscuous mode
May 25 20:39:40 openvpn[623]: OpenVPN 2.3.6 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May 1 2015
May 25 20:39:40 openvpn[623]: library versions: OpenSSL 1.0.0r 19 Mar 2015, LZO 2.08
May 25 20:39:40 openvpn[623]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
May 25 20:39:40 openvpn[623]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
May 25 20:39:40 openvpn[623]: Diffie-Hellman initialized with 512 bit key
May 25 20:39:40 openvpn[623]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
May 25 20:39:40 openvpn[623]: Socket Buffers: R=[118784->131072] S=[118784->131072]
May 25 20:39:40 openvpn[623]: TCP/UDP: Socket bind failed on local address [undef]: Address already in use
May 25 20:39:40 openvpn[623]: Exiting due to fatal error
May 25 20:43:21 openvpn[497]: **********:63384 TLS: Initial packet from [AF_INET]**********:63384, sid=51215dde 53d5b7a1
May 25 20:43:45 openvpn[497]: **********:63404 TLS: Initial packet from [AF_INET]**********:63404, sid=16439cca 9f5b8237
May 25 20:44:21 openvpn[497]: **********:63384 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 25 20:44:21 openvpn[497]: **********:63384 TLS Error: TLS handshake failed
May 25 20:44:21 openvpn[497]: **********:63384 SIGUSR1[soft,tls-error] received, client-instance restarting


I made some errors bold. It seems to me that it is trying to connect to OpenVPN server #1, and comparing the certificate of server #2 with the one of server #1?

The OVPN file that was generated by the export was short:
client
dev tun
proto udp
remote ****** 1194
float
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
********
-----END CERTIFICATE-----
</ca>
ns-cert-type server
resolv-retry infinite
nobind


Is this OVPN file too short?
On the Details page, "Content modification of Keys & Certificates" is correctly filled in.
I resaved the Details page, which resulted in the following log:
May 25 20:45:04 dnsmasq-dhcp[323]: DHCPINFORM(br0) 10.40.46.11 34:02:86:84:85:af
May 25 20:45:04 dnsmasq-dhcp[323]: DHCPACK(br0) 10.40.46.11 34:02:86:84:85:af 3RFRP32
May 25 20:51:13 dnsmasq-dhcp[323]: DHCPINFORM(br0) 10.40.46.11 34:02:86:84:85:af
May 25 20:51:13 dnsmasq-dhcp[323]: DHCPACK(br0) 10.40.46.11 34:02:86:84:85:af 3RFRP32
May 25 20:51:55 rc_service: httpd 324:notify_rc restart_vpnserver2
May 25 20:51:55 kernel: Interface tap22 doesn't exist
May 25 20:51:55 kernel: Interface tun22 doesn't exist
May 25 20:51:55 kernel: device tun22 entered promiscuous mode
May 25 20:51:58 openvpn[674]: OpenVPN 2.3.6 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May 1 2015
May 25 20:51:58 openvpn[674]: library versions: OpenSSL 1.0.0r 19 Mar 2015, LZO 2.08
May 25 20:51:58 openvpn[674]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
May 25 20:51:58 openvpn[674]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
May 25 20:51:58 openvpn[674]: Diffie-Hellman initialized with 512 bit key
May 25 20:51:58 openvpn[674]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
May 25 20:51:58 openvpn[674]: Socket Buffers: R=[118784->131072] S=[118784->131072]
May 25 20:51:58 openvpn[674]: TCP/UDP: Socket bind failed on local address [undef]: Address already in use
May 25 20:51:58 openvpn[674]: Exiting due to fatal error

I hope this information is clear for you.
 
Duh...(slaps forehead!)

It's telling us exactly what's wrong. If you are trying to run both servers at the same time, you need to change the port for one of the servers from 1194 to something else (try 1195).

But you need to think a bit about having both active at the same time.....with an N66 you'll probably bring its single MIPS processor to its knees with activity on both servers at the same time.
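The diagnosis above comes straight from the syslog: the second server instance dies on "Address already in use", and the same log also carries two warnings worth acting on (a 512-bit DH key and --client-cert-not-required). This added triage script (not from the thread or the firmware) runs those checks over a constructed excerpt modelled on the posted log; the PIDs and client address are placeholders, not the original poster's values.

```python
import re

# Constructed syslog excerpt modelled on the log posted above (placeholder PIDs/addresses).
SAMPLE_SYSLOG = """May 25 20:39:40 openvpn[623]: Diffie-Hellman initialized with 512 bit key
May 25 20:39:40 openvpn[623]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
May 25 20:39:40 openvpn[623]: TCP/UDP: Socket bind failed on local address [undef]: Address already in use
May 25 20:39:40 openvpn[623]: Exiting due to fatal error
May 25 20:43:21 kernel: device tun22 entered promiscuous mode
May 25 20:44:21 openvpn[497]: 203.0.113.5:63384 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# (rule name, pattern on the message part, severity, what a defender should do about it)
RULES = [
    ("port_conflict", re.compile(r"Socket bind failed .*Address already in use"), "fatal",
     "another process already owns the listening port (here: the other OpenVPN server); give each server its own port"),
    ("weak_dh", re.compile(r"Diffie-Hellman initialized with (\d+) bit key"), "weak",
     "DH parameters shorter than 2048 bits; regenerate them"),
    ("no_client_cert", re.compile(r"--client-cert-not-required"), "weak",
     "clients are authenticated by username/password only; require client certificates"),
    ("tls_timeout", re.compile(r"TLS key negotiation failed to occur within"), "info",
     "a client reached a server but the handshake never completed (wrong server/port, filtered UDP, or a dead instance)"),
]

def triage(syslog_text):
    """Return findings as dicts (pid, rule, severity, advice) for every openvpn line that matches a rule."""
    findings = []
    for line in syslog_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # dnsmasq, kernel and rc_service lines are skipped
        for name, rx, severity, advice in RULES:
            hit = rx.search(m.group("msg"))
            if not hit:
                continue
            if name == "weak_dh" and int(hit.group(1)) >= 2048:
                continue  # strong enough, not a finding
            findings.append({"pid": int(m.group("pid")), "rule": name, "severity": severity, "advice": advice})
    return findings

def crashed_instances(findings):
    """PIDs with a fatal finding: these server instances never came up, whatever the client later reports."""
    return sorted({f["pid"] for f in findings if f["severity"] == "fatal"})
```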
 
You don't need 2 OpenVPN servers; one is enough to do that :)

Also, the configuration shows that client-cert-not-required seems to be configured, so you do not have to have a trusted client cert in order to connect to your OpenVPN server, which is not a secure way to do it. What you also could do is switch off compression; the processor is busy enough with encrypting/decrypting, so extra load (compressing/decompressing) is not a good idea.
 
Changing port 1194 to 1195 didn't work. But first I regenerated the certificate, then I set it to TCP and used port 1195. Started the server, sent the OVPN file... and it WORKS!! :-D

A small port problem, but thanks for helping solve it. Thank you!! OpenVPN is now also working on my local WiFi network.

I will test the performance; the first server will be less active for now. I will keep OpenVPN on my phone always on. I will test how it works out.

Today I tested the download speed from server #1 at my parents' home. At my home I have an upload of 100 Mbit; I downloaded a 500 MB file from my NAS at home (SMB protocol). I was receiving 2 MB download speed. Is this good performance?

If the N66U cannot keep up with the tasks I use it for, then I have to upgrade. But for now it is fine :)

Thanks again :)
 
Glad to hear you got it working!

As far as performance goes, there's a lot that goes into it and some tuning you can try (mtu in particular). If you do a search on 'OpenVPN performance' you can find multiple threads on the topic. (Your parents' service speed also comes into play.) Your ISP could also be throttling things behind the scenes. The journey begins :)
 