Certificate Revocation List killed OpenVPN

Pila

Regular Contributor
I feel there might be a problem with deleting a single existing entry from the revocation list. It was very hard to actually remove it, and when I managed to clear the revocation list, my VPN was dead.

Asus RT-AC56U, fw380.57

I wanted to verify OpenVPN Certificate Revocation is working using "my" OpenVPN server (meaning, with my certs, not a default one I used for testing). VPN was working normally prior to that. I was using the same client all the time.

After adding a cert to the Certificate Revocation List, that particular client was blocked as it should.

OK, let's remove it, we were just testing. Nope. After some 4-5-7-9 tries, combining turning that server on/off with deleting the entered data, I managed to remove the cert from the Revocation list. But now I was not able to connect to my OpenVPN any more. Switching to the second server (with all default certs) was also a no-go. Somehow I managed to untangle them and connect to the default server, but not to "my" server.

The problem was solved by manually deleting all files related to "my" server and rebuilding it again with the same certs of mine. Not an action any regular user can do.

Possible clues lie in the log:

Code:
Mar 24 20:16:21 openvpn[1139]: 10.212.207.103:36248 CRL: cannot read CRL from file crl.pem
Mar 24 20:16:21 openvpn[1139]: 10.212.207.103:36248 TLS_ERROR: BIO read tls_read_plaintext error: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Mar 24 20:16:21 openvpn[1139]: 10.212.207.103:36248 TLS Error: TLS object -> incoming plaintext read error
Mar 24 20:16:21 openvpn[1139]: 10.212.207.103:36248 TLS Error: TLS handshake failed
Mar 24 20:16:21 openvpn[1139]: 10.212.207.103:36248 SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 24 20:16:54 openvpn[1139]: 10.212.207.103:42066 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 24 20:16:54 openvpn[1139]: 10.212.207.103:42066 TLS Error: TLS handshake failed
Mar 24 20:16:54 openvpn[1139]: 10.212.207.103:42066 SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 24 20:16:55 openvpn[1139]: 10.212.207.103:44029 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 24 20:16:55 openvpn[1139]: 10.212.207.103:44029 TLS Error: TLS handshake failed
Mar 24 20:16:55 openvpn[1139]: 10.212.207.103:44029 SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 24 20:16:55 openvpn[1139]: 10.212.207.103:35306 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 24 20:16:55 openvpn[1139]: 10.212.207.103:35306 TLS Error: TLS handshake failed
Mar 24 20:16:55 openvpn[1139]: 10.212.207.103:35306 SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 24 20:16:55 openvpn[1139]: 10.212.207.103:52267 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 24 20:16:55 openvpn[1139]: 10.212.207.103:52267 TLS Error: TLS handshake failed
Mar 24 20:16:55 openvpn[1139]: 10.212.207.103:52267 SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 24 20:16:55 openvpn[1139]: 10.212.207.103:60980 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 24 20:16:55 openvpn[1139]: 10.212.207.103:60980 TLS Error: TLS handshake failed
Mar 24 20:16:55 openvpn[1139]: 10.212.207.103:60980 SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 24 20:16:56 openvpn[1139]: 10.212.207.103:38906 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 24 20:16:56 openvpn[1139]: 10.212.207.103:38906 TLS Error: TLS handshake failed
Mar 24 20:16:56 openvpn[1139]: 10.212.207.103:38906 SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 24 20:16:58 openvpn[1139]: event_wait : Interrupted system call (code=4)
Mar 24 20:16:58 openvpn[1139]: TITLE,OpenVPN 2.3.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 24 2015
Mar 24 20:16:58 openvpn[1139]: TIME,Thu Mar 24 20:16:58 2016,1458847018
Mar 24 20:16:58 openvpn[1139]: HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username
Mar 24 20:16:58 openvpn[1139]: HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
Mar 24 20:16:58 openvpn[1139]: GLOBAL_STATS,Max bcast/mcast queue length,0
Mar 24 20:16:58 openvpn[1139]: END
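The line "CRL: cannot read CRL from file crl.pem" in the log above is the key one: when the file named by crl-verify cannot be parsed, OpenVPN 2.3 fails the certificate check for every client, not just the revoked one. A cleared revocation list must therefore still be a well-formed CRL with zero entries, never an empty or half-written file. The following is an added example (not code from the post, from OpenVPN or from the Asus firmware) that pre-flights a crl.pem the way a practitioner would before restarting the server. It uses a minimal hand-written DER walker so it runs offline with no third-party modules; the sample CRL it builds is a constructed fixture with a placeholder signature, and the example deliberately does not verify CRL signatures (OpenSSL does that at runtime). The serial numbers and "Test CA" issuer are assumptions for the demo.

```python
"""Pre-flight check for an OpenVPN crl.pem (added example, not project code).

An unreadable CRL is what the log shows as "cannot read CRL from file", and
it rejects EVERY client.  parse_crl_pem() raises CrlError in exactly those
cases; crl_verdict() mirrors the resulting accept/reject decision.
"""
import base64
import binascii

PEM_BEGIN = "-----BEGIN X509 CRL-----"
PEM_END = "-----END X509 CRL-----"


class CrlError(Exception):
    """Anything OpenVPN would log as 'cannot read CRL from file'."""


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise CrlError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N then N length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise CrlError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise CrlError("DER value runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value (SEQUENCE/SET) into [(tag, value), ...]."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_crl_pem(text):
    """Return the set of revoked serial numbers in a PEM CRL.

    Raises CrlError for an empty file, missing PEM armour, bad base64 or
    malformed DER, i.e. the cases in which OpenVPN refuses every client.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    if PEM_BEGIN not in lines or PEM_END not in lines:
        raise CrlError("no PEM CRL block in crl.pem (empty or corrupt file?)")
    body = "".join(lines[lines.index(PEM_BEGIN) + 1:lines.index(PEM_END)])
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise CrlError("bad base64 in crl.pem: %s" % exc)
    tag, cert_list, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise CrlError("CertificateList is not a single SEQUENCE")
    tbs_tag, tbs, _ = _read_tlv(cert_list, 0)
    if tbs_tag != 0x30:
        raise CrlError("tbsCertList is not a SEQUENCE")
    fields = _children(tbs)
    if fields and fields[0][0] == 0x02:    # optional version INTEGER
        fields = fields[1:]
    if len(fields) < 3:
        raise CrlError("tbsCertList lacks signature/issuer/thisUpdate")
    # fields[0]=signature, [1]=issuer, [2]=thisUpdate; then optional nextUpdate,
    # optional revokedCertificates (SEQUENCE) and [0] crlExtensions.
    revoked = set()
    for tag, val in fields[3:]:
        if tag == 0x30:                    # revokedCertificates
            for entry_tag, entry in _children(val):
                if entry_tag != 0x30:
                    raise CrlError("revoked entry is not a SEQUENCE")
                serial_tag, serial = _children(entry)[0]
                if serial_tag != 0x02:
                    raise CrlError("userCertificate is not an INTEGER")
                revoked.add(int.from_bytes(serial, "big", signed=True))
            break
    return revoked


def crl_verdict(crl_text, client_serial):
    """What crl-verify does with a connecting client's certificate serial.

    "crl-unreadable" is the state in the log above: every client is rejected.
    """
    try:
        revoked = parse_crl_pem(crl_text)
    except CrlError:
        return "crl-unreadable"
    return "revoked" if client_serial in revoked else "accept"


# Constructed fixture: a tiny DER encoder so the demo runs offline.
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _int(n):
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _seq(*parts):
    return _tlv(0x30, b"".join(parts))


def build_sample_crl_pem(serials):
    """Syntactically valid CRL with a placeholder (unverifiable) signature."""
    sha256_rsa = _seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b")), _tlv(0x05, b""))
    issuer = _seq(_tlv(0x31, _seq(_tlv(0x06, b"\x55\x04\x03"), _tlv(0x13, b"Test CA"))))
    tbs = [_int(1), sha256_rsa, issuer, _tlv(0x17, b"160324201621Z"), _tlv(0x17, b"170324201621Z")]
    if serials:                            # RFC 5280: omit the SEQUENCE when empty
        tbs.append(_seq(*[_seq(_int(s), _tlv(0x17, b"160324201621Z")) for s in serials]))
    der = _seq(_seq(*tbs), sha256_rsa, _tlv(0x03, b"\x00" * 33))  # dummy BIT STRING
    b64 = base64.b64encode(der).decode()
    return "\n".join([PEM_BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [PEM_END]) + "\n"
```

Run parse_crl_pem() over the real crl.pem (or openssl crl -noout -in crl.pem, which does the same parse) before restarting the server: a CRL with an empty revokedCertificates is accepted and admits everyone, while an empty file or a truncated write is rejected and locks everyone out, which is the difference between "list cleared" and "VPN dead" in the post.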