openvpn server can't connect


sabot105mm

openvpn server can't connect (solved)

router ip 10.9.10.1 255.255.255.240

openvpn subnet 10.8.0.0 255.255.255.0

client computer win 7 can't connect

iptables
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere            udp dpt:1194 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere            udp dpt:1194 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4672 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4665 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:4662 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:51413 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:51413 
logdrop    all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            state NEW 
ACCEPT     all  --  anywhere             anywhere            state NEW 
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc 
ACCEPT     tcp  --  anywhere             www.asusnetwork.net tcp dpt:www 
ACCEPT     tcp  --  anywhere             www.asusnetwork.net tcp dpt:8443 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8082 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1723 
ACCEPT     gre  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
logdrop    all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
logdrop    all  --  anywhere             anywhere            
logdrop    all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 
ACCEPT     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5 
ACCEPT     all  --  anywhere             anywhere            ctstate DNAT 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4672 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4665 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:4662 

Chain FUPNP (0 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             Gary-PC             tcp dpt:6783 
ACCEPT     tcp  --  anywhere             Gary-PC             tcp dpt:6784 
ACCEPT     tcp  --  anywhere             Gary-PC             tcp dpt:6785 

Chain PControls (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain logaccept (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT ' 
ACCEPT     all  --  anywhere             anywhere            

Chain logdrop (4 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP' 
DROP       all  --  anywhere             anywhere
routes
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun21
Xxxx.             *               255.255.255.255 UH    0      0        0 WAN
10.9.10.0       *               255.255.255.240 U     0      0        0 LAN
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun21
Xxxx              *               255.255.252.0   U     0      0        0 WAN
default         Xxxx      0.0.0.0         UG    0      0        0 WAN
router log
Code:
Feb 20 00:35:42 notify_rc : start_vpnserver1
Feb 20 00:35:42 kernel: tun: Universal TUN/TAP device driver, 1.6
Feb 20 00:35:42 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Feb 20 00:35:42 kernel: device tun21 entered promiscuous mode
Feb 20 00:35:42 openvpn[16877]: OpenVPN 2.3.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Feb 13 2013
Feb 20 00:35:42 openvpn[16877]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Feb 20 00:35:42 openvpn[16877]: Diffie-Hellman initialized with 1024 bit key
Feb 20 00:35:42 openvpn[16877]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Feb 20 00:35:42 openvpn[16877]: TUN/TAP device tun21 opened
Feb 20 00:35:42 openvpn[16877]: TUN/TAP TX queue length set to 100
Feb 20 00:35:42 openvpn[16877]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Feb 20 00:35:42 openvpn[16877]: /sbin/ifconfig tun21 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Feb 20 00:35:42 openvpn[16877]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Feb 20 00:35:42 openvpn[16885]: UDPv4 link local (bound): [undef]
Feb 20 00:35:42 openvpn[16885]: UDPv4 link remote: [undef]
Feb 20 00:35:42 openvpn[16885]: MULTI: multi_init called, r=256 v=256
Feb 20 00:35:42 openvpn[16885]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Feb 20 00:35:42 openvpn[16885]: Initialization Sequence Completed
Feb 20 00:35:42 openvpn[16885]: 10.9.10.5:63644 TLS: Initial packet from [AF_INET]10.9.10.5:63644, sid=9b36932a 2e4d0df2

Feb 20 00:36:15 openvpn[16885]: 10.9.10.5:63645 TLS: Initial packet from [AF_INET]10.9.10.5:63645, sid=6d9c5462 264435ef
Feb 20 00:36:17 kernel: printk: 15 messages suppressed.
Feb 20 00:36:17 kernel: protocol 0000 is buggy, dev eth0
client log
Code:
Wed Feb 20 00:36:14 2013 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010
Wed Feb 20 00:36:14 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Wed Feb 20 00:36:14 2013 Control Channel MTU parms [ L:1557 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Feb 20 00:36:14 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Feb 20 00:36:14 2013 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Wed Feb 20 00:36:14 2013 Local Options hash (VER=V4): '8326dbaa'
Wed Feb 20 00:36:14 2013 Expected Remote Options hash (VER=V4): 'b7f67de4'
Wed Feb 20 00:36:14 2013 UDPv4 link local: [undef]
Wed Feb 20 00:36:14 2013 UDPv4 link remote: x.x.x.x:1194
Wed Feb 20 00:36:44 2013 TCP/UDP: Incoming packet rejected from 10.9.10.1:1194[2], expected peer address: x.x.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)
Wed Feb 20 00:37:14 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Feb 20 00:37:14 2013 TLS Error: TLS handshake failed
Wed Feb 20 00:37:14 2013 TCP/UDP: Closing socket
Wed Feb 20 00:37:14 2013 SIGUSR1[soft,tls-error] received, process restarting
Wed Feb 20 00:37:14 2013 Restart pause, 2 second(s)
Wed Feb 20 00:37:16 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Wed Feb 20 00:37:16 2013 Re-using SSL/TLS context
Wed Feb 20 00:37:16 2013 Control Channel MTU parms [ L:1557 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Feb 20 00:37:16 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Feb 20 00:37:16 2013 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Wed Feb 20 00:37:16 2013 Local Options hash (VER=V4): '8326dbaa'
Wed Feb 20 00:37:16 2013 Expected Remote Options hash (VER=V4): 'b7f67de4'
Wed Feb 20 00:37:16 2013 UDPv4 link local: [undef]
Wed Feb 20 00:37:16 2013 UDPv4 link remote: xxxx:1194
Wed Feb 20 00:37:16 2013 TCP/UDP: Incoming packet rejected from 10.9.10.1:1194[2], expected peer address: xxxx:1194 (allow this incoming source address/port by removing --remote or adding --float

 
router ip 10.9.10.1 255.255.255.240

openvpn subnet 10.8.0.0 255.255.255.0

client computer win 7 can't connect

How (process) did you "mount" your Win7 client?

GH
 
What remote IP are you using in your client config? Are you using your public IP address? It looks as though it is receiving a connection attempt from an IP different than the remote IP in the client config and thus it is not establishing the connection. This can happen if NAT/PAT is set up improperly, among other things. Need a little more info.

Could you also post the nat table?

Code:
iptables -t nat -L POSTROUTING -v

Thanks
 
iptables nat

Code:
Chain POSTROUTING (policy ACCEPT 92609 packets, 24M bytes)
 pkts bytes target     prot opt in     out     source               destination                                    
 3513  207K MASQUERADE  all  --  any    eth0   !c-XX-XX-XX-XX.hsd1.fl.comcast.net  anywhere
    0     0 MASQUERADE  all  --  any    any     anywhere             anywhere       MARK match 0xd001

I believe I know why I was getting that error:
TCP/UDP: Incoming packet rejected from 10.9.10.1:1194[2], expected peer address: xxxx:1194
I was connecting from the same network as the server, so I tried connecting from a different network and got this error:
Code:
Thu Feb 21 11:05:14 2013 OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010
Thu Feb 21 11:05:14 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

Thu Feb 21 11:05:14 2013 Control Channel MTU parms [ L:1557 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Feb 21 11:05:14 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Feb 21 11:05:15 2013 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Thu Feb 21 11:05:15 2013 Local Options hash (VER=V4): '8326dbaa'
Thu Feb 21 11:05:15 2013 Expected Remote Options hash (VER=V4): 'b7f67de4'
Thu Feb 21 11:05:15 2013 UDPv4 link local: [undef]
Thu Feb 21 11:05:15 2013 UDPv4 link remote: XX.XX.XX.XX:1194
Thu Feb 21 11:05:15 2013 TLS: Initial packet from XX.XX.XX.XX:1194, sid=a4139b2f 402d3d3b
Thu Feb 21 11:05:16 2013 VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=US/ST=Florida/L=Sarasota/O=Home/OU=Home1/CN=server1/name=Openvpn/emailAddress=Xxx
Thu Feb 21 11:05:16 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Thu Feb 21 11:05:16 2013 TLS Error: TLS object -> incoming plaintext read error
Thu Feb 21 11:05:16 2013 TLS Error: TLS handshake failed
Thu Feb 21 11:05:16 2013 TCP/UDP: Closing socket
Thu Feb 21 11:05:16 2013 SIGUSR1[soft,tls-error] received, process restarting
Thu Feb 21 11:05:16 2013 Restart pause, 2 second(s)
 
How (process) did you "mount" your Win7 client?

GH
By mount you mean what program am I using to connect? I'm using the openvpn .ovpn file

Code:
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote xxxx.asuscomm.com 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
ca [inline]
cert [inline]
key [inline]
# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
;static.key

<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
tls-client


# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
;comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
 
I believe I know why I was getting that error.
I was connecting from the same network as the server, so I tried connecting from a different network and got this error.

I was actually going to ask this very question in my last post.

I see in your client config that you are using a tun interface. Are you also set for the same on the server? It looks like you are using the default config files. Are you using a tls-auth key on the server?
 
Thu Feb 21 11:05:16 2013 VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=US/ST=Florida/L=Sarasota/O=Home/OU=Home1/CN=server1/name=Openvpn/emailAddress=Garydavisjackie@gmail.com
Thu Feb 21 11:05:16 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Thu Feb 21 11:05:16 2013 TLS Error: TLS object -> incoming plaintext read error
Thu Feb 21 11:05:16 2013 TLS Error: TLS handshake failed
Thu Feb 21 11:05:16 2013 TCP/UDP: Closing socket
Thu Feb 21 11:05:16 2013 SIGUSR1[soft,tls-error] received, process restarting
Thu Feb 21 11:05:16 2013 Restart pause, 2 second(s)

It seems your TLS handshake goes wrong. Did you use the static key file on the client side as well?

in your client key there's the following statement:

Code:
;tls-auth ta.key 1

Remove the ; and save the contents of what you filled in in the static key as ta.key.

Set the authorisation mode on the server to TLS, and Extra Hmac authorization to incoming on the server.

Then it should not complain about tls handshake going wrong.
 
I will say first that I am generating the certs with easy-rsa through the router itself, following these instructions. This (note the same error as mine):
Code:
VERIFY ERROR: depth=0, error=self signed certificate: /C=NL/ST=NH/L=Amsterdam/O=localhost/CN=client1/emailAddress=client1@localhost
2012-04-08 14:37:19 us=189870 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012-04-08 14:37:19 us=189950 TLS Error: TLS object -> incoming plaintext read error
2012-04-08 14:37:19 us=190023 TLS Error: TLS handshake failed
A user pointed out that generating certs from one computer didn't properly generate them, and so switching computers may work; and that's where another problem presents itself: my computer doesn't want to cooperate. It keeps saying it can't find the sslconfig file.

I was actually going to ask this very question in my last post.

I see in your client config that you are using a tun interface. Are you also set for the same on the server? It looks like you are using the default config files. Are you using a tls-auth key on the server?

heres my server config
Code:
# Automatically generated configuration
daemon
server 10.8.5.0 255.255.255.0
proto udp
port 1194
dev tun21
cipher AES-128-CBC
keepalive 15 60
verb 3
push "route 10.9.10.0 255.255.255.240"
client-config-dir ccd
client-to-client
push "dhcp-option DNS 10.9.10.1"
push "redirect-gateway def1"
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status

# Custom Configuration
duplicate-cn
 
Hmmm. Well there is obviously a problem with the tls-handshaking. I see in your client config that you have the tls-client option. Try disabling this. If you want to keep this option, then add this line to the server config.

Code:
tls-server

I had to read on the openvpn site and it looks as if this is not really something that is necessary. I am not sure if setting client on one side automatically makes the other side the server by default.

Reference:

http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
 
I setup, using OpenVPN:
  • the RT-N66U as a server
  • my windows laptop as a client
  • my Galaxy note as a client
and everything seems to work properly.

I downloaded everything from here: http://openvpn.net/index.php/open-source/downloads.html
I used the Tomato tutorial pointed out by RMerlin in the wiki, and also http://openvpn.net/index.php/open-source/documentation/howto.html#pki from the OpenVPN site.

The laptop ovpn client file is the following :
Code:
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote xxxxxxxxxx.asuscomm.com 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert huogasDev1.crt
key huogasDev1.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 4

# Silence repeating messages
;mute 20

All the required keys and certificates (generated as per tutorials on my windows environment) were placed in My Programs, OpenVPN, Config, with the customized ovpn file.

On the server side, all keys and certificates (generated as per tutorials on my windows environment) were copied in the specified section in the tab OpenVPN keys of the ASUS, and the other settings in OpenVPN server settings on the ASUS router are in the attached image.

I'm in the process of preparing a tutorial, but in the mean time, the previous could help.
GH
 

Attachment: Capture.JPG (OpenVPN server settings on the ASUS router)
If you disable compression, you'll get a bit more speed than with lzo compression; at least on my setup there's more bandwidth without compression than with compression on.
 
So I think I'm making progress: I got my win7 computer to gen the certs and I'm not getting the TLS errors anymore, but I now have to correct this new problem that has presented itself.
client log
Code:
OpenVPN 2.3.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Feb 14 2013
WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Socket Buffers: R=[8192->8192] S=[8192->8192]
UDPv4 link local: [undef]
UDPv4 link remote: [AF_INET]xxxx:1194
TLS: Initial packet from [AF_INET]xxxx:1194, sid=10a46a1b 900780d9
VERIFY OK: depth=1, C=US, ST=FL, L=Sarasota, O=OpenVPN, OU=Home1, CN=Openvpn, name=Home, emailAddress=Xxx
VERIFY OK: depth=0, C=US, ST=FL, L=Sarasota, O=OpenVPN, OU=Home1, CN=Openvpn, name=Home, emailAddress=Xxxx
Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
[Openvpn] Peer Connection Initiated with [AF_INET]xxxx:1194
SENT CONTROL [Openvpn]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,route 10.9.10.0 255.255.255.240,dhcp-option DNS 10.9.10.1,redirect-gateway def1,route 10.8.5.0 255.255.255.0,topology net30,ping 15,ping-restart 60,ifconfig 10.8.5.10 10.8.5.9'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
open_tun, tt->ipv6=0
TAP-WIN32 device [MyTap] opened: \\.\Global\{CD391F59-C537-4739-B1F4-77EB09DD699E}.tap
TAP-Windows Driver Version 9.9
Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.5.10/255.255.255.252 on interface {CD391F59-C537-4739-B1F4-77EB09DD699E} [DHCP-serv: 10.8.5.9, lease-time: 31536000]
NOTE: FlushIpNetTable failed on interface [17] {CD391F59-C537-4739-B1F4-77EB09DD699E} (status=5) : Access is denied.
TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
C:\Windows\system32\route.exe ADD xxxx MASK 255.255.255.255 192.168.2.254
ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=18]
Route addition via IPAPI failed [adaptive]
Route addition fallback to route.exe
env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
equires elevation.
ERROR: Windows route add command failed [adaptive]: returned error code 1
C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.5.9
ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=17]
Route addition via IPAPI failed [adaptive]
Route addition fallback to route.exe
env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
equires elevation.
ERROR: Windows route add command failed [adaptive]: returned error code 1
C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.5.9
ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=17]
Route addition via IPAPI failed [adaptive]
Route addition fallback to route.exe
env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
equires elevation.
ERROR: Windows route add command failed [adaptive]: returned error code 1
C:\Windows\system32\route.exe ADD 10.9.10.0 MASK 255.255.255.240 10.8.5.9
ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=17]
Route addition via IPAPI failed [adaptive]
Route addition fallback to route.exe
env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
equires elevation.
ERROR: Windows route add command failed [adaptive]: returned error code 1
C:\Windows\system32\route.exe ADD 10.8.5.0 MASK 255.255.255.0 10.8.5.9
ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=17]
Route addition via IPAPI failed [adaptive]
Route addition fallback to route.exe
env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
equires elevation.
ERROR: Windows route add command failed [adaptive]: returned error code 1
Initialization Sequence Completed
server config
Code:
# Automatically generated configuration
daemon
server 10.8.5.0 255.255.255.0
proto udp
port 1194
dev tun21
cipher BF-CBC
keepalive 15 60
verb 3
push "route 10.9.10.0 255.255.255.240"
client-config-dir ccd
client-to-client
push "dhcp-option DNS 10.9.10.1"
push "redirect-gateway def1"
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status

# Custom Configuration
duplicate-cn

client config
Code:
client
dev tun
dev-node MyTap
proto udp
remote blarg.asuscomm.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca [inline]
cert [inline]
key [inline]
<ca>
-----BEGIN CERTIFICATE-----
x
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
x
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
x
-----END PRIVATE KEY-----
</key>

verb 3
server log
Code:
Feb 22 18:30:43 openvpn[26335]: XXX.XXX.XXX.XXX:1430 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1430, sid=XXXXXXXXXXXXXXX
Feb 22 18:30:43 kernel: printk: 5 messages suppressed.
Feb 22 18:30:43 kernel: protocol 0000 is buggy, dev eth1
Feb 22 18:30:44 openvpn[26335]: XXX.XXX.XXX.XXX:1430 VERIFY OK: depth=1, C=US, ST=FL, L=Sarasota, O=OpenVPN, OU=Home1, CN=Openvpn, name=Home, emailAddress
Feb 22 18:30:44 openvpn[26335]: XXX.XXX.XXX.XXX:1430 VERIFY OK: depth=0, C=US, ST=FL, L=Sarasota, O=OpenVPN, OU=Home1, CN=VPN, name=Home, emailAddress=Xxx
Feb 22 18:30:45 openvpn[26335]: XXX.XXX.XXX.XXX:1430 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 22 18:30:45 openvpn[26335]: XXX.XXX.XXX.XXX:1430 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 22 18:30:45 openvpn[26335]: XXX.XXX.XXX.XXX:1430 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Feb 22 18:30:45 openvpn[26335]: XXX.XXX.XXX.XXX:1430 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 22 18:30:45 openvpn[26335]: XXX.XXX.XXX.XXX:1430 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Feb 22 18:30:45 openvpn[26335]: XXX.XXX.XXX.XXX:1430 [VPN] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1430
Feb 22 18:30:45 openvpn[26335]: VPN/XXX.XXX.XXX.XXX:1430 MULTI_sva: pool returned IPv4=10.8.5.6, IPv6=(Not enabled)
Feb 22 18:30:45 openvpn[26335]: VPN/XXX.XXX.XXX.XXX:1430 MULTI: Learn: 10.8.5.6 -> VPN/XXX.XXX.XXX.XXX:1430
Feb 22 18:30:45 openvpn[26335]: VPN/XXX.XXX.XXX.XXX:1430 MULTI: primary virtual IP for VPN/174.228.198.247:1430: 10.8.5.6
Feb 22 18:30:47 kernel: printk: 5 messages suppressed.
Feb 22 18:30:47 kernel: protocol 0000 is buggy, dev eth1
Feb 22 18:30:47 openvpn[26335]: VPN/XXX.XXX.XXX.XXX:1430 PUSH: Received control message: 'PUSH_REQUEST'
Feb 22 18:30:47 openvpn[26335]: VPN/XXX.XXX.XXX.XXX:1430 send_push_reply(): safe_cap=940
Feb 22 18:30:47 openvpn[26335]: VPN/XXX.XXX.XXX.XXX:1430 SENT CONTROL [VPN]: 'PUSH_REPLY,route 10.9.10.0 255.255.255.240,dhcp-option DNS 10.9.10.1,redirect-gateway def1,route 10.8.5.0 255.255.255.0,topology net30,ping 15,ping-restart 60,ifconfig 10.8.5.6 10.8.5.5' (status=1)
Feb 22 18:31:20 dnsmasq-dhcp[560]: DHCPREQUEST(br0) 10.9.10.5 XX:XX:XX:XX:XX:XX
Feb 22 18:31:20 dnsmasq-dhcp[560]: DHCPACK(br0) 10.9.10.5 XX:XX:XX:XX:XX:XX Gary-PC
 
What I learned so far.
If you are running win7 or vista, make sure both openvpn-gui.exe and openvpn.exe are run as admin or this happens:
ERROR: Windows route add command failed [adaptive]: returned error code 1
C:\Windows\system32\route.exe ADD 10.9.10.0 MASK 255.255.255.240 10.8.5.9
ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=17]
Route addition via IPAPI failed [adaptive]
Route addition fallback to route.exe
env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
equires elevation.
Don't connect to your VPN from the same network/subnetwork or this happens:
TCP/UDP: Incoming packet rejected from 10.9.10.1:1194[2], expected peer address: x.x.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)
Do not generate your certs through the router or this will happen:
the problem is (again) in your server certificate - either the server cert was signed using another CA certificate or the server cert was not generated correctly. Try using the 'easy-rsa' scripts again and run 'build-key-server
TLS: Initial packet from XX.XX.XX.XX:1194, sid=a4139b2f 402d3d3b
Thu Feb 21 11:05:16 2013 VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=US/ST=Florida/L=Sarasota/O=Home/OU=Home1/CN=server1/name=Openvpn/emailAddress=Xxx
Thu Feb 21 11:05:16 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Thu Feb 21 11:05:16 2013 TLS Error: TLS object -> incoming plaintext read error
Thu Feb 21 11:05:16 2013 TLS Error: TLS handshake failed
 

Attachment: openvpn.jpg
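An added example, not code from this thread or from the OpenVPN project: a Python triage script that scans OpenVPN client log lines for the failure modes this thread works through (peer-address rejection, the handshake timeout, unsupported certificate purpose, the missing server-certificate check, and route additions denied without elevation) and pairs each with the cause and the fix the thread arrived at. The sample log is constructed from the shapes of the excerpts above, with the documentation address 203.0.113.10 standing in for the masked public IP; the rule names and the mention of 'remote-cert-tls server' for newer OpenVPN releases are my additions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    code: str      # short name of the failure mode
    evidence: str  # first log line that matched
    detail: str    # what the line means, with values pulled out of it
    fix: str       # the remediation this thread arrived at


def _static(detail, fix):
    """Explainer for rules whose meaning does not depend on captured values."""
    return lambda m: (detail, fix)


def _peer_mismatch(m):
    return (f"reply came from {m['seen']} but the client only accepts {m['expected']}, "
            "the address in 'remote'; typical when the client sits on the server's own "
            "LAN and the router answers from its LAN address",
            "test from a network outside the router's LAN; the log's own suggestion, "
            "--float, accepts replies from any source address and so gives up peer pinning")


_VERIFY_FIXES = {
    "unsupported certificate purpose":
        "the server cert was not issued as a server cert; regenerate it with easy-rsa's "
        "build-key-server (not build-key) so it carries the server purpose",
    "self signed certificate":
        "the presented cert is not signed by the CA the client trusts; make sure client "
        "and server use the same ca.crt",
}


def _verify_error(m):
    reason = m["reason"].strip()
    return (f"depth={m['depth']}: {reason} for subject {m['subject']}",
            _VERIFY_FIXES.get(reason, "inspect the chain with 'openssl x509 -text -noout'"))


# (code, pattern, explainer). Patterns match the message text only, so the timestamp
# prefix (present on the router and Unix clients, absent on Windows) does not matter.
RULES = [
    ("peer-address-mismatch",
     re.compile(r"Incoming packet rejected from (?P<seen>[^\s\[]+)\[\d+\], "
                r"expected peer address: (?P<expected>\S+)"),
     _peer_mismatch),
    ("cert-verify-failed",
     re.compile(r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<reason>[^:]+): ?(?P<subject>.+)"),
     _verify_error),
    ("tls-handshake-timeout",
     re.compile(r"TLS key negotiation failed to occur within \d+ seconds"),
     _static("no TLS handshake completed inside the timeout window",
             "read the lines above it: a rejected peer address or a VERIFY ERROR explains "
             "it; otherwise check port forwarding and the firewall for udp/1194")),
    ("no-server-cert-check",
     re.compile(r"No server certificate verification method has been enabled"),
     _static("the client accepts any cert signed by the CA as the server, a client cert "
             "included (the MITM case in the OpenVPN howto)",
             "add 'ns-cert-type server' (used by the 2.3-era configs in this thread; newer "
             "releases use 'remote-cert-tls server') to the client config")),
    ("route-add-denied",
     re.compile(r"route addition failed using CreateIpForwardEntry: Access is denied"),
     _static("the pushed routes could not be installed; on Windows Vista/7 adding routes "
             "needs an elevated process",
             "run openvpn-gui.exe and openvpn.exe as Administrator")),
]


def triage(lines):
    """Scan log lines in order; return one Finding per failure mode, first hit wins."""
    found = {}
    for line in lines:
        for code, pattern, explain in RULES:
            m = None if code in found else pattern.search(line)
            if m:
                detail, fix = explain(m)
                found[code] = Finding(code, line.strip(), detail, fix)
    return list(found.values())


# Constructed sample: the shapes of the excerpts posted in this thread, with the
# documentation address 203.0.113.10 standing in for the masked public IP.
SAMPLE_LOG = """\
Wed Feb 20 00:36:44 2013 TCP/UDP: Incoming packet rejected from 10.9.10.1:1194[2], expected peer address: 203.0.113.10:1194 (allow this incoming source address/port by removing --remote or adding --float)
Wed Feb 20 00:37:14 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Feb 21 11:05:16 2013 VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=US/ST=Florida/L=Sarasota/O=Home/OU=Home1/CN=server1/name=Openvpn/emailAddress=Xxx
Thu Feb 21 11:05:16 2013 TLS Error: TLS handshake failed
WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=17]
ERROR: Windows route add command failed [adaptive]: returned error code 1
Initialization Sequence Completed
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.code}]\n  evidence: {f.evidence}\n  meaning:  {f.detail}\n  fix:      {f.fix}")
```

Feed it a real client log with `triage(open(path).readlines())`; lines that match no rule are ignored, so a healthy log yields an empty list.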
Do not generate your certs through the router or this will happen

Generating the certificates from the router is fine. I specifically added EasyRSA and instructions on the Wiki on how to use it. This is how I generated the certificates I use myself to remotely connect from work.
 
i will say first i am generating the certs with easy-rsa through the router itself following these instructions.

I just ran through that article as well and hit some issues. I believe there is a typo when generating the server keys. The command should be:

Code:
./build-key-server server1

not

Code:
./build-key server1

At least all other instances I've seen when building keys uses that script for the server instead of the one used to build client keys.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top