OpenVPN Server - Client Error Connecting


dcsang

Occasional Visitor
I recently updated my RT-AC88U from 384.19 to 386.1_2 and performed a factory reset. I failed to export the VPN Server configuration and manually reconfigured. Various server settings, including default values, were tried but when the resulting 'client.ovpn' file is imported into Android 'OpenVPN Connect' I am receiving errors. The message states "ssl_connect_error. OpenSSLContext: CA not defined" but the ovpn file includes the <ca>, <cert>, and <key> blocks. The router generated Certificate Authority, Server Certificate, Server Key, and Diffie Hellman entries. Any guidance would be appreciated.

I wasn't sure if this would be the right forum, but posted here since the issue occurred after the update. Thank you.
 

dcsang

Occasional Visitor
Here are my current settings for reference.

2021-03-02 13_16_12-Window.png
 

eibgrad

Very Senior Member
Does it report the error at the point the config file is imported, or when the connection attempt is made to the server? The former would suggest to me it isn't present (or is corrupted/truncated), or perhaps just can't read the file for some reason. The latter would suggest it's present but doesn't match the server.
 

dcsang

Occasional Visitor
I just set the TLS control channel security to "Bi-directional Auth" and the result was the same with a newly exported config file.

The ovpn file imports successfully to the client and the error occurs when connecting. I verified that the Certificate Authority key matched the <ca> block in the config file. The <cert>, <key>, and <tls-auth> sections do not match any of the values generated by the router.
 

dcsang

Occasional Visitor
One more thing

TLS control channel security to disable

Make sure you click apply button then export new configuration file to clients.
Unfortunately the same result. Everything else, including my VPN clients, appears to be working just fine. Is there any way to obtain a more detailed log on the client side to gain some additional information? I will try a laptop through my mobile provider using the same ovpn file later tonight.
 

dcsang

Occasional Visitor
Win10 OpenVPN Client also fails to connect with the config file. Thinking of downgrading to the 384.19 firmware but will await additional commentary in hopes of a resolution. Thanks for the suggestions thus far!
 

RMerlin

Asuswrt-Merlin dev
Just re-export the config file from the server, and use that to connect. Unless you also use self-generated client keys, it's all you will need to connect. I've done quite a few quick "server config + client export" over the past few weeks while testing OpenVPN changes.
 

dcsang

Occasional Visitor
Thank you for the guidance. When you say "re-export the config file from the server" do you mean exporting a fresh config file from the VPN Server settings? If so, I've done that several times and both the Android and Windows OpenVPN clients continue to fail when connecting. Please let me know if I'm missing any steps.
 

RMerlin

Asuswrt-Merlin dev
If it fails connecting with the exported file, then it could be because you enabled client cert-based authentication, in which case you might need to generate and insert the client key and certificates into the exported config file.

Check your system log for more info as to the cause. Your initial post was reporting a missing CA, which would indicate that the server itself isn't correctly configured, or the exported config was incorrect.
 

dcsang

Occasional Visitor
Below is the message I consistently receive from the Android OpenVPN client regardless of configuration changes. My VPN Server configuration is also provided for reference. The router is populating Static Key, Certificate Authority (which matches the ovpn <ca> block), Server Certificate, Server Key, and Diffie Hellman values.

Where would I find the setting for cert-based authentication?

Screenshot_20210303-024148_OpenVPN Connect.jpg


2021-03-03 02_45_34-Window.png
 

RMerlin

Asuswrt-Merlin dev
It's complaining about a missing CA. If you do have the CA both under the "Edit..." button and inside your config file, then I have no idea what's wrong with your client, sorry.
 

dcsang

Occasional Visitor
Issue resolved!

I was sending the config files through Gmail and apparently something (possibly file encoding) changes by the time it's downloaded to my mobile device. Sending the file through Google Drive did the trick. Yesterday I tested a laptop and used a flash drive to move the config file, so not sure why it failed in that instance.

Thanks for all your help and feedback!
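
Added example (not part of the thread, and not Asuswrt-Merlin or OpenVPN code): the resolution above points to the exported file changing in transit, so this Python sketch checks the raw bytes of a client.ovpn for encoding damage and incomplete inline <ca>/<cert>/<key> blocks, and gives a SHA-256 to compare against the copy exported from the router. The function names and the sample config are constructed for illustration; the placeholder PEM bodies are not real key material.

```python
import base64
import hashlib
import re

INLINE_TAGS = ("ca", "cert", "key")  # inline blocks named in the thread
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def check_ovpn(data: bytes) -> list[str]:
    """Return a list of problems found in the raw bytes of an .ovpn file."""
    problems = []
    if data.startswith((b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")):
        problems.append("file starts with a byte-order mark")
    if b"\x00" in data:
        problems.append("NUL bytes present (file may have been re-encoded as UTF-16)")
    text = data.decode("utf-8", errors="replace").replace("\x00", "")
    for tag in INLINE_TAGS:
        m = re.search(rf"^<{tag}>\s*$(.*?)^</{tag}>\s*$", text, re.S | re.M)
        if m is None:
            problems.append(f"<{tag}> block missing or not closed")
            continue
        pem = PEM_RE.search(m.group(1))
        if pem is None:
            problems.append(f"<{tag}> has no complete PEM BEGIN/END pair")
            continue
        try:  # whitespace is stripped first, so CRLF line endings are tolerated
            base64.b64decode("".join(pem.group(2).split()), validate=True)
        except ValueError:
            problems.append(f"<{tag}> PEM body is not valid base64")
    return problems

def fingerprint(data: bytes) -> str:
    """SHA-256 of the file; compare on both ends of the transfer."""
    return hashlib.sha256(data).hexdigest()

def sample_config() -> bytes:
    """Constructed sample: placeholder PEM bodies, not real certificates or keys."""
    body = base64.b64encode(b"constructed placeholder, not real key material").decode()
    lines = ["client", "dev tun", "proto udp"]
    for tag, label in (("ca", "CERTIFICATE"), ("cert", "CERTIFICATE"), ("key", "PRIVATE KEY")):
        lines += [f"<{tag}>", f"-----BEGIN {label}-----", body, f"-----END {label}-----", f"</{tag}>"]
    return ("\n".join(lines) + "\n").encode()

if __name__ == "__main__":
    good = sample_config()
    print(fingerprint(good), check_ovpn(good))
    utf16 = good.decode().encode("utf-16")            # simulated re-encoding
    print(fingerprint(utf16), check_ovpn(utf16))
    print(check_ovpn(good[: good.index(b"</key>")]))  # simulated truncation
```

A differing fingerprint between the router-side export and the copy on the client device shows the file changed in transit even when every block still parses.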
 
