New Member
Posts: 11
Registered: ‎04-03-2017

OpenVPN connection fail tls

Hi,

 

I tried to set up OpenVPN following https://help.ubnt.com/hc/en-us/articles/115015971688-EdgeRouter-OpenVPN-Server

When I want to connect I get the following error:

 

Tue Oct 16 16:11:54 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Tue Oct 16 16:11:54 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Oct 16 16:11:54 2018 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Tue Oct 16 16:11:54 2018 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Oct 16 16:11:54 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]94.211.***.***:1194
Tue Oct 16 16:11:54 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Oct 16 16:11:54 2018 UDP link local: (not bound)
Tue Oct 16 16:11:54 2018 UDP link remote: [AF_INET]94.211.***.***1194
Tue Oct 16 16:11:54 2018 TLS: Initial packet from [AF_INET]94.211.***.***:1194, sid=278c638b 2c08df90
Tue Oct 16 16:11:55 2018 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=NL, ST=NH, O=RDH, OU=nvt, CN=root, emailAddress=***@gmail.com
Tue Oct 16 16:11:55 2018 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Tue Oct 16 16:11:55 2018 TLS_ERROR: BIO read tls_read_plaintext error
Tue Oct 16 16:11:55 2018 TLS Error: TLS object -> incoming plaintext read error
Tue Oct 16 16:11:55 2018 TLS Error: TLS handshake failed
Tue Oct 16 16:11:55 2018 SIGUSR1[soft,tls-error] received, process restarting
Tue Oct 16 16:11:55 2018 Restart pause, 5 second(s)
Tue Oct 16 16:12:00 2018 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

I created new certificates a couple of times but get the same error every time.

What's going wrong here?

Thanks for your reply.


Regular Member
Posts: 495
Registered: ‎06-02-2015
Kudos: 88
Solutions: 24

Re: OpenVPN connection fail tls


Show your ovpn config file for the Windows client, remove any sensitive info.

Also show your router's config, redacting sensitive info of course.

P.S. Try searching this forum section for

TLS_ERROR: BIO read tls_read_plaintext error

There are threads with the same issue as yours.

New Member
Posts: 11
Registered: ‎04-03-2017

Re: OpenVPN connection fail tls


Here we go:

 

Router config:

root@Kratai-ERX:/usr/lib/ssl/misc# show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description OpenVPN
            destination {
                port 1194
            }
            protocol udp
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description OpenVPN
            destination {
                port 1194
            }
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        mode server
        server {
            name-server 192.168.1.1
            push-route 192.168.1.0/24
            subnet 172.16.1.0/24
        }
        tls {
            ca-cert-file /config/auth/cacert.pem
            cert-file /config/auth/server.pem
            dh-file /config/auth/dh.pem
            key-file /config/auth/server.key
        }
    }
    switch switch0 {
        address 192.168.1.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.1.10 {
                    stop 192.168.1.245
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
            listen-on vtun0
            name-server 8.8.8.8
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    host-name Kratai-ERX
    login {
        user admin {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Amsterdam
}

OpenVPN config:

 

client
dev tun
proto udp
remote ***.***.***.*** 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca cacert.pem
cert client1.pem
key client1.key
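The first warning in the posted client log, "No server certificate verification method has been enabled", comes from this client config: it trusts cacert.pem, but it never checks that the peer answering on port 1194 holds a server certificate rather than any other certificate issued by the same CA, which is the man-in-the-middle case the linked howto page describes. The fragment below is an added example, not the poster's file: the same config with that check enabled. It assumes the server certificate was issued with the TLS Web Server Authentication extended key usage, which is what remote-cert-tls server verifies on the peer certificate; the redacted remote address is kept from the post.

```conf
client
dev tun
proto udp
remote ***.***.***.*** 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca cacert.pem
cert client1.pem
key client1.key
# Added: require the peer's certificate to carry the server EKU, so a
# certificate issued to a client by the same CA cannot pose as the VPN server.
remote-cert-tls server
```

With this line present the warning disappears from the log; if the server certificate was generated without the server EKU, the handshake instead fails with a certificate verification error on the client, which is the signal that the server certificate needs to be reissued with the right extension.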

 

Regular Member
Posts: 495
Registered: ‎06-02-2015
Kudos: 88
Solutions: 24

Re: OpenVPN connection fail tls

Try adding more details to your openvpn server config, i.e.
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 hash sha256
Adjust encryption and hash to your settings. Also why do you split WAN_LOCAL openvpn rules in two?
Delete rule 10 and move rule 30 in its place.

SuperUser
Posts: 8,585
Registered: ‎01-05-2012
Kudos: 2263
Solutions: 1144

Re: OpenVPN connection fail tls

Are both certs signed by the same CA? Anyway, try setting the logging level to debugging, on both server

configure
set interfaces openvpn vtun0 openvpn-option "--verb 7"
commit

and client

verb 7

Then try to connect and post the output. Hide public IP addresses/FQDN if needed.
Cheers,
jonatha

New Member
Posts: 11
Registered: ‎04-03-2017

Re: OpenVPN connection fail tls


Thanks for your reply.

 

Problem solved:

 

OpenVPN configuration error: Specified dh-file "/config/auth/dh.pem" is not valid.

I forgot to create the dh.pem ZZzzzzZZzzzz

openssl dhparam -out /config/auth/dh.pem -2 1024

Now it works perfectly!

 

root@Kratai-ERX:/home/admin# show openvpn status server
OpenVPN server status on vtun0 []

Client CN       Remote IP       Tunnel IP       TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ------------------------
client1         217.148.***.*** 172.16.1.2         4.2K   14.9K Wed Oct 17 13:33:55 2018
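The accepted answer's first question (are both certs signed by the same CA?) and the actual fix (a dh.pem that did not exist) are both things that can be checked on the router with openssl before the first connection attempt, instead of being read back out of the client's TLS errors. The script below is an added example for this thread, not Ubiquiti's code or anything from the posts. It takes the four paths from the posted tls { ... } block as arguments and reports a certificate that does not chain to the CA (the client-side symptom is the VERIFY ERROR: depth=1, error=self signed certificate in certificate chain line in the first post), a private key that does not belong to the certificate, and a DH file that is missing, unparseable (the Specified dh-file ... is not valid message) or smaller than 2048 bits, since the 1024-bit parameters produced by the dhparam command in this post are below current guidance. Run with no arguments it builds constructed demo material in a temporary directory (two unrelated CAs, one server certificate issued by the first, and a file that is not DH parameters) and checks that; the file name check_tls.sh is an assumption.

```shell
#!/bin/sh
# Added example for this thread (not Ubiquiti's or the poster's code).
# Checks an OpenVPN server's TLS files with openssl before the daemon is started.
# Usage: sh check_tls.sh CA_CERT SERVER_CERT SERVER_KEY DH_FILE
# With no arguments it runs a demo on constructed files in a temp directory.

# Does the certificate chain to this CA? A server cert issued by some other
# self-signed CA is what the client reports as
# "VERIFY ERROR: depth=1, error=self signed certificate in certificate chain".
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the private key belong to the certificate? Compare the public keys.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Prints the DH parameter size in bits (0 if it cannot be read from the text
# dump); returns 1 if the file does not parse at all, which is the case behind
# "Specified dh-file ... is not valid".
dh_file_bits() {
    openssl dhparam -in "$1" -noout >/dev/null 2>&1 || return 1
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1 | grep . || echo 0
}

# Runs every check, prints one line per problem, returns non-zero if any failed.
verify_openvpn_tls() {
    ca=$1; cert=$2; key=$3; dh=$4; rc=0
    for f in "$ca" "$cert" "$key" "$dh"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    cert_chains_to_ca "$ca" "$cert" || { echo "$cert does not chain to $ca"; rc=1; }
    key_matches_cert "$cert" "$key" || { echo "$key does not match $cert"; rc=1; }
    if bits=$(dh_file_bits "$dh"); then
        # 1024-bit DH, as produced by the command in this thread, is below
        # current guidance; require 2048 bits or more.
        [ "$bits" -ge 2048 ] || { echo "$dh: only $bits-bit parameters, use 2048 or more"; rc=1; }
    else
        echo "$dh is not a valid DH parameter file"; rc=1
    fi
    return "$rc"
}

# Constructed demo material (not the thread's files): two unrelated CAs, one
# server certificate issued by rootA, and a file that is not DH parameters.
make_demo_pki() {
    for name in rootA rootB; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
            -keyout "$1/$name.key" -out "$1/$name.pem" >/dev/null 2>&1 || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server" \
        -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$1/server.csr" -CA "$1/rootA.pem" -CAkey "$1/rootA.key" \
        -CAcreateserial -out "$1/server.pem" >/dev/null 2>&1 || return 1
    printf 'not DH parameters\n' > "$1/dh.pem"
}

if [ "$#" -eq 4 ]; then
    verify_openvpn_tls "$1" "$2" "$3" "$4"
else
    d=$(mktemp -d) && make_demo_pki "$d" || exit 1
    echo "--- against the CA that issued server.pem (only the bogus dh.pem should fail):"
    verify_openvpn_tls "$d/rootA.pem" "$d/server.pem" "$d/server.key" "$d/dh.pem" || true
    echo "--- against an unrelated CA (the depth=1 error from the posted client log):"
    verify_openvpn_tls "$d/rootB.pem" "$d/server.pem" "$d/server.key" "$d/dh.pem" || true
    rm -rf "$d"
fi
```

On the router the call is sh check_tls.sh /config/auth/cacert.pem /config/auth/server.pem /config/auth/server.key /config/auth/dh.pem, using the paths from the posted config. The same chain check run with the client certificate in place of server.pem answers the "same CA" question for the other side. Generating 2048-bit parameters with openssl dhparam can take a long time on an EdgeRouter's CPU; generating dh.pem on a workstation and copying it to /config/auth is usually quicker, and the parameters are public, so nothing sensitive is moved.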

 

New Member
Posts: 4
Registered: ‎02-12-2019

Re: OpenVPN connection fail tls

Hi. I have a similar problem as is described in this article. I am trying to find out what is wrong. I did:

configure
set interfaces openvpn vtun0 openvpn-option "--verb 7"
commit

and also in the client

verb 7

I tried to connect. In the article it is written: "Then, try to connect, and post the output."
Where can I find the output?
Thank you
Stan