Re: OpenVPN setup

Mario Limonciello wrote:
> Hello list,

Hi Mario.

> Now I can connect fine using the config file that I have placed in /etc/
> and manually launching the daemon.  When I use NM however, it complains
> that I'm not doing any verification of server side keys.

How did you create the NM configuration for that VPN? Can you give some
indication of how you translated client.conf values to NM mask entries?

> My log on my laptop has something along these lines:

> Apr 18 15:56:11 localhost nm-openvpn[27403]: TLS_ERROR: BIO read
> tls_read_plaintext error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Apr 18 15:56:11 localhost nm-openvpn[27403]: TLS Error: TLS object ->
> incoming plaintext read error
> Apr 18 15:56:11 localhost nm-openvpn[27403]: TLS Error: TLS handshake
> failed

This is where it breaks.

I think the problem may be the following: NM strictly enforces that the
server key is a server key. This means: the certificate presented to
your client contains a flag which denotes the certificate to be a "server"
certificate. This is for the following reason: imagine a network where a
client has been compromised. If you did not check for the server flag,
this client certificate could be used to fake a server (as the
certificate is still valid and signed by the CA).
But in the HOWTO this is _not_ done, and so this may be the reason why
this fails. I strongly recommend using the easy-rsa suite that comes
with OpenVPN to create keys and signing requests. If you can't do that,
consider the following: the line that reads

openssl req -nodes -new -keyout server.key -out server.csr

in the tutorial should be

openssl req -nodes -new -keyout server.key -out server.csr -extensions

(on one line). Then sign this CSR and try it again. It may already solve
your problem.

I also don't know what the latest versions are that have been compiled
for Ubuntu. Is that really the current version? Check version numbers
from the package (or better: source) with the ones from CVS (

And have you given the CACert CA file in the appropriate field in the
config GUI?

Hope that helps and gives you a hint where to search. You may also
consider looking at for some "known
working" configurations (also it will need some documentation merging
efforts for the CSR).


    Tim Niemueller <tim niemueller de>
 Imagination is more important than knowledge. (Albert Einstein)
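
An added illustration of the server-flag check described in the reply above (example code, not from the thread, the HOWTO or OpenVPN's own tooling): it signs one test CSR with a server extension section and one without, then checks which certificate carries a server marker. The extension section name "server", its contents and the CN values are assumptions; the openssl command must be installed.

```shell
#!/bin/sh
# Added example, not from the thread: build two self-signed test certs
# (one signed with a server extension section, one without) and check
# which one a client should accept as a *server* certificate.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension section applied when signing the CSR. The section name
# "server" and its contents are this example's assumptions.
cat > "$WORK/ext.cnf" <<'EOF'
[ server ]
basicConstraints = CA:FALSE
nsCertType = server
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
EOF

# make_cert NAME [EXTENSION-SECTION]: create a CSR and self-sign it,
# optionally applying the named extension section at signing time.
make_cert() {
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ -n "$2" ]; then
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -extfile "$WORK/ext.cnf" -extensions "$2" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -out "$WORK/$1.crt" 2>/dev/null
  fi
}

# is_server_cert FILE: succeed only if the certificate carries a server
# marker (Netscape nsCertType "SSL Server" or extendedKeyUsage
# "TLS Web Server Authentication"), i.e. the flag a strict client checks.
is_server_cert() {
  openssl x509 -in "$1" -noout -text \
    | grep -Eq 'SSL Server|TLS Web Server Authentication'
}

make_cert with-ext server   # signed with the server extension section
make_cert plain             # signed like the plain HOWTO command

for name in with-ext plain; do
  if is_server_cert "$WORK/$name.crt"; then
    echo "$name.crt: server marker present, a client may accept it as the VPN server"
  else
    echo "$name.crt: no server marker, a strict client rejects it as a server"
  fi
done
```

The "plain" certificate is still validly signed, which is exactly why a client that skips the server-flag check would accept it.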
