April 9, 2016 at 3:59 pm #44531
One of my users is trying to use OpenVPN to connect to my Zeroshell box and LAN. Their VPN connection establishes, I can see them connected in the clients list, but a few seconds later they disconnect.
Here’s what they see in the log:
Sat Apr 09 18:44:05 2016 OpenVPN 2.0_rc18 Win32-MinGW [SSL] [LZO] built on Mar 28 2005
Sat Apr 09 18:44:24 2016 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Apr 09 18:44:24 2016 Re-using SSL/TLS context
Sat Apr 09 18:44:24 2016 LZO compression initialized
Sat Apr 09 18:44:24 2016 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat Apr 09 18:44:24 2016 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:23 ET:32 EL:0 AF:3/1 ]
Sat Apr 09 18:44:24 2016 Local Options hash (VER=V4): '31fdf004'
Sat Apr 09 18:44:24 2016 Expected Remote Options hash (VER=V4): '3e6d1056'
Sat Apr 09 18:44:24 2016 Attempting to establish TCP connection with 2**.***.***.**4:1194
Sat Apr 09 18:44:24 2016 TCP connection established with 2**.***.***.**4:1194
Sat Apr 09 18:44:24 2016 TCPv4_CLIENT link local: [undef]
Sat Apr 09 18:44:24 2016 TCPv4_CLIENT link remote: 2**.***.***.**4:1194
Sat Apr 09 18:44:25 2016 TLS: Initial packet from 2**.***.***.**4:1194, sid=af7e203b c6dd3070
Sat Apr 09 18:44:27 2016 VERIFY OK: depth=1, /C=IT/O=Zeroshell.net/OU=Example/CN=ZeroShell_Example_CA/emailAddress=Fulvio.Ricciardi@zeroshell.net
Sat Apr 09 18:44:27 2016 VERIFY ERROR: depth=0, error=certificate signature failure: /OU=Hosts/CN=router.earthlovesme.ca
Sat Apr 09 18:44:27 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:04077077:rsa routines:RSA_verify:wrong signature length: error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Apr 09 18:44:27 2016 TLS Error: TLS object -> incoming plaintext read error
Sat Apr 09 18:44:27 2016 TLS Error: TLS handshake failed
Sat Apr 09 18:44:27 2016 Fatal TLS error (check_tls_errors_co), restarting
Sat Apr 09 18:44:27 2016 TCP/UDP: Closing socket
Sat Apr 09 18:44:27 2016 SIGUSR1[soft,tls-error] received, process restarting
Sat Apr 09 18:44:27 2016 Restart pause, 5 second(s)
I downloaded the CA.pem file from the Zeroshell login page and emailed it as an attachment to the user; they copied the file to the OpenVPN client config directory and changed remote in the OVPN file to the external IP of the Zeroshell box.
What are we doing wrong?
Is the 2.0 client going to work? Or should we upgrade? I am not very confident that the OpenVPN site is what it should be – they redirect to some Tunnelling application – is it still OpenVPN or has their site been hijacked?
April 9, 2016 at 7:25 pm #54069
Are you sure that the certificates are the correct ones ??
Sat Apr 09 18:44:19 2016 VERIFY OK: depth=1, /C=IT/O=Zeroshell.net/OU=Example/CN=ZeroShell_Example_CA/emailAddress=Fulvio.Ricciardi@zeroshell.net
Sat Apr 09 18:44:19 2016 VERIFY ERROR: depth=0, error=certificate signature failure: /OU=Hosts/CN=router.earthlovesme.ca
Sat Apr 09 18:44:19 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:04077077:rsa routines:RSA_verify:wrong signature length: error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
P.S. Which cert. are you using in ZS, for the vpn ??
VPN, X.509 Configuration, X.509 Host Certificate, drop-down menu …
April 10, 2016 at 12:20 pm #54070
Not really sure I have set up everything correctly.
How can I find out for sure?
VPN is set up to use 509+password, the certificate CA.pem downloaded from the login page and the user installed it.
1st drop down: Local CA
2nd drop down: OU=hosts, CN=router.earthlovesme.ca
It is a valid non-expired certificate
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IT, O=Zeroshell.net, OU=Example, CN=ZeroShell Example CA/emailAddress=Fulvio.Ricciardi@zeroshell.net
Not Before: Apr 9 16:11:41 2016 GMT
Not After : Apr 7 16:11:41 2026 GMT
Subject: OU=Hosts, CN=router.earthlovesme.ca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Signature Algorithm: sha1WithRSAEncryption
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
But here is something I do not understand: when exporting the router certificate from the X.509 manager, it spits out router.earthlovesme.ca.pem, which is 2891 bytes long and has 2 sections inside for the cert and sig:
BEGIN RSA PRIVATE KEY
END RSA PRIVATE KEY
But CA.pem that the login page spits out (and which I sent to the user to install in the OpenVPN GUI config folder) is 1619 bytes long and has only one section (it is okay if they are different, as I had to re-generate since exporting the router.earthlovesme.pem):
April 16, 2016 at 5:59 pm #54071
Is this line in the certificate killing me?
Netscape SSL server : Yes
This error seems to have something to do with Netscape:
VERIFY nsCertType ERROR: /OU
This is torture!!! Following the instructions to the letter and not getting anywhere. Can anyone at all clarify how to set up host-to-LAN VPN with ZS? It seems to be working for some, but `some` is a very small number when we are talking about following instructions such as this https://www.zeroshell.org/openvpn-client/ and downloading ready-made files.
April 16, 2016 at 7:17 pm #54072
Hi DrmCa, you may try as follows … firstly, install openvpn 2.3.10, then …
On ZS, in the vpn section, X.509 Configuration, X.509 Host Certificate, are you using local or imported? In the first case, the client must have, as CA certificate, the CA certificate of ZS itself (without the private key),
SECURITY, X.509 CA, Setup, export button (uncheck the flag ‘key’).
In the second case, the client must have the CA certificate of the CA which has signed the imported certificate that you are using in ZS for the vpn server (and which could also be the same that you are using for the https server…).
For example, personally I use for ZS as well as for the client certificates which have been generated from an external CA, so for me an additional step is importing the ‘external’ CA certificate in ‘Trusted CAs’, and still in the vpn section, X.509 Configuration, authentication button
‘Allow the X.509 VPN access with the certificates signed by the following Trusted CAs:’ , check the imported CA certificate ……
jonatha
April 18, 2016 at 9:07 pm #54073
Using the certificates generated by Zeroshell.
This https://openvpn.net/index.php/open-source/documentation/howto.html#pki talks about generating a whole load of files, but never mentions CA.pem – is that a problem?
I do not understand how OpenVPN would work with Zeroshell if the instructions here https://www.zeroshell.org/openvpn-client/ were wrong – then it would not work for anyone. So whose instructions are correct and which of them should I follow?
This really feels like torture – something that should be so straightforward (and is with Cisco, FortiClient etc. VPN solutions – install, click connect and voila, no certificate generation, no exporting and sending files across the globe etc.) turns into several weeks of frustration from getting nowhere.
April 19, 2016 at 11:05 am #54074
With Cisco, things do not always go so fine and smoothly… (eg, to make the vpn-client work on win8.1, it was required to install also the Citrix DNE, other story, btw …)
Could you post the ‘sanitized’ client config ? Also, the cert. on the server is local, but which is ? Is the cert for the host router.earthlovesme.ca, or another one ?
jonatha
April 19, 2016 at 1:46 pm #54075
We used vanilla client config downloaded from https://www.zeroshell.org/download/zeroshell.ovpn with only a change for the server IP.
I also asked in the OpenVPN forum https://forums.openvpn.net/topic21541.html#p60956 but so far it seems he is talking about generating the certificate. As I understand, Zeroshell generates its own certificates. Do we have to use 1024 bit certificate only? I’ve used 4096 bits. Is that a problem?
What is he talking about here:
There are two ways to designate a certificate as a server:
nscerttype server (deprecated)
It seems that above the certificate says it is “nscerttype server”.
Overall, I feel lost and confused. This should not be such a daunting task; somewhere there is a huge design flaw if getting VPN to work is so difficult.
April 19, 2016 at 5:16 pm #54076
It’s funny, personally I’ve found the configuration of the VPNs in ZS much easier than in most other appliances … anyway, this is one of my (client side) configs
remote xxxx.dyndns.org 1198
remote-cert-eku 'TLS Web Server Authentication'
verify-x509-name 'C=it, ST=xx, L=xx, O=xxxx, OU=server01, CN=server01.xxxx, emailAddress=email@example.com'
You may try something like
remote your.fqdn|ip 1194
remote-cert-eku 'TLS Web Server Authentication'
verify-x509-name 'C=xx, ST=xx, L=xx, O=xxxx, OU=xxxxxx, CN=xxxxx.xxxx, emailAddress=xxxxxxx@xxxxxx'
Firstly, I’d advise to install openvpn 2.3.10, then, about the above config, for the
you have to replace the voices with those that appear in your host-cert, that one which you are using for the vpn-server, and only those which are present, eg. if your host cert is for the host router.earthlovesme.ca, and you have only the CN and the OU in the cert, use only
verify-x509-name 'OU=Hosts, CN=router.earthlovesme.ca'
Once you have the vpn running, I’ll post how to give static ip addresses based on username/common-name, so you can use firewall rules user-based …..
jonatha
April 19, 2016 at 5:59 pm #54077
The user already upgraded to 2.3.10.
Where do I get client cert and key from?
Interesting! I tried the same CA.pem with the latest version 2.3.10 and am getting this error:
Tue Apr 19 14:06:18 2016 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=IT, O=Zeroshell.net, OU=Example, CN=ZeroShell Example CA, emailAddress=Fulvio.Ricciardi@zeroshell.net
Tue Apr 19 14:06:18 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Apr 19 14:06:18 2016 TLS Error: TLS object -> incoming plaintext read error
Tue Apr 19 14:06:18 2016 TLS Error: TLS handshake failed
Tue Apr 19 14:06:18 2016 Fatal TLS error (check_tls_errors_co), restarting
I do not understand why the certificate generated by Zeroshell router is not satisfactory for using with the config file downloaded from zeroshell.org
Are the instructions outdated, incomplete or incorrect?
April 19, 2016 at 6:09 pm #54078
Directly from Zs, for starting, let’s make things simple …. download, from ZS (SECURITY, X.509 CA, admin, export button, key and PEM) the admin certificate with the private key in .pem format, if the cert is named, eg., admin.earthlovesme.ca, in the vpn client’s config, after cert put admin.earthlovesme.ca.pem, the same after key,
then, try to connect via vpn, use admin as usr and the admin pwd
jonatha
April 19, 2016 at 6:21 pm #54079
Are you telling me that downloading CA.pem from the login page was not sufficient and I also had to download router.earthlovesme.ca.pem from the X.509 admin page and use it for cert/key?
If that is the case, then it would explain why nothing worked! It was simply not mentioned in the instructions, and how on Earth would I be expected to realize that???
OMG!!! How did you know to do that?
April 19, 2016 at 6:32 pm #54080
No, I’m saying that you have to download the CA. pem and the user cert (admin) with private key, (not the host cert) 😀
jonatha
April 19, 2016 at 6:35 pm #54081
Ah… But if the user connecting to the VPN is not admin – I created another user name like vpn0 – does it have to be that user’s key?
April 19, 2016 at 6:38 pm #54082
The user vpn0 will have its own cert and private key, just like the admin …