OpenVPN – Host-LAN problem

[mschutze]

Hi there,

I want to use OpenVPN so I can have a secure connection to the internet when I’m on a public hotspot.

Zeroshell is working fine. I activated the VPN on standard TCP 1194. Authentication is with cert+pwd.

I’m using Tunnelblick on Mac. I exported the CA.pem and client.pem, and used the following OVPN:

#============================================================================#
# Specify the Hostname or the IP, the port and the protocol (tcp or udp) #
# to reach the OpenVPN Server. #
# The Hostname can be a dynamic FQDN such as a DynDNS one. #
#============================================================================#

remote 150.164.XX.XXX 1194
proto tcp

#============================================================================#
# You must specify this parameter if you want the Username and Password #
# request to appear. Comment it if you only use X.509 Authentication. #
#============================================================================#

auth-user-pass

#============================================================================#
# You need to specify the file which contains the certificate (PEM format) #
# of the Certification Authority that signed the OpenVPN server certificate. #
# You can export it by clicking the hyperlink CA on the login page of #
# ZeroShell. #
# Notice that you need to specify this parameter also if you use #
# “Password Only” Authentication. #
#============================================================================#

ca CA.pem

#============================================================================#
# If you want to use the Client X.509 Authentication you must specify #
# a client certificate and the related private key in pem format. #
# You can merge both in the same file. #
#============================================================================#

cert manuel.pem
key manuel.pem

#============================================================================#
# You should not need to change these settings. #
#============================================================================#

comp-lzo
verb 3
mute 20
resolv-retry infinite
nobind
client
dev tap
persist-key
persist-tun

#============#

It tries to connect, but there seems to be a problem with CA certificate and TLS. This is the log from Tunnelblick:

Mon Jan 27 11:25:51 2014 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Jul 22 2013
Mon Jan 27 11:25:51 2014 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
Mon Jan 27 11:25:51 2014 Need hold release from management interface, waiting…
Mon Jan 27 11:25:51 2014 MANAGEMENT: Client connected from 127.0.0.1:1337
Mon Jan 27 11:25:51 2014 MANAGEMENT: CMD ‘pid’
Mon Jan 27 11:25:51 2014 MANAGEMENT: CMD ‘state on’
Mon Jan 27 11:25:51 2014 MANAGEMENT: CMD ‘state’
Mon Jan 27 11:25:51 2014 MANAGEMENT: CMD ‘bytecount 1’
Mon Jan 27 11:25:51 2014 MANAGEMENT: CMD ‘hold release’
Mon Jan 27 11:25:54 2014 MANAGEMENT: CMD ‘username “Auth” “manuel”‘
Mon Jan 27 11:25:54 2014 MANAGEMENT: CMD ‘password […]’
Mon Jan 27 11:25:54 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Jan 27 11:25:54 2014 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Mon Jan 27 11:25:54 2014 LZO compression initialized
Mon Jan 27 11:25:54 2014 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon Jan 27 11:25:54 2014 Socket Buffers: R=[131072->65536] S=[131072->65536]
Mon Jan 27 11:25:54 2014 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Jan 27 11:25:54 2014 Local Options hash (VER=V4): ’31fdf004′
Mon Jan 27 11:25:54 2014 Expected Remote Options hash (VER=V4): ‘3e6d1056’
Mon Jan 27 11:25:54 2014 Attempting to establish TCP connection with 150.164.XX.XXX:1194 [nonblock]
Mon Jan 27 11:25:54 2014 MANAGEMENT: >STATE:1390829154,TCP_CONNECT,,,
Mon Jan 27 11:25:55 2014 TCP connection established with 150.164.XX.XXX:1194
Mon Jan 27 11:25:55 2014 TCPv4_CLIENT link local: [undef]
Mon Jan 27 11:25:55 2014 TCPv4_CLIENT link remote: 150.164.89.144:1194
Mon Jan 27 11:25:55 2014 MANAGEMENT: >STATE:1390829155,WAIT,,,
Mon Jan 27 11:25:55 2014 MANAGEMENT: >STATE:1390829155,AUTH,,,
Mon Jan 27 11:25:55 2014 TLS: Initial packet from 150.164.XX.XXX:1194, sid=647f0298 8644784c
Mon Jan 27 11:25:55 2014 WARNING: this configuration may cache passwords in memory — use the auth-nocache option to prevent this
Mon Jan 27 11:25:58 2014 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /O=medicina/OU=inctmm_84c5/CN=ZeroShell
Mon Jan 27 11:25:58 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Jan 27 11:25:58 2014 TLS Error: TLS object -> incoming plaintext read error
Mon Jan 27 11:25:58 2014 TLS Error: TLS handshake failed
Mon Jan 27 11:25:58 2014 Fatal TLS error (check_tls_errors_co), restarting
Mon Jan 27 11:25:58 2014 TCP/UDP: Closing socket
Mon Jan 27 11:25:58 2014 SIGUSR1[soft,tls-error] received, process restarting

Anyone has any idea how to fix this?

Best regards,

[redfive]

Hi , on client side config , try to add these lines

remote-cert-eku 'TLS Web Server Authentication'

auth-nocache

while , on Zs , take a look in VPN, Host to Lan (OpenVpn) , then click on Authentication button
greetings

[Author]

Posts