OpenVPN – Host-LAN problem


This topic contains 0 replies, has 0 voices, and was last updated by  mschutze 5 years, 7 months ago.

#43832

    mschutze
    Member

    Hi there,

    I want to use OpenVPN so I can have a secure connection to the internet when I’m on a public hotspot.

    Zeroshell is working fine. I activated the VPN on standard TCP 1194. Authentication is with cert+pwd.

    I’m using Tunnelblick on Mac. I exported the CA.pem and client.pem, and used the following OVPN:

    #============================================================================#
    # Specify the Hostname or the IP, the port and the protocol (tcp or udp) #
    # to reach the OpenVPN Server. #
    # The Hostname can be a dynamic FQDN such as a DynDNS one. #
    #============================================================================#

    remote 150.164.XX.XXX 1194
    proto tcp

    #============================================================================#
    # You must specify this parameter if you want the Username and Password #
    # request to appear. Comment it if you only use X.509 Authentication. #
    #============================================================================#

    auth-user-pass

    #============================================================================#
    # You need to specify the file which contains the certificate (PEM format) #
    # of the Certification Authority that signed the OpenVPN server certificate. #
    # You can export it by clicking the hyperlink CA on the login page of #
    # ZeroShell. #
    # Notice that you need to specify this parameter also if you use #
# "Password Only" Authentication. #
    #============================================================================#

    ca CA.pem

    #============================================================================#
    # If you want to use the Client X.509 Authentication you must specify #
    # a client certificate and the related private key in pem format. #
    # You can merge both in the same file. #
    #============================================================================#

    cert manuel.pem
    key manuel.pem

    #============================================================================#
    # You should not need to change these settings. #
    #============================================================================#

    comp-lzo
    verb 3
    mute 20
    resolv-retry infinite
    nobind
    client
    dev tap
    persist-key
    persist-tun

    #============#

    It tries to connect, but there seems to be a problem with CA certificate and TLS. This is the log from Tunnelblick:

Mon Jan 27 11:25:51 2014 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Jul 22 2013
Mon Jan 27 11:25:51 2014 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
Mon Jan 27 11:25:51 2014 Need hold release from management interface, waiting...
Mon Jan 27 11:25:51 2014 MANAGEMENT: Client connected from 127.0.0.1:1337
Mon Jan 27 11:25:51 2014 MANAGEMENT: CMD 'pid'
Mon Jan 27 11:25:51 2014 MANAGEMENT: CMD 'state on'
Mon Jan 27 11:25:51 2014 MANAGEMENT: CMD 'state'
Mon Jan 27 11:25:51 2014 MANAGEMENT: CMD 'bytecount 1'
Mon Jan 27 11:25:51 2014 MANAGEMENT: CMD 'hold release'
Mon Jan 27 11:25:54 2014 MANAGEMENT: CMD 'username "Auth" "manuel"'
Mon Jan 27 11:25:54 2014 MANAGEMENT: CMD 'password [...]'
Mon Jan 27 11:25:54 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Jan 27 11:25:54 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jan 27 11:25:54 2014 LZO compression initialized
Mon Jan 27 11:25:54 2014 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon Jan 27 11:25:54 2014 Socket Buffers: R=[131072->65536] S=[131072->65536]
Mon Jan 27 11:25:54 2014 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Jan 27 11:25:54 2014 Local Options hash (VER=V4): '31fdf004'
Mon Jan 27 11:25:54 2014 Expected Remote Options hash (VER=V4): '3e6d1056'
Mon Jan 27 11:25:54 2014 Attempting to establish TCP connection with 150.164.XX.XXX:1194 [nonblock]
Mon Jan 27 11:25:54 2014 MANAGEMENT: >STATE:1390829154,TCP_CONNECT,,,
Mon Jan 27 11:25:55 2014 TCP connection established with 150.164.XX.XXX:1194
Mon Jan 27 11:25:55 2014 TCPv4_CLIENT link local: [undef]
Mon Jan 27 11:25:55 2014 TCPv4_CLIENT link remote: 150.164.89.144:1194
Mon Jan 27 11:25:55 2014 MANAGEMENT: >STATE:1390829155,WAIT,,,
Mon Jan 27 11:25:55 2014 MANAGEMENT: >STATE:1390829155,AUTH,,,
Mon Jan 27 11:25:55 2014 TLS: Initial packet from 150.164.XX.XXX:1194, sid=647f0298 8644784c
Mon Jan 27 11:25:55 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jan 27 11:25:58 2014 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /O=medicina/OU=inctmm_84c5/CN=ZeroShell
Mon Jan 27 11:25:58 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Jan 27 11:25:58 2014 TLS Error: TLS object -> incoming plaintext read error
Mon Jan 27 11:25:58 2014 TLS Error: TLS handshake failed
Mon Jan 27 11:25:58 2014 Fatal TLS error (check_tls_errors_co), restarting
Mon Jan 27 11:25:58 2014 TCP/UDP: Closing socket
Mon Jan 27 11:25:58 2014 SIGUSR1[soft,tls-error] received, process restarting

Does anyone have any idea how to fix this?

    Best regards,

    #53141

    redfive
    Participant

Hi, on the client side config, try to add these lines:

    remote-cert-eku 'TLS Web Server Authentication'
    auth-nocache

while on Zs, take a look in VPN, Host to Lan (OpenVpn), then click on the Authentication button.
greetings
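An added example that is not part of either post: it reproduces the log's depth=1 verification failure offline (the client trusts only an exported CA.pem, the server presents its certificate plus the CA that actually signed it) and applies the EKU check behind redfive's remote-cert-eku suggestion. It assumes the openssl command-line tool is installed; every certificate, name and path in it is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. The client trusts only CA.pem while the
# server presents its cert plus the CA that signed it: if CA.pem is a different
# CA, verification fails at depth=1 as in the Tunnelblick log. Also checks the
# serverAuth EKU that remote-cert-eku 'TLS Web Server Authentication' needs.
# Needs the openssl CLI; every certificate below is a constructed throwaway.

# check_chain CA_PEM SERVER_PEM [CHAIN_PEM] -> 0 ok, 1 chain error, 2 no EKU
check_chain() {
  ca="$1"; srv="$2"; chain_opt=""
  [ $# -ge 3 ] && chain_opt="-untrusted $3"   # extra certs sent by the server
  if ! out=$(openssl verify -CAfile "$ca" $chain_opt "$srv" 2>&1); then
    echo "FAIL: $out"
    return 1
  fi
  if ! openssl x509 -in "$srv" -noout -text | grep -A1 'Extended Key Usage' |
       grep -q 'TLS Web Server Authentication'; then
    echo "FAIL: $srv lacks serverAuth EKU; remote-cert-eku would reject it"
    return 2
  fi
  echo "OK: $srv chains to $ca and carries the serverAuth EKU"
}
# csr DIR NAME SUBJECT: fresh RSA key plus CSR (openssl chatter silenced)
csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}
# make_ca DIR NAME: self-signed CA with an explicit CA:TRUE constraint
make_ca() {
  csr "$1" "$2" "/O=lab/CN=$2"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/$2.ext"
  openssl x509 -req -days 1 -in "$1/$2.csr" -signkey "$1/$2.key" \
    -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}
# make_leaf DIR CA_NAME NAME EKU: end-entity cert signed by CA_NAME
make_leaf() {
  csr "$1" "$3" "/CN=$3.lab"
  printf 'extendedKeyUsage=%s\n' "$4" > "$1/$3.ext"
  openssl x509 -req -days 1 -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -extfile "$1/$3.ext" -out "$1/$3.pem" 2>/dev/null
}
LAB=$(mktemp -d)
make_ca "$LAB" vpn-ca                        # CA that really signed the server
make_ca "$LAB" other-ca                      # a different CA exported by mistake
make_leaf "$LAB" vpn-ca server serverAuth
make_leaf "$LAB" vpn-ca notserver clientAuth
check_chain "$LAB/vpn-ca.pem"   "$LAB/server.pem"    "$LAB/vpn-ca.pem"  # OK
check_chain "$LAB/other-ca.pem" "$LAB/server.pem"    "$LAB/vpn-ca.pem"  # depth=1
check_chain "$LAB/vpn-ca.pem"   "$LAB/notserver.pem" "$LAB/vpn-ca.pem"  # no EKU
```

The second call prints the same "self signed certificate in certificate chain" reason as the log; the fix on the client is to export the CA that actually issued the ZeroShell server certificate, not any other CA.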
