OpenVPN buggy - cannot connect - SOLVED

DD-WRT Forum Index -> Broadcom SoC based Hardware
greenleaf108
DD-WRT Novice


Joined: 03 Apr 2008
Posts: 9

PostPosted: Wed Dec 02, 2009 22:40    Post subject: OpenVPN buggy - cannot connect - SOLVED
I've spent the past few hours trying to set this up "the easy way" but still cannot connect. The tutorial I used is here. Can someone please help?

http://www.dd-wrt.com/wiki/index.php/VPN_%28the_easy_way%29_v24%2B

Here's what I get in the server log. Note that I am testing this from the LAN. The public interface of the router is also on the LAN while I do my testing:

Code:
Dec  2 16:35:38 copernicus daemon.err openvpn[794]: 192.168.0.200:61128 TLS Error: TLS handshake failed
Dec  2 16:35:38 copernicus daemon.notice openvpn[794]: 192.168.0.200:61128 SIGUSR1[soft,tls-error] received, client-instance restarting
Dec  2 16:35:38 copernicus daemon.err openvpn[794]: 192.168.0.200:61189 write UDPv4 [ECONNREFUSED]: Connection refused (code=146)
Dec  2 16:35:39 copernicus daemon.notice openvpn[794]: MULTI: multi_create_instance called
Dec  2 16:35:39 copernicus daemon.notice openvpn[794]: 192.168.0.200:61198 Re-using SSL/TLS context
Dec  2 16:35:39 copernicus daemon.notice openvpn[794]: 192.168.0.200:61198 LZO compression initialized
Dec  2 16:35:39 copernicus daemon.notice openvpn[794]: 192.168.0.200:61198 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Dec  2 16:35:39 copernicus daemon.notice openvpn[794]: 192.168.0.200:61198 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Dec  2 16:35:39 copernicus daemon.notice openvpn[794]: 192.168.0.200:61198 TLS: Initial packet from 192.168.0.200:61198, sid=ff8746b7 820f78f7
Dec  2 16:35:40 copernicus daemon.err openvpn[794]: 192.168.0.200:61132 write UDPv4 [ECONNREFUSED]: Connection refused (code=146)
Dec  2 16:35:40 copernicus daemon.err openvpn[794]: 192.168.0.200:61129 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)


What's up with all the UDPv4 Connection refused messages? This is in my firewall settings:
Code:

# accept inbound OpenVPN on 1194; both protocols are opened although the server below uses UDP
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
# allow forwarding from the VPN client pool (must match the "server" line in the OpenVPN config)
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
# allow traffic between the LAN bridge and the tunnel in both directions
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT


The server config:
Code:

# LAN subnet behind the router that VPN clients should be able to reach
push "route 192.168.1.0 255.255.255.0"
# address pool handed out to VPN clients; the FORWARD rule above allows this range
server 192.168.66.0 255.255.255.0

dev tun0
proto udp
port 1194
# ping every 15 s, restart the tunnel after 60 s of silence
keepalive 15 60
daemon
# verbose logging while debugging; lower it once the tunnel works
verb 5
comp-lzo
# let VPN clients reach each other, not only the LAN
client-to-client
# allow several clients to share one certificate (drops per-client accountability)
duplicate-cn
tls-server
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
# reject client certificates listed in the CRL; the file must exist and be readable
crl-verify /tmp/openvpn/ca.crl


And the client config:

Code:
remote 192.168.0.141 1194
client
# require the server's certificate to carry server key usage / extended key usage
# (easy-rsa's build-key-server sets these); a plain client cert is refused
remote-cert-tls server
dev tun0
proto udp
nobind
resolv-retry infinite
persist-key
persist-tun
# accept packets from a changed peer address mid-session
float
# backslash-escaped spaces are accepted in paths; double-quoting the path works as well
ca C:/Program\ Files/OpenVPN/easy-rsa/keys/ca.crt
cert C:/Program\ Files/OpenVPN/easy-rsa/keys/client1.crt
key C:/Program\ Files/OpenVPN/easy-rsa/keys/client1.key


Last edited by greenleaf108 on Thu Dec 03, 2009 16:20; edited 1 time in total
greenleaf108
DD-WRT Novice


Joined: 03 Apr 2008
Posts: 9

PostPosted: Wed Dec 02, 2009 22:43    Post subject: Client Log
Forgot to post, this is from the client log:
Code:

Wed Dec 02 16:42:47 2009 Re-using SSL/TLS context
Wed Dec 02 16:42:47 2009 UDPv4 link local: [undef]
Wed Dec 02 16:42:47 2009 UDPv4 link remote: 192.168.0.141:1194
Wed Dec 02 16:42:47 2009 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Dec 02 16:42:47 2009 TLS Error: TLS object -> incoming plaintext read error
Wed Dec 02 16:42:47 2009 TLS Error: TLS handshake failed
Wed Dec 02 16:42:47 2009 SIGUSR1[soft,tls-error] received, process restarting
Wed Dec 02 16:42:49 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 02 16:42:49 2009 Re-using SSL/TLS context
Wed Dec 02 16:42:49 2009 UDPv4 link local: [undef]
Wed Dec 02 16:42:49 2009 UDPv4 link remote: 192.168.0.141:1194
Wed Dec 02 16:42:50 2009 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Dec 02 16:42:50 2009 TLS Error: TLS object -> incoming plaintext read error
Wed Dec 02 16:42:50 2009 TLS Error: TLS handshake failed
Wed Dec 02 16:42:50 2009 SIGUSR1[soft,tls-error] received, process restarting
Wed Dec 02 16:42:52 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 02 16:42:52 2009 Re-using SSL/TLS context
Wed Dec 02 16:42:52 2009 UDPv4 link local: [undef]
Wed Dec 02 16:42:52 2009 UDPv4 link remote: 192.168.0.141:1194
Wed Dec 02 16:42:52 2009 SIGTERM[hard,] received, process exiting
greenleaf108
DD-WRT Novice


Joined: 03 Apr 2008
Posts: 9

PostPosted: Wed Dec 02, 2009 23:05    Post subject: TCP fails too
Just for the record, I have also tried using TCP, no dice:

Code:
Wed Dec 02 17:04:23 2009 TLS Error: TLS object -> incoming plaintext read error
Wed Dec 02 17:04:23 2009 TLS Error: TLS handshake failed
Wed Dec 02 17:04:23 2009 Fatal TLS error (check_tls_errors_co), restarting
Wed Dec 02 17:04:23 2009 SIGUSR1[soft,tls-error] received, process restarting
Wed Dec 02 17:04:28 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 02 17:04:28 2009 Re-using SSL/TLS context
Wed Dec 02 17:04:28 2009 Attempting to establish TCP connection with 192.168.0.141:1194
Wed Dec 02 17:04:28 2009 TCP connection established with 192.168.0.141:1194
Wed Dec 02 17:04:28 2009 TCPv4_CLIENT link local: [undef]
Wed Dec 02 17:04:28 2009 TCPv4_CLIENT link remote: 192.168.0.141:1194
Wed Dec 02 17:04:29 2009 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Dec 02 17:04:29 2009 TLS Error: TLS object -> incoming plaintext read error
Wed Dec 02 17:04:29 2009 TLS Error: TLS handshake failed
Wed Dec 02 17:04:29 2009 Fatal TLS error (check_tls_errors_co), restarting
Wed Dec 02 17:04:29 2009 SIGUSR1[soft,tls-error] received, process restarting
Wed Dec 02 17:04:34 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 02 17:04:34 2009 Re-using SSL/TLS context
Wed Dec 02 17:04:34 2009 Attempting to establish TCP connection with 192.168.0.141:1194
Wed Dec 02 17:04:34 2009 TCP connection established with 192.168.0.141:1194
Wed Dec 02 17:04:34 2009 TCPv4_CLIENT link local: [undef]
Wed Dec 02 17:04:34 2009 TCPv4_CLIENT link remote: 192.168.0.141:1194
Wed Dec 02 17:04:34 2009 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Dec 02 17:04:34 2009 TLS Error: TLS object -> incoming plaintext read error
Wed Dec 02 17:04:34 2009 TLS Error: TLS handshake failed
Wed Dec 02 17:04:34 2009 Fatal TLS error (check_tls_errors_co), restarting
Wed Dec 02 17:04:34 2009 SIGUSR1[soft,tls-error] received, process restarting
Cyberian
DD-WRT User


Joined: 07 Jun 2006
Posts: 198
Location: Oregon, US

PostPosted: Thu Dec 03, 2009 3:01    Post subject:
Try taking out...
Code:
crl-verify /tmp/openvpn/ca.crl

_________________
Michael
WRT54GS v1.1 with Eko JFFS + OpenVPN
lupine
DD-WRT Novice


Joined: 16 Jan 2007
Posts: 47

PostPosted: Thu Dec 03, 2009 3:11    Post subject:
Also try re-entering your certificates. Ensure that you have included the

-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

_________________
D-Link DIR-300
Asus RT-N16
Asus WL-500gPv2
Linksys WRT54GL 1.1
Way too much time.
greenleaf108
DD-WRT Novice


Joined: 03 Apr 2008
Posts: 9

PostPosted: Thu Dec 03, 2009 13:03    Post subject:
Thanks guys, I've tried both these suggestions and even re-generating my certs and keys from scratch using exactly the same settings in the tutorial, but no luck. Does anyone understand the error messages I posted? This is not quite the easy button I was expecting from the tutorial...and I work with linux servers for a living!
greenleaf108
DD-WRT Novice


Joined: 03 Apr 2008
Posts: 9

PostPosted: Thu Dec 03, 2009 16:25    Post subject:
Ok, I was able to get OpenVPN working on both Ubuntu and Windows Vista. Here's what I ended up doing; hopefully it saves someone else pain in the future:

When I first tried this I used the "easy-rsa" scripts included with the Windows distribution of OpenVPN. I also tried using the OpenVPN package from dag's repository on my CentOS 5.3 box. This also failed. In the end what worked was this:

1. Follow the "VPN (the easy way)" tutorial:
http://www.dd-wrt.com/wiki/index.php/VPN_%28the_easy_way%29_v24%2B
2. Make sure you use an Ubuntu package to generate the certs, just like in the tutorial. I'm not sure why, but this seemed to work for me when it didn't on CentOS or Windows Vista.
3. Now for the tricky part: something is wrong with Firefox in Ubuntu. You can't paste the certificates into the GUI using Firefox because the server.crt will get chopped in half, causing OpenVPN not to start at all. You'll have to somehow get the certificates off your Ubuntu machine and onto a Windows desktop (this is just too sad...), then you can copy and paste them into the GUI using Internet Exploder.

Use the config from the tutorial mentioned above on your client, and it should work. At least it does for me now - woohoo!
guardianx4
DD-WRT Novice


Joined: 30 Nov 2009
Posts: 13

PostPosted: Fri Dec 04, 2009 0:14    Post subject:
When you're in a Windows environment to copy and paste the key, what text editor program did you use to view the keys? Did you use Notepad, or textkey?

When I use textkey I see a lot of blank space within the key and blank space at the end of the keys. Do I include these blank spaces also?
greenleaf108
DD-WRT Novice


Joined: 03 Apr 2008
Posts: 9

PostPosted: Fri Dec 04, 2009 2:04    Post subject:
Hey Guardianx4:

I have a dual-boot machine, so I booted into Ubuntu to generate the keys. Then I zipped them all up in a .tar.gz file and emailed them to myself. Next I rebooted, unzipped them and used Notepad++ to open the files, and copied them into the GUI on a Windows machine.

I didn't include any blank space at the end of key or certs.

Another thing that helped was setting the clock on the router to UTC time. Apparently it creates a cert that for many of us in the USA will not be valid until several hours in the future. Alternatively you can make your certs and just wait until they become valid.
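Both client logs in this thread fail at SSL3_GET_SERVER_CERTIFICATE with "certificate verify failed", i.e. the client rejecting the server's certificate, and the posts above surface two causes: a server.crt chopped in half when pasted into the GUI (plus the question of stray blank space in the pasted text), and a certificate whose notBefore is ahead of the router clock. The following is an added example, not code from any post in this thread nor from DD-WRT or OpenVPN, that checks both offline with the Python standard library. The certificate it examines is constructed inline (unsigned, with a made-up issuer, dates and clock offset) and is labelled as such in the code; point check_pem and cert_validity at a real ca.crt or server.crt to use the checks for real. Signature and chain verification are out of scope here and still need openssl verify.

```python
"""Offline checks for the two "certificate verify failed" causes in this thread: a PEM block
truncated or padded with stray whitespace when pasted into the DD-WRT GUI, and a certificate
whose notBefore is ahead of the router clock.  Stdlib only; the sample at the bottom is a
constructed, unsigned certificate-shaped blob, not a real certificate."""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----[ \t]*\r?\n(.*?)\r?\n[ \t]*-----END \1-----", re.S)


def check_pem(text):
    """Return (label, der) for one intact PEM block, else raise ValueError.  Blank lines around the
    block and trailing spaces/CRs on lines are tolerated; a missing END line or a short base64
    line (what a half-pasted cert looks like) is rejected."""
    m = PEM_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("BEGIN/END lines missing or mismatched (block truncated?)")
    lines = [ln.strip() for ln in m.group(2).splitlines()]
    for i, ln in enumerate(lines):
        if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", ln):
            raise ValueError("line %d is not base64: %r" % (i + 1, ln))
        if i < len(lines) - 1 and len(ln) != 64:
            raise ValueError("line %d has %d chars, expected 64" % (i + 1, len(ln)))
    return m.group(1), base64.b64decode("".join(lines), validate=True)  # ValueError if corrupt


def _tlv(buf, pos):
    """One DER tag-length-value at pos -> (tag, value, end); definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = length byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """(tag, value) pairs inside a constructed element."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> aware datetime."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def cert_validity(der):
    """(notBefore, notAfter) of an X.509 DER cert; walks tbsCertificate, checks no signature."""
    _, tbs = _children(_tlv(der, 0)[1])[0]
    fields = _children(tbs)                             # [version] serial signature issuer validity ...
    if fields[0][0] == 0xA0:                            # explicit [0] version is absent in v1 certs
        fields = fields[1:]
    return tuple(_time(tag, val) for tag, val in _children(fields[3][1]))


def validity_problem(der, now):
    """Why OpenSSL would reject the cert at aware datetime `now`, or None if inside the window."""
    not_before, not_after = cert_validity(der)
    if now < not_before:
        return "not yet valid: notBefore %s but clock says %s" % (not_before, now)
    if now > not_after:
        return "expired: notAfter %s but clock says %s" % (not_after, now)
    return None


def _enc(tag, payload):
    """Minimal DER encoder, only used to build the constructed sample."""
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def sample_cert_der(not_before, not_after):
    """Constructed sample: real X.509 field order, placeholder algorithm/signature, made-up issuer CN."""
    utc = lambda d: _enc(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    issuer = _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x13, b"constructed test CA"))))
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")   # version, serial, sig alg
           + issuer + _enc(0x30, utc(not_before) + utc(not_after)))                   # issuer, validity
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))


def to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))


SAMPLE_NOT_BEFORE = datetime(2009, 12, 3, 16, 20, tzinfo=timezone.utc)   # constructed: set by the build host (UTC)
SAMPLE_NOT_AFTER = datetime(2019, 12, 1, 16, 20, tzinfo=timezone.utc)
ROUTER_CLOCK = datetime(2009, 12, 3, 11, 0, tzinfo=timezone.utc)         # constructed: router on local time, 5h behind

if __name__ == "__main__":
    der = sample_cert_der(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER)
    print(check_pem(to_pem(der))[0], cert_validity(der))
    print(validity_problem(der, ROUTER_CLOCK))
```

check_pem deliberately strips trailing whitespace and CRs per line and ignores blank lines around the block, which is the "blank space" question above: that whitespace is harmless, whereas a missing END line or a short line in the middle is exactly what a truncated paste produces. validity_problem takes the clock as an argument so the router's own time (whatever it was set to) can be fed in rather than the build host's.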
guardianx4
DD-WRT Novice


Joined: 30 Nov 2009
Posts: 13

PostPosted: Sat Dec 05, 2009 5:25    Post subject:
Is this the right key being generated? I generated them under Ubuntu and I also get invisible/blank characters between the lines. Here is a screenshot of the key when viewed with Notepad++ with "view display all characters":


pcamen
DD-WRT Novice


Joined: 05 Jun 2009
Posts: 18

PostPosted: Wed Sep 21, 2011 4:36    Post subject: It's the Windows key/cert generation that is the culprit
Here we are two years later and the problem still exists. Two identical routers with the same version of DD-WRT, and the first one went fine. But the second one I couldn't get to work no matter how many times I tried to recreate the certs on Windows. Then I tried creating them on Ubuntu as suggested and it worked like a charm.
All times are GMT