Problem with starting OpenVPN

(I'm not really good at English, but I try to do my best, because in the Russian segment there are no forums that might help me xdd)

I'm a student and FreeBSD is new to me. I have tried to start OpenVPN and got a connection error.

openvpn.log:
Code:
Thu Jun 27 16:31:36 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
Thu Jun 27 16:31:36 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Jun 27 16:31:36 2019 library versions: OpenSSL 1.1.0j  20 Nov 2018, LZO 2.10
Enter Management Password:
Thu Jun 27 16:31:36 2019 WARNING: Your certificate is not yet valid!
Thu Jun 27 16:31:36 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.12:1199
Thu Jun 27 16:31:36 2019 UDP link local: (not bound)
Thu Jun 27 16:31:36 2019 UDP link remote: [AF_INET]192.168.1.12:1199

client conf:
Code:
client
nobind
dev tun
remote-cert-tls server
remote 192.168.1.12 1199
key-direction 1

<key>
-----BEGIN PRIVATE KEY-----
numbers&letters
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
numbers&letters
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
numbers&letters
-----END CERTIFICATE-----
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
numbers&letters
-----END OpenVPN Static key V1-----
</tls-auth>

rc.conf:
Code:
hostname="tatiana"
ifconfig_em0="DHCP"
ifconfig_re0="DHCP"
sshd_enable="YES"
sshd_flags="-u0"
firewall_type=open
dumpdev="AUTO"
openvpn_enable="yes"
openvpn_flags="--tls-server"
openvpn_if="tun tap"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"

server.conf:
Code:
port 1199
proto udp
dev tun

ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key  # This file should be kept secret

dh keys/dh.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "route 192.168.1.0 255.255.255.0"

client-config-dir ccd
route 10.8.0.0 255.255.255.248

push "redirect-gateway def1 bypass-dhcp"

keepalive 10 120
tls-server
tls-auth ta.key 0 # This file is secret

cipher AES-256-CBC

persist-key
persist-tun

status openvpn-status.log
verb 3
explicit-exit-notify 1
 
WARNING: Your certificate is not yet valid!

It seems that somehow the certificate validity got messed up, or your system clock is set incorrectly.

Show the .CRT file info with the command openssl x509 -in certificate.crt -text -noout. Make sure the validity start and the expiration date are correctly set so that the current moment of time is within them.
Do this for the CA, server and client certificates!

Also, maybe the time zone is not set correctly on the client or the server. This is how you can change it: http://howtobsd.com/tips/how-to-set-timezone-freebsd.html
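The validity check suggested above, written out as an added example (not code from the thread): it prints the notBefore/notAfter window of a certificate and then asks openssl to verify it against the CA at the current time or at a chosen timestamp, which reproduces what a client with a wrong clock would see. It assumes the openssl CLI is installed; the helper that builds a throwaway CA and client certificate is constructed test data so the script can be exercised without real keys.

```shell
#!/bin/sh
# Added example: check an OpenVPN certificate the way the daemon does at startup,
# i.e. does it chain to the CA and is "now" inside notBefore..notAfter.
# Requires the openssl CLI. File paths are passed in as arguments.

# Print the validity window, e.g. "notBefore=Jun 27 16:31:36 2019 GMT".
cert_dates() {
    openssl x509 -in "$1" -noout -dates
}

# cert_status CA CERT [EPOCH]
# Prints one of: ok, not-yet-valid, expired, untrusted, other (exit 0 only for ok).
# EPOCH evaluates the chain at another moment in time; default is the current time.
cert_status() {
    ca="$1"; cert="$2"; at="$3"
    if [ -n "$at" ]; then
        out=$(openssl verify -CAfile "$ca" -attime "$at" "$cert" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$ca" "$cert" 2>&1) || true
    fi
    case "$out" in
        *": OK"*)                         echo ok; return 0 ;;
        *"certificate is not yet valid"*) echo not-yet-valid ;;
        *"certificate has expired"*)      echo expired ;;
        *"unable to get local issuer"*)   echo untrusted ;;
        *)                                echo other ;;
    esac
    return 1
}

# Constructed test data: a throwaway CA and a client certificate under DIR,
# both valid for 365 days starting now (not a real OpenVPN PKI).
make_test_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example CA" -days 365 \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
        -keyout "$d/client.key" -out "$d/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -out "$d/client.crt" >/dev/null 2>&1
}

# Usage: sh check-cert.sh ca.crt client.crt [epoch]
if [ $# -ge 2 ]; then
    cert_dates "$2"
    cert_status "$1" "$2" "$3"
fi
```

Run it once for the CA, once for the server and once for the client certificate; "not-yet-valid" for the client certificate with no epoch given is exactly the condition behind the warning in the log.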
 
Certificate validity might be a red herring here... I don't see any actual connection to the server in the log, so there's no evidence the server considers the cert invalid.

Instead I think this line looks suspicious:
Code:
openvpn_if="tun tap"
I'm not entirely sure as I can't check right now (on mobile), but I'd try leaving it out.
 
Just out of curiosity, what system are you using that has such a problem?
Thu Jun 27 16:31:36 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Correct me if I'm wrong, but are you using Windows, or are you instead connecting a machine with the mentioned system to your service?
 
Sorry, but I can't help you if you don't provide more details. What are you trying to do? Are you trying to connect a client to your server? Are you using virtual machines?
Another thing... you should take a look at your rc.conf. The content inside it seems strange. Are you sure you did things right when you added those lines?
 
To reiterate the good suggestions in this thread:
  • Your certificate has an expiration date in the future, which means it may have been generated incorrectly, or the time on one or more of your machines is incorrect.
  • The rc.conf line with "tun tap" should only have one device type in it. Since you selected TUN everywhere else, select that here, though choosing one depends on your needs.
  • You didn't provide any logs from the server. The only apparent error on the client is that no connection was ever made, because there's no log of it trying or failing, nor any error from the client certificate date problem.
I've successfully set this up with Viscosity on Windows
 