Hi, I have a problem on a new server trying to use an old server's config...
Back in 2019 I created an RPi2 based OVPN server for use by my brother-in-law to connect back to his home in Vienna while traveling abroad. It has worked fine for a long time but recently the RPi2 has acted up and the service stopped occasionally until someone (his son) could go over and restart the RPi2 device. This happened repeatedly.

So to improve this I have started up a new RPi4B with the most recent PiOS Lite (server style - no gui components). On this I have installed openvpn via apt and I have copied over the "crypto" files to directory /etc/openvpn/server/serverkeys. I did so by (as sudo) creating a tar.gz file containing /etc/openvpn on the old RPi2. Then I have configured a server.conf file based on the old file on the RPi2 but with some enhancements from recent times by looking at a conf file on my new OVPN server here at home, which works just fine.

For a test I have started the service with the RPi4 on my home LAN so I have edited the conf file to reflect my own LAN configuration network wise. Then I have copied my ovpn file for the old server in Vienna and edited it so it points to my own server and uses the correct port etc to be used for testing here.

Now when I try to connect from my phone using this ovpn file modified to point to my own url it stops with an error message:
---------------------------------------------------------------
There was an error attempting to connect to the selected server.
Error message:
"You are using an insecure hash algorithm for the CA signature. Regenerate the CA certificate with a secure hash algorithm."
----------------------------------------------------------------
I do not know *where* the problem is located in this case. Nor what exactly I have to do. Which signature is a problem? Something on the server or inside the ovpn file I use to connect?

I used a copy of the ovpn file working towards the RPi2 device (which fully works right now), where I just changed the port number to match what I have forwarded on my router and switched the connection URL to my home system.

Here is my server.conf file:
---------------------------
port 1193
proto udp
dev tun
topology subnet
#Keys, Certificates, directories etc
ca /etc/openvpn/server/serverkeys/ca.crt
cert /etc/openvpn/server/serverkeys/HAKANVPN.crt
key /etc/openvpn/server/serverkeys/HAKANVPN.key
dh /etc/openvpn/server/serverkeys/dh2048.pem
tls-auth /etc/openvpn/server/serverkeys/ta.key 0
cipher AES-256-CBC
#Other files/dirs:
client-config-dir /etc/openvpn/ccd
status /etc/openvpn/log/server-status.log 20
log /etc/openvpn/log/server.log
verb 3 #Verbosity of log content
max-clients 20
key-direction 0
persist-key
persist-tun
#Server's internal network:
server 10.8.113.0 255.255.255.0 'nopool'
ifconfig-pool 10.8.113.10 10.8.113.127 255.255.255.0
ifconfig-pool-persist /etc/openvpn/server/ipp.txt
push "route 10.8.113.0 255.255.255.0"
push "route 10.8.113.1 255.255.255.255"
push "route 192.168.119.0 255.255.255.0"
push "dhcp-option DNS 192.168.119.1" # When testing at home
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
comp-lzo no
push "comp-lzo no"
duplicate-cn
keepalive 10 120
---------------------------------------------------------------

Here is the content of the ovpn file used on the phone:
---------------------------------------------------------------
client
dev tun
proto udp
myhomedomain 1093
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
auth-nocache
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
verb 2
mute 20
explicit-exit-notify 1
<ca>
-----BEGIN CERTIFICATE-----
MIIG4DCCBMigAwIBAgIUbFjR74pEthxrXy5wTGb2jx92Ty0wDQYJKoZIhvcNAQEL
....
wcq/MyVJlLSaD/8QlhwIy38repxvLEZEEodBJO4laZrdmeb9
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIHEzCCBPugAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBnjELMAkGA1UEBhMCQVQx
....
Cmed45LdJCnOG/vunkpXLM1EvtK/WSo4Hynwoi7axIVlC/6fVA72
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E1369C0CE0B22D49
....
XaE3Qw06HkP6bzXhxZWwQT9Tf1QiS1XSmhHCp76I8BPkSEr1hl6Z6C6RqLZKi6wO
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
366cadc0ebfed57a493fdb05cedd25d9
....
9ea060f01c0fcaba71f39b7d6ac92f98
-----END OpenVPN Static key V1-----
</tls-auth>
---------------------------------------------------------------

This is what is in the log file (there are no timestamps so I don't know *when* it was logged):
-------------------------------------------------------------------------------
DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
Note: '--allow-compression' is not set to 'no', disabling data channel offload.
Consider using the '--compress migrate' option.
OpenVPN 2.6.3 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.15 3 Sep 2024, LZO 2.10
DCO version: N/A
WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
net_route_v4_best_gw query: dst 0.0.0.0
net_route_v4_best_gw result: via 192.168.119.1 dev eth0
Diffie-Hellman initialized with 2048 bit key
OpenSSL: error:0A00018E:SSL routines::ca md too weak
Cannot load certificate file /etc/openvpn/server/serverkeys/HAKANVPN.crt
Exiting due to fatal error
-------------------------------------------------------------------------------

And finally this is what I get with sudo systemctl status openvpn-server@server.service
-------------------------------------------------------------------------------
openvpn-server@server.service - OpenVPN service for server
     Loaded: loaded (/lib/systemd/system/openvpn-server@.service; enabled; preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Fri 2025-03-28 22:41:14 CET; 2s ago
       Docs: man:openvpn(8)
             https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
             https://community.openvpn.net/openvpn/wiki/HOWTO
    Process: 20876 ExecStart=/usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf (code=exited, status=1/FAILURE)
   Main PID: 20876 (code=exited, status=1/FAILURE)
     Status: "Pre-connection initialization successful"
        CPU: 90ms
--------------------------------------------------------------------------------

Where should I look for the problem? And a solution.....

TIA

--
Bo Berglund
Developer in Sweden

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
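Added here as a diagnostic for the "ca md too weak" error above; this is editor-written example code, not part of Bo's post and not an OpenVPN or OpenSSL tool. It reads the signature algorithm out of the first base64 line of a PEM certificate, which is all the truncated blobs in the post contain, by walking only the DER headers up to tbsCertificate.signature; the two lines are copied from the post's <ca> and <cert> blocks, and the OID table is an assumption covering the common RSA signature OIDs (anything else comes back as a dotted OID).

```python
import base64
# RSA PKCS#1 v1.5 signature OIDs; anything else is reported as the raw dotted OID.
SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
# Digests OpenSSL 3 rejects in certificate signatures at its default security level ("ca md too weak").
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def _tlv(buf, pos):  # DER element header at pos -> (tag, header length, content length)
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, hdr, length

def _oid(raw):  # DER OID content bytes -> dotted string
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def signature_algorithm(first_b64_line):
    """tbsCertificate.signature read from the FIRST base64 line of a PEM certificate.
    Only TLV headers are walked, so the truncated blobs quoted in the post are enough."""
    buf = base64.b64decode(first_b64_line)
    pos = _tlv(buf, 0)[1]                # Certificate SEQUENCE
    pos += _tlv(buf, pos)[1]             # tbsCertificate SEQUENCE
    tag, hdr, length = _tlv(buf, pos)
    if tag == 0xA0:                      # optional version [0] EXPLICIT
        pos += hdr + length
    tag, hdr, length = _tlv(buf, pos)    # serialNumber INTEGER
    if tag != 0x02:
        raise ValueError("expected INTEGER serial, got tag 0x%02x" % tag)
    pos += hdr + length
    pos += _tlv(buf, pos)[1]             # signature AlgorithmIdentifier SEQUENCE
    tag, hdr, length = _tlv(buf, pos)    # algorithm OBJECT IDENTIFIER
    if tag != 0x06 or pos + hdr + length > len(buf):
        raise ValueError("OID not inside the supplied bytes; pass more of the PEM body")
    oid = _oid(buf[pos + hdr:pos + hdr + length])
    return SIG_OIDS.get(oid, oid)

def check_certs(first_lines):  # {label: first base64 line} -> {label: (algorithm, too weak?)}
    algs = {k: signature_algorithm(v) for k, v in first_lines.items()}
    return {k: (a, a in WEAK) for k, a in algs.items()}

# The first base64 line of the <ca> and <cert> blocks exactly as quoted in the post.
POSTED = {"ca": "MIIG4DCCBMigAwIBAgIUbFjR74pEthxrXy5wTGb2jx92Ty0wDQYJKoZIhvcNAQEL",
          "cert": "MIIHEzCCBPugAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBnjELMAkGA1UEBhMCQVQx"}
```

On the posted lines check_certs(POSTED) reports the <ca> block as sha256WithRSAEncryption and the <cert> block as sha1WithRSAEncryption, so the CA itself is fine and it is the certificates issued by it that carry the weak signature. Feeding the first line of HAKANVPN.crt on the server to signature_algorithm() shows whether the server certificate, the file OpenSSL 3.0.15 refuses to load, was issued with SHA-1 too.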