Greetings,

OK, so after about a year of not using openvpn, I find myself needing it again. Although "nothing changed" ;) it no longer works. I suspect upgrades over the past year might have something to do with it. All instances of "xxxx" shown below were put there for privacy...

According to some googling I did (ie: http://openvpn.net/archive/openvpn-users/2005-07/msg00037.html), the "error" in the server log is due to the server not being notified of the server disconnect. I can only assume this is true at this point.

From the server's log:

Dec 5 00:26:19 server openvpn[5398]: MULTI: multi_create_instance called
Dec 5 00:26:19 server openvpn[5398]: xx.xx.xx.xx:54322 Re-using SSL/TLS context
Dec 5 00:26:19 server openvpn[5398]: xx.xx.xx.xx:54322 LZO compression initialized
Dec 5 00:26:19 server openvpn[5398]: xx.xx.xx.xx:54322 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Dec 5 00:26:19 server openvpn[5398]: xx.xx.xx.xx:54322 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Dec 5 00:26:19 server openvpn[5398]: xx.xx.xx.xx:54322 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Dec 5 00:26:19 server openvpn[5398]: xx.xx.xx.xx:54322 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Dec 5 00:26:19 server openvpn[5398]: xx.xx.xx.xx:54322 Local Options hash (VER=V4): 'f7df56b8'
Dec 5 00:26:19 server openvpn[5398]: xx.xx.xx.xx:54322 Expected Remote Options hash (VER=V4): 'd79ca330'
Dec 5 00:26:19 server openvpn[5398]: xx.xx.xx.xx:54322 TLS: Initial packet from xx.xx.xx.xx:54322, sid=3aef92c6 ee94874f
Dec 5 00:26:19 server openvpn[5398]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Dec 5 00:26:21 server last message repeated 6 times

I get the following errors in the client's log:

Dec 5 00:09:01 client openvpn[11435]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=US/ST=NC/L=Raleigh/O=xxxxx/CN=xxxxx/emailAddress=xxxxx
Dec 5 00:09:01 client openvpn[11435]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Dec 5 00:09:01 client openvpn[11435]: TLS Error: TLS object -> incoming plaintext read error
Dec 5 00:09:01 client openvpn[11435]: TLS Error: TLS handshake failed
Dec 5 00:09:01 client openvpn[11435]: TCP/UDP: Closing socket

I've verified the ca.crt on both server and client, and the server.crt and client.crt, and they all return "OK".

$ openssl verify -CAfile ca.crt -purpose sslclient ca.crt
$ openssl verify -CAfile ca.crt -purpose sslclient client.crt
$ openssl verify -CAfile ca.crt -purpose sslclient ca.crt
$ openssl verify -CAfile ca.crt -purpose sslserver ca.crt
$ openssl verify -CAfile ca.crt -purpose sslserver server.crt

client config:

client
dev tun
proto udp
remote xx.xx.xx.xx 1194
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 5

server config:

port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.2.1 255.255.255.0 192.168.2.200 192.168.2.249
keepalive 10 120
cipher BF-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 4
mute 20

Any thoughts or ideas? Oh, the server is sitting behind a NAT'd firewall and the client is on an internet routable IP.

Thanks in advance!
-- 
Paul @ Thy Service

-- 
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
