TLS Error with openvpn3 #240
Replies: 15 comments
-
Try enabling legacy algorithms:
You need to have pre-imported the configuration file first, though.
Then you can start the config using
-
That sounds more like a messed-up CA than anything else.
-
But when I try to use my conf with OpenVPN (2.5.6) it works well :/
-
OpenVPN 3 Linux and the OpenVPN 3 Core Library 3.8 are by default a lot stricter out-of-the-box than OpenVPN 2.x.
-
Can you post a log with
-
Here it is
-
Please also run another test:
(this cannot use the pre-imported configuration, but will give a similar log output on the connection failure)
-
With the OpenVPN 2.x wrapper for OpenVPN it isn't working and I have the same problem. But when I use the OpenVPN package from apt, version 2.5.5, it's working well :/ Could it be an issue from openvpn3, which is stricter than openvpn 2.5.5?
-
@SherZCHR We want to see the full log of
-
The interesting lines from the OpenVPN 2.x log:
secp256r1 is not the best cipher but it is still accepted in normal security levels of openssl
@SherZCHR do you have the possibility to create certificates that you can share that would allow us to reproduce the problem?
-
@dsommers for the log with the openvpn2 command, I don't have any logs on the client side, but for the server side:
@schwabe I don't have the possibility to create a certificate for you; I use a smallstep CA, FYI.
-
Hi, Regards,
-
For us to be able to understand why the "smallstep CA" isn't working, we need to see a smallstep created certificate to inspect it. Since it is working with Easy-RSA, I'm closing this issue and converting it to a Q&A discussion. This is more a support case, not an issue in OpenVPN 3 Linux.
-
Also, smallstep CA seems to have been successfully tested with OpenVPN (https://smallstep.com/docs/step-ca/templates/#x509-openvpn-certificates), so it does not seem to be a generic problem with that PKI software.
-
Hi!
I'm trying to use openvpn3 in order to add MFA to my VPN connection.
I have a problem: I tried to enable my VPN connection but I got this error:
VERIFY ERROR: depth=0, error=unable to get local issuer certificate:
OpenSSL: error:0A000086:SSL routines::certificate verify failed:
I searched to find out why I have this problem. It said it's an RSA problem because my CA isn't using 4096-bit RSA. So I tried to change my algorithm to ECDSA with an ECDSA-SHA256 signature, but that changed nothing either.
I think the problem comes from openvpn3, because when I try to bring up my VPN connection with openvpn (2.6.5) the connection is good.
I also tried to deactivate my tls-ciphers security with: tls-cipher "DEFAULT:@SECLEVEL=0" but it's not working...
Can we have more information on which ciphers are supported in this version of openvpn?
Or can you help me understand why this connection isn't working with openvpn3?
I really need to use it, because the oauth2 module doesn't work with openvpn 2.5.6.
Regards,