[Openvpn-users] Tun not created, possible certificate problem ?


  • Subject: [Openvpn-users] Tun not created, possible certificate problem ?
  • From: "Jeff Boyce" <jboyce@xxxxxxxxxxxxxxx>
  • Date: Thu, 1 Mar 2007 11:01:01 -0800

Greetings -

I am setting up and testing my first openvpn configuration.  After cleaning up multiple beginner's errors, I have run across a new problem that has me befuddled.  The tun device is not being created when I start openvpn on my test client (CentOS 4.4) trying to connect to my server (RHEL3).  Comparing a previous startup log from a week ago (when the tun was created) with a recent startup log (when the tun is not created), I think that there might be a problem with my certificate verification.  Specifically, I was looking at the lines near the bottom of the 'tun not created' log, which state that there was a TLS Error.  Can anyone explain to me what is going on here and what I might need to do to resolve it?  Searching through the list archives didn't really give me any good leads to follow.

Client Log when tun is created
Thu Feb 22 07:22:17 2007 us=793535   config = 'client.conf'
Thu Feb 22 07:22:17 2007 us=793589   mode = 0
Thu Feb 22 07:22:17 2007 us=793636   persist_config = DISABLED
Thu Feb 22 07:22:17 2007 us=793684   persist_mode = 1
Thu Feb 22 07:22:17 2007 us=793747   show_ciphers = DISABLED
Thu Feb 22 07:22:17 2007 us=793794   show_digests = DISABLED
Thu Feb 22 07:22:17 2007 us=793840   show_engines = DISABLED
Thu Feb 22 07:22:17 2007 us=793886   genkey = DISABLED
Thu Feb 22 07:22:17 2007 us=793933   key_pass_file = '[UNDEF]'
Thu Feb 22 07:22:17 2007 us=793979 NOTE: --mute triggered...
Thu Feb 22 07:22:17 2007 us=794068 165 variation(s) on previous 10 message(s) suppressed by --mute
Thu Feb 22 07:22:17 2007 us=794120 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Feb  2 2007
Thu Feb 22 07:22:17 2007 us=794311 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu Feb 22 07:22:17 2007 us=833513 WARNING: file '/etc/openvpn/easy-rsa/keys/JABredcedarVPNclient.key' is group or others accessible
Thu Feb 22 07:22:17 2007 us=835880 LZO compression initialized
Thu Feb 22 07:22:17 2007 us=836958 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Feb 22 07:22:17 2007 us=837209 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Feb 22 07:22:17 2007 us=837323 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Feb 22 07:22:17 2007 us=837368 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Feb 22 07:22:17 2007 us=837470 Local Options hash (VER=V4): '41690919'
Thu Feb 22 07:22:17 2007 us=837552 Expected Remote Options hash (VER=V4): '530fdded'
Thu Feb 22 07:22:17 2007 us=840049 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Feb 22 07:22:17 2007 us=840252 Socket Buffers: R=[110592->131072] S=[110592->131072]
Thu Feb 22 07:22:17 2007 us=840328 UDPv4 link local: [undef]
Thu Feb 22 07:22:17 2007 us=840404 UDPv4 link remote: aaa.bbb.ccc.ddd:1194
Thu Feb 22 07:22:18 2007 us=23753 TLS: Initial packet from aaa.bbb.ccc.ddd:1194, sid=a71916d5 a8366c39
Thu Feb 22 07:22:18 2007 us=963743 VERIFY OK: depth=1, /C=US/ST=WA/L=SEATTLE/O=Meridian_Environmental/CN=BisonCA/emailAddress=xxx@xxxxxxx
Thu Feb 22 07:22:18 2007 us=966257 VERIFY OK: nsCertType=SERVER
Thu Feb 22 07:22:18 2007 us=966368 VERIFY OK: depth=0, /C=US/ST=WA/O=Meridian_Environmental/CN=BisonVPNserver/emailAddress=xxx@xxxxxxx
Thu Feb 22 07:22:20 2007 us=868588 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Feb 22 07:22:20 2007 us=868728 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 22 07:22:20 2007 us=868983 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Feb 22 07:22:20 2007 us=869040 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 22 07:22:20 2007 us=869273 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Feb 22 07:22:20 2007 us=869387 [BisonVPNserver] Peer Connection Initiated with aaa.bbb.ccc.ddd:1194
Thu Feb 22 07:22:22 2007 us=201602 SENT CONTROL [BisonVPNserver]: 'PUSH_REQUEST' (status=1)
Thu Feb 22 07:22:22 2007 us=325795 PUSH: Received control message: 'PUSH_REPLY,route 192.168.112.0 255.255.255.0,route 10.8.6.1,ping 60,ping-restart 600,ifconfig 10.8.6.6 10.8.6.5'
Thu Feb 22 07:22:22 2007 us=326056 OPTIONS IMPORT: timers and/or timeouts modified
Thu Feb 22 07:22:22 2007 us=326103 OPTIONS IMPORT: --ifconfig/up options modified
Thu Feb 22 07:22:22 2007 us=326146 OPTIONS IMPORT: route options modified
Thu Feb 22 07:22:22 2007 us=335546 TUN/TAP device tun0 opened
Thu Feb 22 07:22:22 2007 us=335708 TUN/TAP TX queue length set to 100
Thu Feb 22 07:22:22 2007 us=335802 /sbin/ip link set dev tun0 up mtu 1500
Thu Feb 22 07:22:22 2007 us=342223 /sbin/ip addr add dev tun0 local 10.8.6.6 peer 10.8.6.5
Thu Feb 22 07:22:22 2007 us=351536 /sbin/ip route add 192.168.112.0/24 via 10.8.6.5
Thu Feb 22 07:22:22 2007 us=358174 /sbin/ip route add 10.8.6.1/32 via 10.8.6.5
Thu Feb 22 07:22:22 2007 us=364567 GID set to nobody
Thu Feb 22 07:22:22 2007 us=364742 UID set to nobody
Thu Feb 22 07:22:22 2007 us=364791 Initialization Sequence Completed


Client Log when tun is not created
Wed Feb 28 21:25:24 2007 us=95302 Current Parameter Settings:
Wed Feb 28 21:25:24 2007 us=123195   config = 'client.conf'
Wed Feb 28 21:25:24 2007 us=123271   mode = 0
Wed Feb 28 21:25:24 2007 us=123316   persist_config = DISABLED
Wed Feb 28 21:25:24 2007 us=123362   persist_mode = 1
Wed Feb 28 21:25:24 2007 us=123407   show_ciphers = DISABLED
Wed Feb 28 21:25:24 2007 us=123452   show_digests = DISABLED
Wed Feb 28 21:25:24 2007 us=123498   show_engines = DISABLED
Wed Feb 28 21:25:24 2007 us=123542   genkey = DISABLED
Wed Feb 28 21:25:24 2007 us=123588   key_pass_file = '[UNDEF]'
Wed Feb 28 21:25:24 2007 us=123633   NOTE: --mute triggered...
Wed Feb 28 21:25:24 2007 us=123678   165 variation(s) on previous 10 message(s) suppressed by --mute
Wed Feb 28 21:25:24 2007 us=133351 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Feb  2 2007
Wed Feb 28 21:25:24 2007 us=133578 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Feb 28 21:25:24 2007 us=172699 WARNING: file '/etc/openvpn/easy-rsa/keys/JABredcedarVPNclient.key' is group or others accessible
Wed Feb 28 21:25:24 2007 us=176817 LZO compression initialized
Wed Feb 28 21:25:24 2007 us=178120 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Feb 28 21:25:24 2007 us=178362 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Feb 28 21:25:24 2007 us=178474 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed Feb 28 21:25:24 2007 us=178517 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed Feb 28 21:25:24 2007 us=178618 Local Options hash (VER=V4): '41690919'
Wed Feb 28 21:25:24 2007 us=178698 Expected Remote Options hash (VER=V4): '530fdded'
Wed Feb 28 21:25:24 2007 us=180947 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Wed Feb 28 21:25:24 2007 us=181181 Socket Buffers: R=[110592->131072] S=[110592->131072]
Wed Feb 28 21:25:24 2007 us=181290 UDPv4 link local: [undef]
Wed Feb 28 21:25:24 2007 us=181380 UDPv4 link remote: aaa.bbb.ccc.ddd:1194
Wed Feb 28 21:26:25 2007 us=130398 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Feb 28 21:26:25 2007 us=130463 TLS Error: TLS handshake failed
Wed Feb 28 21:26:25 2007 us=130938 TCP/UDP: Closing socket
Wed Feb 28 21:26:25 2007 us=131089 SIGUSR1[soft,tls-error] received, process restarting
Wed Feb 28 21:26:25 2007 us=131168 Restart pause, 2 second(s)


My most recent client config file is listed below.  There are some minor 
variations between this one and the test from a week ago, but this is just a 
basic single client connected to a server at this point.  Any help or 
diagnostic leads are appreciated.  Thanks.

CLIENT.CONF
client
dev tun
proto udp
remote aaa.bbb.ccc.ddd 1194
pull
nobind
user nobody
group nobody
persist-key
persist-tun
tls-client
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/JABredcedarVPNclient.crt
key /etc/openvpn/easy-rsa/keys/JABredcedarVPNclient.key
ns-cert-type server
keepalive 10 120
comp-lzo
verb 4
mute 10


Jeff Boyce
www.meridianenv.com 

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
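Editor's added example (not part of the post above, nor OpenVPN's own code): a Python triage script for OpenVPN 2.0.x client logs at verb 4 that separates the two failure modes the question runs together. The successful log shows "TLS: Initial packet from ..." followed by VERIFY OK lines; the failing log reaches the 60-second "TLS key negotiation failed" timeout without ever logging an initial packet from the server, which means no server reply arrived at the client and no certificate was examined. A certificate that the client rejects produces a "VERIFY ERROR" line instead. It also flags the "group or others accessible" warning on the private key and shows how to check a key file's mode directly. Assumptions: the "VERIFY ERROR" wording is taken from OpenVPN's ssl.c as I remember it, not from this page; the sample logs are constructed excerpts modelled on the post, with the documentation address 192.0.2.10 and the file name client.key standing in for the real ones.

```python
"""Triage an OpenVPN 2.0.x client log (verb 4): did the TLS handshake fail
because the server never answered, or because a certificate was rejected?
Added example, not code from the original post. Sample logs are constructed."""
import os
import re
import stat
import tempfile

# Log markers. The VERIFY OK and timeout lines appear verbatim in the post;
# the VERIFY ERROR forms are assumed from OpenVPN's ssl.c, not from the page.
SERVER_ANSWERED = re.compile(r"TLS: Initial packet from (\S+), sid=")
HANDSHAKE_TIMEOUT = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")
VERIFY_ERROR = re.compile(r"VERIFY (?:nsCertType )?ERROR")
VERIFY_OK = re.compile(r"VERIFY OK: (depth=\d+|nsCertType=\w+)")
KEY_PERMS = re.compile(r"WARNING: file '([^']+)' is group or others accessible")
COMPLETED = "Initialization Sequence Completed"


def triage(log_text):
    """Return a dict with a verdict plus the evidence that produced it."""
    ev = {"server_answered": None, "verify_ok": [], "verify_error": False,
          "timeout_seconds": None, "insecure_key_files": [], "completed": False}
    for line in log_text.splitlines():
        if m := SERVER_ANSWERED.search(line):
            ev["server_answered"] = m.group(1)       # first packet from the peer
        elif m := HANDSHAKE_TIMEOUT.search(line):
            ev["timeout_seconds"] = int(m.group(1))  # hand-window expired
        elif VERIFY_ERROR.search(line):
            ev["verify_error"] = True                # client rejected a cert
        elif m := VERIFY_OK.search(line):
            ev["verify_ok"].append(m.group(1))       # chain depth / nsCertType
        elif m := KEY_PERMS.search(line):
            ev["insecure_key_files"].append(m.group(1))
        elif COMPLETED in line:
            ev["completed"] = True

    if ev["completed"]:
        verdict, hint = "connected", "tunnel came up; nothing to fix on the TLS side"
    elif ev["verify_error"]:
        verdict, hint = "certificate_rejected", "check ca, ns-cert-type and the server cert"
    elif ev["timeout_seconds"] is not None and ev["server_answered"] is None:
        # No packet ever came back, so certificates were never looked at:
        # openvpn not listening on the remote, or UDP/1194 blocked by firewall/NAT.
        verdict, hint = "no_server_reply", "check server is up and UDP/1194 reaches it"
    elif ev["timeout_seconds"] is not None:
        verdict, hint = "stalled_after_contact", "check server log for VERIFY ERROR / option mismatch"
    else:
        verdict, hint = "undetermined", "no handshake outcome found in log"
    ev["verdict"], ev["hint"] = verdict, hint
    return ev


def key_file_exposed(path):
    """True if group or others have any access bit on the private key, which is
    the condition behind OpenVPN's 'group or others accessible' warning."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo_key_perm_check():
    """Create two throwaway key files, 0644 and 0600, and report each."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("loose.key", 0o644), ("tight.key", 0o600)):
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("-----BEGIN RSA PRIVATE KEY-----\n")  # placeholder, not a key
            os.chmod(p, mode)
            results[name] = key_file_exposed(p)
    return results


# Constructed excerpts in the shape of the post's two logs (not the real logs).
LOG_TUN_CREATED = """\
Thu Feb 22 07:22:17 2007 us=833513 WARNING: file '/etc/openvpn/easy-rsa/keys/client.key' is group or others accessible
Thu Feb 22 07:22:17 2007 us=840404 UDPv4 link remote: 192.0.2.10:1194
Thu Feb 22 07:22:18 2007 us=23753 TLS: Initial packet from 192.0.2.10:1194, sid=a71916d5 a8366c39
Thu Feb 22 07:22:18 2007 us=963743 VERIFY OK: depth=1, /C=US/O=Example/CN=ExampleCA
Thu Feb 22 07:22:18 2007 us=966257 VERIFY OK: nsCertType=SERVER
Thu Feb 22 07:22:18 2007 us=966368 VERIFY OK: depth=0, /C=US/O=Example/CN=vpnserver
Thu Feb 22 07:22:22 2007 us=364791 Initialization Sequence Completed
"""
LOG_TIMEOUT = """\
Wed Feb 28 21:25:24 2007 us=181380 UDPv4 link remote: 192.0.2.10:1194
Wed Feb 28 21:26:25 2007 us=130398 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Feb 28 21:26:25 2007 us=130463 TLS Error: TLS handshake failed
Wed Feb 28 21:26:25 2007 us=131089 SIGUSR1[soft,tls-error] received, process restarting
"""
LOG_BAD_CERT = """\
Wed Feb 28 21:30:01 2007 us=1 TLS: Initial packet from 192.0.2.10:1194, sid=00000000 00000000
Wed Feb 28 21:30:02 2007 us=2 VERIFY ERROR: depth=0, error=certificate signature failure: /C=US/O=Example/CN=vpnserver
Wed Feb 28 21:30:02 2007 us=4 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    for name, log in (("tun created", LOG_TUN_CREATED), ("timeout", LOG_TIMEOUT),
                      ("bad cert", LOG_BAD_CERT)):
        r = triage(log)
        print(f"{name}: {r['verdict']} -> {r['hint']}")
        for f in r["insecure_key_files"]:
            print(f"  private key {f} is readable by others; chmod 600 it")
    print("key mode check:", demo_key_perm_check())
```

Run it against a real log with `triage(open("/var/log/openvpn.log").read())`. The point of the ordering in `triage` is that a missing "Initial packet" line rules out the client-side certificate path entirely: nothing was received to verify, so the place to look is the server process, the firewall in front of it, and whatever NAT sits between the two hosts. The permission warning is independent of the connection failure, but a private key readable by other local users should be fixed regardless.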