
Re: [Openvpn-users] tls error when client changes its certs/keys

  • Subject: Re: [Openvpn-users] tls error when client changes its certs/keys
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Thu, 20 Jan 2005 10:34:05 -0700 (MST)

Let me preface by saying that adding "nobind" to the client config will
probably solve this problem.

More explanation below:

On Thu, 20 Jan 2005, richard wrote:

> 00EB76server1/$my_server_ip:1194 TLS Auth Error: TLS object CN attempted to change from '00EB76server1' to '005BF7server1' -- tunnel disabled

For security reasons, once the OpenVPN server constructs a client instance 
object for a given client (defined by the client's source IP:port), the 
common name is not allowed to change.

> 00EB76server1 and 005BF7server1 are the same client machine. Just for 
> a test, I've changed all my certs/keys files on the client machine. I mean, 
> all the files are regenerated with the openssl command line. But, when the 
> client's openvpn is restarted with the new files, the VPN server seems to 
> detect a possible Man in the middle attack and disables the tunnel. 
> After about 5 mins and another restart with the new files, the server 
> accepted the peer connection.

Right, the 5 minutes (controlled by "keepalive") caused the old client
instance object on the server to time out, so when you restart after that
you have a fresh state.

> How could the server detect the same client machine with new certs/keys 
> files? By the way, all client certs/keys aren't generated on the client 
> machine, but on another, different server.

It's because the new client instantiation (or the local NAT gateway, if 
any) is reusing the same source IP:port, causing it to bind with the 
preexisting object on the server.
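To make the mechanism in this reply concrete, here is an added model (not OpenVPN's own code) of the server-side client-instance table: instances are keyed by source IP:port, the CN is pinned to the instance when it is created, and an instance expires after the keepalive timeout. The 300 s timeout, the addresses, ports and CNs are constructed sample values.

```python
from dataclasses import dataclass

# Assumed timeout; the thread only says "about 5 mins", tied to "keepalive".
KEEPALIVE_TIMEOUT = 300

@dataclass
class ClientInstance:
    common_name: str   # CN pinned when the instance was created
    last_seen: float   # time of the last accepted handshake from this peer

class Server:
    """Minimal model of the server's per-client instance objects."""

    def __init__(self, timeout=KEEPALIVE_TIMEOUT):
        self.timeout = timeout
        self.instances = {}  # (src_ip, src_port) -> ClientInstance

    def expire(self, now):
        """Drop instances that have been silent longer than the timeout."""
        for key in [k for k, v in self.instances.items()
                    if now - v.last_seen > self.timeout]:
            del self.instances[key]

    def handshake(self, src_ip, src_port, cert_cn, now):
        """Return 'accepted', or the error the server logs when the CN changes."""
        self.expire(now)
        key = (src_ip, src_port)
        inst = self.instances.get(key)
        if inst is None:
            self.instances[key] = ClientInstance(cert_cn, now)
            return "accepted"
        if inst.common_name != cert_cn:
            # Same source IP:port but a different CN: treated as a possible MITM.
            return ("TLS Auth Error: TLS object CN attempted to change from "
                    f"'{inst.common_name}' to '{cert_cn}' -- tunnel disabled")
        inst.last_seen = now
        return "accepted"

def scenario():
    """Replay the thread: rekeyed client on the same source port, then nobind."""
    srv = Server()
    r1 = srv.handshake("198.51.100.7", 1194, "00EB76server1", now=0)
    # Client restarts with regenerated certs but still binds source port 1194.
    r2 = srv.handshake("198.51.100.7", 1194, "005BF7server1", now=60)
    # Same attempt after the old instance has timed out.
    r3 = srv.handshake("198.51.100.7", 1194, "005BF7server1", now=400)
    # With "nobind" the OS picks an ephemeral source port, so a fresh instance is created.
    r4 = srv.handshake("198.51.100.7", 49152, "00EB76server1", now=401)
    return r1, r2, r3, r4
```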


Openvpn-users mailing list