OpenVPN Client on LM 18.3 Fails to Connect To OpenVPN Server

Post by StarWars » Tue Dec 26, 2017 12:26 pm

Hello All:

Though I have been using LM for the past few years, this is my first post!

I run OpenVPN Server on my home router which is also a flavour of Linux. Please see below ...

Code:

SynologyRouter> openvpn
OpenVPN 2.3.11 armle-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep 14 2017

SynologyRouter> cat /proc/version
Linux version 3.4.103 (root@build3) (gcc version 4.9.3 20150311 (prerelease) (crosstool-NG 1.20.0) ) #6542 SMP Wed Nov 8 14:40:09 CST 2017

I have exported the details & certificates from OVPN Server and have been able to import in OpenVPN Client in iOS 11.x and use it quite extensively - no problems at all. The exported certificate - "VPNConfig.ovpn" file has the connection details, CA cert and TLS Key only. I have tried to import the same in LM 18.3 as below:

Network Setting > "+" > Import from file > Entered UserID > Entered Password

When I try to start the VPN from the Network Settings, the following is what I see in /var/log/syslog file.

Code:

Dec 26 23:13:47 MintLinux183 NetworkManager[864]: nm-openvpn-Message: openvpn[10357] started
Dec 26 23:13:47 MintLinux183 nm-openvpn[10357]: OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
Dec 26 23:13:47 MintLinux183 nm-openvpn[10357]: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Dec 26 23:13:48 MintLinux183 nm-openvpn[10357]: WARNING: No server certificate verification method has been enabled.
Dec 26 23:13:48 MintLinux183 nm-openvpn[10357]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 26 23:13:48 MintLinux183 nm-openvpn[10357]: Control Channel Authentication: using '/home/testusr/.cert/nm-openvpn/VPNConfig-tls-auth.pem' as a OpenVPN static key file
Dec 26 23:13:49 MintLinux183 nm-openvpn[10357]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
Dec 26 23:13:49 MintLinux183 nm-openvpn[10357]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Dec 26 23:13:49 MintLinux183 nm-openvpn[10357]: UDPv4 link local: [undef]
Dec 26 23:13:49 MintLinux183 nm-openvpn[10357]: UDPv4 link remote: [AF_INET] XXX.YYY.AAA.BBB:443
Dec 26 23:13:50 MintLinux183 nm-openvpn[10357]: VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Dec 26 23:13:50 MintLinux183 nm-openvpn[10357]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Dec 26 23:13:50 MintLinux183 nm-openvpn[10357]: TLS Error: TLS object -> incoming plaintext read error
Dec 26 23:13:50 MintLinux183 nm-openvpn[10357]: TLS Error: TLS handshake failed
Dec 26 23:13:50 MintLinux183 nm-openvpn[10357]: SIGUSR1[soft,tls-error] received, process restarting

The same details & cert import in iOS OpenVPN client works flawlessly. Any pointers on how to fix this will be of great help ... I'm trying to set up a laptop with LM 18.3 and OpenVPN for my daughter who needs to use VPN to connect to sites not permitted in China.
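
Added example (not part of the original post, and not OpenVPN or NetworkManager code): a small Python triage script run over lines copied from the syslog excerpt above. It extracts the depth, OpenSSL error string and subject CN from the VERIFY ERROR line and attaches a hint based on OpenSSL's documented meaning of that error; the name `triage` and the hint wording are this example's own.

```python
import re

# Lines copied from the syslog excerpt in the post above (only the relevant ones).
SAMPLE_LOG = """\
Dec 26 23:13:48 MintLinux183 nm-openvpn[10357]: WARNING: No server certificate verification method has been enabled.
Dec 26 23:13:50 MintLinux183 nm-openvpn[10357]: VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Dec 26 23:13:50 MintLinux183 nm-openvpn[10357]: TLS Error: TLS handshake failed
"""

VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (.*)$")
# Splits "C=GB, ST=Greater Manchester, ..." into (key, value) pairs.
RDN_RE = re.compile(r"(?:^|, )([A-Za-z]+)=(.*?)(?=, [A-Za-z]+=|$)")

# OpenSSL verification error strings and what they say about the client's CA file.
HINTS = {
    "unable to get issuer certificate":
        "the certificate named here was found, but its issuer is not in the "
        "client's CA file; the file needs the chain up to the self-signed root",
    "unable to get local issuer certificate":
        "no certificate in the client's CA file issued the certificate named here",
    "self signed certificate in certificate chain":
        "the chain ends in a root that is not in the client's CA file",
    "certificate has expired":
        "the certificate named here is past its notAfter date",
}


def triage(log_text):
    """Return one finding per certificate-related line in an OpenVPN client log."""
    findings = []
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            subject = dict(RDN_RE.findall(m.group(3)))
            error = m.group(2).strip()
            findings.append({
                "kind": "verify_error",
                "depth": int(m.group(1)),  # 0 = server certificate, 1+ = CA certificates
                "error": error,
                "cn": subject.get("CN", m.group(3)),
                "hint": HINTS.get(error, "unrecognised verification error"),
            })
        elif "No server certificate verification method" in line:
            findings.append({
                "kind": "no_server_cert_check",
                "hint": "set remote-cert-tls server or verify-x509-name",
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the excerpt above this reports the missing server-certificate check and a depth=1 failure on the COMODO intermediate, i.e. the CA bundle the client was given does not contain that intermediate's issuer.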

Post by Pippin » Tue Dec 26, 2017 5:35 pm

If I'm not mistaken, on your router you can choose which certificate to use for OpenVPN, choose the Synology one and try again.
"One good thing about music, when it hits you feel no pain."
B.M.

Post by StarWars » Wed Dec 27, 2017 1:05 am

Pippin wrote: If I'm not mistaken, on your router you can choose which certificate to use for OpenVPN, choose the Synology one and try again.

Actually there's no option to choose in my router. In fact, different VPNs are placed in separate "Tabs" and hence their export is based on which tab you are on. Please see the screenshot in the link below.

https://imgur.com/a/zja2c
[Image: OVPN_Export.png]

The exported certificate - "VPNConfig.ovpn" file has the connection details, CA cert and TLS Static Key only.

Post by Pippin » Wed Dec 27, 2017 8:58 am

Have you looked in Control Panel > Services > Certificate?
Maybe there is an option to select which certificate must be used for OpenVPN...
If so then select it and re-export OpenVPN's client config.

I vaguely remember Comodo not working for VPN.

Post by StarWars » Wed Dec 27, 2017 2:00 pm

@Pippin: Thanks for your hints ....

When I exported from Control Panel > Services > Certificate in my Synology Router, it saves a zip file containing the following files:

1) ca.crt
2) ca.key
3) server.crt
4) server.key
5) server-ca.crt

I also have the TLS Static Key separately saved. From what I know, *.key is private and should not be shared. I believe that my router's OpenVPN Server is using UID/Passwd and TLS Key option. The VPN server is running on a domain that I own and also have a valid SSL Certificate for it. My LM 18.3's OpenVPN config screens are as shown below - the first image shows only the UID/Passwd option and the second one shows the UID/Passwd & TLS Key option. I'm confused as to which Certificate to use where.

UID/Passwd Only:
[Image: Password_Only.png]

UID/Passwd & TLS Key:
[Image: Password_and_TLS-Key.png]

Please note that I'm able to successfully connect to OpenVPN Server on my router from iOS OpenVPN Client. My problem is that I'm unable to connect from OpenVPN Client on my LM 18.3 laptop.

Post by Pippin » Wed Dec 27, 2017 4:03 pm

Hi,

StarWars wrote: When I exported from Control Panel > Services > Certificate

That's not meant for OpenVPN, export for the OpenVPN client(s) is done in VPN Server package > OpenVPN.

The idea was to designate the standard Synology certificate to be used for OpenVPN only, keeping Comodo for your domain.
Then re-export the OpenVPN client config (in VPN Server) which then contains the Synology certificates.

Please read here a similar case:
https://forum.synology.com/enu/viewtopi ... 9&p=504309

Post by phd21 » Wed Dec 27, 2017 8:28 pm

Hi "StarWars",

I just read your post and the good replies to it. Here are my thoughts on this as well.

- You could try updating the Linux Mint OpenVPN client software using the instructions from the link below. I had trouble connecting to certain OpenVPN connections unless the OpenVPN client was 2.4 or higher.
- Then, Remove or Delete any current VPN connections for your server from the Network Manager, then "import VPN" using your OpenVPN file (.ovpn).
viewtopic.php?f=157&t=242583&hilit=openvpn

- Couldn't your daughter use the free "vpngate" servers to access the internet and websites which people from all over the world do every day? You can even setup your own vpngate server with the OpenVPN protocol, if you wanted to.
vpngate
http://www.vpngate.net/en/

There is a wonderful and easy to use vpngate client called "VPNGate With Proxy" which I use frequently. It is pretty easy to use Linux Mint's Network Manager to import a vpn server whether it is yours, one of the many vpngate servers, or some other VPN provider's servers, but the console terminal application below is simple to install and use.

Easily use free vpns from vpn gate in linux with these 2 tools, Updated: February 14, 2017
http://www.webupd8.org/2017/02/easily-u ... m-vpn.html


Hope this helps ...
Phd21: Mint KDE 17.3 & 18.3, 64-bit Awesome OS, Ancient Dell OptiPlex 780 Core2Duo E8400 3GHz,4gb Ram,256gb SDD, Video: Intel 4 Graphics, DVD Lightscribe. Why I use KDE?:https://opensource.com/life/15/4/9-reasons-to-use-kde

Post by StarWars » Thu Dec 28, 2017 11:32 am

@phd21: Thanks a lot for your response! Within a few mins I was able to install the vpngate in my LM 18.3 and was up and running with VPN connection.

I need to spend some more time to make VPN Client on LM 18.3 to work with the Open VPN Server in my Synology router. I'll come back and post the steps once I fix mine.

@pippin: Once I import Comodo SSL Cert, Synology's cert is overwritten; hence, when I export Open VPN config, it actually exports the CA cert of Comodo SSL.

Post by phd21 » Thu Dec 28, 2017 12:30 pm

Hi "StarWars",

You are welcome...

"VPNGate With Proxy" is an excellent application...

It is still a good idea to update the "OpenVPN" client software.

Keep us posted on your progress ...
