OpenVPN Client on LM 18.3 Fails to Connect To OpenVPN Server


Post by StarWars »

Hello All:

Though I have been using LM for the past few years, this is my first post!

I run OpenVPN Server on my home router which is also a flavour of Linux. Please see below ...

Code:

SynologyRouter> openvpn
OpenVPN 2.3.11 armle-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep 14 2017

SynologyRouter> cat /proc/version
Linux version 3.4.103 (root@build3) (gcc version 4.9.3 20150311 (prerelease) (crosstool-NG 1.20.0) ) #6542 SMP Wed Nov 8 14:40:09 CST 2017

I have exported the details & certificates from the OVPN Server and have been able to import them into the OpenVPN Client on iOS 11.x and use it quite extensively - no problems at all. The exported certificate - "VPNConfig.ovpn" file has the connection details, CA cert and TLS Key only. I have tried to import the same in LM 18.3 as below:

Network Setting > "+" > Import from file > Entered UserID > Entered Password

When I try to start the VPN from the Network Settings, the following is what I see in /var/log/syslog file.

Code:

Dec 26 23:13:47 MintLinux183 NetworkManager[864]: nm-openvpn-Message: openvpn[10357] started
Dec 26 23:13:47 MintLinux183 nm-openvpn[10357]: OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
Dec 26 23:13:47 MintLinux183 nm-openvpn[10357]: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Dec 26 23:13:48 MintLinux183 nm-openvpn[10357]: WARNING: No server certificate verification method has been enabled.
Dec 26 23:13:48 MintLinux183 nm-openvpn[10357]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 26 23:13:48 MintLinux183 nm-openvpn[10357]: Control Channel Authentication: using '/home/testusr/.cert/nm-openvpn/VPNConfig-tls-auth.pem' as a OpenVPN static key file
Dec 26 23:13:49 MintLinux183 nm-openvpn[10357]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
Dec 26 23:13:49 MintLinux183 nm-openvpn[10357]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Dec 26 23:13:49 MintLinux183 nm-openvpn[10357]: UDPv4 link local: [undef]
Dec 26 23:13:49 MintLinux183 nm-openvpn[10357]: UDPv4 link remote: [AF_INET] XXX.YYY.AAA.BBB:443
Dec 26 23:13:50 MintLinux183 nm-openvpn[10357]: VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Dec 26 23:13:50 MintLinux183 nm-openvpn[10357]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Dec 26 23:13:50 MintLinux183 nm-openvpn[10357]: TLS Error: TLS object -> incoming plaintext read error
Dec 26 23:13:50 MintLinux183 nm-openvpn[10357]:TLS Error: TLS handshake failed
Dec 26 23:13:50 MintLinux183 nm-openvpn[10357]: SIGUSR1[soft,tls-error] received, process restarting

The same details & cert import in iOS OpenVPN client works flawlessly. Any pointers on how to fix this will be of great help ... I'm trying to set up a laptop with LM 18.3 and OpenVPN for my daughter who needs to use VPN to connect to sites not permitted in China.
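
Added example (not part of the original post, and not code from OpenVPN or NetworkManager): a Python triage of the certificate-related lines in the syslog excerpt above. In OpenSSL's terms, "unable to get issuer certificate" at depth=1 means the depth-1 certificate was found in the client's CA bundle but its own issuer was not, and the earlier WARNING means the client config names no check that the peer is the intended server. The function name, finding fields and hint wording are assumptions of this example; the sample lines are constructed from the format shown in the post.

```python
import re

# Constructed sample: lines in the nm-openvpn syslog format shown in the post above.
SAMPLE_LOG = """\
Dec 26 23:13:48 MintLinux183 nm-openvpn[10357]: WARNING: No server certificate verification method has been enabled.
Dec 26 23:13:50 MintLinux183 nm-openvpn[10357]: VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Dec 26 23:13:50 MintLinux183 nm-openvpn[10357]: TLS Error: TLS handshake failed
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (?:nm-)?openvpn\[(\d+)\]:\s*(.*)$")
VERIFY = re.compile(r"^VERIFY ERROR: depth=(\d+), error=([^:]+): (.+)$")

# What OpenSSL means by the chain-building errors that OpenVPN relays (hint text is illustrative).
CHAIN_HINTS = {
    "unable to get issuer certificate":
        "this certificate is in the client's CA bundle but its issuer is not; "
        "add the chain up to the self-signed root",
    "unable to get local issuer certificate":
        "nothing in the client's CA bundle issued this certificate",
    "self signed certificate in certificate chain":
        "the chain ends in a root that the client's CA bundle does not contain",
}
NO_CHECK_HINT = ("no remote-cert-tls / verify-x509-name in the client config: "
                 "any certificate issued by the trusted CA is accepted as the server")


def triage(log_text):
    """Return one finding (dict) per certificate-related line in an OpenVPN syslog excerpt."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a line written by the openvpn process
        pid, msg = int(m.group(1)), m.group(2)
        v = VERIFY.match(msg)
        if v:
            err = v.group(2).strip()
            # Split the subject DN ("C=GB, ST=..., CN=...") into its fields.
            fields = dict(p.split("=", 1) for p in v.group(3).split(", ") if "=" in p)
            findings.append({"pid": pid, "kind": "chain", "depth": int(v.group(1)),
                             "error": err, "cn": fields.get("CN"),
                             "hint": CHAIN_HINTS.get(err, "see the OpenSSL verify error list")})
        elif msg.startswith("WARNING: No server certificate verification method"):
            findings.append({"pid": pid, "kind": "no-server-check", "hint": NO_CHECK_HINT})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The "no-server-check" finding matters more than usual when the trusted CA is a public one, since that CA issues certificates to many unrelated parties.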

Post by Pippin »

If I'm not mistaken, on your router you can choose which certificate to use for OpenVPN; choose the Synology one and try again.

Post by StarWars »

Pippin wrote: If I'm not mistaken, on your router you can choose which certificate to use for OpenVPN, choose the Synology one and try again.

Actually there's no option to choose in my router. In fact, different VPNs are placed in separate "Tabs" and hence their export is based on which tab you are in. Please see the screenshot in the link below.

https://imgur.com/a/zja2c
The exported certificate - "VPNConfig.ovpn" file has the connection details, CA cert and TLS Static Key only.

Post by Pippin »

Have you looked in Control Panel > Services > Certificate?
Maybe there is an option to select which certificate must be used for OpenVPN...
If so then select it and re-export OpenVPN's client config.

I vaguely remember Comodo not working for VPN.

Post by StarWars »

@Pippin: Thanks for your hints ....

When I exported from Control Panel > Services > Certificate in my Synology Router, it saves a zip file containing the following files:

1) ca.crt
2) ca.key
3) server.crt
4) server.key
5) server-ca.crt

I also have the TLS Static Key separately saved. From what I know, *.key is private and should not be shared. I believe that my router's OpenVPN Server is using UID/Passwd and TLS Key option. The VPN server is running on a domain that I own and also have a valid SSL Certificate for it. My LM 18.3's OpenVPN config screens are as shown below - first image shows only UID/Passwd option and the second one shows UID/Passwd & TLS Key option. I'm confused as to which Certificate to use where.

[Screenshot: UID/Passwd Only (Password_Only.png)]
[Screenshot: UID/Passwd & TLS Key (Password_and_TLS-Key.png)]

Please note that I'm able to successfully connect to OpenVPN Server on my router from iOS OpenVPN Client. My problem is that I'm unable to connect from OpenVPN Client on my LM 18.3 laptop.

Post by Pippin »

Hi,

"When I exported from Control Panel > Services > Certificate"
That's not meant for OpenVPN; export for the OpenVPN client(s) is done in VPN Server package > OpenVPN.

The idea was to designate the standard Synology certificate to be used for OpenVPN only, keeping Comodo for your domain.
Then re-export the OpenVPN client config (in VPN Server) which then contains the Synology certificates.

Please read here a similar case:
https://forum.synology.com/enu/viewtopi ... 9&p=504309

Post by phd21 »

Hi "StarWars",

I just read your post and the good replies to it. Here are my thoughts on this as well.

- You could try updating the Linux Mint OpenVPN client software using the instructions from the link below. I had trouble connecting to certain OpenVPN connections unless the OpenVPN client was 2.4 or higher.
- Then remove or delete any current VPN connections for your server from the Network Manager, then "import VPN" using your OpenVPN file (.ovpn).
viewtopic.php?f=157&t=242583&hilit=openvpn

- Couldn't your daughter use the free "vpngate" servers to access the internet and websites which people from all over the world do every day? You can even set up your own vpngate server with the OpenVPN protocol, if you wanted to.
vpngate
http://www.vpngate.net/en/

There is a wonderful and easy to use vpngate client called "VPNGate With Proxy" which I use frequently. It is pretty easy to use Linux Mint's Network Manager to import a vpn server whether it is yours, one of the many vpngate servers, or some other VPN provider's servers, but the console terminal application below is simple to install and use.

Easily use free vpns from vpn gate in linux with these 2 tools, Updated: February 14, 2017
http://www.webupd8.org/2017/02/easily-u ... m-vpn.html


Hope this helps ...

Post by StarWars »

@phd21: Thanks a lot for your response! Within a few mins I was able to install the vpngate in my LM 18.3 and was up and running with VPN connection.

I need to spend some more time to make the VPN Client on LM 18.3 work with the Open VPN Server in my Synology router. I'll come back and post the steps once I fix mine.

@pippin: Once I import Comodo SSL Cert, Synology's cert is overwritten; hence, when I export Open VPN config, it actually exports the CA cert of Comodo SSL.

Post by phd21 »

Hi "StarWars",

You are welcome...

"VPNGate With Proxy" is an excellent application...

It is still a good idea to update the "OpenVPN" client software.

Keep us posted on your progress ...