In the Windows PC the OpenVPN GUI worked with the VPNBook
English is not my first language
Problem OpenVPN Client Side:
Mon Dec 30 17:36:55 2019 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Mon Dec 30 17:36:55 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Dec 30 17:36:55 2019 library versions: OpenSSL 1.1.0l 10 Sep 2019, LZO 2.10
Enter Management Password:
Mon Dec 30 17:36:55 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Dec 30 17:36:55 2019 Need hold release from management interface, waiting...
Mon Dec 30 17:36:55 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Dec 30 17:36:55 2019 MANAGEMENT: CMD 'state on'
Mon Dec 30 17:36:55 2019 MANAGEMENT: CMD 'log all on'
Mon Dec 30 17:36:55 2019 MANAGEMENT: CMD 'echo all on'
Mon Dec 30 17:36:55 2019 MANAGEMENT: CMD 'bytecount 5'
Mon Dec 30 17:36:55 2019 MANAGEMENT: CMD 'hold off'
Mon Dec 30 17:36:55 2019 MANAGEMENT: CMD 'hold release'
Mon Dec 30 17:37:07 2019 MANAGEMENT: CMD 'password [...]'
Mon Dec 30 17:37:07 2019 MANAGEMENT: Client disconnected
Mon Dec 30 17:37:07 2019 Insufficient key material or header text not found in file '[[INLINE]]' (0/128/256 bytes found/min/max)
Mon Dec 30 17:37:07 2019 Exiting due to fatal error
Doubts
How can I test if OpenVPN (Server Side) is working fine?
Sorry @ulmwind if I ask stupid questions, I know almost nothing about OpenVPN... For the setup I just followed the steps in the guidance... Are you talking about the "client.ovpn"?
Yes, it looks like the core of this problem is that something about the server certificates is garbled and unusable. I usually put them in files rather than inline in the config file.
Your client is configured with an encrypted private key; this requires the additional step to prompt the user for the passphrase needed to decrypt the key.
I would think you could have two instances of OpenVPN on a router, one the server and one a client, to see if you can at least auth with yourself.
So I need to create 3 files in the same directory of client.ovpn:
ca ca.crt
cert client.crt
key client.key
Am I correct?
So now my new Client.ovpn is like this:
verb 3
dev tun
nobind
client
remote XXX.XXX.XXX.XXX 1194 udp
auth-nocache
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
I tried but the result was:
Mon Dec 30 20:57:52 2019 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Mon Dec 30 20:57:52 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Dec 30 20:57:52 2019 library versions: OpenSSL 1.1.0l 10 Sep 2019, LZO 2.10
Enter Management Password:
Mon Dec 30 20:57:52 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Dec 30 20:57:52 2019 Need hold release from management interface, waiting...
Mon Dec 30 20:57:53 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Dec 30 20:57:53 2019 MANAGEMENT: CMD 'state on'
Mon Dec 30 20:57:53 2019 MANAGEMENT: CMD 'log all on'
Mon Dec 30 20:57:53 2019 MANAGEMENT: CMD 'echo all on'
Mon Dec 30 20:57:53 2019 MANAGEMENT: CMD 'bytecount 5'
Mon Dec 30 20:57:53 2019 MANAGEMENT: CMD 'hold off'
Mon Dec 30 20:57:53 2019 MANAGEMENT: CMD 'hold release'
Mon Dec 30 20:57:53 2019 MANAGEMENT: Client disconnected
Mon Dec 30 20:57:53 2019 Insufficient key material or header text not found in file '[[INLINE]]' (0/128/256 bytes found/min/max)
Mon Dec 30 20:57:53 2019 Exiting due to fatal error
One thing that I noticed is that now it is not asking for the password...
Put the full path to each certificate file on its line in the ovpn file.
Why is it still looking for [INLINE] after you took the inline certs out? Are you sure it is running the config file you think it is? Make sure there are no stray .conf files in the openvpn directory because OpenVPN will try to parse them.
Yes, it is stored like that. The generation phase produces a random key that needs to be loaded into the server and deployed to all the clients that use that server.
The TLS-crypt is an optional additional layer of encryption on top of everything else. If the server is configured not to use it, the client would not use it either.
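Added example (not part of the thread and not OpenVPN's own code): the fatal log line reports 0 bytes found against a 128 to 256 byte requirement, which is the check OpenVPN applies to a static key block such as the tls-crypt key discussed above. The Python below applies the same header-and-length check to the inline `<tls-crypt>`, `<tls-auth>` and `<secret>` blocks of a config; the function names and the sample configs are constructed for illustration.

```python
import re

# Header/footer of the OpenVPN static key format used by tls-crypt, tls-auth and secret.
HEAD = "-----BEGIN OpenVPN Static key V1-----"
FOOT = "-----END OpenVPN Static key V1-----"
MIN_BYTES, MAX_BYTES = 128, 256   # the min/max printed in "(0/128/256 bytes found/min/max)"
STATIC_KEY_TAGS = ("tls-crypt", "tls-auth", "secret")

def static_key_bytes(block):
    """Bytes of hex key material after the header; 0 when the header is absent."""
    if HEAD not in block:
        return 0
    body = block.split(HEAD, 1)[1].split(FOOT, 1)[0]
    digits = "".join(body.split())           # drop line breaks and spaces
    if not re.fullmatch(r"[0-9a-fA-F]*", digits):
        return 0                             # non-hex text where key material should be
    return min(len(digits) // 2, MAX_BYTES)

def check_inline_static_keys(config_text):
    """Return [(tag, bytes_found, usable)] for every inline static-key block."""
    results = []
    for tag in STATIC_KEY_TAGS:
        for m in re.finditer(rf"(?ms)^<{tag}>(.*?)^</{tag}>", config_text):
            found = static_key_bytes(m.group(1))
            results.append((tag, found, found >= MIN_BYTES))
    return results

# Constructed sample configs (not taken from the thread).
_KEY_LINES = "\n".join("0123456789abcdef" * 2 for _ in range(16))  # 16 lines x 16 bytes
GOOD = f"client\ndev tun\n<tls-crypt>\n{HEAD}\n{_KEY_LINES}\n{FOOT}\n</tls-crypt>\n"
# A certificate pasted where the static key belongs: header text not found.
BAD = ("client\ndev tun\n<tls-crypt>\n-----BEGIN CERTIFICATE-----\n"
       "MIIB...\n-----END CERTIFICATE-----\n</tls-crypt>\n")
# A config that only references files has no inline static-key block to check.
FILES_ONLY = "client\ndev tun\nca ca.crt\ncert client.crt\nkey client.key\n"

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad", BAD), ("files-only", FILES_ONLY)):
        print(name, check_inline_static_keys(text))
```

An empty result for a config means it contains no inline static-key block, so an error naming `[[INLINE]]` would have to come from a different config file than the one checked.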