Someone was able to set up openvpn client?,
The configuration it's working on tomato:
imgur.com/2gFtabz
imgur.com/OWAfQrg
imgur.com/lGmrACP
Files from OpenVPN Server:
Intelliholding-Aguilucho.ovpn:
client
resolv-retry 20
keepalive 10 60
nobind
mute-replay-warnings
ns-cert-type server
comp-lzo
max-routes 500
verb 1
persist-key
persist-tun
explicit-exit-notify 1
dev tun
proto udp
port 1194
cipher AES-128-CBC
cert keys/Intelliholding-Aguilucho-epizarro.crt
key keys/Intelliholding-Aguilucho-epizarro.key
ca keys/Intelliholding-Aguilucho-epizarro-ca.crt
remote xxx.xxx.xxx.xxx 1194 # public address
remote xxx.xxx.xxx.xxx 1194 # static WAN 1Intelliholding-Aguilucho-epizarro.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 848396178 (0x32917f92)
Signature Algorithm: md5WithRSAEncryption
Issuer: CN=certificateAuthority, C=CO, ST=ST, L=L, O=O, OU=OU/dnQualifier=certificateAuthority
Validity
Not Before: Feb 9 21:47:00 2015 GMT
Not After : Feb 6 21:47:00 2025 GMT
Subject: C=CO, ST=ST, O=O, OU=OU, CN=epizarro/dnQualifier=client-epizarro
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:cb:08:75:9a:5c:3b:ae:2a:c0:ec:75:06:38:2b:
97:22:a2:68:b1:cb:a3:e2:69:f0:37:76:af:da:f9:
88:ec:8a:23:e6:c7:91:ef:8e:6c:4d:ab:87:4b:3d:
9d:9f:25:8a:a9:68:ee:8f:1d:1f:4e:21:66:6f:59:
02:af:81:30:d8:8a:c2:cc:b4:6d:0f:81:49:7b:74:
64:45:a2:ca:56:0c:78:14:e4:1a:24:0b:59:92:08:
5c:6c:08:a9:9d:15:59:ed:0f:de:4a:7c:a9:c4:79:
dd:21:3e:95:e1:48:e4:db:35:b1:c4:43:79:d2:29:
62:ba:b0:82:3b:68:76:65:cb:4f:73:59:5d:54:a9:
ce:12:b8:b3:d3:c0:aa:b0:e0:c6:c6:e3:73:28:e3:
b9:2b:65:e8:f6:93:ed:9d:96:f6:6d:6f:32:8b:03:
e3:42:13:43:9c:ce:1f:48:ec:0d:8b:32:2a:cb:71:
b4:9e:df:1b:9b:25:08:58:52:44:2b:bb:5a:92:81:
b0:74:66:78:4c:0e:5f:b8:1d:b1:a2:4a:df:34:89:
bb:2d:ad:c7:fa:c2:19:88:c0:2d:8a:50:95:9f:9b:
52:ae:b2:71:5a:4f:6d:d5:bd:a9:02:fd:95:4f:0a:
2d:bf:57:0a:0a:6d:0b:62:6f:b0:54:46:0b:9f:b2:
89:5b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BF:77:04:00:5E:08:CB:D4:71:F0:FB:76:2A:16:98:91:DF:80:B6:E0
X509v3 Authority Key Identifier:
keyid:8B:25:67:35:59:BD:88:D6:0A:76:38:4F:B1:64:0B:F6:C5:83:92:80
DirName:/CN=certificateAuthority/C=CO/ST=ST/L=L/O=O/OU=OU/dnQualifier=certificateAuthority
serial:BB:C9:7E:07:73:5D:2F:37
Signature Algorithm: md5WithRSAEncryption
64:6e:8f:b2:5e:f7:67:61:9c:c0:51:18:e0:62:0c:e6:86:c7:
0c:2e:63:07:bf:70:24:af:f0:17:3e:49:25:e4:b5:2b:1d:ac:
b3:7b:16:e6:1e:c2:42:62:46:09:08:1c:62:97:e9:2f:d7:1a:
8e:c9:e7:e3:78:f7:a7:b2:ca:d6:42:b4:16:75:5d:21:d9:e1:
61:43:29:d3:94:5e:00:0e:52:e2:44:5a:32:69:da:e9:7b:4f:
12:2d:7c:ce:a6:29:67:76:0f:4e:3e:c1:b9:58:ef:b9:45:f1:
88:d7:e5:45:0c:12:86:3f:86:19:cf:d4:e9:10:11:71:7d:8d:
49:bc:63:0f:d5:6a:3b:40:46:b3:7d:9a:93:62:1f:7d:c8:84:
7b:52:b6:26:1e:18:4a:e1:e2:1e:44:c5:de:86:78:16:ea:2c:
03:86:61:19:0c:4b:52:1a:47:50:b2:35:a3:0c:02:bb:f9:cc:
85:01:05:10:4f:9d:69:cd:bc:16:36:9c:ab:7d:e0:73:43:cb:
2c:16:75:75:a0:0e:a3:5c:ac:92:ee:c6:c9:a4:03:0c:cd:62:
d4:3e:ac:35:07:2a:32:93:88:d5:3e:b4:fe:c9:c8:60:0b:e7:
5a:b4:fe:ff:54:b7:c7:6b:47:86:0d:0b:b3:6e:f1:6b:3e:68:
bd:97:00:e8
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----From Intelliholding-Aguilucho-epizarro.crt, I trunk all except certificate (2nd attemp):
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----Intelliholding-Aguilucho-epizarro.key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----Intelliholding-Aguilucho-epizarro-ca.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----Logs from LEDE build
Mon Jun 5 13:25:14 2017 daemon.err openvpn(CostaBrothers)[13235]: OpenSSL: error:14090086:lib(20):func(144):reason(134)
Mon Jun 5 13:25:14 2017 daemon.err openvpn(CostaBrothers)[13235]: TLS_ERROR: BIO read tls_read_plaintext error
Mon Jun 5 13:25:14 2017 daemon.err openvpn(CostaBrothers)[13235]: TLS Error: TLS object -> incoming plaintext read error
Mon Jun 5 13:25:14 2017 daemon.err openvpn(CostaBrothers)[13235]: TLS Error: TLS handshake failed
Mon Jun 5 13:25:14 2017 daemon.notice openvpn(CostaBrothers)[13235]: SIGUSR1[soft,tls-error] received, process restarting
Mon Jun 5 13:25:14 2017 daemon.notice openvpn(CostaBrothers)[13235]: Restart pause, 5 second(s)
Mon Jun 5 13:25:19 2017 daemon.notice openvpn(CostaBrothers)[13235]: TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Jun 5 13:25:19 2017 daemon.notice openvpn(CostaBrothers)[13235]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Jun 5 13:25:19 2017 daemon.notice openvpn(CostaBrothers)[13235]: UDP link local: (not bound)
Mon Jun 5 13:25:19 2017 daemon.notice openvpn(CostaBrothers)[13235]: UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Jun 5 13:25:19 2017 daemon.notice openvpn(CostaBrothers)[13235]: TLS: Initial packet from [AF_INET]200.75.7.65:1194, sid=778c6e0a 64ffb152
Mon Jun 5 13:25:19 2017 daemon.notice openvpn(CostaBrothers)[13235]: VERIFY OK: depth=1, CN=certificateAuthority, C=CO, ST=ST, L=L, O=O, OU=OU, dnQualifier=certificateAuthority
Mon Jun 5 13:25:19 2017 daemon.err openvpn(CostaBrothers)[13235]: Certificate does not have key usage extension
Mon Jun 5 13:25:19 2017 daemon.notice openvpn(CostaBrothers)[13235]: VERIFY KU ERROR
Mon Jun 5 13:25:19 2017 daemon.err openvpn(CostaBrothers)[13235]: OpenSSL: error:14090086:lib(20):func(144):reason(134)
Mon Jun 5 13:25:19 2017 daemon.err openvpn(CostaBrothers)[13235]: TLS_ERROR: BIO read tls_read_plaintext error
Mon Jun 5 13:25:19 2017 daemon.err openvpn(CostaBrothers)[13235]: TLS Error: TLS object -> incoming plaintext read error
Mon Jun 5 13:25:19 2017 daemon.err openvpn(CostaBrothers)[13235]: TLS Error: TLS handshake failed
Mon Jun 5 13:25:19 2017 daemon.notice openvpn(CostaBrothers)[13235]: SIGUSR1[soft,tls-error] received, process restarting
Mon Jun 5 13:25:19 2017 daemon.notice openvpn(CostaBrothers)[13235]: Restart pause, 5 second(s)OpenVPN Conf in my LEDE router:
config openvpn 'CostaBrothers'
option float '1'
option client '1'
option comp_lzo 'yes'
option dev 'tap'
option reneg_sec '0'
option verb '3'
option persist_key '1'
option nobind '1'
list remote 'xxx.xxx.xxx.xxx'
option key '/etc/luci-uploads/cbid.openvpn.CostaBrothers.key'
option ca '/etc/luci-uploads/cbid.openvpn.CostaBrothers.ca'
option cert '/etc/luci-uploads/cbid.openvpn.CostaBrothers.cert'
option cipher 'AES-128-CBC'
option ns_cert_type 'server'
option proto 'udp'
option resolv_retry '20'
option keepalive '10 60'
option explicit_exit_notify '1'UPDATE
The certificates are MD5 based as they are not changed on upgrade to prevent breaking existing VPNs. So I need to allow MD5 certs in LEDE openssl config.
There is a similar issue (maybe the same) with REHL Distros but you can enable:
Environment="OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5"