I am now having an issue with the VPN client. I uploaded my configuration to the OpenWRT router and I am getting the following:
Sun Jan 28 09:33:03 2024 daemon.err openvpn(FW01)[22380]: VERIFY ERROR: depth=1, error=self-signed certificate in certificate chain: CN=internal-ca, C=IT, ST=State, L=Town, O=ORGANISATION, OU=Unit, serial=11111111111111
Sun Jan 28 09:33:03 2024 daemon.err openvpn(FW01)[22380]: OpenSSL: error:0A000086:SSL routines::certificate verify failed
the following is the VPN configuration:
# cat FW01.ovpn
dev tun0
persist-tun
persist-key
ncp-disable
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote xx.xxx.xxx.xxx yyyy udp4
verify-x509-name "OpenVPN Cert" name
remote-cert-tls server
passtos
explicit-exit-notify
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
If I put the certificates in files, I get:
# openssl rsa -check -noout -in FW01.key.key
RSA key ok
# openssl verify -CAfile FW01.ca.key FW01.cert.key
FW01.cert.key: OK
egc
January 28, 2024, 10:35am
3
It is possible that the keys/certs are not up to the current minimal standard.
You can try adding this to the OpenVPN config (but it is better to redo your keys/certs so they adhere to the current minimal standard, if possible):
tls-cipher DEFAULT:@SECLEVEL=0
Could you please tell me what the current minimal standard is?
egc
January 28, 2024, 2:25pm
5
Nowadays I think the minimum is a 2048-bit key length, but to be sure, look it up.
The private key is already 2048 bits:
# openssl rsa -in FW01.key.key -text -noout
Private-Key: (2048 bit, 2 primes)
And on my Manjaro Linux laptop, the same configuration does not give me any issue.
Is there anything else I can try?
egc
January 29, 2024, 7:27am
7
Have you tried this?
Setting it in the OpenVPN config?
I put that line in /etc/openvpn/FW01.ovpn
and restarted the openvpn service, but it didn't work.
egc
January 29, 2024, 11:00am
9
You can also try this, adding to the openvpn config:
tls-cert-profile insecure
Or redo your certs/keys. All CAs with signature algorithm SHA1 or weaker are rejected by OpenSSL 3.x, in OpenVPN 2.6.
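As an added example (not from this thread, and not OpenWrt's or OpenVPN's own code), the following POSIX shell script does what the thread does by hand: it splits the inline <ca> and <cert> blocks out of an .ovpn file, reports each certificate's signature algorithm and key size, and then re-runs `openssl verify` with `-auth_level 1`. That flag applies the same key and signature strength floor that a TLS handshake at OpenSSL's default security level 1 enforces, which a plain `openssl verify` as run above does not apply. The function names and the throwaway SHA-1 and SHA-256 test CAs the demo builds are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread: inspect the certificates embedded in an
# .ovpn file and verify the chain with OpenSSL's security-level floor applied.
# Function names and the throwaway demo CAs below are this example's own.

# Print the PEM body of an inline block such as <ca>, <cert>, <key> or <tls-auth>.
# Usage: ovpn_block FILE TAG
ovpn_block() {
    awk -v tag="$2" '
        { sub(/\r$/, "") }                   # tolerate CRLF configs
        $0 == ("<" tag ">")  { inside = 1; next }
        $0 == ("</" tag ">") { inside = 0 }
        inside { print }' "$1"
}

# Classify a signature algorithm name the way OpenSSL 3 does at security
# level 1: SHA-1 and MD5 signatures are too weak, everything else passes here.
sig_strength() {
    case "$1" in
        *sha1*|*SHA1*|*md5*|*MD5*) echo weak ;;
        *)                         echo ok ;;
    esac
}

# Signature algorithm of a PEM certificate, e.g. "sha256WithRSAEncryption"
# (the first "Signature Algorithm" line is the one inside the signed body).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | awk -F': *' '/Signature Algorithm/ { print $2; exit }'
}

# Public key size in bits, e.g. 2048, taken from "Public-Key: (2048 bit)".
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Extract CA and client cert from an .ovpn, report them, then verify the chain
# at -auth_level 1 (80-bit floor: RSA >= 1024, no SHA-1/MD5 signatures).
check_ovpn() {
    ovpn=$1
    tmp=$(mktemp -d) || return 1
    ovpn_block "$ovpn" ca   > "$tmp/ca.pem"
    ovpn_block "$ovpn" cert > "$tmp/cert.pem"
    for f in ca cert; do
        alg=$(cert_sig_alg "$tmp/$f.pem")
        bits=$(cert_key_bits "$tmp/$f.pem")
        printf '%-4s  %-28s  %5s-bit key  signature: %s\n' "$f" "$alg" "$bits" "$(sig_strength "$alg")"
    done
    openssl verify -auth_level 1 -CAfile "$tmp/ca.pem" "$tmp/cert.pem"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Demo: build a throwaway CA plus client cert signed with SHA-1, then again with
# SHA-256, wrap each pair in a minimal inline .ovpn and run the check on both.
demo() {
    d=$(mktemp -d) || return 1
    for md in sha1 sha256; do
        echo "== chain signed with $md"
        if ! openssl req -x509 -new -newkey rsa:2048 -nodes -"$md" -days 2 \
                -subj "/CN=demo-ca-$md" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null; then
            echo "   (this OpenSSL build refuses to sign with $md; skipped)"
            continue
        fi
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
            -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null &&
        openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -"$md" -days 2 -out "$d/client.crt" 2>/dev/null || continue
        {
            echo client
            echo '<ca>';   cat "$d/ca.crt";     echo '</ca>'
            echo '<cert>'; cat "$d/client.crt"; echo '</cert>'
        } > "$d/demo.ovpn"
        check_ovpn "$d/demo.ovpn" || echo "   rejected once the security-level floor is applied"
    done
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then
    demo
fi
```

Run it against a real config with `check_ovpn FW01.ovpn` (after sourcing the script, or by replacing the `demo` call). A chain that prints `OK` without `-auth_level 1` but fails with it is exactly the case egc describes: acceptable to `openssl verify`, rejected by the TLS handshake.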
mgazzin
January 29, 2024, 7:02pm
10
No, it does not work.
On my Manjaro Linux laptop I have openssl 3.2.0 and it works fine.
What is the reason?
mgazzin
January 30, 2024, 7:36am
11
I think you are right @egc because I have another VPN config and that one works.
The problem I am having now is the correct routing.
Is this step correct?
I am taking it from:
Where should I put the remote network address?
Following the configuration steps, I have this in my /etc/config/network:
config interface 'vpn'
option proto 'none'
option device 'tun0'
option defaultroute '0'
and this in /etc/config/firewall:
config forwarding
option src 'lan'
option dest 'FW04'
The problem is that routing is using the 10.40.30.0/24 network, but the real address is 192.168.30.0/24.
mgazzin
January 30, 2024, 8:18am
12
Also, tun0 is up but does not have any IP:
mgazzin
January 30, 2024, 11:14am
13
OK, now I have changed from managed to static:
config interface 'vpnFW04'
option proto 'static'
option device 'tun0'
option ipaddr '10.40.30.3'
option netmask '255.255.255.0'
option broadcast '10.40.30.255'
and tun0 is up:
The following is the PBR configuration:
config policy
option name 'FW04'
option dest_addr '192.168.30.0/24'
option interface 'vpnFW04'
option enabled '1'
Routing is still not working.
egc
January 30, 2024, 11:15am
14
I would remove the option defaultroute '0', as you use the openvpn config to set the default route; otherwise it is fine.
I cannot say much about the routing; probably make a new thread for this with all the necessary information.
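As an added illustration of the routing part of the thread (not from the thread, OpenWrt or OpenVPN themselves): the 10.40.30.0/24 route seen above is the tunnel subnet that OpenVPN installs from the server's ifconfig-push, so traffic to the remote LAN 192.168.30.0/24 only goes through tun0 if a route for that prefix is also installed, either pushed by the server or added in the client config. The fragments below assume the server does not push it, let OpenVPN keep managing the address on tun0 (proto 'none', as in the earlier post, without defaultroute '0'), and put tun0 in a firewall zone that lan can forward into. The zone name 'vpn' and the masq/mtu_fix settings are this example's own choices; the addresses and interface names follow the thread.

```conf
# FW04.ovpn (client side), added to the client config shown earlier in the thread.
# Route the remote LAN through the tunnel from the client; drop this line if the
# server already does: push "route 192.168.30.0 255.255.255.0"
route 192.168.30.0 255.255.255.0

# /etc/config/network
# OpenVPN sets the address on tun0 itself (from the server's ifconfig-push), so
# netifd only has to know the device exists. No 'defaultroute' option: OpenVPN
# decides whether the tunnel becomes the default route.
config interface 'vpn'
	option proto 'none'
	option device 'tun0'

# /etc/config/firewall
# A zone for the tunnel and a lan -> vpn forwarding rule. masq/mtu_fix are this
# example's assumption (the usual client-side setup: LAN clients are NATed behind
# the tunnel address and TCP MSS is clamped to the tunnel MTU).
config zone
	option name 'vpn'
	list network 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'vpn'
```

After `/etc/init.d/openvpn restart` and `/etc/init.d/firewall restart`, `ip route show dev tun0` should list both 10.40.30.0/24 and 192.168.30.0/24; if only the tunnel subnet appears, no route for the remote LAN has been installed and a policy that selects the interface cannot make up for it.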
mgazzin
February 4, 2024, 7:04am
15
@egc this was solved by creating another certificate in pfSense. Thanks.
Sorry, I can't change the title to Solved.
system
Closed
February 14, 2024, 7:07am
16
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.