ru.linux.chainik
From: Alexander Suvorov (2:5030/722.68), Date written: 2018-05-23 17:28:18
To: Sergey Anohin (0:0/0.0), Date arrived: 2018-05-23 18:10:27
Subj: OpenSSL error....certificate verify failed
Greetings, Sergey!

23 May 18 14:12, Sergey Anohin wrote to Alexander Suvorov:
AS>> I can't connect a Raspberry Pi to my home OpenVPN server, while
AS>> the Android client connects to it and works without any
AS>> problems or complaints. But when I try to connect with the Pi I get..
SA> Show the server config

=== Cut ===
dev tun
proto udp
port 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OPenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 0.0.0.0 "
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
remote-cert-tls client
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
log /var/log/openvpn.log
verb 1
# Generated for use by PiVPN.io
=== Cut ===

SA> and the client's,

=== Cut ===
client
dev tun
proto udp
remote evilblade.at-home.me 1194
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_B7VSFLNx0bOOADvh name
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 1
<ca>
-----BEGIN CERTIFICATE-----
MIIFDzCCA
[.....]
59BV
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIF
[.....]
pRu84=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvw
[.....]
KeCVpkw==
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
8571ca
[.....]
f6668f
-----END OpenVPN Static key V1-----
</tls-auth>
=== Cut ===
SA> and anyway, it's all written right there in your logs,

=== Cut ===
Wed May 23 16:10:08 2018 WARNING: file '/etc/openvpn/easy-rsa/pki/ta.key' is
group or others accessible
Wed May 23 16:10:08 2018 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL
(OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18
2017
Wed May 23 16:10:08 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO
2.08
Wed May 23 16:10:08 2018 TUN/TAP device tun0 opened
Wed May 23 16:10:08 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed May 23 16:10:08 2018 /sbin/ip link set dev tun0 up mtu 1500
Wed May 23 16:10:08 2018 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast
10.8.0.255
Wed May 23 16:10:08 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed May 23 16:10:08 2018 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed May 23 16:10:08 2018 UDPv4 link remote: [AF_UNSPEC]
Wed May 23 16:10:08 2018 GID set to nogroup
Wed May 23 16:10:08 2018 UID set to nobody
Wed May 23 16:10:08 2018 Initialization Sequence Completed
Wed May 23 16:13:31 2018 188.162.64.135:35170 TLS Error: TLS key negotiation
failed to occur within 60 seconds (check your network connectivity)
Wed May 23 16:13:31 2018 188.162.64.135:35170 TLS Error: TLS handshake failed
Wed May 23 16:13:34 2018 188.162.64.135:2792 TLS Error: TLS key negotiation
failed to occur within 60 seconds (check your network connectivity)
Wed May 23 16:13:34 2018 188.162.64.135:2792 TLS Error: TLS handshake failed
Wed May 23 16:15:24 2018 94.25.229.173:38185 TLS Error: TLS key negotiation
failed to occur within 60 seconds (check your network connectivity)
Wed May 23 16:15:24 2018 94.25.229.173:38185 TLS Error: TLS handshake failed
=== Cut ===

SA> perhaps you have it set up with TLS auth?
Umm.. well, apparently yes.. Is that the problem? Then how do I do it _without_ it?

SA> Mine is something like this:
SA> tls-auth ../keys/ta.key 1
That's TLS auth too, isn't it?..

SA> There can be a real hassle with the algorithms if the openvpn versions are ancient
Not really, I regularly update everything everywhere.

Best regards, Alexander.

--- Line -- of pattern -- break ---
* Origin: https://www.linuxcounter.net/user/495771 (2:5030/722.68)
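
As an added example (not part of the original message and not OpenVPN's own code), a small Python check of directives that the server and client configs posted above have to agree on: `proto`, `cipher`, `auth`, `comp-lzo`, and the `tls-auth` key direction the thread asks about. The function names, the choice of directives and the abridged sample configs are assumptions made for illustration.

```python
# Added example (not from the thread): cross-check directives that an OpenVPN
# server and client must agree on. Samples are abridged from the posted configs.
SERVER = """proto udp
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
"""
CLIENT = """proto udp
key-direction 1
cipher AES-256-CBC
auth SHA256
comp-lzo
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
"""

def parse(text):
    """Map directive -> argument list; the body of an inline <tag> block is skipped."""
    conf, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                                   # inside <tag> ... </tag>
            inline = None if line == f"</{inline}>" else inline
        elif line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]                      # e.g. <tls-auth>, <ca>
            conf.setdefault(inline, [])
        elif line and line[0] not in "#;":           # skip blanks and comments
            name, *args = line.split()
            conf[name] = args
    return conf

def key_direction(conf):
    """Direction from 'tls-auth <file> <dir>' or, for inline keys, 'key-direction'."""
    args = conf.get("tls-auth", [])
    return args[1] if len(args) > 1 else conf.get("key-direction", [None])[0]

def mismatches(server_text, client_text):
    """Return the names of checked directives on which the two configs disagree."""
    s, c = parse(server_text), parse(client_text)
    bad = [d for d in ("proto", "cipher", "auth", "comp-lzo") if s.get(d) != c.get(d)]
    if ("tls-auth" in s) != ("tls-auth" in c):
        bad.append("tls-auth")                       # only one side uses an HMAC key
    elif {key_direction(s), key_direction(c)} not in ({"0", "1"}, {None}):
        bad.append("key-direction")                  # must be 0 and 1, or omitted on both
    return bad
```

For the two configs in the thread `mismatches(SERVER, CLIENT)` returns an empty list: direction `0` on the server and `key-direction 1` on the client are complementary, and the other checked directives are identical.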