OpenVPN failing on self-signed certificate over udp, works over tcp

ssl-certificate udp openvpn

I have the following server.conf:

# OpenVPN 2.x config

proto tcp

port 1194
dev tun-vpn
dev-type tun

server 10.8.0.0 255.255.0.0
push "route 172.16.0.0 255.255.0.0"
push "dhcp-option DOMAIN mydom.com"
push "dhcp-option DNS 172.16.1.1"

# Certificates
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
tls-server

# Diffie hellman parameters
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

# Connection settings
comp-lzo
ping 10
ping-restart 120

# Server security
persist-key
persist-tun
user nobody
group nogroup

# Logging
status openvpn-status.log
verb 4
mute 10

And the following client config:

# OpenVPN 2.x client config
client

dev tun

proto tcp

remote vpn.mydom.com 1194

resolv-retry infinite

nobind

persist-key
persist-tun

mute-replay-warnings

ca ca.crt
cert michaelc.crt
key michaelc.key

#ns-cert-type server

comp-lzo
ping 10
ping-restart 60

verb 3

These configurations work fine, but if I want to use UDP instead of TCP, I get the following log:

Thu May 24 22:30:16 2012 UDPv4 link local: [undef]
Thu May 24 22:30:16 2012 UDPv4 link remote: [AF_INET]x.x.x.x:1194
Thu May 24 22:30:16 2012 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=e63bd705 392de807
Thu May 24 22:30:16 2012 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=NL/ST=Zuid_Holland/L=_s-Gravendeel/O=Visser__s-Gravendeel_Holding_B.V./CN=Visser__s-Gravendeel_Holding_B.V._CA/[email protected]
Thu May 24 22:30:16 2012 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Thu May 24 22:30:16 2012 TLS Error: TLS object -> incoming plaintext read error
Thu May 24 22:30:16 2012 TLS Error: TLS handshake failed
Thu May 24 22:30:16 2012 TCP/UDP: Closing socket
Thu May 24 22:30:16 2012 SIGUSR1[soft,tls-error] received, process restarting
Thu May 24 22:30:16 2012 Restart pause, 2 second(s)

I have verified the certificates against the ca.crt, and both server.crt and michaelc.crt are valid certificates signed with ca.crt.

Also, because they work over TCP, my assumption would be that the certificates are perfectly valid. I can imagine the connection being bad (although it's DSL on one end and business fiber on the other end), but is this fixable? I also tried generating new certificates (both CA, server and client), but that gives the exact same error. I hope someone can give me any hints.


Solution 1:

Fortunately I figured out the issue, unfortunately it was my own mistake. A short while ago I was testing VPN over UDP on another server and thus had UDP connections on port 1194 redirected to the other server. The other server still had OpenVPN running, with a very similar certificate. So in fact, the error was correct, and was caused by connection to a different server when connecting using UDP. Although I feel stupid about making this mistake, I'm glad I actually figured out what went wrong.

Related

How to make a variable in a parameterized Puppet class default to the value of another parameter?
Clearing Java certificates cache (force reload certificates)
What is the most efficient way to backup a directory full of large database backup files?
Nginx worker_processes and multi core cpu's - Do Hyper-threading cores count?
NRPE and Perl - cannot include ANYTHING or it breaks
Troubleshooting Website problems within the local network
Logrotation - postrotate firing too soon?
Puppet - Restart a service in a different class
Reconnect to server using offline files
Fault Tolerance with 2 HP ProCurve 2824 Switches
NetApp NAS: How to enable encryption?
Windows 7 unattended install and disk/partition wiping