OpenVPN failing on self-signed certificate over udp, works over tcp
I have the following server.conf:
# OpenVPN 2.x config
proto tcp
port 1194
dev tun-vpn
dev-type tun
server 10.8.0.0 255.255.0.0
push "route 172.16.0.0 255.255.0.0"
push "dhcp-option DOMAIN mydom.com"
push "dhcp-option DNS 172.16.1.1"
# Certificates
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
tls-server
# Diffie hellman parameters
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
# Connection settings
comp-lzo
ping 10
ping-restart 120
# Server security
persist-key
persist-tun
user nobody
group nogroup
# Logging
status openvpn-status.log
verb 4
mute 10
And the following client config:
# OpenVPN 2.x client config
client
dev tun
proto tcp
remote vpn.mydom.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert michaelc.crt
key michaelc.key
#ns-cert-type server
comp-lzo
ping 10
ping-restart 60
verb 3
These configurations work fine, but if I want to use UDP instead of TCP, I get the following log:
Thu May 24 22:30:16 2012 UDPv4 link local: [undef]
Thu May 24 22:30:16 2012 UDPv4 link remote: [AF_INET]x.x.x.x:1194
Thu May 24 22:30:16 2012 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=e63bd705 392de807
Thu May 24 22:30:16 2012 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=NL/ST=Zuid_Holland/L=_s-Gravendeel/O=Visser__s-Gravendeel_Holding_B.V./CN=Visser__s-Gravendeel_Holding_B.V._CA/[email protected]
Thu May 24 22:30:16 2012 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Thu May 24 22:30:16 2012 TLS Error: TLS object -> incoming plaintext read error
Thu May 24 22:30:16 2012 TLS Error: TLS handshake failed
Thu May 24 22:30:16 2012 TCP/UDP: Closing socket
Thu May 24 22:30:16 2012 SIGUSR1[soft,tls-error] received, process restarting
Thu May 24 22:30:16 2012 Restart pause, 2 second(s)
I have verified the certificates against the ca.crt, and both server.crt and michaelc.crt are valid certificates signed with ca.crt.
Also, because they work over TCP, my assumption would be that the certificates are perfectly valid. I can imagine the connection being bad (although it's DSL on one end and business fiber on the other end), but is this fixable? I also tried generating new certificates (both CA, server and client), but that gives the exact same error. I hope someone can give me any hints.
Solution 1:
Fortunately I figured out the issue, unfortunately it was my own mistake. A short while ago I was testing VPN over UDP on another server and thus had UDP connections on port 1194 redirected to the other server. The other server still had OpenVPN running, with a very similar certificate. So in fact, the error was correct, and was caused by connection to a different server when connecting using UDP. Although I feel stupid about making this mistake, I'm glad I actually figured out what went wrong.