openvpn WARNING: No server certificate verification method has been enabled

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












8















I tried to install openvpn on debian squeez (server) and connect from my fedora 17 as (client). Here is my configuration:



server configuration



# Server TCP
proto tcp
port 1194
dev tun

# Keys and certificates
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

# Network
# Virtual address of the VPN network
server 192.170.70.0 255.255.255.0
# This line adds the client to the router network server
push "route 192.168.1.0 255.255.255.0"
# Create a route server to the tun interface
#route 192.170.70.0 255.255.255.0

# Security
keepalive 10 120
# type of data encryption
cipher AES-128-CBC
# enabling compression
comp-lzo
# maximum number of clients allowed
max-clients 10
# no user and group specific to the use of the VPN
user nobody
group nogroup

# to make persistent connection
persist-key
persist-tun

# Log of the OpenVPN status
status /var/log/openvpn-status.log

# logs openvpnlog /var/log/openvpn.log
log-append /var/log/openvpn.log

# verbosity
verb 5


client configuration



client
dev tun
proto tcp-client
remote <my server wan IP> 1194
resolv-retry infinite
cipher AES-128-CBC

# Keys
ca ca.crt
cert client.crt
key client.key

# Security
nobind
persist-key
persist-tun
comp-lzo
verb 3


Message from the host client (fedora 17) in the log file /var/log/messages:



Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> Starting VPN service 'openvpn'...
Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 7470
Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN service 'openvpn' appeared; activating connections
Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN plugin state changed: starting (3)
Dec 6 21:56:01 GlobalTIC NetworkManager[691]: <info> VPN connection 'Connexion VPN 1' (Connect) reply received.
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: OpenVPN 2.2.2 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep 5 2012
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]:[COLOR="Red"][U][B] WARNING: No server certificate verification method has been enabled.[/B][/U][/COLOR] See http://openvpn.net/howto.html#mitm for more info.
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]:[COLOR="Red"] WARNING: file '/home/login/client/client.key' is group or others accessible[/COLOR]
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: UDPv4 link local: [undef]
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: UDPv4 link remote: [COLOR="Red"]<my server wan IP>[/COLOR]:1194
Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: [COLOR="Red"]read UDPv4 [ECONNREFUSED]: Connection refused (code=111)[/COLOR]
Dec 6 21:56:03 GlobalTIC nm-openvpn[7472]: [COLOR="Red"]read UDPv4[/COLOR] [ECONNREFUSED]: Connection refused (code=111)
Dec 6 21:56:07 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Dec 6 21:56:15 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Dec 6 21:56:31 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Dec 6 21:56:41 GlobalTIC NetworkManager[691]: <warn> VPN connection 'Connexion VPN 1' (IP Conf[/CODE]


ifconfig on server host(debian):



ifconfig 
eth0 Link encap:Ethernet HWaddr 08:00:27:16:21:ac
inet addr:192.168.1.6 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe16:21ac/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9059 errors:0 dropped:0 overruns:0 frame:0
TX packets:5660 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:919427 (897.8 KiB) TX bytes:1273891 (1.2 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.170.70.1 P-t-P:192.170.70.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)


ifconfig on the client host (fedora 17)



as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 5.5.0.1 netmask 255.255.252.0 destination 5.5.0.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 321 (321.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

as0t1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 5.5.4.1 netmask 255.255.252.0 destination 5.5.4.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 321 (321.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

as0t2: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 5.5.8.1 netmask 255.255.252.0 destination 5.5.8.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 321 (321.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

as0t3: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 5.5.12.1 netmask 255.255.252.0 destination 5.5.12.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 321 (321.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

**p255p1**: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::21d:baff:fe20:b7e6 prefixlen 64 scopeid 0x20<link>
ether 00:1d:ba:20:b7:e6 txqueuelen 1000 (Ethernet)
RX packets 4842070 bytes 3579798184 (3.3 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3996158 bytes 2436442882 (2.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16


p255p1 is label for eth0 interface



and



on the server :



root@hoteserver:/etc/openvpn# tree
.
├── client
│** ├── ca.crt
│** ├── client.conf
│** ├── client.crt
│** ├── client.csr
│** ├── client.key
│** ├── client.ovpn
│*
│**
├── easy-rsa
│** ├── build-ca
│** ├── build-dh
│** ├── build-inter
│** ├── build-key
│** ├── build-key-pass
│** ├── build-key-pkcs12
│** ├── build-key-server
│** ├── build-req
│** ├── build-req-pass
│** ├── clean-all
│** ├── inherit-inter
│** ├── keys
│** │** ├── 01.pem
│** │** ├── 02.pem
│** │** ├── ca.crt
│** │** ├── ca.key
│** │** ├── client.crt
│** │** ├── client.csr
│** │** ├── client.key
│** │** ├── dh1024.pem
│** │** ├── index.txt
│** │** ├── index.txt.attr
│** │** ├── index.txt.attr.old
│** │** ├── index.txt.old
│** │** ├── serial
│** │** ├── serial.old
│** │** ├── server.crt
│** │** ├── server.csr
│** │** └── server.key
│** ├── list-crl
│** ├── Makefile
│** ├── openssl-0.9.6.cnf.gz
│** ├── openssl.cnf
│** ├── pkitool
│** ├── README.gz
│** ├── revoke-full
│** ├── sign-req
│** ├── vars
│** └── whichopensslcnf
├── openvpn.log
├── openvpn-status.log
├── server.conf
└── update-resolv-conf


on the client:



[login@hoteclient openvpn]$ tree 
.
|-- easy-rsa
| |-- 1.0
| | |-- build-ca
| | |-- build-dh
| | |-- build-inter
| | |-- build-key
| | |-- build-key-pass
| | |-- build-key-pkcs12
| | |-- build-key-server
| | |-- build-req
| | |-- build-req-pass
| | |-- clean-all
| | |-- list-crl
| | |-- make-crl
| | |-- openssl.cnf
| | |-- README
| | |-- revoke-crt
| | |-- revoke-full
| | |-- sign-req
| | `-- vars
| `-- 2.0
| |-- build-ca
| |-- build-dh
| |-- build-inter
| |-- build-key
| |-- build-key-pass
| |-- build-key-pkcs12
| |-- build-key-server
| |-- build-req
| |-- build-req-pass
| |-- clean-all
| |-- inherit-inter
| |-- keys [error opening dir]
| |-- list-crl
| |-- Makefile
| |-- openssl-0.9.6.cnf
| |-- openssl-0.9.8.cnf
| |-- openssl-1.0.0.cnf
| |-- pkitool
| |-- README
| |-- revoke-full
| |-- sign-req
| |-- vars
| `-- whichopensslcnf
|-- keys -> ./easy-rsa/2.0/keys/
`-- server.conf


Is the source of the problem cipher AES-128-CBC, proto tcp-client or UDP or the interface p255p1 on Fedora17 or that file authentification ta.key is not found?










share|improve this question




























    8















    I tried to install openvpn on debian squeez (server) and connect from my fedora 17 as (client). Here is my configuration:



    server configuration



    # Server TCP
    proto tcp
    port 1194
    dev tun

    # Keys and certificates
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem

    # Network
    # Virtual address of the VPN network
    server 192.170.70.0 255.255.255.0
    # This line adds the client to the router network server
    push "route 192.168.1.0 255.255.255.0"
    # Create a route server to the tun interface
    #route 192.170.70.0 255.255.255.0

    # Security
    keepalive 10 120
    # type of data encryption
    cipher AES-128-CBC
    # enabling compression
    comp-lzo
    # maximum number of clients allowed
    max-clients 10
    # no user and group specific to the use of the VPN
    user nobody
    group nogroup

    # to make persistent connection
    persist-key
    persist-tun

    # Log of the OpenVPN status
    status /var/log/openvpn-status.log

    # logs openvpnlog /var/log/openvpn.log
    log-append /var/log/openvpn.log

    # verbosity
    verb 5


    client configuration



    client
    dev tun
    proto tcp-client
    remote <my server wan IP> 1194
    resolv-retry infinite
    cipher AES-128-CBC

    # Keys
    ca ca.crt
    cert client.crt
    key client.key

    # Security
    nobind
    persist-key
    persist-tun
    comp-lzo
    verb 3


    Message from the host client (fedora 17) in the log file /var/log/messages:



    Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> Starting VPN service 'openvpn'...
    Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 7470
    Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN service 'openvpn' appeared; activating connections
    Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN plugin state changed: starting (3)
    Dec 6 21:56:01 GlobalTIC NetworkManager[691]: <info> VPN connection 'Connexion VPN 1' (Connect) reply received.
    Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: OpenVPN 2.2.2 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep 5 2012
    Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]:[COLOR="Red"][U][B] WARNING: No server certificate verification method has been enabled.[/B][/U][/COLOR] See http://openvpn.net/howto.html#mitm for more info.
    Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]:[COLOR="Red"] WARNING: file '/home/login/client/client.key' is group or others accessible[/COLOR]
    Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: UDPv4 link local: [undef]
    Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: UDPv4 link remote: [COLOR="Red"]<my server wan IP>[/COLOR]:1194
    Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: [COLOR="Red"]read UDPv4 [ECONNREFUSED]: Connection refused (code=111)[/COLOR]
    Dec 6 21:56:03 GlobalTIC nm-openvpn[7472]: [COLOR="Red"]read UDPv4[/COLOR] [ECONNREFUSED]: Connection refused (code=111)
    Dec 6 21:56:07 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Dec 6 21:56:15 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Dec 6 21:56:31 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Dec 6 21:56:41 GlobalTIC NetworkManager[691]: <warn> VPN connection 'Connexion VPN 1' (IP Conf[/CODE]


    ifconfig on server host(debian):



    ifconfig 
    eth0 Link encap:Ethernet HWaddr 08:00:27:16:21:ac
    inet addr:192.168.1.6 Bcast:192.168.1.255 Mask:255.255.255.0
    inet6 addr: fe80::a00:27ff:fe16:21ac/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:9059 errors:0 dropped:0 overruns:0 frame:0
    TX packets:5660 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:919427 (897.8 KiB) TX bytes:1273891 (1.2 MiB)
    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:192.170.70.1 P-t-P:192.170.70.2 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)


    ifconfig on the client host (fedora 17)



    as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
    inet 5.5.0.1 netmask 255.255.252.0 destination 5.5.0.1
    unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
    RX packets 0 bytes 0 (0.0 B)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 2 bytes 321 (321.0 B)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    as0t1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
    inet 5.5.4.1 netmask 255.255.252.0 destination 5.5.4.1
    unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
    RX packets 0 bytes 0 (0.0 B)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 2 bytes 321 (321.0 B)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    as0t2: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
    inet 5.5.8.1 netmask 255.255.252.0 destination 5.5.8.1
    unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
    RX packets 0 bytes 0 (0.0 B)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 2 bytes 321 (321.0 B)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    as0t3: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
    inet 5.5.12.1 netmask 255.255.252.0 destination 5.5.12.1
    unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
    RX packets 0 bytes 0 (0.0 B)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 2 bytes 321 (321.0 B)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    **p255p1**: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255
    inet6 fe80::21d:baff:fe20:b7e6 prefixlen 64 scopeid 0x20<link>
    ether 00:1d:ba:20:b7:e6 txqueuelen 1000 (Ethernet)
    RX packets 4842070 bytes 3579798184 (3.3 GiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 3996158 bytes 2436442882 (2.2 GiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
    device interrupt 16


    p255p1 is label for eth0 interface



    and



    on the server :



    root@hoteserver:/etc/openvpn# tree
    .
    ├── client
    │** ├── ca.crt
    │** ├── client.conf
    │** ├── client.crt
    │** ├── client.csr
    │** ├── client.key
    │** ├── client.ovpn
    │*
    │**
    ├── easy-rsa
    │** ├── build-ca
    │** ├── build-dh
    │** ├── build-inter
    │** ├── build-key
    │** ├── build-key-pass
    │** ├── build-key-pkcs12
    │** ├── build-key-server
    │** ├── build-req
    │** ├── build-req-pass
    │** ├── clean-all
    │** ├── inherit-inter
    │** ├── keys
    │** │** ├── 01.pem
    │** │** ├── 02.pem
    │** │** ├── ca.crt
    │** │** ├── ca.key
    │** │** ├── client.crt
    │** │** ├── client.csr
    │** │** ├── client.key
    │** │** ├── dh1024.pem
    │** │** ├── index.txt
    │** │** ├── index.txt.attr
    │** │** ├── index.txt.attr.old
    │** │** ├── index.txt.old
    │** │** ├── serial
    │** │** ├── serial.old
    │** │** ├── server.crt
    │** │** ├── server.csr
    │** │** └── server.key
    │** ├── list-crl
    │** ├── Makefile
    │** ├── openssl-0.9.6.cnf.gz
    │** ├── openssl.cnf
    │** ├── pkitool
    │** ├── README.gz
    │** ├── revoke-full
    │** ├── sign-req
    │** ├── vars
    │** └── whichopensslcnf
    ├── openvpn.log
    ├── openvpn-status.log
    ├── server.conf
    └── update-resolv-conf


    on the client:



    [login@hoteclient openvpn]$ tree 
    .
    |-- easy-rsa
    | |-- 1.0
    | | |-- build-ca
    | | |-- build-dh
    | | |-- build-inter
    | | |-- build-key
    | | |-- build-key-pass
    | | |-- build-key-pkcs12
    | | |-- build-key-server
    | | |-- build-req
    | | |-- build-req-pass
    | | |-- clean-all
    | | |-- list-crl
    | | |-- make-crl
    | | |-- openssl.cnf
    | | |-- README
    | | |-- revoke-crt
    | | |-- revoke-full
    | | |-- sign-req
    | | `-- vars
    | `-- 2.0
    | |-- build-ca
    | |-- build-dh
    | |-- build-inter
    | |-- build-key
    | |-- build-key-pass
    | |-- build-key-pkcs12
    | |-- build-key-server
    | |-- build-req
    | |-- build-req-pass
    | |-- clean-all
    | |-- inherit-inter
    | |-- keys [error opening dir]
    | |-- list-crl
    | |-- Makefile
    | |-- openssl-0.9.6.cnf
    | |-- openssl-0.9.8.cnf
    | |-- openssl-1.0.0.cnf
    | |-- pkitool
    | |-- README
    | |-- revoke-full
    | |-- sign-req
    | |-- vars
    | `-- whichopensslcnf
    |-- keys -> ./easy-rsa/2.0/keys/
    `-- server.conf


    Is the source of the problem cipher AES-128-CBC, proto tcp-client or UDP or the interface p255p1 on Fedora17 or that file authentification ta.key is not found?










    share|improve this question


























      8












      8








      8


      1






      I tried to install openvpn on debian squeez (server) and connect from my fedora 17 as (client). Here is my configuration:



      server configuration



      # Server TCP
      proto tcp
      port 1194
      dev tun

      # Keys and certificates
      ca /etc/openvpn/easy-rsa/keys/ca.crt
      cert /etc/openvpn/easy-rsa/keys/server.crt
      key /etc/openvpn/easy-rsa/keys/server.key
      dh /etc/openvpn/easy-rsa/keys/dh1024.pem

      # Network
      # Virtual address of the VPN network
      server 192.170.70.0 255.255.255.0
      # This line adds the client to the router network server
      push "route 192.168.1.0 255.255.255.0"
      # Create a route server to the tun interface
      #route 192.170.70.0 255.255.255.0

      # Security
      keepalive 10 120
      # type of data encryption
      cipher AES-128-CBC
      # enabling compression
      comp-lzo
      # maximum number of clients allowed
      max-clients 10
      # no user and group specific to the use of the VPN
      user nobody
      group nogroup

      # to make persistent connection
      persist-key
      persist-tun

      # Log of the OpenVPN status
      status /var/log/openvpn-status.log

      # logs openvpnlog /var/log/openvpn.log
      log-append /var/log/openvpn.log

      # verbosity
      verb 5


      client configuration



      client
      dev tun
      proto tcp-client
      remote <my server wan IP> 1194
      resolv-retry infinite
      cipher AES-128-CBC

      # Keys
      ca ca.crt
      cert client.crt
      key client.key

      # Security
      nobind
      persist-key
      persist-tun
      comp-lzo
      verb 3


      Message from the host client (fedora 17) in the log file /var/log/messages:



      Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> Starting VPN service 'openvpn'...
      Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 7470
      Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN service 'openvpn' appeared; activating connections
      Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN plugin state changed: starting (3)
      Dec 6 21:56:01 GlobalTIC NetworkManager[691]: <info> VPN connection 'Connexion VPN 1' (Connect) reply received.
      Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: OpenVPN 2.2.2 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep 5 2012
      Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]:[COLOR="Red"][U][B] WARNING: No server certificate verification method has been enabled.[/B][/U][/COLOR] See http://openvpn.net/howto.html#mitm for more info.
      Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]:[COLOR="Red"] WARNING: file '/home/login/client/client.key' is group or others accessible[/COLOR]
      Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: UDPv4 link local: [undef]
      Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: UDPv4 link remote: [COLOR="Red"]<my server wan IP>[/COLOR]:1194
      Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: [COLOR="Red"]read UDPv4 [ECONNREFUSED]: Connection refused (code=111)[/COLOR]
      Dec 6 21:56:03 GlobalTIC nm-openvpn[7472]: [COLOR="Red"]read UDPv4[/COLOR] [ECONNREFUSED]: Connection refused (code=111)
      Dec 6 21:56:07 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
      Dec 6 21:56:15 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
      Dec 6 21:56:31 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
      Dec 6 21:56:41 GlobalTIC NetworkManager[691]: <warn> VPN connection 'Connexion VPN 1' (IP Conf[/CODE]


      ifconfig on server host(debian):



      ifconfig 
      eth0 Link encap:Ethernet HWaddr 08:00:27:16:21:ac
      inet addr:192.168.1.6 Bcast:192.168.1.255 Mask:255.255.255.0
      inet6 addr: fe80::a00:27ff:fe16:21ac/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
      RX packets:9059 errors:0 dropped:0 overruns:0 frame:0
      TX packets:5660 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:919427 (897.8 KiB) TX bytes:1273891 (1.2 MiB)
      tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
      inet addr:192.170.70.1 P-t-P:192.170.70.2 Mask:255.255.255.255
      UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100
      RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)


      ifconfig on the client host (fedora 17)



      as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
      inet 5.5.0.1 netmask 255.255.252.0 destination 5.5.0.1
      unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
      RX packets 0 bytes 0 (0.0 B)
      RX errors 0 dropped 0 overruns 0 frame 0
      TX packets 2 bytes 321 (321.0 B)
      TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

      as0t1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
      inet 5.5.4.1 netmask 255.255.252.0 destination 5.5.4.1
      unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
      RX packets 0 bytes 0 (0.0 B)
      RX errors 0 dropped 0 overruns 0 frame 0
      TX packets 2 bytes 321 (321.0 B)
      TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

      as0t2: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
      inet 5.5.8.1 netmask 255.255.252.0 destination 5.5.8.1
      unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
      RX packets 0 bytes 0 (0.0 B)
      RX errors 0 dropped 0 overruns 0 frame 0
      TX packets 2 bytes 321 (321.0 B)
      TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

      as0t3: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
      inet 5.5.12.1 netmask 255.255.252.0 destination 5.5.12.1
      unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
      RX packets 0 bytes 0 (0.0 B)
      RX errors 0 dropped 0 overruns 0 frame 0
      TX packets 2 bytes 321 (321.0 B)
      TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

      **p255p1**: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
      inet 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255
      inet6 fe80::21d:baff:fe20:b7e6 prefixlen 64 scopeid 0x20<link>
      ether 00:1d:ba:20:b7:e6 txqueuelen 1000 (Ethernet)
      RX packets 4842070 bytes 3579798184 (3.3 GiB)
      RX errors 0 dropped 0 overruns 0 frame 0
      TX packets 3996158 bytes 2436442882 (2.2 GiB)
      TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
      device interrupt 16


      p255p1 is label for eth0 interface



      and



      on the server :



      root@hoteserver:/etc/openvpn# tree
      .
      ├── client
      │** ├── ca.crt
      │** ├── client.conf
      │** ├── client.crt
      │** ├── client.csr
      │** ├── client.key
      │** ├── client.ovpn
      │*
      │**
      ├── easy-rsa
      │** ├── build-ca
      │** ├── build-dh
      │** ├── build-inter
      │** ├── build-key
      │** ├── build-key-pass
      │** ├── build-key-pkcs12
      │** ├── build-key-server
      │** ├── build-req
      │** ├── build-req-pass
      │** ├── clean-all
      │** ├── inherit-inter
      │** ├── keys
      │** │** ├── 01.pem
      │** │** ├── 02.pem
      │** │** ├── ca.crt
      │** │** ├── ca.key
      │** │** ├── client.crt
      │** │** ├── client.csr
      │** │** ├── client.key
      │** │** ├── dh1024.pem
      │** │** ├── index.txt
      │** │** ├── index.txt.attr
      │** │** ├── index.txt.attr.old
      │** │** ├── index.txt.old
      │** │** ├── serial
      │** │** ├── serial.old
      │** │** ├── server.crt
      │** │** ├── server.csr
      │** │** └── server.key
      │** ├── list-crl
      │** ├── Makefile
      │** ├── openssl-0.9.6.cnf.gz
      │** ├── openssl.cnf
      │** ├── pkitool
      │** ├── README.gz
      │** ├── revoke-full
      │** ├── sign-req
      │** ├── vars
      │** └── whichopensslcnf
      ├── openvpn.log
      ├── openvpn-status.log
      ├── server.conf
      └── update-resolv-conf


      on the client:



      [login@hoteclient openvpn]$ tree 
      .
      |-- easy-rsa
      | |-- 1.0
      | | |-- build-ca
      | | |-- build-dh
      | | |-- build-inter
      | | |-- build-key
      | | |-- build-key-pass
      | | |-- build-key-pkcs12
      | | |-- build-key-server
      | | |-- build-req
      | | |-- build-req-pass
      | | |-- clean-all
      | | |-- list-crl
      | | |-- make-crl
      | | |-- openssl.cnf
      | | |-- README
      | | |-- revoke-crt
      | | |-- revoke-full
      | | |-- sign-req
      | | `-- vars
      | `-- 2.0
      | |-- build-ca
      | |-- build-dh
      | |-- build-inter
      | |-- build-key
      | |-- build-key-pass
      | |-- build-key-pkcs12
      | |-- build-key-server
      | |-- build-req
      | |-- build-req-pass
      | |-- clean-all
      | |-- inherit-inter
      | |-- keys [error opening dir]
      | |-- list-crl
      | |-- Makefile
      | |-- openssl-0.9.6.cnf
      | |-- openssl-0.9.8.cnf
      | |-- openssl-1.0.0.cnf
      | |-- pkitool
      | |-- README
      | |-- revoke-full
      | |-- sign-req
      | |-- vars
      | `-- whichopensslcnf
      |-- keys -> ./easy-rsa/2.0/keys/
      `-- server.conf


      Is the source of the problem cipher AES-128-CBC, proto tcp-client or UDP or the interface p255p1 on Fedora17 or that file authentification ta.key is not found?










      share|improve this question
















      I tried to install openvpn on debian squeez (server) and connect from my fedora 17 as (client). Here is my configuration:



      server configuration



      # Server TCP
      proto tcp
      port 1194
      dev tun

      # Keys and certificates
      ca /etc/openvpn/easy-rsa/keys/ca.crt
      cert /etc/openvpn/easy-rsa/keys/server.crt
      key /etc/openvpn/easy-rsa/keys/server.key
      dh /etc/openvpn/easy-rsa/keys/dh1024.pem

      # Network
      # Virtual address of the VPN network
      server 192.170.70.0 255.255.255.0
      # This line adds the client to the router network server
      push "route 192.168.1.0 255.255.255.0"
      # Create a route server to the tun interface
      #route 192.170.70.0 255.255.255.0

      # Security
      keepalive 10 120
      # type of data encryption
      cipher AES-128-CBC
      # enabling compression
      comp-lzo
      # maximum number of clients allowed
      max-clients 10
      # no user and group specific to the use of the VPN
      user nobody
      group nogroup

      # to make persistent connection
      persist-key
      persist-tun

      # Log of the OpenVPN status
      status /var/log/openvpn-status.log

      # logs openvpnlog /var/log/openvpn.log
      log-append /var/log/openvpn.log

      # verbosity
      verb 5


      client configuration



      client
      dev tun
      proto tcp-client
      remote <my server wan IP> 1194
      resolv-retry infinite
      cipher AES-128-CBC

      # Keys
      ca ca.crt
      cert client.crt
      key client.key

      # Security
      nobind
      persist-key
      persist-tun
      comp-lzo
      verb 3


      Message from the host client (fedora 17) in the log file /var/log/messages:



      Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> Starting VPN service 'openvpn'...
      Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 7470
      Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN service 'openvpn' appeared; activating connections
      Dec 6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN plugin state changed: starting (3)
      Dec 6 21:56:01 GlobalTIC NetworkManager[691]: <info> VPN connection 'Connexion VPN 1' (Connect) reply received.
      Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: OpenVPN 2.2.2 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep 5 2012
      Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]:[COLOR="Red"][U][B] WARNING: No server certificate verification method has been enabled.[/B][/U][/COLOR] See http://openvpn.net/howto.html#mitm for more info.
      Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]:[COLOR="Red"] WARNING: file '/home/login/client/client.key' is group or others accessible[/COLOR]
      Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: UDPv4 link local: [undef]
      Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: UDPv4 link remote: [COLOR="Red"]<my server wan IP>[/COLOR]:1194
      Dec 6 21:56:01 GlobalTIC nm-openvpn[7472]: [COLOR="Red"]read UDPv4 [ECONNREFUSED]: Connection refused (code=111)[/COLOR]
      Dec 6 21:56:03 GlobalTIC nm-openvpn[7472]: [COLOR="Red"]read UDPv4[/COLOR] [ECONNREFUSED]: Connection refused (code=111)
      Dec 6 21:56:07 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
      Dec 6 21:56:15 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
      Dec 6 21:56:31 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
      Dec 6 21:56:41 GlobalTIC NetworkManager[691]: <warn> VPN connection 'Connexion VPN 1' (IP Conf[/CODE]


      ifconfig on server host(debian):



      ifconfig 
      eth0 Link encap:Ethernet HWaddr 08:00:27:16:21:ac
      inet addr:192.168.1.6 Bcast:192.168.1.255 Mask:255.255.255.0
      inet6 addr: fe80::a00:27ff:fe16:21ac/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
      RX packets:9059 errors:0 dropped:0 overruns:0 frame:0
      TX packets:5660 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:919427 (897.8 KiB) TX bytes:1273891 (1.2 MiB)
      tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
      inet addr:192.170.70.1 P-t-P:192.170.70.2 Mask:255.255.255.255
      UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100
      RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)


      ifconfig on the client host (fedora 17)



      as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
      inet 5.5.0.1 netmask 255.255.252.0 destination 5.5.0.1
      unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
      RX packets 0 bytes 0 (0.0 B)
      RX errors 0 dropped 0 overruns 0 frame 0
      TX packets 2 bytes 321 (321.0 B)
      TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

      as0t1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
      inet 5.5.4.1 netmask 255.255.252.0 destination 5.5.4.1
      unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
      RX packets 0 bytes 0 (0.0 B)
      RX errors 0 dropped 0 overruns 0 frame 0
      TX packets 2 bytes 321 (321.0 B)
      TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

      as0t2: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
      inet 5.5.8.1 netmask 255.255.252.0 destination 5.5.8.1
      unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
      RX packets 0 bytes 0 (0.0 B)
      RX errors 0 dropped 0 overruns 0 frame 0
      TX packets 2 bytes 321 (321.0 B)
      TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

      as0t3: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
      inet 5.5.12.1 netmask 255.255.252.0 destination 5.5.12.1
      unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
      RX packets 0 bytes 0 (0.0 B)
      RX errors 0 dropped 0 overruns 0 frame 0
      TX packets 2 bytes 321 (321.0 B)
      TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

      **p255p1**: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
      inet 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255
      inet6 fe80::21d:baff:fe20:b7e6 prefixlen 64 scopeid 0x20<link>
      ether 00:1d:ba:20:b7:e6 txqueuelen 1000 (Ethernet)
      RX packets 4842070 bytes 3579798184 (3.3 GiB)
      RX errors 0 dropped 0 overruns 0 frame 0
      TX packets 3996158 bytes 2436442882 (2.2 GiB)
      TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
      device interrupt 16


      p255p1 is label for eth0 interface



      and



      on the server :



      root@hoteserver:/etc/openvpn# tree
      .
      ├── client
      │** ├── ca.crt
      │** ├── client.conf
      │** ├── client.crt
      │** ├── client.csr
      │** ├── client.key
      │** ├── client.ovpn
      │*
      │**
      ├── easy-rsa
      │** ├── build-ca
      │** ├── build-dh
      │** ├── build-inter
      │** ├── build-key
      │** ├── build-key-pass
      │** ├── build-key-pkcs12
      │** ├── build-key-server
      │** ├── build-req
      │** ├── build-req-pass
      │** ├── clean-all
      │** ├── inherit-inter
      │** ├── keys
      │** │** ├── 01.pem
      │** │** ├── 02.pem
      │** │** ├── ca.crt
      │** │** ├── ca.key
      │** │** ├── client.crt
      │** │** ├── client.csr
      │** │** ├── client.key
      │** │** ├── dh1024.pem
      │** │** ├── index.txt
      │** │** ├── index.txt.attr
      │** │** ├── index.txt.attr.old
      │** │** ├── index.txt.old
      │** │** ├── serial
      │** │** ├── serial.old
      │** │** ├── server.crt
      │** │** ├── server.csr
      │** │** └── server.key
      │** ├── list-crl
      │** ├── Makefile
      │** ├── openssl-0.9.6.cnf.gz
      │** ├── openssl.cnf
      │** ├── pkitool
      │** ├── README.gz
      │** ├── revoke-full
      │** ├── sign-req
      │** ├── vars
      │** └── whichopensslcnf
      ├── openvpn.log
      ├── openvpn-status.log
      ├── server.conf
      └── update-resolv-conf


      on the client:



      [login@hoteclient openvpn]$ tree 
      .
      |-- easy-rsa
      | |-- 1.0
      | | |-- build-ca
      | | |-- build-dh
      | | |-- build-inter
      | | |-- build-key
      | | |-- build-key-pass
      | | |-- build-key-pkcs12
      | | |-- build-key-server
      | | |-- build-req
      | | |-- build-req-pass
      | | |-- clean-all
      | | |-- list-crl
      | | |-- make-crl
      | | |-- openssl.cnf
      | | |-- README
      | | |-- revoke-crt
      | | |-- revoke-full
      | | |-- sign-req
      | | `-- vars
      | `-- 2.0
      | |-- build-ca
      | |-- build-dh
      | |-- build-inter
      | |-- build-key
      | |-- build-key-pass
      | |-- build-key-pkcs12
      | |-- build-key-server
      | |-- build-req
      | |-- build-req-pass
      | |-- clean-all
      | |-- inherit-inter
      | |-- keys [error opening dir]
      | |-- list-crl
      | |-- Makefile
      | |-- openssl-0.9.6.cnf
      | |-- openssl-0.9.8.cnf
      | |-- openssl-1.0.0.cnf
      | |-- pkitool
      | |-- README
      | |-- revoke-full
      | |-- sign-req
      | |-- vars
      | `-- whichopensslcnf
      |-- keys -> ./easy-rsa/2.0/keys/
      `-- server.conf


      Is the source of the problem cipher AES-128-CBC, proto tcp-client or UDP or the interface p255p1 on Fedora17 or that file authentification ta.key is not found?







      debian fedora openvpn






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Jan 6 '13 at 21:32









      Renan

      14.5k65578




      14.5k65578










      asked Dec 6 '12 at 22:29









      tmedtcomtmedtcom

      1733311




      1733311




















          3 Answers
          3






          active

          oldest

          votes


















          2














          First you should change the permissions on your /home/login/client/client.key file so that it is not group or others accessable.



          chmod 400 /home/login/client/client.key



          Then as described here you should implement a method to check that your clients connect to the correct server and that no man-in-middle attack is possible.






          share|improve this answer























          • It will be nice if you post the solution here

            – Yu Jiaao
            Oct 14 '18 at 13:23


















          1














          There is a full list of problems here and you should take the warnings given by OpenVPN serious. But there are just warnings and not the reason for your problem to get a connection.
          The openvpn plugin of NetworkManager is trying to connect using UDP. I don't know which relation your client.conf has to your actual client configuration. Was it used to import the vpn settings into NetworkManager?

          Anyway you have to check the TCP connection checkbox in the advanced settings dialog of your vpn connection profile.

          As you don't seem to use tls-auth on either client nor server-side there should be no ta.key file missing (but using tls-auth is a good idea).

          The cipher seems to be the same on both sides and shouldn't be a problem.

          I really strongly suggest to verify the server certificate, as morlix stated.






          share|improve this answer






























            0














            To get rid of the No server certificate verification method has been enabled warning, generate your client and server certificates with the correct extendedKeyUsage extension and add remote-cert-tls server to the client's openvpn.conf.



            Add two sections to your CA's openssl.cnf:



            [server_cert]
            basicConstraints = CA:FALSE
            nsCertType = server
            nsComment = "OpenSSL Generated Server Certificate"
            subjectKeyIdentifier = hash
            authorityKeyIdentifier = keyid,issuer:always
            keyUsage = critical, digitalSignature, keyEncipherment
            extendedKeyUsage = serverAuth

            [client_cert]
            basicConstraints = CA:FALSE
            nsCertType = client, email
            nsComment = "OpenSSL Generated Client Certificate"
            subjectKeyIdentifier = hash
            authorityKeyIdentifier = keyid,issuer
            keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
            extendedKeyUsage = clientAuth, emailProtection


            Sign server certs at your CA like this:



            openssl ca -config openssl.cnf -extensions server_cert -notext -md sha256 -in csr.pem -out cert.pem


            Sign client certs like this:



            openssl ca -config openssl.cnf -extensions client_cert -notext -md sha256 -in csr.pem -out cert.pem


            Then in your client's openvpn.cnf add the following line:



            remote-cert-tls server


            and restart the openvpn service.






            share|improve this answer






















              Your Answer








              StackExchange.ready(function()
              var channelOptions =
              tags: "".split(" "),
              id: "106"
              ;
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function()
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled)
              StackExchange.using("snippets", function()
              createEditor();
              );

              else
              createEditor();

              );

              function createEditor()
              StackExchange.prepareEditor(
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: false,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              imageUploader:
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              ,
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              );



              );













              draft saved

              draft discarded


















              StackExchange.ready(
              function ()
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f57798%2fopenvpn-warning-no-server-certificate-verification-method-has-been-enabled%23new-answer', 'question_page');

              );

              Post as a guest















              Required, but never shown

























              3 Answers
              3






              active

              oldest

              votes








              3 Answers
              3






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              2














              First you should change the permissions on your /home/login/client/client.key file so that it is not group or others accessable.



              chmod 400 /home/login/client/client.key



              Then as described here you should implement a method to check that your clients connect to the correct server and that no man-in-middle attack is possible.






              share|improve this answer























              • It will be nice if you post the solution here

                – Yu Jiaao
                Oct 14 '18 at 13:23















              2














              First you should change the permissions on your /home/login/client/client.key file so that it is not group or others accessable.



              chmod 400 /home/login/client/client.key



              Then as described here you should implement a method to check that your clients connect to the correct server and that no man-in-middle attack is possible.






              share|improve this answer























              • It will be nice if you post the solution here

                – Yu Jiaao
                Oct 14 '18 at 13:23













              2












              2








              2







              First you should change the permissions on your /home/login/client/client.key file so that it is not group or others accessable.



              chmod 400 /home/login/client/client.key



              Then as described here you should implement a method to check that your clients connect to the correct server and that no man-in-middle attack is possible.






              share|improve this answer













              First you should change the permissions on your /home/login/client/client.key file so that it is not group or others accessable.



              chmod 400 /home/login/client/client.key



              Then as described here you should implement a method to check that your clients connect to the correct server and that no man-in-middle attack is possible.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered Dec 7 '12 at 8:59









              teisslerteissler

              25929




              25929












              • It will be nice if you post the solution here

                – Yu Jiaao
                Oct 14 '18 at 13:23

















              • It will be nice if you post the solution here

                – Yu Jiaao
                Oct 14 '18 at 13:23
















              It will be nice if you post the solution here

              – Yu Jiaao
              Oct 14 '18 at 13:23





              It will be nice if you post the solution here

              – Yu Jiaao
              Oct 14 '18 at 13:23













              1














              There is a full list of problems here and you should take the warnings given by OpenVPN serious. But there are just warnings and not the reason for your problem to get a connection.
              The openvpn plugin of NetworkManager is trying to connect using UDP. I don't know which relation your client.conf has to your actual client configuration. Was it used to import the vpn settings into NetworkManager?

              Anyway you have to check the TCP connection checkbox in the advanced settings dialog of your vpn connection profile.

              As you don't seem to use tls-auth on either client nor server-side there should be no ta.key file missing (but using tls-auth is a good idea).

              The cipher seems to be the same on both sides and shouldn't be a problem.

              I really strongly suggest to verify the server certificate, as morlix stated.






              share|improve this answer



























                1














                There is a full list of problems here and you should take the warnings given by OpenVPN serious. But there are just warnings and not the reason for your problem to get a connection.
                The openvpn plugin of NetworkManager is trying to connect using UDP. I don't know which relation your client.conf has to your actual client configuration. Was it used to import the vpn settings into NetworkManager?

                Anyway you have to check the TCP connection checkbox in the advanced settings dialog of your vpn connection profile.

                As you don't seem to use tls-auth on either client nor server-side there should be no ta.key file missing (but using tls-auth is a good idea).

                The cipher seems to be the same on both sides and shouldn't be a problem.

                I really strongly suggest to verify the server certificate, as morlix stated.






                share|improve this answer

























                  1












                  1








                  1







                  There is a full list of problems here and you should take the warnings given by OpenVPN serious. But there are just warnings and not the reason for your problem to get a connection.
                  The openvpn plugin of NetworkManager is trying to connect using UDP. I don't know which relation your client.conf has to your actual client configuration. Was it used to import the vpn settings into NetworkManager?

                  Anyway you have to check the TCP connection checkbox in the advanced settings dialog of your vpn connection profile.

                  As you don't seem to use tls-auth on either client nor server-side there should be no ta.key file missing (but using tls-auth is a good idea).

                  The cipher seems to be the same on both sides and shouldn't be a problem.

                  I really strongly suggest to verify the server certificate, as morlix stated.






                  share|improve this answer













                  There is a full list of problems here and you should take the warnings given by OpenVPN serious. But there are just warnings and not the reason for your problem to get a connection.
                  The openvpn plugin of NetworkManager is trying to connect using UDP. I don't know which relation your client.conf has to your actual client configuration. Was it used to import the vpn settings into NetworkManager?

                  Anyway you have to check the TCP connection checkbox in the advanced settings dialog of your vpn connection profile.

                  As you don't seem to use tls-auth on either client nor server-side there should be no ta.key file missing (but using tls-auth is a good idea).

                  The cipher seems to be the same on both sides and shouldn't be a problem.

                  I really strongly suggest to verify the server certificate, as morlix stated.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Jan 6 '13 at 15:08









                  Enno GröperEnno Gröper

                  1155




                  1155





















                      0














                      To get rid of the No server certificate verification method has been enabled warning, generate your client and server certificates with the correct extendedKeyUsage extension and add remote-cert-tls server to the client's openvpn.conf.



                      Add two sections to your CA's openssl.cnf:



                      [server_cert]
                      basicConstraints = CA:FALSE
                      nsCertType = server
                      nsComment = "OpenSSL Generated Server Certificate"
                      subjectKeyIdentifier = hash
                      authorityKeyIdentifier = keyid,issuer:always
                      keyUsage = critical, digitalSignature, keyEncipherment
                      extendedKeyUsage = serverAuth

                      [client_cert]
                      basicConstraints = CA:FALSE
                      nsCertType = client, email
                      nsComment = "OpenSSL Generated Client Certificate"
                      subjectKeyIdentifier = hash
                      authorityKeyIdentifier = keyid,issuer
                      keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
                      extendedKeyUsage = clientAuth, emailProtection


                      Sign server certs at your CA like this:



                      openssl ca -config openssl.cnf -extensions server_cert -notext -md sha256 -in csr.pem -out cert.pem


                      Sign client certs like this:



                      openssl ca -config openssl.cnf -extensions client_cert -notext -md sha256 -in csr.pem -out cert.pem


                      Then in your client's openvpn.cnf add the following line:



                      remote-cert-tls server


                      and restart the openvpn service.






                      share|improve this answer



























                        0














                        To get rid of the No server certificate verification method has been enabled warning, generate your client and server certificates with the correct extendedKeyUsage extension and add remote-cert-tls server to the client's openvpn.conf.



                        Add two sections to your CA's openssl.cnf:



                        [server_cert]
                        basicConstraints = CA:FALSE
                        nsCertType = server
                        nsComment = "OpenSSL Generated Server Certificate"
                        subjectKeyIdentifier = hash
                        authorityKeyIdentifier = keyid,issuer:always
                        keyUsage = critical, digitalSignature, keyEncipherment
                        extendedKeyUsage = serverAuth

                        [client_cert]
                        basicConstraints = CA:FALSE
                        nsCertType = client, email
                        nsComment = "OpenSSL Generated Client Certificate"
                        subjectKeyIdentifier = hash
                        authorityKeyIdentifier = keyid,issuer
                        keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
                        extendedKeyUsage = clientAuth, emailProtection


                        Sign server certs at your CA like this:



                        openssl ca -config openssl.cnf -extensions server_cert -notext -md sha256 -in csr.pem -out cert.pem


                        Sign client certs like this:



                        openssl ca -config openssl.cnf -extensions client_cert -notext -md sha256 -in csr.pem -out cert.pem


                        Then in your client's openvpn.cnf add the following line:



                        remote-cert-tls server


                        and restart the openvpn service.






                        share|improve this answer

























                          0












                          0








                          0







                          To get rid of the No server certificate verification method has been enabled warning, generate your client and server certificates with the correct extendedKeyUsage extension and add remote-cert-tls server to the client's openvpn.conf.



                          Add two sections to your CA's openssl.cnf:



                          [server_cert]
                          basicConstraints = CA:FALSE
                          nsCertType = server
                          nsComment = "OpenSSL Generated Server Certificate"
                          subjectKeyIdentifier = hash
                          authorityKeyIdentifier = keyid,issuer:always
                          keyUsage = critical, digitalSignature, keyEncipherment
                          extendedKeyUsage = serverAuth

                          [client_cert]
                          basicConstraints = CA:FALSE
                          nsCertType = client, email
                          nsComment = "OpenSSL Generated Client Certificate"
                          subjectKeyIdentifier = hash
                          authorityKeyIdentifier = keyid,issuer
                          keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
                          extendedKeyUsage = clientAuth, emailProtection


                          Sign server certs at your CA like this:



                          openssl ca -config openssl.cnf -extensions server_cert -notext -md sha256 -in csr.pem -out cert.pem


                          Sign client certs like this:



                          openssl ca -config openssl.cnf -extensions client_cert -notext -md sha256 -in csr.pem -out cert.pem


                          Then in your client's openvpn.cnf add the following line:



                          remote-cert-tls server


                          and restart the openvpn service.






                          share|improve this answer













                          To get rid of the No server certificate verification method has been enabled warning, generate your client and server certificates with the correct extendedKeyUsage extension and add remote-cert-tls server to the client's openvpn.conf.



                          Add two sections to your CA's openssl.cnf:



                          [server_cert]
                          basicConstraints = CA:FALSE
                          nsCertType = server
                          nsComment = "OpenSSL Generated Server Certificate"
                          subjectKeyIdentifier = hash
                          authorityKeyIdentifier = keyid,issuer:always
                          keyUsage = critical, digitalSignature, keyEncipherment
                          extendedKeyUsage = serverAuth

                          [client_cert]
                          basicConstraints = CA:FALSE
                          nsCertType = client, email
                          nsComment = "OpenSSL Generated Client Certificate"
                          subjectKeyIdentifier = hash
                          authorityKeyIdentifier = keyid,issuer
                          keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
                          extendedKeyUsage = clientAuth, emailProtection


                          Sign server certs at your CA like this:



                          openssl ca -config openssl.cnf -extensions server_cert -notext -md sha256 -in csr.pem -out cert.pem


                          Sign client certs like this:



                          openssl ca -config openssl.cnf -extensions client_cert -notext -md sha256 -in csr.pem -out cert.pem


                          Then in your client's openvpn.cnf add the following line:



                          remote-cert-tls server


                          and restart the openvpn service.







                          share|improve this answer












                          share|improve this answer



                          share|improve this answer










                          answered Feb 4 at 22:38









                          jcofflandjcoffland

                          18112




                          18112



























                              draft saved

                              draft discarded
















































                              Thanks for contributing an answer to Unix & Linux Stack Exchange!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid


                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.

                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function ()
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f57798%2fopenvpn-warning-no-server-certificate-verification-method-has-been-enabled%23new-answer', 'question_page');

                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown






                              Popular posts from this blog

                              How to check contact read email or not when send email to Individual?

                              Displaying single band from multi-band raster using QGIS

                              How many registers does an x86_64 CPU actually have?