Cannot connect using OpenVpn any more

aht961

Occasional Visitor
I have upgraded to x.374.36_beta1, after which I cannot connect to my router using OpenVPN with iOS or OS X computers. I never had problems before using previous builds. However, this is probably not related to this build, since I have downgraded but that could not resolve the problem.

I did not change any settings or cert or key files, nor the VPN server settings. However, every time I start a connection (using no-ip DDNS), I get:

"Transport Error: PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed" In the log, I see that VERIFY FAIL CERT_NOT_TRUSTED and then a few sentences showing the cert by Asus RT-N66U etc. I did not have these entries earlier.

Any suggestions concerning what went wrong?

ps: reset to factory settings, reverted one by one back to earlier builds (down to x.374.33) - it did not help.
 

See what error message you get on the router's end, in System Log. At a first glance, I would suspect the problem has to do with the client certificate not matching the CA certificate. Did you generate these yourself, or automatically through the router?
 

Hi. Thanks for the quick reply and for your nice work. I have used the keys generated by myself and never had problems. It seems, though, now my router has started to generate its own keys and certificates, as I see from the OpenVPN client's log on my iPhone. I am not able to provide the router's log details since I am away from home (I will do this as soon as I get home). But I see from the router's GUI that a client is connected.

How can I stop the router using its own certificate and keys? I have entered all these values (keys, cert, pm values as earlier) again manually, but the problem still exists. It provides a certificate with entries like "me@myhost.my.domain, L=Taipei, CN=RT-N66U, etc." I don't have such entries in my certificates :(
 
Hi. Thanks for the quick reply and for your nice work. I have used the keys generated by myself and never had problems. It seems, though, now my router has started to generate its own keys and certificates, as I see from the OpenVPN client's log on my iPhone. I am not able to provide the router's log details since I am away from home. But I see that the router shows that a client is connected. How can I stop the router using its own certificate and keys? I have entered all these values (keys, cert, pm values as earlier) again manually, but the problem exists.

Make sure you are running a recent enough version (I recommend going with 374.36 Beta 1 - don't worry about the beta label, it was just because this build was in need of user feedback regarding networkmap-related fixes). Then, go to the VPN Details page, click on the "Content modification of Keys & Certificates" link, paste all your keys and certs, then click OK (to close the popup) then Apply. After that the router should be using your provided key and certs - it won't overwrite them automatically. You can confirm that by going back to the keys & cert link, then copying the certs there into an online PEM decoder like this one. You can also manually validate it using the openssl command over SSH (that online decoder even shows you the syntax to use).
 
...Then, go to the VPN Details page, click on the "Content modification of Keys & Certificates" link, paste all your keys and certs, then click OK (to close the popup) then Apply. After that the router should be using your provided key and certs - it won't overwrite them automatically.

You were right. It was my mistake since during the upgrade & reset procedure, somehow I had copied the crts and pem generated by the router and saved them as a backup (as if they were the originals produced by myself). And every time when I was trying to recover, I was pasting back these very same certificates. Now, I have put in the originals from another backup source in my NAS and everything started to function again. It was my bad, sorry for taking your time & space here. Thanks a lot for the assistance.

ps: if you wish you can remove this thread - or leave it in case somebody else makes the same mistake as well :(
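
Added example (not part of any post in this thread, and not the firmware's own tooling): the openssl check suggested above, written as a shell script that tells your own certificates apart from router-generated ones before you paste them back. The file names and the two throwaway CAs it generates are constructed sample data, and it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example. All file names and both CAs below are constructed sample data.

# Print who a PEM certificate was issued to and who issued it.
cert_summary() { openssl x509 -in "$1" -noout -subject -issuer; }

# signed_by CA CERT: succeeds only if CERT verifies against CA.
signed_by() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }

# key_matches_cert KEY CERT: succeeds only if both carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_set CA CERT KEY: returns 0 = consistent, 1 = wrong CA, 2 = wrong key.
check_set() {
    cert_summary "$2"
    signed_by "$1" "$2" || { echo "FAIL: $2 is not signed by $1"; return 1; }
    key_matches_cert "$3" "$2" || { echo "FAIL: $3 does not match $2"; return 2; }
    echo "OK: $2 chains to $1 and matches $3"
}

# Build two unrelated sets in directory $1: "my" (the CA the clients trust)
# and "router" (a stand-in for a set the router generated by itself).
make_demo_pki() {
    for who in my router; do
        case $who in my) cn="My Home CA" ;; *) cn="RT-N66U" ;; esac
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$cn" \
            -keyout "$1/$who-ca.key" -out "$1/$who-ca.crt" 2>/dev/null
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$who-server" \
            -keyout "$1/$who-server.key" -out "$1/$who-server.csr" 2>/dev/null
        openssl x509 -req -in "$1/$who-server.csr" -days 2 -CAcreateserial \
            -CA "$1/$who-ca.crt" -CAkey "$1/$who-ca.key" \
            -out "$1/$who-server.crt" 2>/dev/null
    done
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo_pki "$demo_dir"
# The right backup: server cert and key issued under the CA the clients hold.
check_set "$demo_dir/my-ca.crt" "$demo_dir/my-server.crt" "$demo_dir/my-server.key"
# The wrong backup: a router-generated server cert checked against that same CA.
check_set "$demo_dir/my-ca.crt" "$demo_dir/router-server.crt" \
    "$demo_dir/router-server.key" || echo "(clients holding my-ca.crt will not trust this server)"
```

To check real files, save each PEM block from a backup to its own file and run `check_set` on them with the CA file your clients use; an issuer you do not recognise in the summary line means the backup is not your own set.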
 