Koozali.org: home of the SME Server

OpenVPN help required - Connecting Windows 7 client to server

Offline snuggles99

« on: November 20, 2013, 07:17:21 PM »
Hello All,

I have installed OpenVPN Bridge using the excellent description under:
http://wiki.contribs.org/OpenVPN_Bridge

I also used the setup for Windows Client as described there (using OpenVPN 2.0.9 and GUI 1.0.3).

I have put my kexfile.p12 and connect_script.ovpn in the config folder of the OpenVPN installation.
Upon connecting it prompts for username and password, and then I get the following output (and cannot make any connection).
Code:
Wed Nov 20 19:01:14 2013 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Wed Nov 20 19:01:29 2013 LZO compression initialized
Wed Nov 20 19:01:29 2013 UDPv4 link local: [undef]
Wed Nov 20 19:01:29 2013 UDPv4 link remote: 188.109.23.222:1194
Wed Nov 20 19:02:30 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Nov 20 19:02:30 2013 TLS Error: TLS handshake failed
Wed Nov 20 19:02:30 2013 SIGUSR1[soft,tls-error] received, process restarting
Wed Nov 20 19:02:32 2013 LZO compression initialized
Wed Nov 20 19:02:32 2013 UDPv4 link local: [undef]
Wed Nov 20 19:02:32 2013 UDPv4 link remote: 188.109.23.222:1194
Wed Nov 20 19:03:32 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Nov 20 19:03:32 2013 TLS Error: TLS handshake failed
...


Does anybody know what could be wrong on either the server or the client side, and how to go on?
Thanks for any help!
Stefan

Offline Daniel B.

« Reply #1 on: November 20, 2013, 07:38:33 PM »
Looks like your client cannot contact the server on udp port 1194. Do you see any activity on your server in /var/log/openvpn-bridge/current ?
It's the end of the world !!! :lol:

Offline snuggles99

« Reply #2 on: November 21, 2013, 08:49:49 AM »
Hello Daniel,

First of all - again - thanks.

These are the latest entries in the current log:

Code:
@40000000528db8de30ebdf54 OpenVPN 2.3.1 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on May 24 2013
@40000000528db8de30f393fc MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:11194
@40000000528db8de30f4e004 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
@40000000528db8de30f6ef5c NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
@40000000528db8de31053b84 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
@40000000528db8de311af21c Diffie-Hellman initialized with 1024 bit key
@40000000528db8de311f206c Enter Private Key Password:WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
@40000000528db8de3120d5ec Error: private key password verification failed
@40000000528db8de3120d9d4 Exiting due to fatal error
@40000000528db8df347cd22c OpenVPN 2.3.1 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on May 24 2013
@40000000528db8df3484d8dc MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:11194
@40000000528db8df34863484 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
@40000000528db8df3488c8ac NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
@40000000528db8df349908d4 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
@40000000528db8df34afa5e4 Diffie-Hellman initialized with 1024 bit key
@40000000528db8df34b3dc04 Enter Private Key Password:WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
@40000000528db8df34b5acdc Error: private key password verification failed
@40000000528db8df34b5eb5c Exiting due to fatal error
@40000000528db8e038054154 OpenVPN 2.3.1 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on May 24 2013
@40000000528db8e0380d3c4c MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:11194
@40000000528db8e0380eb34c NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
@40000000528db8e03810fd3c NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
@40000000528db8e0381f39c4 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
@40000000528db8e0383559d4 Diffie-Hellman initialized with 1024 bit key
@40000000528db8e0383964fc Enter Private Key Password:WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
@40000000528db8e0383aef84 Error: private key password verification failed
@40000000528db8e0383b2634 Exiting due to fatal error
@40000000528db8e13b95901c OpenVPN 2.3.1 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on May 24 2013
@40000000528db8e20003690c MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:11194
@40000000528db8e20004c89c NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
@40000000528db8e20007416c NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
@40000000528db8e20016e554 PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
@40000000528db8e2002cda6c Diffie-Hellman initialized with 1024 bit key
@40000000528db8e200310ca4 Enter Private Key Password:WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
@40000000528db8e20032a6cc Error: private key password verification failed
@40000000528db8e200334ec4 Exiting due to fatal error
The whole log is full of these entries, all alike.

I am quite sure, however, that I have not entered a wrong password.

I have used as
user name: the user name which is shown under "Certificate Management" in the column "User's Name" and as
password:  the one I keyed in upon creation of that client certificate.

One more thing: when I select "Display connected clients" in the OpenVPN Bridge Configuration Panel, it always says: "An error occured while connecting to the manager. Check the service is running." But the service is running. Maybe there is some hidden problem?

Any ideas?

Offline Daniel B.

« Reply #3 on: November 21, 2013, 08:53:01 AM »
The error here is not that you have typed the wrong password on the client. The problem is that the private key of the server is password protected, so OpenVPN cannot open it. Check http://wiki.contribs.org/OpenVPN_Bridge#Create_a_certificate_for_the_server

Quote
Password: This field must be blank. Remember that the OpenVPN daemon starts without human intervention when the server boots, so it needs to have access to the certificate key without being prompted for a password.

You have to generate a new certificate for the server and replace the server certificate and the server private key in the panel.

Regards, Daniel
It's the end of the world !!! :lol:
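
The diagnosis in Reply #3 can be checked directly on the server. The following is an added example, not part of the original thread: it classifies a PEM private key as passphrase-protected or not from its header lines and counts the aborted start-ups in the log. The file names and the sample contents are constructed, and the file-mode check is an addition that assumes a passphrase-less key should be readable by its owner only.

```shell
#!/bin/sh
# Added example: classify a PEM private key and correlate with the daemon log.

# key_state FILE -> "encrypted", "plain" or "unknown"
key_state() {
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted   # PKCS#8 encrypted, or traditional PEM with a passphrase
    elif grep -q -E 'BEGIN (RSA |EC )?PRIVATE KEY' "$1"; then
        echo plain       # readable without a prompt, as an unattended daemon needs
    else
        echo unknown
    fi
}

# key_perms_ok FILE -> true when group and others have no access at all.
# A passphrase-less key is protected only by its file mode.
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# key_failures LOG -> number of start-ups aborted on the key passphrase
key_failures() {
    grep -c 'private key password verification failed' "$1" || true
}

# Constructed samples: PEM header lines around placeholder bodies, no key material.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        '' 'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$d/enc.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END PRIVATE KEY-----' > "$d/plain.pem"
    chmod 600 "$d/enc.pem"; chmod 644 "$d/plain.pem"
    printf '%s\n' '@400000000000000000000000 Enter Private Key Password:' \
        '@400000000000000000000001 Error: private key password verification failed' \
        '@400000000000000000000002 Exiting due to fatal error' > "$d/current"
    echo "$d"
}

d=$(make_samples)
echo "enc.pem:   $(key_state "$d/enc.pem")"
echo "plain.pem: $(key_state "$d/plain.pem")"
key_perms_ok "$d/plain.pem" || echo "plain.pem: readable by group/others, tighten to 600"
echo "aborted starts in log: $(key_failures "$d/current")"
rm -rf "$d"
```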

Offline snuggles99

« Reply #4 on: November 21, 2013, 01:28:59 PM »
Uh, that is embarrassing - whoever can read clearly has an advantage here.  :?
I had overlooked this!

Thank you very much, everything is up and running now!  :-P

Can I buy you a beer somewhere close to you?

regards
Stefan

Offline Daniel B.

« Reply #5 on: November 21, 2013, 01:47:00 PM »
Quote
Can I buy you a beer somewhere close to you?

Glad it's working for you now ;-)
If you really want to, you can make a donation to the Koozali Foundation either here: http://forums.contribs.org/index.php?action=profile;area=subscriptions or through the home page on the wiki.
It's the end of the world !!! :lol:

Offline snuggles99

« Reply #6 on: November 21, 2013, 02:37:22 PM »
I will extend my anyways running bronze subscription in January for another year!