No server certificate verification method has been enabled: how to fix

Greetings, everyone!

OS-OpenSuse 42.3
OpenVPN-2.3
easyrsa- 3.0.5

Server.conf

Code:

port 1194
proto tcp
dev tun
server 192.168.99.0 255.255.255.0
push "route 192.168.90.0 255.255.255.0"
ca ca.crt
cert blic-vpn.crt
key blic-vpn.key
dh dh.pem
tls-auth ta.key 0
crl-verify crl.pem
key-direction 0
cipher AES-256-CBC
auth SHA256
explicit-exit-notify 0
ifconfig-pool-persist ipp.txt
mute 10
persist-key
persist-tun
max-clients 50
keepalive 10 900
user nobody
group nobody
status openvpn-status.log 1
status-version 3
log-append openvpn-server.log
verb 9

Client.conf

Code:

client
dev tun
remote 192.168.80.21
proto tcp
ca ca.crt
cert adm.crt
key adm.key
cipher AES-256-CBC
auth SHA256
key-direction 1
route-method exe
route-delay 2
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
tls-auth ta.key 1
auth-nocache

I created a test OpenVPN setup and ran into the following:

The tun interface comes up

Client logs when trying to connect to the server:

Code:

Sat Jan 12 00:51:28 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Sat Jan 12 00:51:28 2019 Windows version 6.1 (Windows 7) 64bit
Sat Jan 12 00:51:28 2019 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Sat Jan 12 00:51:28 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 12 00:51:28 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:28 2019 Attempting to establish TCP connection with [AF_INET]192.168.80.21:1194 [nonblock]
Sat Jan 12 00:51:29 2019 TCP connection established with [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:29 2019 TCP_CLIENT link local: (not bound)
Sat Jan 12 00:51:29 2019 TCP_CLIENT link remote: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:30 2019 Connection reset, restarting [-1]
Sat Jan 12 00:51:30 2019 SIGUSR1[soft,connection-reset] received, process restarting
Sat Jan 12 00:51:35 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 12 00:51:35 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:35 2019 Attempting to establish TCP connection with [AF_INET]192.168.80.21:1194 [nonblock]
Sat Jan 12 00:51:36 2019 TCP connection established with [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:36 2019 TCP_CLIENT link local: (not bound)
Sat Jan 12 00:51:36 2019 TCP_CLIENT link remote: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:36 2019 Connection reset, restarting [-1]
Sat Jan 12 00:51:36 2019 SIGUSR1[soft,connection-reset] received, process restarting
Sat Jan 12 00:51:38 2019 SIGTERM[hard,init_instance] received, process exiting

As soon as I comment out the line on the server responsible for certificate checking:
#crl-verify crl.pem

The client connects and works as expected.

Client log after a successful connection:

Code:

Sat Jan 12 00:56:17 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Sat Jan 12 00:56:17 2019 Windows version 6.1 (Windows 7) 64bit
Sat Jan 12 00:56:17 2019 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Sat Jan 12 00:56:17 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 12 00:56:17 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:56:17 2019 Attempting to establish TCP connection with [AF_INET]192.168.80.21:1194 [nonblock]
Sat Jan 12 00:56:18 2019 TCP connection established with [AF_INET]192.168.80.21:1194
Sat Jan 12 00:56:18 2019 TCP_CLIENT link local: (not bound)
Sat Jan 12 00:56:18 2019 TCP_CLIENT link remote: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:56:18 2019 [blic-vpn] Peer Connection Initiated with [AF_INET]192.168.80.21:1194
Sat Jan 12 00:56:20 2019 open_tun
Sat Jan 12 00:56:20 2019 TAP-WIN32 device [Подключение по локальной сети 2] opened: \.Global{61223E3E-B757-452A-B418-E67442450004}.tap
Sat Jan 12 00:56:20 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.88.6/255.255.255.252 on interface {61223E3E-B757-452A-B418-E67442450004} [DHCP-serv: 192.168.88.5, lease-time: 31536000]
Sat Jan 12 00:56:20 2019 Successful ARP Flush on interface [24] {61223E3E-B757-452A-B418-E67442450004}
Sat Jan 12 00:56:20 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Jan 12 00:56:22 2019 env_block: add PATH=C:WindowsSystem32;C:Windows;C:WindowsSystem32Wbem
Sat Jan 12 00:56:22 2019 env_block: add PATH=C:WindowsSystem32;C:Windows;C:WindowsSystem32Wbem
Sat Jan 12 00:56:22 2019 Initialization Sequence Completed
Sat Jan 12 00:56:32 2019 env_block: add PATH=C:WindowsSystem32;C:Windows;C:WindowsSystem32Wbem
Sat Jan 12 00:56:32 2019 env_block: add PATH=C:WindowsSystem32;C:Windows;C:WindowsSystem32Wbem
Sat Jan 12 00:56:32 2019 SIGTERM[hard,] received, process exiting

The date and time on the server and the client do not differ; I completely removed the test environment and generated it again.
The error repeats.

Server log when the crl-verify crl.pem line is not commented out (Ошибка.txt)
Server log when the crl-verify crl.pem line is commented out (Работает.txt)

Last edited by leksstav on 14.01.2019 15:43; edited 2 times in total.

LonelyPixel

OpenVpn Newbie
Posts: 13
Joined: Fri Nov 23, 2012 7:44 pm

No server certificate verification method has been enabled.

When connecting to my OpenVPN server, I get this message on the client in red colour:

WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

I have read that page and acknowledged it. The certificates already have the appropriate settings. How can I make this red line go away?


TinCanTech

OpenVPN Protagonist
Posts: 11142
Joined: Fri Jun 03, 2016 1:17 pm

Re: No server certificate verification method has been enabled.

by TinCanTech » Thu May 31, 2018 11:27 am

The HOWTO wrote: Now add the following line to your client configuration:

remote-cert-tls server

:roll:
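
What the warning is about, as an added example (not part of the original thread and not OpenVPN's own code): without a verification directive the client accepts any certificate signed by its CA as "the server", so this small Python linter reports whether a client config enables one. The directive list beyond `remote-cert-tls server` is an assumption based on OpenVPN 2.3/2.4 behaviour; the first sample is the Client.conf posted earlier on this page, the second is constructed.

```python
import shlex

# Client config posted earlier on this page (the thread starter's Client.conf).
CLIENT_CONF_FROM_PAGE = """\
client
dev tun
remote 192.168.80.21
proto tcp
ca ca.crt
cert adm.crt
key adm.key
cipher AES-256-CBC
auth SHA256
key-direction 1
route-method exe
route-delay 2
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
tls-auth ta.key 1
auth-nocache
"""

# Constructed edge cases: commented-out directives, the wrong peer type, and
# an inline block whose body must not be parsed as directives.
TRICKY_CONF = """\
client
;remote-cert-tls server
# remote-cert-tls server
remote-cert-tls client
<ca>
-----BEGIN CERTIFICATE-----
remote-cert-tls server (constructed filler, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

# Assumption (not stated in the thread): each of these counts as a server
# verification method. The thread itself only names "remote-cert-tls server".
VERIFY_DIRECTIVES = {
    "remote-cert-tls": lambda args: args[:1] == ["server"],
    "ns-cert-type": lambda args: args[:1] == ["server"],  # deprecated form
    "remote-cert-eku": lambda args: len(args) >= 1,
    "verify-x509-name": lambda args: len(args) >= 1,
    "tls-verify": lambda args: len(args) >= 1,
}


def parse_directives(text):
    """Yield (name, args) per directive, skipping comments and inline blocks."""
    inline_end = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_end:  # inside a <ca>...</ca> style inline file
            if line == inline_end:
                inline_end = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline_end = "</" + line[1:]
            continue
        try:
            tokens = shlex.split(line, comments=True)  # drops trailing "# ..."
        except ValueError:  # unbalanced quote: fall back to plain splitting
            tokens = line.split()
        if tokens:
            yield tokens[0].lstrip("-"), tokens[1:]


def audit(text):
    """Return (verdict, list of verification directives found)."""
    directives = list(parse_directives(text))
    if not any(name in ("client", "tls-client") for name, _ in directives):
        return "not-a-tls-client", []
    methods = [" ".join([name] + args) for name, args in directives
               if name in VERIFY_DIRECTIVES and VERIFY_DIRECTIVES[name](args)]
    return ("verified" if methods else "no-server-verification"), methods


if __name__ == "__main__":
    print("posted config:", audit(CLIENT_CONF_FROM_PAGE))
    print("with the fix :", audit(CLIENT_CONF_FROM_PAGE + "remote-cert-tls server\n"))
    print("tricky config:", audit(TRICKY_CONF))
```

`remote-cert-tls server` only passes the handshake if the server certificate was issued with the matching key usage and extended key usage, so a client that stops connecting after the line is added points at how the server certificate was generated.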


LonelyPixel

OpenVpn Newbie
Posts: 13
Joined: Fri Nov 23, 2012 7:44 pm

Re: No server certificate verification method has been enabled.

by LonelyPixel » Thu May 31, 2018 12:53 pm

Thanks for the pointer. I haven’t seen this line and thought there’s nothing more to do. Maybe the page layout was a bit too complex or I was already in that “stupid documentation” mood.


TinCanTech

OpenVPN Protagonist
Posts: 11142
Joined: Fri Jun 03, 2016 1:17 pm

Re: No server certificate verification method has been enabled.

by TinCanTech » Thu May 31, 2018 1:15 pm

LonelyPixel wrote (Thu May 31, 2018 12:53 pm):

or I was already in that “stupid documentation” mood.

Would you prefer there not to be documentation ?

People put a lot of effort into writing it .. but we can delete it all if you prefer :mrgreen:


LonelyPixel

OpenVpn Newbie
Posts: 13
Joined: Fri Nov 23, 2012 7:44 pm

Re: No server certificate verification method has been enabled.

by LonelyPixel » Thu May 31, 2018 5:19 pm

If there is no documentation, I’d be annoyed about it not being there. If there’s a documentation that’s hard to find, use and understand, I’d be annoyed about it being hard to find, use and understand. Please understand that incomplete efforts cannot beat psychology. You can’t sell a product by arguing that you couldn’t do it any better. I’m just giving you feedback on that, others won’t and turn somewhere else. I guess you still don’t care because we’re all not paying any money.

And yes, deleting the outdated part of the documentation might indeed be helpful! It just doesn’t look too professional if I turn to the forums about a documentation page from a prominent FAQ list only to hear that it’s long outdated. You see where my impression comes from?


TinCanTech

OpenVPN Protagonist
Posts: 11142
Joined: Fri Jun 03, 2016 1:17 pm

Re: No server certificate verification method has been enabled.

by TinCanTech » Thu May 31, 2018 5:56 pm

LonelyPixel wrote (Thu May 31, 2018 5:19 pm):

If there is no documentation, I’d be annoyed about it not being there. If there’s a documentation that’s hard to find, use and understand, I’d be annoyed about it being hard to find, use and understand.

You can help improve it ;)

LonelyPixel wrote (Thu May 31, 2018 5:19 pm):

You can’t sell a product by arguing that you couldn’t do it any better. I’m just giving you feedback on that, others won’t and turn somewhere else. I guess you still don’t care because we’re all not paying any money.

I care which is why I help .. but we need more help.

LonelyPixel wrote (Thu May 31, 2018 5:19 pm):

yes, deleting the outdated part of the documentation might indeed be helpful!

You can help improve it ;)

LonelyPixel wrote (Thu May 31, 2018 5:19 pm):

It just doesn’t look too professional if I turn to the forums about a documentation page from a prominent FAQ list only to hear that it’s long outdated.

At least all the pages of documentation from Openvpn are fully dated, unlike much of the FUD out there .. so you can decide immediately if you want to read it or not.


LonelyPixel

OpenVpn Newbie
Posts: 13
Joined: Fri Nov 23, 2012 7:44 pm

Re: No server certificate verification method has been enabled.

by LonelyPixel » Tue Aug 14, 2018 6:58 pm

Oh, that’s been a long time.

I understand that you need more help to keep the docs updated. But I really feel that should be done by people who know what they talk about. You can probably guess from my questions that I’m not one of them. Set aside that I can’t even guess the effort it’d take me to find out how to help with that. Somebody would have to spend a lot of time putting me on the right track that they could better spend in fixing it directly.


1_C4T4LY5T

OpenVpn Newbie
Posts: 2
Joined: Mon Jul 06, 2020 12:48 am

Re: No server certificate verification method has been enabled.

by 1_C4T4LY5T » Mon Jul 06, 2020 12:51 am

I see that open vpn error tells me to go here: https://openvpn.net/community-resources/how-to/#mitm
but that makes no sense to me as I’m definitely a noob to vpn’s in general. I did try to add “remote-cert-tls server” to the end of my client config file. When I added it the red error went away but now the client just keeps saying connecting in status and never actually errors or connects for me.

Could I get some help from anyone in a very dumbed down way? like if you were explaining it to your mom for example :D ?

Thank you in advance for any help.


TinCanTech

OpenVPN Protagonist
Posts: 11142
Joined: Fri Jun 03, 2016 1:17 pm

Re: No server certificate verification method has been enabled.

by TinCanTech » Mon Jul 06, 2020 2:11 am

You must speak to your server admin


1_C4T4LY5T

OpenVpn Newbie
Posts: 2
Joined: Mon Jul 06, 2020 12:48 am

Re: No server certificate verification method has been enabled.

by 1_C4T4LY5T » Mon Jul 06, 2020 2:36 am

I have no server admin. This is an hp elite 8300 sff i7-2600 box I setup server 2019 on and then installed Open VPN. I’d be happy to provide needed info.
I’ve setup the vpn through enabling the open vpn setting on my nighthawk R7000P. I’ve followed the directions from netgear and everything else seems to have setup just as it described …all but this open vpn client starting up.


300000

OpenVPN Expert
Posts: 688
Joined: Tue May 01, 2012 9:30 pm

Re: No server certificate verification method has been enabled.

by 300000 » Mon Jul 06, 2020 12:10 pm

You can try the paid version on this site and setup is easier. No more red or whatever notice.

If you want the red warning to go away, you need to add something to the openssl config inside easyrsa so that it adds the attribute httpsserver authentication, and the warning will go.

That is the way people consider using the community version for personal use and the paid version for commercial use.

It is only one line of config that works best, and there is no document on how to do it either, so try to find it yourself. The openvpn manual does not document it anywhere, so people can’t find it.


Hart, Henry

OpenVpn Newbie
Posts: 1
Joined: Tue Sep 08, 2020 3:02 am

Re: No server certificate verification method has been enabled.

by Hart, Henry » Tue Sep 08, 2020 3:05 am

300000 wrote (Mon Jul 06, 2020 12:10 pm):

You can try the paid version on this site and setup is easier. No more red or whatever notice.

Is this true? I would be more than happy to use the Paid version if I knew that almost nothing would be required of me — no red notices, no errors, no dropped connections with errors (which we too are experiencing now without touching the server and certs are up to date) and 24/7 support. Where do I sign up….


300000

OpenVPN Expert
Posts: 688
Joined: Tue May 01, 2012 9:30 pm

Re: No server certificate verification method has been enabled.

by 300000 » Tue Sep 08, 2020 10:42 am

You can download OpenVPN Access Server now to try it, no more red or whatever notice to upset people, but you only pay money; that is how free software works, or if you like you can do it yourself, simple. In fact the red warning makes it quite scary to use when you want to hide something more than normal.

I am using XCA to create certificates, so for me there is no red warning at all or whatever, but you need to go to openssl to learn how to create a certificate and what kinds of different attributes create all kinds of different certificates to use in all different situations.


Topic: problem with connecting to OPENVPN

sila31regiona

OPENVPN won't connect. I enter the login and password; through the terminal it gives this error:


No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Nov 12 20:02:57 2016 NOTE: –fast-io is disabled since we are not using UDP
Sat Nov 12 20:02:57 2016 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Nov 12 20:02:57 2016 Attempting to establish TCP connection with [AF_INET]212.129.33.61:80 [nonblock]

and how do I connect to the VPN now, if they have stopped using UDP and TCP

    Username: *********
    Password: *********
    TCP 80, 443 ????
    UDP 53, 40000 ??????
    Unlimited Bandwidth
    Torrents Allowed
    No Logging

please help me solve the problem :)


The topic starter has not appeared on the forum for more than half a year as of 22/07/2019 (last visit: 26/05/2017). The section moderator has decided to close the topic.
–zg_nico

« Last edited: 22 July 2019, 14:56:18 by zg_nico »


Длиннорогий

sila31regiona, and who said that TCP is not being used?


sila31regiona


Длиннорогий

If udp is unavailable, try tcp.

nano /etc/openvpn/client.conf
or wherever your config is. Uncomment the tcp line, comment out the udp one.

/etc/init.d/openvpn restart
and see what happens.


sila31regiona

look, I download the archive with the .ovpn

https://freevpn.me/accounts/

I unpack it and open a terminal in the folder with the files

in the terminal I type ls, it shows the contents of the folder

then I enter openvpn FreeVPN.me-TCP80.ovpn

I press Enter and this is displayed

Sat Nov 12 21:16:06 2016 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016
Sat Nov 12 21:16:06 2016 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Enter Auth Username: I enter freevpnme here

I press Enter

Enter Auth Password: here I enter the password 0jnyTti8E

then I see this:


This is what is in the file FreeVPN.me-TCP80.ovpn :


User added a message on 12 November 2016, 22:38:09:

I connected the VPN, but only in a different way and it takes much longer, like this:

https://www.youtube.com/watch?v=196_HoLIDIA

but I would like to do it the old-fashioned way through the terminal, much faster))

https://www.youtube.com/watch?v=Lp5vT4sGXmI

« Last edited: 12 November 2016, 22:38:09 by sila31regiona »


Multik001

Ran into the same problem… during the day I set everything up following the video above… it worked for about 2 hours, then it dropped and now it can't connect…


EvangelionDeath

look

We have looked. But apparently you didn't even read the log yourself? And it says:

Sat Nov 12 21:25:32 2016 AUTH: Received control message: AUTH_FAILED

No, I understand, a newbie and all that. But you could have read the log yourself without convening a council. If you are still looking at it with uncomprehending eyes, contact the service's support, because the authorization data is invalid, so the problem is not in OpenVPN.

I don't have the right to close the topic, so let's wait.

HP Pro 840 G3: Intel i5-6300U, 32GB DDR4 2133MHz, Intel 520, Intel Pro 2500 180GB/Ubuntu 22.04
Dell Latitude 5590: Intel i5-8350U, 16GB DDR4 2400MHz, Intel 620, Samsung 1TB/Ubuntu 22.04


Multik001

So what could the problem be? Is the provider blocking the VPN (MGTS is quite the piece of c…) or did https://freevpn.me itself let me use it for about 5 hours and that's it…
With the recent events around Telegram and RKN, lots of newbies are now getting into this VPN topic, but they run into lots of problems… The first thing that comes up on youtube is the video https://www.youtube.com/watch?v=Lp5vT4sGXmI and on the first setup everything works great, but then a failure occurs and it is no longer possible to connect(((
I'll try on a clean system later and report back.

User added a message on 20 April 2018, 16:46:35:

Tried it on a clean system, the result is the same((
Can you tell me what the problem might be?

« Last edited: 20 April 2018, 16:46:37 by Multik001 »


EvangelionDeath

Multik001, the problem is that the provider has already blocked the VPN's IP


Hi Gert

Thank you for your reply

Our client uses checkpoint vpn and they only give us a username a password and the gateway i.e gateway.XXX.co.za

and then we download the client — install it — enter our details and bingo! we are in.

but on Linux — checkpoint is even more difficult to understand or try to get working. so was looking for something else that I can install enter my details and connect.

is there anything like checkpoint that I can install and then simply enter my details and connect like I currently do on windows.

and please I am nowhere near being a developer or an IT guy. if you can assist I will be very grateful.

because currently in my life no deb file or installable executable then no go.

Kind Regards
Derick

________________________________
From: Gert Doering ***@***.***>
Sent: Wednesday, 23 November 2022 09:22
To: OpenVPN/openvpn-gui ***@***.***>
Cc: Derick Mommsen ***@***.***>; Comment ***@***.***>
Subject: Re: [OpenVPN/openvpn-gui] WARNING: No server certificate verification method has been enabled. (#453)

Hi,

On Tue, Nov 22, 2022 at 10:00:17PM -0800, derickza wrote:
I will just keep trying until I either find a complete application that works on Linux or Google myself to death looking for a set of copy and paste terminal instructions that works for me. That I don’t understand in any case.

The issue here is: to use OpenVPN, you need to have a config file with
details about servers, secret keys, etc — that can not be provided by
us in an installable package.

Either the server operator provides that config file (and then he’s the
responsible person for questions about that config file), or you’ll have
to learn how these pieces all work together.

There’s no way to do «shrinkwrap VPN».

gert


«If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor.»
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering — Munich, Germany ***@***.***



I tried to install openvpn on Debian squeeze (server) and connect from my Fedora 17 as (client). Here is my configuration:

server configuration

# Server TCP
proto tcp
port 1194
dev tun

# Keys and certificates
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

# Network
# Virtual address of the VPN network
server 192.170.70.0 255.255.255.0
# This line adds the client to the router network server
push "route 192.168.1.0 255.255.255.0"
# Create a route server to the tun interface
#route 192.170.70.0 255.255.255.0

# Security
keepalive 10 120
# type of data encryption
cipher AES-128-CBC
# enabling compression
comp-lzo
# maximum number of clients allowed
max-clients 10
# no user and group specific to the use of the VPN
user nobody
group nogroup

# to make persistent connection
persist-key
persist-tun

# Log of the OpenVPN status
status /var/log/openvpn-status.log

# logs openvpnlog /var/log/openvpn.log
log-append /var/log/openvpn.log

# verbosity
verb 5

client configuration

client
dev tun
proto tcp-client
remote <my server wan IP> 1194
resolv-retry infinite
cipher AES-128-CBC

# Keys
ca ca.crt
cert client.crt
key client.key

# Security
nobind
persist-key
persist-tun
comp-lzo
verb 3

Message from the host client (fedora 17) in the log file /var/log/messages:

Dec  6 21:56:00 GlobalTIC NetworkManager[691]: <info> Starting VPN service 'openvpn'...
Dec  6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 7470
Dec  6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN service 'openvpn' appeared; activating connections
Dec  6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN plugin state changed: starting (3)
Dec  6 21:56:01 GlobalTIC NetworkManager[691]: <info> VPN connection 'Connexion VPN 1' (Connect) reply received.
Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: OpenVPN 2.2.2 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep  5 2012
Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: WARNING: file '/home/login/client/client.key' is group or others accessible
Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: UDPv4 link local: [undef]
Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: UDPv4 link remote: <my server wan IP>:1194
Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Dec  6 21:56:03 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Dec  6 21:56:07 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Dec  6 21:56:15 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Dec  6 21:56:31 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Dec  6 21:56:41 GlobalTIC NetworkManager[691]: <warn> VPN connection 'Connexion VPN 1' (IP Conf[/CODE]

ifconfig on server host(debian):

ifconfig 
eth0      Link encap:Ethernet  HWaddr 08:00:27:16:21:ac  
          inet addr:192.168.1.6  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe16:21ac/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9059 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5660 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:919427 (897.8 KiB)  TX bytes:1273891 (1.2 MiB)
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.170.70.1  P-t-P:192.170.70.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ifconfig on the client host (fedora 17)

as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 5.5.0.1  netmask 255.255.252.0  destination 5.5.0.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 200  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2  bytes 321 (321.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

as0t1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 5.5.4.1  netmask 255.255.252.0  destination 5.5.4.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 200  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2  bytes 321 (321.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

as0t2: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 5.5.8.1  netmask 255.255.252.0  destination 5.5.8.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 200  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2  bytes 321 (321.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

as0t3: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 5.5.12.1  netmask 255.255.252.0  destination 5.5.12.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 200  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2  bytes 321 (321.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

**p255p1**: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.2  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::21d:baff:fe20:b7e6  prefixlen 64  scopeid 0x20<link>
        ether 00:1d:ba:20:b7:e6  txqueuelen 1000  (Ethernet)
        RX packets 4842070  bytes 3579798184 (3.3 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3996158  bytes 2436442882 (2.2 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  

p255p1 is label for eth0 interface

and

on the server :

root@hoteserver:/etc/openvpn# tree
.
├── client
│   ├── ca.crt
│   ├── client.conf
│   ├── client.crt
│   ├── client.csr
│   ├── client.key
│   ├── client.ovpn
│
│
├── easy-rsa
│   ├── build-ca
│   ├── build-dh
│   ├── build-inter
│   ├── build-key
│   ├── build-key-pass
│   ├── build-key-pkcs12
│   ├── build-key-server
│   ├── build-req
│   ├── build-req-pass
│   ├── clean-all
│   ├── inherit-inter
│   ├── keys
│   │   ├── 01.pem
│   │   ├── 02.pem
│   │   ├── ca.crt
│   │   ├── ca.key
│   │   ├── client.crt
│   │   ├── client.csr
│   │   ├── client.key
│   │   ├── dh1024.pem
│   │   ├── index.txt
│   │   ├── index.txt.attr
│   │   ├── index.txt.attr.old
│   │   ├── index.txt.old
│   │   ├── serial
│   │   ├── serial.old
│   │   ├── server.crt
│   │   ├── server.csr
│   │   └── server.key
│   ├── list-crl
│   ├── Makefile
│   ├── openssl-0.9.6.cnf.gz
│   ├── openssl.cnf
│   ├── pkitool
│   ├── README.gz
│   ├── revoke-full
│   ├── sign-req
│   ├── vars
│   └── whichopensslcnf
├── openvpn.log
├── openvpn-status.log
├── server.conf
└── update-resolv-conf

on the client:

[login@hoteclient openvpn]$ tree 
.
|-- easy-rsa
|   |-- 1.0
|   |   |-- build-ca
|   |   |-- build-dh
|   |   |-- build-inter
|   |   |-- build-key
|   |   |-- build-key-pass
|   |   |-- build-key-pkcs12
|   |   |-- build-key-server
|   |   |-- build-req
|   |   |-- build-req-pass
|   |   |-- clean-all
|   |   |-- list-crl
|   |   |-- make-crl
|   |   |-- openssl.cnf
|   |   |-- README
|   |   |-- revoke-crt
|   |   |-- revoke-full
|   |   |-- sign-req
|   |   `-- vars
|   `-- 2.0
|       |-- build-ca
|       |-- build-dh
|       |-- build-inter
|       |-- build-key
|       |-- build-key-pass
|       |-- build-key-pkcs12
|       |-- build-key-server
|       |-- build-req
|       |-- build-req-pass
|       |-- clean-all
|       |-- inherit-inter
|       |-- keys [error opening dir]
|       |-- list-crl
|       |-- Makefile
|       |-- openssl-0.9.6.cnf
|       |-- openssl-0.9.8.cnf
|       |-- openssl-1.0.0.cnf
|       |-- pkitool
|       |-- README
|       |-- revoke-full
|       |-- sign-req
|       |-- vars
|       `-- whichopensslcnf
|-- keys -> ./easy-rsa/2.0/keys/
`-- server.conf

Is the source of the problem cipher AES-128-CBC, proto tcp-client or UDP, or the interface p255p1 on Fedora 17, or that the authentication file ta.key is not found?

Greetings, everyone!

OS-OpenSuse 42.3
OpenVPN-2.3
easyrsa- 3.0.5

Server.conf

Code:

port 1194
proto tcp
dev tun
server 192.168.99.0 255.255.255.0
push "route 192.168.90.0 255.255.255.0"
ca ca.crt
cert blic-vpn.crt
key blic-vpn.key
dh dh.pem
tls-auth ta.key 0
crl-verify crl.pem
key-direction 0
cipher AES-256-CBC
auth SHA256
explicit-exit-notify 0
ifconfig-pool-persist ipp.txt
mute 10
persist-key
persist-tun
max-clients 50
keepalive 10 900
user nobody
group nobody
status openvpn-status.log 1
status-version 3
log-append openvpn-server.log
verb 9

Client.conf

Code:

client
dev tun
remote 192.168.80.21
proto tcp
ca ca.crt
cert adm.crt
key adm.key
cipher AES-256-CBC
auth SHA256
key-direction 1
route-method exe
route-delay 2
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
tls-auth ta.key 1
auth-nocache

I set up a test OpenVPN installation and ran into the following:

The tun interface comes up.

Client logs when trying to connect to the server:

Code:

Sat Jan 12 00:51:28 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Sat Jan 12 00:51:28 2019 Windows version 6.1 (Windows 7) 64bit
Sat Jan 12 00:51:28 2019 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Sat Jan 12 00:51:28 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 12 00:51:28 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:28 2019 Attempting to establish TCP connection with [AF_INET]192.168.80.21:1194 [nonblock]
Sat Jan 12 00:51:29 2019 TCP connection established with [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:29 2019 TCP_CLIENT link local: (not bound)
Sat Jan 12 00:51:29 2019 TCP_CLIENT link remote: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:30 2019 Connection reset, restarting [-1]
Sat Jan 12 00:51:30 2019 SIGUSR1[soft,connection-reset] received, process restarting
Sat Jan 12 00:51:35 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 12 00:51:35 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:35 2019 Attempting to establish TCP connection with [AF_INET]192.168.80.21:1194 [nonblock]
Sat Jan 12 00:51:36 2019 TCP connection established with [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:36 2019 TCP_CLIENT link local: (not bound)
Sat Jan 12 00:51:36 2019 TCP_CLIENT link remote: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:36 2019 Connection reset, restarting [-1]
Sat Jan 12 00:51:36 2019 SIGUSR1[soft,connection-reset] received, process restarting
Sat Jan 12 00:51:38 2019 SIGTERM[hard,init_instance] received, process exiting

As soon as I comment out the line on the server that is responsible for certificate checking:
#crl-verify crl.pem

the client connects and works as it should.

Client log after a successful connection:

Code:

Sat Jan 12 00:56:17 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Sat Jan 12 00:56:17 2019 Windows version 6.1 (Windows 7) 64bit
Sat Jan 12 00:56:17 2019 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Sat Jan 12 00:56:17 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 12 00:56:17 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:56:17 2019 Attempting to establish TCP connection with [AF_INET]192.168.80.21:1194 [nonblock]
Sat Jan 12 00:56:18 2019 TCP connection established with [AF_INET]192.168.80.21:1194
Sat Jan 12 00:56:18 2019 TCP_CLIENT link local: (not bound)
Sat Jan 12 00:56:18 2019 TCP_CLIENT link remote: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:56:18 2019 [blic-vpn] Peer Connection Initiated with [AF_INET]192.168.80.21:1194
Sat Jan 12 00:56:20 2019 open_tun
Sat Jan 12 00:56:20 2019 TAP-WIN32 device [Подключение по локальной сети 2] opened: \\.\Global\{61223E3E-B757-452A-B418-E67442450004}.tap
Sat Jan 12 00:56:20 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.88.6/255.255.255.252 on interface {61223E3E-B757-452A-B418-E67442450004} [DHCP-serv: 192.168.88.5, lease-time: 31536000]
Sat Jan 12 00:56:20 2019 Successful ARP Flush on interface [24] {61223E3E-B757-452A-B418-E67442450004}
Sat Jan 12 00:56:20 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Jan 12 00:56:22 2019 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
Sat Jan 12 00:56:22 2019 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
Sat Jan 12 00:56:22 2019 Initialization Sequence Completed
Sat Jan 12 00:56:32 2019 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
Sat Jan 12 00:56:32 2019 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
Sat Jan 12 00:56:32 2019 SIGTERM[hard,] received, process exiting

The date and time on the server and the client do not differ; I completely deleted the test environment and generated it again.
The error recurs.

Server log when the line crl-verify crl.pem is not commented out (Ошибка.txt)
Server log when the line crl-verify crl.pem is commented out (Работает.txt)

Last edited by leksstav on 14.01.2019 15:43, edited 2 times in total.

famousdavis

Tutor

‎2018-08-19

12:24 PM

Hi, I’ve got a new Orbi router (Model RBR20) and two satellites.  The router’s firmware is V2.1.4.16.  I enabled OpenVPN on the Orbi router and it works fine with my mobile device.  When I use OpenVPN with my Windows 10 laptop, however, I get this warning message in the OpenVPN client log:

WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

Visiting the URL doesn’t do a lot of good.  There aren’t a lot of configuration settings for OpenVPN on the Orbi Advanced Settings / VPN Service menu option.  It lets me enable OpenVPN and little else, nothing to do with server certification verification.

The OpenVPN client for Windows is the latest available (V2.4.6).

What can I do, if anything, so this warning message doesn’t appear (and the implicit risk is properly mitigated)?


Message 1 of 43

funsurfer

Initiate

‎2019-03-02

09:26 PM

Re: OpenVPN warning: No server certificate verification method has been enabled

Try adding

remote-cert-tls server

to the end of your config file; that should remove the warning.

Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System


Message 42 of 43
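The fix suggested above, turned into a check you can run over a client config before deploying it. This is an added example, not NETGEAR's or OpenVPN's code; the set of directives it counts as a verification method and the finding codes are this example's assumptions, and the sample config is the Client.conf posted on this page.

```python
"""Lint an OpenVPN client config for a server-certificate verification method."""
import shlex

MESSAGES = {
    "NO_SERVER_VERIFY": "no server certificate verification method; add 'remote-cert-tls server'",
    "WRONG_PEER_TYPE": "a client must expect a 'server' certificate, not a 'client' one",
    "LEGACY_ONLY": "only the deprecated ns-cert-type is used; prefer remote-cert-tls",
}

# Assumption of this example: directives counted as a verification method.
ARG_MUST_BE_SERVER = ("remote-cert-tls", "ns-cert-type")
ANY_ARG = ("verify-x509-name", "remote-cert-eku", "tls-verify")


def parse_directives(text):
    """Return [(name, args)], skipping comments and inline <tag>...</tag> blocks."""
    directives, inline = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                      # inside <ca>, <cert>, <key>, ...
            if line == "</%s>" % inline:
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline = line[1:-1]
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:              # unbalanced quote: fall back to whitespace
            tokens = line.split()
        if tokens:
            directives.append((tokens[0].lstrip("-"), tokens[1:]))
    return directives


def lint_client_config(text):
    """Return a list of finding codes (keys of MESSAGES); empty means OK."""
    directives = parse_directives(text)
    names = {name for name, _ in directives}
    if not names & {"client", "tls-client"}:
        return []                       # not a TLS client; the warning does not apply
    findings, methods = [], set()
    for name, args in directives:
        if name in ARG_MUST_BE_SERVER:
            if args[:1] == ["server"]:
                methods.add(name)
            else:
                findings.append("WRONG_PEER_TYPE")
        elif name in ANY_ARG and args:
            methods.add(name)
    if not methods:
        findings.append("NO_SERVER_VERIFY")
    elif methods == {"ns-cert-type"}:
        findings.append("LEGACY_ONLY")
    return findings


# Client.conf as posted on this page (file names are the poster's).
PAGE_CLIENT_CONF = """\
client
dev tun
remote 192.168.80.21
proto tcp
ca ca.crt
cert adm.crt
key adm.key
cipher AES-256-CBC
auth SHA256
key-direction 1
route-method exe
route-delay 2
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
tls-auth ta.key 1
auth-nocache
"""

if __name__ == "__main__":
    for label, conf in (("as posted", PAGE_CLIENT_CONF),
                        ("with fix", PAGE_CLIENT_CONF + "remote-cert-tls server\n")):
        codes = lint_client_config(conf)
        print(label, "->", [MESSAGES[c] for c in codes] or "ok")
```

`remote-cert-tls server` only passes when the server certificate carries the TLS server extended key usage, so test the change against the real server before rolling it out to every client.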

FURRYe38

Guru

‎2018-08-19

12:54 PM

Re: OpenVPN warning: No server certificate verification method has been enabled

@DarrenM

@Christian_R

My Setup ISP SparkLight | Internet Cable 1000↓/50↑ CAX80 Modem Mode |  Wifi Router MK83+ (Router Mode) | and RBK853 (Router Mode) | Switches NG GS105/8, GS308v3, GS110MX and XS505M | Additional NG HW: C7800/CAX80/CM1100/CM1200/CM2000, Orbi: CBK40, CBK752, RBK50, RBK853, RBK752, RBK953, SXK30 | NightHawk: MK63, MR6150, R7000, R7800, R7960P, R8000, R8500, R9000, RAXE500, RAX50, XR450, XR1000, EX7500/EX7700


Message 2 of 43

Christian_R

NETGEAR Employee Retired

‎2018-08-20

10:21 AM

Re: OpenVPN warning: No server certificate verification method has been enabled


Message 3 of 43

famousdavis

Tutor

‎2018-08-20

10:41 AM

Re: OpenVPN warning: No server certificate verification method has been enabled

Thanks, Christian.

When the Orbi router does its auto-check for new firmware, it says it’s already up-to-date (on V2.1.4.16).

Any downside to upgrading the firmware using your provided link? If I wanted to downgrade the firmware back to 2.1.4.16 (if something is screwy with the newer firmware version), is that possible?

And this wouldn’t require updating the firmware on the two satellites, would it?


Message 4 of 43

FURRYe38

Guru

‎2018-08-20

10:46 AM

Re: OpenVPN warning: No server certificate verification method has been enabled

It’s recommended to manually download the FW files and then update the Satellites first, then the router. Please use a wired LAN cable connected PC or laptop for this operation.



Message 5 of 43

Christian_R

NETGEAR Employee Retired

‎2018-08-20

11:48 AM

Re: OpenVPN warning: No server certificate verification method has been enabled

@famousdavis, 

There would be no downside using the link to upgrade your firmware and yes, you will be able to downgrade back if necessary by clicking on the various firmware versions in the link provided. 

It is not required to update the firmware on the satellites but as always, upgrading to the latest firmware is recommended. 

Regards, 

Christian 


Message 6 of 43

famousdavis

Tutor

‎2018-08-20

12:18 PM

Re: OpenVPN warning: No server certificate verification method has been enabled

Does the same firmware download work for both the Orbi router and its connected satellites? Eg, the satellites don’t get their own special firmware, correct?

If I recall, the same Orbi model number is used to identify both the Orbi router and the Orbi satellites, both. I’m inferring from your last post that I could use the firmware update on both the router and its satellites.

I’ll try this out tonight and report back whatever I learn.


Message 7 of 43

FURRYe38

Guru

‎2018-08-20

12:20 PM

Re: OpenVPN warning: No server certificate verification method has been enabled

There will be separate files for the router and satellites.



Message 8 of 43

famousdavis

Tutor

‎2018-08-20

12:22 PM

Re: OpenVPN warning: No server certificate verification method has been enabled

Just saw your reply, thx. Although, weirdly, on my iPhone and laptop, I can’t scroll down to see your full reply. ??? Not happening with other posts???


Message 9 of 43

famousdavis

Tutor

‎2018-08-20

12:23 PM

Re: OpenVPN warning: No server certificate verification method has been enabled

N/M. It’s just your signature I can’t see in its entirety! :slightly_smiling_face:


Message 10 of 43

FURRYe38

Guru

‎2018-08-20

12:29 PM

Re: OpenVPN warning: No server certificate verification method has been enabled

Smiley Wink



Message 11 of 43

famousdavis

Tutor

‎2018-08-20

07:37 PM

Re: OpenVPN warning: No server certificate verification method has been enabled

After downloading the latest f/w update for the Orbi router (v2.2.0.68), I’ve decided to forestall doing anything right now to my Orbi system.

The router’s f/w update doesn’t disclose what’s been changed in the release notes.  And the f/w is only for the RBR20 router, not the RBS20 satellites.  The Netgear support site for the satellites still shows that f/w v2.1.4.16 is the latest. 

It seems based upon my poking around and watching a few videos on the Netgear support site that it’s best to keep the router and satellites on the same f/w version, so I’m hesitant to change the f/w right now to address my issue on the router, as that would put it out-of-sync with the f/w used by the satellites.  Maybe it’s not an issue at all, but I won’t know that unless I tamper with a very stable network configuration.

And since the router’s f/w release date was literally just a few days ago, I’d rather not be one of the first out of the gate.  Having a stable network is a top priority for me more than addressing my OpenVPN warning.

I’ll monitor the discussion chatter here and see if others have a similar warning as I’ve got, and if a firmware update specifically fixes that warning condition (and the MITM threat leading to the warning).

Thanks for your timely reply to my question!  Great forum!  :slightly_smiling_face:


Message 12 of 43

FURRYe38

Guru

‎2018-08-20

07:52 PM

Re: OpenVPN warning: No server certificate verification method has been enabled

Well since this post is related to certificate verification, the router only needs updating. Hoping the new FW resolves that for you. Let us know…



Message 13 of 43

famousdavis

Tutor

‎2018-08-27

07:23 PM

Re: OpenVPN warning: No server certificate verification method has been enabled

Hi all,

My curiosity got the best of me, so tonight I upgraded the RBR20 router to the latest firmware, v2.2.0.68.  After the firmware update successfully applied and my Internet connection restored, I disconnected my laptop from my home network and connected it to my mobile phone’s hotspot, so I could establish an OpenVPN connection outside my home’s network.

I connected to my hotspot fine, started OpenVPN just fine, but, alas, I get the same warning message:  «No server certificate verification method has been enabled.»

The latest router firmware doesn’t resolve this issue.  :disappointed_face:


Message 14 of 43

Ocsig

Aspirant

‎2018-09-01

12:29 PM

Re: OpenVPN warning: No server certificate verification method has been enabled

I have the same problem.  I’ve got the most recent FW and have installed and reinstalled OpenVPN 3 times.  I get the same warning every time from my laptop on iphone hotspot.  I’ve had OpenVPN working in the past, so I’m confused.

Model: RBR50| Orbi AC3000 Tri-band WiFi (Router Only)


Message 15 of 43

d-One

Aspirant

‎2018-09-17

06:34 AM

Re: OpenVPN warning: No server certificate verification method has been enabled

I have the same issue! Firmware is up to date. I have uninstalled and reinstalled the OpenVPN three times. I have re-downloaded the configuration files and replaced them three times. I spent an hour on the phone with Netgear support with no resolution! So what seems to be the problem Netgear??

Model: RBR50| Orbi AC3000 Tri-band WiFi (Router Only)


Message 16 of 43

FURRYe38

Guru

‎2018-09-17

06:59 AM

Re: OpenVPN warning: No server certificate verification method has been enabled

@Christian_R

@Blanca_O



Message 17 of 43

Christian_R

NETGEAR Employee Retired

‎2018-09-17

10:04 AM

Re: OpenVPN warning: No server certificate verification method has been enabled

@famousdavis, 

Thank you for providing an update on your issue. I have sent you a message. Please respond at your earliest convenience. 

~Christian 


Message 18 of 43

Christian_R

NETGEAR Employee Retired

‎2018-09-17

10:07 AM

Re: OpenVPN warning: No server certificate verification method has been enabled

@Ocsig,

I have sent you a message. Please check your inbox.

~Christian 


Message 19 of 43

Christian_R

NETGEAR Employee Retired

‎2018-09-17

10:11 AM

Re: OpenVPN warning: No server certificate verification method has been enabled

@d-One

Thank you for reaching out to us with expressing a similar issue as others. I have sent you a message. 

~Christian 


Message 20 of 43

birdy99

Aspirant

‎2018-09-25

04:18 PM

Re: OpenVPN warning: No server certificate verification method has been enabled

Same Problem… Just with win10… on ios config works

Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System


Message 21 of 43

ryoung81

Aspirant

‎2018-10-04

08:24 PM

Re: OpenVPN warning: No server certificate verification method has been enabled

I’m also having this issue, I’m on firmware 2.2.1.210.  Can anyone provide any insight into how I can fix the issue w/ Windows 10?

Works fine on Android.  I’ve tried downgrading OVPN to the earlier stable release, but that didn’t fix the problem either.

Model: RBR50| Orbi AC3000 Tri-band WiFi (Router Only)


Message 22 of 43

Retired_Member

Not applicable

‎2018-10-07

01:41 PM

Re: OpenVPN warning: No server certificate verification method has been enabled

Hi,

I’m having the same issue. I can connect via my iphone but not Win 10. Installed the latest firmware, but that’s made no difference. Is it something in the formatting of the ovpn file?

Thanks

Model: RBR50| Orbi AC3000 Tri-band WiFi (Router Only), RBS50| Orbi AC3000 Tri-band WiFi (Satellite Only)


Message 23 of 43

FURRYe38

Guru

‎2018-10-07

02:28 PM

Re: OpenVPN warning: No server certificate verification method has been enabled

@Blanca_O

@Christian_R



Message 24 of 43

Blanca_O

NETGEAR Moderator

‎2018-10-08

12:43 PM

Re: OpenVPN warning: No server certificate verification method has been enabled

Hi @ryoung81 and @Retired_Member 

I have sent you a message. Please check your inbox.

Regards, 
Blanca 
Community Team


Message 25 of 43

Topic: problem connecting to OPENVPN  (Read 13689 times)

sila31regiona

OPENVPN does not connect. I enter the login and password, and in the terminal it gives this error:


No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Nov 12 20:02:57 2016 NOTE: --fast-io is disabled since we are not using UDP
Sat Nov 12 20:02:57 2016 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Nov 12 20:02:57 2016 Attempting to establish TCP connection with [AF_INET]212.129.33.61:80 [nonblock]

Translation:


No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more information.
Sat 12 November 20:02:57 2016 Note: --fast-IO is disabled, since we are not using UDP
Sat 12 November 20:02:57 2016 End Buffers: R = [87380-> 87380] S = [16384-> 16384]
Sat 12 November 20:02:57 2016 Attempting to establish a TCP connection with [AF_INET] 212.129.33.61:80 [NONBLOCK]



And how do I connect to the VPN now if they have stopped using UDP and TCP?

    Username: *********
    Password: *********
    TCP 80, 443 ????
    UDP 53, 40000 ??????
    Unlimited Bandwidth
    Torrents Allowed
    No Logging

Please help me solve the problem :)


The topic starter has not appeared on the forum for more than half a year as of 22/07/2019 (last visit: 26/05/2017). The section moderator has decided to close the topic.
--zg_nico

« Last edit: 22 July 2019, 14:56:18 by zg_nico »

_»№%:?*()_+


Длиннорогий

sila31regiona, and who said that TCP is not being used?


sila31regiona


Длиннорогий

If udp is unavailable, try tcp.

nano /etc/openvpn/client.conf
or wherever your config is located. Uncomment the tcp line, comment out the udp one.

/etc/init.d/openvpn restart
and see what comes out.


sila31regiona

Look, I download the archive with the .ovpn files

https://freevpn.me/accounts/

I unpack it and open a terminal in the folder with the files

in the terminal I type ls, which shows the contents of the folder

then I enter openvpn FreeVPN.me-TCP80.ovpn

I press Enter and this is displayed

Sat Nov 12 21:16:06 2016 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016
Sat Nov 12 21:16:06 2016 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Enter Auth Username: here I enter freevpnme

I press Enter

Enter Auth Password: here I enter the password 0jnyTti8E

then I see this:


Here is what is in the file FreeVPN.me-TCP80.ovpn:


The user added a message on 12 November 2016, 22:38:09:


I connected the VPN, but only by another method that takes much longer, like this:

https://www.youtube.com/watch?v=196_HoLIDIA

but I would like to do it the old way through the terminal, it is much faster))


https://www.youtube.com/watch?v=Lp5vT4sGXmI

« Last edit: 12 November 2016, 22:38:09 by sila31regiona »


Multik001

I ran into the same problem… during the day I set everything up following the video above… it worked for about 2 hours, then it broke and now it cannot connect…


EvangelionDeath

look

We looked. But it seems you did not read the log yourself? It says:

Sat Nov 12 21:25:32 2016 AUTH: Received control message: AUTH_FAILED

No, I understand, a newcomer and all that. But you could have read the log yourself without convening a council. If you are still looking at it with uncomprehending eyes, contact the service's support, because the authorization data is invalid; accordingly, the problem is not in OpenVPN.

I do not have the right to close the topic, so we will wait.

HP Pro 840 G3: Intel i5-6300U, 32GB DDR4 2133MHz, Intel 520, Intel Pro 2500 180GB/Ubuntu 22.04
Dell Latitude 5590: Intel i5-8350U, 16GB DDR4 2400MHz, Intel 620, Samsung 1TB/Ubuntu 22.04
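The point made in the post above, that the certificate-verification warning is advisory and the real cause sits on a later log line, applied to the logs quoted on this page. This is an added example, not code from any poster; the rule codes and the `triage` function are this example's own, and the sample lines are copied from the Fedora client log and the AUTH_FAILED line quoted on this page.

```python
"""Separate advisory OpenVPN warnings from the log line that explains a failed connect."""
import re

# (code, is_failure, pattern). Patterns match log lines quoted on this page.
RULES = [
    ("NO_SERVER_VERIFY", False, re.compile(r"No server certificate verification method")),
    ("KEY_FILE_PERMS", False, re.compile(r"WARNING: file '[^']+' is group or others accessible")),
    ("CONN_REFUSED", True, re.compile(r"\[ECONNREFUSED\]")),
    ("CONN_RESET", True, re.compile(r"Connection reset, restarting")),
    ("AUTH_FAILED", True, re.compile(r"Received control message: AUTH_FAILED")),
    ("TLS_TIMEOUT", True, re.compile(r"TLS key negotiation failed to occur")),
    ("NO_CLIENT_CERT", True, re.compile(r"peer did not return a certificate")),
]
# "UDPv4 link remote:", "TCP_CLIENT link remote:", "TCPv4_CLIENT link remote:" ...
LINK = re.compile(r"\b(UDP|TCP)(?:v[46])?(?:_CLIENT|_SERVER)? link remote:")


def triage(lines, configured_proto=None):
    """Classify log lines; optionally compare the transport in use with the config's proto."""
    result = {"transport": None, "warnings": [], "failures": [], "proto_mismatch": False}
    for line in lines:
        link = LINK.search(line)
        if link:
            result["transport"] = link.group(1).lower()
        for code, is_failure, pattern in RULES:
            bucket = result["failures" if is_failure else "warnings"]
            if pattern.search(line) and code not in bucket:
                bucket.append(code)
    if configured_proto and result["transport"]:
        # "tcp-client", "tcp", "udp", "udp4" ... all start with the transport name
        result["proto_mismatch"] = configured_proto[:3].lower() != result["transport"]
    return result


# Lines from the Fedora client log on this page (syslog prefix shortened, markup removed).
FEDORA_CLIENT_LOG = """\
nm-openvpn[7472]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
nm-openvpn[7472]: WARNING: file '/home/login/client/client.key' is group or others accessible
nm-openvpn[7472]: UDPv4 link local: [undef]
nm-openvpn[7472]: UDPv4 link remote: <my server wan IP>:1194
nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
""".splitlines()

# The warning plus the failure line quoted in the post above.
FREEVPN_LOG = """\
No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Nov 12 21:25:32 2016 AUTH: Received control message: AUTH_FAILED
""".splitlines()

if __name__ == "__main__":
    # That poster's client config says "proto tcp-client", yet the log shows UDPv4.
    print(triage(FEDORA_CLIENT_LOG, configured_proto="tcp-client"))
    print(triage(FREEVPN_LOG))
```

In both samples the warning appears, but the connection fails for a different reason: a refused UDP port in one, rejected credentials in the other.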


Multik001

So what could the problem be? Is the provider blocking the VPN (MGTS is quite a piece of cr…) or did https://freevpn.me itself let me use it for about 5 hours and that was it…
With the recent events around Telegram and RKN, lots of newcomers are now getting into this VPN topic, but they run into a lot of problems… The first thing that comes up on YouTube is the video https://www.youtube.com/watch?v=Lp5vT4sGXmI and on the first setup everything works fine, but then a failure occurs and it is no longer possible to connect(((
I will try later on a clean system and report back.


The user added a message on 20 April 2018, 16:46:35:


I tried on a clean system, the result is the same((
Can you tell me what the problem might be?

« Last edit: 20 April 2018, 16:46:37 by Multik001 »


EvangelionDeath

Multik001, the cause is that the provider has already blocked the VPN's IP.

I am testing OpenVPN on a remote VPS and cannot connect. I set it up following this tutorial. Can you tell me what the problem might be?

connection log

Fri Mar 28 12:48:47 2014 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Fri Mar 28 12:48:50 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Mar 28 12:48:50 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Mar 28 12:48:50 2014 LZO compression initialized
Fri Mar 28 12:48:50 2014 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Mar 28 12:48:50 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Mar 28 12:48:50 2014 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Mar 28 12:48:50 2014 Local Options hash (VER=V4): 'd3a7571a'
Fri Mar 28 12:48:50 2014 Expected Remote Options hash (VER=V4): '5b1533a2'
Fri Mar 28 12:48:50 2014 UDPv4 link local: [undef]
Fri Mar 28 12:48:50 2014 UDPv4 link remote: *ip*:1194
Fri Mar 28 12:49:04 2014 TLS: Initial packet from *ip*:1194, sid=dc12be0a 9daee0c4
Fri Mar 28 12:49:04 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Mar 28 12:49:37 2014 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=changeme/name=changeme/emailAddress=mail@host.domain
Fri Mar 28 12:49:37 2014 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=server/name=changeme/emailAddress=mail@host.domain
Fri Mar 28 12:49:50 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Mar 28 12:49:50 2014 TLS Error: TLS handshake failed
Fri Mar 28 12:49:50 2014 TCP/UDP: Closing socket
Fri Mar 28 12:49:50 2014 SIGUSR1[soft,tls-error] received, process restarting

var/log/messages

Mar 28 12:22:57 4dfd147a-abd5-4bde-9511-00a1cc04ec56 openvpn[21023]: MY_IP:PORT TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Mar 28 12:22:57 4dfd147a-abd5-4bde-9511-00a1cc04ec56 openvpn[21023]: MY_IP:PORT TLS Error: TLS object -> incoming plaintext read error
Mar 28 12:22:57 4dfd147a-abd5-4bde-9511-00a1cc04ec56 openvpn[21023]: MY_IP:PORT TLS Error: TLS handshake failed
Mar 28 12:22:57 4dfd147a-abd5-4bde-9511-00a1cc04ec56 openvpn[21023]: MY_IP:PORT SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 28 12:23:57 4dfd147a-abd5-4bde-9511-00a1cc04ec56 openvpn[21023]: MY_IP:PORT TLS: Initial packet from [AF_INET]MY_IP:PORT, sid=6ee022fb cf324eca
Mar 28 12:24:57 4dfd147a-abd5-4bde-9511-00a1cc04ec56 openvpn[21023]: MY_IP:PORT TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 28 12:24:57 4dfd147a-abd5-4bde-9511-00a1cc04ec56 openvpn[21023]: MY_IP:PORT TLS Error: TLS handshake failed
Mar 28 12:24:57 4dfd147a-abd5-4bde-9511-00a1cc04ec56 openvpn[21023]: MY_IP:PORT SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 28 12:32:43 4dfd147a-abd5-4bde-9511-00a1cc04ec56 openvpn[21023]: MY_IP:PORT TLS: Initial packet from [AF_INET]MY_IP:PORT, sid=b95a9146 f3028138
Mar 28 12:33:04 4dfd147a-abd5-4bde-9511-00a1cc04ec56 openvpn[21023]: MY_IP:PORT TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Mar 28 12:33:04 4dfd147a-abd5-4bde-9511-00a1cc04ec56 openvpn[21023]: MY_IP:PORT TLS Error: TLS object -> incoming plaintext read error
Mar 28 12:33:04 4dfd147a-abd5-4bde-9511-00a1cc04ec56 openvpn[21023]: MY_IP:PORT TLS Error: TLS handshake failed
Mar 28 12:33:04 4dfd147a-abd5-4bde-9511-00a1cc04ec56 openvpn[21023]: MY_IP:PORT SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 28 12:33:44 4dfd147a-abd5-4bde-9511-00a1cc04ec56 openvpn[21023]: MY_IP:PORT TLS: Initial packet from [AF_INET]MY_IP:PORT, sid=6db967fe 9f5adbd3
Mar 28 12:34:06 4dfd147a-abd5-4bde-9511-00a1cc04ec56 openvpn[21023]: MY_IP:PORT TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Mar 28 12:34:06 4dfd147a-abd5-4bde-9511-00a1cc04ec56 openvpn[21023]: MY_IP:PORT TLS Error: TLS object -> incoming plaintext read error
Mar 28 12:34:06 4dfd147a-abd5-4bde-9511-00a1cc04ec56 openvpn[21023]: MY_IP:PORT TLS Error: TLS handshake failed
Mar 28 12:34:06 4dfd147a-abd5-4bde-9511-00a1cc04ec56 openvpn[21023]: MY_IP:PORT SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 28 12:34:46 4dfd147a-abd5-4bde-9511-00a1cc04ec56 openvpn[21023]: MY_IP:PORT TLS: Initial packet from [AF_INET]MY_IP:PORT, sid=90e5468a 0d86403b

server.conf

dev tun

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

keepalive 10 120
comp-lzo

user nobody
group nobody

persist-key
persist-tun

status openvpn-status.log
verb 3

server.ovpn

client
dev tun
proto udp
remote *IP* 1194
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3

Hi guys,
For those who simply want to change location, like me, and have no network knowledge:
Can you be more specific about which file to customize and where it is located? Where in the file can I add your code?
Because I can't find the client config file, only client.ovpn (C:\Program Files\OpenVPN\sample-config)


Mon Mar 27 17:05:42 2023 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
Mon Mar 27 17:05:42 2023 OpenVPN 2.6.1 [git:v2.6.1/2c2a98a0e559928c] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Mar  8 2023
Mon Mar 27 17:05:42 2023 Windows version 10.0 (Windows 10 or greater), amd64 executable
Mon Mar 27 17:05:42 2023 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
Mon Mar 27 17:05:42 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Mon Mar 27 17:05:42 2023 Need hold release from management interface, waiting...
Mon Mar 27 17:05:42 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:51102
Mon Mar 27 17:05:43 2023 MANAGEMENT: CMD 'state on'
Mon Mar 27 17:05:43 2023 MANAGEMENT: CMD 'log on all'
Mon Mar 27 17:05:43 2023 MANAGEMENT: CMD 'echo on all'
Mon Mar 27 17:05:43 2023 MANAGEMENT: CMD 'bytecount 5'
Mon Mar 27 17:05:43 2023 MANAGEMENT: CMD 'state'
Mon Mar 27 17:05:43 2023 MANAGEMENT: CMD 'hold off'
Mon Mar 27 17:05:43 2023 MANAGEMENT: CMD 'hold release'
**Mon Mar 27 17:05:43 2023 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.**
Mon Mar 27 17:05:43 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]113.166.128.178:8443
Mon Mar 27 17:05:43 2023 ovpn-dco device [OpenVPN Data Channel Offload] opened
Mon Mar 27 17:05:43 2023 UDP link local: (not bound)
Mon Mar 27 17:05:43 2023 UDP link remote: [AF_INET]113.166.128.178:8443
Mon Mar 27 17:05:43 2023 MANAGEMENT: >STATE:1679911543,WAIT,,,,,,
Mon Mar 27 17:05:45 2023 MANAGEMENT: >STATE:1679911545,AUTH,,,,,,
Mon Mar 27 17:05:45 2023 TLS: Initial packet from [AF_INET]113.166.128.178:8443, sid=bf66666d 85a66410
Mon Mar 27 17:05:46 2023 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
Mon Mar 27 17:05:46 2023 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
Mon Mar 27 17:05:46 2023 VERIFY OK: depth=0, CN=opengw.net
Mon Mar 27 17:05:46 2023 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Mon Mar 27 17:05:46 2023 [opengw.net] Peer Connection Initiated with [AF_INET]113.166.128.178:8443
Mon Mar 27 17:05:46 2023 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Mon Mar 27 17:05:46 2023 TLS: tls_multi_process: initial untrusted session promoted to trusted
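
An added example, not part of any post above: a small audit of an OpenVPN client profile that reports whether any server-certificate check is configured (the condition the WARNING line in these logs reports) and whether the profile carries a client certificate at all. The directive set is assembled from the OpenVPN manual for this example, the function names are hypothetical, and the "fixed" profile uses invented file names.

```python
import shlex

# Client directives that pin which certificate the server may present, beyond
# "signed by our CA". Set assembled from the OpenVPN manual for this example.
VERIFY_DIRECTIVES = {"remote-cert-tls", "remote-cert-eku", "ns-cert-type",
                     "verify-x509-name", "tls-remote", "tls-verify"}

def parse_ovpn(text):
    """Map each directive to its argument lists; inline <tag> blocks count as set."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                          # skip the PEM body of <ca>...</ca> etc.
            inline = None if line == f"</{inline}>" else inline
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            opts.setdefault(inline, []).append(["[inline]"])
            continue
        name, *args = shlex.split(line, comments=True)
        opts.setdefault(name.lstrip("-"), []).append(args)
    return opts

def verifies_server(opts):
    for name in VERIFY_DIRECTIVES & opts.keys():
        takes_role = name in ("remote-cert-tls", "ns-cert-type")
        if not takes_role or any(a[:1] == ["server"] for a in opts[name]):
            return True
    return False

def audit_client(text):
    opts = parse_ovpn(text)
    if not ({"client", "tls-client"} & opts.keys()):
        return []                           # not a TLS client profile
    findings = []
    if not verifies_server(opts):           # what the WARNING line reports
        findings.append("no-server-cert-verification")
    if "pkcs12" not in opts and not {"cert", "key"} <= opts.keys():
        findings.append("no-client-cert")   # handshake fails if server requires one
    return findings

# Abridged from the client profile posted above as server.ovpn.
POSTED = "client\nproto udp\nremote *IP* 1194\nca ca.crt\nauth-user-pass\nverb 3\n"
# Constructed variant: adds the check and a client key pair (file names invented).
FIXED = POSTED + "remote-cert-tls server\ncert client.crt\nkey client.key\n"

if __name__ == "__main__":
    print(audit_client(POSTED), audit_client(FIXED))
```

The `no-client-cert` finding only matters when the server demands client certificates, which is what `peer did not return a certificate` in a server log indicates. On Windows the directive goes into the `.ovpn` profile the client actually loads, one directive per line.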
