arronar Posted May 24, 2018

Hi. After installing OpenVPN (apt install openvpn) I'm trying to run a VPN client on ARMBIAN 5.38 (9 stretch) 4.14.18-sunxi and I'm getting the following error when executing:

    sudo openvpn --config /etc/openvpn/client/myVPN.conf

Quote

    Thu May 24 16:30:56 2018 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
    Thu May 24 16:30:56 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
    Thu May 24 16:30:56 2018 Cannot load CA certificate file ca.crt (no entries were read)
    Thu May 24 16:30:56 2018 Exiting due to fatal error

In the /etc/openvpn/client there are

Quote

    -rw-r--r-- 1 root root 20480 May 24 14:41 ca.crt
    -rw-r--r-- 1 root root  2652 May 24 15:21 myVPN.conf
    -rw------- 1 root root   636 Mar  8  2017 ta.key
    -rw-r--r-- 1 root root  5309 Mar 18  2017 vpnRouter.crt
    -rw------- 1 root root  1704 Mar 18  2017 vpnRouter.key

while the myVPN.conf file looks like

    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    client

    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    dev tun

    # Are we connecting to a TCP or
    # UDP server? Use the same setting as
    # on the server.
    proto udp

    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote <ip> 1194

    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server. Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite

    # Most clients don't need to bind to
    # a specific local port number.
    nobind

    # Try to preserve some state across restarts.
    persist-key
    persist-tun

    # SSL/TLS parms.
    # See the server config file for more
    # description. It's best to use
    # a separate .crt/.key file pair
    # for each client. A single ca
    # file can be used for all clients.
    ca ca.crt
    cert vpnRouter.crt
    key vpnRouter.key

    # Verify server certificate by checking
    # that the certicate has the nsCertType
    # field set to "server". This is an
    # important precaution to protect against
    # a potential attack discussed here:
    # http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server". The build-key-server
    # script in the easy-rsa folder will do this.
    ; ns-cert-type server

    # If a tls-auth key is used on the server
    # then every client must also have the key.
    tls-auth ta.key 1

    #To avoid a possible Man-in-the-Middle attack where an authorized
    #client tries to connect to another client by impersonating the
    #server, make sure to enforce some kind of server certificate
    #verification by clients.
    ns-cert-type server

    # Cryptographic algorithm
    cipher AES-256-CBC

    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the server config file.
    comp-lzo

    # Set log file verbosity.
    verb 3

Any idea on what that means? I googled it and couldn't find anything helpful.

zador.blood.stained Posted May 24, 2018

Possibly your CA certificate is malformed or invalid.

21 minutes ago, arronar said:

    -rw-r--r-- 1 root root 20480 May 24 14:41 ca.crt

The file size looks too large for a usual CA certificate. Please try to open it in a text editor and check if it looks like this

    -----BEGIN CERTIFICATE-----
    <several lines of characters>
    -----END CERTIFICATE-----

or try to verify it with openssl

    openssl verify -CAfile /etc/openvpn/client/ca.crt /etc/openvpn/client/ca.crt
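
The text-editor check suggested above, as an added example that is not part of the original thread: it counts the PEM certificate blocks in a file and tests whether each decodes to a plausible DER structure, since "no entries were read" means no certificate could be loaded from the file. The function names `inspect_ca_file` and `der_sequence_ok` are hypothetical, and the check is structural only (it does not validate signatures, dates or the chain).

```python
import base64
import binascii
import re

# One PEM certificate block: BEGIN line, base64 body, END line.
PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

def der_sequence_ok(der: bytes) -> bool:
    """True if der is a single ASN.1 SEQUENCE whose length covers the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first == len(der)
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)

def inspect_ca_file(data: bytes) -> dict:
    """Report size, number of PEM blocks, and how many decode to plausible DER."""
    blocks = PEM_CERT.findall(data)
    plausible = 0
    for body in blocks:
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error:
            continue                      # markers present but body is not base64
        plausible += int(der_sequence_ok(der))
    return {"size": len(data), "pem_blocks": len(blocks),
            "plausible": plausible, "binary": b"\x00" in data}

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:             # e.g. /etc/openvpn/client/ca.crt
        with open(path, "rb") as fh:
            report = inspect_ca_file(fh.read())
        verdict = "ok" if report["plausible"] else "no usable certificate entries"
        print(f"{path}: {report} -> {verdict}")
```

A file that reports `pem_blocks: 0` is not a PEM certificate at all, whatever its name says.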

arronar (Author) Posted May 24, 2018

You are right. I copied a wrong file. Thank you very much.