arronar Posted May 24, 2018

Hi. After installing OpenVPN (apt install openvpn) I'm trying to run a VPN client on ARMBIAN 5.38 (9 stretch) 4.14.18-sunxi and I'm getting the following error when executing:

    sudo openvpn --config /etc/openvpn/client/myVPN.conf

    Thu May 24 16:30:56 2018 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
    Thu May 24 16:30:56 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
    Thu May 24 16:30:56 2018 Cannot load CA certificate file ca.crt (no entries were read)
    Thu May 24 16:30:56 2018 Exiting due to fatal error

In the /etc/openvpn/client there are

    -rw-r--r-- 1 root root 20480 May 24 14:41 ca.crt
    -rw-r--r-- 1 root root  2652 May 24 15:21 myVPN.conf
    -rw------- 1 root root   636 Mar  8  2017 ta.key
    -rw-r--r-- 1 root root  5309 Mar 18  2017 vpnRouter.crt
    -rw------- 1 root root  1704 Mar 18  2017 vpnRouter.key

while the myVPN.conf file looks like

    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    client

    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    dev tun

    # Are we connecting to a TCP or
    # UDP server? Use the same setting as
    # on the server.
    proto udp

    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote <ip> 1194

    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server. Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite

    # Most clients don't need to bind to
    # a specific local port number.
    nobind

    # Try to preserve some state across restarts.
    persist-key
    persist-tun

    # SSL/TLS parms.
    # See the server config file for more
    # description. It's best to use
    # a separate .crt/.key file pair
    # for each client. A single ca
    # file can be used for all clients.
    ca ca.crt
    cert vpnRouter.crt
    key vpnRouter.key

    # Verify server certificate by checking
    # that the certificate has the nsCertType
    # field set to "server". This is an
    # important precaution to protect against
    # a potential attack discussed here:
    # http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server". The build-key-server
    # script in the easy-rsa folder will do this.
    ; ns-cert-type server

    # If a tls-auth key is used on the server
    # then every client must also have the key.
    tls-auth ta.key 1

    #To avoid a possible Man-in-the-Middle attack where an authorized
    #client tries to connect to another client by impersonating the
    #server, make sure to enforce some kind of server certificate
    #verification by clients.
    ns-cert-type server

    # Cryptographic algorithm
    cipher AES-256-CBC

    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the server config file.
    comp-lzo

    # Set log file verbosity.
    verb 3

Any idea on what that means? I googled it and couldn't find anything helpful.

zador.blood.stained Posted May 24, 2018

Possibly your CA certificate is malformed or invalid.

21 minutes ago, arronar said:

    -rw-r--r-- 1 root root 20480 May 24 14:41 ca.crt

The file size looks too large for a usual CA certificate. Please try to open it in a text editor and check if it looks like this

    -----BEGIN CERTIFICATE-----
    <several lines of characters>
    -----END CERTIFICATE-----

or try to verify it with openssl

    openssl verify -CAfile /etc/openvpn/client/ca.crt /etc/openvpn/client/ca.crt

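The two checks suggested in the answer above (PEM markers present, file parses as a certificate) can be scripted as a pre-flight test for the file named by the `ca` directive. This is an added example, not part of the thread; the function names `pem_cert_count` and `check_ca_file` are made up for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the file given to OpenVPN's "ca" directive.

# Print the number of complete PEM certificate blocks in file $1.
# A block counts only if BEGIN and END markers pair up and every
# line between them is base64 text.
pem_cert_count() {
    LC_ALL=C awk '
        /^-----BEGIN CERTIFICATE-----[ \t\r]*$/ { inside = 1; ok = 1; body = 0; next }
        /^-----END CERTIFICATE-----[ \t\r]*$/   { if (inside && ok && body > 0) n++; inside = 0; next }
        inside { body++; if ($0 !~ /^[A-Za-z0-9+\/=]+[ \t\r]*$/) ok = 0 }
        END { print n + 0 }
    ' "$1"
}

# Return 0 if $1 looks like a usable CA file, 1 if it holds no
# certificate, 2 if it cannot be read.
check_ca_file() {
    f=$1
    [ -r "$f" ] || { echo "$f: missing or unreadable"; return 2; }
    n=$(pem_cert_count "$f")
    if [ "$n" -eq 0 ]; then
        # Consistent with the "no entries were read" error in the log above.
        echo "$f: no PEM certificate blocks found ($(wc -c < "$f") bytes)"
        return 1
    fi
    echo "$f: $n PEM certificate block(s)"
    # If openssl is installed, confirm the first block parses as X.509
    # and show whose certificate it is and when it expires.
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$f" -noout -subject -enddate || return 1
    fi
    return 0
}

# Run only when a path is given, e.g.: sh check_ca.sh /etc/openvpn/client/ca.crt
if [ $# -gt 0 ]; then
    check_ca_file "$1"
fi
```

A wrong file copied into place, as in this thread, fails the marker count before OpenVPN is ever started.
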
arronar Posted May 24, 2018

You are right. I copied a wrong file. Thank you very much.