#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# «C:\\Program Files\\OpenVPN\\config\\foo.key» #
# #
# Comments are preceded with ‘#’ or ‘;’ #
#################################################
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
# TCP or UDP server?
;proto tcp
proto udp
# «dev tun» will create a routed IP tunnel,
# «dev tap» will create an ethernet tunnel.
# Use «dev tap0» if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use «dev-node» for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don’t need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the «easy-rsa» directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see «pkcs12» directive in man page).
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
dh /etc/openvpn/dh.pem
# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
topology subnet
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS’s bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS’s bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push «route 192.168.10.0 255.255.255.0»
;push «route 192.168.20.0 255.255.255.0»
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory «ccd» for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name «Thelonious»
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious’ private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using «dev tun» and «server» directives.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push «redirect-gateway def1 bypass-dhcp»
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push «dhcp-option DNS 208.67.222.222»
push «dhcp-option DNS 208.67.220.220»
# Uncomment this directive to allow different
# clients to be able to «see» each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server’s TUN/TAP interface.
;client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE «COMMON NAME»,
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an «HMAC firewall»
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn —genkey tls-auth ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be ‘0’
# on the server and ‘1’ on the clients.
;tls-auth ta.key 0 # This file is secret
tls-crypt /etc/openvpn/myvpn.tlsauth
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
# Enable compression on the VPN link and push the
# option to the client (v2.4+ only, for earlier
# versions see below)
;compress lz4-v2
;push «compress lz4-v2»
# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
;comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# It’s a good idea to reduce the OpenVPN
# daemon’s privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the «\Program Files\OpenVPN\log» directory).
# Use log or log-append to override this default.
# «log» will truncate the log file on OpenVPN startup,
# while «log-append» will append to it. Use one
# or the other (but not both).
;log openvpn.log
;log-append openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1
Перейти к содержимому
Недорогой хостинг для сайтов
OpenSSL: error:14089086:SSL routines: ssl3_get_client_certificate:certificate verify failed TLS_ERROR: BIO read tls_read_plaintext error TLS Error: TLS object -> incoming plaintext read error TLS Error: TLS handshake failed TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:60382, sid=c9c9a1f3 02ce9312 VERIFY ERROR: depth=0, error=CRL hasexpired: CN=client_name SIGUSR1[soft,tls-error] received, client-instance restarting
Сегодня речь пойдет об одном нюансе, связанном со списком отозванных сертификатов (Сertificate Revocation List, CRL) в OpenVPN. Данный механизм применяется, когда требуется блокировать доступ отдельных узлов к сети (в случае увольнения сотрудника или подозрения что выданный сертификат скомпрометирован).
В какой-то момент времени, может возникнуть ошибка OpenVPN CRL has expired (просрочен список CRL) и клиенты перестают подключаться. Убедиться, что проблема именно в этом довольно просто, достаточно закомментировать в конфиге сервера строку проверки отозванных сертификатов и перезапустить сервер.
crl-verify crl.pem
После чего клиенты спокойно начнут подключаться.
Обновление списка отозванных сертификатов OpenVPN
Для решения проблемы со списком CRL надо этот список обновить. Делается это элементарно, о чём я уже рассказывал в статье про отзыв пользовательских сертификатов OpenVPN на FreeBSD 10/11:
# cd /usr/local/etc/openvpn/easy-rsa # ./easyrsa.real gen-crl
Почему возникла данная проблема? Дело в том, что периодичность обновление списка отозванных сертификатов задаётся в переменной default_crl_days в конфиге /usr/local/openvpn/easy-rsa/openssl-1.0.cnf:
default_crl_days= $ENV::EASYRSA_CRL_DAYS # how long before next CRL
Сами значения переменных задаются в файле /usr/local/openvpn/easy-rsa/vars. По умолчанию обновление списка CRL происходит каждые 180 дней (можно задать своё значение, например 365 дней) :
#set_var EASYRSA_CRL_DAYS 180
Рекомендуемый контент
Мы используем файлы cookie на нашем веб-сайте, чтобы предоставить вам наиболее релевантный опыт, запоминая ваши предпочтения и повторные посещения. Нажимая «Принять все», вы соглашаетесь на использование ВСЕХ файлов cookie. Однако вы можете посетить «Настройки файлов cookie», чтобы предоставить контролируемое согласие.
I am trying to manually install openvpn 2.4.8 on my kali 2020.1, and it shows
configure: error: openssl check failed
I looked at many threads such as this and this, but couldn’t fix it.
What is the reason and how to fix this?
asked Mar 9, 2020 at 12:49
sh.3.llsh.3.ll
8157 silver badges17 bronze badges
Short version : libssl-dev library is missing which can be fixed by running
apt-get install libssl-dev
answered Mar 16, 2021 at 17:18
Install OpenVPN 2.4.7
Visit https://openvpn.net/community-downloads/
Download via
#wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.7.tar.gz
#tar xfz openvpn-2.4.7.tar.gz
#cd openvpn-2.4.7
#./configure
Output:
checking for a BSD-compatible install… /usr/bin/install -c
checking whether build environment is sane… ye
schecking for a thread-safe mkdir -p… /bin/mkdir
.
.
[truncated output]
.
checking for SSL_CTX_new… no
configure: error: openssl check failed
Install OpenSSL
Visit https://www.openssl.org/source
Download via
#wget https://www.openssl.org/source/openssl-1.0.2s.tar.gz
#tar xvf openssl-1.0.2.tar.gz
#./config -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)'
#make
#make install
Output:
#bash: /usr/bin/openssl: No such file or directory
Run Commands:
#ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
#ln -s /usr/local/ssl/bin/openssl /usr/local/bin/openssl
Note:
-openssl may or may not be needed. Since I uninstalled openssl to install latest version. Steps are mentioned below.
-/usr/local/bin is for locally compiled package and /usr/bin is for trivial binaries not needed in single user mode
Try Installing OpenVPN
#./configure
#make
#make install
#openvpn — version
Output:
#OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 26 2019library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08Originally developed by James YonanCopyright © 2002–2018 OpenVPN Inc <sales@openvpn.net>
For the error “configure: error: ssl is required but missing”
#apt-get install libssl-dev
For the error “configure: error: lzo enabled but missing”
#apt-get install liblzo2-de
For the error “configure: error: libpam required but missing “
#apt-get install libpam0g-dev
Note:
-Sudo is not used as the vm was running as root. Also we can specify manually where to install ssl libraries,etc. It is just a general workaround.
answered Mar 14, 2020 at 20:06
1
Issue
When configure openvpn with the command below.
./configure --prefix=/opt/openvpn-2.4.9But the following error occurs.
checking for setcon in -lselinux... no
checking for pam_start in -lpam... no
checking for PKCS11_HELPER... no
checking for OPENSSL... no
checking for SSL_CTX_new... no
configure: error: openssl check failedSolution
We should install openssl.
1. Install from source
Download the source and config.
$ wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz
$ tar xf openssl-1.1.1g.tar.gz
$ cd openssl-1.1.1g
$ ./config
$ make
$ make test
$ make install2. Install with command
Ubuntu/Debian
- On the https://pkgs.org/search/?q=libssl webpage, find the
libssl-devpackages that match your operating system, download and install. - Use the
apt-getcommand.
sudo apt-get install libssl-devRHEL/CentOS
- On the https://pkgs.org/search/?q=openssl-devel webpage, find the
openssl-develpackages that match your operating system, download and install. - Use the
yumcommand.
sudo yum install openssl-devel
v.2.4.5 cannot connect to already configured VPN servers with self-signed certificates showing the error like «OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed».
2.4.4 connects OK with the same server settings and ovpn configuration files.
2.4.5 is built with openssl 1.1.0 so it will reject weak signature algorithms like MD5 — If that is the case, the logs will show a line above the one you posted with «VERIFY ERROR: ….. signature digest algorithm too weak»
If so, try to convince the server admin to upgrade the server certificate. No excuse for using MD5 in certificates. If that is not an option you could run with --tls-cipher DEFAULT:@SECLEVEL=0, but its not recommended.
I am not sure about MD5, anyway — VPN server is working on Asus router and I don’t know will it allow to change signature algorithm.
tls-cipher DEFAULT:@SECLEVEL=0 works good, thank you.
SECLEVEL=0 is only a temporary quick fix — do not use it as a long-term solution.
I am going to discuss it with firmware developer.
@selvanair This is exactly what we need: a short temporary fix, but that’s the only solution ATM until we can regenerate our certificates.
Can you please help me set this up?
I’m on openSUSE and i just can’t connect to VPN. Where do i set this? I’ve looked everywhere (except in the right place, naturally)
You add that option to the client config.
@selvanair Yes, but where’s that? In command Line? on the config file? On NetworkManager?
Let me say this first: working around MD5 certificates is not the right solution — especially so for someone who has no clue how to add a config option. Get the server admin to update the certificate.
That said, config options can go into the command line or the config file. Front ends like NM have their own way of inputting options and not all options may be supported that way — but eventually the option has to end up on the command line or the config file of the openvpn process. I’ve no idea how you are running openvpn on your SUSE desktop. I use Debian and all my configs are text files in /etc/openvpn/ in case that helps.
Anyway, if you are not asking about OpenVPN Windows GUI, this is the wrong place:) Seeking help in the users IRC channel (openvpn on irc.freenode.net) may be more appropriate — also see https://community.openvpn.net/openvpn/wiki/GettingHelp
I understand your concerns and i thank you for your advice! 
I only asked where/how because i already tried all the steps you talked about before starting to ask for help…
i tried the terminal — that somehow does not allow me to use the command, and adding the config option to the file you mentioned (that in SUSE is in that directory as well). Using NM, i do not find any place i can use to either activate the option or set the command to be used.
That «weird» results are the reason i asked detailed instructions (going to as simple things as even adding the option to the config file). I think i should be humble enough to consider that it i that is doing some small detail wrongly.
That said, i’ll try to get around this in irc, then. Thank you for reply & help
We do not have any MD5 signed certificates. Would the same error be thrown when the local CA is signed with SHA1, but the client certificate is signed SHA256? I believe the WEBCA forum mentioned this problem over a year ago.
SHA1 is considered too weak and has been deprecated as well. SHA256 should be good.
Hi,
On Sat, Oct 06, 2018 at 08:39:30AM -0700, ssameer wrote:
SHA1 is considered too weak and has been deprecated as well. SHA256 should be good.
For HMAC usage, SHA1 is still fine. Just not for certificates.
Even MD5 hasn’t been broken *for HMAC*.
gert
…
—
«If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor.»
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering — Munich, Germany gert@greenie.muc.de
Actually, the bug in the openvpn is that it output something like
TLS_ERROR: BIO read tls_read_plaintext error
instead of human-readable message about low security of MD5 hashes. This should be fixed.
If the error is due to weak hash in the certificate, the logs will also show something like: «VERIFY ERROR: ….. signature digest algorithm too weak».