Bonjour,

j’ai besoin de faire un vpn entre le boulot et mon portable (qui se ballade donc). Dans un premier temps, je veux faire fonctionner ce vpn en local.
j’ai donc suivi le tuto de coagul et le serveur est normalement OK (je peux le pinger), les clefs sont faites et tout et tout.
Je configure le client et là c’est le drame, voici le message d’erreur obtenu :

---

Thu Mar 12 09:54:07 2009 OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
Thu Mar 12 09:54:07 2009 WARNING: file ‘regis.key’ is group or others accessible
Thu Mar 12 09:54:07 2009 /usr/bin/openssl-vulnkey -q -b 1024 -m
Thu Mar 12 09:54:07 2009 LZO compression initialized
Thu Mar 12 09:54:07 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Mar 12 09:54:07 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Mar 12 09:54:07 2009 Local Options hash (VER=V4): '69109d17’
Thu Mar 12 09:54:07 2009 Expected Remote Options hash (VER=V4): 'c0103fa8’
Thu Mar 12 09:54:07 2009 Attempting to establish TCP connection with 192.168.1.200:443 [nonblock]
Thu Mar 12 09:54:08 2009 TCP connection established with 192.168.1.200:443
Thu Mar 12 09:54:08 2009 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Mar 12 09:54:08 2009 TCPv4_CLIENT link local: [undef]
Thu Mar 12 09:54:08 2009 TCPv4_CLIENT link remote: 192.168.1.200:443
Thu Mar 12 09:54:08 2009 TLS: Initial packet from 192.168.1.200:443, sid=08bb22b7 d19b8623
Thu Mar 12 09:54:08 2009 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=FR/ST=NA/L=BLC/O=SARL_ROBIN_MATHIEU/CN=SARL_ROBIN_MATHIEU_CA/emailAddress=xxx.xxx@xxx.com
Thu Mar 12 09:54:08 2009 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Thu Mar 12 09:54:08 2009 TLS Error: TLS object -> incoming plaintext read error
Thu Mar 12 09:54:08 2009 TLS Error: TLS handshake failed
Thu Mar 12 09:54:08 2009 Fatal TLS error (check_tls_errors_co), restarting
Thu Mar 12 09:54:08 2009 TCP/UDP: Closing socket
Thu Mar 12 09:54:08 2009 SIGUSR1[soft,tls-error] received, process restarting
Thu Mar 12 09:54:08 2009 Restart pause, 5 second(s)

---

Pourquoi ne puis je pas serrer la main avec TLS ? :smt003 "TLS handshake failed"
J’ai fait des recherches sur le net mais je ne comprends pas trop les reponses.

Avez vous une idée du probleme ?
Merci de votre aide
Regis
PS : désolé pour la longueur de la conf serveur, il y a surmement une foule de trucs à supprimer mais pour l’instant je ne maitrise pas …

config du client :

---

client
remote-cert-tls server
dev tun0
proto tcp
remote 192.168.1.200 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca VPNROMA.crt
cert regis.crt
key regis.key
comp-lzo
verb 3

---

conf du serveur
#################################################

Sample OpenVPN 2.0 config file for

multi-client server.

This file is for the server side

of a many-clients <-> one-server

OpenVPN configuration.

OpenVPN also supports

single-machine <-> single-machine

configurations (See the Examples page

on the web site for more info).

This config should work on Windows

or Linux/BSD systems. Remember on

Windows to quote pathnames and use

double backslashes, e.g.:

“C:\Program Files\OpenVPN\config\foo.key”

Comments are preceded with ‘#’ or ‘;’

#################################################

Which local IP address should OpenVPN

listen on? (optional)

;local a.b.c.d

Which TCP/UDP port should OpenVPN listen on?

If you want to run multiple OpenVPN instances

on the same machine, use a different port

number for each one. You will need to

open up this port on your firewall.

port 443

TCP or UDP server?

proto tcp
;proto udp

“dev tun” will create a routed IP tunnel,

“dev tap” will create an ethernet tunnel.

Use “dev tap0” if you are ethernet bridging

and have precreated a tap0 virtual interface

and bridged it with your ethernet interface.

If you want to control access policies

over the VPN, you must create firewall

rules for the the TUN/TAP interface.

On non-Windows systems, you can give

an explicit unit number, such as tun0.

On Windows, use “dev-node” for this.

On most systems, the VPN will not function

unless you partially or fully disable

the firewall for the TUN/TAP interface.

;dev tap
dev tun

Windows needs the TAP-Win32 adapter name

from the Network Connections panel if you

have more than one. On XP SP2 or higher,

you may need to selectively disable the

Windows firewall for the TAP adapter.

Non-Windows systems usually don’t need this.

;dev-node MyTap

SSL/TLS root certificate (ca), certificate

(cert), and private key (key). Each client

and the server must have their own cert and

key file. The server and all clients will

use the same ca file.

See the “easy-rsa” directory for a series

of scripts for generating RSA certificates

and private keys. Remember to use

a unique Common Name for the server

and each of the client certificates.

Any X509 key management system can be used.

OpenVPN can also use a PKCS #12 formatted key file

(see “pkcs12” directive in man page).

ca ca.crt
cert VPNROMA.crt
key VPNROMA.key # This file should be kept secret

Diffie hellman parameters.

Generate your own with:

openssl dhparam -out dh1024.pem 1024

Substitute 2048 for 1024 if you are using

2048 bit keys.

dh dh1024.pem

Configure server mode and supply a VPN subnet

for OpenVPN to draw client addresses from.

The server will take 10.8.0.1 for itself,

the rest will be made available to clients.

Each client will be able to reach the server

on 10.8.0.1. Comment this line out if you are

ethernet bridging. See the man page for more info.

server 10.8.0.0 255.255.255.0

Maintain a record of client <-> virtual IP address

associations in this file. If OpenVPN goes down or

is restarted, reconnecting clients can be assigned

the same virtual IP address from the pool that was

previously assigned.

ifconfig-pool-persist ipp.txt

Configure server mode for ethernet bridging.

You must first use your OS’s bridging capability

to bridge the TAP interface with the ethernet

NIC interface. Then you must manually set the

IP/netmask on the bridge interface, here we

assume 10.8.0.4/255.255.255.0. Finally we

must set aside an IP range in this subnet

(start=10.8.0.50 end=10.8.0.100) to allocate

to connecting clients. Leave this line commented

out unless you are ethernet bridging.

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

Configure server mode for ethernet bridging

using a DHCP-proxy, where clients talk

to the OpenVPN server-side DHCP server

to receive their IP address allocation

and DNS server addresses. You must first use

your OS’s bridging capability to bridge the TAP

interface with the ethernet NIC interface.

Note: this mode only works on clients (such as

Windows), where the client-side TAP adapter is

bound to a DHCP client.

;server-bridge

Push routes to the client to allow it

to reach other private subnets behind

the server. Remember that these

private subnets will also need

to know to route the OpenVPN client

address pool (10.8.0.0/255.255.255.0)

back to the OpenVPN server.

;push “route 192.168.10.0 255.255.255.0”
;push “route 192.168.20.0 255.255.255.0”

To assign specific IP addresses to specific

clients or if a connecting client has a private

subnet behind it that should also have VPN access,

use the subdirectory “ccd” for client-specific

configuration files (see man page for more info).

EXAMPLE: Suppose the client

having the certificate common name “Thelonious”

also has a small subnet behind his connecting

machine, such as 192.168.40.128/255.255.255.248.

First, uncomment out these lines:

;client-config-dir ccd
;route 192.168.40.128 255.255.255.248

Then create a file ccd/Thelonious with this line:

iroute 192.168.40.128 255.255.255.248

This will allow Thelonious’ private subnet to

access the VPN. This example will only work

if you are routing, not bridging, i.e. you are

using “dev tun” and “server” directives.

EXAMPLE: Suppose you want to give

Thelonious a fixed VPN IP address of 10.9.0.1.

First uncomment out these lines:

;client-config-dir ccd
;route 10.9.0.0 255.255.255.252

Then add this line to ccd/Thelonious:

ifconfig-push 10.9.0.1 10.9.0.2

Suppose that you want to enable different

firewall access policies for different groups

of clients. There are two methods:

(1) Run multiple OpenVPN daemons, one for each

group, and firewall the TUN/TAP interface

for each group/daemon appropriately.

(2) (Advanced) Create a script to dynamically

modify the firewall in response to access

from different clients. See man

page for more info on learn-address script.

;learn-address ./script

If enabled, this directive will configure

all clients to redirect their default

network gateway through the VPN, causing

all IP traffic such as web browsing and

and DNS lookups to go through the VPN

(The OpenVPN server machine may need to NAT

or bridge the TUN/TAP interface to the internet

in order for this to work properly).

;push “redirect-gateway def1 bypass-dhcp”

Certain Windows-specific network settings

can be pushed to clients, such as DNS

or WINS server addresses. CAVEAT:

openvpn.net/faq.html#dhcpcaveats

The addresses below refer to the public

DNS servers provided by opendns.com.

;push “dhcp-option DNS 208.67.222.222”
;push “dhcp-option DNS 208.67.220.220”

Uncomment this directive to allow different

clients to be able to “see” each other.

By default, clients will only see the server.

To force clients to only see the server, you

will also need to appropriately firewall the

server’s TUN/TAP interface.

;client-to-client

Uncomment this directive if multiple clients

might connect with the same certificate/key

files or common names. This is recommended

only for testing purposes. For production use,

each client should have its own certificate/key

pair.

IF YOU HAVE NOT GENERATED INDIVIDUAL

CERTIFICATE/KEY PAIRS FOR EACH CLIENT,

EACH HAVING ITS OWN UNIQUE “COMMON NAME”,

UNCOMMENT THIS LINE OUT.

;duplicate-cn

The keepalive directive causes ping-like

messages to be sent back and forth over

the link so that each side knows when

the other side has gone down.

Ping every 10 seconds, assume that remote

peer is down if no ping received during

a 120 second time period.

keepalive 10 120

For extra security beyond that provided

by SSL/TLS, create an “HMAC firewall”

to help block DoS attacks and UDP port flooding.

Generate with:

openvpn --genkey --secret ta.key

The server and each client must have

a copy of this key.

The second parameter should be ‘0’

on the server and ‘1’ on the clients.

;tls-auth ta.key 0 # This file is secret

Select a cryptographic cipher.

This config item must be copied to

the client config file as well.

;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

Enable compression on the VPN link.

If you enable it here, you must also

enable it in the client config file.

comp-lzo

The maximum number of concurrently connected

clients we want to allow.

;max-clients 100

It’s a good idea to reduce the OpenVPN

daemon’s privileges after initialization.

You can uncomment this out on

non-Windows systems.

user openvpn
group openvpn

The persist options will try to avoid

accessing certain resources on restart

that may no longer be accessible because

of the privilege downgrade.

persist-key
persist-tun

Output a short status file showing

current connections, truncated

and rewritten every minute.

status openvpn-status.log

By default, log messages will go to the syslog (or

on Windows, if running as a service, they will go to

the “\Program Files\OpenVPN\log” directory).

Use log or log-append to override this default.

“log” will truncate the log file on OpenVPN startup,

while “log-append” will append to it. Use one

or the other (but not both).

;log openvpn.log
;log-append openvpn.log

Set the appropriate level of log

file verbosity.

0 is silent, except for fatal errors

4 is reasonable for general usage

5 and 6 can help to debug connection problems

9 is extremely verbose

verb 5

Silence repeating messages. At most 20

sequential messages of the same message

category will be output to the log.

;mute 20

Ce que je vois c’est un problème de certificat auto-signé qui apparemment ne devrait pas l’être, comment as-tu configuré ton certif sur le serveur ? Tu as juste généré un certif auto-signé ou t’as fait des manips supplémentaires ? Côté client, n’y aurait-il pas quelque-chose de configurable pour éviter de crier pour ton certif ?

Ce qui a l’air de se passer, c’est que le client récupère le certif de ton serveur et couine parcequ’il est autosigné, à la limite ce que tu pourrais faire, c’est créer un nouveau certificat sur ton serveur, le faire signer par le premier et retenter l’expérience avec le nouveau (il n’apparaîtra plus comme autosigné pour le client). Faudrait que je retrouve les commandes openssl pour le faire mais normalement c’est pas la mer à boire, la documentation (fort b**délique il est vrai) d’openssl peut peut être aider, même si personnellement pour m’y être mis il y a peu … j’ai du mal.

Enfin en tout cas “à l’école” pour créer un VPN entre plusieurs bécannes on créait un certif x509 autosigné pour signer celui qui servait à mettre en place le VPN (normalement il n’y a que les “autorités” qui ont des certifs autosignés, parcequ’à un moment on ne peut plus avoir une autorité au dessus de soi. Pourquoi le tunnel refuse de se monter avec un certif autosigné ça par contre ça doit être pour des raisons de sécurité sans doute.

Merci pour ta reponse ,
Alors voila ce que j’ai fait se trouve ici :
coagul.org/article.php3?id_article=422
En resumé, sur le serveur j’ai fait un :
./vars puis ./clean et enfin ./build-ca
et apres,
./build-key-server VPNROMA
et apres,
./build-key regis
et enfin
./build-dh
Si j’ai bien compris (ce qui n’est pas sur ?!) j’ai alors tous les certificats et clefs necessaires pour un serveur et un client.
J’ai ensuite copié tout ça dans les repertoires ad hoc (normalement ) coté client et serveur (/etc/openvpn) et finalement créé mes fichiers de conf joints plus haut.

Alors maintenant savoir si c’est auto signé … ou pas … je n’ai pas vraimeent une vue de dessus du probleme et du coup, je patoge un peu.
Si ce complement a pu être utile pour mieux cerner mon probleme merci de me faire signe en me donnant des idées complementaires.

Regis
PS : Au fait, debian lenny des deux cotés
PPS : le site d’openVPN a l’air chouette mais le forum est en allemand … pas facile de poster ! Aufwiedersehen les debiannistes et openvpnistes!

Vu que tout a l’air automatisé par openvpn et que je ne sais pas comment il gère ça, je ne sais pas quoi dire de plus pour l’instant là dessus …
As-tu bien copié tes clés/certifs aux endroits qui vont bien comme c’est précisé dans la suite du tuto ?

Je le pense puisque je l’ai fait 2 fois. Mais peut être ai-je fait deux fois la même erreur … ça s’est deja vu !!

Merci pour le coup de main en tous les cas
Je ne suis pas le seul a avoir ce probleme et les reponses ne sont pas légion !

Avis aux experts OpenVpn, siouplait

Regis

Bonjour,

juste pour dire que c’est Ok pour mon probleme. En fait, étant donnée mon ennnormmme experience dans le domaine (y a pas d’emoticone avec des grosses chevilles ?), je me suis d’abord tourné vers des erreurs evidentes faites sur coagul :smt003 :smt002 . Mais bon j’ai quand même recommencé tout depuis le debut (i.e. purge des install de openvpn et openssl) et là, ben tout est OK.
Finalement le tuto de coagul est nikel ( … vous aurez compris que je m’en doutais un peu ) donc foncez si vous avez besoin d’un vpn et suivez bien ce qu’ils disent … ne faites pas comme moi !!

Merci de votre aide.

Regis