LinuxQuestions.org
Old 10-16-2019, 12:41 PM   #1
sparc86
Private OpenVPN infrastructure, failing authentication from Windows 10 client. Working perfectly from a Linux client


Hi,

I will try to bring as much information as I can.

I'm setting up a VPN infrastructure between a small SOHO (small office) and the Internet.

The server is a Debian Stable server (Debian 10) and, really, everything is working ok, in the sense that I can authenticate from the client side (LinuxMint) without any issues; however, I also have a Windows client, which for some reason is failing to authenticate.

I'm sharing the private keys with both clients. In fact, I'm not very interested in this Linux client, as the only user at the end of the day will be the one with a Windows 10 client.

Well, here's the sauce (output):

My successful connection from my Linux client:
Code:
sudo openvpn --config /etc/openvpn/client.conf
Tue Oct 15 22:44:31 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Tue Oct 15 22:44:31 2019 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Tue Oct 15 22:44:31 2019 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Tue Oct 15 22:44:31 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 22:44:31 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 22:44:31 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Tue Oct 15 22:44:31 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Tue Oct 15 22:44:31 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Tue Oct 15 22:44:32 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Tue Oct 15 22:44:32 2019 TCP_CLIENT link local: (not bound)
Tue Oct 15 22:44:32 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Tue Oct 15 22:44:32 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=8bfef20a e14c61b5
Tue Oct 15 22:44:32 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 22:44:32 2019 VERIFY OK: nsCertType=SERVER
Tue Oct 15 22:44:32 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 22:44:32 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 22:44:32 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Tue Oct 15 22:44:33 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Oct 15 22:44:33 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Oct 15 22:44:33 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:44:33 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:44:33 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: route-related options modified
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: peer-id set
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Oct 15 22:44:33 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Oct 15 22:44:33 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 22:44:33 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 22:44:33 2019 TUN/TAP device tun0 opened
Tue Oct 15 22:44:33 2019 TUN/TAP TX queue length set to 100
Tue Oct 15 22:44:33 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Oct 15 22:44:33 2019 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct 15 22:44:33 2019 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Tue Oct 15 22:44:33 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 15 22:44:33 2019 Initialization Sequence Completed
It did work, but then I fixed the WARNING for "ns-cert-type" and got the following output:
Code:
 sudo openvpn --config /etc/openvpn/client.conf
Tue Oct 15 22:55:21 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Tue Oct 15 22:55:21 2019 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Tue Oct 15 22:55:21 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 22:55:21 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 22:55:21 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:21 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Tue Oct 15 22:55:21 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Tue Oct 15 22:55:22 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:22 2019 TCP_CLIENT link local: (not bound)
Tue Oct 15 22:55:22 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:22 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=18890315 a25acdee
Tue Oct 15 22:55:22 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 22:55:22 2019 VERIFY KU OK
Tue Oct 15 22:55:22 2019 Validating certificate extended key usage
Tue Oct 15 22:55:22 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 15 22:55:22 2019 VERIFY EKU OK
Tue Oct 15 22:55:22 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 22:55:23 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 22:55:23 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:24 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Oct 15 22:55:24 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Oct 15 22:55:24 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:55:24 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:55:24 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: route-related options modified
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: peer-id set
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Oct 15 22:55:24 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Oct 15 22:55:24 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 22:55:24 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 22:55:24 2019 TUN/TAP device tun0 opened
Tue Oct 15 22:55:24 2019 TUN/TAP TX queue length set to 100
Tue Oct 15 22:55:24 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Oct 15 22:55:24 2019 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct 15 22:55:24 2019 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Tue Oct 15 22:55:24 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 15 22:55:24 2019 Initialization Sequence Completed
Tue Oct 15 23:55:23 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 23:55:23 2019 VERIFY KU OK
Tue Oct 15 23:55:23 2019 Validating certificate extended key usage
Tue Oct 15 23:55:23 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 15 23:55:23 2019 VERIFY EKU OK
Tue Oct 15 23:55:23 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 23:55:23 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:55:23 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:55:23 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 23:58:01 2019 Connection reset, restarting [0]
Tue Oct 15 23:58:01 2019 SIGUSR1[soft,connection-reset] received, process restarting
Tue Oct 15 23:58:01 2019 Restart pause, 5 second(s)
Tue Oct 15 23:58:06 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:06 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Tue Oct 15 23:58:06 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Tue Oct 15 23:58:07 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:07 2019 TCP_CLIENT link local: (not bound)
Tue Oct 15 23:58:07 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:07 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=9a0d4959 da0fd296
Tue Oct 15 23:58:07 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 23:58:07 2019 VERIFY KU OK
Tue Oct 15 23:58:07 2019 Validating certificate extended key usage
Tue Oct 15 23:58:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 15 23:58:07 2019 VERIFY EKU OK
Tue Oct 15 23:58:07 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 23:58:07 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 23:58:07 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:08 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Oct 15 23:58:09 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Oct 15 23:58:09 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 23:58:09 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 23:58:09 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: route-related options modified
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: peer-id set
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Oct 15 23:58:09 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Oct 15 23:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:58:09 2019 Preserving previous TUN/TAP instance: tun0
Tue Oct 15 23:58:09 2019 Initialization Sequence Completed
Wed Oct 16 00:58:07 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 00:58:07 2019 VERIFY KU OK
Wed Oct 16 00:58:07 2019 Validating certificate extended key usage
Wed Oct 16 00:58:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 00:58:07 2019 VERIFY EKU OK
Wed Oct 16 00:58:07 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 00:58:07 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 00:58:07 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 00:58:07 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 01:58:07 2019 TLS: soft reset sec=0 bytes=27597/-1 pkts=705/0
Wed Oct 16 01:58:07 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 01:58:07 2019 VERIFY KU OK
Wed Oct 16 01:58:07 2019 Validating certificate extended key usage
Wed Oct 16 01:58:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 01:58:07 2019 VERIFY EKU OK
Wed Oct 16 01:58:07 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 01:58:08 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 01:58:08 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 01:58:08 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 02:58:07 2019 TLS: tls_process: killed expiring key
Wed Oct 16 02:58:08 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 02:58:08 2019 VERIFY KU OK
Wed Oct 16 02:58:08 2019 Validating certificate extended key usage
Wed Oct 16 02:58:08 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 02:58:08 2019 VERIFY EKU OK
Wed Oct 16 02:58:08 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 02:58:08 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 02:58:08 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 02:58:08 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 03:58:08 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 03:58:08 2019 VERIFY KU OK
Wed Oct 16 03:58:08 2019 Validating certificate extended key usage
Wed Oct 16 03:58:08 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 03:58:08 2019 VERIFY EKU OK
Wed Oct 16 03:58:08 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 03:58:08 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 03:58:08 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 03:58:08 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 04:58:09 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 04:58:09 2019 VERIFY KU OK
Wed Oct 16 04:58:09 2019 Validating certificate extended key usage
Wed Oct 16 04:58:09 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 04:58:09 2019 VERIFY EKU OK
Wed Oct 16 04:58:09 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 04:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 04:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 04:58:09 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 05:58:08 2019 TLS: tls_process: killed expiring key
Wed Oct 16 05:58:09 2019 TLS: soft reset sec=0 bytes=27597/-1 pkts=705/0
Wed Oct 16 05:58:09 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 05:58:09 2019 VERIFY KU OK
Wed Oct 16 05:58:09 2019 Validating certificate extended key usage
Wed Oct 16 05:58:09 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 05:58:09 2019 VERIFY EKU OK
Wed Oct 16 05:58:09 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 05:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 05:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 05:58:09 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 06:58:09 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 06:58:09 2019 VERIFY KU OK
Wed Oct 16 06:58:09 2019 Validating certificate extended key usage
Wed Oct 16 06:58:09 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 06:58:09 2019 VERIFY EKU OK
Wed Oct 16 06:58:09 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 06:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 06:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 06:58:09 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 07:58:09 2019 TLS: soft reset sec=0 bytes=27675/-1 pkts=707/0
Wed Oct 16 07:58:10 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 07:58:10 2019 VERIFY KU OK
Wed Oct 16 07:58:10 2019 Validating certificate extended key usage
Wed Oct 16 07:58:10 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 07:58:10 2019 VERIFY EKU OK
Wed Oct 16 07:58:10 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 07:58:10 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 07:58:10 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 07:58:10 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 08:58:09 2019 TLS: tls_process: killed expiring key
Wed Oct 16 08:58:10 2019 TLS: soft reset sec=0 bytes=27747/-1 pkts=707/0
Wed Oct 16 08:58:10 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 08:58:10 2019 VERIFY KU OK
Wed Oct 16 08:58:10 2019 Validating certificate extended key usage
Wed Oct 16 08:58:10 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 08:58:10 2019 VERIFY EKU OK
Wed Oct 16 08:58:10 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 08:58:11 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 08:58:11 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 08:58:11 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 09:53:41 2019 [server] Inactivity timeout (--ping-restart), restarting
Wed Oct 16 09:53:41 2019 SIGUSR1[soft,ping-restart] received, process restarting
Wed Oct 16 09:53:41 2019 Restart pause, 5 second(s)
Wed Oct 16 09:53:46 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:46 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Wed Oct 16 09:53:46 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Wed Oct 16 09:53:47 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:47 2019 TCP_CLIENT link local: (not bound)
Wed Oct 16 09:53:47 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:47 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=0c44d0e7 1576ad8d
Wed Oct 16 09:53:47 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 09:53:47 2019 VERIFY KU OK
Wed Oct 16 09:53:47 2019 Validating certificate extended key usage
Wed Oct 16 09:53:47 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 09:53:47 2019 VERIFY EKU OK
Wed Oct 16 09:53:47 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 09:53:47 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 09:53:47 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:49 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Oct 16 09:53:49 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Oct 16 09:53:49 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 09:53:49 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 09:53:49 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: route-related options modified
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: peer-id set
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: data channel crypto options modified
Wed Oct 16 09:53:49 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Oct 16 09:53:49 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 09:53:49 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 09:53:49 2019 Preserving previous TUN/TAP instance: tun0
Wed Oct 16 09:53:49 2019 Initialization Sequence Completed
Wed Oct 16 10:53:47 2019 TLS: soft reset sec=0 bytes=62402/-1 pkts=839/0
Wed Oct 16 10:53:47 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 10:53:47 2019 VERIFY KU OK
Wed Oct 16 10:53:47 2019 Validating certificate extended key usage
Wed Oct 16 10:53:47 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 10:53:47 2019 VERIFY EKU OK
Wed Oct 16 10:53:47 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 10:53:47 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 10:53:47 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 10:53:47 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 11:53:47 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 11:53:47 2019 VERIFY KU OK
Wed Oct 16 11:53:47 2019 Validating certificate extended key usage
Wed Oct 16 11:53:47 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 11:53:47 2019 VERIFY EKU OK
Wed Oct 16 11:53:47 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 11:53:48 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 11:53:48 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 11:53:48 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 12:53:47 2019 TLS: tls_process: killed expiring key
Wed Oct 16 12:53:48 2019 TLS: soft reset sec=0 bytes=27747/-1 pkts=707/0
Wed Oct 16 12:53:48 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 12:53:48 2019 VERIFY KU OK
Wed Oct 16 12:53:48 2019 Validating certificate extended key usage
Wed Oct 16 12:53:48 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 12:53:48 2019 VERIFY EKU OK
Wed Oct 16 12:53:48 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 12:53:49 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 12:53:49 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 12:53:49 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 13:19:57 2019 [server] Inactivity timeout (--ping-restart), restarting
Wed Oct 16 13:19:57 2019 SIGUSR1[soft,ping-restart] received, process restarting
Wed Oct 16 13:19:57 2019 Restart pause, 5 second(s)
Wed Oct 16 13:20:02 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:02 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Wed Oct 16 13:20:02 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Wed Oct 16 13:20:03 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:03 2019 TCP_CLIENT link local: (not bound)
Wed Oct 16 13:20:03 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:03 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=5c127c2c 65543524
Wed Oct 16 13:20:03 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 13:20:03 2019 VERIFY KU OK
Wed Oct 16 13:20:03 2019 Validating certificate extended key usage
Wed Oct 16 13:20:03 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 13:20:03 2019 VERIFY EKU OK
Wed Oct 16 13:20:03 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 13:20:03 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 13:20:03 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:04 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Oct 16 13:20:04 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Oct 16 13:20:04 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 13:20:04 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 13:20:04 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: route-related options modified
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: peer-id set
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: data channel crypto options modified
Wed Oct 16 13:20:04 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Oct 16 13:20:04 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 13:20:04 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 13:20:04 2019 Preserving previous TUN/TAP instance: tun0
Wed Oct 16 13:20:04 2019 Initialization Sequence Completed
 
Old 10-16-2019, 12:43 PM   #2
sparc86
Original Poster
From the Windows 10 client, I couldn't get OpenVPN to establish a connection. In fact, it is connecting. If I manually telnet against port 1194, I get a connection. If OpenVPN tries to establish a connection, it gets immediately dropped, which makes me wonder if there is something wrong with the TLS setup on the client side. That being said, I can confirm that, from a low-level perspective (layer 3 / networking), I can get a connection from the Windows 10 laptop to the Linux OpenVPN server. I see the packets are hitting my Linux server (tcpdump) and an ACK is forming; however, after half a second, my connection gets rejected, probably by the OpenVPN service itself.

Here's an alternate output, from the Linux openvpn client, that I get whenever I change "ns-cert-type" to "remote-cert-tls", if that helps:
Code:
 sudo openvpn --config /etc/openvpn/client.conf
Tue Oct 15 22:55:21 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Tue Oct 15 22:55:21 2019 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Tue Oct 15 22:55:21 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 22:55:21 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 22:55:21 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:21 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Tue Oct 15 22:55:21 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Tue Oct 15 22:55:22 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:22 2019 TCP_CLIENT link local: (not bound)
Tue Oct 15 22:55:22 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:22 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=18890315 a25acdee
Tue Oct 15 22:55:22 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 22:55:22 2019 VERIFY KU OK
Tue Oct 15 22:55:22 2019 Validating certificate extended key usage
Tue Oct 15 22:55:22 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 15 22:55:22 2019 VERIFY EKU OK
Tue Oct 15 22:55:22 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 22:55:23 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 22:55:23 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:24 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Oct 15 22:55:24 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Oct 15 22:55:24 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:55:24 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:55:24 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: route-related options modified
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: peer-id set
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Oct 15 22:55:24 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Oct 15 22:55:24 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 22:55:24 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 22:55:24 2019 TUN/TAP device tun0 opened
Tue Oct 15 22:55:24 2019 TUN/TAP TX queue length set to 100
Tue Oct 15 22:55:24 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Oct 15 22:55:24 2019 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct 15 22:55:24 2019 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Tue Oct 15 22:55:24 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 15 22:55:24 2019 Initialization Sequence Completed
Tue Oct 15 23:55:23 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 23:55:23 2019 VERIFY KU OK
Tue Oct 15 23:55:23 2019 Validating certificate extended key usage
Tue Oct 15 23:55:23 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 15 23:55:23 2019 VERIFY EKU OK
Tue Oct 15 23:55:23 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 23:55:23 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:55:23 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:55:23 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 23:58:01 2019 Connection reset, restarting [0]
Tue Oct 15 23:58:01 2019 SIGUSR1[soft,connection-reset] received, process restarting
Tue Oct 15 23:58:01 2019 Restart pause, 5 second(s)
Tue Oct 15 23:58:06 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:06 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Tue Oct 15 23:58:06 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Tue Oct 15 23:58:07 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:07 2019 TCP_CLIENT link local: (not bound)
Tue Oct 15 23:58:07 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:07 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=9a0d4959 da0fd296
Tue Oct 15 23:58:07 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 23:58:07 2019 VERIFY KU OK
Tue Oct 15 23:58:07 2019 Validating certificate extended key usage
Tue Oct 15 23:58:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 15 23:58:07 2019 VERIFY EKU OK
Tue Oct 15 23:58:07 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 23:58:07 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 23:58:07 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:08 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Oct 15 23:58:09 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Oct 15 23:58:09 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 23:58:09 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 23:58:09 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: route-related options modified
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: peer-id set
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Oct 15 23:58:09 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Oct 15 23:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:58:09 2019 Preserving previous TUN/TAP instance: tun0
Tue Oct 15 23:58:09 2019 Initialization Sequence Completed
Wed Oct 16 00:58:07 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 00:58:07 2019 VERIFY KU OK
Wed Oct 16 00:58:07 2019 Validating certificate extended key usage
Wed Oct 16 00:58:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 00:58:07 2019 VERIFY EKU OK
Wed Oct 16 00:58:07 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 00:58:07 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 00:58:07 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 00:58:07 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 01:58:07 2019 TLS: soft reset sec=0 bytes=27597/-1 pkts=705/0
Wed Oct 16 01:58:07 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 01:58:07 2019 VERIFY KU OK
Wed Oct 16 01:58:07 2019 Validating certificate extended key usage
Wed Oct 16 01:58:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 01:58:07 2019 VERIFY EKU OK
Wed Oct 16 01:58:07 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 01:58:08 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 01:58:08 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 01:58:08 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 02:58:07 2019 TLS: tls_process: killed expiring key
Wed Oct 16 02:58:08 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 02:58:08 2019 VERIFY KU OK
Wed Oct 16 02:58:08 2019 Validating certificate extended key usage
Wed Oct 16 02:58:08 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 02:58:08 2019 VERIFY EKU OK
Wed Oct 16 02:58:08 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 02:58:08 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 02:58:08 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 02:58:08 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 03:58:08 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 03:58:08 2019 VERIFY KU OK
Wed Oct 16 03:58:08 2019 Validating certificate extended key usage
Wed Oct 16 03:58:08 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 03:58:08 2019 VERIFY EKU OK
Wed Oct 16 03:58:08 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 03:58:08 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 03:58:08 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 03:58:08 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 04:58:09 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 04:58:09 2019 VERIFY KU OK
Wed Oct 16 04:58:09 2019 Validating certificate extended key usage
Wed Oct 16 04:58:09 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 04:58:09 2019 VERIFY EKU OK
Wed Oct 16 04:58:09 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 04:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 04:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 04:58:09 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 05:58:08 2019 TLS: tls_process: killed expiring key
Wed Oct 16 05:58:09 2019 TLS: soft reset sec=0 bytes=27597/-1 pkts=705/0
Wed Oct 16 05:58:09 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 05:58:09 2019 VERIFY KU OK
Wed Oct 16 05:58:09 2019 Validating certificate extended key usage
Wed Oct 16 05:58:09 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 05:58:09 2019 VERIFY EKU OK
Wed Oct 16 05:58:09 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 05:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 05:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 05:58:09 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 06:58:09 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 06:58:09 2019 VERIFY KU OK
Wed Oct 16 06:58:09 2019 Validating certificate extended key usage
Wed Oct 16 06:58:09 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 06:58:09 2019 VERIFY EKU OK
Wed Oct 16 06:58:09 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 06:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 06:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 06:58:09 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 07:58:09 2019 TLS: soft reset sec=0 bytes=27675/-1 pkts=707/0
Wed Oct 16 07:58:10 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 07:58:10 2019 VERIFY KU OK
Wed Oct 16 07:58:10 2019 Validating certificate extended key usage
Wed Oct 16 07:58:10 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 07:58:10 2019 VERIFY EKU OK
Wed Oct 16 07:58:10 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 07:58:10 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 07:58:10 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 07:58:10 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 08:58:09 2019 TLS: tls_process: killed expiring key
Wed Oct 16 08:58:10 2019 TLS: soft reset sec=0 bytes=27747/-1 pkts=707/0
Wed Oct 16 08:58:10 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 08:58:10 2019 VERIFY KU OK
Wed Oct 16 08:58:10 2019 Validating certificate extended key usage
Wed Oct 16 08:58:10 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 08:58:10 2019 VERIFY EKU OK
Wed Oct 16 08:58:10 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 08:58:11 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 08:58:11 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 08:58:11 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 09:53:41 2019 [server] Inactivity timeout (--ping-restart), restarting
Wed Oct 16 09:53:41 2019 SIGUSR1[soft,ping-restart] received, process restarting
Wed Oct 16 09:53:41 2019 Restart pause, 5 second(s)
Wed Oct 16 09:53:46 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:46 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Wed Oct 16 09:53:46 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Wed Oct 16 09:53:47 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:47 2019 TCP_CLIENT link local: (not bound)
Wed Oct 16 09:53:47 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:47 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=0c44d0e7 1576ad8d
Wed Oct 16 09:53:47 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 09:53:47 2019 VERIFY KU OK
Wed Oct 16 09:53:47 2019 Validating certificate extended key usage
Wed Oct 16 09:53:47 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 09:53:47 2019 VERIFY EKU OK
Wed Oct 16 09:53:47 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 09:53:47 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 09:53:47 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:49 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Oct 16 09:53:49 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Oct 16 09:53:49 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 09:53:49 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 09:53:49 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: route-related options modified
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: peer-id set
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: data channel crypto options modified
Wed Oct 16 09:53:49 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Oct 16 09:53:49 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 09:53:49 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 09:53:49 2019 Preserving previous TUN/TAP instance: tun0
Wed Oct 16 09:53:49 2019 Initialization Sequence Completed
Wed Oct 16 10:53:47 2019 TLS: soft reset sec=0 bytes=62402/-1 pkts=839/0
Wed Oct 16 10:53:47 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 10:53:47 2019 VERIFY KU OK
Wed Oct 16 10:53:47 2019 Validating certificate extended key usage
Wed Oct 16 10:53:47 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 10:53:47 2019 VERIFY EKU OK
Wed Oct 16 10:53:47 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 10:53:47 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 10:53:47 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 10:53:47 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 11:53:47 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 11:53:47 2019 VERIFY KU OK
Wed Oct 16 11:53:47 2019 Validating certificate extended key usage
Wed Oct 16 11:53:47 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 11:53:47 2019 VERIFY EKU OK
Wed Oct 16 11:53:47 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 11:53:48 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 11:53:48 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 11:53:48 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 12:53:47 2019 TLS: tls_process: killed expiring key
Wed Oct 16 12:53:48 2019 TLS: soft reset sec=0 bytes=27747/-1 pkts=707/0
Wed Oct 16 12:53:48 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 12:53:48 2019 VERIFY KU OK
Wed Oct 16 12:53:48 2019 Validating certificate extended key usage
Wed Oct 16 12:53:48 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 12:53:48 2019 VERIFY EKU OK
Wed Oct 16 12:53:48 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 12:53:49 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 12:53:49 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 12:53:49 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 13:19:57 2019 [server] Inactivity timeout (--ping-restart), restarting
Wed Oct 16 13:19:57 2019 SIGUSR1[soft,ping-restart] received, process restarting
Wed Oct 16 13:19:57 2019 Restart pause, 5 second(s)
Wed Oct 16 13:20:02 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:02 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Wed Oct 16 13:20:02 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Wed Oct 16 13:20:03 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:03 2019 TCP_CLIENT link local: (not bound)
Wed Oct 16 13:20:03 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:03 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=5c127c2c 65543524
Wed Oct 16 13:20:03 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 13:20:03 2019 VERIFY KU OK
Wed Oct 16 13:20:03 2019 Validating certificate extended key usage
Wed Oct 16 13:20:03 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 13:20:03 2019 VERIFY EKU OK
Wed Oct 16 13:20:03 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 13:20:03 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 13:20:03 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:04 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Oct 16 13:20:04 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Oct 16 13:20:04 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 13:20:04 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 13:20:04 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: route-related options modified
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: peer-id set
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: data channel crypto options modified
Wed Oct 16 13:20:04 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Oct 16 13:20:04 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 13:20:04 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 13:20:04 2019 Preserving previous TUN/TAP instance: tun0
Wed Oct 16 13:20:04 2019 Initialization Sequence Completed

So far, so good. Below is the output I get from the Windows 10 client (which is failing):
Code:
Tue Oct 15 21:11:11 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
Tue Oct 15 21:11:11 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Oct 15 21:11:11 2019 library versions: OpenSSL 1.1.0j  20 Nov 2018, LZO 2.10
Enter Management Password:
Tue Oct 15 21:11:11 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Oct 15 21:11:11 2019 Need hold release from management interface, waiting...
Tue Oct 15 21:11:12 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Oct 15 21:11:12 2019 MANAGEMENT: CMD 'state on'
Tue Oct 15 21:11:12 2019 MANAGEMENT: CMD 'log all on'
Tue Oct 15 21:11:12 2019 MANAGEMENT: CMD 'echo all on'
Tue Oct 15 21:11:12 2019 MANAGEMENT: CMD 'bytecount 5'
Tue Oct 15 21:11:12 2019 MANAGEMENT: CMD 'hold off'
Tue Oct 15 21:11:12 2019 MANAGEMENT: CMD 'hold release'
Tue Oct 15 21:11:12 2019 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Tue Oct 15 21:11:12 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 21:11:12 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 21:11:12 2019 MANAGEMENT: >STATE:1571184672,RESOLVE,,,,,,
Tue Oct 15 21:11:12 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Tue Oct 15 21:11:12 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Oct 15 21:11:12 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Tue Oct 15 21:11:12 2019 MANAGEMENT: >STATE:1571184672,TCP_CONNECT,,,,,,
Tue Oct 15 21:11:13 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Tue Oct 15 21:11:13 2019 TCP_CLIENT link local: (not bound)
Tue Oct 15 21:11:13 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Tue Oct 15 21:11:13 2019 MANAGEMENT: >STATE:1571184673,WAIT,,,,,,
Tue Oct 15 21:11:13 2019 Connection reset, restarting [0]
Tue Oct 15 21:11:13 2019 SIGUSR1[soft,connection-reset] received, process restarting
Tue Oct 15 21:11:13 2019 MANAGEMENT: >STATE:1571184673,RECONNECTING,connection-reset,,,,,
Tue Oct 15 21:11:13 2019 Restart pause, 5 second(s)
Tue Oct 15 21:11:18 2019 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Tue Oct 15 21:11:18 2019 MANAGEMENT: >STATE:1571184678,RESOLVE,,,,,,
Tue Oct 15 21:11:18 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Tue Oct 15 21:11:18 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Oct 15 21:11:18 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Tue Oct 15 21:11:18 2019 MANAGEMENT: >STATE:1571184678,TCP_CONNECT,,,,,,
Tue Oct 15 21:11:19 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Tue Oct 15 21:11:19 2019 TCP_CLIENT link local: (not bound)
Tue Oct 15 21:11:19 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Tue Oct 15 21:11:19 2019 MANAGEMENT: >STATE:1571184679,WAIT,,,,,,
Tue Oct 15 21:11:19 2019 Connection reset, restarting [0]
Tue Oct 15 21:11:19 2019 SIGUSR1[soft,connection-reset] received, process restarting
Tue Oct 15 21:11:19 2019 MANAGEMENT: >STATE:1571184679,RECONNECTING,connection-reset,,,,,
Tue Oct 15 21:11:19 2019 Restart pause, 5 second(s)
Tue Oct 15 21:11:21 2019 SIGTERM[hard,init_instance] received, process exiting
Tue Oct 15 21:11:21 2019 MANAGEMENT: >STATE:1571184681,EXITING,init_instance,,,,,


My server side config, /etc/openvpn/server.conf:
Code:
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
topology subnet
cipher AES-256-CBC
auth SHA512
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 7
tls-server
#tls-auth /etc/openvpn/pfs.key
tls-auth /etc/openvpn/easy-rsa/pfs.key
 
Old 10-16-2019, 12:43 PM   #3
sparc86
Member
 
Registered: Jul 2006
Location: Joinville, Brazil
Distribution: Debian, CentOS
Posts: 301

Original Poster
Rep: Reputation: 31
My FAILING Windows 10 OVPN client config (with bogus certs and keys, as the real ones have been removed for security reasons):
Code:
client
dev tun
proto tcp
remote bratislava.chickenkiller.com 1194  
#ca server1/keys/ca.crt
#cert server1/keys/client.crt
#key server1/keys/client.key
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
cipher AES-256-CBC
auth SHA512
resolv-retry infinite
auth-retry none
nobind
route-nopull
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
tls-client
#tls-auth server1/keys/pfs.key
key-direction 1


<ca>
-----BEGIN CERTIFICATE-----
MIIDSzCCAjOgAwIBAgIURr+LCONYo32QpY0U9XUFOA54GJEwDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkxMDEwMjEwMjMzWhcNMjkx
MDA3MjEwMjMzWjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBALsvABR95v1GC1yZhFi0j88MSnCJ74tgpFBEuIUf
J9a5XHgfsdi9af9awr7j9afcsaodfjoiasdfuoiasd5755475734************/VtPXlsUs
zmw630ut14l1jcTLsy7pqFGeO/hppH96+LS8AT/yMcVaGR5RzXJZV62ptbBc5bCV
3GzrGMgy4B6n5DICReTPPZYRlwe4JR+kkuPGZn1q6ni01th5or34/F/LqYO2F7YH
wvR8UxONrwMhElmcSAYAguRlTYkdFDOQjyjEYTPzQA==
-----END CERTIFICATE-----
</ca>

<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ce:a5:74:a1:10:80:d8:1f:fa:29:12:4f:c6:0e:30:26
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Easy-RSA CA
        Validity
            Not Before: Oct 10 21:10:21 2019 GMT
            Not After : Sep 24 21:10:21 2022 GMT
        Subject: CN=client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ac:ff:cb:9d:12:0f:99:ea:01:37:8e:f5:a1:3b:
                    6b:53:31:2a:9f:bb:0d:19:bc:0a:c9:ea:3d:76:3e:
                    79:57:47:5e:48:32:a6:a0:5c:67:28:a2:68:35:6f:
                    c4:ec:99:cb:5d:d7:ed:04:37:41:19:8d:bc:63:55:
                    c7:17:5b:f1:d8:7e:4d:ce:65:a9:87:7d:09:5e:c5:
                    6d:04:ef:05:39:6f:b2:9a:5e:0a:ea:b1:3f:5b:c9:
                    cb:bb:09:ee:8a:fc:23:9b:03:30:76:ab:d9:5e:d4:
                    c9:fa:a1:a3:f5:98:81:2c:10:e8:45:8e:02:ff:e8:
                    fd:a2:de:81:fd:32:8f:a3:6e:1e:12:28:52:61:3b:
                    1e:1b:61:d4:4e:79:8f:f6:85:9b:21:1f:4d:ec:d5:
                    81:a2:80:00:8a:d9:7f:f1:cc:a8:70:04:0b:30:a9:
                    cb:02:f7:72:a3:f1:2a:51:61:89:e5:3f:c6:2d:34:
                    6d:7e:cc:00:bb:81:9f:0e:3e:84:f6:fd:c5:6d:33:
                    ff:84:52:cb:2d:59:bd:15:b1:5d:7c:e2:aa:a1:8d:
                    c4:07:aa:74:f6:d7:bf:3c:46:5a:6b:e0:58:1d:0e:
                    ff:48:8e:ab:f7:46:9d:3a:42:60:43:78:ad:8d:0f:
                    67:be:de:ee:b4:fe:b6:77:5a:7d:4e:02:77:10:af:
                    9f:8d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                D8:38:E4:5A:E9:4F:25:28:62:DE:D8:CC:96:3A:5D:69:11:37:DC:CB
            X509v3 Authority Key Identifier: 
                keyid:62:0B:54:F7:5B:73:08:AF:71:75:D1:C3:CE:86:6E:77:89:B5:21:98
                DirName:/CN=Easy-RSA CA
                serial:46:BF:8B:08:E3:58:A3:7D:90:A5:8D:14:F5:75:05:38:0E:78:18:91

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
    Signature Algorithm: sha256WithRSAEncryption
         0f:2d:7f:d8:1a:f4:3d:3a:e7:4f:46:0a:f3:19:67:5d:50:cb:
         15:b0:d7:92:74:df:ba:83:eb:2c:b1:55:21:c7:81:31:0c:92:
         24:d9:a0:cb:c1:39:8f:32:4c:36:a0:c9:20:65:58:2e:5b:9b:
         c1:82:80:c5:95:b5:c9:f4:43:ea:37:3f:94:77:d4:cf:30:75:
         48:22:da:54:cc:1d:11:db:fd:7a:4e:02:d6:92:a1:29:d7:d3:
         2b:4d:eb:9a:75:78:59:95:71:7e:2e:30:4b:3d:5f:f3:ab:42:
         a2:30:a0:86:c6:03:2d:45:2f:36:46:51:56:b9:85:ab:b2:e4:
         11:9f:89:a8:84:08:d6:fb:42:c5:b5:83:59:61:02:05:f4:8a:
         59:9e:64:41:8c:a2:5b:d9:08:f6:f7:b5:e1:b3:92:96:5c:6a:
         6d:2a:ab:01:31:b1:54:8d:76:9a:53:85:2c:0e:5b:8b:42:01:
         fa:ee:ea:ed:48:a5:19:5e:1a:14:3b:89:4f:2f:34:96:4b:12:
         c9:d7:af:0b:35:e8:f1:5c:bb:1f:6a:18:20:51:96:b2:8d:40:
         0a:19:13:ec:3f:17:8b:81:a6:38:94:72:ee:c8:93:c3:3a:c4:
         52:8b:99:d6:c9:cd:ff:f8:56:61:30:a0:fa:fb:79:c9:5f:e5:
         e0:97:47:49
-----BEGIN CERTIFICATE-----
MIIDVTCCAj2gAwIBAgIRAM6ldKEQgNgf+ikST8YOMCYwDQYJKoZIhvcNAQELBQAw
FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkxMDEwMjExMDIxWhcNMjIwOTI0
MjEfarfsfhvsdalkfasdNBghRG
v4sI41ijfZCljRT1dQU4DngYkTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8E
BAMCB4AwDQYJKoZIhvcNAQELBQADggEBAA8tf9ga9D06509GCvMZZ11QyxWw15J0
37qD6yyxVSHHgTEMkiTZoMvBOY8yTDagySBlWC5bm8GCgMWVtcn0Q+o3P5R31M8w
dUgi2lTMHRHb/XpOAtaSoSnX0ytN65p1eFmVcX4uMEs9X/OrQqIwoIbGAy1FLzZG
UVa5hauy5BGfiaiECNb7QsW1g1lhAgX0ilmeZEGMolvZCPb3teGzkpZcam0qqwEx
sVSNdppThSwOW4tCAfru6u1IpRleGhQ7iU8vNJZLEsnXrws16PFcux9qGCBRlrKN
QAoZE+w/F4uBpjiUcu7Ik8M6xFKLmdbJzf/4VmEwoPr7eclf5eCXR0k=
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCs/8udEg+Z6gE3
jvWhO2tTMSqfuw0ZvArJ6j12PnlXR15IMqagXGcoomg1b8Tsmctd1+0EN0EZjbxj
VccXW/HYfk3OZamHfQlexW0E7wU5b7KaXgrqsT9bycu7Ce6K/CObAzB2q9le1Mn6
oaP1mIEsEOhFjgL/6P2i3oH9Mo+jbh4SKFJhOx4bYdROeY/2hZshH03s1YGigACK
2X/xzKhwBAswqcsC93Kj8SpRYYnlP8YtNG1+zAC7gZ8OPoT2/cVtM/+EUsstWb0V
sV184qqhjcQHqnT21788Rlpr4FgdDv9Ijqv3Rp06QmBDeK2ND2e+3u60/rZ3Wn1O
AncQr5+NAg443219847123hsjakhdfksadjfkasjfhasgdfgdsfp3Ct9zcg
0TYfNzHAizjM7163RHg9K6RJ6T1Iu1tdqw2bcShnISbAtDfGbgbuBSVbe1ng3H5w
NHWrGsv4fPiIcCZnwy/RronZ28vdSz+oanEqxV/amUUpD/HVf7oNYVCNAoGBALbF
GZiq/HtaqR7Elu3xrNynMTvzz1nlYDfjyCaiGgoG+SHYn+zjApr24QmuAIAyQ9DQ
s/aiR64/8joIDb6H15aZ76C70ogiSqhW62ipcyNaNQtFa5DzQJOLK3IhhgmjuylS
wy6gCGms3587mC0VKgiUTTFL/EI5VfFunpk1mcJXAoGBALkFh8ofn2KstEF3rynE
LSSWIu8PKlFLl9Ma3Z3ZsC+WlUj/aeFK7m11/kH/uczMpOpTYtXdTejTp1wC7yDV
JmGzlIzymGG5vERjkrO7JZBMA33kBmbY6ulckkKZokICFdytdYt3La0ap5kO/LPM
Skng9yNVgTLlumblbGs0Exch
-----END PRIVATE KEY-----
</key>

<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
b3290b6a58e50ac100c50cfb1009a755
fbdb74c6e06cb1eacb6614bee9002eb0
0696b55fbe956056ba925b24030ea47e
9531c51749ce4643436421c2663daceb
fa9bdfhsdfsdalkfhlkfa093423e0997
2418db6dce3d7d515af93a8e70baf477
09c2bfd38bffac07464e111b4aafa96a
7cc9b6df0f39db0126d1e27b3c8a1080
-----END OpenVPN Static key V1-----
</tls-auth>
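
Added example (not from sparc86's posts or from the OpenVPN project): a short Python script that reads the server.conf and the Windows profile above and reports the settings that have to agree on both ends before the server will even start a TLS handshake with a TCP client. The Windows log is reset in the WAIT state with no VERIFY lines at all, i.e. the server closes the TCP connection before any TLS message comes back. The usual causes of a reset at that point are a proto mismatch or a tls-auth/tls-crypt mismatch, because the server discards packets that fail the control-channel HMAC and, over TCP, closes the connection. On the second point, the posted server line `tls-auth /etc/openvpn/easy-rsa/pfs.key` carries no direction and the server has no key-direction, so it uses the static key bidirectionally, while the Windows profile sets `key-direction 1`. OpenVPN requires either both sides to omit the direction or one side to use 0 and the other 1, so the server would need `tls-auth /etc/openvpn/easy-rsa/pfs.key 0` (or the profile would need to drop key-direction) for the two to match. Whether that is the fault here cannot be settled from this part of the thread, because the working Linux client's profile is not reproduced in it; comparing its tls-auth line against the Windows one is the first check to make. The two configs embedded in the script are copied from the posts with the PEM material replaced by placeholders and the logging/path lines dropped; the script uses only the Python standard library. A separate caveat for this setup: one client certificate and private key are shared by both machines and the server has no duplicate-cn, so when both connect at once the server drops the older session, and the key cannot be revoked for one device without cutting off the other; issuing one certificate per device avoids both problems.

```python
"""Cross-check an OpenVPN server.conf against a client profile (added example)."""
import re
import shlex

# Copied from the posted /etc/openvpn/server.conf (paths/logging lines dropped).
SERVER_CONF = """\
port 1194
proto tcp
cipher AES-256-CBC
auth SHA512
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
comp-lzo
tls-server
#tls-auth /etc/openvpn/pfs.key
tls-auth /etc/openvpn/easy-rsa/pfs.key
"""

# Copied from the posted Windows profile; the PEM body is a placeholder.
CLIENT_CONF = """\
client
proto tcp
cipher AES-256-CBC
auth SHA512
route-nopull
ns-cert-type server
comp-lzo
tls-client
#tls-auth server1/keys/pfs.key
key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
(placeholder)
-----END OpenVPN Static key V1-----
</tls-auth>
"""


def parse_ovpn(text):
    """Return {option: [args, ...]}; an inline <name> block becomes name=["[inline]"]."""
    opts, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:            # inside <name> ... </name>: skip the body
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":  # blank or comment line
            continue
        m = re.fullmatch(r"<([A-Za-z-]+)>", line)
        if m:
            block = m.group(1)
            opts.setdefault(block, []).append(["[inline]"])
            continue
        name, *args = shlex.split(line)  # handles push "quoted args"
        opts.setdefault(name, []).append(args)
    return opts


def tls_auth_direction(opts):
    """'none' if tls-auth is absent, else '0', '1' or 'bidi' (no direction given)."""
    if "tls-auth" not in opts:
        return "none"
    args = opts["tls-auth"][-1]
    if args[0] != "[inline]" and len(args) > 1:   # tls-auth FILE DIRECTION
        return args[1]
    if "key-direction" in opts:                   # applies to inline and file form
        return opts["key-direction"][-1][0]
    return "bidi"


def _proto(opts):
    """Normalise tcp-server / tcp-client / tcp4 / udp6 to plain 'tcp' or 'udp'."""
    p = opts.get("proto", [["udp"]])[-1][0].lower()
    return re.sub(r"[46]$", "", re.sub(r"-(server|client)$", "", p))


def check_pair(server_text, client_text):
    """Return mismatch descriptions; an empty list means the pair is consistent."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    out = []
    if _proto(s) != _proto(c):
        out.append(f"proto mismatch: server={_proto(s)} client={_proto(c)}")
    sd, cd = tls_auth_direction(s), tls_auth_direction(c)
    if (sd == "none") != (cd == "none"):
        out.append("tls-auth configured on one side only")
    elif sd != "none" and not (sd == cd == "bidi" or {sd, cd} == {"0", "1"}):
        # OpenVPN needs both sides to omit the direction, or 0 on one side and 1 on the other
        out.append(f"tls-auth key direction mismatch: server={sd} client={cd}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        out.append("comp-lzo set on one side only")
    if "route-nopull" in c:   # client rejects pushed routes/DNS ("cannot be used in this context")
        pushed = {a[0].split()[0] for a in s.get("push", []) if a}
        ignored = sorted(pushed & {"route", "redirect-gateway", "dhcp-option"})
        if ignored:
            out.append("client route-nopull ignores pushed: " + ", ".join(ignored))
    return out


if __name__ == "__main__":
    for finding in check_pair(SERVER_CONF, CLIENT_CONF):
        print(" -", finding)
```

Run it with python3 and it prints one line per finding; against the two posted configs that is the tls-auth direction mismatch plus a note that `route-nopull` on the client discards the pushed redirect-gateway and dhcp-option lines, which is exactly what the "cannot be used in this context" lines in the Linux log are. `check_pair()` takes any two config texts, so the Linux profile can be compared the same way once it is to hand. The script deliberately ignores what is negotiated at runtime (the data-channel cipher, which both logs show being upgraded to AES-256-GCM), since that cannot reset the connection before TLS.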
 
Old 10-16-2019, 12:49 PM   #4
sparc86
Member
 
Registered: Jul 2006
Location: Joinville, Brazil
Distribution: Debian, CentOS
Posts: 301

Original Poster
Rep: Reputation: 31
And sorry, I had to split the scenario across different posts, as there is a limit of 30000 characters per post at LQ.

Last edited by sparc86; 10-16-2019 at 12:56 PM.
Tags
openvpn