Private OpenVPN infrastructure, failing authentication from Windows 10 client. Working perfectly from a Linux client
Hi,
I will try to bring as much information as I can.
I'm setting up a VPN infrastructure between a small SOHO (small office) and the Internet.
The server is a Debian Stable server (Debian 10) and, really, everything is working ok, in the sense that I can authenticate from the client side (LinuxMint) without any issues, however, I also have a Windows client, which for some reason is failing to authenticate.
I'm sharing the private keys with both clients. In fact, I'm not very interested in this Linux client, as the only user at the end of the day will be the one with a Windows 10 client.
Well, here's the sauce (output):
My successful connection from my Linux client:
Code:
sudo openvpn --config /etc/openvpn/client.conf
Tue Oct 15 22:44:31 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Tue Oct 15 22:44:31 2019 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
Tue Oct 15 22:44:31 2019 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Tue Oct 15 22:44:31 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 22:44:31 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 22:44:31 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Tue Oct 15 22:44:31 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Tue Oct 15 22:44:31 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Tue Oct 15 22:44:32 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Tue Oct 15 22:44:32 2019 TCP_CLIENT link local: (not bound)
Tue Oct 15 22:44:32 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Tue Oct 15 22:44:32 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=8bfef20a e14c61b5
Tue Oct 15 22:44:32 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 22:44:32 2019 VERIFY OK: nsCertType=SERVER
Tue Oct 15 22:44:32 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 22:44:32 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 22:44:32 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Tue Oct 15 22:44:33 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Oct 15 22:44:33 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Oct 15 22:44:33 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:44:33 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:44:33 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: route-related options modified
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: peer-id set
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Oct 15 22:44:33 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Oct 15 22:44:33 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 22:44:33 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 22:44:33 2019 TUN/TAP device tun0 opened
Tue Oct 15 22:44:33 2019 TUN/TAP TX queue length set to 100
Tue Oct 15 22:44:33 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Oct 15 22:44:33 2019 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct 15 22:44:33 2019 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Tue Oct 15 22:44:33 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 15 22:44:33 2019 Initialization Sequence Completed
It did work, but then I fixed the WARNING for "ns-cert-type" and got the following output:
Code:
sudo openvpn --config /etc/openvpn/client.conf
Tue Oct 15 22:55:21 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Tue Oct 15 22:55:21 2019 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
Tue Oct 15 22:55:21 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 22:55:21 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 22:55:21 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:21 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Tue Oct 15 22:55:21 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Tue Oct 15 22:55:22 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:22 2019 TCP_CLIENT link local: (not bound)
Tue Oct 15 22:55:22 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:22 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=18890315 a25acdee
Tue Oct 15 22:55:22 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 22:55:22 2019 VERIFY KU OK
Tue Oct 15 22:55:22 2019 Validating certificate extended key usage
Tue Oct 15 22:55:22 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 15 22:55:22 2019 VERIFY EKU OK
Tue Oct 15 22:55:22 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 22:55:23 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 22:55:23 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:24 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Oct 15 22:55:24 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Oct 15 22:55:24 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:55:24 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:55:24 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: route-related options modified
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: peer-id set
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Oct 15 22:55:24 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Oct 15 22:55:24 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 22:55:24 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 22:55:24 2019 TUN/TAP device tun0 opened
Tue Oct 15 22:55:24 2019 TUN/TAP TX queue length set to 100
Tue Oct 15 22:55:24 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Oct 15 22:55:24 2019 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct 15 22:55:24 2019 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Tue Oct 15 22:55:24 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 15 22:55:24 2019 Initialization Sequence Completed
Tue Oct 15 23:55:23 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 23:55:23 2019 VERIFY KU OK
Tue Oct 15 23:55:23 2019 Validating certificate extended key usage
Tue Oct 15 23:55:23 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 15 23:55:23 2019 VERIFY EKU OK
Tue Oct 15 23:55:23 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 23:55:23 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:55:23 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:55:23 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 23:58:01 2019 Connection reset, restarting [0]
Tue Oct 15 23:58:01 2019 SIGUSR1[soft,connection-reset] received, process restarting
Tue Oct 15 23:58:01 2019 Restart pause, 5 second(s)
Tue Oct 15 23:58:06 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:06 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Tue Oct 15 23:58:06 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Tue Oct 15 23:58:07 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:07 2019 TCP_CLIENT link local: (not bound)
Tue Oct 15 23:58:07 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:07 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=9a0d4959 da0fd296
Tue Oct 15 23:58:07 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 23:58:07 2019 VERIFY KU OK
Tue Oct 15 23:58:07 2019 Validating certificate extended key usage
Tue Oct 15 23:58:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 15 23:58:07 2019 VERIFY EKU OK
Tue Oct 15 23:58:07 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 23:58:07 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 23:58:07 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:08 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Oct 15 23:58:09 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Oct 15 23:58:09 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 23:58:09 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 23:58:09 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: route-related options modified
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: peer-id set
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Oct 15 23:58:09 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Oct 15 23:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:58:09 2019 Preserving previous TUN/TAP instance: tun0
Tue Oct 15 23:58:09 2019 Initialization Sequence Completed
Wed Oct 16 00:58:07 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 00:58:07 2019 VERIFY KU OK
Wed Oct 16 00:58:07 2019 Validating certificate extended key usage
Wed Oct 16 00:58:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 00:58:07 2019 VERIFY EKU OK
Wed Oct 16 00:58:07 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 00:58:07 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 00:58:07 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 00:58:07 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 01:58:07 2019 TLS: soft reset sec=0 bytes=27597/-1 pkts=705/0
Wed Oct 16 01:58:07 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 01:58:07 2019 VERIFY KU OK
Wed Oct 16 01:58:07 2019 Validating certificate extended key usage
Wed Oct 16 01:58:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 01:58:07 2019 VERIFY EKU OK
Wed Oct 16 01:58:07 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 01:58:08 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 01:58:08 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 01:58:08 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 02:58:07 2019 TLS: tls_process: killed expiring key
Wed Oct 16 02:58:08 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 02:58:08 2019 VERIFY KU OK
Wed Oct 16 02:58:08 2019 Validating certificate extended key usage
Wed Oct 16 02:58:08 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 02:58:08 2019 VERIFY EKU OK
Wed Oct 16 02:58:08 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 02:58:08 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 02:58:08 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 02:58:08 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 03:58:08 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 03:58:08 2019 VERIFY KU OK
Wed Oct 16 03:58:08 2019 Validating certificate extended key usage
Wed Oct 16 03:58:08 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 03:58:08 2019 VERIFY EKU OK
Wed Oct 16 03:58:08 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 03:58:08 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 03:58:08 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 03:58:08 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 04:58:09 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 04:58:09 2019 VERIFY KU OK
Wed Oct 16 04:58:09 2019 Validating certificate extended key usage
Wed Oct 16 04:58:09 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 04:58:09 2019 VERIFY EKU OK
Wed Oct 16 04:58:09 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 04:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 04:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 04:58:09 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 05:58:08 2019 TLS: tls_process: killed expiring key
Wed Oct 16 05:58:09 2019 TLS: soft reset sec=0 bytes=27597/-1 pkts=705/0
Wed Oct 16 05:58:09 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 05:58:09 2019 VERIFY KU OK
Wed Oct 16 05:58:09 2019 Validating certificate extended key usage
Wed Oct 16 05:58:09 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 05:58:09 2019 VERIFY EKU OK
Wed Oct 16 05:58:09 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 05:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 05:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 05:58:09 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 06:58:09 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 06:58:09 2019 VERIFY KU OK
Wed Oct 16 06:58:09 2019 Validating certificate extended key usage
Wed Oct 16 06:58:09 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 06:58:09 2019 VERIFY EKU OK
Wed Oct 16 06:58:09 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 06:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 06:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 06:58:09 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 07:58:09 2019 TLS: soft reset sec=0 bytes=27675/-1 pkts=707/0
Wed Oct 16 07:58:10 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 07:58:10 2019 VERIFY KU OK
Wed Oct 16 07:58:10 2019 Validating certificate extended key usage
Wed Oct 16 07:58:10 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 07:58:10 2019 VERIFY EKU OK
Wed Oct 16 07:58:10 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 07:58:10 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 07:58:10 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 07:58:10 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 08:58:09 2019 TLS: tls_process: killed expiring key
Wed Oct 16 08:58:10 2019 TLS: soft reset sec=0 bytes=27747/-1 pkts=707/0
Wed Oct 16 08:58:10 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 08:58:10 2019 VERIFY KU OK
Wed Oct 16 08:58:10 2019 Validating certificate extended key usage
Wed Oct 16 08:58:10 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 08:58:10 2019 VERIFY EKU OK
Wed Oct 16 08:58:10 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 08:58:11 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 08:58:11 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 08:58:11 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 09:53:41 2019 [server] Inactivity timeout (--ping-restart), restarting
Wed Oct 16 09:53:41 2019 SIGUSR1[soft,ping-restart] received, process restarting
Wed Oct 16 09:53:41 2019 Restart pause, 5 second(s)
Wed Oct 16 09:53:46 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:46 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Wed Oct 16 09:53:46 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Wed Oct 16 09:53:47 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:47 2019 TCP_CLIENT link local: (not bound)
Wed Oct 16 09:53:47 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:47 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=0c44d0e7 1576ad8d
Wed Oct 16 09:53:47 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 09:53:47 2019 VERIFY KU OK
Wed Oct 16 09:53:47 2019 Validating certificate extended key usage
Wed Oct 16 09:53:47 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 09:53:47 2019 VERIFY EKU OK
Wed Oct 16 09:53:47 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 09:53:47 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 09:53:47 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:49 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Oct 16 09:53:49 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Oct 16 09:53:49 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 09:53:49 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 09:53:49 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: route-related options modified
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: peer-id set
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: data channel crypto options modified
Wed Oct 16 09:53:49 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Oct 16 09:53:49 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 09:53:49 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 09:53:49 2019 Preserving previous TUN/TAP instance: tun0
Wed Oct 16 09:53:49 2019 Initialization Sequence Completed
Wed Oct 16 10:53:47 2019 TLS: soft reset sec=0 bytes=62402/-1 pkts=839/0
Wed Oct 16 10:53:47 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 10:53:47 2019 VERIFY KU OK
Wed Oct 16 10:53:47 2019 Validating certificate extended key usage
Wed Oct 16 10:53:47 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 10:53:47 2019 VERIFY EKU OK
Wed Oct 16 10:53:47 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 10:53:47 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 10:53:47 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 10:53:47 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 11:53:47 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 11:53:47 2019 VERIFY KU OK
Wed Oct 16 11:53:47 2019 Validating certificate extended key usage
Wed Oct 16 11:53:47 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 11:53:47 2019 VERIFY EKU OK
Wed Oct 16 11:53:47 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 11:53:48 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 11:53:48 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 11:53:48 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 12:53:47 2019 TLS: tls_process: killed expiring key
Wed Oct 16 12:53:48 2019 TLS: soft reset sec=0 bytes=27747/-1 pkts=707/0
Wed Oct 16 12:53:48 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 12:53:48 2019 VERIFY KU OK
Wed Oct 16 12:53:48 2019 Validating certificate extended key usage
Wed Oct 16 12:53:48 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 12:53:48 2019 VERIFY EKU OK
Wed Oct 16 12:53:48 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 12:53:49 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 12:53:49 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 12:53:49 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 13:19:57 2019 [server] Inactivity timeout (--ping-restart), restarting
Wed Oct 16 13:19:57 2019 SIGUSR1[soft,ping-restart] received, process restarting
Wed Oct 16 13:19:57 2019 Restart pause, 5 second(s)
Wed Oct 16 13:20:02 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:02 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Wed Oct 16 13:20:02 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Wed Oct 16 13:20:03 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:03 2019 TCP_CLIENT link local: (not bound)
Wed Oct 16 13:20:03 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:03 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=5c127c2c 65543524
Wed Oct 16 13:20:03 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 13:20:03 2019 VERIFY KU OK
Wed Oct 16 13:20:03 2019 Validating certificate extended key usage
Wed Oct 16 13:20:03 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 13:20:03 2019 VERIFY EKU OK
Wed Oct 16 13:20:03 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 13:20:03 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 13:20:03 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:04 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Oct 16 13:20:04 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Oct 16 13:20:04 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 13:20:04 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 13:20:04 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: route-related options modified
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: peer-id set
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: data channel crypto options modified
Wed Oct 16 13:20:04 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Oct 16 13:20:04 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 13:20:04 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 13:20:04 2019 Preserving previous TUN/TAP instance: tun0
Wed Oct 16 13:20:04 2019 Initialization Sequence Completed
From the Windows 10 client, I couldn't get OpenVPN to establish a connection. In fact, it is connecting. If I manually telnet against the port 1194, I get a connection. If OpenVPN tries to establish a connection, it gets immediately dropped, which makes me wonder if there is something wrong with the TLS setup on the client side. That being said, I can confirm that, from a low-level perspective (layer 3 / Networking), I can get a connection from the Windows 10 laptop to the Linux OpenVPN server. I see the packets are hitting my Linux server (tcpdump), an ACK is forming, however, after half a second, my connection gets rejected, probably by the OpenVPN service itself.
Here's an alternate output, from the Linux openvpn client, that I get whenever I change "ns-cert-type" to "remote-cert-tls", if that helps:
Code:
sudo openvpn --config /etc/openvpn/client.conf
Tue Oct 15 22:55:21 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Tue Oct 15 22:55:21 2019 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
Tue Oct 15 22:55:21 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 22:55:21 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 22:55:21 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:21 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Tue Oct 15 22:55:21 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Tue Oct 15 22:55:22 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:22 2019 TCP_CLIENT link local: (not bound)
Tue Oct 15 22:55:22 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:22 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=18890315 a25acdee
Tue Oct 15 22:55:22 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 22:55:22 2019 VERIFY KU OK
Tue Oct 15 22:55:22 2019 Validating certificate extended key usage
Tue Oct 15 22:55:22 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 15 22:55:22 2019 VERIFY EKU OK
Tue Oct 15 22:55:22 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 22:55:23 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 22:55:23 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:24 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Oct 15 22:55:24 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Oct 15 22:55:24 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:55:24 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:55:24 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: route-related options modified
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: peer-id set
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Oct 15 22:55:24 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Oct 15 22:55:24 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 22:55:24 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 22:55:24 2019 TUN/TAP device tun0 opened
Tue Oct 15 22:55:24 2019 TUN/TAP TX queue length set to 100
Tue Oct 15 22:55:24 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Oct 15 22:55:24 2019 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct 15 22:55:24 2019 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Tue Oct 15 22:55:24 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 15 22:55:24 2019 Initialization Sequence Completed
Tue Oct 15 23:55:23 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 23:55:23 2019 VERIFY KU OK
Tue Oct 15 23:55:23 2019 Validating certificate extended key usage
Tue Oct 15 23:55:23 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 15 23:55:23 2019 VERIFY EKU OK
Tue Oct 15 23:55:23 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 23:55:23 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:55:23 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:55:23 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 23:58:01 2019 Connection reset, restarting [0]
Tue Oct 15 23:58:01 2019 SIGUSR1[soft,connection-reset] received, process restarting
Tue Oct 15 23:58:01 2019 Restart pause, 5 second(s)
Tue Oct 15 23:58:06 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:06 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Tue Oct 15 23:58:06 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Tue Oct 15 23:58:07 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:07 2019 TCP_CLIENT link local: (not bound)
Tue Oct 15 23:58:07 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:07 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=9a0d4959 da0fd296
Tue Oct 15 23:58:07 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 23:58:07 2019 VERIFY KU OK
Tue Oct 15 23:58:07 2019 Validating certificate extended key usage
Tue Oct 15 23:58:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 15 23:58:07 2019 VERIFY EKU OK
Tue Oct 15 23:58:07 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 23:58:07 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 23:58:07 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:08 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Oct 15 23:58:09 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Oct 15 23:58:09 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 23:58:09 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 23:58:09 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: route-related options modified
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: peer-id set
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Oct 15 23:58:09 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Oct 15 23:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:58:09 2019 Preserving previous TUN/TAP instance: tun0
Tue Oct 15 23:58:09 2019 Initialization Sequence Completed
Wed Oct 16 00:58:07 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 00:58:07 2019 VERIFY KU OK
Wed Oct 16 00:58:07 2019 Validating certificate extended key usage
Wed Oct 16 00:58:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 00:58:07 2019 VERIFY EKU OK
Wed Oct 16 00:58:07 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 00:58:07 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 00:58:07 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 00:58:07 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 01:58:07 2019 TLS: soft reset sec=0 bytes=27597/-1 pkts=705/0
Wed Oct 16 01:58:07 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 01:58:07 2019 VERIFY KU OK
Wed Oct 16 01:58:07 2019 Validating certificate extended key usage
Wed Oct 16 01:58:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 01:58:07 2019 VERIFY EKU OK
Wed Oct 16 01:58:07 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 01:58:08 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 01:58:08 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 01:58:08 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 02:58:07 2019 TLS: tls_process: killed expiring key
Wed Oct 16 02:58:08 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 02:58:08 2019 VERIFY KU OK
Wed Oct 16 02:58:08 2019 Validating certificate extended key usage
Wed Oct 16 02:58:08 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 02:58:08 2019 VERIFY EKU OK
Wed Oct 16 02:58:08 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 02:58:08 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 02:58:08 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 02:58:08 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 03:58:08 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 03:58:08 2019 VERIFY KU OK
Wed Oct 16 03:58:08 2019 Validating certificate extended key usage
Wed Oct 16 03:58:08 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 03:58:08 2019 VERIFY EKU OK
Wed Oct 16 03:58:08 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 03:58:08 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 03:58:08 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 03:58:08 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 04:58:09 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 04:58:09 2019 VERIFY KU OK
Wed Oct 16 04:58:09 2019 Validating certificate extended key usage
Wed Oct 16 04:58:09 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 04:58:09 2019 VERIFY EKU OK
Wed Oct 16 04:58:09 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 04:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 04:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 04:58:09 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 05:58:08 2019 TLS: tls_process: killed expiring key
Wed Oct 16 05:58:09 2019 TLS: soft reset sec=0 bytes=27597/-1 pkts=705/0
Wed Oct 16 05:58:09 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 05:58:09 2019 VERIFY KU OK
Wed Oct 16 05:58:09 2019 Validating certificate extended key usage
Wed Oct 16 05:58:09 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 05:58:09 2019 VERIFY EKU OK
Wed Oct 16 05:58:09 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 05:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 05:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 05:58:09 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 06:58:09 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 06:58:09 2019 VERIFY KU OK
Wed Oct 16 06:58:09 2019 Validating certificate extended key usage
Wed Oct 16 06:58:09 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 06:58:09 2019 VERIFY EKU OK
Wed Oct 16 06:58:09 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 06:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 06:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 06:58:09 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 07:58:09 2019 TLS: soft reset sec=0 bytes=27675/-1 pkts=707/0
Wed Oct 16 07:58:10 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 07:58:10 2019 VERIFY KU OK
Wed Oct 16 07:58:10 2019 Validating certificate extended key usage
Wed Oct 16 07:58:10 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 07:58:10 2019 VERIFY EKU OK
Wed Oct 16 07:58:10 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 07:58:10 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 07:58:10 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 07:58:10 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 08:58:09 2019 TLS: tls_process: killed expiring key
Wed Oct 16 08:58:10 2019 TLS: soft reset sec=0 bytes=27747/-1 pkts=707/0
Wed Oct 16 08:58:10 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 08:58:10 2019 VERIFY KU OK
Wed Oct 16 08:58:10 2019 Validating certificate extended key usage
Wed Oct 16 08:58:10 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 08:58:10 2019 VERIFY EKU OK
Wed Oct 16 08:58:10 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 08:58:11 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 08:58:11 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 08:58:11 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 09:53:41 2019 [server] Inactivity timeout (--ping-restart), restarting
Wed Oct 16 09:53:41 2019 SIGUSR1[soft,ping-restart] received, process restarting
Wed Oct 16 09:53:41 2019 Restart pause, 5 second(s)
Wed Oct 16 09:53:46 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:46 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Wed Oct 16 09:53:46 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Wed Oct 16 09:53:47 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:47 2019 TCP_CLIENT link local: (not bound)
Wed Oct 16 09:53:47 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:47 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=0c44d0e7 1576ad8d
Wed Oct 16 09:53:47 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 09:53:47 2019 VERIFY KU OK
Wed Oct 16 09:53:47 2019 Validating certificate extended key usage
Wed Oct 16 09:53:47 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 09:53:47 2019 VERIFY EKU OK
Wed Oct 16 09:53:47 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 09:53:47 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 09:53:47 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:49 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Oct 16 09:53:49 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Oct 16 09:53:49 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 09:53:49 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 09:53:49 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: route-related options modified
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: peer-id set
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: data channel crypto options modified
Wed Oct 16 09:53:49 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Oct 16 09:53:49 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 09:53:49 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 09:53:49 2019 Preserving previous TUN/TAP instance: tun0
Wed Oct 16 09:53:49 2019 Initialization Sequence Completed
Wed Oct 16 10:53:47 2019 TLS: soft reset sec=0 bytes=62402/-1 pkts=839/0
Wed Oct 16 10:53:47 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 10:53:47 2019 VERIFY KU OK
Wed Oct 16 10:53:47 2019 Validating certificate extended key usage
Wed Oct 16 10:53:47 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 10:53:47 2019 VERIFY EKU OK
Wed Oct 16 10:53:47 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 10:53:47 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 10:53:47 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 10:53:47 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 11:53:47 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 11:53:47 2019 VERIFY KU OK
Wed Oct 16 11:53:47 2019 Validating certificate extended key usage
Wed Oct 16 11:53:47 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 11:53:47 2019 VERIFY EKU OK
Wed Oct 16 11:53:47 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 11:53:48 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 11:53:48 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 11:53:48 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 12:53:47 2019 TLS: tls_process: killed expiring key
Wed Oct 16 12:53:48 2019 TLS: soft reset sec=0 bytes=27747/-1 pkts=707/0
Wed Oct 16 12:53:48 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 12:53:48 2019 VERIFY KU OK
Wed Oct 16 12:53:48 2019 Validating certificate extended key usage
Wed Oct 16 12:53:48 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 12:53:48 2019 VERIFY EKU OK
Wed Oct 16 12:53:48 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 12:53:49 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 12:53:49 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 12:53:49 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 13:19:57 2019 [server] Inactivity timeout (--ping-restart), restarting
Wed Oct 16 13:19:57 2019 SIGUSR1[soft,ping-restart] received, process restarting
Wed Oct 16 13:19:57 2019 Restart pause, 5 second(s)
Wed Oct 16 13:20:02 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:02 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Wed Oct 16 13:20:02 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Wed Oct 16 13:20:03 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:03 2019 TCP_CLIENT link local: (not bound)
Wed Oct 16 13:20:03 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:03 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=5c127c2c 65543524
Wed Oct 16 13:20:03 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 13:20:03 2019 VERIFY KU OK
Wed Oct 16 13:20:03 2019 Validating certificate extended key usage
Wed Oct 16 13:20:03 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 13:20:03 2019 VERIFY EKU OK
Wed Oct 16 13:20:03 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 13:20:03 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 13:20:03 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:04 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Oct 16 13:20:04 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Oct 16 13:20:04 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 13:20:04 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 13:20:04 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: route-related options modified
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: peer-id set
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: data channel crypto options modified
Wed Oct 16 13:20:04 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Oct 16 13:20:04 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 13:20:04 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 13:20:04 2019 Preserving previous TUN/TAP instance: tun0
Wed Oct 16 13:20:04 2019 Initialization Sequence Completed
So far, so good. Below is the output I get from the Windows 10 client (which is failing):
Code:
Tue Oct 15 21:11:11 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
Tue Oct 15 21:11:11 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Oct 15 21:11:11 2019 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
Enter Management Password:
Tue Oct 15 21:11:11 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Oct 15 21:11:11 2019 Need hold release from management interface, waiting...
Tue Oct 15 21:11:12 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Oct 15 21:11:12 2019 MANAGEMENT: CMD 'state on'
Tue Oct 15 21:11:12 2019 MANAGEMENT: CMD 'log all on'
Tue Oct 15 21:11:12 2019 MANAGEMENT: CMD 'echo all on'
Tue Oct 15 21:11:12 2019 MANAGEMENT: CMD 'bytecount 5'
Tue Oct 15 21:11:12 2019 MANAGEMENT: CMD 'hold off'
Tue Oct 15 21:11:12 2019 MANAGEMENT: CMD 'hold release'
Tue Oct 15 21:11:12 2019 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Tue Oct 15 21:11:12 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 21:11:12 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 21:11:12 2019 MANAGEMENT: >STATE:1571184672,RESOLVE,,,,,,
Tue Oct 15 21:11:12 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Tue Oct 15 21:11:12 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Oct 15 21:11:12 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Tue Oct 15 21:11:12 2019 MANAGEMENT: >STATE:1571184672,TCP_CONNECT,,,,,,
Tue Oct 15 21:11:13 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Tue Oct 15 21:11:13 2019 TCP_CLIENT link local: (not bound)
Tue Oct 15 21:11:13 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Tue Oct 15 21:11:13 2019 MANAGEMENT: >STATE:1571184673,WAIT,,,,,,
Tue Oct 15 21:11:13 2019 Connection reset, restarting [0]
Tue Oct 15 21:11:13 2019 SIGUSR1[soft,connection-reset] received, process restarting
Tue Oct 15 21:11:13 2019 MANAGEMENT: >STATE:1571184673,RECONNECTING,connection-reset,,,,,
Tue Oct 15 21:11:13 2019 Restart pause, 5 second(s)
Tue Oct 15 21:11:18 2019 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Tue Oct 15 21:11:18 2019 MANAGEMENT: >STATE:1571184678,RESOLVE,,,,,,
Tue Oct 15 21:11:18 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Tue Oct 15 21:11:18 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Oct 15 21:11:18 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Tue Oct 15 21:11:18 2019 MANAGEMENT: >STATE:1571184678,TCP_CONNECT,,,,,,
Tue Oct 15 21:11:19 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Tue Oct 15 21:11:19 2019 TCP_CLIENT link local: (not bound)
Tue Oct 15 21:11:19 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Tue Oct 15 21:11:19 2019 MANAGEMENT: >STATE:1571184679,WAIT,,,,,,
Tue Oct 15 21:11:19 2019 Connection reset, restarting [0]
Tue Oct 15 21:11:19 2019 SIGUSR1[soft,connection-reset] received, process restarting
Tue Oct 15 21:11:19 2019 MANAGEMENT: >STATE:1571184679,RECONNECTING,connection-reset,,,,,
Tue Oct 15 21:11:19 2019 Restart pause, 5 second(s)
Tue Oct 15 21:11:21 2019 SIGTERM[hard,init_instance] received, process exiting
Tue Oct 15 21:11:21 2019 MANAGEMENT: >STATE:1571184681,EXITING,init_instance,,,,,
My server side config, /etc/openvpn/server.conf:
Code:
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
topology subnet
cipher AES-256-CBC
auth SHA512
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 7
tls-server
#tls-auth /etc/openvpn/pfs.key
tls-auth /etc/openvpn/easy-rsa/pfs.key
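Added example, not part of the original post: a small Python triage script that reports how far each connection attempt in an OpenVPN client log got, so the working and failing logs above can be compared stage by stage. The two sample logs are constructed from the shape of the logs in the post (timestamps dropped, 192.0.2.10 as a placeholder address), and the stage names are labels chosen for this example.

```python
import re

# Handshake milestones in the order an OpenVPN 2.4 client logs them.
# The stage names on the left are labels chosen for this example.
STAGES = [
    ("tcp_connected", "TCP connection established"),
    ("server_replied", "TLS: Initial packet from"),
    ("server_cert_ok", "VERIFY OK: depth=0"),
    ("tls_up", "Peer Connection Initiated"),
    ("push_received", "PUSH: Received control message"),
    ("tunnel_up", "Initialization Sequence Completed"),
]
END_REASON = re.compile(r"SIGUSR1\[soft,([a-z-]+)\]|SIGTERM\[hard,([a-z_]+)\]")
REJECTED = re.compile(r"Options error: option '([^']+)' cannot be used")

# Constructed samples (timestamps dropped, placeholder address 192.0.2.10).
WINDOWS_SAMPLE = """\
Attempting to establish TCP connection with [AF_INET]192.0.2.10:1194 [nonblock]
TCP connection established with [AF_INET]192.0.2.10:1194
MANAGEMENT: >STATE:1571184673,WAIT,,,,,,
Connection reset, restarting [0]
SIGUSR1[soft,connection-reset] received, process restarting
"""
LINUX_SAMPLE = """\
Attempting to establish TCP connection with [AF_INET]192.0.2.10:1194 [nonblock]
TCP connection established with [AF_INET]192.0.2.10:1194
TLS: Initial packet from [AF_INET]192.0.2.10:1194, sid=00000000 00000000
VERIFY OK: depth=1, CN=Easy-RSA CA
VERIFY OK: depth=0, CN=server
[server] Peer Connection Initiated with [AF_INET]192.0.2.10:1194
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8'
Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Initialization Sequence Completed
"""


def split_attempts(log_text):
    """Split a client log into attempts; each starts at a TCP connect line."""
    attempts, current = [], None
    for line in log_text.splitlines():
        if "Attempting to establish TCP connection" in line:
            current = []
            attempts.append(current)
        if current is not None:
            current.append(line)
    return attempts


def triage(attempt):
    """Furthest milestone reached, restart/exit reason, rejected pushed options."""
    text = "\n".join(attempt)
    reached = "none"
    for name, marker in STAGES:
        if marker not in text:
            break
        reached = name
    m = END_REASON.search(text)
    ended = (m.group(1) or m.group(2)) if m else None
    return {"reached": reached, "ended": ended,
            "rejected_push": sorted(set(REJECTED.findall(text)))}


def first_missing_stage(log_text):
    """First milestone the last attempt never reached (None if the tunnel came up)."""
    names = ["none"] + [name for name, _ in STAGES]
    idx = names.index(triage(split_attempts(log_text)[-1])["reached"])
    return names[idx + 1] if idx + 1 < len(names) else None


if __name__ == "__main__":
    for label, sample in (("windows", WINDOWS_SAMPLE), ("linux", LINUX_SAMPLE)):
        print(label, [triage(a) for a in split_attempts(sample)], first_missing_stage(sample))
```

On the Windows-style sample the attempt stops at `tcp_connected`: no `TLS: Initial packet` line appears, so the reset comes before any certificate is checked, and the server-side log for that moment is where the cause will show. The Linux-style sample reaches `tunnel_up` but lists `redirect-gateway` and `dhcp-option` as pushed options the client refused to apply.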