Closed SherZCHR closed 6 months ago
Try enabling legacy algorithms:
$ openvpn3 config-manage --config CONFIG_NAME --enable-legacy-algorithms true
You need to have pre-imported the configuration file first, though.
$ openvpn3 config-import --persistent --name CONFIG_NAME --config CONFIG_FILE
Then you can start the config using
$ openvpn3 session-start --config CONFIG_NAME
Hi, I enabled it but it isn't working :/
My CA algorithm signature is : ecdsa-with-SHA256
I don't understand why I still have this error on my Openvpn Server :
I thought it was an issue from the module I want to use, but when I disable it on my OpenVPN server and client, it isn't working. So the problem is really from the openvpn3 client. I can try to change all my CA to have a 4096-bit RSA signature or maybe update to the latest version of openssl 3 on my Ubuntu.
Regards
That sounds more like a messed up CA than anything else.
But when I'm trying to use my conf with Openvpn (2.5.6) it's working well :/
OpenVPN 3 Linux and the OpenVPN 3 Core Library 3.8 are by default a lot stricter out-of-the-box than OpenVPN 2.x.
Can you post a log with --verb 4 from OpenVPN 2.x in that case?
Here it is: openvpn.log
Please also run another test:
$ /usr/bin/openvpn2 --config CONFIG_FILE --verb 6
(this cannot use the pre-imported configuration, but will give a similar log output on the connection failure)
With the wrapper OpenVPN 2.x for OpenVPN, it isn't working and I have the same problem.
But when I use the OpenVPN package from apt, version 2.5.5, it's working well :/
Could it be an issue from openvpn3, which is stricter than openvpn 2.5.5?
@SherZCHR We want to see the full log of openvpn2 until it errors out, to better compare
The interesting lines from the OpenVPN 2.x log:
2024-02-01 11:39:42 us=278990 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256
secp256r1 is not the best cipher but it is still accepted in normal security levels of openssl
2024-02-01 11:39:38 us=616397 library versions: OpenSSL 3.1.0 14 Mar 2023, LZO 2.10
@SherZCHR do you have the possibility to create certificates that you can share that would allow us to reproduce the problem?
@dsommers for the log with the openvpn2 command, I don't have any logs on the client side, but for the server side: serv_ovpn.log
@schwabe I don't have the possibility to create a certificate for you; I use a smallstep CA, FYI
Hi, I tried to change my CA, and it's working well when I use Easy-RSA. I don't know why it isn't working when I'm trying to use smallstep CA. Do you have an idea of what the problem is and if smallstep is managed?
Regards,
For us to be able to understand why the "smallstep CA" isn't working, we need to see a smallstep created certificate to inspect it.
Since it is working with Easy-RSA, I'm closing this issue and converting it to a Q&A discussion. This is more a support case, not an issue in OpenVPN 3 Linux.
Hi! I'm trying to use openvpn3 in order to add MFA on my VPN connection. I have a problem: I tried to enable my VPN connection but I got this error:
VERIFY ERROR: depth=0, error=unable to get local issuer certificate:
OpenSSL: error:0A000086:SSL routines::certificate verify failed:
I searched to find why I have this problem. It said it's an RSA problem because my CA isn't using 4096-bit RSA. So I tried to change my algorithm to ECDSA with an ECDSA-SHA256 signature, but nothing changed either. I think the problem comes from openvpn3, because when I try to bring up my VPN connection with openvpn (2.6.5) the connection is good. I also tried to deactivate my tls-cipher security with: tls-cipher "DEFAULT:@SECLEVEL=0" but it's not working ...
Can we have more information on which ciphers are supported on this version of openvpn? Or can you help me understand why this connection isn't working with openvpn3?
I really need to use it, because the oauth2 module doesn't work with openvpn 2.5.6. Regards,
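The VERIFY ERROR quoted in the question is OpenSSL's message for a chain in which the issuer of the depth-0 (peer) certificate cannot be found among the trusted CA certificates. The script below is an added example, not part of the thread and not a diagnosis of this case: it builds a constructed root, intermediate and leaf with the key type and signature algorithm seen in the log (prime256v1, ecdsa-with-SHA256) and checks the leaf against two different CA files. All file names and subject names are hypothetical.

```shell
#!/bin/sh
# Constructed throw-away PKI: root -> intermediate -> leaf (all names hypothetical).
WORK=$(mktemp -d)   # remove this directory when done

# mkcert NAME IS_CA [ISSUER]: EC prime256v1 key, ecdsa-with-SHA256 signature.
mkcert() {
    name=$1; is_ca=$2; issuer=$3
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key"
    openssl req -new -key "$WORK/$name.key" -subj "/CN=example $name" \
        -out "$WORK/$name.csr"
    printf 'basicConstraints=critical,CA:%s\n' "$is_ca" > "$WORK/$name.ext"
    if [ -z "$issuer" ]; then   # no issuer given: self-signed root
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -sha256 -days 1 -extfile "$WORK/$name.ext" \
            -out "$WORK/$name.crt" 2>/dev/null
    else                        # signed by an existing CA from this script
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
            -CAkey "$WORK/$issuer.key" -CAcreateserial -sha256 -days 1 \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
    fi
}

# describe CERT: the fields worth comparing between two CAs' certificates.
describe() {
    openssl x509 -in "$1" -noout -subject -issuer
    openssl x509 -in "$1" -noout -text | grep -m1 'Signature Algorithm'
}

# verify_leaf CAFILE: check the leaf against exactly the certificates in CAFILE.
verify_leaf() {
    openssl verify -CAfile "$1" "$WORK/leaf.crt" 2>&1
}

mkcert root TRUE
mkcert intermediate TRUE root
mkcert leaf FALSE intermediate
cat "$WORK/intermediate.crt" "$WORK/root.crt" > "$WORK/bundle.pem"

describe "$WORK/leaf.crt"
echo "--- CA file holds only the root:"
verify_leaf "$WORK/root.crt" || echo "(issuer of the leaf is not in the CA file)"
echo "--- CA file holds intermediate + root:"
verify_leaf "$WORK/bundle.pem"
```

The same `describe` and `openssl verify -CAfile` calls can be pointed at a real peer certificate and the CA file referenced by an OpenVPN configuration to see which issuer the chain is missing.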