OpenVPN / openvpn3-linux

OpenVPN 3 Linux client
GNU Affero General Public License v3.0

TLS Error with openvpn3 #232

Closed SherZCHR closed 6 months ago

SherZCHR commented 7 months ago

Hi! I am trying to use openvpn3 in order to add MFA to my VPN connection. I have a problem: I tried to enable my VPN connection but I got this error: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: OpenSSL: error:0A000086:SSL routines::certificate verify failed:

I searched to find out why I have this problem. It said it's an RSA problem because my CA isn't using 4096-bit RSA. So I tried to change my algorithm to ECDSA with an ECDSA-SHA256 signature, but nothing either. I think the problem comes from openvpn3, because when I try to bring up my VPN connection with openvpn (2.6.5) the connection is good. I also tried to deactivate my tls-ciphers security with: tls-cipher "DEFAULT:@SECLEVEL=0" but it's not working ...

Can we have more information on which ciphers are supported in this version of openvpn? Or can you help me understand why this connection isn't working with openvpn3?

I really need to use it, because the oauth2 module doesn't work with openvpn 2.5.6. Regards,

dsommers commented 7 months ago

Try enabling legacy algorithms:

$ openvpn3 config-manage --config CONFIG_NAME --enable-legacy-algorithms true

You need to have pre-imported the configuration file first, though.

$ openvpn3 config-import --persistent --name CONFIG_NAME --config CONFIG_FILE

Then you can start the config using

$ openvpn3 session-start --config CONFIG_NAME

SherZCHR commented 7 months ago

Hi, I enabled it but it isn't working :/

My CA signature algorithm is: ecdsa-with-SHA256. I don't understand why I still have this error on my Openvpn Server: image

I thought it was an issue from the module I want to use, but when I disable it on my openvpn server and client, it isn't working. So the problem is really from the openvpn3 client. I can try to change all my CA to have a 4096-bit RSA signature, or maybe update to the latest version of OpenSSL 3 on my Ubuntu.

Regards

schwabe commented 7 months ago

That sounds more like a messed up CA than anything else.
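
The verify error quoted in the issue, "unable to get local issuer certificate" at depth=0, is what OpenSSL reports when the certificate that issued the server's certificate cannot be found in the trust file. The following shell script is an added example, not code from this thread or from the openvpn3-linux project, and it does not claim to be the cause of this particular report. It builds a throwaway root -> intermediate -> server chain with the same key and signature types the OpenVPN 2.x log shows (P-256, ecdsa-with-SHA256), then runs the same path validation a client performs against its ca file, once with only the root and once with the root plus intermediate bundled. It assumes the openssl CLI (1.1.1 or 3.x) is on PATH; every file name and subject name in it is constructed.

```shell
#!/bin/sh
# Added example, not from the issue thread or the openvpn3-linux project.
# Builds a throwaway root -> intermediate -> server chain (P-256 keys,
# ecdsa-with-SHA256 signatures, as in the OpenVPN 2.x log) and shows when
# OpenSSL reports "unable to get local issuer certificate" at depth 0 and
# when it does not. Assumes the openssl CLI (1.1.1 or 3.x) is on PATH;
# all file names and subject names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# X.509 extension profiles: one for CA certificates, one for the server leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\n' \
  > "$WORK/leaf.ext"

# gen_key NAME: P-256 private key (the curve the log prints as prime256v1).
gen_key() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
}

# csr NAME SUBJECT: certificate request for NAME's key.
csr() {
  openssl req -new -key "$WORK/$1.key" -sha256 -subj "$2" -out "$WORK/$1.csr"
}

# Self-signed root CA.
gen_key root
csr root "/CN=Example Root CA"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 -sha256 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

# sign NAME ISSUER EXT: sign NAME's request with ISSUER's key using profile EXT.
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/$3.ext" -out "$WORK/$1.pem" 2>/dev/null
}

gen_key int;    csr int    "/CN=Example Intermediate CA"; sign int    root ca
gen_key server; csr server "/CN=vpn.example.test";        sign server int  leaf

# verify_leaf TRUSTFILE LEAF: validate LEAF against TRUSTFILE the way a client
# validates the server certificate against its ca file. Prints "ok" on success,
# otherwise the first "error N at D depth lookup: ..." line; never aborts.
verify_leaf() {
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
    echo ok
  else
    echo "$out" | grep 'depth lookup' | head -n 1 || echo "$out"
  fi
}

# cert_algos CERT: key type, curve and signature algorithm of CERT, the fields
# the thread compares between the two clients.
cert_algos() {
  openssl x509 -in "$1" -noout -text \
    | grep -E 'Signature Algorithm|Public Key Algorithm|NIST CURVE' \
    | sed 's/^ *//' | sort -u
}

# Trust file holding only the root: the leaf's issuer (the intermediate) is
# missing, which produces the depth-0 "unable to get local issuer" failure.
echo "root only: $(verify_leaf "$WORK/root.pem" "$WORK/server.pem")"

# Trust file bundling root and intermediate, which a ca file needs when the CA
# issues through an intermediate: the chain builds and verification passes.
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/ca-bundle.pem"
echo "root+int:  $(verify_leaf "$WORK/ca-bundle.pem" "$WORK/server.pem")"

cert_algos "$WORK/server.pem"
```

Running verify_leaf with the real ca file and the real server certificate (or, for the server side, the client certificate) separates a trust-file or chain problem from a cipher or security-level problem: a missing issuer fails with the same message at depth 0 regardless of which algorithms or security level are configured, while cert_algos shows whether the key and signature types actually differ between the certificates the two clients were tested with.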

SherZCHR commented 7 months ago

But when I'm trying to use my conf with Openvpn (2.5.6), it's working well :/

dsommers commented 7 months ago

OpenVPN 3 Linux and the OpenVPN 3 Core Library 3.8 are by default a lot stricter out of the box than OpenVPN 2.x.

schwabe commented 7 months ago

Can you post a log with --verb 4 from OpenVPN 2.x in that case?

SherZCHR commented 7 months ago

Here is it openvpn.log

dsommers commented 7 months ago

Please also run another test:

$ /usr/bin/openvpn2 --config CONFIG_FILE --verb 6

(this cannot use the pre-imported configuration, but will give a similar log output on the connection failure)

SherZCHR commented 7 months ago

With the Openvpn 2.X wrapper for OpenVPN it isn't working and I have the same problem.

But when I use the Openvpn package from apt, version 2.5.5, it's working well :/

Could it be an issue from openvpn3 being stricter than openvpn 2.5.5?

dsommers commented 7 months ago

@SherZCHR We want to see the full log of openvpn2 until it errors out, to better compare.

schwabe commented 7 months ago

The interesting lines from the OpenVPN 2.x log:

2024-02-01 11:39:42 us=278990 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256

secp256r1 is not the best cipher, but it is still accepted in normal security levels of OpenSSL.

2024-02-01 11:39:38 us=616397 library versions: OpenSSL 3.1.0 14 Mar 2023, LZO 2.10

@SherZCHR do you have the possibility to create certificates that you can share that would allow us to reproduce the problem?

SherZCHR commented 7 months ago

@dsommers for the log with the openvpn2 command I don't have any logs on the client side, but for the server side: serv_ovpn.log

@schwabe I don't have the possibility to create a certificate for you; I use a smallstep CA, FYI.

SherZCHR commented 6 months ago

Hi, I tried to change my CA, and it's working well when I use Easy-RSA. I don't know why it isn't working when I'm trying to use smallstep CA. Have you an idea of what the problem is and whether smallstep is supported?

Regards,

dsommers commented 6 months ago

For us to be able to understand why the "smallstep CA" isn't working, we need to see a smallstep created certificate to inspect it.

Since it is working with Easy-RSA, I'm closing this issue and converting it to a Q&A discussion. This is more of a support case, not an issue in OpenVPN 3 Linux.