Author Topic: VPN does not work with e.g. "Tunnelblick" anymore > ns-cert-type?  (Read 6694 times)

hirschferkel

« on: March 02, 2018, 11:11:24 am »
Hi there,

I do not exactly know how to fix the following problem and appreciate any help. I can't connect to my VPN anymore. I used the app "Tunnelblick" to connect to the OPNsense VPN but since today I get the following errors:

Code:
2018-03-02 11:04:28 VERIFY ERROR: depth=1, error=certificate has expired: C=DE, ST=****, L=****, O=***, emailAddress=s.***@***.de, CN=internal-ca
2018-03-02 11:04:28 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2018-03-02 11:04:28 TLS_ERROR: BIO read tls_read_plaintext error
2018-03-02 11:04:28 TLS Error: TLS object -> incoming plaintext read error
2018-03-02 11:04:28 TLS Error: TLS handshake failed

And as I installed the current Beta Version of Tunnelblick, I got this message:

Code:
Achtung: Dieses VPN kann möglicherweise in der Zukunft nicht verbunden werden.

Die OpenVPN Konfigurationsdatei für "kerberos-udp-1194-***" enthält die folgenden OpenVPN Optionen:

[b]"ns-cert-type" gilt seit OpenVPN 2.4 als unerwünscht und wurde in OpenVPN 2.5 entfernt[/b]

Sie sollten die Konfiguration aktualisieren, damit sie mit modernen Versionen von OpenVPN genutzt werden kann.

Tunnelblick wird OpenVPN 2.4.4 - OpenSSL v1.0.2n nutzen, um diese Konfiguration zu verbinden.

Dennoch können Sie dieses VPN mit zukünftigen Versionen von Tunnelblick, die nicht eine Version von OpenVPN beinhalten, die diese Optionen akzeptiert, nicht verbinden.

and also:
Code:
"WARNING: Your certificate has expired!".
All the best, hirschferkel
« Last Edit: March 02, 2018, 11:13:57 am by hirschferkel »

BeNe

« Reply #1 on: March 02, 2018, 01:58:02 pm »
Did you upgrade Tunnelblick? They changed the SSL version. In order to fix it so that the VPN client can connect again, change from using Latest (2.4.4 - LibreSSL v2.6.2) to Default (2.3.18 - OpenSSL v1.0.2m).

Go to the section in Tunnelblick titled Settings.
Change the OpenVPN Version field from Latest (2.4.4 - LibreSSL v2.6.2) to Default (2.3.18 - OpenSSL v1.0.2m).

Hope this helps!

franco

« Reply #2 on: March 02, 2018, 02:25:56 pm »
Expired messages will probably cause Tunnelblick to stop connecting. If that's the case, the certificate and/or CA need to be refreshed.

ns-cert-type is no longer available since 17.7.4. It's in the exported configuration only, so it was created before this particular version. It has the wrong value and needs to be edited accordingly, changing it to "remote-cert-tls".

https://github.com/opnsense/changelog/blob/59d575b04


Cheers,
Franco
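
The edit described in the reply above, as an added example that is not part of the original thread or of OPNsense: a small Python helper that rewrites the deprecated `ns-cert-type` line in an exported client configuration to `remote-cert-tls`. The sample configuration, the host name `vpn.example.org` and the function name `migrate_ovpn` are constructed for illustration.

```python
import re

# Deprecated directive (removed in OpenVPN 2.5) with its argument.
OLD = re.compile(r"^(\s*)ns-cert-type(\s+)(server|client)\b(.*)$")
NEW = re.compile(r"^\s*remote-cert-tls\s")
BLOCK_OPEN = re.compile(r"^\s*<([A-Za-z][\w-]*)>\s*$")

# Constructed sample of an old exported client config (not from the thread).
SAMPLE = """\
client
dev tun
proto udp
remote vpn.example.org 1194
# ns-cert-type server   (commented-out note, must stay untouched)
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
ns-cert-type server
-----END CERTIFICATE-----
</ca>
"""

def migrate_ovpn(text):
    """Return (new_text, changed_line_numbers) for an OpenVPN config."""
    lines = text.splitlines()
    has_new = any(NEW.match(l) for l in lines)
    out, changed, block = [], [], None
    for no, line in enumerate(lines, 1):
        if block:  # inside an inline <ca>/<cert>/<key> block: copy verbatim
            if line.strip() == "</%s>" % block:
                block = None
            out.append(line)
        elif BLOCK_OPEN.match(line):
            block = BLOCK_OPEN.match(line).group(1)
            out.append(line)
        elif OLD.match(line):
            changed.append(no)
            if not has_new:  # avoid a duplicate if already migrated by hand
                out.append("%sremote-cert-tls%s%s%s" % OLD.match(line).groups())
                has_new = True
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed

if __name__ == "__main__":
    new_text, changed = migrate_ovpn(SAMPLE)
    print("rewrote line(s):", changed)
    print(new_text, end="")
```

`remote-cert-tls server` checks the peer certificate's key usage and extended key usage rather than the Netscape certificate type, so the server certificate has to carry those extensions for the handshake to succeed after the change.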

hirschferkel

« Reply #3 on: March 05, 2018, 10:10:14 am »
@Franco: Hi Franco, actually your link causes a 404... Could you send the proper link again? Best

franco

« Reply #4 on: March 05, 2018, 10:15:11 am »
Sorry, trimmed the wrong link: https://github.com/opnsense/changelog/blob/59d575b04473f25e02b8573796121f8ef4a3c47a/doc/17.7/17.7.4#L22

hirschferkel

« Reply #5 on: March 06, 2018, 01:56:52 pm »
O.k. I updated the CAs and certificates and everything works again. Thanks for your help, best
