OPNsense Forum

English Forums => Virtual private networks => Topic started by: jorgevisentini on April 26, 2024, 04:46:15 PM

Title: Sent fatal SSL alert: unsupported certificate
Post by: jorgevisentini on April 26, 2024, 04:46:15 PM
Hi all! Big Friday! lol

So... I installed OPNsense 24.1.6, created the CA and the server certificate, and configured OpenVPN, but when I try to connect I get the errors below.

Packages:
base 24.1.5
openssh-portable 9.7.p1,1
openssl 3.0.13_3,1
easy-rsa 3.1.7
openvpn 2.6.10

MANAGEMENT: Client connected from /var/etc/openvpn/instance-f66d5a6f-08c6-49c3-bfb4-6497f183d284.sock
201.43.198.169:49300 SIGUSR1[soft,tls-error] received, client-instance restarting
201.43.198.169:49300 TLS Error: TLS handshake failed
201.43.198.169:49300 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
MANAGEMENT: Client disconnected
MANAGEMENT: CMD 'quit'
MANAGEMENT: CMD 'status 2'
MANAGEMENT: Client connected from /var/etc/openvpn/instance-f66d5a6f-08c6-49c3-bfb4-6497f183d284.sock
201.43.198.169:49300 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
201.43.198.169:49300 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
201.43.198.169:49300 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
201.43.198.169:49300 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
201.43.198.169:49300 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
201.43.198.169:49300 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
201.43.198.169:49300 Re-using SSL/TLS context
MULTI: multi_create_instance called
201.43.198.169:49300 SIGUSR1[soft,tls-error] received, client-instance restarting
201.43.198.169:49300 TLS Error: TLS handshake failed
201.43.198.169:49300 TLS Error: TLS object -> incoming plaintext read error
201.43.198.169:49300 TLS_ERROR: BIO read tls_read_plaintext error
201.43.198.169:49300 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
201.43.198.169:49300 Sent fatal SSL alert: unsupported certificate
201.43.198.169:49300 VERIFY ERROR: depth=0, error=unsuitable certificate purpose: C=XX, ST=XX, L=XXX, O=XXX, emailAddress=XXX, CN=sslvpn-certificate, serial=1
201.43.198.169:49300 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
201.43.198.169:49300 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
201.43.198.169:49300 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
201.43.198.169:49300 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
201.43.198.169:49300 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
201.43.198.169:49300 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
201.43.198.169:49300 Re-using SSL/TLS context
Connection Attempt MULTI: multi_create_instance called
PS1: I have another server with the same version and this problem does not occur.
PS2: For privacy reasons, I changed the certificate information in the posted log.
PS3: I tested with several versions of OpenVPN Client.
PS4: If I don't require the certificate, it works.
Anyone with this same problem?
Cheers!
Title: Re: Sent fatal SSL alert: unsupported certificate
Post by: netnut on April 26, 2024, 10:10:31 PM
Double-check the client and server certificates you created; you probably have the wrong "Extended Key Usage" configured.

Your server needs id-kp-serverAuth and the client id-kp-clientAuth. If you need both, i.e. the server is also a client, you can assign both. You can configure this with the built-in wizard in OPNsense under "SYSTEM: TRUST: CERTIFICATES"; select the right "Type" when creating the specific certificate.
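As an added illustration of the point netnut makes (example code, not from the thread, OPNsense or OpenVPN): a stdlib-only Python model of the EKU part of OpenSSL's certificate-purpose check, the check that produces "unsuitable certificate purpose" at depth 0 in the log above. The DER sample values are constructed; the keyUsage and nsCertType parts of the real check are left out.

```python
# Model of the extendedKeyUsage part of OpenSSL's purpose check (not OpenVPN's
# own code). An ExtendedKeyUsage value is DER: SEQUENCE OF OBJECT IDENTIFIER.
# Rule: an absent EKU extension restricts nothing; a present one must list the
# OID for the role the peer is playing, otherwise the cert is rejected.

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn a DER OBJECT IDENTIFIER value into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit terminates a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_eku(der):
    """Parse an ExtendedKeyUsage value into a list of dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, raw, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("ExtendedKeyUsage entries must be OIDs")
        oids.append(_decode_oid(raw))
    return oids

def purpose_ok(eku_der, role):
    """May a cert with this EKU value (None = extension absent) act as role?"""
    if eku_der is None:
        return True  # absent EKU: the purpose check does not restrict it
    return (SERVER_AUTH if role == "server" else CLIENT_AUTH) in parse_eku(eku_der)

# Constructed sample values: clientAuth only, and serverAuth plus clientAuth.
EKU_CLIENT_ONLY = bytes.fromhex("300a06082b06010505070302")
EKU_SERVER_AND_CLIENT = bytes.fromhex("301406082b0601050507030106082b06010505070302")

if __name__ == "__main__":
    # The thread's failure mode: a cert with the wrong Type presented for a role.
    print("client-only cert as server:", purpose_ok(EKU_CLIENT_ONLY, "server"))
    print("dual-purpose cert as server:", purpose_ok(EKU_SERVER_AND_CLIENT, "server"))
```

On a real certificate, `openssl x509 -in cert.pem -noout -purpose` prints the same yes/no verdict per role, which is the quickest way to confirm which Type the OPNsense wizard actually produced.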