OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: hirschferkel on March 02, 2018, 11:11:24 am

Title: VPN does not work with e.g. "Tunnelblick" anymore > ns-cert-type?
Post by: hirschferkel on March 02, 2018, 11:11:24 am
Hi there,

I do not exactly know how to fix the following problem and appreciate any help. I can't connect to my VPN anymore. I used the app "Tunnelblick" to connect to the OPNsense VPN but since today I get the following errors:

Code:
2018-03-02 11:04:28 VERIFY ERROR: depth=1, error=certificate has expired: C=DE, ST=****, L=****, O=***, emailAddress=s.***@***.de, CN=internal-ca
2018-03-02 11:04:28 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2018-03-02 11:04:28 TLS_ERROR: BIO read tls_read_plaintext error
2018-03-02 11:04:28 TLS Error: TLS object -> incoming plaintext read error
2018-03-02 11:04:28 TLS Error: TLS handshake failed

And as I installed the current beta version of Tunnelblick, I got this message:

Code:
Achtung: Dieses VPN kann möglicherweise in der Zukunft nicht verbunden werden.

Die OpenVPN Konfigurationsdatei für "kerberos-udp-1194-***" enthält die folgenden OpenVPN Optionen:

[b]"ns-cert-type" gilt seit OpenVPN 2.4 als unerwünscht und wurde in OpenVPN 2.5 entfernt[/b]

Sie sollten die Konfiguration aktualisieren, damit sie mit modernen Versionen von OpenVPN genutzt werden kann.

Tunnelblick wird OpenVPN 2.4.4 - OpenSSL v1.0.2n nutzen, um diese Konfiguration zu verbinden.

Dennoch können Sie dieses VPN mit zukünftigen Versionen von Tunnelblick, die nicht eine Version von OpenVPN beinhalten, die diese Optionen akzeptiert, nicht verbinden.

and also:
Code:
"WARNING: Your certificate has expired!".
All the best, hirschferkel
Title: Re: VPN does not work with e.g. "Tunnelblick" anymore > ns-cert-type?
Post by: BeNe on March 02, 2018, 01:58:02 pm
Did you upgrade Tunnelblick? They changed the SSL version. In order to fix it so that the VPN client can connect again, change from using Latest (2.4.4 - LibreSSL v2.6.2) to Default (2.3.18 - OpenSSL v1.0.2m).

Go to the section in Tunnelblick titled Settings.
Change the OpenVPN Version field from Latest (2.4.4 - LibreSSL v2.6.2) to Default (2.3.18 - OpenSSL v1.0.2m).

Hope this helps!
Title: Re: VPN does not work with e.g. "Tunnelblick" anymore > ns-cert-type?
Post by: franco on March 02, 2018, 02:25:56 pm
Expired messages will probably cause Tunnelblick to stop connecting. If that's the case, the certificate and/or CA need to be refreshed.

ns-cert-type is no longer available since 17.7.4. It's in the exported configuration only, so it was created before this particular version. It has the wrong value and needs to be edited accordingly, changing it to "remote-cert-tls".

https://github.com/opnsense/changelog/blob/59d575b04


Cheers,
Franco
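
The two checks described in the post above, as an added example that is not part of the original thread and not OPNsense or Tunnelblick code: rewriting an active `ns-cert-type` directive in an exported client config to `remote-cert-tls`, and reading the `VERIFY ERROR` depth to see whether the CA or the server certificate has to be renewed. The function names, the host name and the sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs (not from the thread): an old-style client export and
# two log lines modelled on the VERIFY ERROR format quoted in the first post.
SAMPLE_OVPN = """\
client
remote vpn.example.net 1194 udp
ns-cert-type server
# ns-cert-type server  (comment, must stay untouched)
<ca>
(constructed placeholder, no real certificate data)
</ca>
"""
SAMPLE_LOG = [
    "2018-03-02 11:04:28 VERIFY ERROR: depth=1, error=certificate has expired: CN=internal-ca",
    "2018-03-02 11:05:02 VERIFY ERROR: depth=0, error=certificate has expired: CN=vpn-server",
]

DIRECTIVE = re.compile(r"^(\s*)ns-cert-type(\s+)(server|client)\b(.*)$")
INLINE_OPEN = re.compile(r"^\s*<([a-z0-9-]+)>\s*$")
VERIFY = re.compile(r"VERIFY ERROR: depth=(\d+), error=certificate has expired")

def migrate_ns_cert_type(text):
    """Return (new_text, changed_line_numbers); inline <ca>/<cert>/<key> bodies are skipped."""
    out, changed, inside = [], [], None
    for no, line in enumerate(text.splitlines(), 1):
        if inside:                                   # inside an inline block: copy verbatim
            if line.strip() == f"</{inside}>":
                inside = None
        elif (m := INLINE_OPEN.match(line)):
            inside = m.group(1)
        elif (m := DIRECTIVE.match(line)):           # active directive, keep its argument
            line = f"{m.group(1)}remote-cert-tls{m.group(2)}{m.group(3)}{m.group(4)}"
            changed.append(no)
        out.append(line)
    return "\n".join(out) + "\n", changed

def expired_in_chain(log_lines):
    """List (depth, what to renew) as seen in a client log: depth 0 is the peer, depth >= 1 a CA."""
    hits = []
    for line in log_lines:
        if (m := VERIFY.search(line)):
            depth = int(m.group(1))
            hits.append((depth, "server certificate" if depth == 0 else "CA certificate"))
    return hits

if __name__ == "__main__":
    print(migrate_ns_cert_type(SAMPLE_OVPN)[1], expired_in_chain(SAMPLE_LOG))
```

Unlike `ns-cert-type`, `remote-cert-tls` checks the peer certificate's key usage and extended key usage, so the renewed server certificate has to be issued as a server certificate.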
Title: Re: VPN does not work with e.g. "Tunnelblick" anymore > ns-cert-type?
Post by: hirschferkel on March 05, 2018, 10:10:14 am
@Franco: Hi Franco, actually your link causes a 404... Could you send the proper link again? Best
Title: Re: VPN does not work with e.g. "Tunnelblick" anymore > ns-cert-type?
Post by: franco on March 05, 2018, 10:15:11 am
Sorry, trimmed the wrong link: https://github.com/opnsense/changelog/blob/59d575b04473f25e02b8573796121f8ef4a3c47a/doc/17.7/17.7.4#L22
Title: Re: VPN does not work with e.g. "Tunnelblick" anymore > ns-cert-type?
Post by: hirschferkel on March 06, 2018, 01:56:52 pm
O.k. I updated the CAs and certificates and everything works again. Thanks for your help, best