[heroes] openSUSE VPN config / certificate issue
Hi all,

this evening I sat down in the relaxing chair and tried to set up my openVPN for openSUSE finally on my notebook as well... While using my "standard VPN config for this" (as none was provided) I faced the following issue:

Mon Sep 11 21:35:52 2017 us=256843 VERIFY nsCertType ERROR: CN=scar.opensuse.org, require nsCertType=SERVER
Mon Sep 11 21:35:52 2017 us=256903 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Mon Sep 11 21:35:52 2017 us=256911 TLS Error: TLS object -> incoming plaintext read error
Mon Sep 11 21:35:52 2017 us=256919 TLS Error: TLS handshake failed
Mon Sep 11 21:35:52 2017 us=256966 Fatal TLS error (check_tls_errors_co), restarting
Mon Sep 11 21:35:52 2017 us=256993 TCP/UDP: Closing socket
Mon Sep 11 21:35:52 2017 us=257018 SIGUSR1[soft,tls-error] received, process restarting
Mon Sep 11 21:35:52 2017 us=257028 Restart pause, 5 second(s)

The client (my computer) wants to verify the server (scar.o.o) and fails to do it, because the certificate (server cert) of scar is missing a specific FLAG which marks this cert as a "server cert" - the funny line is:

Mon Sep 11 21:35:52 2017 us=256843 VERIFY nsCertType ERROR: CN=scar.opensuse.org, require nsCertType=SERVER

So to achieve this, the nsCertType=SERVER should've been set on creation of the certificate of scar. While this is a "bit more" of security, when the server identifies itself correctly, we should maybe fix this and synchronize our configs.

Here is my openvpn config - just for anyone interested ... by the way ... the relevant line is commented out now ... which makes VPN work.
####TCP config
client
dev tun
tun-ipv6
keepalive 10 30
auth-user-pass
script-security 3
pull dhcp-options
persist-key
persist-tun
#ns-cert-type server
comp-lzo
verb 4
mute 20
mute-replay-warnings
auth SHA512
cipher AES-256-CBC
tls-cipher DHE-RSA-AES256-SHA
ca /home/tbro/opensuse-openvpn/ca.crt
cert /home/tbro/opensuse-openvpn/tbro.crt
key /home/tbro/opensuse-openvpn/tbro.key
tls-auth /home/tbro/opensuse-openvpn/ta.key 1
# scripts that should automatically update your DNS info when starting and stopping openvpn client.
#up /etc/openvpn/client.up
#down /etc/openvpn/client.down
#Fallback port 443 TCP
<connection>
proto tcp
remote scar.opensuse.org
port 443
nobind
</connection>

####UDP config
client
dev tun
tun-ipv6
keepalive 10 30
auth-user-pass
script-security 3
pull dhcp-options
persist-key
persist-tun
#ns-cert-type server
comp-lzo
verb 4
mute 20
mute-replay-warnings
auth SHA512
cipher AES-256-CBC
tls-cipher DHE-RSA-AES256-SHA
ca /home/tbro/opensuse-openvpn/ca.crt
cert /home/tbro/opensuse-openvpn/tbro.crt
key /home/tbro/opensuse-openvpn/tbro.key
tls-auth /home/tbro/opensuse-openvpn/ta.key 1
# scripts that should automatically update your DNS info when starting and stopping openvpn client.
#up /etc/openvpn/client.up
#down /etc/openvpn/client.down
#Default port 1194 UDP
<connection>
proto udp
remote scar.opensuse.org
port 1194
nobind
</connection>

Cheers,
Thorsten

--
To unsubscribe, e-mail: heroes+unsubscribe@opensuse.org
To contact the owner, e-mail: heroes+owner@opensuse.org
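The VERIFY line in the log above is produced by exactly one check: with `ns-cert-type server` in the client config, OpenVPN refuses a server certificate whose Netscape nsCertType extension does not carry the "SSL Server" bit. The script below is an added example for this thread, not Thorsten's config or anything from the openSUSE infrastructure. It builds a throwaway CA and two demo server certificates (one issued with the server flags, one with no extensions, all names such as `vpn.example.invalid` constructed here) and reports which of the two OpenVPN server-identity checks each certificate would satisfy. The second check matters because `ns-cert-type` was deprecated in OpenVPN 2.4 and removed in 2.5; its replacement `remote-cert-tls server` looks at the X509v3 extendedKeyUsage (serverAuth) instead. The helper names `ext_value`, `cert_has_nscerttype_server`, `cert_has_eku_serverauth`, `check_openvpn_server_cert` and `make_demo_certs` are this example's own; `openssl` must be on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): inspect an OpenVPN server certificate
# for the two flags a client-side server-identity check can require.
#   ns-cert-type server    -> Netscape nsCertType must include "SSL Server"
#                             (deprecated in OpenVPN 2.4, removed in 2.5)
#   remote-cert-tls server -> X509v3 extendedKeyUsage must include serverAuth
#                             (printed by openssl as "TLS Web Server Authentication")

# Print the line that follows a given extension header in `openssl x509 -text`.
ext_value() {                    # $1 = cert file, $2 = extension header text
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk -v hdr="$2" 'index($0, hdr) { getline; print; exit }'
}

cert_has_nscerttype_server() {   # returns 0 if nsCertType carries SSL Server
    case "$(ext_value "$1" 'Netscape Cert Type')" in
        *"SSL Server"*) return 0 ;;
        *) return 1 ;;
    esac
}

cert_has_eku_serverauth() {      # returns 0 if extendedKeyUsage carries serverAuth
    case "$(ext_value "$1" 'Extended Key Usage')" in
        *"TLS Web Server Authentication"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report which client-side check the certificate would pass; returns 0 only
# when both flags are present, so the cert works with old and new configs.
check_openvpn_server_cert() {
    cert="$1"; rc=0
    if cert_has_nscerttype_server "$cert"; then
        echo "$cert: nsCertType=SERVER present (ns-cert-type server would pass)"
    else
        echo "$cert: nsCertType=SERVER missing (ns-cert-type server would fail)"; rc=1
    fi
    if cert_has_eku_serverauth "$cert"; then
        echo "$cert: EKU serverAuth present (remote-cert-tls server would pass)"
    else
        echo "$cert: EKU serverAuth missing (remote-cert-tls server would fail)"; rc=1
    fi
    return $rc
}

# Constructed demo material: a throwaway CA plus two server certs signed by it,
# srv-flagged.crt with both server flags and srv-plain.crt with no extensions.
make_demo_certs() {              # $1 = output directory
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo VPN CA' \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=vpn.example.invalid' \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    printf 'nsCertType=server\nextendedKeyUsage=serverAuth\n' > "$d/server.ext"
    openssl x509 -req -days 1 -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/server.ext" -out "$d/srv-flagged.crt" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/srv-plain.crt" 2>/dev/null
}

# Usage: sh check-server-cert.sh demo   (or source it and call the functions
# on a real certificate file, e.g. check_openvpn_server_cert server.crt)
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_demo_certs "$dir"
    check_openvpn_server_cert "$dir/srv-flagged.crt"
    check_openvpn_server_cert "$dir/srv-plain.crt" || true
    rm -rf "$dir"
fi
```

Run against a real server certificate, the script tells you whether commenting out `ns-cert-type server` is the only option or whether `remote-cert-tls server` could be used instead. The reason to keep some server-role check rather than dropping it is the one OpenVPN's own documentation gives: the CA in `ca.crt` issues client certificates too, and without a role check the client cannot tell a server certificate from any other certificate the same CA signed.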
Thorsten Bro wrote:
> Hi all,
> this evening I sat down in the relaxing chair and tried to set up my openVPN for openSUSE finally on my notebook as well...
> While using my "standard VPN config for this" (as none was provided)
There is this page: https://progress.opensuse.org/projects/opensuse-admin-wiki/wiki/VPN

--
Per Jessen, Zürich (13.2°C)
openSUSE mailing list admin