Patrik Hasibuan wrote:
But the client still can not connect to the openvpn-server. The error message is about TLS problem. I've tried to browse in the internet looking for the solution. It seems many people have the same problem.
What should I do now? What steps should I actually do to make the TLS negotiation works properly?
I put the content of my current 'client.conf' and the '/var/log/messages'.

========= Here's on the client-side. =========
sussy-MND:~ # cat /etc/openvpn/client.conf
[..]
ns-cert-type client
^^^^^^

Have you, sorry to be brute, even bothered to read openvpn's man page?

--ns-cert-type client|server
Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server".
This is a useful security option for clients, to ensure that the host they connect with is a designated server. See the easy-rsa/build-key-server script for an example of how to generate a certificate with the nsCertType field set to "server". If the server certificate's nsCertType field is set to "server", then the clients can verify this with --ns-cert-type server. This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --ns-cert-type, --tls-remote, or --tls-verify.

Thus ns-cert-type must be 'server' on the clients' side.
========= Here's on the server-side. =========
mysussy:~ # cat /etc/openvpn/server.conf
local 219.83.114.179
This *is* the server's external IP address right? To be clear: it must be the address of the WAN (external) interface, so if you're using e.g. a NAT device (e.g. an ADSL modem), you must set the address on the 'inside', e.g. 10.0.0.138.
ns-cert-type server
This doesn't belong in the server's config file.
mysussy:~ # tail -n 40 /var/log/messages
Nov 1 10:07:59 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
And you need to wise-up your firewall or your route-table.

Theo
--
Theo v. Werkhoven, NL (ICBM 52 13 26N , 4 29 47E).
A casual stroll through the lunatic asylum shows that faith does not prove anything.
Friedrich Nietzsche, German philosopher (1844 - 1900)
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
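The two misconfigurations Theo points at (the client verifying the peer as a "client", and the server carrying ns-cert-type at all) are easy to catch with a small lint before the TLS handshake ever runs. The script below is an added example written for this thread, not something Patrik or Theo posted; the two configs it checks are constructed in place and use the placeholder hostname vpn.example.com. It goes slightly beyond the thread by also accepting remote-cert-tls server, which is the directive that replaced ns-cert-type in later OpenVPN releases (ns-cert-type was deprecated in 2.4 and removed in 2.5); the function and file names are the script's own.

```shell
#!/bin/sh
# Added example, not from the original thread: lint OpenVPN configs for the
# peer-verification mistakes discussed above. Sample configs are constructed here.

# check_client_conf FILE
# Returns 0 if the client config verifies the peer as a *server* via either
#   ns-cert-type server      (OpenVPN <= 2.4)
#   remote-cert-tls server   (replacement directive, OpenVPN 2.4+)
# Returns 1 if the directive is missing or set to anything else (e.g. "client").
check_client_conf() {
    conf="$1"
    # First directive wins; comments (# or ;) are ignored.
    val=$(sed -n \
        's/^[[:space:]]*\(ns-cert-type\|remote-cert-tls\)[[:space:]][[:space:]]*\([a-z]*\).*/\2/p' \
        "$conf" | head -n 1)
    [ "$val" = "server" ]
}

# check_server_conf FILE
# Returns 0 if the server config does NOT carry a peer-is-server check.
# "ns-cert-type server" on the server would make it demand a *server*
# certificate from every connecting client, so every client would fail TLS.
check_server_conf() {
    conf="$1"
    ! grep -q '^[[:space:]]*\(ns-cert-type\|remote-cert-tls\)[[:space:]]' "$conf"
}

# --- demo with constructed configs (placeholder hostname, no real keys) ---
demo_dir=$(mktemp -d)

# Client config as posted: peer verified as "client" -> wrong.
cat > "$demo_dir/client-wrong.conf" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
ns-cert-type client
EOF

# Corrected client config: peer must present a server certificate.
cat > "$demo_dir/client-fixed.conf" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
EOF

# Server config with the stray directive that does not belong there.
cat > "$demo_dir/server-wrong.conf" <<'EOF'
local 10.0.0.138
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ns-cert-type server
EOF

for f in client-wrong client-fixed; do
    if check_client_conf "$demo_dir/$f.conf"; then
        echo "$f.conf: OK, peer is verified as a server"
    else
        echo "$f.conf: BAD, peer is not verified as a server (ns-cert-type must be 'server')"
    fi
done

if check_server_conf "$demo_dir/server-wrong.conf"; then
    echo "server-wrong.conf: OK"
else
    echo "server-wrong.conf: BAD, ns-cert-type/remote-cert-tls does not belong in the server config"
fi

rm -rf "$demo_dir"
```

Run it as a plain sh script; the two check functions can be pointed at real /etc/openvpn/*.conf files once the sample section is removed. The server-side check is deliberately strict: a server that wants to restrict which peers may connect should verify client certificates (e.g. with ns-cert-type client on the server side), never demand a server certificate from them.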