openvpn WARNING: No server certificate verification method has been enabled


Solution 1

First you should change the permissions on your /home/login/client/client.key file so that it is not group or others accessible.

chmod 400 /home/login/client/client.key

Then, as described here, you should implement a method to check that your clients connect to the correct server and that no man-in-the-middle attack is possible.

Solution 2

There is a full list of problems here and you should take the warnings given by OpenVPN seriously. But these are just warnings and not the reason for your problem getting a connection. The openvpn plugin of NetworkManager is trying to connect using UDP. I don't know which relation your client.conf has to your actual client configuration. Was it used to import the vpn settings into NetworkManager?
Anyway, you have to check the TCP connection checkbox in the advanced settings dialog of your vpn connection profile.
As you don't seem to use tls-auth on either the client or the server side, there should be no ta.key file missing (but using tls-auth is a good idea).
The cipher seems to be the same on both sides and shouldn't be a problem.
I really strongly suggest verifying the server certificate, as morlix stated.

Solution 3

To get rid of the No server certificate verification method has been enabled warning, generate your client and server certificates with the correct extendedKeyUsage extension and add remote-cert-tls server to the client's openvpn.conf.

Add two sections to your CA's openssl.cnf:

[server_cert]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[client_cert]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

Sign server certs at your CA like this:

openssl ca -config openssl.cnf -extensions server_cert -notext -md sha256 -in csr.pem -out cert.pem

Sign client certs like this:

openssl ca -config openssl.cnf -extensions client_cert -notext -md sha256 -in csr.pem -out cert.pem

Then in your client's openvpn.cnf add the following line:

remote-cert-tls server

and restart the openvpn service.
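As an added example (not code from the answers or from OpenVPN itself), the checks Solutions 2 and 3 describe can be run over a client/server config pair: a missing server-verification directive (the warning in the question), a UDP/TCP transport mismatch (the ECONNREFUSED in the log), one-sided tls-auth and a cipher mismatch. The trimmed configs and the server address below are constructed placeholders based on the question's configs.

```python
import shlex

# Any one of these client directives makes OpenVPN verify the server certificate
# and silences the "No server certificate verification method" warning.
SERVER_VERIFY_DIRECTIVES = {"remote-cert-tls", "remote-cert-eku", "ns-cert-type",
                            "verify-x509-name", "tls-verify"}

def parse_config(text):
    """Return {directive: [args]} from OpenVPN config text; comments are dropped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)          # handles quoted args such as push "route ..."
            conf[parts[0]] = parts[1:]
    return conf

def transport(conf):
    """Normalise 'tcp-client', 'tcp-server', 'udp4', ... to plain 'tcp' or 'udp'."""
    return conf.get("proto", ["udp"])[0].split("-")[0].rstrip("46")

def audit(client_text, server_text):
    """Return a list of findings; an empty list means all four checks pass."""
    c, s = parse_config(client_text), parse_config(server_text)
    findings = []
    if not SERVER_VERIFY_DIRECTIVES & set(c):
        findings.append("no server certificate verification: add 'remote-cert-tls server'")
    if transport(c) != transport(s):
        findings.append(f"proto mismatch: client {transport(c)} vs server {transport(s)}")
    if ("tls-auth" in c) != ("tls-auth" in s):
        findings.append("tls-auth configured on only one side")
    if c.get("cipher") != s.get("cipher"):
        findings.append(f"cipher mismatch: {c.get('cipher')} vs {s.get('cipher')}")
    return findings

# Constructed sample configs, trimmed from the ones in the question. The client
# copy uses 'proto udp', which is what the NetworkManager plugin actually sent.
SERVER_CONF = """proto tcp
server 192.170.70.0 255.255.255.0
cipher AES-128-CBC
"""
CLIENT_CONF = """client
proto udp
remote vpn.example.invalid 1194   # placeholder for the server WAN address
cipher AES-128-CBC
"""
# The same client config with the two fixes from Solutions 2 and 3 applied.
FIXED_CLIENT_CONF = CLIENT_CONF.replace("proto udp", "proto tcp-client") + "remote-cert-tls server\n"

if __name__ == "__main__":
    print(audit(CLIENT_CONF, SERVER_CONF), audit(FIXED_CLIENT_CONF, SERVER_CONF))
```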

Author: tmedtcom

Updated on September 18, 2022

Comments

  • tmedtcom over 1 year

    I tried to install openvpn on Debian Squeeze (server) and connect from my Fedora 17 (client). Here is my configuration:

    server configuration

    # Server TCP
    proto tcp
    port 1194
    dev tun
    
    # Keys and certificates
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem
    
    # Network
    # Virtual address of the VPN network
    server 192.170.70.0 255.255.255.0
    # This line adds the client to the router network server
    push "route 192.168.1.0 255.255.255.0"
    # Create a route server to the tun interface
    #route 192.170.70.0 255.255.255.0
    
    # Security
    keepalive 10 120
    # type of data encryption
    cipher AES-128-CBC
    # enabling compression
    comp-lzo
    # maximum number of clients allowed
    max-clients 10
    # no user and group specific to the use of the VPN
    user nobody
    group nogroup
    
    # to make persistent connection
    persist-key
    persist-tun
    
    # Log of the OpenVPN status
    status /var/log/openvpn-status.log
    
    # logs openvpnlog /var/log/openvpn.log
    log-append /var/log/openvpn.log
    
    # verbosity
    verb 5
    

    client configuration

    client
    dev tun
    proto tcp-client
    remote <my server wan IP> 1194
    resolv-retry infinite
    cipher AES-128-CBC
    
    # Keys
    ca ca.crt
    cert client.crt
    key client.key
    
    # Security
    nobind
    persist-key
    persist-tun
    comp-lzo
    verb 3
    

    Message from the host client (fedora 17) in the log file /var/log/messages:

    Dec  6 21:56:00 GlobalTIC NetworkManager[691]: <info> Starting VPN service 'openvpn'...
    Dec  6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 7470
    Dec  6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN service 'openvpn' appeared; activating connections
    Dec  6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN plugin state changed: starting (3)
    Dec  6 21:56:01 GlobalTIC NetworkManager[691]: <info> VPN connection 'Connexion VPN 1' (Connect) reply received.
    Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: OpenVPN 2.2.2 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep  5 2012
    Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: WARNING: file '/home/login/client/client.key' is group or others accessible
    Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: UDPv4 link local: [undef]
    Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: UDPv4 link remote: <my server wan IP>:1194
    Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Dec  6 21:56:03 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Dec  6 21:56:07 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Dec  6 21:56:15 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Dec  6 21:56:31 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Dec  6 21:56:41 GlobalTIC NetworkManager[691]: <warn> VPN connection 'Connexion VPN 1' (IP Conf
    

    ifconfig on the server host (Debian):

    ifconfig 
    eth0      Link encap:Ethernet  HWaddr 08:00:27:16:21:ac  
              inet addr:192.168.1.6  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fe16:21ac/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:9059 errors:0 dropped:0 overruns:0 frame:0
              TX packets:5660 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:919427 (897.8 KiB)  TX bytes:1273891 (1.2 MiB)
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
              inet addr:192.170.70.1  P-t-P:192.170.70.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    

    ifconfig on the client host (Fedora 17):

    as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
            inet 5.5.0.1  netmask 255.255.252.0  destination 5.5.0.1
            unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 200  (UNSPEC)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 2  bytes 321 (321.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    as0t1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
            inet 5.5.4.1  netmask 255.255.252.0  destination 5.5.4.1
            unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 200  (UNSPEC)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 2  bytes 321 (321.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    as0t2: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
            inet 5.5.8.1  netmask 255.255.252.0  destination 5.5.8.1
            unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 200  (UNSPEC)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 2  bytes 321 (321.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    as0t3: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
            inet 5.5.12.1  netmask 255.255.252.0  destination 5.5.12.1
            unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 200  (UNSPEC)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 2  bytes 321 (321.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    **p255p1**: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.1.2  netmask 255.255.255.0  broadcast 192.168.1.255
            inet6 fe80::21d:baff:fe20:b7e6  prefixlen 64  scopeid 0x20<link>
            ether 00:1d:ba:20:b7:e6  txqueuelen 1000  (Ethernet)
            RX packets 4842070  bytes 3579798184 (3.3 GiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 3996158  bytes 2436442882 (2.2 GiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
            device interrupt 16  
    

    p255p1 is the label for the eth0 interface

    and

    on the server:

    root@hoteserver:/etc/openvpn# tree
    .
    ├── client
    │   ├── ca.crt
    │   ├── client.conf
    │   ├── client.crt
    │   ├── client.csr
    │   ├── client.key
    │   ├── client.ovpn
    │
    ├── easy-rsa
    │   ├── build-ca
    │   ├── build-dh
    │   ├── build-inter
    │   ├── build-key
    │   ├── build-key-pass
    │   ├── build-key-pkcs12
    │   ├── build-key-server
    │   ├── build-req
    │   ├── build-req-pass
    │   ├── clean-all
    │   ├── inherit-inter
    │   ├── keys
    │   │   ├── 01.pem
    │   │   ├── 02.pem
    │   │   ├── ca.crt
    │   │   ├── ca.key
    │   │   ├── client.crt
    │   │   ├── client.csr
    │   │   ├── client.key
    │   │   ├── dh1024.pem
    │   │   ├── index.txt
    │   │   ├── index.txt.attr
    │   │   ├── index.txt.attr.old
    │   │   ├── index.txt.old
    │   │   ├── serial
    │   │   ├── serial.old
    │   │   ├── server.crt
    │   │   ├── server.csr
    │   │   └── server.key
    │   ├── list-crl
    │   ├── Makefile
    │   ├── openssl-0.9.6.cnf.gz
    │   ├── openssl.cnf
    │   ├── pkitool
    │   ├── README.gz
    │   ├── revoke-full
    │   ├── sign-req
    │   ├── vars
    │   └── whichopensslcnf
    ├── openvpn.log
    ├── openvpn-status.log
    ├── server.conf
    └── update-resolv-conf
    

    on the client:

    [login@hoteclient openvpn]$ tree 
    .
    |-- easy-rsa
    |   |-- 1.0
    |   |   |-- build-ca
    |   |   |-- build-dh
    |   |   |-- build-inter
    |   |   |-- build-key
    |   |   |-- build-key-pass
    |   |   |-- build-key-pkcs12
    |   |   |-- build-key-server
    |   |   |-- build-req
    |   |   |-- build-req-pass
    |   |   |-- clean-all
    |   |   |-- list-crl
    |   |   |-- make-crl
    |   |   |-- openssl.cnf
    |   |   |-- README
    |   |   |-- revoke-crt
    |   |   |-- revoke-full
    |   |   |-- sign-req
    |   |   `-- vars
    |   `-- 2.0
    |       |-- build-ca
    |       |-- build-dh
    |       |-- build-inter
    |       |-- build-key
    |       |-- build-key-pass
    |       |-- build-key-pkcs12
    |       |-- build-key-server
    |       |-- build-req
    |       |-- build-req-pass
    |       |-- clean-all
    |       |-- inherit-inter
    |       |-- keys [error opening dir]
    |       |-- list-crl
    |       |-- Makefile
    |       |-- openssl-0.9.6.cnf
    |       |-- openssl-0.9.8.cnf
    |       |-- openssl-1.0.0.cnf
    |       |-- pkitool
    |       |-- README
    |       |-- revoke-full
    |       |-- sign-req
    |       |-- vars
    |       `-- whichopensslcnf
    |-- keys -> ./easy-rsa/2.0/keys/
    `-- server.conf
    

    Is the source of the problem the cipher AES-128-CBC, proto tcp-client or UDP, the interface p255p1 on Fedora 17, or that the authentication file ta.key is not found?

  • Yu Jiaao over 5 years
    It will be nice if you post the solution here