Can not connect to VPN

Shiba asked a question...

Hi,
Did everything according to this instruction https://riseup.net/en/vpn/vpn-red/windows
I try to connect and enter my login/password, but I get a connection error (Windows 7 x64). Help please.
Log:
Wed Apr 05 18:27:34 2017 us=594766 TLS_ERROR: BIO read tls_read_plaintext error
Wed Apr 05 18:27:34 2017 us=594766 TLS Error: TLS object -> incoming plaintext read error
Wed Apr 05 18:27:34 2017 us=594766 TLS Error: TLS handshake failed
Wed Apr 05 18:27:34 2017 us=641567 TCP/UDP: Closing socket
Wed Apr 05 18:27:34 2017 us=641567 SIGUSR1[soft,tls-error] received, process restarting
Wed Apr 05 18:27:34 2017 us=641567 MANAGEMENT: >STATE:1491398854,RECONNECTING,tls-error,,,,,
Wed Apr 05 18:27:34 2017 us=641567 Restart pause, 5 second(s)
Wed Apr 05 18:27:39 2017 us=711575 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Apr 05 18:27:39 2017 us=711575 Control Channel MTU parms [ L:1653 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Wed Apr 05 18:27:39 2017 us=711575 MANAGEMENT: >STATE:1491398859,RESOLVE,,,,,,
Wed Apr 05 18:27:39 2017 us=711575 Data Channel MTU parms [ L:1653 D:1450 EF:121 EB:411 ET:32 EL:3 ]
Wed Apr 05 18:27:39 2017 us=711575 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1601,tun-mtu 1532,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Wed Apr 05 18:27:39 2017 us=711575 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1601,tun-mtu 1532,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Wed Apr 05 18:27:39 2017 us=711575 TCP/UDP: Preserving recently used remote address: [AF_INET]198.252.153.226:80
Wed Apr 05 18:27:39 2017 us=711575 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Apr 05 18:27:39 2017 us=711575 UDP link local (bound): [AF_INET][undef]:1194
Wed Apr 05 18:27:39 2017 us=711575 UDP link remote: [AF_INET]198.252.153.226:80
Wed Apr 05 18:27:39 2017 us=711575 MANAGEMENT: >STATE:1491398859,WAIT,,,,,,
Wed Apr 05 18:27:39 2017 us=883176 TLS Error: Unroutable control packet received from [AF_INET]198.252.153.226:80 (si=3 op=P_CONTROL_V1)
Wed Apr 05 18:27:39 2017 us=961176 MANAGEMENT: >STATE:1491398859,AUTH,,,,,,
Wed Apr 05 18:27:39 2017 us=961176 TLS: Initial packet from [AF_INET]198.252.153.226:80, sid=a2270f11 67b79658
Wed Apr 05 18:27:40 2017 us=257576 OpenSSL: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
Wed Apr 05 18:27:40 2017 us=257576 TLS_ERROR: BIO read tls_read_plaintext error
Wed Apr 05 18:27:40 2017 us=257576 TLS Error: TLS object -> incoming plaintext read error
Wed Apr 05 18:27:40 2017 us=257576 TLS Error: TLS handshake failed
Wed Apr 05 18:27:40 2017 us=257576 TCP/UDP: Closing socket
Wed Apr 05 18:27:40 2017 us=257576 SIGUSR1[soft,tls-error] received, process restarting
Wed Apr 05 18:27:40 2017 us=257576 MANAGEMENT: >STATE:1491398860,RECONNECTING,tls-error,,,,,
Wed Apr 05 18:27:40 2017 us=257576 Restart pause, 5 second(s)
Wed Apr 05 18:27:44 2017 us=313584 SIGTERM[hard,init_instance] received, process exiting
Wed Apr 05 18:27:44 2017 us=313584 MANAGEMENT: >STATE:1491398864,EXITING,init_instance,,,,,

Upvote | 5
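The log above contains the two lines that matter: the OpenSSL "unsupported protocol" error right before "TLS handshake failed" (a TLS version mismatch between client and server), and the "No server certificate verification method has been enabled" warning, which means the profile never pins the server's identity. The following is an added example, not code from this thread, from Riseup or from the OpenVPN project: a small triage script that parses OpenVPN client log lines, maps known messages to findings and picks the most specific root cause. The sample lines are copied from the log posted above; the rule table and advice strings are the example's own.

```python
"""Triage an OpenVPN client log for the TLS failures seen in this thread.

Added example (not code from the thread, from Riseup or from the OpenVPN
project). The sample lines are copied from the log posted above; the rule
table and the advice strings are this example's own.
"""
import re
from collections import Counter

# Timestamp as OpenVPN 2.x writes it, followed by an optional "us=..." field
# (present at higher verbosity) and the message itself.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) (?:us=\d+ )?(?P<msg>.*)$"
)

# (pattern on the message, finding code, what a defender should do about it)
RULES = [
    (re.compile(r"SSL23_GET_SERVER_HELLO:unsupported protocol"),
     "tls-version-mismatch",
     "client and server could not agree on a TLS protocol version; compare the "
     "client's OpenVPN/OpenSSL build and tls-version-min with what the server offers"),
    (re.compile(r"No server certificate verification method has been enabled"),
     "no-server-cert-verification",
     "add 'remote-cert-tls server' (or verify-x509-name) so the client rejects "
     "a server that merely holds some certificate from the same CA"),
    (re.compile(r"TLS Error: TLS handshake failed"),
     "tls-handshake-failed",
     "handshake never completed; the OpenSSL line just before it names the reason"),
    (re.compile(r"TLS Error: Unroutable control packet received"),
     "unroutable-control-packet",
     "control packet from a session the client no longer tracks; usual after a "
     "restart and not the root cause by itself"),
]


def parse_line(line):
    """Split one log line into (timestamp, message); None for non-log lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("ts"), m.group("msg")) if m else None


def triage(log_text):
    """Return (findings, counts): first sighting of each finding, and how often it recurred."""
    findings, counts = [], Counter()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        for pattern, code, advice in RULES:
            if pattern.search(msg):
                counts[code] += 1
                if counts[code] == 1:
                    findings.append({"code": code, "first_seen": ts, "advice": advice})
    return findings, dict(counts)


def root_cause(findings):
    """Prefer the most specific explanation: a version mismatch explains the failed handshake."""
    codes = {f["code"] for f in findings}
    for candidate in ("tls-version-mismatch", "tls-handshake-failed"):
        if candidate in codes:
            return candidate
    return None


# Lines copied from the log in the question above (not constructed).
SAMPLE_LOG = """\
Wed Apr 05 18:27:34 2017 us=594766 TLS Error: TLS handshake failed
Wed Apr 05 18:27:39 2017 us=711575 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Apr 05 18:27:39 2017 us=883176 TLS Error: Unroutable control packet received from [AF_INET]198.252.153.226:80 (si=3 op=P_CONTROL_V1)
Wed Apr 05 18:27:40 2017 us=257576 OpenSSL: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
Wed Apr 05 18:27:40 2017 us=257576 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    found, seen = triage(SAMPLE_LOG)
    print("likely root cause:", root_cause(found))
    for f in found:
        print(f"{f['first_seen']}  {f['code']} (x{seen[f['code']]}): {f['advice']}")
```

Run it against a full client log (`python triage.py < openvpn.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and the "unroutable control packet" noise is separated from the real cause; the missing-verification warning is reported even when the handshake eventually succeeds, which is the case a user would otherwise never notice.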
Basal replied...

Hi Shiba,
I had the same issue and had to do a couple things to fix it:
1. Make sure to put the config files where OpenVPN is looking for them. For me this was C:\Users\[username]\OpenVPN\config\ instead of C:\Program Files\OpenVPN\config\
2. Use the example configuration file at https://riseup.net/en/vpn/vpn-red; it was updated in March 2017, but the other documentation doesn't seem to have gotten the same update.
cheers!

Upvote | 1
Kholid replied...

Hi Shiba and Basal,

I'm using Tunnelblick 3.7.1b for Mac, on Mac OS X El Capitan. Can I use https://riseup.net/en/vpn/vpn-red for the configuration file too? When I use the configuration file from the Mac documentation at https://riseup.net/en/vpn/vpn-red/mac, it is very hard to start the VPN. But when I use the configuration from the link you suggested to Shiba, my Mac can connect to the VPN cleanly.

Please let me know if it is OK to use the configuration file from https://riseup.net/en/vpn/vpn-red

Best regards,

Upvote | 0
Gren replied...

Hi Shiba

Well, you can try to change this line in the config file (.ovpn):
tls-version-min 1.x

into
tls-version-min 1.0

Upvote | 1
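Lowering `tls-version-min` is the kind of change worth checking with the rest of the profile in view: it may get an old client past the "unsupported protocol" error, but it also re-admits older TLS versions, and it does nothing about the missing server verification that the log in the question warns about. As an added example (not Riseup's profile and not OpenVPN project code), here is a linter that parses an .ovpn profile into its directives and reports both points. The two profiles are constructed for the demo; the host name, certificate body and other values are placeholders.

```python
"""Lint an OpenVPN client profile (.ovpn) for the settings this thread touches.

Added example, not Riseup's profile and not OpenVPN project code. The two
profiles below are constructed for the demo: the host name and the
certificate body are placeholders.
"""
import re

BLOCK_OPEN = re.compile(r"^<(\w+)>$")


def parse_ovpn(text):
    """Return {directive: [args...]}; the last occurrence of a directive wins.

    Inline blocks such as <ca>...</ca> are recorded as directive -> ["<inline>"]
    without keeping their body. Lines starting with # or ; are comments.
    """
    directives, in_block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block is not None:
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = BLOCK_OPEN.match(line)
        if m:
            in_block = m.group(1)
            directives[in_block] = ["<inline>"]
            continue
        name, *args = line.split()
        directives[name] = args
    return directives


def version_tuple(s):
    """'1.2' -> (1, 2); None when the value is not numeric (e.g. a stray '1.x')."""
    try:
        return tuple(int(p) for p in s.split("."))
    except ValueError:
        return None


def check_profile(text):
    """Return a list of human-readable issues; an empty list means the checks passed."""
    d = parse_ovpn(text)
    issues = []

    # Server authentication. Without one of these the client accepts any
    # certificate the CA signed, which is what the MITM warning in the log means.
    if "remote-cert-tls" not in d and "verify-x509-name" not in d:
        issues.append("no server certificate verification: add 'remote-cert-tls server'")

    # Trust anchor. With neither 'ca file' nor an inline <ca> block the client
    # cannot verify the server at all.
    if "ca" not in d:
        issues.append("no CA configured ('ca file' or an inline <ca> block)")

    # TLS floor. Lowering it may get an old client connecting, but it also
    # re-admits protocol versions with known weaknesses, so surface the trade-off.
    if "tls-version-min" in d:
        v = version_tuple(d["tls-version-min"][0]) if d["tls-version-min"] else None
        if v is None:
            issues.append(f"tls-version-min has an unparseable value {d['tls-version-min']}")
        elif v < (1, 2):
            issues.append(
                f"tls-version-min is {d['tls-version-min'][0]}; raise it to 1.2 "
                "as soon as the client's OpenVPN/OpenSSL build supports it"
            )
    else:
        issues.append("tls-version-min not set; the floor is whatever this OpenVPN build defaults to")
    return issues


# Constructed profile in the shape discussed in the thread, before hardening.
WEAK_PROFILE = """\
client
dev tap
proto udp
# placeholder host, not a real VPN endpoint
remote vpn.example.invalid 1194
auth-user-pass
tls-version-min 1.0
cipher AES-256-CBC
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

# Same profile with the two findings fixed.
HARDENED_PROFILE = WEAK_PROFILE.replace(
    "tls-version-min 1.0", "tls-version-min 1.2\nremote-cert-tls server"
)

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, check_profile(profile) or "OK")
```

The parser deliberately keeps only the last value of a repeated directive, because that is how a later `tls-version-min` line overrides an earlier one; run the checker on a profile before and after editing it to see exactly which finding the edit removed and which it left in place.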
Seg Grit replied...

Windows 10, latest OVPN client. Receiving the error message:


Fri Oct 20 18:49:25 2017 Fri Oct 20 18:49:25 2017 OpenVPN Management Interface 1.0.0/3.1.1 win x86_64 64-bit [PolarSSL] built on Sep 29 2016 14:26:53
Fri Oct 20 18:49:25 2017 Fri Oct 20 18:49:25 2017 OMI Connecting to [127.0.0.1]:38957 [tcp]
Fri Oct 20 18:49:41 2017 Fri Oct 20 18:49:41 2017 CLIENT_EXCEPTION : connect error: Missing External PKI alias [FATAL-ERR]
Fri Oct 20 18:49:41 2017 Fri Oct 20 18:49:41 2017 >FATAL:CLIENT_EXCEPTION: connect error: Missing External PKI alias

Tried the following, without success:
1. moved the .pem and .ovpn files into both locations suggested, as well as the core .EXE directory of OVPN Connect.
2. ran the ovpn client as administrator
3. changed the .ovpn file minimum TLS to 1.0 (windows 10, not really necessary) (and it didn't help, of course)
4. researched the error on the internet (did that first, actually)

It looks as though RiseUp is running in a mode that doesn't support the bundle the way they have it set up. Here is what the OpenVPN message boards have to say:


When managing an Access Server setup that is configured for external PKI usage, distribution of the client must be made over two channels rather than one:
Connection profile - distribution of the OpenVPN Connect client and bundled server-locked profile. These would contain instructions on how to connect to the server, and the software to make a connection. This can be done via normal means, either via the client web UI, or by generating and distributing the client installer via the command line tools and installing it on the client machines. Please note to use the instructions to create server-locked profiles/installers only when using External PKI mode.
Certificate/key - while the standard Access Server (without External PKI enabled) transparently bundles the client certificate/key using the connection profiles themselves, External PKI mode separates this function. Generation of client certificates/keys would be done using a third-party tool for management of the External PKI solution, and installation on client machines would be done using the host OS certificate/key store (iOS, Mac OS X, or Android Keychain, Windows certificate store, or Linux OpenSC).
When operating in External PKI mode, the Access Server only supports server-locked profiles, not user-locked profiles. On the client, the server-locked profile can only be used to make a VPN tunnel connection if a suitable client certificate/key pair has already been installed into the host OS Keychain or certificate/key store. Some hardware devices or tokens contain a certificate inside that is registered with the certificate store with additional software when the token device/card is plugged in.

Hey, RiseUp! Can you take a look at this? I don't want to use different VPN services on my Linux and Windows machines if at all possible.

Thank you

Upvote | 0
Seg Grit replied...

PS - looks like markup is only partially supported here. The text in full from my breakouts:
---------------------------------------
Fri Oct 20 18:49:25 2017 Fri Oct 20 18:49:25 2017 OpenVPN Management Interface 1.0.0/3.1.1 win x86_64 64-bit [PolarSSL] built on Sep 29 2016 14:26:53
Fri Oct 20 18:49:25 2017 Fri Oct 20 18:49:25 2017 OMI Connecting to [127.0.0.1]:38957 [tcp]
Fri Oct 20 18:49:41 2017 Fri Oct 20 18:49:41 2017 CLIENT_EXCEPTION : connect error: Missing External PKI alias [FATAL-ERR]
Fri Oct 20 18:49:41 2017 Fri Oct 20 18:49:41 2017 >FATAL:CLIENT_EXCEPTION: connect error: Missing External PKI alias
---------------------------------------
https://docs.openvpn.net/configuration/external-public-key-infrastructure-pki/

When managing an Access Server setup that is configured for external PKI usage, distribution of the client must be made over two channels rather than one:
Connection profile - distribution of the OpenVPN Connect client and bundled server-locked profile. These would contain instructions on how to connect to the server, and the software to make a connection. This can be done via normal means, either via the client web UI, or by generating and distributing the client installer via the command line tools and installing it on the client machines. Please note to use the instructions to create server-locked profiles/installers only when using External PKI mode.
Certificate/key - while the standard Access Server (without External PKI enabled) transparently bundles the client certificate/key using the connection profiles themselves, External PKI mode separates this function. Generation of client certificates/keys would be done using a third-party tool for management of the External PKI solution, and installation on client machines would be done using the host OS certificate/key store (iOS, Mac OS X, or Android Keychain, Windows certificate store, or Linux OpenSC).
When operating in External PKI mode, the Access Server only supports server-locked profiles, not user-locked profiles. On the client, the server-locked profile can only be used to make a VPN tunnel connection if a suitable client certificate/key pair has already been installed into the host OS Keychain or certificate/key store. Some hardware devices or tokens contain a certificate inside that is registered with the certificate store with additional software when the token device/card is plugged in.

Upvote | 0