openvpn WARNING: No server certificate verification method has been enabled

Posted by tmedtcom on Server Fault
Published on 2012-12-06T22:26:44Z, indexed on 2012/12/06 23:05 UTC

I tried to install OpenVPN on Debian Squeeze (server) and connect from my Fedora 17 (client). Here is my configuration:

server configuration

### cat server.conf

    # TCP server
    proto tcp
    port 1194
    dev tun

    # Keys and certificates
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem

    # Network
    # Virtual address of the VPN network
    server 192.170.70.0 255.255.255.0

    # This line adds, on the client, the route to the network behind the server
    push "route 192.168.1.0 255.255.255.0"

    # Create a route from the server to the tun interface.
    #route 192.170.70.0 255.255.255.0

    # Security
    keepalive 10 120

    # data encryption cipher
    cipher AES-128-CBC

    # enable compression
    comp-lzo

    # maximum number of clients allowed
    max-clients 10

    # no particular user or group for running the VPN
    user nobody
    group nogroup

    # make the connection persistent
    persist-key
    persist-tun

    # OpenVPN status log
    status /var/log/openvpn-status.log

    # OpenVPN logs: log /var/log/openvpn.log
    log-append /var/log/openvpn.log

    # verbosity level
    verb 5

### cat client.conf

    # Client
    client
    dev tun
    proto tcp-client
    remote <my server wan IP> 1194
    resolv-retry infinite
    cipher AES-128-CBC

    # Keys
    ca ca.crt
    cert client.crt
    key client.key

    # Security
    nobind
    persist-key
    persist-tun
    comp-lzo
    verb 3

Messages from the client host (Fedora 17) in the log file /var/log/messages:

    Dec  6 21:56:00 GlobalTIC NetworkManager[691]: <info> Starting VPN service 'openvpn'...
    Dec  6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 7470
    Dec  6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN service 'openvpn' appeared; activating connections
    Dec  6 21:56:00 GlobalTIC NetworkManager[691]: <info> VPN plugin state changed: starting (3)
    Dec  6 21:56:01 GlobalTIC NetworkManager[691]: <info> VPN connection 'Connexion VPN 1' (Connect) reply received.
    Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: OpenVPN 2.2.2 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep  5 2012
    Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: WARNING: file '/home/login/client/client.key' is group or others accessible
    Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: UDPv4 link local: [undef]
    Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: UDPv4 link remote: <my server wan IP>:1194
    Dec  6 21:56:01 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Dec  6 21:56:03 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Dec  6 21:56:07 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Dec  6 21:56:15 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Dec  6 21:56:31 GlobalTIC nm-openvpn[7472]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
    Dec  6 21:56:41 GlobalTIC NetworkManager[691]: <warn> VPN connection 'Connexion VPN 1' (IP Conf

ifconfig on the server host (Debian):

    ifconfig
    eth0      Link encap:Ethernet  HWaddr 08:00:27:16:21:ac
              inet addr:192.168.1.6  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fe16:21ac/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:9059 errors:0 dropped:0 overruns:0 frame:0
              TX packets:5660 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:919427 (897.8 KiB)  TX bytes:1273891 (1.2 MiB)
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:192.170.70.1  P-t-P:192.170.70.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ifconfig on the client host (Fedora 17):

    as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
            inet 5.5.0.1  netmask 255.255.252.0  destination 5.5.0.1
            unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 200  (UNSPEC)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 2  bytes 321 (321.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    as0t1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
            inet 5.5.4.1  netmask 255.255.252.0  destination 5.5.4.1
            unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 200  (UNSPEC)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 2  bytes 321 (321.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    as0t2: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
            inet 5.5.8.1  netmask 255.255.252.0  destination 5.5.8.1
            unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 200  (UNSPEC)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 2  bytes 321 (321.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    as0t3: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
            inet 5.5.12.1  netmask 255.255.252.0  destination 5.5.12.1
            unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 200  (UNSPEC)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 2  bytes 321 (321.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    p255p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.1.2  netmask 255.255.255.0  broadcast 192.168.1.255
            inet6 fe80::21d:baff:fe20:b7e6  prefixlen 64  scopeid 0x20<link>
            ether 00:1d:ba:20:b7:e6  txqueuelen 1000  (Ethernet)
            RX packets 4842070  bytes 3579798184 (3.3 GiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 3996158  bytes 2436442882 (2.2 GiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
            device interrupt 16

p255p1 is the label for the eth0 interface.

And on the server:

    root@hoteserver:/etc/openvpn# tree
    .
    |-- client
    |   |-- ca.crt
    |   |-- client.conf
    |   |-- client.crt
    |   |-- client.csr
    |   |-- client.key
    |   `-- client.ovpn
    |-- easy-rsa
    |   |-- build-ca
    |   |-- build-dh
    |   |-- build-inter
    |   |-- build-key
    |   |-- build-key-pass
    |   |-- build-key-pkcs12
    |   |-- build-key-server
    |   |-- build-req
    |   |-- build-req-pass
    |   |-- clean-all
    |   |-- inherit-inter
    |   |-- keys
    |   |   |-- 01.pem
    |   |   |-- 02.pem
    |   |   |-- ca.crt
    |   |   |-- ca.key
    |   |   |-- client.crt
    |   |   |-- client.csr
    |   |   |-- client.key
    |   |   |-- dh1024.pem
    |   |   |-- index.txt
    |   |   |-- index.txt.attr
    |   |   |-- index.txt.attr.old
    |   |   |-- index.txt.old
    |   |   |-- serial
    |   |   |-- serial.old
    |   |   |-- server.crt
    |   |   |-- server.csr
    |   |   `-- server.key
    |   |-- list-crl
    |   |-- Makefile
    |   |-- openssl-0.9.6.cnf.gz
    |   |-- openssl.cnf
    |   |-- pkitool
    |   |-- README.gz
    |   |-- revoke-full
    |   |-- sign-req
    |   |-- vars
    |   `-- whichopensslcnf
    |-- openvpn.log
    |-- openvpn-status.log
    |-- server.conf
    `-- update-resolv-conf

On the client:

    [login@hoteclient openvpn]$ tree
    .
    |-- easy-rsa
    |   |-- 1.0
    |   |   |-- build-ca
    |   |   |-- build-dh
    |   |   |-- build-inter
    |   |   |-- build-key
    |   |   |-- build-key-pass
    |   |   |-- build-key-pkcs12
    |   |   |-- build-key-server
    |   |   |-- build-req
    |   |   |-- build-req-pass
    |   |   |-- clean-all
    |   |   |-- list-crl
    |   |   |-- make-crl
    |   |   |-- openssl.cnf
    |   |   |-- README
    |   |   |-- revoke-crt
    |   |   |-- revoke-full
    |   |   |-- sign-req
    |   |   `-- vars
    |   `-- 2.0
    |       |-- build-ca
    |       |-- build-dh
    |       |-- build-inter
    |       |-- build-key
    |       |-- build-key-pass
    |       |-- build-key-pkcs12
    |       |-- build-key-server
    |       |-- build-req
    |       |-- build-req-pass
    |       |-- clean-all
    |       |-- inherit-inter
    |       |-- keys [error opening dir]
    |       |-- list-crl
    |       |-- Makefile
    |       |-- openssl-0.9.6.cnf
    |       |-- openssl-0.9.8.cnf
    |       |-- openssl-1.0.0.cnf
    |       |-- pkitool
    |       |-- README
    |       |-- revoke-full
    |       |-- sign-req
    |       |-- vars
    |       `-- whichopensslcnf
    |-- keys -> ./easy-rsa/2.0/keys/
    `-- server.conf

Is the source of the problem the cipher AES-128-CBC, proto tcp-client or UDP, the interface p255p1 on Fedora 17, or the authentication file ta.key not being found?
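An added check, written for this page and not part of the question or of OpenVPN itself: the script below parses a client/server config pair (constructed copies of the two files in the question, with a placeholder hostname in place of the author's WAN IP) and reports the conditions behind the warnings in the log. The first one is the security-relevant point: a client config with no directive that verifies the peer presented a *server* certificate will accept any certificate signed by the same CA, including another client's, which is the man-in-the-middle case the warning's link describes; `remote-cert-tls server` is the usual fix. The script also flags a protocol family mismatch (the log shows the client using UDP against a server listening on TCP), a cipher mismatch, `tls-auth` present on one side only, and a private key readable by group or others. The list of verification directives it looks for, and all function names, are the example's own assumptions.

```python
import os
import stat
import tempfile

# Constructed copies of the two configurations from the question, trimmed to
# the directives the checks below look at (placeholder hostname, not the
# author's WAN IP).
SERVER_CONF = """\
proto tcp
port 1194
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 192.170.70.0 255.255.255.0
cipher AES-128-CBC
comp-lzo
"""

CLIENT_CONF = """\
client
dev tun
proto tcp-client
remote vpn.example.invalid 1194
cipher AES-128-CBC
ca ca.crt
cert client.crt
key client.key
comp-lzo
"""

# Directives that make the client verify something about the server's identity
# (assumed set; 'remote-cert-tls server' is the one to add in practice).
SERVER_VERIFY_DIRECTIVES = (
    "remote-cert-tls", "remote-cert-ku", "remote-cert-eku", "ns-cert-type",
    "verify-x509-name", "tls-remote", "tls-verify",
)


def parse_conf(text):
    """Return [(directive, [args]), ...] from an OpenVPN config, dropping
    comments ('#' or ';') and blank lines; repeated directives keep their order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0].lower(), parts[1:]))
    return entries


def get(entries, name):
    """All argument lists for a directive name (empty list if absent)."""
    return [args for d, args in entries if d == name]


def proto_family(entries):
    """Map proto tcp / tcp-server / tcp-client / udp / udp4 ... onto 'tcp' or 'udp'."""
    p = get(entries, "proto")
    value = p[-1][0].lower() if p and p[-1] else "udp"  # OpenVPN defaults to udp
    return "tcp" if value.startswith("tcp") else "udp"


def check_client(client_entries, server_entries):
    """Return a list of findings (strings) for a client/server config pair."""
    findings = []
    if not any(get(client_entries, d) for d in SERVER_VERIFY_DIRECTIVES):
        findings.append("client: no server certificate verification method "
                        "(add 'remote-cert-tls server')")
    cp, sp = proto_family(client_entries), proto_family(server_entries)
    if cp != sp:
        findings.append(f"proto mismatch: client uses {cp}, server listens on {sp}")
    cc, sc = get(client_entries, "cipher"), get(server_entries, "cipher")
    if (cc[-1] if cc else None) != (sc[-1] if sc else None):
        findings.append("cipher mismatch between client and server")
    if bool(get(client_entries, "tls-auth")) != bool(get(server_entries, "tls-auth")):
        findings.append("tls-auth (ta.key) configured on one side only")
    return findings


def key_file_exposed(path):
    """True when a private key is readable or writable by group or others, the
    condition behind OpenVPN's 'is group or others accessible' warning."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def run_demo():
    """Run the checks on the constructed configs; returns
    (findings, findings_after_fix, key_exposed_before, key_exposed_after)."""
    server = parse_conf(SERVER_CONF)
    client = parse_conf(CLIENT_CONF)
    findings = check_client(client, server)
    fixed = parse_conf(CLIENT_CONF + "remote-cert-tls server\n")
    fixed_findings = check_client(fixed, server)
    # Constructed key file, first with 0644 permissions as in the question's
    # warning, then tightened to 0600.
    with tempfile.NamedTemporaryFile("w", suffix=".key", delete=False) as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")
        path = fh.name
    os.chmod(path, 0o644)
    exposed_before = key_file_exposed(path)
    os.chmod(path, 0o600)
    exposed_after = key_file_exposed(path)
    os.unlink(path)
    return findings, fixed_findings, exposed_before, exposed_after


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

On the configs above the only finding is the missing verification directive; changing the client's `proto` to `udp`, as the NetworkManager profile in the log evidently did, adds the proto mismatch finding that explains the `ECONNREFUSED` lines.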
