On 23/02/2023 16:10, Bo Berglund wrote:
On Thu, 23 Feb 2023 13:25:46 +0100, Gert Doering <g...@greenie.muc.de> wrote:

Hi,

On Thu, Feb 23, 2023 at 09:04:13AM +0100, Bo Berglund wrote:
But now when I connect on 1194 or 1195 from a remote location nothing happens
whereas on 1198 or 1199 I get instant connection.

Basically there are two reasons why "nothing" could happen - one is
"packets never make it to the server" (Firewall/NAT box being confused),
the other is "some cert has expired, so the server does not want
to talk to you".


For debugging the OpenVPN server, you need to find out where it logs
to - usually the OpenVPN server log is pretty clear on "I do not like
this client because..."


The logs are in /etc/openvpn/log so they were simple to locate...

When I first try (and fail) to connect then go in via the other server to read
the log I find this:

217.31.190.108:63723 TLS: Initial packet from [AF_INET]217.31.190.108:63723, sid=863c9ad5 e9b05ce9
217.31.190.108:63723 VERIFY ERROR: depth=0, error=CRL has expired: C=US, ST=TX, L=Austin, O=Companyname, OU=IT, CN=BosseB_AGI, name=BosseB_AGI, emailAddress=***
217.31.190.108:63723 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
217.31.190.108:63723 TLS_ERROR: BIO read tls_read_plaintext error
217.31.190.108:63723 TLS Error: TLS object -> incoming plaintext read error
217.31.190.108:63723 TLS Error: TLS handshake failed
217.31.190.108:63723 SIGUSR1[soft,tls-error] received, client-instance restarting

So it seems like some client cert has expired...

Question:

How can I update the cert (which cert) to extend the lifetime?
For some other certs, I have a simple check like this in a script:

    # -checkend exits 1 if the certificate expires within the given number of seconds
    openssl x509 -noout -checkend $((40*24*3600)) -in "$CERT_FILE"
    if [ $? -eq 1 ]; then # Certificate is expiring
        echo "** EXPIRING ** Certificate dates (current): "
        openssl x509 -noout -dates -in "$CERT_FILE"
    fi


This will check if the certificate will expire in less than 40 days.


--
kind regards,

David Sommerseth
OpenVPN Inc
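The server log in this thread complains about the CRL ("error=CRL has expired"), which is a different object from any client or server certificate: OpenVPN checks the CRL's nextUpdate field and rejects every client once it has passed, even when all certificates are still valid. The script below is an added example, not something posted in the thread, that extends the -checkend idea to both files: it reports the certificate's notAfter and the CRL's nextUpdate against the same 40-day warning window. It assumes the openssl CLI, a date that accepts either GNU -d or BSD -j -f, and file paths passed on the command line (the /etc/openvpn paths in the usage comment are assumptions, not taken from the thread).

```shell
#!/bin/sh
# Added example: expiry check for an OpenVPN server certificate and its CRL.
# Default warning window of 40 days matches the -checkend example in the thread.
WARN_DAYS="${WARN_DAYS:-40}"

# seconds_until DATE: seconds from now until DATE in the format openssl prints
# (e.g. "Feb 23 12:00:00 2023 GMT"); negative when the date has already passed.
# Tries GNU date -d first, then the BSD/macOS equivalent.
seconds_until() {
    exp=$(date -u -d "$1" +%s 2>/dev/null) \
        || exp=$(date -u -j -f '%b %d %H:%M:%S %Y %Z' "$1" +%s 2>/dev/null) \
        || return 1
    now=$(date -u +%s)
    echo $((exp - now))
}

# classify SECONDS: prints expired / expiring / ok relative to WARN_DAYS.
classify() {
    if [ "$1" -lt 0 ]; then
        echo expired
    elif [ "$1" -lt $((WARN_DAYS * 24 * 3600)) ]; then
        echo expiring
    else
        echo ok
    fi
}

# check_cert FILE: prints "<status> cert FILE notAfter=<date>"; exit 0 only when ok,
# 1 when expiring or expired, 2 when the file could not be parsed.
check_cert() {
    end=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//')
    [ -n "$end" ] || return 2
    secs=$(seconds_until "$end") || return 2
    status=$(classify "$secs")
    echo "$status cert $1 notAfter=$end"
    [ "$status" = ok ]
}

# check_crl FILE: same report for the CRL's nextUpdate. Once nextUpdate passes,
# the server logs "VERIFY ERROR: ... CRL has expired" for every client, as in the
# log above, regardless of the client certificates' own validity.
check_crl() {
    next=$(openssl crl -noout -nextupdate -in "$1" 2>/dev/null | sed 's/^nextUpdate=//')
    [ -n "$next" ] || return 2
    secs=$(seconds_until "$next") || return 2
    status=$(classify "$secs")
    echo "$status crl $1 nextUpdate=$next"
    [ "$status" = ok ]
}

# check_file FILE: pick the right check by sniffing the PEM header.
check_file() {
    if grep -q 'BEGIN X509 CRL' "$1" 2>/dev/null; then
        check_crl "$1"
    else
        check_cert "$1"
    fi
}

# Usage (paths are assumptions): sh check-openvpn-expiry.sh /etc/openvpn/server.crt /etc/openvpn/crl.pem
# Exit status is non-zero if any file is expiring, expired or unreadable, so it
# can run from cron and be alerted on.
main() {
    rc=0
    for f in "$@"; do
        check_file "$f" || rc=1
    done
    return $rc
}

if [ $# -gt 0 ]; then
    main "$@"
else
    echo "usage: $0 CERT_OR_CRL.pem ..." >&2
fi
```

A useful habit is to run this against the same CRL file the server's crl-verify option points at, since regenerating the CRL (which is what resets nextUpdate) only helps if the server actually reads the new file.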