Hi there,

I am trying to set up the OpenVPN server on EFW (2.2Beta3) for road warriors with the following configuration:

The Certificate Authority and the server keys/certs were created using the tools available in easy-rsa (openvpn installation directory) and imported to XCA.

The server has been configured with the following setup:

1. Authentication - (X.509 certificate).
2. Certificate - PKCS#12 format - imported from XCA.

The server configuration, as taken from "openvpn.conf" (/etc/openvpn/):
------------------------------------------
Server.conf

; daemon configuration
daemon
mode server
tls-server
proto udp
port 1194
multihome
user openvpn
group openvpn

cd /var/openvpn
client-config-dir clients


; tunnel configuration

dev tap1
server-bridge 192.168.1.123 255.255.255.0 192.168.1.1 192.168.1.10
push "route-gateway 192.168.1.123"

push "dhcp-option DNS 192.168.1.254"

passtos
comp-lzo
management 127.0.0.1 5555
keepalive 8 30

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

persist-key
persist-tun
persist-local-ip
persist-remote-ip


; logging and status

writepid /var/run/openvpn/openvpn.pid
ifconfig-pool-persist openvpn.leases
status /var/log/openvpn/openvpn-status.log
verb 1


client-connect "/usr/local/bin/dir.d-exec /etc/openvpn/client-connect.d/"
client-disconnect "/usr/local/bin/dir.d-exec /etc/openvpn/client-disconnect.d/"


; certificates and authentication

dh /var/efw/openvpn/dh1024.pem
pkcs12 /var/efw/openvpn/pkcs12.p12

ns-cert-type client

--------------------------------------------
Client conf



client
dev tap
proto udp
remote xxxxxxxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
keepalive 10 120
pkcs12 pradeep.p12
ns-cert-type server
comp-lzo
verb 2


--------------------------------------------

When trying to connect to the server from the client (road-warrior), I get the following errors:


Tue Mar 18 16:59:42 2008 us=484000 UDPv4 link local: [undef]
Tue Mar 18 16:59:42 2008 us=484000 UDPv4 link remote: 192.168.1.123:1194
WRRTue Mar 18 16:59:42 2008 us=484000 TLS: Initial packet from 192.168.1.123:1194, sid=755edcde 2ba1f3f4
WWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRTue Mar 18 16:59:42 2008 us=640000 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=AE/ST=DXB/L=DXB/O=PJ/OU=IT/CN=CA/emailAddress=ca@primajava.com
Tue Mar 18 16:59:42 2008 us=656000 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Mar 18 16:59:42 2008 us=656000 TLS Error: TLS object -> incoming plaintext read error
Tue Mar 18 16:59:42 2008 us=656000 TLS Error: TLS handshake failed
Tue Mar 18 16:59:42 2008 us=656000 TCP/UDP: Closing socket
Tue Mar 18 16:59:42 2008 us=656000 SIGUSR1[soft,tls-error] received, process restarting
Tue Mar 18 16:59:42 2008 us=656000 Restart pause, 2 second(s)
Tue Mar 18 16:59:44 2008 us=656000 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Mar 18 16:59:44 2008 us=656000 Re-using SSL/TLS context
Tue Mar 18 16:59:44 2008 us=656000 LZO compression initialized
Tue Mar 18 16:59:44 2008 us=656000 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 18 16:59:44 2008 us=671000 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Mar 18 16:59:44 2008 us=671000 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Mar 18 16:59:44 2008 us=671000 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Mar 18 16:59:44 2008 us=671000 Local Options hash (VER=V4): 'd79ca330'
Tue Mar 18 16:59:44 2008 us=671000 Expected Remote Options hash (VER=V4): 'f7df56b8'
Tue Mar 18 16:59:44 2008 us=671000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Mar 18 16:59:44 2008 us=671000 UDPv4 link local: [undef]
Tue Mar 18 16:59:44 2008 us=687000 UDPv4 link remote: 192.168.1.123:1194
WRRTue Mar 18 16:59:44 2008 us=687000 TLS: Initial packet from 192.168.1.123:1194, sid=734bc3d7 8d214af5
WWTue Mar 18 16:59:44 2008 us=734000 TCP/UDP: Closing socket
Tue Mar 18 16:59:44 2008 us=734000 SIGTERM[hard,] received, process exiting




I am not sure where I have gone wrong. Any help would be highly appreciated.

cheers...

./pradeep
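Added example (an editor's shell script, not part of pradeep's post and not EFW or OpenVPN code): it builds a throwaway PKI with the openssl CLI, packs the same client key and certificate into three PKCS#12 bundles (with the right CA, with no CA at all, and with an unrelated CA), and then runs the check that an OpenVPN client configured with `pkcs12` and `ns-cert-type server` effectively performs on the server's certificate. Only the CA certificates carried inside the client's PKCS#12 serve as trust anchors; the chain the server presents is treated as untrusted input. A bundle that carries a different CA reproduces "error 19 ... self signed certificate in certificate chain" at depth 1, which is the failure in the log above, and a bundle with no CA is reported before any verification is attempted. Everything here is constructed for the example: the CA names, the file names, the password "demo", and the assumption that `openssl` (1.1.x or 3.x) is on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway PKI and runs
# the trust check an OpenVPN client does with `pkcs12` + `ns-cert-type server`.
# Assumes only the openssl CLI. Names, file names and the password "demo" are
# made up for the example.
set -u
WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Minimal openssl config: empty DN section (subjects come from -subj) plus the
# extension sections the posted configs rely on (ns-cert-type server/client).
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
nsCertType = server
[client]
basicConstraints = CA:FALSE
nsCertType = client
EOF

# make_ca FILEBASE CN : self-signed root CA -> FILEBASE.key / FILEBASE.crt
make_ca() {
  openssl req -x509 -config pki.cnf -extensions ca -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" -days 1 2>/dev/null
}

# issue FILEBASE EXTSECTION CAFILEBASE SERIAL : leaf cert signed by that CA
issue() {
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -set_serial "$4" \
    -days 1 -extfile pki.cnf -extensions "$2" -out "$1.crt" 2>/dev/null
}

# bundle OUT.p12 FILEBASE [CAFILE] : PKCS#12 with the leaf key+cert; the CA
# goes in only when CAFILE is given (the step that is easy to miss on export)
bundle() {
  if [ -n "${3:-}" ]; then
    openssl pkcs12 -export -in "$2.crt" -inkey "$2.key" -certfile "$3" \
      -passout pass:demo -out "$1"
  else
    openssl pkcs12 -export -in "$2.crt" -inkey "$2.key" \
      -passout pass:demo -out "$1"
  fi
}

# check_server_cert CLIENT.p12 SERVER.crt CHAIN.pem
# Trust anchors = CA certs found inside the client's PKCS#12 (nothing else);
# CHAIN.pem = what the server presents, used only as untrusted intermediates;
# -purpose nssslserver enforces nsCertType=server on the leaf, like
# `ns-cert-type server` does. Prints one of: ok | no-ca-in-p12 | fail
check_server_cert() {
  openssl pkcs12 -in "$1" -cacerts -nokeys -passin pass:demo \
    -out trusted.pem 2>/dev/null || true
  n=$(grep -c 'BEGIN CERTIFICATE' trusted.pem 2>/dev/null || true)
  if [ "${n:-0}" -eq 0 ]; then
    echo no-ca-in-p12
  elif openssl verify -purpose nssslserver -CAfile trusted.pem \
         -untrusted "$3" "$2" >verify.out 2>&1; then
    echo ok
  else
    cat verify.out >&2   # e.g. "error 19 at 1 depth lookup: self signed ..."
    echo fail
  fi
}

# --- build the throwaway PKI (all constructed) ---------------------------
make_ca ca "Demo CA"
make_ca other "Other CA"                  # a CA that did NOT sign the server
issue server server ca 1
issue roadwarrior client ca 2
cat server.crt ca.crt > chain.pem         # server presents leaf + its root

bundle good.p12    roadwarrior ca.crt     # key + cert + the right CA
bundle noca.p12    roadwarrior            # key + cert, CA left out
bundle wrongca.p12 roadwarrior other.crt  # key + cert + unrelated CA

# Usage: only the first bundle verifies; the others fail the way the log does.
echo "good.p12:         $(check_server_cert good.p12 server.crt chain.pem)"
echo "noca.p12:         $(check_server_cert noca.p12 server.crt chain.pem)"
echo "wrongca.p12:      $(check_server_cert wrongca.p12 server.crt chain.pem)"
# A client certificate offered as the server's is rejected by the
# nsCertType=server requirement even though it chains to the right CA.
echo "client-as-server: $(check_server_cert good.p12 roadwarrior.crt chain.pem)"
```

To run the same check against a real bundle, point `check_server_cert` at the road warrior's .p12 (the post's pradeep.p12), the server's certificate, and the chain extracted from the server's own PKCS#12 (`openssl pkcs12 -in pkcs12.p12 -nokeys`), after replacing the `pass:demo` arguments with the real passwords. If `openssl pkcs12 -cacerts -nokeys` prints no certificate, the CA never made it into the client bundle; if it prints one, compare its fingerprint (`openssl x509 -noout -fingerprint -sha1`) with that of the CA that actually signed the server certificate, since easy-rsa and XCA each keep their own CA and the two are easy to mix up.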