Comments on How to install OpenVPN Server and Client on CentOS 7
OpenVPN is an open source application that allows you to create a private network over the public Internet. OpenVPN tunnels your network connection securely through the internet. This tutorial describes the steps to set up an OpenVPN server and client on CentOS.
Comments
Hi,
Please help me to resolve this issue:
```
Mon Jun 29 22:45:02 2015 us=901224 UDPv4 link remote: 192.168.10.10:1194
Mon Jun 29 22:45:02 2015 us=903476 TLS: Initial packet from 192.168.10.10:1194, sid=e5eb0187 bec9e5d7
Mon Jun 29 22:45:02 2015 us=925972 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=PE/ST=CIX/L=Chiclayo/O=IPC/OU=IT/CN=IPC_CA/name=ca/[email protected]
Mon Jun 29 22:45:02 2015 us=926041 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Jun 29 22:45:02 2015 us=926055 TLS Error: TLS object -> incoming plaintext read error
Mon Jun 29 22:45:02 2015 us=926066 TLS Error: TLS handshake failed
Mon Jun 29 22:45:02 2015 us=936003 TCP/UDP: Closing socket
Mon Jun 29 22:45:02 2015 us=937630 SIGUSR1[soft,tls-error] received, process restarting
Mon Jun 29 22:45:02 2015 us=943245 Restart pause, 2 second(s)
```
Many thanks.
Best regards,
jhon rivera
Hello,
Are you sure that the iptables setup is correct? It looks like you forward a single IP instead of all possible connected clients. With the current setup, clients connect but are not allowed on the internet.
```
iptables -t nat -A POSTROUTING -s 192.168.200.024 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptablesvpn
```
Hi, back with how it worked for me ;)
```
[root@vpn ~]# iptables -F
[root@vpn ~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[root@vpn ~]# iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
```
IMPORTANT: change "eth0" to the Ethernet device through which your server connects to the internet (mine was venet0, where the real traffic comes through venet0:0).
Please stop disabling SELinux and start learning firewalld!
SELinux provides useful security enhancements, which is especially interesting for a server that is exposed on the internet!
Firewalld is the future, so you should accept that change and stop using legacy tools.
Nice try with firewalld, Dirk. If you were simply to accept changes, you would (likely) never use Linux. Linux is all about choices, really; one does not tell me the tool I have to use to do the job just because Red Hat introduced it. I might switch from iptables to firewalld one day when I see benefits.
Thank you, Dirk. I signed up for an account to make this comment and found you'd already beaten me to the punch. Firewalld, systemd, and SELinux are really not that hard to figure out.
The config is partially incorrect; it should read:
```
# See the size of the dh key in /etc/openvpn/keys/
dh /etc/openvpn/keys/dh2048.pem
```
Since we built the keys as 2048, it needs to exist :)
Kinda agree with Dirk; you really need to adapt to the choices/direction CentOS/Red Hat is going in.
Thanks for the post. Can anybody suggest a useful mobile OpenVPN client?
Hello,
Can you help me?
I want to configure OpenVPN using a certificate from EJBCA.
Thanks so much.
All good, but I can't start the server:
```
[root@openvpn ~]# systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2016-02-27 12:10:29 EST; 11s ago
  Process: 2021 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=1/FAILURE)

Feb 27 12:10:29 openvpn.hjsnetworks.net systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Feb 27 12:10:29 openvpn.hjsnetworks.net systemd[1]: openvpn@server.service: control process exited, code=exited status=1
Feb 27 12:10:29 openvpn.hjsnetworks.net systemd[1]: Failed to start OpenVPN Robust And Highly Flexible Tunneling Application On server.
Feb 27 12:10:29 openvpn.hjsnetworks.net systemd[1]: Unit openvpn@server.service entered failed state.
Feb 27 12:10:29 openvpn.hjsnetworks.net systemd[1]: openvpn@server.service failed.
```
How did you solve the "openvpn@server.service failed" error?
Small mistake in the config file:
`dh /etc/openvpn/keys/dh1024.pem` should be dh2018.pem, I believe.
Great article until you said disable SELinux... Don't disable it; figure it out and use it correctly, or you'll just have more problems.
THANK YOU!!
When you add the iptables forward rules, use
```
iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE
```
instead of
```
iptables -t nat -A POSTROUTING -s 192.168.200.024 -o eth0 -j MASQUERADE
```
Run `man iptables` for more details.
Or in my case, I had to substitute my NIC name for eth0. Make sure to check the output of ifconfig before entering the device name.
Isn't it supposed to be
```
yum -y install epel-release
```
right at the start of the document?
So many small errors... Really need to fix this article. Especially the missing / in the iptables line.
Hi,
In /etc/openvpn/server.conf it should be `dh /etc/openvpn/keys/dh2048.pem`, not dh1024.pem.
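An added pre-flight check (example code written for this page, not from the tutorial or any commenter) for the two mistakes raised repeatedly in this thread: the `192.168.200.024` subnet that is missing its `/`, which iptables rejects, and a `dh` line pointing at dh1024.pem when only dh2048.pem was generated, which makes openvpn@server fail at start-up. It assumes the subnet, outbound interface and config path are passed as arguments and it only prints the iptables rules rather than applying them.

```shell
#!/bin/sh
# Added example, not code from the tutorial or from any commenter: a pre-flight
# check for the two mistakes this thread keeps hitting, a malformed CIDR in the
# MASQUERADE rule ("192.168.200.024") and a "dh" line that names a key file that
# does not exist (dh1024.pem when dh2048.pem was generated).

# Return 0 if $1 is an IPv4 network in dotted-quad/prefix form, else 1.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  net=${1%/*}
  bits=${1#*/}
  case "$bits" in ''|*[!0-9]*) return 1 ;; esac
  [ "$bits" -le 32 ] || return 1
  oldifs=$IFS
  IFS=.
  set -- $net
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print (never apply) the NAT and forwarding rules for VPN subnet $1 leaving
# via interface $2, refusing a subnet that fails valid_cidr.
masquerade_rules() {
  valid_cidr "$1" || { echo "refusing malformed subnet: $1" >&2; return 1; }
  printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
  printf 'iptables -A FORWARD -i tun0 -o %s -s %s -j ACCEPT\n' "$2" "$1"
  printf 'iptables -A FORWARD -i %s -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT\n' "$2"
}

# Return 0 if every "dh <path>" line in server config $1 points at a file that
# exists, so openvpn@server will not die at start-up on a missing dh2048.pem.
dh_files_exist() {
  awk '$1 == "dh" { print $2 }' "$1" | while read -r keyfile; do
    [ -f "$keyfile" ] || { echo "missing dh file: $keyfile" >&2; exit 1; }
  done
}

# Usage: masquerade_rules 192.168.200.0/24 eth0; dh_files_exist /etc/openvpn/server.conf
```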
Hi, very good configuration, thanks. If it is not working, look in the log; you need to change 1024 to 2048 in client.ovpn.
All the best
Why jump through a million hoops? Just download the official package from openvpn and yum install it. Voila. Everything is installed, configured and working out of the box. 2 commands. wget, rpm. All done. Takes 20 seconds.
Can someone help me to understand how to determine my openvpn subnet that I set the route to?
Thanks!
Hi, and thanks for helping me. Can I use a signed certificate instead of easy-rsa and create a profile after setting a signed, valid certificate?
Also, I want authentication with RADIUS; can you help me please?
```
Fri May 12 19:01:23 2017 OpenVPN 2.4.2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 11 2017
Fri May 12 19:01:23 2017 Windows version 6.1 (Windows 7) 32bit
Fri May 12 19:01:23 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.10
Enter Management Password:
Fri May 12 19:01:23 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Fri May 12 19:01:23 2017 Need hold release from management interface, waiting...
Fri May 12 19:01:24 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Fri May 12 19:01:24 2017 MANAGEMENT: CMD 'state on'
Fri May 12 19:01:24 2017 MANAGEMENT: CMD 'log all on'
Fri May 12 19:01:24 2017 MANAGEMENT: CMD 'echo all on'
Fri May 12 19:01:24 2017 MANAGEMENT: CMD 'hold off'
Fri May 12 19:01:24 2017 MANAGEMENT: CMD 'hold release'
Fri May 12 19:01:24 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 12 19:01:24 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 12 19:01:24 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]88.198.50.201:4500
Fri May 12 19:01:24 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri May 12 19:01:24 2017 UDP link local: (not bound)
Fri May 12 19:01:24 2017 UDP link remote: [AF_INET]88.198.50.201:4500
Fri May 12 19:01:24 2017 MANAGEMENT: >STATE:1494594084,WAIT,,,,,,
Fri May 12 19:02:24 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri May 12 19:02:24 2017 TLS Error: TLS handshake failed
Fri May 12 19:02:24 2017 SIGUSR1[soft,tls-error] received, process restarting
Fri May 12 19:02:24 2017 MANAGEMENT: >STATE:1494594144,RECONNECTING,tls-error,,,,,
Fri May 12 19:02:24 2017 Restart pause, 5 second(s)
Fri May 12 19:02:29 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]88.198.50.201:4500
Fri May 12 19:02:29 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri May 12 19:02:29 2017 UDP link local: (not bound)
Fri May 12 19:02:29 2017 UDP link remote: [AF_INET]88.198.50.201:4500
Fri May 12 19:02:29 2017 MANAGEMENT: >STATE:1494594149,WAIT,,,,,,
Fri May 12 19:03:29 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri May 12 19:03:29 2017 TLS Error: TLS handshake failed
Fri May 12 19:03:29 2017 SIGUSR1[soft,tls-error] received, process restarting
Fri May 12 19:03:29 2017 MANAGEMENT: >STATE:1494594209,RECONNECTING,tls-error,,,,,
Fri May 12 19:03:29 2017 Restart pause, 5 second(s)
Fri May 12 19:03:34 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]88.198.50.201:4500
Fri May 12 19:03:34 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri May 12 19:03:34 2017 UDP link local: (not bound)
Fri May 12 19:03:34 2017 UDP link remote: [AF_INET]88.198.50.201:4500
Fri May 12 19:03:34 2017 MANAGEMENT: >STATE:1494594214,WAIT,,,,,,
Fri May 12 19:04:15 2017 SIGTERM[hard,] received, process exiting
Fri May 12 19:04:15 2017 MANAGEMENT: >STATE:1494594255,EXITING,SIGTERM,,,,,
```
I have 2 NAT VPSes from 2 different providers, both for VPN only. One is working well and connects, but the other one is showing this error on the client device while trying to connect. Both are on CentOS 7 and both servers are configured exactly the same.
This is a NAT VPS on Gullo; I use one of its NAT ports.
Thank you for this great document. I have completed the tutorial. Everything looks okay, but I am having a "connection timeout" error while connecting to my VPN. I used port 443 (SSH) to prevent blocked ports on some routers (companies, schools, etc.). I am receiving packets from outside of my server on port 443. openvpn@server is running OK without error. I have checked too many things but I do not know what I am missing. Could you please help me to solve my problem?
```
[root@tienrno openvpn]# systemctl start openvpn@server
Job for openvpn@server.service failed because the control process exited with error code. See "systemctl status openvpn@server.service" and "journalctl -xe" for details.
```
I don't know. Thanks.
You should never disable SELinux. This is very bad practice, and I also don't really know why you are masking firewalld, as that's a perfectly fine firewall and the default for CentOS.
Hello,
I can't install OpenVPN following your instructions on CentOS Linux release 7.6.1810, which is a HostGator dedicated server. Basically I need to connect with https://www.dnsflex.com. Would you kindly help regarding this? Also, is it possible to share your email/Skype?
Hi,
How can I change the config file if I changed the OpenVPN server config?
I encountered this problem when I changed the client.ovpn file.
It looks like this: "SIGTERM[soft,auth-failure] received, process exiting"
Hi, I am new to OpenVPN. I have followed this document and it is working fine. However, once the client machine is connected to the VPN server, there is a drop in internet (the Google page doesn't open on the client).
Regards,
Zain
Hi all,
Please help me out to resolve this issue. When I am trying to connect to the VPN, I am getting the below error from my Win8 machine:
```
Sat Aug 29 12:39:57 2020 OpenVPN 2.4.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 16 2020
Sat Aug 29 12:39:57 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Sat Aug 29 12:39:57 2020 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Sat Aug 29 12:40:02 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]IPaddress:1337
Sat Aug 29 12:40:02 2020 UDP link local: (not bound)
Sat Aug 29 12:40:02 2020 UDP link remote: [AF_INET]IPaddress:1337
Sat Aug 29 12:41:02 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Aug 29 12:41:02 2020 TLS Error: TLS handshake failed
Sat Aug 29 12:41:02 2020 SIGUSR1[soft,tls-error] received, process restarting
```
Regards,
Zain
How do I revoke or delete OpenVPN user certificates and profiles from the command line?
Regards,
Zain