Unable to connect to VPN Server

Hi,

I am running on 

PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=raspbian
ID_LIKE=debian
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs

Basically I have followed the instructions listed in 
https://gist.github.com/superjamie/ac55b6d2c080582a3e64

When I try to connect to the server, it gives me this error:

[email protected]:/etc/openvpn $ sudo openvpn --config /etc/openvpn/Japan.conf
Tue May  8 13:20:09 2018 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Tue May  8 13:20:09 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Tue May  8 13:20:09 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]103.208.220.134:443
Tue May  8 13:20:09 2018 Attempting to establish TCP connection with [AF_INET]103.208.220.134:443 [nonblock]
Tue May  8 13:20:10 2018 TCP connection established with [AF_INET]103.208.220.134:443
Tue May  8 13:20:10 2018 TCP_CLIENT link local: (not bound)
Tue May  8 13:20:10 2018 TCP_CLIENT link remote: [AF_INET]103.208.220.134:443
Tue May  8 13:20:10 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue May  8 13:20:10 2018 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, [email protected]
Tue May  8 13:20:10 2018 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Tue May  8 13:20:10 2018 TLS_ERROR: BIO read tls_read_plaintext error
Tue May  8 13:20:10 2018 TLS Error: TLS object -> incoming plaintext read error
Tue May  8 13:20:10 2018 TLS Error: TLS handshake failed
Tue May  8 13:20:10 2018 Fatal TLS error (check_tls_errors_co), restarting
Tue May  8 13:20:10 2018 SIGUSR1[soft,tls-error] received, process restarting
^CTue May  8 13:20:11 2018 SIGINT[hard,init_instance] received, process exiting

Could some kind soul please help me with this issue?

Comments

  • The server auth certificate got damaged. Could be the CR-LF issue (it's a text file). Probably easier just to grab a fresh copy of the openvpn.zip (contains all the ovpn files and the cert files) from PIA and unpack it on your Raspberry.
  • Yeah sounds like a corrupted/invalid certificate.

    There's also a direct link to the file if you need. In your case since you're connecting to the legacy port, this is the one you want: http://www.privateinternetaccess.com/openvpn/ca.crt
  • Hi guys,

    Thanks for your advice. I have finally got the tunnel up and running.

    [email protected]:/etc/openvpn $ sudo openvpn --config /etc/openvpn/Japan.conf
    Wed May  9 04:57:45 2018 WARNING: file '/etc/openvpn/login' is group or others accessible
    Wed May  9 04:57:45 2018 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
    Wed May  9 04:57:45 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
    Wed May  9 04:57:45 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]103.208.220.132:443
    Wed May  9 04:57:45 2018 Attempting to establish TCP connection with [AF_INET]103.208.220.132:443 [nonblock]
    Wed May  9 04:57:46 2018 TCP connection established with [AF_INET]103.208.220.132:443
    Wed May  9 04:57:46 2018 TCP_CLIENT link local: (not bound)
    Wed May  9 04:57:46 2018 TCP_CLIENT link remote: [AF_INET]103.208.220.132:443
    Wed May  9 04:57:46 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Wed May  9 04:57:47 2018 [da65d2c93480811cbd4d09100a739c58] Peer Connection Initiated with [AF_INET]103.208.220.132:443
    Wed May  9 04:57:49 2018 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
    Wed May  9 04:57:49 2018 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
    Wed May  9 04:57:49 2018 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
    Wed May  9 04:57:49 2018 TUN/TAP device tun0 opened
    Wed May  9 04:57:49 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Wed May  9 04:57:49 2018 /sbin/ip link set dev tun0 up mtu 1500
    Wed May  9 04:57:49 2018 /sbin/ip addr add dev tun0 local 10.35.1.6 peer 10.35.1.5
    Wed May  9 04:57:49 2018 Initialization Sequence Completed

    However, I cannot ping the tunnel endpoint or surf the web after the tunnel is established. What could possibly have gone wrong?
  • Check your routing table: ip route and/or route -n.
    What's the default route?
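
Added example, not part of the thread: one way to check a downloaded ca.crt for the kinds of damage the first comments suggest (CR-LF line endings, a truncated or mangled file) before pointing OpenVPN at it. The function names check_pem and strip_cr and the verdict words are hypothetical, and the demo input is constructed, not a real certificate.

```shell
#!/bin/sh
# Added example: sanity-check the shape of a PEM CA file (e.g. ca.crt).
# check_pem (hypothetical name) prints one verdict word; returns 0 only for "ok".
check_pem() {
    f=$1
    cr=$(printf '\r')
    [ -r "$f" ] || { echo unreadable; return 2; }
    # DOS line endings: any carriage-return byte in the file.
    if LC_ALL=C grep -q "$cr" "$f"; then echo crlf; return 1; fi
    # grep -c exits non-zero on a count of 0, hence the "|| true".
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    # Truncated or mangled download: markers missing or unbalanced.
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo bad-markers; return 1
    fi
    # Every line between the markers must be pure base64.
    if sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$f" \
        | grep -v '^-----' | LC_ALL=C grep -q '[^A-Za-z0-9+/=]'; then
        echo bad-base64; return 1
    fi
    echo ok
}

# strip_cr (hypothetical name): write a copy without carriage returns.
# The original file is left untouched.
strip_cr() {
    tr -d '\r' < "$1" > "$2"
}

# Constructed demo input: PEM-shaped text saved with CR-LF line endings.
demo=$(mktemp)
printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo"
check_pem "$demo" || true
strip_cr "$demo" "$demo.lf" && check_pem "$demo.lf"
rm -f "$demo" "$demo.lf"
```

This checks the file's shape only; `openssl x509 -in ca.crt -noout -subject -fingerprint` confirms that the certificate actually parses.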