Dears, I’ve used this script: https://github.com/Nyr/openvpn-install
to install an OpenVPN server on my DigitalOcean VPS/Droplet.
However, I had a rough time getting this to work on my DD-WRT router: DD-WRT v3.0-r28788 std (01/13/16), Router: Linksys WRT1200AC
I’m getting the error: TLS Handshake Failed
I just can’t figure out the correct settings and I would really appreciate it if you could give me some help, or at least tell me where to look.
P.S.: My OpenVPN file works perfectly in Tunnelblick on Mac, so I’m sure there’s nothing wrong with my server installation.
My OpenVPN file:
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote 46.101.222.212 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
[XXXXXXXXX]
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=ChangeMe
Validity
Not Before: Dec 7 07:17:46 2016 GMT
Not After : Dec 5 07:17:46 2026 GMT
Subject: CN=client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e2:77:66:d0:5b:84:1d:c5:cd:1f:15:db:67:e9:
67:70:18:1f:44:ce:be:e2:27:ae:53:e8:2b:75:7e:
23:48:c5:3d:c2:af:4d:51:cf:c9:2e:99:00:72:85:
e2:2e:d3:0f:56:06:dc:24:3a:85:5f:05:a7:12:ae:
a1:3d:66:14:ab:83:ef:dc:5c:d7:61:59:97:f3:73:
e8:6f:08:36:3d:2f:07:7a:00:bc:ed:4c:1b:f0:fe:
4e:c3:80:91:3d:ae:2f:9f:f4:93:41:09:37:20:18:
83:9c:33:f1:68:22:e7:2c:b2:19:59:c0:a6:ca:ca:
8e:4f:02:8e:16:8f:4c:47:36:ef:56:7b:8f:e4:52:
d2:88:3c:2d:d1:00:7a:ca:ee:e9:b5:59:11:79:5d:
24:d3:e2:a9:fa:88:34:70:1e:b2:92:f0:88:0b:7d:
b1:a3:84:f1:a9:05:c7:cc:9b:29:55:c6:1a:5c:ef:
40:50:65:e0:07:0c:ee:ce:91:00:87:33:39:2a:1f:
3c:fd:29:41:77:14:c3:ea:25:88:b1:84:75:8d:9b:
98:24:f8:ec:60:fa:71:cc:ef:0d:46:f0:be:dd:b4:
82:5e:01:ff:8e:0a:de:ce:aa:50:3a:74:3b:79:12:
41:1c:05:ae:2b:67:a8:83:c0:ae:49:8c:04:c8:c2:
24:cb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
26:EB:C5:D6:DF:E3:2B:33:D0:70:66:02:7A:84:93:8F:76:2F:95:81
X509v3 Authority Key Identifier:
keyid:BF:F6:38:8F:C6:E1:8F:15:C4:0A:E7:9E:50:49:48:D4:BA:93:39:20
DirName:/CN=ChangeMe
serial:ED:A1:36:6E:60:F6:C9:13
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
c6:52:64:97:ba:dd:1a:9c:7e:78:0e:12:b8:93:3b:ba:6f:6a:
89:d3:3f:a9:e8:54:80:b4:0d:5a:37:6d:ff:02:82:17:1a:10:
fd:fb:69:e0:a7:67:55:1b:cd:c8:19:61:ec:c7:69:b8:d0:46:
40:29:e5:e6:a6:3a:77:12:75:c5:0d:59:a5:67:02:18:1e:66:
dd:61:01:c7:d2:9b:0d:a3:5e:cd:49:14:2b:c3:79:45:14:23:
78:f4:78:e4:96:70:f7:f2:e5:f8:1a:31:16:9d:04:bb:52:cf:
bc:e4:e2:1c:1c:e6:a2:5f:2d:b1:8d:b9:71:4a:da:08:25:f3:
f3:46:98:8f:28:11:ce:dc:63:9d:d8:4a:43:19:52:6f:bf:fc:
38:e6:31:9c:d7:40:e7:0f:1a:45:75:71:e3:16:0b:81:fe:bb:
00:aa:be:31:dc:45:2c:65:07:00:67:97:6e:ad:7f:a2:80:20:
82:98:59:c4:5b:7b:15:0d:88:60:14:75:e2:ec:5e:1b:c2:d4:
2d:99:d8:04:d2:b3:e5:52:6a:9f:d9:d0:a1:d4:28:e1:29:b5:
8c:3e:ad:b2:04:a7:78:8b:5d:2a:ae:2e:d7:a4:20:c6:e3:3d:
c6:56:33:3c:80:84:ef:83:ff:70:02:7b:ab:95:9c:1b:3a:c3:
fe:fb:0c:41
-----BEGIN CERTIFICATE-----
[XXXXXXXX]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
[XXXXXXXXXX]
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
[XXXXXXXX]
-----END OpenVPN Static key V1-----
</tls-auth>
An image which shows my current config: http://static.msaleh.me/ddwrt.jpg
My error log:
20161212 11:09:16 I OpenVPN 2.3.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 13 2016
20161212 11:09:16 I library versions: OpenSSL 1.0.2e 3 Dec 2015 LZO 2.09
20161212 11:09:16 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20161212 11:09:16 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20161212 11:09:16 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20161212 11:09:16 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20161212 11:09:16 I Control Channel Authentication: using '/tmp/openvpncl/ta.key' as a OpenVPN static key file
20161212 11:09:16 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
20161212 11:09:16 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
20161212 11:09:16 Socket Buffers: R=[180224->131072] S=[180224->131072]
20161212 11:09:16 I UDPv4 link local: [undef]
20161212 11:09:16 I UDPv4 link remote: [AF_INET]46.101.222.212:443
20161212 11:09:16 TLS: Initial packet from [AF_INET]46.101.222.212:443 sid=99851032 d5ab07b6
20161212 11:09:16 VERIFY OK: depth=1 CN=ChangeMe
20161212 11:09:16 VERIFY nsCertType ERROR: CN=server require nsCertType=SERVER
20161212 11:09:16 N TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134)
20161212 11:09:16 N TLS Error: TLS object -> incoming plaintext read error
20161212 11:09:16 N TLS Error: TLS handshake failed
20161212 11:09:16 I SIGUSR1[soft tls-error] received process restarting
20161212 11:09:16 Restart pause 2 second(s)
20161212 11:09:18 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20161212 11:09:18 Socket Buffers: R=[180224->131072] S=[180224->131072]
20161212 11:09:18 I UDPv4 link local: [undef]
20161212 11:09:18 I UDPv4 link remote: [AF_INET]46.101.222.212:443
20161212 11:09:20 TLS: Initial packet from [AF_INET]46.101.222.212:443 sid=89e2422e ef2a8c8c
20161212 11:09:20 VERIFY OK: depth=1 CN=ChangeMe
20161212 11:09:20 VERIFY nsCertType ERROR: CN=server require nsCertType=SERVER
20161212 11:09:20 N TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134)
20161212 11:09:20 N TLS Error: TLS object -> incoming plaintext read error
20161212 11:09:20 N TLS Error: TLS handshake failed
20161212 11:09:20 I SIGUSR1[soft tls-error] received process restarting
20161212 11:09:20 Restart pause 2 second(s)
20161212 11:09:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20161212 11:09:21 D MANAGEMENT: CMD 'state'
20161212 11:09:21 MANAGEMENT: Client disconnected
20161212 11:09:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20161212 11:09:21 D MANAGEMENT: CMD 'state'
20161212 11:09:21 MANAGEMENT: Client disconnected
20161212 11:09:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20161212 11:09:21 D MANAGEMENT: CMD 'state'
20161212 11:09:21 MANAGEMENT: Client disconnected
20161212 11:09:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20161212 11:09:21 D MANAGEMENT: CMD 'status 2'
20161212 11:09:21 MANAGEMENT: Client disconnected
20161212 11:09:21 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20161212 11:09:21 D MANAGEMENT: CMD 'log 500'
19700101 01:00:00
I’m not really sure if it’s fine to post this question :) If it’s not, then I apologize; please delete it.
But I really would appreciate any help. Thanks.
Hi @ryanpq, thanks a lot for your reply. I finally got it to work.
I removed all of the extra config and left only:
persist-key
persist-tun
and also removed the checkmark on nsCertType, and finally it connected successfully.
For anyone stuck with this, kindly check the answer here as well: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=306070&sid=7e4ee3c75056a710003cb40a8b88d61e
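Added example, not part of the original thread and not DD-WRT's, OpenVPN's or the install script's code. The log line `VERIFY nsCertType ERROR: CN=server require nsCertType=SERVER` is what OpenVPN's `ns-cert-type server` check prints (the DD-WRT "nsCertType" checkbox), and it means the server certificate carries no deprecated `Netscape Cert Type: SSL Server` extension. The `remote-cert-tls server` line in the posted .ovpn performs the modern equivalent using the X509v3 Extended Key Usage and Key Usage extensions instead, which is why unchecking nsCertType lets the handshake complete. The practical caveat: keep `remote-cert-tls server` (or an equivalent check) in the client config after unticking the box, because with neither check a client accepts any certificate the CA signed, including another client's, as "the server". The script below reproduces both checks on certificate text dumps of the form `openssl x509 -noout -text` prints; the three sample dumps are constructed (the client one mirrors the extensions of the client certificate in the post), and the Key Usage test is a simplification of OpenVPN's bit-pattern comparison (see `--remote-cert-ku` in the manual).

```shell
#!/bin/sh
# Added example (not from the original post). Reproduces, on certificate text
# dumps, the two "is this peer really the server?" checks involved in the error:
#   nscerttype : DD-WRT's checkbox / ns-cert-type server -> needs the deprecated
#                "Netscape Cert Type: SSL Server" extension
#   eku        : remote-cert-tls server -> needs "TLS Web Server Authentication"
#                in Extended Key Usage plus a usable Key Usage (simplified here
#                to "contains Digital Signature or Key Encipherment")

# Text dump of a real certificate file (not used by the samples below).
dump_cert() {
    openssl x509 -in "$1" -noout -text
}

# Print the trimmed line that follows an extension header such as
# "X509v3 Extended Key Usage:" in a dump; print nothing if it is absent.
extension_value() {
    # $1 = dump text, $2 = header to look for
    printf '%s\n' "$1" | awk -v hdr="$2" '
        found          { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }
        index($0, hdr) { found = 1 }'
}

# "yes"/"no": does the certificate carry nsCertType=server?
has_ns_cert_type_server() {
    case "$(extension_value "$1" "Netscape Cert Type:")" in
        *"SSL Server"*) echo yes ;;
        *)              echo no ;;
    esac
}

# "yes"/"no": does the certificate carry extendedKeyUsage=serverAuth?
has_eku_server_auth() {
    case "$(extension_value "$1" "X509v3 Extended Key Usage:")" in
        *"TLS Web Server Authentication"*) echo yes ;;
        *)                                 echo no ;;
    esac
}

# "yes"/"no": does Key Usage include Digital Signature or Key Encipherment?
has_ku_for_tls() {
    case "$(extension_value "$1" "X509v3 Key Usage:")" in
        *"Digital Signature"*|*"Key Encipherment"*) echo yes ;;
        *)                                         echo no ;;
    esac
}

# verify_server_cert MODE DUMP -> "accept" or "reject"
verify_server_cert() {
    case "$1" in
        nscerttype)
            [ "$(has_ns_cert_type_server "$2")" = yes ] && echo accept || echo reject ;;
        eku)
            if [ "$(has_eku_server_auth "$2")" = yes ] && [ "$(has_ku_for_tls "$2")" = yes ]; then
                echo accept
            else
                echo reject
            fi ;;
        *)
            echo "unknown mode: $1" >&2; return 2 ;;
    esac
}

# Constructed sample dumps (extension sections only).
# The client cert from the post: client EKU, Digital Signature only.
CLIENT_DUMP=$(cat <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature
EOF
)
# A server cert with EKU serverAuth but no Netscape extension, which is what
# the "require nsCertType=SERVER" log line says the server presented.
SERVER_DUMP=$(cat <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
EOF
)
# An older-style server cert that also carries the Netscape extension.
LEGACY_SERVER_DUMP=$(cat <<'EOF'
        X509v3 extensions:
            Netscape Cert Type:
                SSL Server
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
EOF
)

echo "nsCertType check on the server cert:     $(verify_server_cert nscerttype "$SERVER_DUMP")"
echo "remote-cert-tls server on the same cert: $(verify_server_cert eku "$SERVER_DUMP")"
echo "remote-cert-tls server on a client cert: $(verify_server_cert eku "$CLIENT_DUMP")"
```

The first line of the output is the post's failure (nsCertType rejects a certificate that only has EKU serverAuth), the second is why unticking the box works, and the third is why `remote-cert-tls server` must stay: it is the line that refuses a client certificate signed by the same CA when it is presented as the server.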
You’re likely going to need to follow a guide focused on dd-wrt. As an embedded distribution, it can’t be assumed that all the utilities and prerequisites available on a full server distro would be there. I would start here, with the dd-wrt documentation regarding OpenVPN.