No server certificate verification method has been enabled.

[haylebob]

Hallo,

habe eine mit OpenVPN einen Tunnel von meinem LG Nexus 4 zur DS710+ eingerichtet.
Ich komme auf meine DS710+ und kann von da dann surfen durch den Tunnel
soweit so gut leider kommt immer diese Warning

"No server certificate verification method has been enabled"

beim starten der OpenVPN Verbindung am Handy und ich weiss nicht wie ich
die wegbekomme. Der Hinweisauf der Page http://openvpn.net/howto.html#mitm
nach weiteren Infos suchen hat mir bisher nicht geholfen. ich muss wohl ein Server
Certi erstellen aber das script build-key-server gibt es nicht oder ich finde es nicht
und verstehe die Punkte zum Thema Server Certi auf der o.g. Howto Seite nicht.
kann mir bitte jemand weiterhelfen?
danke

meine Konfig-Datei für OpenVPN-Client sieht so aus:
dev tun
tls-client
remote externe-meine-ip 1194
#float
redirect-gateway
#dhcp-option DNS DNS_IP_ADDRESS
pull
proto udp
script-security 2
ca ca.crt
comp-lzo
reneg-sec 0
auth-user-pass

 

[jahlives]

mal probiert in der Clientconf das noch zu setzen?

ns-cert-type server

 

[haylebob]

Hallo,

das war's suuuper daaanke lol

jetzt kommt dafür ein anderer Error
P:TLS Error: local/remote TLS keys are out of sync: [AF_INET]meine-remote-ip:1194

was ist denn das?
gruß

 

[jahlives]

das passiert scheinbar wenn der Server neugestartet wird und es der Client nicht mitbekommt. Eigentlich sollte der Client nach einigen Minuten sich neuverbinden und damit die Schlüssel neuaushandeln. Verschwindet denn die Meldung nach einiger Zeit? Die OpenVPN Mailingliste empfiehlt falls die Verbbindung nicht von selber wieder kommt

http://openvpn.net/archive/openvpn-users/2004-12/msg00022.html
If you continue to get "out of sync" errors and the link does not come up, then it means that something is probably wrong with your config file.
You must use either ping and ping-restart on both sides of the connection, or keepalive on the server side of a client/server connection,
in order to gracefully recover from "local/remote TLS keys are out of sync" errors.

 

[haylebob]

you must use either ping and ping-restart on both sides of the connection, or keepalive

ööhm was bedeuted das ? ping kenne ich aber nur als prüfung ob ein server erreichbar ist
ping-restart und keepalive kenne ich gar nicht.

 

[jahlives]

OpenVPN kennt auch ping (siehe Manual http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html)

--ping n Ping remote over the TCP/UDP control channel if no packets have been sent for at least n seconds (specify --ping on both peers to cause ping packets to be sent in both directions since OpenVPN ping packets are not echoed like IP ping packets). When used in one of OpenVPN's secure modes (where --secret, --tls-server, or --tls-client is specified), the ping packet will be cryptographically secure. This option has two intended uses:
(1) Compatibility with stateful firewalls. The periodic ping will ensure that a stateful firewall rule which allows OpenVPN UDP packets to pass will not time out.
(2) To provide a basis for the remote to test the existence of its peer using the --ping-exit option.

--ping-exit n Causes OpenVPN to exit after n seconds pass without reception of a ping or other packet from remote. This option can be combined with --inactive, --ping, and --ping-exit to create a two-tiered inactivity disconnect. For example,
openvpn [options...] --inactive 3600 --ping 10 --ping-exit 60
when used on both peers will cause OpenVPN to exit within 60 seconds if its peer disconnects, but will exit after one hour if no actual tunnel data is exchanged.

--ping-restart n Similar to --ping-exit, but trigger a SIGUSR1 restart after n seconds pass without reception of a ping or other packet from remote. This option is useful in cases where the remote peer has a dynamic IP address and a low-TTL DNS name is used to track the IP address using a service such as http://dyndns.org/ + a dynamic DNS client such as ddclient.
If the peer cannot be reached, a restart will be triggered, causing the hostname used with --remote to be re-resolved (if --resolv-retry is also specified).
In server mode, --ping-restart, --inactive, or any other type of internally generated signal will always be applied to individual client instance objects, never to whole server itself. Note also in server mode that any internally generated signal which would normally cause a restart, will cause the deletion of the client instance object instead.
In client mode, the --ping-restart parameter is set to 120 seconds by default. This default will hold until the client pulls a replacement value from the server, based on the --keepalive setting in the server configuration. To disable the 120 second default, set --ping-restart 0 on the client.

See the signals section below for more information on SIGUSR1.
Note that the behavior of SIGUSR1 can be modified by the --persist-tun, --persist-key, --persist-local-ip, and --persist-remote-ip options.
Also note that --ping-exit and --ping-restart are mutually exclusive and cannot be used together.

 

[msiegberg]

mal probiert in der Clientconf das noch zu setzen?

ns-cert-type server

Hi,

ich hatte auch diese Warnung und die Zeile in meine Client Config eingefügt und die Warnung ist jetzt weg.

Erstmal vielen Dank dafür.

Was genau besagt denn diese Zeile, was bedeutet sie?

Ich will es ja verstehen

Vielen Dank und viele Grüße,
Michael

 

[jahlives]

https://openvpn.net/index.php/open-source/documentation/howto.html#secnotes

 

[Kind]

Hi,

ich bin gerade auf diesen Beitrag gestoßen.
Ich hab den gleichen Fehler wie eingangs genannt bekommen.

Ist es vollkommen egal wo ich die zeile "ns-cert-type server" einfüge?

Falls ja:
Dann bekomme ich diesen fehler:
WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.


bleibt "server" oder kommt da meine dyndns oder irgendwas rein?

meine Konfig sieht so aus:

dev tun
tls-client

remote XXX.feste-ip.net 27646


# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

# redirect-gateway def1

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

#dhcp-option DNS DNS_IP_ADDRESS

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp

script-security 2


comp-lzo

reneg-sec 0

cipher AES-256-CBC

auth SHA512

auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----

</ca>