Private OpenVPN infrastructure, failing authentication from Windows 10 client. Working perfectly from a Linux client
by sparc86 from LinuxQuestions.org on (#4SPTN)
Hi,
I will try to bring as much information as I can.
I'm setting up a VPN infrastructure between a small SOHO (small office) and the Internet.
The server is a Debian Stable server (Debian 10) and, really, everything is working ok, in the sense that I can authenticate from the client side (LinuxMint) without any issues, however, I also have a Windows client, which for some reason is failing to authenticate.
I'm sharing the private keys with both clients. In fact, I'm not very interested in this Linux client, as the only user in the end of the day will be the one with a Windows 10 client.
Well, here's the sauce (output)::
My successful connection from my Linux client:
Code:sudo openvpn --config /etc/openvpn/client.conf
Tue Oct 15 22:44:31 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Tue Oct 15 22:44:31 2019 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
Tue Oct 15 22:44:31 2019 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Tue Oct 15 22:44:31 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 22:44:31 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 22:44:31 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Tue Oct 15 22:44:31 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Tue Oct 15 22:44:31 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Tue Oct 15 22:44:32 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Tue Oct 15 22:44:32 2019 TCP_CLIENT link local: (not bound)
Tue Oct 15 22:44:32 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Tue Oct 15 22:44:32 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=8bfef20a e14c61b5
Tue Oct 15 22:44:32 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 22:44:32 2019 VERIFY OK: nsCertType=SERVER
Tue Oct 15 22:44:32 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 22:44:32 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 22:44:32 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Tue Oct 15 22:44:33 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Oct 15 22:44:33 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Oct 15 22:44:33 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:44:33 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:44:33 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: route-related options modified
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: peer-id set
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Oct 15 22:44:33 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Oct 15 22:44:33 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 22:44:33 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 22:44:33 2019 TUN/TAP device tun0 opened
Tue Oct 15 22:44:33 2019 TUN/TAP TX queue length set to 100
Tue Oct 15 22:44:33 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Oct 15 22:44:33 2019 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct 15 22:44:33 2019 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Tue Oct 15 22:44:33 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 15 22:44:33 2019 Initialization Sequence CompletedIt did work, but then I fixed the WARNING for "ns-cert-type" and got the following output:
Code: sudo openvpn --config /etc/openvpn/client.conf
Tue Oct 15 22:55:21 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Tue Oct 15 22:55:21 2019 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
Tue Oct 15 22:55:21 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 22:55:21 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 22:55:21 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:21 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Tue Oct 15 22:55:21 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Tue Oct 15 22:55:22 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:22 2019 TCP_CLIENT link local: (not bound)
Tue Oct 15 22:55:22 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:22 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=18890315 a25acdee
Tue Oct 15 22:55:22 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 22:55:22 2019 VERIFY KU OK
Tue Oct 15 22:55:22 2019 Validating certificate extended key usage
Tue Oct 15 22:55:22 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 15 22:55:22 2019 VERIFY EKU OK
Tue Oct 15 22:55:22 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 22:55:23 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 22:55:23 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:24 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Oct 15 22:55:24 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Oct 15 22:55:24 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:55:24 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:55:24 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: route-related options modified
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: peer-id set
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Oct 15 22:55:24 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Oct 15 22:55:24 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 22:55:24 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 22:55:24 2019 TUN/TAP device tun0 opened
Tue Oct 15 22:55:24 2019 TUN/TAP TX queue length set to 100
Tue Oct 15 22:55:24 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Oct 15 22:55:24 2019 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct 15 22:55:24 2019 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Tue Oct 15 22:55:24 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 15 22:55:24 2019 Initialization Sequence Completed
Tue Oct 15 23:55:23 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 23:55:23 2019 VERIFY KU OK
Tue Oct 15 23:55:23 2019 Validating certificate extended key usage
Tue Oct 15 23:55:23 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 15 23:55:23 2019 VERIFY EKU OK
Tue Oct 15 23:55:23 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 23:55:23 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:55:23 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:55:23 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 23:58:01 2019 Connection reset, restarting [0]
Tue Oct 15 23:58:01 2019 SIGUSR1[soft,connection-reset] received, process restarting
Tue Oct 15 23:58:01 2019 Restart pause, 5 second(s)
Tue Oct 15 23:58:06 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:06 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Tue Oct 15 23:58:06 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Tue Oct 15 23:58:07 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:07 2019 TCP_CLIENT link local: (not bound)
Tue Oct 15 23:58:07 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:07 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=9a0d4959 da0fd296
Tue Oct 15 23:58:07 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 23:58:07 2019 VERIFY KU OK
Tue Oct 15 23:58:07 2019 Validating certificate extended key usage
Tue Oct 15 23:58:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 15 23:58:07 2019 VERIFY EKU OK
Tue Oct 15 23:58:07 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 23:58:07 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 23:58:07 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:08 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Oct 15 23:58:09 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Oct 15 23:58:09 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 23:58:09 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 23:58:09 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: route-related options modified
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: peer-id set
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Oct 15 23:58:09 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Oct 15 23:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:58:09 2019 Preserving previous TUN/TAP instance: tun0
Tue Oct 15 23:58:09 2019 Initialization Sequence Completed
Wed Oct 16 00:58:07 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 00:58:07 2019 VERIFY KU OK
Wed Oct 16 00:58:07 2019 Validating certificate extended key usage
Wed Oct 16 00:58:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 00:58:07 2019 VERIFY EKU OK
Wed Oct 16 00:58:07 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 00:58:07 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 00:58:07 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 00:58:07 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 01:58:07 2019 TLS: soft reset sec=0 bytes=27597/-1 pkts=705/0
Wed Oct 16 01:58:07 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 01:58:07 2019 VERIFY KU OK
Wed Oct 16 01:58:07 2019 Validating certificate extended key usage
Wed Oct 16 01:58:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 01:58:07 2019 VERIFY EKU OK
Wed Oct 16 01:58:07 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 01:58:08 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 01:58:08 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 01:58:08 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 02:58:07 2019 TLS: tls_process: killed expiring key
Wed Oct 16 02:58:08 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 02:58:08 2019 VERIFY KU OK
Wed Oct 16 02:58:08 2019 Validating certificate extended key usage
Wed Oct 16 02:58:08 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 02:58:08 2019 VERIFY EKU OK
Wed Oct 16 02:58:08 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 02:58:08 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 02:58:08 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 02:58:08 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 03:58:08 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 03:58:08 2019 VERIFY KU OK
Wed Oct 16 03:58:08 2019 Validating certificate extended key usage
Wed Oct 16 03:58:08 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 03:58:08 2019 VERIFY EKU OK
Wed Oct 16 03:58:08 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 03:58:08 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 03:58:08 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 03:58:08 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 04:58:09 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 04:58:09 2019 VERIFY KU OK
Wed Oct 16 04:58:09 2019 Validating certificate extended key usage
Wed Oct 16 04:58:09 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 04:58:09 2019 VERIFY EKU OK
Wed Oct 16 04:58:09 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 04:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 04:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 04:58:09 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 05:58:08 2019 TLS: tls_process: killed expiring key
Wed Oct 16 05:58:09 2019 TLS: soft reset sec=0 bytes=27597/-1 pkts=705/0
Wed Oct 16 05:58:09 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 05:58:09 2019 VERIFY KU OK
Wed Oct 16 05:58:09 2019 Validating certificate extended key usage
Wed Oct 16 05:58:09 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 05:58:09 2019 VERIFY EKU OK
Wed Oct 16 05:58:09 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 05:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 05:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 05:58:09 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 06:58:09 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 06:58:09 2019 VERIFY KU OK
Wed Oct 16 06:58:09 2019 Validating certificate extended key usage
Wed Oct 16 06:58:09 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 06:58:09 2019 VERIFY EKU OK
Wed Oct 16 06:58:09 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 06:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 06:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 06:58:09 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 07:58:09 2019 TLS: soft reset sec=0 bytes=27675/-1 pkts=707/0
Wed Oct 16 07:58:10 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 07:58:10 2019 VERIFY KU OK
Wed Oct 16 07:58:10 2019 Validating certificate extended key usage
Wed Oct 16 07:58:10 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 07:58:10 2019 VERIFY EKU OK
Wed Oct 16 07:58:10 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 07:58:10 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 07:58:10 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 07:58:10 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 08:58:09 2019 TLS: tls_process: killed expiring key
Wed Oct 16 08:58:10 2019 TLS: soft reset sec=0 bytes=27747/-1 pkts=707/0
Wed Oct 16 08:58:10 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 08:58:10 2019 VERIFY KU OK
Wed Oct 16 08:58:10 2019 Validating certificate extended key usage
Wed Oct 16 08:58:10 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 08:58:10 2019 VERIFY EKU OK
Wed Oct 16 08:58:10 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 08:58:11 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 08:58:11 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 08:58:11 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 09:53:41 2019 [server] Inactivity timeout (--ping-restart), restarting
Wed Oct 16 09:53:41 2019 SIGUSR1[soft,ping-restart] received, process restarting
Wed Oct 16 09:53:41 2019 Restart pause, 5 second(s)
Wed Oct 16 09:53:46 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:46 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Wed Oct 16 09:53:46 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Wed Oct 16 09:53:47 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:47 2019 TCP_CLIENT link local: (not bound)
Wed Oct 16 09:53:47 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:47 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=0c44d0e7 1576ad8d
Wed Oct 16 09:53:47 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 09:53:47 2019 VERIFY KU OK
Wed Oct 16 09:53:47 2019 Validating certificate extended key usage
Wed Oct 16 09:53:47 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 09:53:47 2019 VERIFY EKU OK
Wed Oct 16 09:53:47 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 09:53:47 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 09:53:47 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:49 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Oct 16 09:53:49 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Oct 16 09:53:49 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 09:53:49 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 09:53:49 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: route-related options modified
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: peer-id set
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: data channel crypto options modified
Wed Oct 16 09:53:49 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Oct 16 09:53:49 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 09:53:49 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 09:53:49 2019 Preserving previous TUN/TAP instance: tun0
Wed Oct 16 09:53:49 2019 Initialization Sequence Completed
Wed Oct 16 10:53:47 2019 TLS: soft reset sec=0 bytes=62402/-1 pkts=839/0
Wed Oct 16 10:53:47 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 10:53:47 2019 VERIFY KU OK
Wed Oct 16 10:53:47 2019 Validating certificate extended key usage
Wed Oct 16 10:53:47 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 10:53:47 2019 VERIFY EKU OK
Wed Oct 16 10:53:47 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 10:53:47 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 10:53:47 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 10:53:47 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 11:53:47 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 11:53:47 2019 VERIFY KU OK
Wed Oct 16 11:53:47 2019 Validating certificate extended key usage
Wed Oct 16 11:53:47 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 11:53:47 2019 VERIFY EKU OK
Wed Oct 16 11:53:47 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 11:53:48 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 11:53:48 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 11:53:48 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 12:53:47 2019 TLS: tls_process: killed expiring key
Wed Oct 16 12:53:48 2019 TLS: soft reset sec=0 bytes=27747/-1 pkts=707/0
Wed Oct 16 12:53:48 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 12:53:48 2019 VERIFY KU OK
Wed Oct 16 12:53:48 2019 Validating certificate extended key usage
Wed Oct 16 12:53:48 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 12:53:48 2019 VERIFY EKU OK
Wed Oct 16 12:53:48 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 12:53:49 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 12:53:49 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 12:53:49 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 13:19:57 2019 [server] Inactivity timeout (--ping-restart), restarting
Wed Oct 16 13:19:57 2019 SIGUSR1[soft,ping-restart] received, process restarting
Wed Oct 16 13:19:57 2019 Restart pause, 5 second(s)
Wed Oct 16 13:20:02 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:02 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Wed Oct 16 13:20:02 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Wed Oct 16 13:20:03 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:03 2019 TCP_CLIENT link local: (not bound)
Wed Oct 16 13:20:03 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:03 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=5c127c2c 65543524
Wed Oct 16 13:20:03 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 13:20:03 2019 VERIFY KU OK
Wed Oct 16 13:20:03 2019 Validating certificate extended key usage
Wed Oct 16 13:20:03 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 13:20:03 2019 VERIFY EKU OK
Wed Oct 16 13:20:03 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 13:20:03 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 13:20:03 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:04 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Oct 16 13:20:04 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Oct 16 13:20:04 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 13:20:04 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 13:20:04 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: route-related options modified
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: peer-id set
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: data channel crypto options modified
Wed Oct 16 13:20:04 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Oct 16 13:20:04 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 13:20:04 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 13:20:04 2019 Preserving previous TUN/TAP instance: tun0
Wed Oct 16 13:20:04 2019 Initialization Sequence Completed
I will try to bring as much information as I can.
I'm setting up a VPN infrastructure between a small SOHO (small office) and the Internet.
The server is a Debian Stable server (Debian 10) and, really, everything is working ok, in the sense that I can authenticate from the client side (LinuxMint) without any issues, however, I also have a Windows client, which for some reason is failing to authenticate.
I'm sharing the private keys with both clients. In fact, I'm not very interested in this Linux client, as the only user in the end of the day will be the one with a Windows 10 client.
Well, here's the sauce (output)::
My successful connection from my Linux client:
Code:sudo openvpn --config /etc/openvpn/client.conf
Tue Oct 15 22:44:31 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Tue Oct 15 22:44:31 2019 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
Tue Oct 15 22:44:31 2019 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Tue Oct 15 22:44:31 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 22:44:31 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 22:44:31 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Tue Oct 15 22:44:31 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Tue Oct 15 22:44:31 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Tue Oct 15 22:44:32 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Tue Oct 15 22:44:32 2019 TCP_CLIENT link local: (not bound)
Tue Oct 15 22:44:32 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Tue Oct 15 22:44:32 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=8bfef20a e14c61b5
Tue Oct 15 22:44:32 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 22:44:32 2019 VERIFY OK: nsCertType=SERVER
Tue Oct 15 22:44:32 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 22:44:32 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 22:44:32 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Tue Oct 15 22:44:33 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Oct 15 22:44:33 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Oct 15 22:44:33 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:44:33 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:44:33 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: route-related options modified
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: peer-id set
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Tue Oct 15 22:44:33 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Oct 15 22:44:33 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Oct 15 22:44:33 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 22:44:33 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 22:44:33 2019 TUN/TAP device tun0 opened
Tue Oct 15 22:44:33 2019 TUN/TAP TX queue length set to 100
Tue Oct 15 22:44:33 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Oct 15 22:44:33 2019 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct 15 22:44:33 2019 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Tue Oct 15 22:44:33 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 15 22:44:33 2019 Initialization Sequence CompletedIt did work, but then I fixed the WARNING for "ns-cert-type" and got the following output:
Code: sudo openvpn --config /etc/openvpn/client.conf
Tue Oct 15 22:55:21 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Tue Oct 15 22:55:21 2019 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
Tue Oct 15 22:55:21 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 22:55:21 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Oct 15 22:55:21 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:21 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Tue Oct 15 22:55:21 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Tue Oct 15 22:55:22 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:22 2019 TCP_CLIENT link local: (not bound)
Tue Oct 15 22:55:22 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:22 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=18890315 a25acdee
Tue Oct 15 22:55:22 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 22:55:22 2019 VERIFY KU OK
Tue Oct 15 22:55:22 2019 Validating certificate extended key usage
Tue Oct 15 22:55:22 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 15 22:55:22 2019 VERIFY EKU OK
Tue Oct 15 22:55:22 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 22:55:23 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 22:55:23 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Tue Oct 15 22:55:24 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Oct 15 22:55:24 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Oct 15 22:55:24 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:55:24 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:55:24 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: route-related options modified
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: peer-id set
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Tue Oct 15 22:55:24 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Oct 15 22:55:24 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Oct 15 22:55:24 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 22:55:24 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 22:55:24 2019 TUN/TAP device tun0 opened
Tue Oct 15 22:55:24 2019 TUN/TAP TX queue length set to 100
Tue Oct 15 22:55:24 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Oct 15 22:55:24 2019 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct 15 22:55:24 2019 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Tue Oct 15 22:55:24 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 15 22:55:24 2019 Initialization Sequence Completed
Tue Oct 15 23:55:23 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 23:55:23 2019 VERIFY KU OK
Tue Oct 15 23:55:23 2019 Validating certificate extended key usage
Tue Oct 15 23:55:23 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 15 23:55:23 2019 VERIFY EKU OK
Tue Oct 15 23:55:23 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 23:55:23 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:55:23 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:55:23 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 23:58:01 2019 Connection reset, restarting [0]
Tue Oct 15 23:58:01 2019 SIGUSR1[soft,connection-reset] received, process restarting
Tue Oct 15 23:58:01 2019 Restart pause, 5 second(s)
Tue Oct 15 23:58:06 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:06 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Tue Oct 15 23:58:06 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Tue Oct 15 23:58:07 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:07 2019 TCP_CLIENT link local: (not bound)
Tue Oct 15 23:58:07 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:07 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=9a0d4959 da0fd296
Tue Oct 15 23:58:07 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Oct 15 23:58:07 2019 VERIFY KU OK
Tue Oct 15 23:58:07 2019 Validating certificate extended key usage
Tue Oct 15 23:58:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 15 23:58:07 2019 VERIFY EKU OK
Tue Oct 15 23:58:07 2019 VERIFY OK: depth=0, CN=server
Tue Oct 15 23:58:07 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Oct 15 23:58:07 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Tue Oct 15 23:58:08 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Oct 15 23:58:09 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Oct 15 23:58:09 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 23:58:09 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 23:58:09 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: route-related options modified
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: peer-id set
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Tue Oct 15 23:58:09 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Oct 15 23:58:09 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Oct 15 23:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 15 23:58:09 2019 Preserving previous TUN/TAP instance: tun0
Tue Oct 15 23:58:09 2019 Initialization Sequence Completed
Wed Oct 16 00:58:07 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 00:58:07 2019 VERIFY KU OK
Wed Oct 16 00:58:07 2019 Validating certificate extended key usage
Wed Oct 16 00:58:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 00:58:07 2019 VERIFY EKU OK
Wed Oct 16 00:58:07 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 00:58:07 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 00:58:07 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 00:58:07 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 01:58:07 2019 TLS: soft reset sec=0 bytes=27597/-1 pkts=705/0
Wed Oct 16 01:58:07 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 01:58:07 2019 VERIFY KU OK
Wed Oct 16 01:58:07 2019 Validating certificate extended key usage
Wed Oct 16 01:58:07 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 01:58:07 2019 VERIFY EKU OK
Wed Oct 16 01:58:07 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 01:58:08 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 01:58:08 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 01:58:08 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 02:58:07 2019 TLS: tls_process: killed expiring key
Wed Oct 16 02:58:08 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 02:58:08 2019 VERIFY KU OK
Wed Oct 16 02:58:08 2019 Validating certificate extended key usage
Wed Oct 16 02:58:08 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 02:58:08 2019 VERIFY EKU OK
Wed Oct 16 02:58:08 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 02:58:08 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 02:58:08 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 02:58:08 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 03:58:08 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 03:58:08 2019 VERIFY KU OK
Wed Oct 16 03:58:08 2019 Validating certificate extended key usage
Wed Oct 16 03:58:08 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 03:58:08 2019 VERIFY EKU OK
Wed Oct 16 03:58:08 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 03:58:08 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 03:58:08 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 03:58:08 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 04:58:09 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 04:58:09 2019 VERIFY KU OK
Wed Oct 16 04:58:09 2019 Validating certificate extended key usage
Wed Oct 16 04:58:09 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 04:58:09 2019 VERIFY EKU OK
Wed Oct 16 04:58:09 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 04:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 04:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 04:58:09 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 05:58:08 2019 TLS: tls_process: killed expiring key
Wed Oct 16 05:58:09 2019 TLS: soft reset sec=0 bytes=27597/-1 pkts=705/0
Wed Oct 16 05:58:09 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 05:58:09 2019 VERIFY KU OK
Wed Oct 16 05:58:09 2019 Validating certificate extended key usage
Wed Oct 16 05:58:09 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 05:58:09 2019 VERIFY EKU OK
Wed Oct 16 05:58:09 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 05:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 05:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 05:58:09 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 06:58:09 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 06:58:09 2019 VERIFY KU OK
Wed Oct 16 06:58:09 2019 Validating certificate extended key usage
Wed Oct 16 06:58:09 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 06:58:09 2019 VERIFY EKU OK
Wed Oct 16 06:58:09 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 06:58:09 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 06:58:09 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 06:58:09 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 07:58:09 2019 TLS: soft reset sec=0 bytes=27675/-1 pkts=707/0
Wed Oct 16 07:58:10 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 07:58:10 2019 VERIFY KU OK
Wed Oct 16 07:58:10 2019 Validating certificate extended key usage
Wed Oct 16 07:58:10 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 07:58:10 2019 VERIFY EKU OK
Wed Oct 16 07:58:10 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 07:58:10 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 07:58:10 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 07:58:10 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 08:58:09 2019 TLS: tls_process: killed expiring key
Wed Oct 16 08:58:10 2019 TLS: soft reset sec=0 bytes=27747/-1 pkts=707/0
Wed Oct 16 08:58:10 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 08:58:10 2019 VERIFY KU OK
Wed Oct 16 08:58:10 2019 Validating certificate extended key usage
Wed Oct 16 08:58:10 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 08:58:10 2019 VERIFY EKU OK
Wed Oct 16 08:58:10 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 08:58:11 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 08:58:11 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 08:58:11 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 09:53:41 2019 [server] Inactivity timeout (--ping-restart), restarting
Wed Oct 16 09:53:41 2019 SIGUSR1[soft,ping-restart] received, process restarting
Wed Oct 16 09:53:41 2019 Restart pause, 5 second(s)
Wed Oct 16 09:53:46 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:46 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Wed Oct 16 09:53:46 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Wed Oct 16 09:53:47 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:47 2019 TCP_CLIENT link local: (not bound)
Wed Oct 16 09:53:47 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:47 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=0c44d0e7 1576ad8d
Wed Oct 16 09:53:47 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 09:53:47 2019 VERIFY KU OK
Wed Oct 16 09:53:47 2019 Validating certificate extended key usage
Wed Oct 16 09:53:47 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 09:53:47 2019 VERIFY EKU OK
Wed Oct 16 09:53:47 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 09:53:47 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 09:53:47 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Wed Oct 16 09:53:49 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Oct 16 09:53:49 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Oct 16 09:53:49 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 09:53:49 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 09:53:49 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: route-related options modified
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: peer-id set
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Wed Oct 16 09:53:49 2019 OPTIONS IMPORT: data channel crypto options modified
Wed Oct 16 09:53:49 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Oct 16 09:53:49 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 09:53:49 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 09:53:49 2019 Preserving previous TUN/TAP instance: tun0
Wed Oct 16 09:53:49 2019 Initialization Sequence Completed
Wed Oct 16 10:53:47 2019 TLS: soft reset sec=0 bytes=62402/-1 pkts=839/0
Wed Oct 16 10:53:47 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 10:53:47 2019 VERIFY KU OK
Wed Oct 16 10:53:47 2019 Validating certificate extended key usage
Wed Oct 16 10:53:47 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 10:53:47 2019 VERIFY EKU OK
Wed Oct 16 10:53:47 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 10:53:47 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 10:53:47 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 10:53:47 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 11:53:47 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 11:53:47 2019 VERIFY KU OK
Wed Oct 16 11:53:47 2019 Validating certificate extended key usage
Wed Oct 16 11:53:47 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 11:53:47 2019 VERIFY EKU OK
Wed Oct 16 11:53:47 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 11:53:48 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 11:53:48 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 11:53:48 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 12:53:47 2019 TLS: tls_process: killed expiring key
Wed Oct 16 12:53:48 2019 TLS: soft reset sec=0 bytes=27747/-1 pkts=707/0
Wed Oct 16 12:53:48 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 12:53:48 2019 VERIFY KU OK
Wed Oct 16 12:53:48 2019 Validating certificate extended key usage
Wed Oct 16 12:53:48 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 12:53:48 2019 VERIFY EKU OK
Wed Oct 16 12:53:48 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 12:53:49 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 12:53:49 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 12:53:49 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 13:19:57 2019 [server] Inactivity timeout (--ping-restart), restarting
Wed Oct 16 13:19:57 2019 SIGUSR1[soft,ping-restart] received, process restarting
Wed Oct 16 13:19:57 2019 Restart pause, 5 second(s)
Wed Oct 16 13:20:02 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:02 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Wed Oct 16 13:20:02 2019 Attempting to establish TCP connection with [AF_INET]179.223.134.82:1194 [nonblock]
Wed Oct 16 13:20:03 2019 TCP connection established with [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:03 2019 TCP_CLIENT link local: (not bound)
Wed Oct 16 13:20:03 2019 TCP_CLIENT link remote: [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:03 2019 TLS: Initial packet from [AF_INET]179.223.134.82:1194, sid=5c127c2c 65543524
Wed Oct 16 13:20:03 2019 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Oct 16 13:20:03 2019 VERIFY KU OK
Wed Oct 16 13:20:03 2019 Validating certificate extended key usage
Wed Oct 16 13:20:03 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 13:20:03 2019 VERIFY EKU OK
Wed Oct 16 13:20:03 2019 VERIFY OK: depth=0, CN=server
Wed Oct 16 13:20:03 2019 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Oct 16 13:20:03 2019 [server] Peer Connection Initiated with [AF_INET]179.223.134.82:1194
Wed Oct 16 13:20:04 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Oct 16 13:20:04 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Oct 16 13:20:04 2019 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 13:20:04 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 13:20:04 2019 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: route-related options modified
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: peer-id set
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: adjusting link_mtu to 1627
Wed Oct 16 13:20:04 2019 OPTIONS IMPORT: data channel crypto options modified
Wed Oct 16 13:20:04 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Oct 16 13:20:04 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 13:20:04 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Oct 16 13:20:04 2019 Preserving previous TUN/TAP instance: tun0
Wed Oct 16 13:20:04 2019 Initialization Sequence Completed