temuco
Goto Top

OpenVPN - Ethernet-Tunnel - VERIFY ERROR...

Ethernet-Tunnel – VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=...


Hallo!

Ich möchte einen Ethernet-Tunnel zwischen mobilen Rechnern (Notebooks) und lokalem Netz realisieren. Das ganze soll mit Zertifikaten abgesichert werden und unter Windows 8.1 64 Bit laufen.

  • Auf dem OpenVPN-Server wurde eine Brücke zwischen dem TAP- und dem Ethernet-Adapter errichtet. Diese hat eine feste IP-Adresse, einen Standardgateway und einen DNS-Server zugewiesen. Der OpenVPN-Server ist darunter im LAN erreichbar und kommt auch ins Internet.
  • Der Router im LAN (Fritz!Box 7490) hat die jeweils für UDP und TCP eine Weiterleitung auf den OpenVPN-Server.
  • Die Firewalls (auf dem OpenVPN-Server und dem Testclient) für die Tests vorsorglich deaktiviert. Dabei handelt es sich auf beiden Rechnern um die Windows-Firewall.
  • easy-rsa ist installiert und konfiguriert. Damit wurden die Zertifikate erstellt:
      • Eine Zeile der Datei openssl-1.0.0.cnf wurde aus Sicherheitsgründen geändert: Aus default_md = md5 wurde default_md = sha512.
      • vars.bat wurde angepasst (u. a. "set KEY_SIZE=2048").
      • Commandline geöffnet.
      • vars.bat ausgeführt.
      • clean-all.bat ausgeführt.
      • Stammzertifikat mit build-ca.bat erstellt.
      • Diffie-Hellman-Parameter für den Schlüsselaustausch mit build-dh.bat erstellt
      • Server-Zertifikat mit build-key-server.bat erstellt.
      • Client-Zertifikat mit build-key.bat erstellt.
      • Zertifikate mit build-key-pkcs12.bat zusammengefasst.
      • Alle Zertifikate mit unterschiedlichen CNs
      • Zertifikate verteilt – Serverzertifikat auf dem OpenVPN-Server und das Clientzertifikat auf ein Notebook.
  • Konfigurationsdateien erstellt:

Server:
#
# Der gesamte Ethernet-Verkehr soll über den Tunnel fließen.

# OpenVPN soll indas Kofigurationsverzeichnis wechseln.
cd "C:/Program Files/OpenVPN/config/"  

#Device für den den Tunnel
dev tap0

# Port und Protokoll
port 1194
proto udp

# Paketgrößen
tun-mtu 1500
fragment 1300
mssfix

# Server
# 192.168.70.180 192.168.70.199 im DHCP ausgeschlossen.
mode server
server-bridge 192.168.70.205 255.255.255.0 192.168.70.180 192.168.70.199

# Teilnehmer eines virtuellen Netzwerkes sollen sich untereinander sehen.
client-to-client

connect-freq 1 sec
keepalive 10 120
persist-key
persist-tun

# Client eine neue Route und einen neuen Gateway zuweisen.
push "route 192.168.70.0 255.255.255.0"  
push "redirect-gateway def1 local"  

# IPs merken.
ifconfig-pool-persist ipp.txt

# Auth.-Server
tls-server
crl-verify crls/crl.pem

#Zertifikat
pkcs12 certs/server.p12

# Diffie-Hellman-Parameter
dh dh2048.pem

# Kompression einschalten.
comp-lzo yes

# Debug-Level
verb 5

Client:
#
# Der gesamte Ethernet-Verkehr soll über den Tunnel fließen.
#

# OpenVPN soll indas Kofigurationsverzeichnis wechseln.
cd "C:/Program Files/OpenVPN/config/"  

# IP des Gateways (OpenVPN-Server)
# remote aaa.bbb.ccc.ddd
remote sub.example.tld    # Wird richtig in aaa.bbb.ccc.ddd aufgelöst.

#Device für den den Tunnel
dev tap0

# Port und Protokoll
port 1194
proto udp

# Paketgrößen
tun-mtu 1500
fragment 1300
mssfix

# Auth.-Client
tls-client
pull

#Zertifikat
# ca ca.crt
# cert client1.crt
# key client1.key
pkcs12 certs/client1.p12

# Kompression einschalten.
comp-lzo yes

# Debug-Level
verb 3

Der Server startet ohne Probleme und wartet munter auf eine Verbindung. Nun starte ich den Testclient: Das merkt der Server, aber dann kommt auf der Clientseite zu einem Fehler. Hier die Logs (Adressen unkenntlich gemacht, da zum Teil statisch und ich nicht weiß, ob ich sie veröffentlichen darf):

Server (www.xxx.yyy.zzz ist die öffentliche Adresse am Client-Router):
Tue Dec 30 08:25:42 2014 us=198766 Current Parameter Settings:
Tue Dec 30 08:25:42 2014 us=198766   config = 'ethernet.ovpn'  
Tue Dec 30 08:25:42 2014 us=198766   mode = 1
Tue Dec 30 08:25:42 2014 us=198766   show_ciphers = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   show_digests = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   show_engines = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   genkey = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   key_pass_file = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   show_tls_ciphers = DISABLED
Tue Dec 30 08:25:42 2014 us=198766 Connection profiles [default]:
Tue Dec 30 08:25:42 2014 us=198766   proto = udp
Tue Dec 30 08:25:42 2014 us=198766   local = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   local_port = 1194
Tue Dec 30 08:25:42 2014 us=198766   remote = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   remote_port = 1194
Tue Dec 30 08:25:42 2014 us=198766   remote_float = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   bind_defined = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   bind_local = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   connect_retry_seconds = 5
Tue Dec 30 08:25:42 2014 us=198766   connect_timeout = 10
Tue Dec 30 08:25:42 2014 us=198766   connect_retry_max = 0
Tue Dec 30 08:25:42 2014 us=198766   socks_proxy_server = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   socks_proxy_port = 0
Tue Dec 30 08:25:42 2014 us=198766   socks_proxy_retry = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   tun_mtu = 1500
Tue Dec 30 08:25:42 2014 us=198766   tun_mtu_defined = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   link_mtu = 1500
Tue Dec 30 08:25:42 2014 us=198766   link_mtu_defined = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   tun_mtu_extra = 32
Tue Dec 30 08:25:42 2014 us=198766   tun_mtu_extra_defined = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   mtu_discover_type = -1
Tue Dec 30 08:25:42 2014 us=198766   fragment = 1300
Tue Dec 30 08:25:42 2014 us=198766   mssfix = 1300
Tue Dec 30 08:25:42 2014 us=198766   explicit_exit_notification = 0
Tue Dec 30 08:25:42 2014 us=198766 Connection profiles END
Tue Dec 30 08:25:42 2014 us=198766   remote_random = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   ipchange = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   dev = 'tap0'  
Tue Dec 30 08:25:42 2014 us=198766   dev_type = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   dev_node = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   lladdr = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   topology = 1
Tue Dec 30 08:25:42 2014 us=198766   tun_ipv6 = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_local = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_remote_netmask = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_noexec = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_nowarn = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_ipv6_local = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_ipv6_netbits = 0
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_ipv6_remote = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   shaper = 0
Tue Dec 30 08:25:42 2014 us=198766   mtu_test = 0
Tue Dec 30 08:25:42 2014 us=198766   mlock = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   keepalive_ping = 10
Tue Dec 30 08:25:42 2014 us=198766   keepalive_timeout = 120
Tue Dec 30 08:25:42 2014 us=198766   inactivity_timeout = 0
Tue Dec 30 08:25:42 2014 us=198766   ping_send_timeout = 10
Tue Dec 30 08:25:42 2014 us=198766   ping_rec_timeout = 240
Tue Dec 30 08:25:42 2014 us=198766   ping_rec_timeout_action = 2
Tue Dec 30 08:25:42 2014 us=198766   ping_timer_remote = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   remap_sigusr1 = 0
Tue Dec 30 08:25:42 2014 us=198766   persist_tun = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   persist_local_ip = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   persist_remote_ip = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   persist_key = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   passtos = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   resolve_retry_seconds = 1000000000
Tue Dec 30 08:25:42 2014 us=198766   username = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   groupname = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   chroot_dir = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   cd_dir = 'C:/Program Files/OpenVPN/config/'  
Tue Dec 30 08:25:42 2014 us=198766   writepid = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   up_script = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   down_script = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   down_pre = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   up_restart = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   up_delay = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   daemon = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   inetd = 0
Tue Dec 30 08:25:42 2014 us=198766   log = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   suppress_timestamps = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   nice = 0
Tue Dec 30 08:25:42 2014 us=198766   verbosity = 5
Tue Dec 30 08:25:42 2014 us=198766   mute = 0
Tue Dec 30 08:25:42 2014 us=198766   status_file = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   status_file_version = 1
Tue Dec 30 08:25:42 2014 us=198766   status_file_update_freq = 60
Tue Dec 30 08:25:42 2014 us=198766   occ = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   rcvbuf = 0
Tue Dec 30 08:25:42 2014 us=198766   sndbuf = 0
Tue Dec 30 08:25:42 2014 us=198766   sockflags = 0
Tue Dec 30 08:25:42 2014 us=198766   fast_io = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   lzo = 3
Tue Dec 30 08:25:42 2014 us=198766   route_script = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   route_default_gateway = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   route_default_metric = 0
Tue Dec 30 08:25:42 2014 us=198766   route_noexec = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   route_delay = 0
Tue Dec 30 08:25:42 2014 us=198766   route_delay_window = 30
Tue Dec 30 08:25:42 2014 us=198766   route_delay_defined = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   route_nopull = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   route_gateway_via_dhcp = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   max_routes = 100
Tue Dec 30 08:25:42 2014 us=198766   allow_pull_fqdn = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   management_addr = '127.0.0.1'  
Tue Dec 30 08:25:42 2014 us=198766   management_port = 25340
Tue Dec 30 08:25:42 2014 us=198766   management_user_pass = 'stdin'  
Tue Dec 30 08:25:42 2014 us=198766   management_log_history_cache = 250
Tue Dec 30 08:25:42 2014 us=198766   management_echo_buffer_size = 100
Tue Dec 30 08:25:42 2014 us=198766   management_write_peer_info_file = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   management_client_user = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   management_client_group = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   management_flags = 6
Tue Dec 30 08:25:42 2014 us=198766   shared_secret_file = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   key_direction = 0
Tue Dec 30 08:25:42 2014 us=198766   ciphername_defined = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   ciphername = 'BF-CBC'  
Tue Dec 30 08:25:42 2014 us=198766   authname_defined = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   authname = 'SHA1'  
Tue Dec 30 08:25:42 2014 us=198766   prng_hash = 'SHA1'  
Tue Dec 30 08:25:42 2014 us=198766   prng_nonce_secret_len = 16
Tue Dec 30 08:25:42 2014 us=198766   keysize = 0
Tue Dec 30 08:25:42 2014 us=198766   engine = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   replay = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   mute_replay_warnings = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   replay_window = 64
Tue Dec 30 08:25:42 2014 us=198766   replay_time = 15
Tue Dec 30 08:25:42 2014 us=198766   packet_id_file = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   use_iv = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   test_crypto = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   tls_server = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   tls_client = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   key_method = 2
Tue Dec 30 08:25:42 2014 us=198766   ca_file = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   ca_path = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   dh_file = 'dh2048.pem'  
Tue Dec 30 08:25:42 2014 us=198766   cert_file = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   priv_key_file = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   pkcs12_file = 'certs/server.p12'  
Tue Dec 30 08:25:42 2014 us=198766   cryptoapi_cert = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   cipher_list = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   tls_verify = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   tls_export_cert = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   verify_x509_type = 0
Tue Dec 30 08:25:42 2014 us=198766   verify_x509_name = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   crl_file = 'crls/crl.pem'  
Tue Dec 30 08:25:42 2014 us=198766   ns_cert_type = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_eku = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   ssl_flags = 0
Tue Dec 30 08:25:42 2014 us=198766   tls_timeout = 2
Tue Dec 30 08:25:42 2014 us=198766   renegotiate_bytes = 0
Tue Dec 30 08:25:42 2014 us=198766   renegotiate_packets = 0
Tue Dec 30 08:25:42 2014 us=198766   renegotiate_seconds = 3600
Tue Dec 30 08:25:42 2014 us=198766   handshake_window = 60
Tue Dec 30 08:25:42 2014 us=198766   transition_window = 3600
Tue Dec 30 08:25:42 2014 us=198766   single_session = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   push_peer_info = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   tls_exit = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   tls_auth_file = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_pin_cache_period = -1
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_id = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_id_management = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   server_network = 0.0.0.0
Tue Dec 30 08:25:42 2014 us=198766   server_netmask = 0.0.0.0
Tue Dec 30 08:25:42 2014 us=198766   server_network_ipv6 = ::
Tue Dec 30 08:25:42 2014 us=198766   server_netbits_ipv6 = 0
Tue Dec 30 08:25:42 2014 us=198766   server_bridge_ip = 192.168.70.205
Tue Dec 30 08:25:42 2014 us=198766   server_bridge_netmask = 255.255.255.0
Tue Dec 30 08:25:42 2014 us=198766   server_bridge_pool_start = 192.168.70.180
Tue Dec 30 08:25:42 2014 us=198766   server_bridge_pool_end = 192.168.70.199
Tue Dec 30 08:25:42 2014 us=198766   push_entry = 'route 192.168.70.0 255.255.255.0'  
Tue Dec 30 08:25:42 2014 us=198766   push_entry = 'redirect-gateway def1 local'  
Tue Dec 30 08:25:42 2014 us=198766   push_entry = 'route-gateway 192.168.70.205'  
Tue Dec 30 08:25:42 2014 us=198766   push_entry = 'ping 10'  
Tue Dec 30 08:25:42 2014 us=198766   push_entry = 'ping-restart 120'  
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_pool_defined = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_pool_start = 192.168.70.180
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_pool_end = 192.168.70.199
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_pool_netmask = 255.255.255.0
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_pool_persist_filename = 'ipp.txt'  
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_pool_persist_refresh_freq = 600
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_ipv6_pool_defined = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_ipv6_pool_base = ::
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_ipv6_pool_netbits = 0
Tue Dec 30 08:25:42 2014 us=198766   n_bcast_buf = 256
Tue Dec 30 08:25:42 2014 us=198766   tcp_queue_limit = 64
Tue Dec 30 08:25:42 2014 us=198766   real_hash_size = 256
Tue Dec 30 08:25:42 2014 us=198766   virtual_hash_size = 256
Tue Dec 30 08:25:42 2014 us=198766   client_connect_script = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   learn_address_script = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   client_disconnect_script = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   client_config_dir = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   ccd_exclusive = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   tmp_dir = 'C:\Users\ADMINI~1\AppData\Local\Temp\'  
Tue Dec 30 08:25:42 2014 us=198766   push_ifconfig_defined = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   push_ifconfig_local = 0.0.0.0
Tue Dec 30 08:25:42 2014 us=198766   push_ifconfig_remote_netmask = 0.0.0.0
Tue Dec 30 08:25:42 2014 us=198766   push_ifconfig_ipv6_defined = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   push_ifconfig_ipv6_local = ::/0
Tue Dec 30 08:25:42 2014 us=198766   push_ifconfig_ipv6_remote = ::
Tue Dec 30 08:25:42 2014 us=198766   enable_c2c = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   duplicate_cn = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   cf_max = 1
Tue Dec 30 08:25:42 2014 us=198766   cf_per = 0
Tue Dec 30 08:25:42 2014 us=198766   max_clients = 1024
Tue Dec 30 08:25:42 2014 us=198766   max_routes_per_client = 256
Tue Dec 30 08:25:42 2014 us=198766   auth_user_pass_verify_script = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   auth_user_pass_verify_script_via_file = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   client = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pull = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   auth_user_pass_file = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=198766   show_net_up = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   route_method = 0
Tue Dec 30 08:25:42 2014 us=198766   ip_win32_defined = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   ip_win32_type = 3
Tue Dec 30 08:25:42 2014 us=198766   dhcp_masq_offset = 0
Tue Dec 30 08:25:42 2014 us=198766   dhcp_lease_time = 31536000
Tue Dec 30 08:25:42 2014 us=198766   tap_sleep = 10
Tue Dec 30 08:25:42 2014 us=214392   dhcp_options = DISABLED
Tue Dec 30 08:25:42 2014 us=214392   dhcp_renew = DISABLED
Tue Dec 30 08:25:42 2014 us=214392   dhcp_pre_release = DISABLED
Tue Dec 30 08:25:42 2014 us=214392   dhcp_release = DISABLED
Tue Dec 30 08:25:42 2014 us=214392   domain = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=214392   netbios_scope = '[UNDEF]'  
Tue Dec 30 08:25:42 2014 us=214392   netbios_node_type = 0
Tue Dec 30 08:25:42 2014 us=214392   disable_nbt = DISABLED
Tue Dec 30 08:25:42 2014 us=214392 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  7 2014
Tue Dec 30 08:25:42 2014 us=214392 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05
Enter Management Password:
Tue Dec 30 08:25:42 2014 us=214392 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Dec 30 08:25:42 2014 us=214392 Need hold release from management interface, waiting...
Tue Dec 30 08:25:42 2014 us=230016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Dec 30 08:25:42 2014 us=355033 MANAGEMENT: CMD 'state on'  
Tue Dec 30 08:25:42 2014 us=355033 MANAGEMENT: CMD 'log all on'  
Tue Dec 30 08:25:42 2014 us=651896 MANAGEMENT: CMD 'hold off'  
Tue Dec 30 08:25:42 2014 us=667521 MANAGEMENT: CMD 'hold release'  
Tue Dec 30 08:25:42 2014 us=667521 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Tue Dec 30 08:25:42 2014 us=855021 Diffie-Hellman initialized with 2048 bit key
Tue Dec 30 08:25:42 2014 us=870648 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Dec 30 08:25:42 2014 us=870648 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Dec 30 08:25:42 2014 us=886272 open_tun, tt->ipv6=0
Tue Dec 30 08:25:42 2014 us=886272 TAP-WIN32 device [OpenVPN-Netzwerkadapter (TAP)] opened: \\.\Global\{B74C9838-2755-4FB1-850D-2DA4C461EF2B}.tap
Tue Dec 30 08:25:42 2014 us=886272 TAP-Windows Driver Version 9.21
Tue Dec 30 08:25:42 2014 us=886272 TAP-Windows MTU=1500
Tue Dec 30 08:25:42 2014 us=901899 Sleeping for 10 seconds...
Tue Dec 30 08:25:52 2014 us=978343 NOTE: FlushIpNetTable failed on interface [9] {B74C9838-2755-4FB1-850D-2DA4C461EF2B} (status=1168) : Element nicht gefunden. 
Tue Dec 30 08:25:52 2014 us=978343 Data Channel MTU parms [ L:1574 D:1300 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Dec 30 08:25:52 2014 us=978343 UDPv4 link local (bound): [undef]
Tue Dec 30 08:25:52 2014 us=993952 UDPv4 link remote: [undef]
Tue Dec 30 08:25:52 2014 us=993952 MULTI: multi_init called, r=256 v=256
Tue Dec 30 08:25:52 2014 us=993952 IFCONFIG POOL: base=192.168.70.180 size=20, ipv6=0
Tue Dec 30 08:25:52 2014 us=993952 IFCONFIG POOL LIST
Tue Dec 30 08:25:52 2014 us=993952 Initialization Sequence Completed
Tue Dec 30 08:25:52 2014 us=993952 MANAGEMENT: >STATE:1419924352,CONNECTED,SUCCESS,,
Tue Dec 30 08:26:56 2014 us=947772 MULTI: multi_create_instance called
Tue Dec 30 08:26:56 2014 us=947772 www.xxx.yyy.zzz:1194 Re-using SSL/TLS context
Tue Dec 30 08:26:56 2014 us=947772 www.xxx.yyy.zzz:1194 LZO compression initialized
Tue Dec 30 08:26:56 2014 us=947772 www.xxx.yyy.zzz:1194 Control Channel MTU parms [ L:1578 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Dec 30 08:26:56 2014 us=947772 www.xxx.yyy.zzz:1194 Data Channel MTU parms [ L:1578 D:1300 EF:46 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Dec 30 08:26:56 2014 us=947772 www.xxx.yyy.zzz:1194 Fragmentation MTU parms [ L:1578 D:1300 EF:45 EB:135 ET:33 EL:0 AF:3/1 ]
Tue Dec 30 08:26:56 2014 us=947772 www.xxx.yyy.zzz:1194 Local Options String: 'V4,dev-type tap,link-mtu 1578,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'  
Tue Dec 30 08:26:56 2014 us=947772 www.xxx.yyy.zzz:1194 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1578,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'  
Tue Dec 30 08:26:56 2014 us=947772 www.xxx.yyy.zzz:1194 Local Options hash (VER=V4): 'e2a912d8'  
Tue Dec 30 08:26:56 2014 us=947772 www.xxx.yyy.zzz:1194 Expected Remote Options hash (VER=V4): '9a22532e'  
Tue Dec 30 08:26:56 2014 us=947772 www.xxx.yyy.zzz:1194 TLS: Initial packet from [AF_INET]www.xxx.yyy.zzz:1194, sid=04b565aa c4d2edc7
Tue Dec 30 08:26:57 2014 us=259317 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Dec 30 08:26:59 2014 us=195110 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Dec 30 08:26:59 2014 us=278196 www.xxx.yyy.zzz:1194 TLS: new session incoming connection from [AF_INET]www.xxx.yyy.zzz:1194
Tue Dec 30 08:27:00 2014 us=603141 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Dec 30 08:27:01 2014 us=589768 www.xxx.yyy.zzz:1194 TLS: new session incoming connection from [AF_INET]www.xxx.yyy.zzz:1194
Tue Dec 30 08:27:04 2014 us=45768 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Dec 30 08:27:05 2014 us=988190 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Dec 30 08:27:07 2014 us=753290 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Dec 30 08:27:11 2014 us=210858 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Dec 30 08:27:13 2014 us=766473 TCP/UDP: Closing socket
Tue Dec 30 08:27:13 2014 us=766473 Closing TUN/TAP interface
Tue Dec 30 08:27:13 2014 us=766473 SIGTERM[hard,] received, process exiting
Tue Dec 30 08:27:13 2014 us=766473 MANAGEMENT: >STATE:1419924433,EXITING,SIGTERM,,
RWRRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWWRWRRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWWWWRWWWWWRWWWWWWWWWWW

Client (aaa.bbb.ccc.ddd ist die öffentliche Adresse am LAN-Router):
Tue Dec 30 08:26:48 2014 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  7 2014
Tue Dec 30 08:26:48 2014 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05
Enter Management Password:
Tue Dec 30 08:26:48 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Dec 30 08:26:48 2014 Need hold release from management interface, waiting...
Tue Dec 30 08:26:49 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Dec 30 08:26:49 2014 MANAGEMENT: CMD 'state on'  
Tue Dec 30 08:26:49 2014 MANAGEMENT: CMD 'log all on'  
Tue Dec 30 08:26:49 2014 MANAGEMENT: CMD 'hold off'  
Tue Dec 30 08:26:49 2014 MANAGEMENT: CMD 'hold release'  
Tue Dec 30 08:26:49 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Dec 30 08:26:56 2014 MANAGEMENT: CMD 'password [...]'  
Tue Dec 30 08:26:56 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Dec 30 08:26:56 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Dec 30 08:26:56 2014 MANAGEMENT: >STATE:1419924416,RESOLVE,,,
Tue Dec 30 08:26:56 2014 UDPv4 link local (bound): [undef]
Tue Dec 30 08:26:56 2014 UDPv4 link remote: [AF_INET]aaa.bbb.ccc.ddd:1194
Tue Dec 30 08:26:56 2014 MANAGEMENT: >STATE:1419924416,WAIT,,,
Tue Dec 30 08:26:57 2014 MANAGEMENT: >STATE:1419924417,AUTH,,,
Tue Dec 30 08:26:57 2014 TLS: Initial packet from [AF_INET]aaa.bbb.ccc.ddd:1194, sid=2bfd9772 de0ecbcd
Tue Dec 30 08:26:57 2014 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=DE, ST=BUNDESLAND, L="MeineStadt", O="MeineFirma", OU=Netzwerk, CN=server, name=server, emailAddress=name@example.tld  
Tue Dec 30 08:26:57 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Dec 30 08:26:57 2014 TLS Error: TLS object -> incoming plaintext read error
Tue Dec 30 08:26:57 2014 TLS Error: TLS handshake failed
Tue Dec 30 08:26:57 2014 SIGUSR1[soft,tls-error] received, process restarting
Tue Dec 30 08:26:57 2014 MANAGEMENT: >STATE:1419924417,RECONNECTING,tls-error,,
Tue Dec 30 08:26:57 2014 Restart pause, 2 second(s)
Tue Dec 30 08:26:59 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Dec 30 08:26:59 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Dec 30 08:26:59 2014 MANAGEMENT: >STATE:1419924419,RESOLVE,,,
Tue Dec 30 08:26:59 2014 UDPv4 link local (bound): [undef]
Tue Dec 30 08:26:59 2014 UDPv4 link remote: [AF_INET]aaa.bbb.ccc.ddd:1194
Tue Dec 30 08:26:59 2014 MANAGEMENT: >STATE:1419924419,WAIT,,,
Tue Dec 30 08:26:59 2014 MANAGEMENT: >STATE:1419924419,AUTH,,,
Tue Dec 30 08:26:59 2014 TLS: Initial packet from [AF_INET]aaa.bbb.ccc.ddd:1194, sid=62aa52c3 88548315
Tue Dec 30 08:26:59 2014 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=DE, ST=BUNDESLAND, L="MeineStadt", O="MeineFirma", OU=Netzwerk, CN=server, name=server, emailAddress=name@example.tld  
Tue Dec 30 08:26:59 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Dec 30 08:26:59 2014 TLS Error: TLS object -> incoming plaintext read error
Tue Dec 30 08:26:59 2014 TLS Error: TLS handshake failed
Tue Dec 30 08:26:59 2014 SIGUSR1[soft,tls-error] received, process restarting
Tue Dec 30 08:26:59 2014 MANAGEMENT: >STATE:1419924419,RECONNECTING,tls-error,,
Tue Dec 30 08:26:59 2014 Restart pause, 2 second(s)
Tue Dec 30 08:27:01 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Dec 30 08:27:01 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Dec 30 08:27:01 2014 MANAGEMENT: >STATE:1419924421,RESOLVE,,,
Tue Dec 30 08:27:01 2014 UDPv4 link local (bound): [undef]
Tue Dec 30 08:27:01 2014 UDPv4 link remote: [AF_INET]aaa.bbb.ccc.ddd:1194
Tue Dec 30 08:27:01 2014 MANAGEMENT: >STATE:1419924421,WAIT,,,
Tue Dec 30 08:27:01 2014 TLS Error: Unroutable control packet received from [AF_INET]aaa.bbb.ccc.ddd:1194 (si=3 op=P_CONTROL_V1)
Tue Dec 30 08:27:01 2014 TLS Error: Unroutable control packet received from [AF_INET]aaa.bbb.ccc.ddd:1194 (si=3 op=P_CONTROL_V1)
Tue Dec 30 08:27:01 2014 TLS Error: Unroutable control packet received from [AF_INET]aaa.bbb.ccc.ddd:1194 (si=3 op=P_ACK_V1)
Tue Dec 30 08:27:02 2014 TLS Error: Unroutable control packet received from [AF_INET]aaa.bbb.ccc.ddd:1194 (si=3 op=P_CONTROL_V1)
Tue Dec 30 08:27:02 2014 TLS Error: Unroutable control packet received from [AF_INET]aaa.bbb.ccc.ddd:1194 (si=3 op=P_CONTROL_V1)
Tue Dec 30 08:27:03 2014 TLS Error: Unroutable control packet received from [AF_INET]aaa.bbb.ccc.ddd:1194 (si=3 op=P_CONTROL_V1)
Tue Dec 30 08:27:03 2014 TLS Error: Unroutable control packet received from [AF_INET]aaa.bbb.ccc.ddd:1194 (si=3 op=P_CONTROL_V1)
Tue Dec 30 08:27:03 2014 TLS Error: Unroutable control packet received from [AF_INET]aaa.bbb.ccc.ddd:1194 (si=3 op=P_ACK_V1)
Tue Dec 30 08:27:03 2014 SIGTERM[hard,] received, process exiting
Tue Dec 30 08:27:03 2014 MANAGEMENT: >STATE:1419924423,EXITING,SIGTERM,,

Nun man sieht im Client-Log folgendes Fehlermuster:
Tue Dec 30 08:26:57 2014 TLS: Initial packet from [AF_INET]aaa.bbb.ccc.ddd:1194, sid=2bfd9772 de0ecbcd
Tue Dec 30 08:26:57 2014 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=DE, ST=BUNDESLAND, L="MeineStadt", O="MeineFirma", OU=Netzwerk, CN=server, name=server, emailAddress=name@example.tld  
Tue Dec 30 08:26:57 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Dec 30 08:26:57 2014 TLS Error: TLS object -> incoming plaintext read error
Tue Dec 30 08:26:57 2014 TLS Error: TLS handshake failed
Tue Dec 30 08:26:57 2014 SIGUSR1[soft,tls-error] received, process restarting
Tue Dec 30 08:26:57 2014 MANAGEMENT: >STATE:1419924417,RECONNECTING,tls-error,,
Tue Dec 30 08:26:57 2014 Restart pause, 2 second(s)
Tue Dec 30 08:26:59 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Dec 30 08:26:59 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Dec 30 08:26:59 2014 MANAGEMENT: >STATE:1419924419,RESOLVE,,,
Tue Dec 30 08:26:59 2014 UDPv4 link local (bound): [undef]
Tue Dec 30 08:26:59 2014 UDPv4 link remote: [AF_INET]aaa.bbb.ccc.ddd:1194

Das wiederholt sich und es kommt keine richtige Verbindung zustande. Ich habe bereits die Zertifikate mehrmals erstellt, aber ich erhalte immer wieder denselben Fehler und komme leider nicht weiter.

Ich wäre euch unendlich dankbar, wenn ihr mir weiterhelfen könntet.

Grüße

temuco

Content-ID: 258686

Url: https://administrator.de/forum/openvpn-ethernet-tunnel-verify-error-258686.html

Ausgedruckt am: 22.12.2024 um 16:12 Uhr

Chonta
Chonta 30.12.2014 um 11:14:25 Uhr
Goto Top
Hallo,

auf die Schnelle, in der Serverkonfig fehlt das ca Zertifikat.
In der Clientconfig fehlt das ca. Zertifikat und das Diffie-Hellman-Parameter.

Gruß

Chonta
orcape
orcape 30.12.2014 um 11:28:20 Uhr
Goto Top
Hi temuco,
erst mal hast Du einen TLS-Fehler, der schon mal auf ein Problem mit Deinen Zertifikaten hindeutet.
Ich weiß, Du hast Sie mehrmals erstellt, ging mir auch schon so und hier wird wohl....
@Chonta schon einen Ansatz geliefert haben.
Weiter..
musst Du zwingend das TAP-Device verwenden? Das bedeutet kein Routing sondern Bridging und aller Traffic incl. Broadcasts belasten Dir Deinen Tunnel.
Ausserdem zwingend gleicher IP-Range auf beiden Seiten des Tunnels.
Normalerweise ist das TUN-Device dem vor zu ziehen.
In diesem Zusammenhang wäre interessant, wie denn Deine Clients ins Netz gehen.
Gruß orcape
temuco
temuco 30.12.2014 um 12:30:28 Uhr
Goto Top
Hallo Chonta,

ich benutze das pkcs#12-Format. Darin sind ca.crt, server.crt und server.key enthalten.

#Zertifikat 
pkcs12 certs/server.p12

Dasselbe gilt für den Client. Darüber hinaus ist nach meinem Verständnis kein Diffie-Hellman-Parameter auf dem Client notwendig – lasse mich aber gerne eines besseren belehren.

Herzlichen Dank!

temuco
temuco
temuco 30.12.2014 um 12:47:51 Uhr
Goto Top
Hallo orcape!

Zunächst vielen Dank für deine Antwort!

Zitat von @orcape:

Hi temuco,
erst mal hast Du einen TLS-Fehler, der schon mal auf ein Problem mit Deinen Zertifikaten hindeutet.
Ich weiß, Du hast Sie mehrmals erstellt, ging mir auch schon so und hier wird wohl....
@Chonta schon einen Ansatz geliefert haben.

Bitte siehe meine Antwort an Chronta. Habe ich vielleicht etwas falsch verstanden?

Weiter..
musst Du zwingend das TAP-Device verwenden? Das bedeutet kein Routing sondern Bridging und aller Traffic incl. Broadcasts belasten Dir Deinen Tunnel.
Ausserdem zwingend gleicher IP-Range auf beiden Seiten des Tunnels.
Normalerweise ist das TUN-Device dem vor zu ziehen.
In diesem Zusammenhang wäre interessant, wie denn Deine Clients ins Netz gehen.
Gruß orcape

Es ist eigentlich gewollt. Der DHCP-Server hat einen Ausschlussbereich, der von OpenVPN für die Adressvergabe im gleichen Netz verwendet wird (192.168.70.180 - 192.168.70.199). Die Clients sollen komplett in das Netz eingebunden werden. Das hat zum Teil technische als auch historische Gründe. Wenn das funktioniert, ändert sich gegenüber früher nichts (Windows-Netz über nicht mehr sicheres PPTP). Danach kann ich mir das Routing genauer anschauen, aber jetzt hätte ich Angst, dass vielleicht die eine oder andere alte Anwendung nicht mehr funktioniert.
orcape
orcape 30.12.2014 um 12:49:46 Uhr
Goto Top
Darüber hinaus ist nach meinem Verständnis kein Diffie-Hellman-Parameter auf dem Client notwendig – lasse mich aber
gerne eines besseren belehren.
Das ist wohl richtig, ändert aber nichts an der Tatsache das Du irgendeinen Fehler integriert hast.
Die Logs sind eindeutig...
temuco
temuco 30.12.2014 aktualisiert um 12:54:03 Uhr
Goto Top
Richtig, aber ich finde den Fehler nicht. Deswegen habe ich mich nach einer schlaflosen Nacht an euch gewandt. Das ist mein erstes OpenVPN und die Lernkurve ist doch ein wenig steil, wenn man windowsverseucht ist...
orcape
orcape 30.12.2014 um 13:16:50 Uhr
Goto Top
Na ja, so ganz trivial ist die Sache ja nicht, muss ich zu Deiner Ehrenrettung zugeben..face-wink
Aqui hat hier ein sehr schönes Tutorial geschrieben....
OpenVPN Server installieren auf pfSense Firewall, Mikrotik. DD-WRT oder GL.inet Router
Zieh Dir das mal rein, vielleicht fällt Dir ja irgend etwas auf.
Sonst würde ich das ganze noch an Deiner Stelle mal mit CA, Server.crt, Server.key / Client.crt /..key testen.
Irgend ein Kopier-Fehler wird sich da wohl eingeschlichen haben.
Übrigens...
....aber jetzt hätte ich Angst, dass vielleicht die eine oder andere alte Anwendung nicht mehr funktioniert.
Kann ich nachvollziehen und würde ich wohl auch so ran gehen.
temuco
temuco 30.12.2014 um 13:38:54 Uhr
Goto Top
Habe mir das Tutorial zu Gemüte geführt und nur eins entdeckt, was ich nicht gemacht habe. Beim erstellen des Serverzertifikats ist mir im Tutorial folgende Zeile aufgefallen:

Common Name (eg, your name or your server's hostname) :ovpn-adm-de.dyndns.org

Muss hier die öffentliche Adresse bzw. der (D)DNS-Name stehen, der in der Clientkonfiguration verwendet wird?

Wenn es so wäre, dann habe ich an dieser Stelle den Fehler gemacht.

Nun muss ich alles sichern, um dann neue Zertifikate zu erstellen, die als CN meine öffentliche IP bzw. den DNS-Name enthalten. Ich hoffe, dass dies der Fehler ist.
orcape
orcape 30.12.2014 um 14:25:55 Uhr
Goto Top
Wenn es so wäre, dann habe ich an dieser Stelle den Fehler gemacht.
Das ist wohl nicht die Ursache, war nur als Beispiel genannt und hat so sicher keine Bedeutung.
Common Name (eg, your name or your server's hostname)
Der Common Name sollte frei wählbar sein, wenn mehrere Instanzen aktiv sind, kann man diese dadurch unterscheiden bzw. zuordnen.
Bei der Zertifikatserstellung spielt es keine Rolle wie der Server von Client aus erreichbar ist.
Die statische- bzw. dyndns-Adresse gehört in die Client.conf, damit der Client weiß, wo er den Server findet.
orcape
orcape 30.12.2014 um 15:45:13 Uhr
Goto Top
Die Fehlermeldung ist für mich eigentlich klar....
error=unsupported certificate
Warum versuchst Du nicht mal Zertifikate ohne pkcs12 zu erstellen.
Es ist einiges im Netz über Probleme von OpenVPN mit pkcs12 zu finden.
http://www.ip-phone-forum.de/showthread.php?t=262460
Na mal schauen ob Dir das OpenVPN-Forum weiter hilft....face-wink
temuco
temuco 30.12.2014 um 16:04:36 Uhr
Goto Top
Die Zertifikate habe ich bereits alle einzeln erstellt. Erst in einem anschließenden Schritt werden diese (ca.crt, xyz.crt und xyz.key) in einen pkcs#12-Container zusammengepackt.

Nichtsdestotrotz habe ich deinem Vorschlag befolgt und die Zertifikate einzeln eingebunden – allerdings hat sich dadurch am Fehlerbild nichts geändert. Daher gehe ich davon aus, dass es nicht am pkcs#12--Format liegt und dass dieses richtig bzw. genauso falsch wie die einzelnen Zertifikate arbeitet.

Ich glaube, ich drehe durch!

Herzlichen Dank!

temuco
temuco
temuco 30.12.2014 um 18:52:05 Uhr
Goto Top
Habe einige Beiträge im Internet gefunden, die auf den Fehler hinweisen. Allerdings fehlt mir ein wenig der Background, um eine Lösung daraus zu machen. Abgesehen davon bin ich sehr müde, nachdem ich Stunden erfolglos damit verbracht habe.

Vielleicht kann mir anhand der gefundenen Links weiterhelfen:

http://blog.schmoigl-online.de/?p=787

https://forum.linode.com/viewtopic.php?t=8099%3E

http://openvpn.net/index.php/open-source/documentation/howto.html#mitm

Ich stehe voll auf dem Schlauch.

Herzlichen Dank!

temuco
orcape
orcape 30.12.2014 aktualisiert um 19:38:32 Uhr
Goto Top
Wie ich das verstehe, liegt das Problem bei der Zertifikatserstellung mit folgendem Eintrag...
nsCertType=server
Die Zertifikate werden fälschlicherweise mit diesem Eintrag auch für die Clients verwendet.
Wirst das schon vor Jahresabschluss noch hinbekommen....face-wink
temuco
temuco 30.12.2014 um 20:00:21 Uhr
Goto Top
Hatte ich auch so verstanden. Ich habe die Zertifikate testweise neu erstellt, wobei bevor ich den Testclient gemacht hatte, den Eintrag in "openssl-1.0.0.cnf" auskommentiert habe – ein Schuss ins Blaue, denn das hat auch nicht funktioniert. Mit Sicherheit muss ich ein Bisschen mehr machen, aber mein Hirn schaltet gerade ab.

Vielleicht erbarmt sich ein OpenVPN-Experten-Guru und entlässt mich ins Neue Jahr mit einem kleinen Erfolgserlebnis.

Nochmals herzlichen Dank!

temuco
orcape
orcape 31.12.2014 um 08:36:24 Uhr
Goto Top
In Sachen Zertifikatserstellung bin ich leider auch nicht wirklich fit, gleich gar nicht mit Windows.
Das macht für mich immer die pfSense und da konnte ich mich noch nicht beschweren.
Ausser mit easy-rsa dürfte das aber auch mit weiteren Windows-Programmen machbar sein.
Ob Du das allerdings bis zur Jahreswende schaffst, steht wohl auf einem anderen Blatt.face-wink
Trotzdem Guten Rutsch !

orcape
aqui
aqui 31.12.2014 um 14:52:24 Uhr
Goto Top
Das hiesige OpenVPN Tutorial beschreibt außer Easy RSA noch andere Verfahren wie es unter Winblows gemacht werden kann.
Mittlerweise gibt es auch einen Webservice um solche Zertifikate zu erstellen:
http://www.mobilefish.com/services/ssl_certificates/ssl_certificates.ph ...
Bei sowas sollte man aber immer Vorsicht walten lassen da man solchen Anbietern nicht unbedingt vertrauen kann !
Die anderen Verfahren beschreibt das Tutorial:
OpenVPN Server installieren auf pfSense Firewall, Mikrotik. DD-WRT oder GL.inet Router
temuco
temuco 01.01.2015 um 20:11:37 Uhr
Goto Top
Zunächst ein schönes, gesundes und erfolgreiches neues Jahr!

Nach dem gestrigen Raclette mit vielleicht etwas zu viel Rotwein musste ich mich zunächst von den Strapazen erholen. Nun fühle ich mich wieder fit und daher habe ich mir das Problem nochmals angenommen.

Ich habe gegoogelt und viele ähnliche Berichte gelesen, richtig habe ich das Problem aber nicht verstanden. Zumindest weiß ich, dass ich nicht alleine damit bin. Ich erfuhr z. B. dass ab einer gewissen Version (2.1.x) von OpenVPN ein Parameter obsolet und dafür ein anders eingeführt wurde:

Anstelle von ns-cert-type server muss remote-cert-tls server in der Konfigurationsdatei des Client verwendet werden. Damit komme ich ein kleines Stück weiter, denn auf dem Client kommt erscheint im Log kein Fehler mehr:

Client-Log:
Thu Jan 01 19:37:05 2015 us=668164 Current Parameter Settings:
Thu Jan 01 19:37:05 2015 us=668164   config = 'client1.ovpn'  
Thu Jan 01 19:37:05 2015 us=668164   mode = 0
Thu Jan 01 19:37:05 2015 us=668164   show_ciphers = DISABLED
Thu Jan 01 19:37:05 2015 us=668164   show_digests = DISABLED
Thu Jan 01 19:37:05 2015 us=668164   show_engines = DISABLED
Thu Jan 01 19:37:05 2015 us=668164   genkey = DISABLED
Thu Jan 01 19:37:05 2015 us=668164   key_pass_file = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=668164   show_tls_ciphers = DISABLED
Thu Jan 01 19:37:05 2015 us=668164 Connection profiles [default]:
Thu Jan 01 19:37:05 2015 us=668164   proto = udp
Thu Jan 01 19:37:05 2015 us=668164   local = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=668164   local_port = 1194
Thu Jan 01 19:37:05 2015 us=669165   remote = 'openvpn.example.tld'  
Thu Jan 01 19:37:05 2015 us=669165   remote_port = 1194
Thu Jan 01 19:37:05 2015 us=669165   remote_float = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   bind_defined = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   bind_local = ENABLED
Thu Jan 01 19:37:05 2015 us=669165   connect_retry_seconds = 5
Thu Jan 01 19:37:05 2015 us=669165   connect_timeout = 10
Thu Jan 01 19:37:05 2015 us=669165   connect_retry_max = 0
Thu Jan 01 19:37:05 2015 us=669165   socks_proxy_server = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   socks_proxy_port = 0
Thu Jan 01 19:37:05 2015 us=669165   socks_proxy_retry = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   tun_mtu = 1500
Thu Jan 01 19:37:05 2015 us=669165   tun_mtu_defined = ENABLED
Thu Jan 01 19:37:05 2015 us=669165   link_mtu = 1500
Thu Jan 01 19:37:05 2015 us=669165   link_mtu_defined = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   tun_mtu_extra = 32
Thu Jan 01 19:37:05 2015 us=669165   tun_mtu_extra_defined = ENABLED
Thu Jan 01 19:37:05 2015 us=669165   mtu_discover_type = -1
Thu Jan 01 19:37:05 2015 us=669165   fragment = 1300
Thu Jan 01 19:37:05 2015 us=669165   mssfix = 1300
Thu Jan 01 19:37:05 2015 us=669165   explicit_exit_notification = 0
Thu Jan 01 19:37:05 2015 us=669165 Connection profiles END
Thu Jan 01 19:37:05 2015 us=669165   remote_random = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   ipchange = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   dev = 'tap0'  
Thu Jan 01 19:37:05 2015 us=669165   dev_type = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   dev_node = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   lladdr = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   topology = 1
Thu Jan 01 19:37:05 2015 us=669165   tun_ipv6 = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   ifconfig_local = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   ifconfig_remote_netmask = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   ifconfig_noexec = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   ifconfig_nowarn = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   ifconfig_ipv6_local = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   ifconfig_ipv6_netbits = 0
Thu Jan 01 19:37:05 2015 us=669165   ifconfig_ipv6_remote = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   shaper = 0
Thu Jan 01 19:37:05 2015 us=669165   mtu_test = 0
Thu Jan 01 19:37:05 2015 us=669165   mlock = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   keepalive_ping = 0
Thu Jan 01 19:37:05 2015 us=669165   keepalive_timeout = 0
Thu Jan 01 19:37:05 2015 us=669165   inactivity_timeout = 0
Thu Jan 01 19:37:05 2015 us=669165   ping_send_timeout = 0
Thu Jan 01 19:37:05 2015 us=669165   ping_rec_timeout = 0
Thu Jan 01 19:37:05 2015 us=669165   ping_rec_timeout_action = 0
Thu Jan 01 19:37:05 2015 us=669165   ping_timer_remote = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   remap_sigusr1 = 0
Thu Jan 01 19:37:05 2015 us=669165   persist_tun = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   persist_local_ip = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   persist_remote_ip = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   persist_key = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   passtos = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   resolve_retry_seconds = 1000000000
Thu Jan 01 19:37:05 2015 us=669165   username = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   groupname = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   chroot_dir = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   cd_dir = 'C:/Program Files/OpenVPN/config/'  
Thu Jan 01 19:37:05 2015 us=669165   writepid = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   up_script = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   down_script = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   down_pre = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   up_restart = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   up_delay = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   daemon = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   inetd = 0
Thu Jan 01 19:37:05 2015 us=669165   log = ENABLED
Thu Jan 01 19:37:05 2015 us=669165   suppress_timestamps = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   nice = 0
Thu Jan 01 19:37:05 2015 us=669165   verbosity = 5
Thu Jan 01 19:37:05 2015 us=669165   mute = 0
Thu Jan 01 19:37:05 2015 us=669165   status_file = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   status_file_version = 1
Thu Jan 01 19:37:05 2015 us=669165   status_file_update_freq = 60
Thu Jan 01 19:37:05 2015 us=669165   occ = ENABLED
Thu Jan 01 19:37:05 2015 us=669165   rcvbuf = 0
Thu Jan 01 19:37:05 2015 us=669165   sndbuf = 0
Thu Jan 01 19:37:05 2015 us=669165   sockflags = 0
Thu Jan 01 19:37:05 2015 us=669165   fast_io = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   lzo = 3
Thu Jan 01 19:37:05 2015 us=669165   route_script = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   route_default_gateway = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   route_default_metric = 0
Thu Jan 01 19:37:05 2015 us=669165   route_noexec = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   route_delay = 5
Thu Jan 01 19:37:05 2015 us=669165   route_delay_window = 30
Thu Jan 01 19:37:05 2015 us=669165   route_delay_defined = ENABLED
Thu Jan 01 19:37:05 2015 us=669165   route_nopull = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   route_gateway_via_dhcp = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   max_routes = 100
Thu Jan 01 19:37:05 2015 us=669165   allow_pull_fqdn = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   management_addr = '127.0.0.1'  
Thu Jan 01 19:37:05 2015 us=669165   management_port = 25340
Thu Jan 01 19:37:05 2015 us=669165   management_user_pass = 'stdin'  
Thu Jan 01 19:37:05 2015 us=669165   management_log_history_cache = 250
Thu Jan 01 19:37:05 2015 us=669165   management_echo_buffer_size = 100
Thu Jan 01 19:37:05 2015 us=669165   management_write_peer_info_file = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   management_client_user = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   management_client_group = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   management_flags = 6
Thu Jan 01 19:37:05 2015 us=669165   shared_secret_file = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   key_direction = 0
Thu Jan 01 19:37:05 2015 us=669165   ciphername_defined = ENABLED
Thu Jan 01 19:37:05 2015 us=669165   ciphername = 'BF-CBC'  
Thu Jan 01 19:37:05 2015 us=669165   authname_defined = ENABLED
Thu Jan 01 19:37:05 2015 us=669165   authname = 'SHA1'  
Thu Jan 01 19:37:05 2015 us=669165   prng_hash = 'SHA1'  
Thu Jan 01 19:37:05 2015 us=669165   prng_nonce_secret_len = 16
Thu Jan 01 19:37:05 2015 us=669165   keysize = 0
Thu Jan 01 19:37:05 2015 us=669165   engine = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   replay = ENABLED
Thu Jan 01 19:37:05 2015 us=669165   mute_replay_warnings = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   replay_window = 64
Thu Jan 01 19:37:05 2015 us=669165   replay_time = 15
Thu Jan 01 19:37:05 2015 us=669165   packet_id_file = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   use_iv = ENABLED
Thu Jan 01 19:37:05 2015 us=669165   test_crypto = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   tls_server = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   tls_client = ENABLED
Thu Jan 01 19:37:05 2015 us=669165   key_method = 2
Thu Jan 01 19:37:05 2015 us=669165   ca_file = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   ca_path = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   dh_file = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   cert_file = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   priv_key_file = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   pkcs12_file = 'certs/client1.p12'  
Thu Jan 01 19:37:05 2015 us=669165   cryptoapi_cert = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   cipher_list = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   tls_verify = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   tls_export_cert = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   verify_x509_type = 0
Thu Jan 01 19:37:05 2015 us=669165   verify_x509_name = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   crl_file = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   ns_cert_type = 0
Thu Jan 01 19:37:05 2015 us=669165   remote_cert_ku[i] = 160
Thu Jan 01 19:37:05 2015 us=669165   remote_cert_ku[i] = 136
Thu Jan 01 19:37:05 2015 us=669165   remote_cert_ku[i] = 0
Thu Jan 01 19:37:05 2015 us=669165   remote_cert_ku[i] = 0
Thu Jan 01 19:37:05 2015 us=669165   remote_cert_ku[i] = 0
Thu Jan 01 19:37:05 2015 us=669165   remote_cert_ku[i] = 0
Thu Jan 01 19:37:05 2015 us=669165   remote_cert_ku[i] = 0
Thu Jan 01 19:37:05 2015 us=669165   remote_cert_ku[i] = 0
Thu Jan 01 19:37:05 2015 us=669165   remote_cert_ku[i] = 0
Thu Jan 01 19:37:05 2015 us=669165   remote_cert_ku[i] = 0
Thu Jan 01 19:37:05 2015 us=669165   remote_cert_ku[i] = 0
Thu Jan 01 19:37:05 2015 us=669165   remote_cert_ku[i] = 0
Thu Jan 01 19:37:05 2015 us=669165   remote_cert_ku[i] = 0
Thu Jan 01 19:37:05 2015 us=669165   remote_cert_ku[i] = 0
Thu Jan 01 19:37:05 2015 us=669165   remote_cert_ku[i] = 0
Thu Jan 01 19:37:05 2015 us=669165   remote_cert_ku[i] = 0
Thu Jan 01 19:37:05 2015 us=669165   remote_cert_eku = 'TLS Web Server Authentication'  
Thu Jan 01 19:37:05 2015 us=669165   ssl_flags = 0
Thu Jan 01 19:37:05 2015 us=669165   tls_timeout = 2
Thu Jan 01 19:37:05 2015 us=669165   renegotiate_bytes = 0
Thu Jan 01 19:37:05 2015 us=669165   renegotiate_packets = 0
Thu Jan 01 19:37:05 2015 us=669165   renegotiate_seconds = 3600
Thu Jan 01 19:37:05 2015 us=669165   handshake_window = 60
Thu Jan 01 19:37:05 2015 us=669165   transition_window = 3600
Thu Jan 01 19:37:05 2015 us=669165   single_session = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   push_peer_info = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   tls_exit = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   tls_auth_file = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_private_mode = 00000000
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_private_mode = 00000000
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_private_mode = 00000000
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_private_mode = 00000000
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_private_mode = 00000000
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_private_mode = 00000000
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_private_mode = 00000000
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_private_mode = 00000000
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_private_mode = 00000000
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_private_mode = 00000000
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_private_mode = 00000000
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_private_mode = 00000000
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_private_mode = 00000000
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_private_mode = 00000000
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_private_mode = 00000000
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_private_mode = 00000000
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_cert_private = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_cert_private = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_cert_private = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_cert_private = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_cert_private = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_cert_private = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_cert_private = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_cert_private = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_cert_private = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_cert_private = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_cert_private = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_cert_private = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_cert_private = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_cert_private = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_cert_private = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_cert_private = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_pin_cache_period = -1
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_id = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=669165   pkcs11_id_management = DISABLED
Thu Jan 01 19:37:05 2015 us=669165   server_network = 0.0.0.0
Thu Jan 01 19:37:05 2015 us=669165   server_netmask = 0.0.0.0
Thu Jan 01 19:37:05 2015 us=670164   server_network_ipv6 = ::
Thu Jan 01 19:37:05 2015 us=670164   server_netbits_ipv6 = 0
Thu Jan 01 19:37:05 2015 us=670164   server_bridge_ip = 0.0.0.0
Thu Jan 01 19:37:05 2015 us=670164   server_bridge_netmask = 0.0.0.0
Thu Jan 01 19:37:05 2015 us=670164   server_bridge_pool_start = 0.0.0.0
Thu Jan 01 19:37:05 2015 us=670164   server_bridge_pool_end = 0.0.0.0
Thu Jan 01 19:37:05 2015 us=670164   ifconfig_pool_defined = DISABLED
Thu Jan 01 19:37:05 2015 us=670164   ifconfig_pool_start = 0.0.0.0
Thu Jan 01 19:37:05 2015 us=670164   ifconfig_pool_end = 0.0.0.0
Thu Jan 01 19:37:05 2015 us=670164   ifconfig_pool_netmask = 0.0.0.0
Thu Jan 01 19:37:05 2015 us=670164   ifconfig_pool_persist_filename = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=670164   ifconfig_pool_persist_refresh_freq = 600
Thu Jan 01 19:37:05 2015 us=670164   ifconfig_ipv6_pool_defined = DISABLED
Thu Jan 01 19:37:05 2015 us=670164   ifconfig_ipv6_pool_base = ::
Thu Jan 01 19:37:05 2015 us=670164   ifconfig_ipv6_pool_netbits = 0
Thu Jan 01 19:37:05 2015 us=670164   n_bcast_buf = 256
Thu Jan 01 19:37:05 2015 us=670164   tcp_queue_limit = 64
Thu Jan 01 19:37:05 2015 us=670164   real_hash_size = 256
Thu Jan 01 19:37:05 2015 us=670164   virtual_hash_size = 256
Thu Jan 01 19:37:05 2015 us=670164   client_connect_script = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=670164   learn_address_script = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=670164   client_disconnect_script = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=670164   client_config_dir = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=670164   ccd_exclusive = DISABLED
Thu Jan 01 19:37:05 2015 us=670164   tmp_dir = 'C:\Users\ADMINI~1\AppData\Local\Temp\'  
Thu Jan 01 19:37:05 2015 us=670164   push_ifconfig_defined = DISABLED
Thu Jan 01 19:37:05 2015 us=670164   push_ifconfig_local = 0.0.0.0
Thu Jan 01 19:37:05 2015 us=670164   push_ifconfig_remote_netmask = 0.0.0.0
Thu Jan 01 19:37:05 2015 us=670164   push_ifconfig_ipv6_defined = DISABLED
Thu Jan 01 19:37:05 2015 us=670164   push_ifconfig_ipv6_local = ::/0
Thu Jan 01 19:37:05 2015 us=670164   push_ifconfig_ipv6_remote = ::
Thu Jan 01 19:37:05 2015 us=670164   enable_c2c = DISABLED
Thu Jan 01 19:37:05 2015 us=670164   duplicate_cn = DISABLED
Thu Jan 01 19:37:05 2015 us=670164   cf_max = 0
Thu Jan 01 19:37:05 2015 us=670164   cf_per = 0
Thu Jan 01 19:37:05 2015 us=670164   max_clients = 1024
Thu Jan 01 19:37:05 2015 us=670164   max_routes_per_client = 256
Thu Jan 01 19:37:05 2015 us=670164   auth_user_pass_verify_script = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=670164   auth_user_pass_verify_script_via_file = DISABLED
Thu Jan 01 19:37:05 2015 us=670164   client = DISABLED
Thu Jan 01 19:37:05 2015 us=670164   pull = ENABLED
Thu Jan 01 19:37:05 2015 us=670164   auth_user_pass_file = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=670164   show_net_up = DISABLED
Thu Jan 01 19:37:05 2015 us=670164   route_method = 0
Thu Jan 01 19:37:05 2015 us=670164   ip_win32_defined = DISABLED
Thu Jan 01 19:37:05 2015 us=670164   ip_win32_type = 3
Thu Jan 01 19:37:05 2015 us=670164   dhcp_masq_offset = 0
Thu Jan 01 19:37:05 2015 us=670164   dhcp_lease_time = 31536000
Thu Jan 01 19:37:05 2015 us=670164   tap_sleep = 0
Thu Jan 01 19:37:05 2015 us=670164   dhcp_options = DISABLED
Thu Jan 01 19:37:05 2015 us=670164   dhcp_renew = DISABLED
Thu Jan 01 19:37:05 2015 us=670164   dhcp_pre_release = DISABLED
Thu Jan 01 19:37:05 2015 us=670164   dhcp_release = DISABLED
Thu Jan 01 19:37:05 2015 us=670164   domain = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=670164   netbios_scope = '[UNDEF]'  
Thu Jan 01 19:37:05 2015 us=670164   netbios_node_type = 0
Thu Jan 01 19:37:05 2015 us=670164   disable_nbt = DISABLED
Thu Jan 01 19:37:05 2015 us=670164 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  7 2014
Thu Jan 01 19:37:05 2015 us=670164 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05
Enter Management Password:
Thu Jan 01 19:37:05 2015 us=670164 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Jan 01 19:37:05 2015 us=670164 Need hold release from management interface, waiting...
Thu Jan 01 19:37:06 2015 us=165636 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Jan 01 19:37:06 2015 us=266643 MANAGEMENT: CMD 'state on'  
Thu Jan 01 19:37:06 2015 us=266643 MANAGEMENT: CMD 'log all on'  
Thu Jan 01 19:37:06 2015 us=330621 MANAGEMENT: CMD 'hold off'  
Thu Jan 01 19:37:06 2015 us=330621 MANAGEMENT: CMD 'hold release'  
Thu Jan 01 19:37:13 2015 us=665034 MANAGEMENT: CMD 'password [...]'  
Thu Jan 01 19:37:13 2015 us=665034 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jan 01 19:37:13 2015 us=666986 LZO compression initialized
Thu Jan 01 19:37:13 2015 us=666986 Control Channel MTU parms [ L:1578 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jan 01 19:37:13 2015 us=666986 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Jan 01 19:37:13 2015 us=667986 MANAGEMENT: >STATE:1420137433,RESOLVE,,,
Thu Jan 01 19:37:13 2015 us=668986 Data Channel MTU parms [ L:1578 D:1300 EF:46 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Jan 01 19:37:13 2015 us=668986 Fragmentation MTU parms [ L:1578 D:1300 EF:45 EB:135 ET:33 EL:0 AF:3/1 ]
Thu Jan 01 19:37:13 2015 us=668986 Local Options String: 'V4,dev-type tap,link-mtu 1578,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'  
Thu Jan 01 19:37:13 2015 us=668986 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1578,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'  
Thu Jan 01 19:37:13 2015 us=668986 Local Options hash (VER=V4): '9a22532e'  
Thu Jan 01 19:37:13 2015 us=668986 Expected Remote Options hash (VER=V4): 'e2a912d8'  
Thu Jan 01 19:37:13 2015 us=668986 UDPv4 link local (bound): [undef]
Thu Jan 01 19:37:13 2015 us=668986 UDPv4 link remote: [AF_INET]aaa.bbb.ccc.ddd:1194
Thu Jan 01 19:37:13 2015 us=668986 MANAGEMENT: >STATE:1420137433,WAIT,,,
Thu Jan 01 19:37:13 2015 us=708257 MANAGEMENT: >STATE:1420137433,AUTH,,,
Thu Jan 01 19:37:13 2015 us=708257 TLS: Initial packet from [AF_INET]aaa.bbb.ccc.ddd:1194, sid=366f82b9 77b9a014
Thu Jan 01 19:37:13 2015 us=993432 VERIFY OK: depth=1, C=DE, ST=BUNDESLAND, L="STADT", O="FIRMA", OU=OPENVPN-ROOT-CA, CN=openvpn.example.tld, name=openvpn.example.tld, emailAddress=info@example.tld  
Thu Jan 01 19:37:13 2015 us=993432 Validating certificate key usage
Thu Jan 01 19:37:13 2015 us=993432 ++ Certificate has key usage  00a0, expects 00a0
Thu Jan 01 19:37:13 2015 us=993432 VERIFY KU OK
Thu Jan 01 19:37:13 2015 us=993432 Validating certificate extended key usage
Thu Jan 01 19:37:13 2015 us=993432 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Jan 01 19:37:13 2015 us=993432 VERIFY EKU OK
Thu Jan 01 19:37:13 2015 us=993432 VERIFY OK: depth=0, C=DE, ST=BUNDESLAND, L="STADT", O="FIRMA", OU=Netzwerk, CN=OPENVPN, name=OPENVPN, emailAddress=info@example.tld  
Thu Jan 01 19:37:37 2015 us=816890 TCP/UDP: Closing socket
Thu Jan 01 19:37:37 2015 us=816890 SIGTERM[hard,] received, process exiting
Thu Jan 01 19:37:37 2015 us=816890 MANAGEMENT: >STATE:1420137457,EXITING,SIGTERM,,
WRWWWWRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWWWWWWWWWWWWW

Server-Log:
Thu Jan 01 19:36:46 2015 us=265008 Current Parameter Settings:
Thu Jan 01 19:36:46 2015 us=265008   config = 'openvpnsserver.ovpn'  
Thu Jan 01 19:36:46 2015 us=265008   mode = 1
Thu Jan 01 19:36:46 2015 us=265008   show_ciphers = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   show_digests = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   show_engines = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   genkey = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   key_pass_file = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   show_tls_ciphers = DISABLED
Thu Jan 01 19:36:46 2015 us=265008 Connection profiles [default]:
Thu Jan 01 19:36:46 2015 us=265008   proto = udp
Thu Jan 01 19:36:46 2015 us=265008   local = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   local_port = 1194
Thu Jan 01 19:36:46 2015 us=265008   remote = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   remote_port = 1194
Thu Jan 01 19:36:46 2015 us=265008   remote_float = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   bind_defined = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   bind_local = ENABLED
Thu Jan 01 19:36:46 2015 us=265008   connect_retry_seconds = 5
Thu Jan 01 19:36:46 2015 us=265008   connect_timeout = 10
Thu Jan 01 19:36:46 2015 us=265008   connect_retry_max = 0
Thu Jan 01 19:36:46 2015 us=265008   socks_proxy_server = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   socks_proxy_port = 0
Thu Jan 01 19:36:46 2015 us=265008   socks_proxy_retry = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   tun_mtu = 1500
Thu Jan 01 19:36:46 2015 us=265008   tun_mtu_defined = ENABLED
Thu Jan 01 19:36:46 2015 us=265008   link_mtu = 1500
Thu Jan 01 19:36:46 2015 us=265008   link_mtu_defined = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   tun_mtu_extra = 32
Thu Jan 01 19:36:46 2015 us=265008   tun_mtu_extra_defined = ENABLED
Thu Jan 01 19:36:46 2015 us=265008   mtu_discover_type = -1
Thu Jan 01 19:36:46 2015 us=265008   fragment = 1300
Thu Jan 01 19:36:46 2015 us=265008   mssfix = 1300
Thu Jan 01 19:36:46 2015 us=265008   explicit_exit_notification = 0
Thu Jan 01 19:36:46 2015 us=265008 Connection profiles END
Thu Jan 01 19:36:46 2015 us=265008   remote_random = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   ipchange = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   dev = 'tap0'  
Thu Jan 01 19:36:46 2015 us=265008   dev_type = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   dev_node = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   lladdr = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   topology = 1
Thu Jan 01 19:36:46 2015 us=265008   tun_ipv6 = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   ifconfig_local = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   ifconfig_remote_netmask = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   ifconfig_noexec = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   ifconfig_nowarn = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   ifconfig_ipv6_local = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   ifconfig_ipv6_netbits = 0
Thu Jan 01 19:36:46 2015 us=265008   ifconfig_ipv6_remote = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   shaper = 0
Thu Jan 01 19:36:46 2015 us=265008   mtu_test = 0
Thu Jan 01 19:36:46 2015 us=265008   mlock = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   keepalive_ping = 10
Thu Jan 01 19:36:46 2015 us=265008   keepalive_timeout = 120
Thu Jan 01 19:36:46 2015 us=265008   inactivity_timeout = 0
Thu Jan 01 19:36:46 2015 us=265008   ping_send_timeout = 10
Thu Jan 01 19:36:46 2015 us=265008   ping_rec_timeout = 240
Thu Jan 01 19:36:46 2015 us=265008   ping_rec_timeout_action = 2
Thu Jan 01 19:36:46 2015 us=265008   ping_timer_remote = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   remap_sigusr1 = 0
Thu Jan 01 19:36:46 2015 us=265008   persist_tun = ENABLED
Thu Jan 01 19:36:46 2015 us=265008   persist_local_ip = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   persist_remote_ip = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   persist_key = ENABLED
Thu Jan 01 19:36:46 2015 us=265008   passtos = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   resolve_retry_seconds = 1000000000
Thu Jan 01 19:36:46 2015 us=265008   username = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   groupname = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   chroot_dir = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   cd_dir = 'C:/Program Files/OpenVPN/config/'  
Thu Jan 01 19:36:46 2015 us=265008   writepid = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   up_script = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   down_script = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   down_pre = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   up_restart = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   up_delay = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   daemon = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   inetd = 0
Thu Jan 01 19:36:46 2015 us=265008   log = ENABLED
Thu Jan 01 19:36:46 2015 us=265008   suppress_timestamps = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   nice = 0
Thu Jan 01 19:36:46 2015 us=265008   verbosity = 5
Thu Jan 01 19:36:46 2015 us=265008   mute = 0
Thu Jan 01 19:36:46 2015 us=265008   status_file = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   status_file_version = 1
Thu Jan 01 19:36:46 2015 us=265008   status_file_update_freq = 60
Thu Jan 01 19:36:46 2015 us=265008   occ = ENABLED
Thu Jan 01 19:36:46 2015 us=265008   rcvbuf = 0
Thu Jan 01 19:36:46 2015 us=265008   sndbuf = 0
Thu Jan 01 19:36:46 2015 us=265008   sockflags = 0
Thu Jan 01 19:36:46 2015 us=265008   fast_io = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   lzo = 3
Thu Jan 01 19:36:46 2015 us=265008   route_script = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   route_default_gateway = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   route_default_metric = 0
Thu Jan 01 19:36:46 2015 us=265008   route_noexec = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   route_delay = 0
Thu Jan 01 19:36:46 2015 us=265008   route_delay_window = 30
Thu Jan 01 19:36:46 2015 us=265008   route_delay_defined = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   route_nopull = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   route_gateway_via_dhcp = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   max_routes = 100
Thu Jan 01 19:36:46 2015 us=265008   allow_pull_fqdn = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   management_addr = '127.0.0.1'  
Thu Jan 01 19:36:46 2015 us=265008   management_port = 25340
Thu Jan 01 19:36:46 2015 us=265008   management_user_pass = 'stdin'  
Thu Jan 01 19:36:46 2015 us=265008   management_log_history_cache = 250
Thu Jan 01 19:36:46 2015 us=265008   management_echo_buffer_size = 100
Thu Jan 01 19:36:46 2015 us=265008   management_write_peer_info_file = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   management_client_user = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   management_client_group = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   management_flags = 6
Thu Jan 01 19:36:46 2015 us=265008   shared_secret_file = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   key_direction = 0
Thu Jan 01 19:36:46 2015 us=265008   ciphername_defined = ENABLED
Thu Jan 01 19:36:46 2015 us=265008   ciphername = 'BF-CBC'  
Thu Jan 01 19:36:46 2015 us=265008   authname_defined = ENABLED
Thu Jan 01 19:36:46 2015 us=265008   authname = 'SHA1'  
Thu Jan 01 19:36:46 2015 us=265008   prng_hash = 'SHA1'  
Thu Jan 01 19:36:46 2015 us=265008   prng_nonce_secret_len = 16
Thu Jan 01 19:36:46 2015 us=265008   keysize = 0
Thu Jan 01 19:36:46 2015 us=265008   engine = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   replay = ENABLED
Thu Jan 01 19:36:46 2015 us=265008   mute_replay_warnings = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   replay_window = 64
Thu Jan 01 19:36:46 2015 us=265008   replay_time = 15
Thu Jan 01 19:36:46 2015 us=265008   packet_id_file = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   use_iv = ENABLED
Thu Jan 01 19:36:46 2015 us=265008   test_crypto = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   tls_server = ENABLED
Thu Jan 01 19:36:46 2015 us=265008   tls_client = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   key_method = 2
Thu Jan 01 19:36:46 2015 us=265008   ca_file = 'certs/ca.crt'  
Thu Jan 01 19:36:46 2015 us=265008   ca_path = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   dh_file = 'dh2048.pem'  
Thu Jan 01 19:36:46 2015 us=265008   cert_file = 'certs/openvpnserver.crt'  
Thu Jan 01 19:36:46 2015 us=265008   priv_key_file = 'private/openvpnserver.key'  
Thu Jan 01 19:36:46 2015 us=265008   pkcs12_file = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   cryptoapi_cert = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   cipher_list = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   tls_verify = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   tls_export_cert = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   verify_x509_type = 0
Thu Jan 01 19:36:46 2015 us=265008   verify_x509_name = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   crl_file = 'crls/crl.pem'  
Thu Jan 01 19:36:46 2015 us=265008   ns_cert_type = 0
Thu Jan 01 19:36:46 2015 us=265008   remote_cert_ku[i] = 0
Thu Jan 01 19:36:46 2015 us=265008   remote_cert_ku[i] = 0
Thu Jan 01 19:36:46 2015 us=265008   remote_cert_ku[i] = 0
Thu Jan 01 19:36:46 2015 us=265008   remote_cert_ku[i] = 0
Thu Jan 01 19:36:46 2015 us=265008   remote_cert_ku[i] = 0
Thu Jan 01 19:36:46 2015 us=265008   remote_cert_ku[i] = 0
Thu Jan 01 19:36:46 2015 us=265008   remote_cert_ku[i] = 0
Thu Jan 01 19:36:46 2015 us=265008   remote_cert_ku[i] = 0
Thu Jan 01 19:36:46 2015 us=265008   remote_cert_ku[i] = 0
Thu Jan 01 19:36:46 2015 us=265008   remote_cert_ku[i] = 0
Thu Jan 01 19:36:46 2015 us=265008   remote_cert_ku[i] = 0
Thu Jan 01 19:36:46 2015 us=265008   remote_cert_ku[i] = 0
Thu Jan 01 19:36:46 2015 us=265008   remote_cert_ku[i] = 0
Thu Jan 01 19:36:46 2015 us=265008   remote_cert_ku[i] = 0
Thu Jan 01 19:36:46 2015 us=265008   remote_cert_ku[i] = 0
Thu Jan 01 19:36:46 2015 us=265008   remote_cert_ku[i] = 0
Thu Jan 01 19:36:46 2015 us=265008   remote_cert_eku = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   ssl_flags = 0
Thu Jan 01 19:36:46 2015 us=265008   tls_timeout = 2
Thu Jan 01 19:36:46 2015 us=265008   renegotiate_bytes = 0
Thu Jan 01 19:36:46 2015 us=265008   renegotiate_packets = 0
Thu Jan 01 19:36:46 2015 us=265008   renegotiate_seconds = 3600
Thu Jan 01 19:36:46 2015 us=265008   handshake_window = 60
Thu Jan 01 19:36:46 2015 us=265008   transition_window = 3600
Thu Jan 01 19:36:46 2015 us=265008   single_session = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   push_peer_info = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   tls_exit = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   tls_auth_file = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_protected_authentication = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_private_mode = 00000000
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_private_mode = 00000000
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_private_mode = 00000000
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_private_mode = 00000000
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_private_mode = 00000000
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_private_mode = 00000000
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_private_mode = 00000000
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_private_mode = 00000000
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_private_mode = 00000000
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_private_mode = 00000000
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_private_mode = 00000000
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_private_mode = 00000000
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_private_mode = 00000000
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_private_mode = 00000000
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_private_mode = 00000000
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_private_mode = 00000000
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_cert_private = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_cert_private = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_cert_private = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_cert_private = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_cert_private = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_cert_private = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_cert_private = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_cert_private = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_cert_private = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_cert_private = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_cert_private = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_cert_private = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_cert_private = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_cert_private = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_cert_private = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_cert_private = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_pin_cache_period = -1
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_id = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   pkcs11_id_management = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   server_network = 0.0.0.0
Thu Jan 01 19:36:46 2015 us=265008   server_netmask = 0.0.0.0
Thu Jan 01 19:36:46 2015 us=265008   server_network_ipv6 = ::
Thu Jan 01 19:36:46 2015 us=265008   server_netbits_ipv6 = 0
Thu Jan 01 19:36:46 2015 us=265008   server_bridge_ip = 192.168.70.205
Thu Jan 01 19:36:46 2015 us=265008   server_bridge_netmask = 255.255.255.0
Thu Jan 01 19:36:46 2015 us=265008   server_bridge_pool_start = 192.168.70.180
Thu Jan 01 19:36:46 2015 us=265008   server_bridge_pool_end = 192.168.70.199
Thu Jan 01 19:36:46 2015 us=265008   push_entry = 'route 192.168.70.0 255.255.255.0'  
Thu Jan 01 19:36:46 2015 us=265008   push_entry = 'redirect-gateway def1 local'  
Thu Jan 01 19:36:46 2015 us=265008   push_entry = 'route-gateway 192.168.70.205'  
Thu Jan 01 19:36:46 2015 us=265008   push_entry = 'ping 10'  
Thu Jan 01 19:36:46 2015 us=265008   push_entry = 'ping-restart 120'  
Thu Jan 01 19:36:46 2015 us=265008   ifconfig_pool_defined = ENABLED
Thu Jan 01 19:36:46 2015 us=265008   ifconfig_pool_start = 192.168.70.180
Thu Jan 01 19:36:46 2015 us=265008   ifconfig_pool_end = 192.168.70.199
Thu Jan 01 19:36:46 2015 us=265008   ifconfig_pool_netmask = 255.255.255.0
Thu Jan 01 19:36:46 2015 us=265008   ifconfig_pool_persist_filename = 'ipp.txt'  
Thu Jan 01 19:36:46 2015 us=265008   ifconfig_pool_persist_refresh_freq = 600
Thu Jan 01 19:36:46 2015 us=265008   ifconfig_ipv6_pool_defined = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   ifconfig_ipv6_pool_base = ::
Thu Jan 01 19:36:46 2015 us=265008   ifconfig_ipv6_pool_netbits = 0
Thu Jan 01 19:36:46 2015 us=265008   n_bcast_buf = 256
Thu Jan 01 19:36:46 2015 us=265008   tcp_queue_limit = 64
Thu Jan 01 19:36:46 2015 us=265008   real_hash_size = 256
Thu Jan 01 19:36:46 2015 us=265008   virtual_hash_size = 256
Thu Jan 01 19:36:46 2015 us=265008   client_connect_script = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   learn_address_script = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   client_disconnect_script = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   client_config_dir = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   ccd_exclusive = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   tmp_dir = 'C:\Users\ADMINI~1\AppData\Local\Temp\'  
Thu Jan 01 19:36:46 2015 us=265008   push_ifconfig_defined = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   push_ifconfig_local = 0.0.0.0
Thu Jan 01 19:36:46 2015 us=265008   push_ifconfig_remote_netmask = 0.0.0.0
Thu Jan 01 19:36:46 2015 us=265008   push_ifconfig_ipv6_defined = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   push_ifconfig_ipv6_local = ::/0
Thu Jan 01 19:36:46 2015 us=265008   push_ifconfig_ipv6_remote = ::
Thu Jan 01 19:36:46 2015 us=265008   enable_c2c = ENABLED
Thu Jan 01 19:36:46 2015 us=265008   duplicate_cn = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   cf_max = 1
Thu Jan 01 19:36:46 2015 us=265008   cf_per = 0
Thu Jan 01 19:36:46 2015 us=265008   max_clients = 1024
Thu Jan 01 19:36:46 2015 us=265008   max_routes_per_client = 256
Thu Jan 01 19:36:46 2015 us=265008   auth_user_pass_verify_script = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   auth_user_pass_verify_script_via_file = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   client = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   pull = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   auth_user_pass_file = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   show_net_up = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   route_method = 0
Thu Jan 01 19:36:46 2015 us=265008   ip_win32_defined = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   ip_win32_type = 3
Thu Jan 01 19:36:46 2015 us=265008   dhcp_masq_offset = 0
Thu Jan 01 19:36:46 2015 us=265008   dhcp_lease_time = 31536000
Thu Jan 01 19:36:46 2015 us=265008   tap_sleep = 10
Thu Jan 01 19:36:46 2015 us=265008   dhcp_options = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   dhcp_renew = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   dhcp_pre_release = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   dhcp_release = DISABLED
Thu Jan 01 19:36:46 2015 us=265008   domain = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   netbios_scope = '[UNDEF]'  
Thu Jan 01 19:36:46 2015 us=265008   netbios_node_type = 0
Thu Jan 01 19:36:46 2015 us=265008   disable_nbt = DISABLED
Thu Jan 01 19:36:46 2015 us=265008 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  7 2014
Thu Jan 01 19:36:46 2015 us=265008 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05
Enter Management Password:
Thu Jan 01 19:36:46 2015 us=265008 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Jan 01 19:36:46 2015 us=265008 Need hold release from management interface, waiting...
Thu Jan 01 19:36:46 2015 us=718156 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Jan 01 19:36:46 2015 us=827534 MANAGEMENT: CMD 'state on'  
Thu Jan 01 19:36:46 2015 us=827534 MANAGEMENT: CMD 'log all on'  
Thu Jan 01 19:36:47 2015 us=108771 MANAGEMENT: CMD 'hold off'  
Thu Jan 01 19:36:47 2015 us=108771 MANAGEMENT: CMD 'hold release'  
Thu Jan 01 19:36:47 2015 us=108771 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Thu Jan 01 19:36:47 2015 us=311898 Diffie-Hellman initialized with 2048 bit key
Thu Jan 01 19:36:47 2015 us=311898 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jan 01 19:36:47 2015 us=311898 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Jan 01 19:36:47 2015 us=311898 open_tun, tt->ipv6=0
Thu Jan 01 19:36:47 2015 us=327525 TAP-WIN32 device [OpenVPN-Netzwerkadapter (TAP)] opened: \\.\Global\{B74C9838-2755-4FB1-850D-2DA4C461EF2B}.tap
Thu Jan 01 19:36:47 2015 us=327525 TAP-Windows Driver Version 9.21 
Thu Jan 01 19:36:47 2015 us=327525 TAP-Windows MTU=1500
Thu Jan 01 19:36:47 2015 us=327525 Sleeping for 10 seconds...
Thu Jan 01 19:36:57 2015 us=399841 NOTE: FlushIpNetTable failed on interface [9] {B74C9838-2755-4FB1-850D-2DA4C461EF2B} (status=1168) : Element nicht gefunden.  
Thu Jan 01 19:36:57 2015 us=399841 Data Channel MTU parms [ L:1574 D:1300 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Jan 01 19:36:57 2015 us=399841 UDPv4 link local (bound): [undef]
Thu Jan 01 19:36:57 2015 us=399841 UDPv4 link remote: [undef]
Thu Jan 01 19:36:57 2015 us=399841 MULTI: multi_init called, r=256 v=256
Thu Jan 01 19:36:57 2015 us=399841 IFCONFIG POOL: base=192.168.70.180 size=20, ipv6=0
Thu Jan 01 19:36:57 2015 us=399841 IFCONFIG POOL LIST
Thu Jan 01 19:36:57 2015 us=399841 Initialization Sequence Completed
Thu Jan 01 19:36:57 2015 us=399841 MANAGEMENT: >STATE:1420137417,CONNECTED,SUCCESS,,
Thu Jan 01 19:37:13 2015 us=668401 MULTI: multi_create_instance called
Thu Jan 01 19:37:13 2015 us=668401 www.xxx.yyy.zzz:1194 Re-using SSL/TLS context
Thu Jan 01 19:37:13 2015 us=668401 www.xxx.yyy.zzz:1194 LZO compression initialized
Thu Jan 01 19:37:13 2015 us=668401 www.xxx.yyy.zzz:1194 Control Channel MTU parms [ L:1578 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jan 01 19:37:13 2015 us=668401 www.xxx.yyy.zzz:1194 Data Channel MTU parms [ L:1578 D:1300 EF:46 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Jan 01 19:37:13 2015 us=668401 www.xxx.yyy.zzz:1194 Fragmentation MTU parms [ L:1578 D:1300 EF:45 EB:135 ET:33 EL:0 AF:3/1 ]
Thu Jan 01 19:37:13 2015 us=668401 www.xxx.yyy.zzz:1194 Local Options String: 'V4,dev-type tap,link-mtu 1578,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'  
Thu Jan 01 19:37:13 2015 us=668401 www.xxx.yyy.zzz:1194 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1578,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'  
Thu Jan 01 19:37:13 2015 us=668401 www.xxx.yyy.zzz:1194 Local Options hash (VER=V4): 'e2a912d8'  
Thu Jan 01 19:37:13 2015 us=668401 www.xxx.yyy.zzz:1194 Expected Remote Options hash (VER=V4): '9a22532e'  
Thu Jan 01 19:37:13 2015 us=668401 www.xxx.yyy.zzz:1194 TLS: Initial packet from [AF_INET]www.xxx.yyy.zzz:1194, sid=82f936eb 4d2ddec3
Thu Jan 01 19:37:14 2015 us=303934 www.xxx.yyy.zzz:1194 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=DE, ST=BUNDESLAND, L="STADT", O="FIRMA", OU=GF, CN=client1, name=client1, emailAddress=client1@example.tld  
Thu Jan 01 19:37:14 2015 us=303934 www.xxx.yyy.zzz:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Thu Jan 01 19:37:14 2015 us=303934 www.xxx.yyy.zzz:1194 TLS Error: TLS object -> incoming plaintext read error
Thu Jan 01 19:37:14 2015 us=303934 www.xxx.yyy.zzz:1194 TLS Error: TLS handshake failed
Thu Jan 01 19:37:14 2015 us=303934 www.xxx.yyy.zzz:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Jan 01 19:37:49 2015 us=280427 TCP/UDP: Closing socket
Thu Jan 01 19:37:49 2015 us=280427 Closing TUN/TAP interface
Thu Jan 01 19:37:49 2015 us=280427 SIGTERM[hard,] received, process exiting
Thu Jan 01 19:37:49 2015 us=280427 MANAGEMENT: >STATE:1420137469,EXITING,SIGTERM,,
RWRRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWR

Aus dem Serverlog:

Thu Jan 01 19:37:13 2015 us=668401 MULTI: multi_create_instance called
Thu Jan 01 19:37:13 2015 us=668401 www.xxx.yyy.zzz:1194 Re-using SSL/TLS context
Thu Jan 01 19:37:13 2015 us=668401 www.xxx.yyy.zzz:1194 LZO compression initialized
Thu Jan 01 19:37:13 2015 us=668401 www.xxx.yyy.zzz:1194 Control Channel MTU parms [ L:1578 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jan 01 19:37:13 2015 us=668401 www.xxx.yyy.zzz:1194 Data Channel MTU parms [ L:1578 D:1300 EF:46 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Jan 01 19:37:13 2015 us=668401 www.xxx.yyy.zzz:1194 Fragmentation MTU parms [ L:1578 D:1300 EF:45 EB:135 ET:33 EL:0 AF:3/1 ]
Thu Jan 01 19:37:13 2015 us=668401 www.xxx.yyy.zzz:1194 Local Options String: 'V4,dev-type tap,link-mtu 1578,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'  
Thu Jan 01 19:37:13 2015 us=668401 www.xxx.yyy.zzz:1194 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1578,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'  
Thu Jan 01 19:37:13 2015 us=668401 www.xxx.yyy.zzz:1194 Local Options hash (VER=V4): 'e2a912d8'  
Thu Jan 01 19:37:13 2015 us=668401 www.xxx.yyy.zzz:1194 Expected Remote Options hash (VER=V4): '9a22532e'  
Thu Jan 01 19:37:13 2015 us=668401 www.xxx.yyy.zzz:1194 TLS: Initial packet from [AF_INET]www.xxx.yyy.zzz:1194, sid=82f936eb 4d2ddec3
Thu Jan 01 19:37:14 2015 us=303934 www.xxx.yyy.zzz:1194 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=DE, ST=BUNDESLAND, L="STADT", O="FIRMA", OU=GF, CN=client1, name=client1, emailAddress=client1@example.tld  
Thu Jan 01 19:37:14 2015 us=303934 www.xxx.yyy.zzz:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Thu Jan 01 19:37:14 2015 us=303934 www.xxx.yyy.zzz:1194 TLS Error: TLS object -> incoming plaintext read error
Thu Jan 01 19:37:14 2015 us=303934 www.xxx.yyy.zzz:1194 TLS Error: TLS handshake failed
Thu Jan 01 19:37:14 2015 us=303934 www.xxx.yyy.zzz:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Jan 01 19:37:49 2015 us=280427 TCP/UDP: Closing socket
Thu Jan 01 19:37:49 2015 us=280427 Closing TUN/TAP interface
Thu Jan 01 19:37:49 2015 us=280427 SIGTERM[hard,] received, process exiting
Thu Jan 01 19:37:49 2015 us=280427 MANAGEMENT: >STATE:1420137469,EXITING,SIGTERM,,

Man sieht in den letzten 20 Zeilen den Fehler, mit dem ich aber wirklich nichts anzufangen weiß. Es gibt viele Beiträge im Internet, die sich damit befassen, ich finde aber keine Linie und damit keine Lösung. Daher würde es mich riesig freuen, wenn ein Experte mir hier weiterhilft.

Im Voraus herzlichen Dank und ein erfolgreiches Jahr 2015!

temuco
orcape
orcape 02.01.2015 um 09:54:01 Uhr
Goto Top
Zunächst ein schönes, gesundes und erfolgreiches neues Jahr!
Das wünsche ich Dir auch!
...und das Du irgendwann die Lösung bei Deinen Zertifikaten findest, denn diese bzw. die Übertragung in die Config-Dateien sind Dein Problem, Du bist weiter auf dem "Holzweg"..face-wink
Nach wie vor hast Du nur "kosmetische Operationen" durchgeführt, die definitiv nicht zum Ziel führen.
Thu Jan 01 19:37:14 2015 us=303934 www.xxx.yyy.zzz:1194 TLS Error: TLS handshake failed
..ist eindeutig und...
Anstelle von ns-cert-type server muss remote-cert-tls server in der Konfigurationsdatei des Client verwendet werden.
...ist ebenfalls nicht zutreffend.
Hier mal die funktionierende OpenVPN.conf eines Laptops (Debian, die Plattform spielt aber keine Rolle)....
client
dev tun
proto udp
remote xxxx.yyyyy.org 1196
resolv-retry infinite
nobind
persist-key
persist-tun
tun-mtu 1500
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
ns-cert-type server
comp-lzo
verb 3
Die o.g. OpenVPN-Client.conf ist OpenVPN 2.3.4 x86_64 und funktioniert bestens mit ns-cert-type server.
Gruß orcape
temuco
temuco 02.01.2015 um 12:25:26 Uhr
Goto Top
Ich habe die Lösung gefunden. Da der Client das Zertifikat des Servers akzeptiert, nicht jedoch der Server das des Client, habe ich mir letzteres genau angeschaut. Dabei ist mir aufgefallen, dass dieses als Serverzertifikat ausgewiesen wird. Daher habe ich mir die "openssl-1.0.0.cnf" genau angeschaut und folgendes unter "[ usr_cert ]" entdeckt:
[ usr_cert ]

[...]

# This is OK for an SSL server.
nsCertType = server

# For normal client use this is typical
# nsCertType = client, email

[...]
Nun habe ich die Zeilen mit "Server" auskommentiert und die mit "client, email" aktiviert:
[ usr_cert ]

[...]

# This is OK for an SSL server.
# nsCertType = server

# For normal client use this is typical
nsCertType = client, email

[...]
Anschließend ein neues Clientzertifikat erstellt und eingebunden: Es funktioniert.

Nun kann ich mich jetzt mit der weiteren Konfiguration beschäftigen, wobei ich mit den Routen und dem Standardgateway noch Probleme habe. Aber jetzt habe ich zumindest eine stabile Verbindung unf kann den Rest angehen.

Falls ich weitere Fragen habe sollte – was sicher der Fall sein wird –, werde ich einen neuen Thread erstellen. Diesen markiere ich als gelöst.

Vielen herzlichen Dank für die Hilfe!

temuco
orcape
orcape 02.01.2015 um 12:44:18 Uhr
Goto Top
Vielen herzlichen Dank für die Hilfe!
Gerne doch...face-wink

orcape
aqui
aqui 02.01.2015 um 13:02:27 Uhr
Goto Top
wobei ich mit den Routen und dem Standardgateway noch Probleme habe.
Tips dazu findest du hier:
OpenVPN Server installieren auf pfSense Firewall, Mikrotik. DD-WRT oder GL.inet Router
Grundlagen auch hier:
Routing von 2 und mehr IP Netzen mit Windows, Linux und Router