TLS Error while configuring OpenVPN server

Ralphshep

I'm trying to use OpenVPN to connect two TrueNAS servers together and configure one as the offsite backup. So, I was able to create the necessary CAs and certificates and configure the OpenVPN Server service parameters on my main server (truenas.local). Then, I was able to download the .ovpn file, load it into OpenVPN Connect on my PC and remotely access my main TrueNAS server. So, I think the server configuration should be correct.

.ovpn File:
client
dev tun
proto udp4
port 1194
remote "openvpn.mydomain.com"
user nobody
group nobody
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

</ca>
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

</cert>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----

</key>
verb 3
remote-cert-tls server
auth SHA1
cipher AES-256-CBC
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
3991c23449a0b7da8c09499038b46075

-----END OpenVPN Static key V1-----
</tls-crypt>

Now, I want to enable the OpenVPN Client service on my offsite TrueNAS server (truenas-backup.local). So, I followed these directions [https://www.truenas.com/community/resources/truenas-and-openvpn-client-configuration.158/] which were helpful in setting up the CAs, certificates, and other parameters. However, I still can't get it to work. I keep getting these TLS errors and that the CN could not be verified.

truenas-backup.local Console report:
Jul 2 15:49:42 truenas-backup 1 2022-07-02T15:49:42.000380-07:00 truenas-backup.local openvpn_client 2161 - - VERIFY ERROR: could not extract CN from X509 subject string ('C=US, ST=NC, L=WS, O=myname, emailAddress=myemail@email.com') -- note that the username length is limited to 64 characters
Jul 2 15:49:42 truenas-backup 1 2022-07-02T15:49:42.000404-07:00 truenas-backup.local openvpn_client 2161 - - OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Jul 2 15:49:42 truenas-backup 1 2022-07-02T15:49:42.000408-07:00 truenas-backup.local openvpn_client 2161 - - TLS_ERROR: BIO read tls_read_plaintext error
Jul 2 15:49:42 truenas-backup 1 2022-07-02T15:49:42.000412-07:00 truenas-backup.local openvpn_client 2161 - - TLS Error: TLS object -> incoming plaintext read error
Jul 2 15:49:42 truenas-backup 1 2022-07-02T15:49:42.000415-07:00 truenas-backup.local openvpn_client 2161 - - TLS Error: TLS handshake failed
Jul 2 15:49:42 truenas-backup 1 2022-07-02T15:49:42.000461-07:00 truenas-backup.local openvpn_client 2161 - - SIGUSR1[soft,tls-error] received, process restarting
Jul 2 15:49:42 truenas-backup 1 2022-07-02T15:49:42.000476-07:00 truenas-backup.local openvpn_client 2161 - - Restart pause, 160 second(s)

I have yet to find a straightforward answer on why you can't just import the .ovpn file especially when it was generated on another TrueNAS server.

Anyways, how do I fix these TLS and CN errors?

Thanks
 

SuperWhisk

Jul 2 15:49:42 truenas-backup 1 2022-07-02T15:49:42.000380-07:00 truenas-backup.local openvpn_client 2161 - - VERIFY ERROR: could not extract CN from X509 subject string ('C=US, ST=NC, L=WS, O=myname, emailAddress=myemail@email.com') -- note that the username length is limited to 64 characters
That X509 subject string does indeed lack a common name (CN) field. Check your certificates. They all need to have a common name, and the CN for the server's certificate needs to match the domain name you will be accessing it from, which would be openvpn.mydomain.com in your config above.
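
Added example, not part of either post: a small Python triage helper that reads OpenVPN client log lines like the one quoted above and reports whether the wanted field is absent from the certificate subject or longer than the 64 characters the message mentions. The function names and the second sample line are constructed for illustration.

```python
import re

# OpenVPN's verify failure: captures the field it wanted and the subject it saw.
VERIFY_RE = re.compile(
    r"VERIFY ERROR: could not extract (?P<field>\S+) from X509 subject string "
    r"\('(?P<subject>.*?)'\)"
)
MAX_LEN = 64  # limit quoted in the log message itself

def parse_subject(subject):
    """Split 'C=US, ST=NC, CN=host' into ordered (attribute, value) pairs."""
    pairs = []
    # Split only on commas that start a new 'ATTR=' so values may hold commas.
    for part in re.split(r",\s*(?=[A-Za-z0-9.]+=)", subject):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs

def diagnose(line):
    """Return None for unrelated lines, else why the field could not be read."""
    m = VERIFY_RE.search(line)
    if m is None:
        return None
    field = m.group("field")
    pairs = parse_subject(m.group("subject"))
    values = [v for a, v in pairs if a == field]
    if not values:
        cause = "missing"
    elif any(len(v) > MAX_LEN for v in values):
        cause = "too_long"
    else:
        cause = "unknown"
    return {"field": field, "cause": cause, "present": [a for a, _ in pairs]}

# Constructed sample lines (the first is shortened from this thread's log).
SAMPLE_LOG = [
    "openvpn_client 2161 - - VERIFY ERROR: could not extract CN from X509 "
    "subject string ('C=US, ST=NC, L=WS, O=myname, "
    "emailAddress=myemail@email.com') -- note that the username length is "
    "limited to 64 characters",
    "openvpn_client 2161 - - VERIFY ERROR: could not extract CN from X509 "
    "subject string ('C=US, O=example, CN=" + "a" * 70 + "') -- note that the "
    "username length is limited to 64 characters",
    "openvpn_client 2161 - - TLS Error: TLS handshake failed",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(diagnose(entry))
```

For the line from this thread the result is cause "missing" with C, ST, L, O and emailAddress present, which points at the certificate the server presented rather than at the client configuration.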
 

Ralphshep

Thanks for the help! That seemed to fix my first problem.

Now I'm getting two new error messages: 1) that the host address does not resolve and 2) it could not determine the IPv4/IPv6 protocol. Any ideas?

I would also like to note that the OpenVPN server is being hosted on another TrueNAS server and that I have been able to download the same user configuration file, load it into OpenVPN Connect on my Mac and connect to it with no problems.
 