Hello all!

I couldn't get an OpenVPN connection started between FreeBSD and Windows 2000.

Software versions:
FreeBSD 6.4, OpenVPN 2.0.6_9, OpenSSL 0.9.7e (the one integrated in the FreeBSD base system)
Windows 2000, OpenVPN 2.1 GUI

The openssl.cnf and the key-generation script with its commands are listed below. I got all the needed files after running the script. The configs of the FreeBSD server and the Windows 2000 client are further down in the post.

I try to start the connection from the client side and get these errors:

Code:
Fri Dec 19 11:01:21 2008 OpenVPN 2.1_rc13 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Oct 7 2008
Fri Dec 19 11:01:21 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Dec 19 11:01:21 2008 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Fri Dec 19 11:01:21 2008 Control Channel Authentication: using 'c:\program files\openvpn\config\ta.key' as a OpenVPN static key file
Fri Dec 19 11:01:21 2008 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 19 11:01:21 2008 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 19 11:01:21 2008 LZO compression initialized
Fri Dec 19 11:01:21 2008 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Dec 19 11:01:21 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Dec 19 11:01:21 2008 Local Options hash (VER=V4): '504e774e'
Fri Dec 19 11:01:21 2008 Expected Remote Options hash (VER=V4): '14168603'
Fri Dec 19 11:01:21 2008 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Dec 19 11:01:21 2008 UDPv4 link local (bound): [undef]:1194
Fri Dec 19 11:01:21 2008 UDPv4 link remote: 192.168.0.2:1194
Fri Dec 19 11:01:21 2008 TLS: Initial packet from 192.168.0.2:1194, sid=7beb943a e65adbb7
Fri Dec 19 11:01:21 2008 VERIFY ERROR: depth=0, error=self signed certificate: /O=design/CN=srv.design.org
Fri Dec 19 11:01:21 2008 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Dec 19 11:01:21 2008 TLS Error: TLS object -> incoming plaintext read error
Fri Dec 19 11:01:21 2008 TLS Error: TLS handshake failed
Fri Dec 19 11:01:21 2008 TCP/UDP: Closing socket
Fri Dec 19 11:01:21 2008 SIGUSR1[soft,tls-error] received, process restarting
Fri Dec 19 11:01:21 2008 Restart pause, 2 second(s)

Server's log:

Code:
Fri Dec 19 11:02:43 2008 us=374189 192.168.0.1:1194 Re-using SSL/TLS context
Fri Dec 19 11:02:43 2008 us=374255 192.168.0.1:1194 LZO compression initialized
Fri Dec 19 11:02:43 2008 us=374444 192.168.0.1:1194 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Dec 19 11:02:43 2008 us=374509 192.168.0.1:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Dec 19 11:02:43 2008 us=374614 192.168.0.1:1194 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Dec 19 11:02:43 2008 us=374672 192.168.0.1:1194 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Dec 19 11:02:43 2008 us=374744 192.168.0.1:1194 Local Options hash (VER=V4): '14168603'
Fri Dec 19 11:02:43 2008 us=374813 192.168.0.1:1194 Expected Remote Options hash (VER=V4): '504e774e'
RFri Dec 19 11:02:43 2008 us=374988 192.168.0.1:1194 TLS: Initial packet from 192.168.0.1:1194, sid=6ff3eefe 3f2a32d4
WRRWWWWRWRWRWRWRWRWRWRWRFri Dec 19 11:02:45 2008 us=512761 192.168.0.1:1194 TLS: new session incoming connection from 192.168.0.1:1194
WWWWWRRWWWWRWRWRWRWRWRWRWRWRFri Dec 19 11:02:47 2008 us=693153 192.168.0.1:1194 TLS: new session incoming connection from 192.168.0.1:1194
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW

openssl.cnf:

Code:
# $FreeBSD: src/crypto/openssl/apps/openssl.cnf,v 1.7 2005/02/25 05:49:43 nectar Exp $

HOME = .
RANDFILE = $ENV::HOME/.rnd

[ ca ]
default_ca = CA_default # The default ca section

[ CA_default ]

dir = /usr/local/etc/openvpn # Where everything is kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file
new_certs_dir = $dir/certs # default place for new certs
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/privkey.key # The private key
RANDFILE = $dir/private/.rand # private random number file
default_days = 3650 # how long to certify for
default_crl_days= 365 # how long before next CRL
default_md = md5 # which md to use (md5 is collision-broken for signatures; prefer a SHA digest)
unique_subject = yes # Set to 'no' to allow certs with same subject
policy = policy_any
x509_extensions = user_extensions # The extensions to add to the cert

[ policy_any ]
organizationName = match
organizationalUnitName = optional
commonName = supplied
#localityName = match

[ req ]
default_bits = 2048
default_keyfile = privkey.key
distinguished_name = req_distinguished_name
x509_extensions = CA_extensions

[ req_distinguished_name ]
#countryName = Country Name (2 letter code)
#countryName_default = AU
#countryName_min = 2
#countryName_max = 2
#localityName = Locality Name (eg, city)
organizationName = Organization Name (must match CA)
organizationName_default = Company
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (common FQDN, ORG or YOUR name)
commonName_max = 64
#emailAddress = Email Address
#emailAddress_max = 64

[ user_extensions ]
basicConstraints = CA:FALSE
#subjectKeyIdentifier = hash
#authorityKeyIdentifier = keyid,issuer:always

[ CA_extensions ]
basicConstraints = CA:TRUE
#subjectKeyIdentifier = hash
#authorityKeyIdentifier = keyid:always,issuer:always

[ server ]
basicConstraints = CA:FALSE
nsCertType = server

Key generation script:

Code:
#!/bin/sh
# OpenVPN PKI generation script: CA, server and client certificates, DH params, tls-auth key
# The server certificate's Common Name must match the server's FQDN (the client checks it with tls-remote)

DIR=/usr/local/etc/openvpn
OPENSSL=/usr/local/etc/openvpn/openssl.cnf
KEYLENGTH=2048
OUT=/home/ftp/pub

cd ${DIR}
# Per-client configs (client-config-dir): /ccd
# Server and client certs: /certs
# Certificate revocation list (CRL): /crl
# Private keys of the server and client certs: /keys
# Private key of the signing CA certificate: /private
# Certificate requests: /req (restrict access rights to the keys and private directories)

mkdir ccd certs crl keys private req
echo "Creating directories..."
echo "${DIR}/ccd"
echo "${DIR}/certs"
echo "${DIR}/crl"
echo "${DIR}/keys"
echo "${DIR}/private"
echo "${DIR}/req"
echo ""

# Write the serial once; appending on a re-run would leave a multi-line serial file
echo "01" > serial
echo "Creating files..."
echo "${DIR}/serial"
touch index.txt
echo "${DIR}/index.txt"
echo ""

# Generate the CA key and the self-signed CA cert
openssl req -config ${OPENSSL} -new -nodes -x509 -keyout private/privkey.key -out ca.crt -days 3650

# Server certificates
# Generate the server key and certificate request
openssl req -config ${OPENSSL} -new -nodes -keyout keys/server.key -out req/server.pem

# The server cert must be signed by the CA
# To make CA cert roll-over easier, add the option -selfsign
# and set unique_subject=no in the openssl.cnf file
openssl ca -config ${OPENSSL} -extensions server -out certs/server.crt -infiles req/server.pem

# Diffie-Hellman parameter generation
openssl dhparam -out dh${KEYLENGTH}.pem ${KEYLENGTH}

# Client key and certificate
openssl req -config ${OPENSSL} -new -nodes -keyout keys/Kclient.key -out req/Rclient.pem
openssl ca -batch -config ${OPENSSL} -out certs/Cclient.crt -infiles req/Rclient.pem

# Generate the certificate revocation list (CRL)
openssl ca -config ${OPENSSL} -gencrl -out crl/crl.pem

# Revoke a certificate (then regenerate the CRL)
#openssl ca -config ${OPENSSL} -revoke certs/Cclient.crt

# HMAC key generation (tls-auth)
openvpn --genkey --secret ta.key

# Check that the client cert chains to the CA (certs/server.crt deserves the same check)
openssl verify -CAfile ca.crt certs/Cclient.crt

# Client configuration
cd ${DIR}/ccd
echo ""
echo "Adding client's configuration to the $DIR/ccd/client"
# The ccd file name must equal the client certificate's Common Name
echo 'push "route 192.168.0.0 255.255.255.0"' >> client
echo ""

cd $DIR
# Directories need the execute bit to stay traversable; only the key files get 600
chmod 700 keys private
chmod 600 keys/* private/*

echo "Starting OpenVPN server..."
/usr/local/etc/rc.d/openvpn restart
echo ""

# Copy user keys
# $OUT is an FTP pub tree: a client private key should not be distributed that way
echo "Copying user keys..."
echo ""
cp certs/Cclient.crt $OUT
cp keys/Kclient.key $OUT
cp ca.crt $OUT
cp ta.key $OUT

Server's configuration openvpn.conf:

Code:
dev tun0
local 192.168.0.2
port 1194
proto udp

server 10.0.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
route 192.168.0.0 255.255.255.0

client-config-dir ccd
client-to-client
max-clients 10

tls-server

dh /usr/local/etc/openvpn/dh2048.pem
ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/certs/server.crt
key /usr/local/etc/openvpn/keys/server.key
crl-verify /usr/local/etc/openvpn/crl/crl.pem
tls-auth /usr/local/etc/openvpn/ta.key 0

#cipher BF-CBC # Blowfish (default)
#cipher AES-128-CBC # AES
#cipher DES-EDE3-CBC # Triple-DES

comp-lzo
keepalive 10 120
tun-mtu 1500
mssfix 1450

user nobody
group nobody

persist-key
persist-tun

status /var/log/openvpn-status.log
log /var/log/openvpn.log

verb 5
mute 10

Client's configuration client.ovpn:

Code:
# client: pull the options (routes etc.) pushed by the server
client

dev tun
proto udp
remote 192.168.0.2 1194

tls-client
tls-remote srv.design.org
ca "c:\\program files\\openvpn\\config\\ca.crt"
cert "c:\\program files\\openvpn\\config\\Cclient.crt"
key "c:\\program files\\openvpn\\config\\Kclient.key"
tls-auth "c:\\program files\\openvpn\\config\\ta.key" 1

ns-cert-type server

comp-lzo
tun-mtu 1500
mssfix 1450

verb 3
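The client log's `VERIFY ERROR: depth=0, error=self signed certificate` is what OpenSSL reports when the server's leaf certificate looks self-signed to it: with no key identifiers to consult (this openssl.cnf comments out subjectKeyIdentifier and authorityKeyIdentifier), OpenSSL decides that purely by comparing the certificate's issuer name with its own subject name, and then never gets as far as ca.crt. The script below is an added example and not part of the original post: it builds a throwaway CA and two CA-signed leaf certificates under constructed names (ca.design.org, srv.design.org) and classifies each by that name comparison, which is the check worth running on certs/server.crt against ca.crt before starting the server.

```shell
#!/bin/sh
# Added example (not from the original post): classify a leaf certificate the way
# OpenSSL's chain builder does when no key identifiers are present, i.e. purely by
# comparing the certificate's issuer name with its own subject and with the CA's subject.

# issued_by LEAF.crt CA.crt -> prints self-issued | issued-by-ca | issuer-unknown
issued_by() {
    leaf_subject=$(openssl x509 -in "$1" -noout -subject); leaf_subject=${leaf_subject#subject=}
    leaf_issuer=$(openssl x509 -in "$1" -noout -issuer);   leaf_issuer=${leaf_issuer#issuer=}
    ca_subject=$(openssl x509 -in "$2" -noout -subject);   ca_subject=${ca_subject#subject=}
    if [ "$leaf_subject" = "$leaf_issuer" ]; then
        # issuer == subject: OpenSSL treats the cert as self-signed at depth 0
        echo self-issued
    elif [ "$leaf_issuer" = "$ca_subject" ]; then
        echo issued-by-ca
    else
        echo issuer-unknown
    fi
}

# make_demo_pki DIR: throwaway CA plus two leaves signed by the CA key (constructed demo
# names; the second leaf deliberately reuses the CA's subject).
make_demo_pki() {
    d=$1
    openssl req -x509 -new -newkey rsa:2048 -nodes -subj "/O=design/CN=ca.design.org" \
        -keyout "$d/ca.key" -out "$d/ca.crt" -days 1 2>/dev/null
    for leaf in good dup; do
        [ "$leaf" = good ] && cn=srv.design.org || cn=ca.design.org
        openssl req -new -newkey rsa:2048 -nodes -subj "/O=design/CN=$cn" \
            -keyout "$d/$leaf.key" -out "$d/$leaf.csr" 2>/dev/null
        openssl x509 -req -in "$d/$leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -out "$d/$leaf.crt" -days 1 2>/dev/null
    done
}

demo=$(mktemp -d)
make_demo_pki "$demo"
for leaf in good dup; do
    printf '%s.crt: %s\n' "$leaf" "$(issued_by "$demo/$leaf.crt" "$demo/ca.crt")"
done
rm -rf "$demo"
```

Run it as `issued_by certs/server.crt ca.crt` against the real files; anything other than `issued-by-ca` means the server cert will not chain to ca.crt on the client.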