I am setting up a LAN-to-LAN VPN using openvpn. For ease of certificate management, I want to reuse the server certificates that already exist on each host. I put remote-cert-tls server
in the configuration file, but it still errors:
Sun Aug 10 19:33:45 2014 176.126.242.99:37837 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=GB, ST=x, L=x, O=x x, OU=x, CN=x.x.x
Sun Aug 10 19:33:45 2014 176.126.242.99:37837 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sun Aug 10 19:33:45 2014 176.126.242.99:37837 TLS Error: TLS object -> incoming plaintext read error
Sun Aug 10 19:33:45 2014 176.126.242.99:37837 TLS Error: TLS handshake failed
The client certificates look like this:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 16 (0x10)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=y, ST=y, L=y, O=y y, OU=y, CN=y
        Validity
            Not Before: Aug  9 13:23:53 2014 GMT
            Not After : Aug  9 13:23:53 2015 GMT
        Subject: C=x, ST=x, L=x, O=x, OU=x, CN=x
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment:
                Signed by y y
            X509v3 Subject Key Identifier:
                ...
            X509v3 Subject Alternative Name:
                DNS:x.x.x
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Authority Key Identifier:
                ...
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection
I would like to know exactly which feature of the certificate file is causing the error and what to change in the configuration file to fix it.
Edit
For additional details, see the server and client configuration:
server 172.19.1.0 255.255.255.0
local 192.168.10.10
port 1195
proto udp
dev tun
ca /etc/ssl/certs/me.pem
cert /etc/ssl/certs/local/server.crt
key /etc/ssl/private/server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
keepalive 60 720
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
and
client
dev tun
proto udp
remote x.x.x 1195
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca /etc/ssl/certs/me.pem
cert /etc/ssl/certs/local/server.crt
key /etc/ssl/private/server.key
ns-cert-type server
comp-lzo
verb 3
Tags: openvpn
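The "unsupported certificate purpose" text in the log is OpenSSL's X509_V_ERR_INVALID_PURPOSE, produced by the same purpose check that `openssl verify -purpose` and `openssl x509 -purpose` expose. The script below is an added example written for this page, not code from the question or from OpenVPN. It builds a throwaway CA and two leaf certificates: one with the extension profile of the certificate shown above (Netscape Cert Type limited to SSL Server, Extended Key Usage listing both server and client authentication) and one whose Netscape Cert Type also carries the client bit. It then asks OpenSSL whether each may be presented as a TLS client. All subjects, file names and config section names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the question): reproduce OpenSSL's certificate
# purpose check against constructed leaf certificates. Everything here
# (CA, subjects, section names) is made up for the demonstration.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed extension profiles. "server_only" mirrors the question's
# certificate; "both" adds the client bit to nsCertType so one host
# certificate can be used at either end of the tunnel.
cat > "$work/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_only ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:x.x.x

[ both ]
basicConstraints = CA:FALSE
nsCertType = server, client
keyUsage = digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:x.x.x
EOF

# Throwaway self-signed CA used only to sign the test leaves.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$work/ext.cnf" -extensions ca_ext -subj "/CN=y" \
    -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null

# issue_cert <extension section> <basename>: sign a leaf with the CA above.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$work/ext.cnf" -subj "/CN=x.x.x" \
        -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
    openssl x509 -req -in "$work/$2.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
        -CAcreateserial -days 1 -sha256 \
        -extfile "$work/ext.cnf" -extensions "$1" -out "$work/$2.crt" 2>/dev/null
}

# purpose_flag <cert> <label>: the Yes/No that `openssl x509 -purpose` prints
# for that label, e.g. purpose_flag leaf.crt "SSL client".
purpose_flag() {
    openssl x509 -in "$1" -noout -purpose | awk -F' : ' -v p="$2" '$1 == p { print $2 }'
}

# verify_for <cert> <sslclient|sslserver>: run chain verification with that
# purpose (the check a TLS peer applies to the certificate it receives) and
# return its status. On failure the reason is the same text as in the log.
verify_for() {
    if openssl verify -purpose "$2" -CAfile "$work/ca.crt" "$1" >"$work/verify.out" 2>&1; then
        echo "$2 $(basename "$1"): accepted"
    else
        echo "$2 $(basename "$1"): rejected: $(grep -o 'unsupported certificate purpose' "$work/verify.out" | head -n 1)"
        return 1
    fi
}

issue_cert server_only server_only
issue_cert both both

# Demo: where the two profiles differ.
for c in server_only both; do
    echo "$c.crt: SSL client=$(purpose_flag "$work/$c.crt" 'SSL client') SSL server=$(purpose_flag "$work/$c.crt" 'SSL server')"
done
verify_for "$work/server_only.crt" sslclient || true
verify_for "$work/server_only.crt" sslserver
verify_for "$work/both.crt" sslclient
```

Running it shows server_only.crt accepted for sslserver but rejected for sslclient with "unsupported certificate purpose", while both.crt passes either way. OpenSSL treats a Netscape Cert Type extension, when present, as a restriction: a certificate marked only SSL Server fails the client purpose even though its Extended Key Usage lists TLS Web Client Authentication, and the server side of the handshake verifies the presented certificate against the client purpose. Note also that OpenVPN's `remote-cert-tls server` and `ns-cert-type server` are checks the client applies to the certificate it receives from the server; neither changes how the server judges the certificate the client presents.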