[SOLVED] OpenVPN Unsupported certificate purpose

Night1979
DD-WRT Novice


Joined: 20 Sep 2022
Posts: 6

PostPosted: Thu Sep 22, 2022 15:51    Post subject: [SOLVED] OpenVPN Unsupported certificate purpose
I'm trying to connect OpenVPN between DD-WRT (Server) and pfsense (Client) and getting this error:
Code:
20220922 11:34:40 N ---.---.---.---:2204 VERIFY ERROR: depth=0 error=unsupported certificate purpose: CN=------------ serial=8
20220922 11:34:40 N ---.---.---.---:2204 OpenSSL: error:1417C086:lib(20):func(380):reason(134)
20220922 11:34:40 N ---.---.---.---:2204 TLS_ERROR: BIO read tls_read_plaintext error

Now pfsense says that
Quote:
Server type certificates include Extended Key Usage attributes indicating they may be used for server authentication as well as the OID 1.3.6.1.5.5.8.2.2 which is used by Microsoft to signify that a certificate may be used as an IKE intermediate.

Which I've verified:
Code:
 X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.5.5.8.2.2

What could be the problem?
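To check what the Extended Key Usage above actually permits, here is an added example (not from this thread or from DD-WRT/pfSense): a stdlib-only decoder for an EKU extension value that reports which OpenVPN peer role (server or client) the certificate can pass OpenSSL's SSL purpose check for. The sample DER bytes are constructed from the three OIDs in the post; keyUsage and OpenVPN's separate remote-cert-tls check are not modelled.

```python
# Constructed sample: the three EKU OIDs shown in the post, DER-encoded as
# SEQUENCE OF OID (serverAuth, clientAuth, ikeIntermediate).
SAMPLE_EKU = bytes.fromhex(
    "301e" "06082b06010505070301" "06082b06010505070302" "06082b06010505080202"
)

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Turn base-128 OID contents into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_eku(der):
    """Return the dotted OIDs of an EKU extension value (SEQUENCE OF OID)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OIDs")
        oids.append(_decode_oid(value))
    return oids

def purpose_roles(oids):
    """Roles allowed by OpenSSL's SSL server/client purpose check on the EKU:
    no EKU at all permits either role; with an EKU the role's OID must be listed."""
    if not oids:
        return {"server", "client"}
    return {role for role, oid in (("server", SERVER_AUTH), ("client", CLIENT_AUTH))
            if oid in oids}
```

A certificate whose EKU lists only serverAuth therefore fails the purpose check when presented as a client, which is the VERIFY ERROR shown in the log.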
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 5257
Location: UK, London, just across the river..

PostPosted: Thu Sep 22, 2022 16:33    Post subject:
I guess as you didn't let us know which firmware build number you use...and router model..
you use an old build...
update to a new build...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 49934 WAP
TP-Link WR1043NDv2 -DD-WRT 50146 Gateway,DNS,AP Isolation,Ad-Block,Firewall,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -DD-WRT 50146 Gateway,DNS,Ad-Block,Firewall,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 -Gargoyle OS 1.13.0 AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 50146 Gateway,DNS,AD-Block,AP&Net Isolation,VLAN's,Firewall,DoT,Vanilla
Netgear R9000 --DD-WRT 50146 Gateway,DNS,AD-Block,AP Isolation,Firewall,Forced DNS,DoT,2,4Ghz only,Vanilla
Broadcom
Netgear R7000 ---DD-WRT 50146 Gateway,DNS,AD-Block,Firewall,Forced DNS,VLAN's,DoT,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10348
Location: Netherlands

PostPosted: Thu Sep 22, 2022 16:53    Post subject:
Moved this to the Advanced Networking forum as it can be of interest to us all.

It looks like a problem with your certs/keys. Maybe generate new ones

The OpenVPN documentation is a sticky in the Advanced Networking forum, you need the OpenVPN Server setup guide, there is also a chapter about generating certs/keys.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

Edit: https://security.stackexchange.com/questions/211795/openvpn-error-unsupported-certificate-purpose

_________________
Routers:Netgear R7800, R7000, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Night1979
DD-WRT Novice


Joined: 20 Sep 2022
Posts: 6

PostPosted: Mon Sep 26, 2022 18:35    Post subject:
Alozaros wrote:
I guess as you didn't let us know which firmware build number you use...and router model..
you use an old build...
update to a new build...

v3.0-r44715 mega on Linksys E3000.. I don't think there is anything newer?
Night1979
DD-WRT Novice


Joined: 20 Sep 2022
Posts: 6

PostPosted: Mon Sep 26, 2022 18:39    Post subject:
egc wrote:
The OpenVPN documentation is a sticky in the Advanced Networking forum, you need the OpenVPN Server setup guide, there is also a chapter about generating certs/keys.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

Edit: https://security.stackexchange.com/questions/211795/openvpn-error-unsupported-certificate-purpose


In this instance DD-WRT is the server but OpenVPN on pfSense is the client.
The cert has both the client and server use set as I noted. You're saying there should be different certificates on each side? Where would they come from? I've set up OpenVPN between pfSense and Synology before, I don't get why this should be so much more difficult.


Last edited by Night1979 on Mon Sep 26, 2022 18:43; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10348
Location: Netherlands

PostPosted: Mon Sep 26, 2022 18:41    Post subject:
Your build is not the latest, not by a long shot

See: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

Upgrade to the latest 50176, *after* upgrade reset to defaults and setup manually, do not restore from a backup (to a different build)



Last edited by egc on Mon Sep 26, 2022 18:53; edited 2 times in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10348
Location: Netherlands

PostPosted: Mon Sep 26, 2022 18:50    Post subject:
Unless you set up as static key, the server and client need different keys/cert.

Why not consult the manual

Night1979
DD-WRT Novice


Joined: 20 Sep 2022
Posts: 6

PostPosted: Mon Sep 26, 2022 19:14    Post subject:
egc wrote:
Upgrade to the latest 50176

Done.
Night1979
DD-WRT Novice


Joined: 20 Sep 2022
Posts: 6

PostPosted: Mon Sep 26, 2022 19:39    Post subject:
https://forum.dd-wrt.com/phpBB2/download.php?id=44043

Now, this is helpful.
Night1979
DD-WRT Novice


Joined: 20 Sep 2022
Posts: 6

PostPosted: Mon Sep 26, 2022 19:50    Post subject:
By god, it works. Well.. almost. No traffic is traversing the tunnel but I'll figure that out.
Thank you for the pointers.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10348
Location: Netherlands

PostPosted: Tue Sep 27, 2022 6:39    Post subject:
Great to hear :thumbsup: