I'm trying to connect OpenVPN between DD-WRT (Server) and pfsense (Client) and getting this error:
Code:
20220922 11:34:40 N ---.---.---.---:2204 VERIFY ERROR: depth=0 error=unsupported certificate purpose: CN=------------ serial=8
20220922 11:34:40 N ---.---.---.---:2204 OpenSSL: error:1417C086:lib(20):func(380):reason(134)
20220922 11:34:40 N ---.---.---.---:2204 TLS_ERROR: BIO read tls_read_plaintext error
Now pfsense says that
Quote:
Server type certificates include Extended Key Usage attributes indicating they may be used for server authentication as well as the OID 1.3.6.1.5.5.8.2.2 which is used by Microsoft to signify that a certificate may be used as an IKE intermediate.
Which I've verified:
Code:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.5.5.8.2.2
Joined: 16 Nov 2015 Posts: 6388 Location: UK, London, just across the river..
Posted: Thu Sep 22, 2022 16:33 Post subject:
i guess as you didn't let us know which firmware build number you use...and router model..
you use an old build...
update to a new build...
Joined: 18 Mar 2014 Posts: 12812 Location: Netherlands
Posted: Thu Sep 22, 2022 16:53 Post subject:
Moved this to the Advanced Networking forum as it can be of interest to us all.
It looks like a problem with your certs/keys. Maybe generate new ones
The OpenVPN documentation is a sticky in the Advanced Networking forum, you need the OpenVPN Server setup guide, there is also a chapter about generating certs/keys.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
In this instance DD-WRT is the server but OpenVPN on pfSense is the client.
The cert has both the client and server use set as I noted. You're saying there should be different certificates on each side? Where would they come from? I've set up OpenVPN between pfSense and Synology before, I don't get why this should be so much more difficult.
Last edited by Night1979 on Mon Sep 26, 2022 18:43; edited 1 time in total
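Checking the purpose test behind that VERIFY ERROR locally, as an added example that is not code from either poster: `openssl x509 -purpose` runs the same X509 purpose check that OpenSSL reports as "unsupported certificate purpose", and that check looks at more than the Extended Key Usage line quoted above (a Netscape nsCertType or a keyUsage extension also counts). The script builds two constructed throwaway certs that both carry the serverAuth+clientAuth EKU from the thread; the file names and the nsCertType=server variant are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: test a PEM cert against OpenSSL's
# client/server purpose check before loading it into OpenVPN.
set -eu

# Print "Yes" or "No" for whether CERT passes the purpose check for ROLE
# (sslclient or sslserver). Same X509_check_purpose() logic that yields
# "unsupported certificate purpose" during the TLS handshake.
cert_purpose() {
  cert="$1"; role="$2"
  case "$role" in
    sslclient) label="SSL client" ;;
    sslserver) label="SSL server" ;;
    *) echo "unknown role: $role" >&2; return 2 ;;
  esac
  openssl x509 -in "$cert" -noout -purpose \
    | awk -F' : ' -v l="$label" '$1 == l { print $2; exit }'
}

# Build a self-signed test cert at OUT with the given -addext extensions
# (constructed data; P-256 key for speed, key file discarded by the caller).
make_test_cert() {
  out="$1"; shift
  args=""
  for ext in "$@"; do args="$args -addext $ext"; done
  # shellcheck disable=SC2086
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$out.key" -subj "/CN=constructed-test" -days 1 -out "$out" \
    $args 2>/dev/null
}

# Demo: both certs have the EKU seen in the thread, but the second also
# carries nsCertType=server, which fails the client-purpose check even
# though the EKU alone would allow client use.
demo() {
  dir=$(mktemp -d)
  make_test_cert "$dir/both.pem" "extendedKeyUsage=serverAuth,clientAuth"
  make_test_cert "$dir/srv.pem" "extendedKeyUsage=serverAuth,clientAuth" \
    "nsCertType=server"
  for c in both srv; do
    echo "$c: client=$(cert_purpose "$dir/$c.pem" sslclient)" \
         "server=$(cert_purpose "$dir/$c.pem" sslserver)"
  done
  rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

Run `cert_purpose /path/to/client.pem sslclient` against the actual pfSense client cert; a "No" there is what the DD-WRT server is rejecting at depth=0.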