VPN
wlad1164, 2018-08-06 17:00:18

Setting up OpenVPN to work with TLS/SSL?

I ask for help; tell me where to dig.
There is a VPN server and 4 clients (1 is a mobile phone, 2 is a home PC, 3 and 4 are work PCs); PCs 3 and 4 are on the same local network.
Everyone is connected to the server, but some sites do not work on PCs 3 and 4; the browsers give an error related to TLS/SSL:

The site may be using outdated or weak TLS security settings. If this keeps happening, contact the website owner.

Server config:
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
client-to-client
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
push "route 1.1.1.1 255.255.255.255 vpn_gateway"
push "route 8.8.8.8 255.255.255.255 vpn_gateway"
push "route 149.154.164.0 255.255.252.0 vpn_gateway"
push "route 178.62.9.0 255.255.255.0 vpn_gateway"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem

All client configs are identical; 1 and 2 work without problems, 3 and 4 with an error. I suspect that the matter is in the firewall behind which 3 and 4 are located, but shouldn't all traffic be wrapped in the VPN? I don't understand why this is happening...


3 answers
Alexander, 2018-08-06
@UPSA

The site may be using outdated or weak TLS security settings. If this keeps happening, contact the website owner.

In all browsers? OpenVPN has nothing to do with it)
Check the antiviruses ....
These "radishes", with the certificate verification option enabled, slip in their own certificates - why?!!!?
Open the page in a browser. There is a padlock in front of the address. Try to view the server certificate (each browser does it differently). Sometimes the certificate says that the certificate issuer is not trusted. Using a search engine, look for the root certificate of AVAST, Kaspersky ... (that was a proper dance with a tambourine). And add them as trusted certification authorities.
OR look in the settings for how to disable SSL/TLS verification.

Maxim, 2018-08-06
@freezl

To wrap all traffic in the VPN, you need to put push "redirect-gateway def1" in the server config, and you have this option commented out. In addition, configure NAT on the server so that it replaces the source addresses in packets and sends them to the Internet.
With this config, it seems to me that only DNS traffic to 8.8.8.8 and 1.1.1.1 goes through the VPN, plus the two subnets 149.154.164.0/22 and 178.62.9.0/24. Is that how it was intended?
For example, you can open https://2ip.ru and note the address. Then turn on OVPN if it was off (or vice versa) and open the site in a new tab; the address should change (the IP address of the VPN server should be displayed).

wlad1164, 2018-08-06
@wlad1164

As a temporary option, I wrapped Google traffic inside the VPN:

# Part of GOOGLE servers
push "route 216.58.192.0 255.255.224.0 vpn_gateway"
push "route 172.217.0.0 255.255.0.0 vpn_gateway"
push "route 64.233.160.0 255.255.224.0 vpn_gateway"

Question is still open...
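As an added example (this is not code from the thread and not part of OpenVPN itself), the following Python script parses the push "route ..." and push "redirect-gateway ..." directives from the server config quoted in the question and from the temporary Google routes just above, and reports, for a given destination address, whether a client would send it through the tunnel. It makes Maxim's point checkable: with the redirect-gateway line commented out, only the explicitly pushed subnets go via the VPN, and everything else (including the sites that fail on PCs 3 and 4) leaves through the local network and its firewall. The config text is constructed from the thread's lines; the function names are the example's own.

```python
"""Which destinations does this OpenVPN server config actually route via the tunnel?

Added example, not from the original thread. It understands only the directives
that matter here: 'server', 'push "route ..."' and 'push "redirect-gateway ..."'.
"""
import ipaddress
import shlex

# Constructed sample: the routing-relevant lines of the question's server config.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
#push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
push "route 1.1.1.1 255.255.255.255 vpn_gateway"
push "route 8.8.8.8 255.255.255.255 vpn_gateway"
push "route 149.154.164.0 255.255.252.0 vpn_gateway"
push "route 178.62.9.0 255.255.255.0 vpn_gateway"
"""

# Constructed sample: the temporary Google routes from the follow-up post.
GOOGLE_ROUTES = """\
# Part of GOOGLE servers
push "route 216.58.192.0 255.255.224.0 vpn_gateway"
push "route 172.217.0.0 255.255.0.0 vpn_gateway"
push "route 64.233.160.0 255.255.224.0 vpn_gateway"
"""


def parse_pushed_routes(conf_text):
    """Return (redirect_all, [IPv4Network, ...]) for the routes a client receives.

    OpenVPN treats lines beginning with '#' or ';' as comments, which is exactly
    why the commented-out redirect-gateway line in the question has no effect.
    The 'server' directive is included because OpenVPN routes the VPN subnet
    itself through the tunnel.
    """
    redirect_all = False
    routes = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        words = shlex.split(line)  # keeps the quoted push argument as one token
        if words[0] == "server" and len(words) >= 3:
            routes.append(ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
            continue
        if words[0] != "push" or len(words) < 2:
            continue
        pushed = words[1].split()
        if pushed[0] == "redirect-gateway":
            redirect_all = True
        elif pushed[0] == "route" and len(pushed) >= 3:
            # ipaddress accepts dotted netmasks, e.g. 149.154.164.0/255.255.252.0 -> /22
            routes.append(ipaddress.ip_network(f"{pushed[1]}/{pushed[2]}", strict=False))
    return redirect_all, routes


def via_vpn(conf_text, dest_ip):
    """True if a client given this config would send dest_ip through the tunnel."""
    redirect_all, routes = parse_pushed_routes(conf_text)
    ip = ipaddress.ip_address(dest_ip)
    return redirect_all or any(ip in net for net in routes)


if __name__ == "__main__":
    # Constructed destinations: the pushed DNS server, a Telegram-range address from
    # the pushed /22, a Google address, and an unrelated public address.
    targets = ["8.8.8.8", "149.154.165.10", "216.58.192.10", "93.184.216.34"]
    fixed = SERVER_CONF.replace('#push "redirect-gateway', 'push "redirect-gateway')
    for label, conf in [("as posted", SERVER_CONF),
                        ("with Google routes", SERVER_CONF + GOOGLE_ROUTES),
                        ("redirect-gateway enabled", fixed)]:
        print(f"--- {label}")
        for t in targets:
            print(f"{t:>16}  via VPN: {via_vpn(conf, t)}")
```

Run it as-is to see that, as posted, only 8.8.8.8 and the 149.154.164.0/22 address go through the tunnel; appending the Google routes adds 216.58.192.10, and only uncommenting redirect-gateway (together with NAT on the server, as Maxim notes) sends everything via the VPN.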
