[Problem] Configuring VPNtunnel.se with OpenVPN on Freetz

In the earlier thread about this specific subject it did not end with certificate problems, to my knowledge.

Just now I downloaded the certificates again and the zip file contains two files in the cert directory: ca.crt and ca1.crt.

ca.crt with datestamp 7-12-2010 and valid from April 6 2009 until April 4 2019, published by 'Fort-Funston CA'

ca1.crt with datestamp 26-7-2012 and valid from December 9 2011 until December 6 2021 by 'changeme'

Windows doesn't trust the certificates.

When opened with Notepad I can see that it starts both times like this:

-----BEGIN CERTIFICATE-----MII

with an intermediate array similar to this:

C1GdW5zdG9uMRgwFgYD
VQQDEw9Gb3J0LUZ1bnN0b24gQ0ExITAfBgkqhkiG9w0BCQEWEm1lQG15aG9zdC5t
eWRvbWFpbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuPJ8Rim4azRKjCKU
900yoyzWGxYN5KqDaeDyF7/M2al9bGmPQ/ZFfh/O9g7O+YfyIGM5ia3y8XwSuHQe
2k1pwhYeIpwzxZNDlgUjtSZMdEpaaakZO3vxqGmqK+DewC/H2cNGBI1IOX4uapzd
qOVvyFN1ArdKC6HVpvJAWP7kWV8CAwEAAaOB7TCB6jAdBgNVHQ4EFgQUPaQwCEOf
FHjwVxTGcEnkepprGAQwgboGA1UdIwSBsjCBr4AUPaQwCEOfFHjwVxTGcEnkeppr

and ends like this:

-----END CERTIFICATE-----

Could it make a difference if one would try it again without the ---- stuff? Probably not, but I don't know? Also it is copied with the ---- stuff into interface dd-wrt as well as tomatovpn, so very likely leave this alone.

Also, maybe the certificate with 26-7-2012 datestamp hasn't been tried by the topicstarter?

--> Did TS also try ca1.crt?

Also, on a Windows 7 PC without the OpenVPN GUI application, I installed this and established an OpenVPN connection.

This is what the log says:

connecting to host: SE06
Fri Aug 17 16:50:59 2012 OpenVPN 2.2.0 Win32-MSVC++ [SSL] [LZO2] built on Apr 26 2011
Enter Auth Username:Enter Auth Password:
Fri Aug 17 16:50:59 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Aug 17 16:51:00 2012 LZO compression initialized
Fri Aug 17 16:51:00 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Aug 17 16:51:00 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Aug 17 16:51:00 2012 Local Options hash (VER=V4): '41690919'
Fri Aug 17 16:51:00 2012 Expected Remote Options hash (VER=V4): '530fdded'
Fri Aug 17 16:51:00 2012 UDPv4 link local: [undef]
Fri Aug 17 16:51:00 2012 UDPv4 link remote: 178.73.abc.xyz:10030
Fri Aug 17 16:51:00 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Aug 17 16:51:00 2012 VERIFY OK: depth=1, /C=SE/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/[email protected]
Fri Aug 17 16:51:00 2012 VERIFY OK: nsCertType=SERVER
Fri Aug 17 16:51:00 2012 VERIFY OK: depth=0, /C=SE/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/[email protected]
Fri Aug 17 16:51:01 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Aug 17 16:51:01 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Aug 17 16:51:01 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Aug 17 16:51:01 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Aug 17 16:51:01 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Aug 17 16:51:01 2012 [server] Peer Connection Initiated with 178.73.abc.xyz:10030
Fri Aug 17 16:51:03 2012 TAP-WIN32 device [LAN-verbinding 2] opened: \\.\Global\{bla96002-655A-47C1-B024-C82AE107Abla}.tap
Fri Aug 17 16:51:03 2012 TAP-Win32 MTU=1500
Fri Aug 17 16:51:03 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.99.3.182/255.255.255.252 on interface {bla96002-655A-47C1-B024-C82AE107Abla} [DHCP-serv: 10.99.3.181, lease-time: 31536000]
Fri Aug 17 16:51:03 2012 Successful ARP Flush on interface [31] {bla96002-655A-47C1-B024-C82AE107Abla}
Fri Aug 17 16:51:13 2012 Warning: route gateway is ambiguous: 192.168.178.1 (2 matches)
OK
Fri Aug 17 16:51:13 2012 Initialization Sequence Completed

The log ends with a warning that the route gateway is ambiguous... also I see something with 'Fort-funston', so I guess this application uses the ca.crt internally... so not the 'changeme' ca1.crt. If I try several times to establish this, it also uses 'changeme', so it somehow alternates...
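
Added example (not part of the original post): one way to check from the client log which CA each connection attempt was verified against is to read the depth=1 subject on the VERIFY lines, session by session. The first session in the sample copies the VERIFY lines from the log above with the e-mail field left out; the second session and its 'changeme' subject are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample log: session 1 mirrors the log above, session 2 is invented.
SAMPLE_LOG = """\
connecting to host: SE06
Fri Aug 17 16:51:00 2012 VERIFY OK: depth=1, /C=SE/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA
Fri Aug 17 16:51:00 2012 VERIFY OK: nsCertType=SERVER
Fri Aug 17 16:51:00 2012 VERIFY OK: depth=0, /C=SE/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server
Fri Aug 17 16:51:13 2012 Initialization Sequence Completed
connecting to host: SE06
Fri Aug 17 17:02:10 2012 VERIFY OK: depth=1, /O=changeme/CN=changeme
Fri Aug 17 17:02:10 2012 VERIFY OK: depth=0, /O=changeme/CN=server
Fri Aug 17 17:02:21 2012 Initialization Sequence Completed
"""

# Matches "VERIFY OK: depth=N, /DN" and "VERIFY ERROR: depth=N, error=...: /DN".
VERIFY_RE = re.compile(r"VERIFY (OK|ERROR): depth=(\d+), (?:error=[^:]*: )?(/\S.*)$")

def parse_dn(dn):
    """Split an OpenSSL one-line subject (/C=SE/O=...) into a dict."""
    return dict(p.split("=", 1) for p in dn.strip("/").split("/") if "=" in p)

def ca_per_session(log_text):
    """Return one dict per connection attempt: CN of the CA (depth>=1) and of
    the server certificate (depth=0), and whether the tunnel came up."""
    sessions, cur = [], {}
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            status, depth, dn = m.group(1), int(m.group(2)), parse_dn(m.group(3))
            cur["ca" if depth >= 1 else "server"] = dn.get("CN", "?")
            cur["verified"] = cur.get("verified", True) and status == "OK"
        elif "Initialization Sequence Completed" in line:
            if cur:
                sessions.append(dict(cur, completed=True))
            cur = {}
    if cur:  # log ended before the tunnel was established
        sessions.append(dict(cur, completed=False))
    return sessions

def distinct_cas(log_text):
    """Sorted list of CA common names seen across all sessions."""
    return sorted({s["ca"] for s in ca_per_session(log_text) if "ca" in s})

if __name__ == "__main__":
    for i, s in enumerate(ca_per_session(SAMPLE_LOG), 1):
        print(i, s)
    print("CAs seen:", distinct_cas(SAMPLE_LOG))
```

If more than one CA name shows up, a client that is given only one of the two CA files will fail verification on the sessions signed by the other.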
 