Welcome to TP-LINK Tech Support Forum
  1. #1

    C3150 v2 firmware v2 OpenVPN: generates bad certificate/config file

    Neither the OpenVPN client on my Mac nor on my Android phone will connect to the OpenVPN in the new firmware. This worked perfectly with the v1 firmware. Here is an extract from the Viscosity (Mac client) log. The Android client (OpenVPN Connect) detects the cert is bad without even trying to connect. It complains that "ASN1 tag was of an unexpected value".


    Code:
    2017-11-07 19:35:44: State changed to Connecting
    2017-11-07 19:35:44: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    2017-11-07 19:35:44: TCP/UDP: Preserving recently used remote address: [AF_INET]61.123.123.123:1194
    2017-11-07 19:35:44: UDP link local: (not bound)
    2017-11-07 19:35:44: UDP link remote: [AF_INET]61.123.123.123:1194
    2017-11-07 19:35:44: State changed to Authenticating
    2017-11-07 19:35:44: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=CN, ST=GD, L=ShenZhen, O=TPLINK, OU=SOHO, CN=TPLINK CA, name=myuserver02, emailAddress=me@myhost.mydomain
    2017-11-07 19:35:44: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    2017-11-07 19:35:44: TLS_ERROR: BIO read tls_read_plaintext error
    2017-11-07 19:35:44: TLS Error: TLS object -> incoming plaintext read error
    2017-11-07 19:35:44: TLS Error: TLS handshake failed
    2017-11-07 19:35:44: SIGUSR1[soft,tls-error] received, process restarting
    2017-11-07 19:35:44: Viscosity Mac 1.7.5 (1420)
    2017-11-07 19:35:44: Viscosity OpenVPN Engine Started
    2017-11-07 19:35:44: Running on macOS 10.13.1

  2. #2

  3. #3
    The firmware was rejected by the router. I expect because I've got the US version.

    I tried the new update which mentions IOS and OpenVPN in the headline changes but that is bad too (I'm out so I can't give the version number). The certificate is ok but, unlike the v1 firmware, it doesn't take into account that I'm using dynamic dns. The remote field in the configuration file is populated with the wan ip address, which is a private ip handed out by my fibre modem. This worked out-of-the-box before.
    Last edited by shazoom; 11-12-2017 at 12:10.

  4. #4
    Do you mean the C3150 is connected to your main router, and has private IP on WAN? Do you mean V1 worked out-of-the-box before or V2?
    What's the current firmware version of your V2 router ?

  5. #5
    > Do you mean the C3150 is connected to your main router, and has private IP on WAN?
    No, it's connected to a ONT fiber modem.

    > Do you mean V1 worked out-of-the-box before or V2?
    The current release for my router is: 3.0.0 0.9.1 v005f.0 Build 170926 Rel.63400n; I would say this is a v3 release. I bought the router in January and it was in a v1 release. About two weeks ago I updated it to a v2 release.

    By out of the box I mean it just worked. No fuss. Actually, I misread the interface in the Dynamic DNS section. It listed the dynamic dns I'd registered with the router before and I thought it was bound but I was wrong and hence it was binding to the WAN ip address. When it was bound the remote field in the openvpn client config file listed the dynamic dns name as you would expect. However, although my openvpn clients would connect to it I still couldn't connect to anything on my network.

    The pptp vpn did work correctly and I could connect to computers on my network. However, I disabled it again as, from what I read, it is relatively insecure. A message in the log even suggested that encryption was disabled (ppp20 rcvd [LCP TermReq id=0x4 "MPPE disabled"].)

    I've since set up L2TP on my NAS because I don't really want to mess around with this anymore.
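
The three symptoms reported in this thread (a certificate the client cannot parse, a `remote` line holding a non-public WAN address, and the "No server certificate verification method" warning) can be checked in an exported client profile before it is imported. This is an added example, not part of any post and not TP-Link code; the sample profile is constructed and the name `audit_ovpn` is hypothetical.

```python
import base64
import binascii
import ipaddress
import re

# Constructed sample profile (not taken from the thread): private address in
# `remote`, no server-certificate check, and a <ca> payload that is not DER.
SAMPLE_OVPN = """client
dev tun
proto udp
remote 192.168.1.2 1194
<ca>
-----BEGIN CERTIFICATE-----
aGVsbG8gd29ybGQ=
-----END CERTIFICATE-----
</ca>
"""

# Directives that make the client verify the server certificate's role or name.
VERIFY = {"remote-cert-tls", "remote-cert-ku", "remote-cert-eku",
          "verify-x509-name", "ns-cert-type"}

def audit_ovpn(text):
    """Return a list of findings for an OpenVPN client profile."""
    findings = []
    # Drop inline <ca>/<cert>/<key> blocks so their payload is not read as directives.
    body = re.sub(r"<(\w[\w-]*)>.*?</\1>", "", text, flags=re.S)
    lines = [l.split() for l in body.splitlines()
             if l.strip() and l.lstrip()[0] not in "#;"]
    for d in lines:
        if d[0] == "remote" and len(d) > 1:
            try:
                ip = ipaddress.ip_address(d[1])
            except ValueError:
                continue  # a hostname, e.g. a dynamic DNS name
            if not ip.is_global:  # RFC 1918, CGNAT, loopback, link-local ...
                findings.append(f"remote {ip} is not publicly routable")
    if not VERIFY & {d[0] for d in lines}:
        findings.append("no server certificate verification directive")
    pem_re = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    for pem in re.findall(pem_re, text, re.S):
        try:
            der = base64.b64decode("".join(pem.split()), validate=True)
        except binascii.Error:
            findings.append("certificate block is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # DER X.509 begins with a SEQUENCE tag
            findings.append("certificate does not start with an ASN.1 SEQUENCE tag")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ovpn(SAMPLE_OVPN)))
```

The certificate check only confirms the outer encoding; it does not validate the chain or the signature.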

