
CN Verification fails out-of-the-box

Open amomchilov opened this issue 4 years ago • 0 comments

Hi there. I have an Asus RT-AC68U running Asuswrt-Merlin 384.19.

Turning on the VPN client after following the instructions prints "Error - check configuration!". These are the logs:

Nov 14 12:40:08 rc_service: httpd 261:notify_rc start_vpnclient1
Nov 14 12:40:10 ovpn-client1[20212]: OpenVPN 2.4.9 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 14 2020
Nov 14 12:40:10 ovpn-client1[20212]: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.08
Nov 14 12:40:10 ovpn-client1[20213]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 14 12:40:10 ovpn-client1[20213]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Nov 14 12:40:10 ovpn-client1[20213]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Nov 14 12:40:10 ovpn-client1[20213]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Nov 14 12:40:10 ovpn-client1[20213]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Nov 14 12:40:10 ovpn-client1[20213]: TCP/UDP: Preserving recently used remote address: [AF_INET]<redacted external IP>:1194
Nov 14 12:40:10 ovpn-client1[20213]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Nov 14 12:40:10 ovpn-client1[20213]: UDP link local: (not bound)
Nov 14 12:40:10 ovpn-client1[20213]: UDP link remote: [AF_INET]<redacted external IP>:1194
Nov 14 12:40:11 ovpn-client1[20213]: TLS: Initial packet from [AF_INET]<redacted external IP>:1194, sid=9144dd9c 04130c74
Nov 14 12:40:11 ovpn-client1[20213]: VERIFY OK: depth=1, CN=ChangeMe
Nov 14 12:40:11 ovpn-client1[20213]: VERIFY KU OK
Nov 14 12:40:11 ovpn-client1[20213]: Validating certificate extended key usage
Nov 14 12:40:11 ovpn-client1[20213]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Nov 14 12:40:11 ovpn-client1[20213]: VERIFY EKU OK
Nov 14 12:40:11 ovpn-client1[20213]: VERIFY X509NAME ERROR: CN=pihole_e05ebf22-b14c-43ab-9a83-dedeaa0e2d6a, must be pihole_e05ebf22-b14c-43ab-9a83-
Nov 14 12:40:11 ovpn-client1[20213]: OpenSSL: error:1416F086:lib(20):func(367):reason(134)
Nov 14 12:40:11 ovpn-client1[20213]: TLS_ERROR: BIO read tls_read_plaintext error
Nov 14 12:40:11 ovpn-client1[20213]: TLS Error: TLS object -> incoming plaintext read error
Nov 14 12:40:11 ovpn-client1[20213]: TLS Error: TLS handshake failed
Nov 14 12:40:11 ovpn-client1[20213]: SIGUSR1[soft,tls-error] received, process restarting

The certificate authority on the PiHole is set up with a common name (CN) of "ChangeMe". I confirmed this by running this on my PiHole:

$ sudo openssl x509 -noout -subject -in /etc/openvpn/easy-rsa/pki/ca.crt
subject=CN = ChangeMe

Of course, ChangeMe ≠ the expected pihole_e05ebf22-b14c-43ab-9a83-dedeaa0e2d6a, so this check fails. I can work around it by setting Verify Server Certificate Name to No under Advanced Settings of the VPN client.

Is there a way to configure this system with a real CN?

amomchilov avatar Nov 14 '20 17:11 amomchilov
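The failing check in the log above is OpenVPN's `verify-x509-name` match, and the safer fix is to make the configured name agree with the certificate the server actually presents rather than switching name verification off. The script below is an added example (not part of this project or this issue): it parses the `VERIFY OK` / `VERIFY X509NAME ERROR` lines from a client log, reads the `verify-x509-name <name> [subject|name|name-prefix]` directive from a client config, applies OpenVPN's matching rules for those three types, and proposes a directive that keeps verification enabled. The sample log and configs are constructed; the expected name in the sample error line is a placeholder because the original log line is truncated, and the `name` match type is an assumption.

```python
"""Diagnose an OpenVPN 'VERIFY X509NAME ERROR' from client log lines and a client config.

Added example, not project code. Sample log/config values below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# "VERIFY OK: depth=1, CN=ChangeMe"  ->  depth 1, subject "CN=ChangeMe"
VERIFY_OK_RE = re.compile(r"VERIFY OK: depth=(\d+), (.+?)\s*$")
# "VERIFY X509NAME ERROR: CN=<presented>, must be <expected>"
X509NAME_ERR_RE = re.compile(r"VERIFY X509NAME ERROR: (.+?), must be (.+?)\s*$")
# "verify-x509-name <name> [subject|name|name-prefix]" inside a client .ovpn
VERIFY_NAME_RE = re.compile(
    r"^\s*verify-x509-name\s+(\S+)(?:\s+(subject|name|name-prefix))?\s*$", re.MULTILINE
)


def parse_chain(log_lines: List[str]) -> Dict[int, str]:
    """Map certificate depth -> subject string for every 'VERIFY OK' line."""
    chain: Dict[int, str] = {}
    for line in log_lines:
        m = VERIFY_OK_RE.search(line)
        if m:
            chain[int(m.group(1))] = m.group(2)
    return chain


def parse_name_error(log_lines: List[str]) -> Optional[Tuple[str, str]]:
    """Return (presented_subject, expected_name) from the X509NAME error, if any."""
    for line in log_lines:
        m = X509NAME_ERR_RE.search(line)
        if m:
            return m.group(1), m.group(2)
    return None


def parse_config_directive(config_text: str) -> Optional[Tuple[str, str]]:
    """Return (expected_name, match_type) from verify-x509-name; type defaults to 'subject'."""
    m = VERIFY_NAME_RE.search(config_text)
    if not m:
        return None
    return m.group(1), m.group(2) or "subject"


def cn_of(subject: str) -> Optional[str]:
    """Extract the CN attribute from a subject such as 'C=US, CN=foo'."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            return value
    return None


def name_matches(subject: str, expected: str, match_type: str = "subject") -> bool:
    """Apply OpenVPN's verify-x509-name semantics for the three match types."""
    if match_type == "subject":        # whole subject DN must match exactly
        return subject == expected
    cn = cn_of(subject)
    if cn is None:
        return False
    if match_type == "name":           # CN must match exactly
        return cn == expected
    if match_type == "name-prefix":    # CN must start with the expected string
        return cn.startswith(expected)
    raise ValueError(f"unknown verify-x509-name type: {match_type}")


def check(log_lines: List[str], client_config: str) -> dict:
    """Compare what the server presented with what the client config expects."""
    chain = parse_chain(log_lines)
    err = parse_name_error(log_lines)
    presented = err[0] if err else chain.get(0)
    directive = parse_config_directive(client_config)
    result = {
        "ca_subject": chain.get(1),
        "presented_subject": presented,
        "configured": directive,
        "matches": None,
        "suggested_directive": None,
    }
    if presented is None or directive is None:
        return result  # nothing to compare: no leaf subject seen or no directive set
    expected, match_type = directive
    result["matches"] = name_matches(presented, expected, match_type)
    cn = cn_of(presented)
    if not result["matches"] and cn:
        # Keep name verification on; point it at the CN the server really uses.
        result["suggested_directive"] = f"verify-x509-name {cn} name"
    return result


# Constructed sample: the 'must be' value is a placeholder, not the real expected name.
SAMPLE_LOG = [
    "Nov 14 12:40:11 ovpn-client1[20213]: VERIFY OK: depth=1, CN=ChangeMe",
    "Nov 14 12:40:11 ovpn-client1[20213]: VERIFY KU OK",
    "Nov 14 12:40:11 ovpn-client1[20213]: VERIFY X509NAME ERROR: "
    "CN=pihole_e05ebf22-b14c-43ab-9a83-dedeaa0e2d6a, must be pihole_EXPECTED_PLACEHOLDER",
]
BROKEN_CONFIG = "client\nremote vpn.example.invalid 1194\nverify-x509-name pihole_EXPECTED_PLACEHOLDER name\n"
FIXED_CONFIG = "client\nremote vpn.example.invalid 1194\nverify-x509-name pihole_e05ebf22-b14c-43ab-9a83-dedeaa0e2d6a name\n"

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check(SAMPLE_LOG, cfg))
```

Run it against the real client log and `.ovpn` by replacing the constructed samples; `matches` reports whether the configured name would accept the certificate the server presented, and `suggested_directive` gives the line that makes the two agree without disabling the check.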