Good to hear.
As for the wiki account that is described on the main page: http://wiki.ampr.org/wiki/Main_Page
I believe Chris, G1FEF will set an account up for you.
On Tue, Sep 3, 2019 at 10:48 AM KM4EXS via 44Net 44net@mailman.ampr.org wrote:
I finally made some progress after a few hours of troubleshooting, spread over several days. It turns out that my callsign certificate was issued (signed) by an intermediate CA that expired in 2017. So I think the OH7LZB OpenVPN server was seeing that expired intermediate CA, and blocking the connection. I did not end up needing to use the "tls-version-min 1.0" command.
I toyed around with trying to use different (valid) intermediate CA certificates, but none of it worked. What did work is when I renewed my callsign certificate thru tQSL. Then after it was renewed and installed, I determined which certificate block (from certs file), intermediate block (from authorities file), and key block (from CALLSIGN (literally your callsign)) was the renewed one. For me, the last block in each file was the most recent. I used the 'openssl x509 --text < filename' command on Linux, to convert the ASCII encoded certificate to clear language.
Once I used that latest set of certificate, intermediate CA, and key, I was able to get connected. I'm not sure routing is working yet, but will work on validating that. I need to find some good IPs that have something hosted on them.
I do think that the wiki documentation needs an update. I'd happily contribute, but I'm not sure how to go about getting an account.
- Matt / KM4EXS
September 3, 2019 9:26 PM, "EA1HET Jonathan Gonzalez via 44Net" 44net@mailman.ampr.org wrote:
You shouldn’t use any other version than 1.2 as all of them are weak or broken.
Vy73 de EA1HET, Jonathan 0x539C9FAF
Sent from my tablet/mobile. Please, excuse my brevity and the presence of typos.
On Sep 3, 2019, at 6:56, Steve L via 44Net 44net@mailman.ampr.org wrote:
Have you tried adding this to the client.conf file?: tls-version-min 1.0
On Sat, Aug 31, 2019 at 5:32 AM Marcel Neupauer via 44Net 44net@mailman.ampr.org wrote:
Hi all,
I am a newbie on AMPRNet. I have the same problem with connecting to the VPN, TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity), but tls-cipher "DEFAULT:@SECLEVEL=0" is not working for me (it is not a regular config expression on Linux, only Windows maybe).
Please, can you help me?
Some information:
- Linux Mint environment, openvpn.
- setup by http://wiki.ampr.org/wiki/AMPRNet_VPN
- LoTW certificates stored in regular files and cleared to ---BEGIN ......END CERTIFICATE ---.
- amprnet-vpn-ca.crt used as CA-cert too.
log:
Sat Aug 31 12:24:42 2019 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
Sat Aug 31 12:24:42 2019 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Sat Aug 31 12:24:42 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Aug 31 12:24:43 2019 UDPv4 link local: [undef]
Sat Aug 31 12:24:43 2019 UDPv4 link remote: [AF_INET]85.188.1.118:1773
Sat Aug 31 12:24:43 2019 TLS: Initial packet from [AF_INET]85.188.1.118:1773, sid=9972ac7c 3c9d23bc
Sat Aug 31 12:24:43 2019 VERIFY OK: depth=1, O=AMPRnet, CN=OH7LZB VPN service CA
Sat Aug 31 12:24:43 2019 VERIFY OK: nsCertType=SERVER
Sat Aug 31 12:24:43 2019 VERIFY OK: depth=0, CN=ampr-gw.he.fi
Sat Aug 31 12:25:44 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Aug 31 12:25:44 2019 TLS Error: TLS handshake failed
Sat Aug 31 12:25:44 2019 SIGUSR1[soft,tls-error] received, process restarting
Sat Aug 31 12:25:44 2019 Restart pause, 2 second(s)
Thanks. Marcel OM0ATE
On Tue, Aug 20, 2019 at 4:52, David McAnally via 44Net 44net@mailman.ampr.org wrote:
I'm connecting after adding the tls-cipher line as suggested by Scott. I also had to clean up my key file to contain the last (active / not deleted) key with only the part between and including "-----BEGIN PUBLIC KEY-----" and "-----END ENCRYPTED PRIVATE KEY-----", which differs slightly from the description in the instructions. I also added "askpass" to the config file to prompt me for my key password. Also, on Windows OpenVPN 2.4.7 the config file is imported to "C:\Users%USERPROFILE%\OpenVPN\config\amprnet-vpn", so key and other files are manually copied there as well. I have not yet tried to connect from my Linux systems, but expect it should work there as well.
David M. WD5M
On Sun, Aug 18, 2019 at 8:23 PM KM4EXS via 44Net 44net@mailman.ampr.org wrote:
Hi everyone, new 44Net list member here. I'm trying to set up the OpenVPN connection to the OH7LZB VPN server. I'm primarily using this link (http://wiki.ampr.org/wiki/AMPRNet_VPN), but I am planning to update it once I get my connection working. Looking thru the archives, it seems a number of us have had challenges with the setup.
If someone has successfully configured it recently, maybe you can help me out with my setup? The encryption and auth seem to not negotiate, the connection never sets up. Per Hessu's response to my email (below), perhaps it has to do with the newer version / algorithms trying to get along with the server version.
Thanks in advance for any assist.
- Matt / KM4EXS
-------- Forwarded message -------
From: "Heikki Hannikainen" <hessu@hes.iki.fi>
To: matthew@alberti.us
Sent: August 18, 2019 12:13 PM
Subject: Re: 44Net VPN Setup
Hi,
I generally prefer to have these discussions on a mailing list so that the answers are archived publicly, and others can look for existing answers from the archive instead of asking the same question again. I run aprs.fi so I get a lot of questions and emails.
The log, at this verbosity level, doesn't actually say what went wrong in the negotiation. I think there was a thread on the 44list before where someone resolved this issue, something to do with new versions of openvpn openssl refusing to use the older algorithms currently configured on the VPN server.
https://mailman.ampr.org/mailman/private/44net
On Sat, 17 Aug 2019, matthew@alberti.us wrote:
Hi Hessu,
I pulled your e-mail address off the 44net mailman list. Didn't want to spam it, as I think I am missing something easy. I'm trying to set up an OpenVPN connection to your server, so that I can get an AMPRNet IP. I have followed the instructions at http://wiki.ampr.org/wiki/AMPRNet_VPN. It looks like I'm stuck after the CA is verified, but before the data channel encryption/auth is negotiated. Below are my logs. I was hoping you could take a look at the server side, my public IP is 184.82.197.68. I think I'm probably using the wrong client settings. I'm trying to set this up on a pfSense router.... so I have to enter all the settings manually. I am trying to use BF-CBC and SHA1... but also tried a few other combos. No luck. Thanks in advance!
- Matt Alberti / KM4EXS
Aug 17 16:47:52 openvpn 18908 SIGUSR1[soft,tls-error] received, process restarting
Aug 17 16:47:52 openvpn 18908 Restart pause, 5 second(s)
Aug 17 16:47:57 openvpn 18908 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 17 16:47:57 openvpn 18908 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 17 16:47:57 openvpn 18908 TCP/UDP: Preserving recently used remote address: [AF_INET] 85.188.1.118:1773
Aug 17 16:47:57 openvpn 18908 Socket Buffers: R=[42080->42080] S=[57344->57344]
Aug 17 16:47:57 openvpn 18908 UDP link local (bound): [AF_INET][undef]:0
Aug 17 16:47:57 openvpn 18908 UDP link remote: [AF_INET]85.188.1.118:1773
Aug 17 16:47:57 openvpn 18908 TLS: Initial packet from [AF_INET]85.188.1.118:1773 (via [AF_INET]184.82.197.68%), sid=368827b7 79c57373
Aug 17 16:47:59 openvpn 18908 VERIFY OK: depth=1, O=AMPRnet, CN=OH7LZB VPN service CA
Aug 17 16:47:59 openvpn 18908 VERIFY OK: depth=0, CN=ampr-gw.he.fi
Aug 17 16:48:57 openvpn 18908 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Aug 17 16:48:57 openvpn 18908 TLS Error: TLS handshake failed
- Hessu
44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
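Added example (not part of any message in this thread): a small Python triage over client logs like the two quoted above, showing why the "check your network connectivity" hint is misleading once the server's certificate has already verified. The function names and finding codes are made up for this example, the sample log is constructed with a placeholder address, and the splitter assumes OpenVPN's own timestamp format rather than the pfSense syslog prefix.

```python
import re

# Constructed sample: message texts follow the client logs quoted in the
# thread, flattened onto one line; the address is a documentation placeholder.
SAMPLE = (
    "Sat Aug 31 12:24:43 2019 UDPv4 link remote: [AF_INET]192.0.2.10:1773 "
    "Sat Aug 31 12:24:43 2019 TLS: Initial packet from [AF_INET]192.0.2.10:1773, sid=00000000 00000000 "
    "Sat Aug 31 12:24:43 2019 VERIFY OK: depth=1, O=AMPRnet, CN=OH7LZB VPN service CA "
    "Sat Aug 31 12:24:43 2019 VERIFY OK: depth=0, CN=ampr-gw.he.fi "
    "Sat Aug 31 12:25:44 2019 TLS Error: TLS key negotiation failed to occur "
    "within 60 seconds (check your network connectivity) "
    "Sat Aug 31 12:25:44 2019 TLS Error: TLS handshake failed"
)

# Zero-width match just before each "Sat Aug 31 12:24:43 2019 " style stamp.
STAMP = re.compile(r"(?=\b(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} [ \d]\d "
                   r"\d\d:\d\d:\d\d \d{4} )")

def split_entries(blob):
    """Undo the flattening: one list item per timestamped log entry."""
    return [part.strip() for part in STAMP.split(blob) if part.strip()]

def triage(entries):
    """Return finding codes (names invented here) for a failed client handshake."""
    seen = lambda text: any(text in e for e in entries)
    findings = []
    if seen("No server certificate verification method"):
        findings.append("SERVER_CERT_TYPE_NOT_CHECKED")
    if not seen("TLS key negotiation failed"):
        return findings
    if not seen("TLS: Initial packet from"):
        # Nothing ever came back: the connectivity hint is plausible.
        findings.append("NO_REPLY_FROM_SERVER")
    elif seen("VERIFY OK: depth=0"):
        # Server answered and its chain verified, then silence. Per the
        # thread, look at the client certificate chain (expired issuing
        # intermediate) and at TLS version/cipher compatibility.
        findings.append("STALLED_AFTER_SERVER_VERIFY")
    else:
        findings.append("STALLED_BEFORE_SERVER_VERIFY")
    return findings

if __name__ == "__main__":
    for entry in split_entries(SAMPLE):
        print(entry)
    print(triage(split_entries(SAMPLE)))
```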