Can you answer two questions on the OpenVPN client with TrustConnect Free?

When I start the OpenVPN client program using the command below (via the downloaded files delineated further below), I enter my Username and Password (the same ones that work fine in my disconnected TrustConnect Windows Client), and Ubuntu 10.04 responds with the error messages below:

  1. What did I do wrong?

ubuntu@ubuntu-4:~$ openvpn --config /etc/openvpn/free_client.conf
Mon Nov 1 06:30:16 2010 OpenVPN 2.1.0 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
Enter Auth Username:EnteredMyUsernameHere
Enter Auth Password:EnteredMyPasswordHere
Mon Nov 1 06:31:08 2010 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Mon Nov 1 06:31:08 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Nov 1 06:31:08 2010 Cannot load CA certificate file ca.crt path (null) (SSL_CTX_load_verify_locations): error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
Mon Nov 1 06:31:08 2010 Exiting

Note: I installed the OpenVPN client via Synaptic in Ubuntu 10.04, and I copied the ca.crt and free_client.conf Comodo files I downloaded into the /etc/openvpn directory, which already contained an update-resolv-conf file. Those are all the files in the /etc/openvpn directory.

  2. What command do I type in to disconnect the OpenVPN session?

    Note: I tried these other variants of the command for 1), which appears to be wrong in the Comodo Linux documentation, and got the responses shown:

ubuntu@ubuntu-4:~$ openvpn–openvpn config /etc/openvpn/client.conf
openvpn–openvpn: command not found

ubuntu@ubuntu-4:~$ openvpn–openvpn config /etc/openvpn/free_client.conf
openvpn–openvpn: command not found

ubuntu@ubuntu-4:~$ openvpn --openvpn config /etc/openvpn/free_client.conf
Options error: Unrecognized option or missing parameter(s) in [CMD-LINE]:1: openvpn (2.1.0)
Use --help for more information.

ubuntu@ubuntu-4:~$ openvpn config /etc/openvpn/free_client.conf
Options error: I'm trying to parse "config" as an --option parameter but I don't see a leading '--'
Use --help for more information.

Thanks for any help you can provide.

  1. Edit /etc/openvpn/free_client.conf and specify the absolute path to ca.crt:

ca /etc/openvpn/ca.crt

  2. Try to execute /etc/init.d/openvpn; you'll see the help. You can usually start (stop) openvpn with the /etc/init.d/openvpn start (stop) command.
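As an added check (not from the thread or from Comodo's documentation): a small shell helper that validates every file path in a client config the way openvpn resolves it, namely absolute paths as given, relative paths against the current working directory, or against the directory named by a `cd` line in the config. The list of file-taking options it scans is an assumption made for illustration, and `check_conf_paths` is a hypothetical name.

```shell
#!/bin/sh
# Added example, not part of the thread or of Comodo's documentation:
# preflight check that every file an OpenVPN client config refers to exists,
# resolving paths the way openvpn does (absolute as given; relative against the
# current directory, or against the directory named by a "cd" line).
# The list of file-taking options below is an assumption for illustration.

# check_conf_paths CONF [WORKDIR]
# Prints one line per file option; returns 1 if any referenced file is missing.
check_conf_paths() {
    conf=$1
    workdir=${2:-$PWD}
    rc=0
    while read -r opt arg rest; do
        case "$opt" in
            cd)
                workdir=$arg            # later relative paths resolve from here
                ;;
            ca|cert|key|dh|tls-auth|pkcs12|crl-verify|auth-user-pass)
                if [ -z "$arg" ]; then
                    continue            # bare "auth-user-pass": prompts interactively
                fi
                case "$arg" in
                    /*) path=$arg ;;
                    *)  path=$workdir/$arg ;;
                esac
                if [ -f "$path" ]; then
                    echo "ok       $opt -> $path"
                else
                    echo "MISSING  $opt -> $path"
                    rc=1
                fi
                ;;
        esac
    done < "$conf"
    return $rc
}

# usage: check_conf_paths /etc/openvpn/free_client.conf
# With the original "ca ca.crt" line and openvpn started from the home
# directory, this reports "MISSING  ca -> /home/ubuntu/ca.crt", which is the
# condition behind the "Cannot load CA certificate file ca.crt" error above.
```

Run it from the same directory you would start openvpn in (or pass that directory as the second argument), because that is what decides where a relative `ca ca.crt` is looked up.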

dlimonov and others:

Thanks for your reply. openVPN ALMOST works with TrustConnect Free now! Could you take a look and suggest what else I need to change?

If I read this right, a TCP connection now gets made but the Comodo certificate somehow fails. Thanks again.

After I edited the free_client.conf file line as you suggested, here’s the command and responses I get now:

ubuntu@ubuntu-4:~$ openvpn --config /etc/openvpn/free_client.conf
Tue Nov 2 15:24:51 2010 OpenVPN 2.1.0 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
Enter Auth Username:EnteredMyUsernameHere
Enter Auth Password:EnteredMyPasswordHere
Tue Nov 2 15:25:03 2010 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Tue Nov 2 15:25:03 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Nov 2 15:25:03 2010 LZO compression initialized
Tue Nov 2 15:25:03 2010 Attempting to establish TCP connection with [AF_INET]91.212.12.68:443 [nonblock]
Tue Nov 2 15:25:04 2010 TCP connection established with [AF_INET]91.212.12.68:443
Tue Nov 2 15:25:04 2010 TCPv4_CLIENT link local: [undef]
Tue Nov 2 15:25:04 2010 TCPv4_CLIENT link remote: [AF_INET]91.212.12.68:443
Tue Nov 2 15:25:05 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Nov 2 15:25:08 2010 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=UA/L=Odessa/O=Comodo/OU=CSP/CN=Comodo_CA/emailAddress=csp@comodo.od.ua
Tue Nov 2 15:25:08 2010 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Nov 2 15:25:08 2010 NOTE: --mute triggered…
Tue Nov 2 15:25:08 2010 2 variation(s) on previous 2 message(s) suppressed by --mute
Tue Nov 2 15:25:08 2010 Fatal TLS error (check_tls_errors_co), restarting
Tue Nov 2 15:25:08 2010 SIGTERM[soft,tls-error] received, process exiting
ubuntu@ubuntu-4:~$

It seems you are attempting to use the wrong certificate.
Try to re-download the .conf and .crt files from here:
https://download.comodo.com/trustconnect/free_client.conf
https://accounts.comodo.com/download/trustconnect/ca.crt
and put them into /etc/openvpn/.
Then edit free_client.conf as described above to specify the path to ca.crt, or you may leave it unchanged; in that case you should change directory to /etc/openvpn/ and launch openVPN from there.

dlimonov and others:

I tried to re-download the free_client.conf and ca.crt files, but these seem to be the same files I already have (see below):

-The free_client.conf file was originally downloaded from the same URL you gave me, except it was an http rather than an https address. Since the https address download aborted saying “the source file could not be read”, I believe there is no free_client.conf file currently there. And since the manual says use an http address, I believe the http address is currently correct. I re-downloaded from the http address the free_client.conf file to be safe, but when I used gedit to compare it to the original download, the contents of both files were the same, except for the editing of the ca line you suggested which finally got openvpn to start up. The contents of the edited free_client.conf file as displayed in gedit are listed below.

-I cannot re-download ca.crt because when I try I get the message: "This certificate is already installed as a certificate authority". However, since this was originally downloaded from the exact same URL you gave me and I didn't see a download error, I don't think a re-download would be any different anyway. Gedit is the only program I could get to display the ca.crt contents, such as they are. To see if the current version is correct, the contents of my ca.crt file as displayed in gedit are listed below.

*** NOTE: when I downloaded ca.crt originally, I was given a choice of checking 3 boxes, i.e. did I want to use ca.crt for:

  1. web site
  2. email users
  3. software developers

I checked all 3 boxes.
*** Was checking all 3 boxes wrong; if so, how can I fix this?

*** Any suggestions on what to do next? Should I edit either of the files below? Download new ones from another URL? Modify my openvpn command? Other suggestions? You can review the openvpn --config /etc/openvpn/free_client.conf command and its responses in my last post above. Please see the file contents below:

The contents of the edited free_client.conf file as displayed in gedit are:

client
dev tap
proto tcp

remote uk2.vpn.comodo.com 443
remote-random

auth-user-pass
resolv-retry infinite
nobind
persist-key
persist-tun
pull
remap-usr1 SIGTERM

ca ca.crt
ns-cert-type server
tls-remote ComodoVPNS

mute-replay-warnings
mute 2
comp-lzo
verb 1

The contents of my ca.crt file as displayed in gedit are:

-----BEGIN CERTIFICATE-----
[base64 certificate body not preserved in this copy of the post]
-----END CERTIFICATE-----

Thanks for any information you can provide.

Correction:

Whoops, I goofed and listed the original free_client.conf instead of the edited free_client.conf that I modified for the openvpn command above.

so the line above listed as
ca ca.crt
should really be
ca /etc/openvpn/ca.crt

the correct modified free_client.conf file I’m using is listed below:

dev tap
proto tcp

remote uk2.vpn.comodo.com 443
remote-random

auth-user-pass
resolv-retry infinite
nobind
persist-key
persist-tun
pull
remap-usr1 SIGTERM

ca /etc/openvpn/ca.crt
ns-cert-type server
tls-remote ComodoVPNS

mute-replay-warnings
mute 2
comp-lzo
verb 1

Your certificate is really wrong. Its subject: C=DE, ST=Hessen, L=Fulda, O=Debconf, CN=Debconf CA/emailAddress=joerg@debian.org
You should delete your current ca.crt from /etc/openvpn/ (or move it to any temporary dir, if you need it). Then download the certificate from https://accounts.comodo.com/download/trustconnect/ca.crt
You can do it by right-clicking (see attached screenshot) or with the command:
wget https://accounts.comodo.com/download/trustconnect/ca.crt
Then place the certificate into /etc/openvpn/

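A check a practitioner would run before re-downloading anything, added here and not from the thread: print the subject of the CA file OpenVPN has been told to trust and compare it with the CA you expect. The "VERIFY ERROR: depth=1 ... self signed certificate in certificate chain" line earlier means the root the server presented (CN=Comodo_CA) is not in the ca file, so the ca file's own subject is the first thing to look at. The expected CN "Comodo_CA" is taken from the subject OpenVPN printed in that error; `check_ca` itself is a hypothetical helper, and openssl must be installed.

```shell
#!/bin/sh
# Added example, not from the thread: confirm whose root certificate is in the
# file OpenVPN was told to trust ("ca /etc/openvpn/ca.crt") before connecting.
# "VERIFY ERROR: depth=1 ... self signed certificate in certificate chain"
# means the root the server presented is not in that file, so the file's own
# subject is the first thing to look at. check_ca is a hypothetical helper.

# check_ca FILE EXPECTED_CN
# Prints the CA's subject; returns 0 only if its CN is exactly EXPECTED_CN.
check_ca() {
    if ! subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null); then
        echo "not a PEM certificate: $1" >&2
        return 1
    fi
    # Match both subject formats: "/C=.../CN=X/emailAddress=..." (OpenSSL 1.0)
    # and "C = ..., CN = X, emailAddress = ..." (OpenSSL 1.1 and later).
    # CN may end the subject or be followed by the next field, as in the
    # Comodo subject OpenVPN printed above, so anchor on both forms.
    case "$subj" in
        *"/CN=$2"|*"/CN=$2/"*|*"CN = $2"|*"CN = $2,"*)
            echo "ok: $subj"
            return 0 ;;
        *)
            echo "UNEXPECTED CA: $subj" >&2
            return 1 ;;
    esac
}

# usage: check_ca /etc/openvpn/ca.crt Comodo_CA
# For a file holding the Debconf CA that dlimonov identified above, this
# prints "UNEXPECTED CA: ..." with that subject and returns 1; for the
# TrustConnect root it prints "ok: ..." and returns 0.
```

A file that passes `openssl x509` but shows the wrong CN is exactly the situation in this thread: the PEM was well-formed, so OpenVPN loaded it without complaint, and the mismatch only surfaced as a verify error once the server presented its chain.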

dlimonov and others:

Thanks again. Sorry for delay in responding with my results. Busy.

After following your advice, I now seem to have some sort of operating state, but the following happens:

  1. OpenVPN on Ubuntu terminal sits there with no final return prompt (is this normal?) as you can see in a copy of the open VPN dialog below.

  2. When I try to go to any web site with Firefox, I get a Server Not Found message. After that happens, the only way I know to connect using Firefox with this openVPN state is to reboot.

*** Do you have any suggestions on what I might do now? I can't find any added steps I need to do in the Comodo Linux Configuration Guide; have I missed something? I've been busy getting ready for a 4-day trip; I leave tomorrow. I hope to use TrustConnect Free with openVPN on this trip.

Here’s the dialog of what happens:

ubuntu@ubuntu-4:~$ sudo openvpn --config /etc/openvpn/free_client.conf
[sudo] password for ubuntu:
Thu Nov 11 14:20:38 2010 OpenVPN 2.1.0 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
Enter Auth Username:EnteredMyUsernameHere
Enter Auth Password:EnteredMyPasswordHere
Thu Nov 11 14:20:49 2010 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Thu Nov 11 14:20:49 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Nov 11 14:20:49 2010 LZO compression initialized
Thu Nov 11 14:20:49 2010 Attempting to establish TCP connection with [AF_INET]91.212.12.68:443 [nonblock]
Thu Nov 11 14:20:50 2010 TCP connection established with [AF_INET]91.212.12.68:443
Thu Nov 11 14:20:50 2010 TCPv4_CLIENT link local: [undef]
Thu Nov 11 14:20:50 2010 TCPv4_CLIENT link remote: [AF_INET]91.212.12.68:443
Thu Nov 11 14:20:51 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Nov 11 14:20:57 2010 [ComodoVPNS-3] Peer Connection Initiated with [AF_INET]91.212.12.68:443
Thu Nov 11 14:20:59 2010 TUN/TAP device tap0 opened
Thu Nov 11 14:20:59 2010 /sbin/ifconfig tap0 172.20.2.38 netmask 255.255.255.0 mtu 1500 broadcast 172.20.2.255
Thu Nov 11 14:21:00 2010 Initialization Sequence Completed

Appreciate your help.

1) OpenVPN on Ubuntu terminal sits there with no final return prompt (is this normal?) as you can see in a copy of the open VPN dialog below.

Yes, this is normal because you run the client manually and it's running in the foreground. To get the return prompt, you should use the system init script (/etc/init.d/openvpn start/stop/status) to start/stop/check the status of the openVPN client. (In this case you should remove/rename unneeded *.conf files from /etc/openvpn/.)

2) When I try to go to any web site with Firefox, I get a Server Not Found message. After that happens, the only way I know to connect using Firefox with this openVPN state is to reboot.

You should define the DNS server that you're using for the openVPN connection.

Try to add the following line into /etc/openvpn/free_client.conf:

route DNS_IP 255.255.255.255 DEF_ROUTE_IP

where DNS_IP - your DNS server’s IP (see /etc/resolv.conf)
and DEF_ROUTE_IP - IP of your default router.

example:
route 192.168.1.77 255.255.255.255 192.168.1.1

You may also add the following line to this file:
log /var/log/openvpn.log
to log the openvpn’s messages.
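The route suggestion above, turned into a helper (added example, not from the thread): it reads the nameserver lines and the default gateway out of the text of /etc/resolv.conf and `ip route` (or `route -n`) and emits one `route DNS_IP 255.255.255.255 DEF_ROUTE_IP` line per resolver, so the two addresses do not have to be copied by hand. The sample resolver and routing-table text embedded in the block is constructed. One caveat added here: a loopback resolver (127.x, a local stub such as dnsmasq) cannot be reached through the LAN gateway, so the helper skips it rather than emit a useless route for it. `default_gw` and `dns_route_lines` are hypothetical names.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread): build the
# "route DNS_IP 255.255.255.255 DEF_ROUTE_IP" line suggested above from the
# resolver and routing tables instead of copying the addresses by hand.
# Both functions take the table text as arguments so they run offline.

# default_gw ROUTE_TEXT
# Prints the gateway of the default route from "ip route" or "route -n" output.
default_gw() {
    printf '%s\n' "$1" | awk '
        $1 == "default" && $2 == "via" { print $3; exit }   # ip route
        $1 == "0.0.0.0"                { print $2; exit }   # route -n
    '
}

# dns_route_lines RESOLV_TEXT ROUTE_TEXT
# Prints one "route" line per non-loopback nameserver; returns 1 if there is
# no default gateway or no usable nameserver.
dns_route_lines() {
    gw=$(default_gw "$2")
    if [ -z "$gw" ]; then
        echo "no default gateway found" >&2
        return 1
    fi
    lines=$(printf '%s\n' "$1" | awk -v gw="$gw" '
        # skip 127.x: a local stub resolver is not behind the LAN gateway
        $1 == "nameserver" && $2 !~ /^127\./ {
            print "route " $2 " 255.255.255.255 " gw
        }')
    if [ -z "$lines" ]; then
        echo "no non-loopback nameserver in resolv.conf" >&2
        return 1
    fi
    printf '%s\n' "$lines"
}

# Constructed sample inputs (not from the thread) for an offline dry run.
SAMPLE_RESOLV='nameserver 192.168.1.77
nameserver 127.0.0.1
search example.lan'
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0  proto static
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.50'

# dns_route_lines "$SAMPLE_RESOLV" "$SAMPLE_ROUTES"
#   -> route 192.168.1.77 255.255.255.255 192.168.1.1
# live use:
#   dns_route_lines "$(cat /etc/resolv.conf)" "$(ip route)"
# and paste the output into /etc/openvpn/free_client.conf.
```

Run the live form before bringing the tunnel up, while /etc/resolv.conf and the routing table still describe the LAN; once OpenVPN has pushed routes the default route it reports may already be the tunnel's.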