OpenVPN Profile Peer certificate verification Failure

I am working with a Balance One, FW 8.3.0 build 5514, trying to set up the OpenVPN server.

After enabling Remote User Access and downloading the OpenVPN profile file from the status page I get this error:

Error message: Peer certificate verification failure

I have tried both profiles (route all DNS or not) and both result in the same error.

On the client computer this is what I can see in the logs; any ideas what I'm doing wrong?
P.S. When I tested the L2TP server I was able to connect just fine, however it's very slow, hence the hope that OpenVPN will be faster.

[Dec 26, 2023, 14:56:17] Frame=512/2048/512 mssfix-ctrl=1250
[Dec 26, 2023, 14:56:17] UNUSED OPTIONS
5 [resolv-retry] [infinite]
6 [nobind]
7 [persist-key]
8 [persist-tun]
10 [verb] [3]
13 [tls-client]
[Dec 26, 2023, 14:56:17] EVENT: RESOLVE
[Dec 26, 2023, 14:56:17] Contacting 50.***.***.161:1194 via UDP
[Dec 26, 2023, 14:56:17] EVENT: WAIT
[Dec 26, 2023, 14:56:17] UnixCommandAgent: transmitting bypass route to /var/run/agent_ovpnconnect.sock
{
	"host" : "50.***.***.161",
	"ipv6" : false,
	"pid" : 812
}

[Dec 26, 2023, 14:56:17] Connecting to [50.***.***.161]:1194 (50.***.***.161) via UDPv4
[Dec 26, 2023, 14:56:17] EVENT: CONNECTING
[Dec 26, 2023, 14:56:17] Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client
[Dec 26, 2023, 14:56:17] Creds: Username/Password
[Dec 26, 2023, 14:56:17] Peer Info:
IV_VER=3.git::d06e216e
IV_PLAT=mac
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
IV_GUI_VER=OCmacOS_3.3.1-4000
IV_SSO=openurl,crtext

[Dec 26, 2023, 14:56:18] Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Dec 26, 2023, 14:56:18] EVENT: CERT_VERIFY_FAIL OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Dec 26, 2023, 14:56:18] EVENT: DISCONNECTED
[Dec 26, 2023, 14:56:22] Raw stats on disconnect:
 BYTES_IN : 3171
 BYTES_OUT : 521
 PACKETS_IN : 5
 PACKETS_OUT : 4
 SSL_ERROR : 1
 CERT_VERIFY_FAIL : 1

I installed another VPN client that supports OpenVPN (Tunnelblick) and in its log I can see something about an expired certificate, but I have just enabled and created the profile on the Balance One.
Under Certificates in the sidebar I only see Default Certificate is used w/o option to revoke or regenerate.

2023-12-26 18:27:26.742826 VERIFY ERROR: depth=1, error=certificate has expired: C=US, O=Peplink, CN=OpenVPN CA/[email protected], serial=71978259974721770160327875745257801959083863175
2023-12-26 18:27:26.742982 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2023-12-26 18:27:26.743054 TLS_ERROR: BIO read tls_read_plaintext error
2023-12-26 18:27:26.743306 TLS Error: TLS object -> incoming plaintext read error
2023-12-26 18:27:26.743351 TLS Error: TLS handshake failed
2023-12-26 18:27:26.744632 SIGUSR1[soft,tls-error] received, process restarting
2023-12-26 18:27:26.744745 MANAGEMENT: >STATE:1703590046,RECONNECTING,tls-error,,,,,
2023-12-26 18:27:26.755475 MANAGEMENT: CMD 'hold release'

Updated to 8.4.0 but that didn't help.

Contacting support didn't help. No one bothered replying to my ticket. Great.

The solution for me was to install my own generated valid OpenVPN certs.
In case someone else is hitting the same issue: I ran this on my local machine to generate the CA and then copy/pasted the files' content into the OpenSSL certificate section of the Certificate Manager (Network → Misc → Certificate Manager).

Run this one-liner and fill in the details at the prompts. This is valid for 10 years; adjust the line as needed.

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650
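Added example, not code from the thread or from Peplink: the Tunnelblick log earlier in the thread fails at depth=1 with "certificate has expired", which means the issuing CA carried in the profile's <ca> block is past its notAfter date. The script below pulls that CA out of an .ovpn file and checks its remaining validity with the openssl CLI (assumed to be installed), so an expired profile can be recognised before reconnect attempts start. The CA, the profile and its remote host name are constructed inside the script; a real profile from the router would be passed in the same way.

```shell
#!/bin/sh
# Added example (not from the thread or from Peplink): check the validity
# window of the CA certificate embedded in an OpenVPN client profile (.ovpn).
# Assumes the openssl CLI is on PATH; the CA and profile are constructed below.

# Print the PEM certificate between <ca> and </ca> in the profile given as $1.
extract_ca() {
    sed -n '/^<ca>/,/^<\/ca>/p' "$1" | sed '1d;$d'
}

# Print the notAfter date of the CA embedded in profile $1.
profile_ca_not_after() {
    extract_ca "$1" | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 if the CA in profile $1 is still valid for at least $2 more seconds,
# 1 if it has already expired or will expire inside that window.
profile_ca_valid_for() {
    extract_ca "$1" | openssl x509 -noout -checkend "$2" >/dev/null
}

# Build a constructed sample: a throwaway 10-year CA (same openssl invocation
# as the post above, made non-interactive with -nodes and -subj) wrapped in a
# minimal client profile. Prints the path of the generated .ovpn file.
make_sample_profile() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=US/O=Example/CN=Example OpenVPN CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    {
        printf 'client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n'
        printf '<ca>\n'
        cat "$dir/ca.crt"
        printf '</ca>\n'
    } > "$dir/client.ovpn"
    printf '%s\n' "$dir/client.ovpn"
}

# Usage: report the CA expiry of a profile and whether it outlives the next 30 days.
PROFILE=$(make_sample_profile)
printf 'CA notAfter: %s\n' "$(profile_ca_not_after "$PROFILE")"
if profile_ca_valid_for "$PROFILE" $((30 * 86400)); then
    echo "CA certificate is valid for at least 30 more days"
else
    echo "CA certificate has expired or expires within 30 days: regenerate the CA and redistribute the profile"
fi
```

Run it against a downloaded profile by replacing the constructed `$PROFILE` with the path of the .ovpn file; `-checkend` with a window of a few weeks gives early warning, which matters here because the router offers no revoke or regenerate control for the default certificate and every client needs a fresh profile once the CA is replaced.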

Mind sharing the ticket number? This allows me to understand what is going wrong. FYI, I don't see the reported issue with the latest firmware version.

Last year I set up Remote User Access for a Pepwave Surf SOHO using OpenVPN. I had it working and was able to connect to the router and perform work remotely on a local area network both from an OpenVPN Connect 3.4.7 client on a MacBook Pro and from an OpenVPN Connect client on an iPad. It has now stopped working with “Peer certificate verification failure” error messages at both clients.

The SOHO’s firmware is 8.3.0. The client operating systems are the latest available, macOS Sequoia 15.5 and iPadOS 18.5.

I noticed that in the SOHO's Certificate Manager panel there is a yellow triangle with an exclamation mark next to the OpenVPN CA label (see attached). Hovering a pointer over it pops up the message "Redistribution of OpenVPN client profile is mandatory after factory restore unless the same CA certificate is uploaded." There has been no factory restore.

I did try again generating and downloading a new OpenVPN client profile to both clients, but the same error message appears when an attempt is made to connect remotely.

I then tried creating a self-signed certificate and importing it into the SOHO router, following all the steps in the Knowledge document "How to create a Self-Signed Certificate and Import it to a Peplink Product" (generate a private key; generate a Certificate Signing Request; generate a self-signed certificate using the PK and the CSR; import the PK and self-signed certificate into the router; verify the certificate), then generated and downloaded a new OpenVPN client profile to my client devices. Attempts to connect from both clients produced the same error message as before.

I am stymied at this point. Can anyone advise me on why it may have stopped working and what is needed to get it working again?

Thanks!

Steve Westfall