OpenVPN Notes

Time-difference between Client/Server

OpenVPN relies on consistent time between client and server. A time difference can cause problems on two levels:

Symptom: OpenVPN refuses to connect because of a time difference between server and client

With default replay protection

Client-side

TLS Error: Unroutable control packet received from 80.69.65.224:10494 (si=3 op=P_CONTROL_V1)

Server-side

TLS: new session incoming connection from 80.100.97.87:54702
read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

With replay protection disabled (no-replay)

Client-side

VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CO/ST=Province/L=City/O=Organisation/CN=ca.auxmgt.ncbv/emailAddress=email@domain.com
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

Server-side

Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #21 / time = (1199146245) Tue Jan  1 01:10:45 2008 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
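
The clock-related lines above can be picked out of a log automatically. The following is an added example, not part of the original notes: it matches the two messages quoted on this page and estimates the peer's clock offset from the epoch printed in the "bad packet ID" line. The function names and LOCAL_EPOCH are assumptions made for the example, and the printed epoch is treated only as an approximation of the peer's clock.

```python
import re

# Patterns copied from the log lines quoted on this page.
NOT_YET_VALID = re.compile(
    r"VERIFY ERROR: depth=(\d+), error=certificate is not yet valid: (.+)")
BAD_PACKET_ID = re.compile(
    r"bad packet ID \(may be a replay\): \[ #(\d+) / time = \((\d+)\)")

# Two clock-related lines from the page (the last one shortened) and one unrelated line.
SAMPLE_LOG = """\
VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=CO/ST=Province/L=City/O=Organisation/CN=ca.auxmgt.ncbv/emailAddress=email@domain.com
TLS Error: TLS handshake failed
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #21 / time = (1199146245) Tue Jan  1 01:10:45 2008 ] -- see the man page entry for --no-replay
"""

# Constructed value: pretend the local clock was one hour ahead of the peer.
LOCAL_EPOCH = 1199146245 + 3600


def classify(line):
    """Return (kind, detail) for a clock-skew symptom, or None for other lines."""
    m = NOT_YET_VALID.search(line)
    if m:
        return "cert_not_yet_valid", {"depth": int(m.group(1)),
                                      "subject": m.group(2).strip()}
    m = BAD_PACKET_ID.search(line)
    if m:
        return "bad_packet_id", {"packet_id": int(m.group(1)),
                                 "peer_epoch": int(m.group(2))}
    return None


def scan(lines, local_epoch):
    """Collect clock-skew symptoms; add skew_s (peer minus local) where known."""
    findings = []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        kind, detail = hit
        if kind == "bad_packet_id":
            # Negative skew means the peer's clock is behind the local clock.
            detail["skew_s"] = detail["peer_epoch"] - local_epoch
        findings.append((kind, detail))
    return findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_LOG.splitlines(), LOCAL_EPOCH):
        print(kind, detail)
```

A "certificate is not yet valid" hit at depth=1 points at the CA certificate's start date being ahead of the verifying side's clock, which is why checking the clocks comes before reissuing certificates.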