Louis Matthijssen

After upgrading to OpenVPN 2.4.0, I got the following error when trying to connect to OpenVPN:

TLS: Initial packet from [AF_INET]x.x.x.x:50263, sid=2bd2de7a bd6f8694
VERIFY ERROR: depth=0, error=CRL has expired: CN=louis
OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, client-instance restarting

It appears that OpenVPN 2.4 no longer accepts a CRL whose nextUpdate value is in the past, i.e. an expired CRL.

Fixing this issue is simple: regenerate the CRL.

I used EasyRSA to generate my CRL in the past, so I was able to fix it using these commands:

cd /etc/openvpn/easy-rsa
./easyrsa gen-crl
systemctl restart openvpn
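To catch this before clients start failing, the following added check (not part of the original post) reads the nextUpdate field of a CRL with the openssl CLI and exits non-zero when it has expired or is about to; it assumes GNU date and the path of your CRL as an argument.

```sh
#!/bin/sh
# Added example: report an OpenVPN CRL whose nextUpdate has passed (which
# OpenVPN 2.4 treats as a verification failure) or is close to passing.
# Assumes GNU date (-d) and the openssl command-line tool.

# crl_seconds_left NEXTUPDATE_LINE
#   Takes the line printed by `openssl crl -noout -nextupdate`, e.g.
#   "nextUpdate=Jan 10 12:00:00 2017 GMT", and prints the number of seconds
#   until that moment. A negative number means the CRL has already expired.
crl_seconds_left() {
  nextupdate=${1#nextUpdate=}
  expiry=$(date -u -d "$nextupdate" +%s) || return 2
  echo $(( $expiry - $(date -u +%s) ))
}

# check_crl CRL_FILE [WARN_DAYS]
#   Exit 0 when the CRL stays valid for more than WARN_DAYS (default 7),
#   1 when it is already expired, 3 when it expires within WARN_DAYS and
#   2 when the file cannot be read or parsed. Suitable for cron or monitoring.
check_crl() {
  crl=$1 warn_days=${2:-7}
  line=$(openssl crl -in "$crl" -noout -nextupdate 2>/dev/null) || return 2
  left=$(crl_seconds_left "$line") || return 2
  if [ "$left" -lt 0 ]; then
    echo "EXPIRED: $crl nextUpdate passed $(( $left / -86400 )) day(s) ago"
    return 1
  elif [ "$left" -lt $(( $warn_days * 86400 )) ]; then
    echo "WARNING: $crl expires in $(( $left / 86400 )) day(s)"
    return 3
  fi
  echo "OK: $crl valid for $(( $left / 86400 )) more day(s)"
}

# Pass the CRL your server config's crl-verify directive points to.
if [ -n "${1:-}" ]; then
  check_crl "$1" "${2:-7}"
fi
```

When it warns, regenerate the CRL with `./easyrsa gen-crl` as shown above and restart OpenVPN.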

Louis Matthijssen

This post explains how to add IPv6 to OpenVPN and route to the internet.

Some steps in this post may not be necessary or optimal. This post only contains the steps I took to make IPv6 work: I didn't do any research.

Environment information

Name                Value
Server IPv6         2a00:d880:5:7fe::6ad8
OpenVPN IPv6 pool   2001:db8:0:123::/64
Server OS           Debian Sid
OpenVPN version     OpenVPN 2.4.0

Enable IPv6 forwarding

Execute the following command to enable IPv6 forwarding:

sysctl net.ipv6.conf.all.forwarding=1

Add (or uncomment) the following line in /etc/sysctl.conf so that forwarding is enabled automatically on the next boot as well:

net.ipv6.conf.all.forwarding=1

Enable IPv6 NAT

This requires iptables, so install it:

apt install iptables

Execute the following commands. They allow traffic from the OpenVPN clients to be forwarded and translated (SNAT) to the server's IPv6 address, and back, and open the OpenVPN port (UDP 1194) for IPv6. Make sure to replace the server IPv6 address:

ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -I FORWARD -s 2001:db8:0:123::/64 -j ACCEPT
ip6tables -I INPUT -p udp --dport 1194 -j ACCEPT
ip6tables -t nat -A POSTROUTING -s 2001:db8:0:123::/64 -j SNAT --to 2a00:d880:5:7fe::6ad8

You can add these commands to /etc/rc.local (for example) to apply them on boot as well.

Enable IPv6 in OpenVPN

Add the following lines to the server configuration:

server-ipv6 2001:db8:0:123::/64
push "route-ipv6 2000::/3"

Restart OpenVPN

All required configuration is now in place; restart OpenVPN:

systemctl restart openvpn

Louis Matthijssen

To allow only specific IP addresses to connect to a specific port, use the following iptables commands:

iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 3306 -j DROP
iptables -I INPUT -p tcp -s 192.168.1.100 --dport 3306 -j ACCEPT

Where:

  • tcp is the protocol (may also be udp)
  • 192.168.1.100 is the IP address (change it to the one you want to allow)
  • 3306 is the port number (change it as well)

The first command blocks all communication to this port. The second command then adds an exception for a specific IP address; repeat it for every IP address that should be allowed.
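Both this post and the IPv6 post above suggest re-running the rules from /etc/rc.local, and plain `-I`/`-A` adds a duplicate rule on every run. The following added script (not from the original posts) wraps the same rules so they are only inserted when absent, using the `-C` check of iptables/ip6tables; the pool, server address, port and client IP are the posts' sample values and are meant to be replaced.

```sh
#!/bin/sh
# Added example: apply the ip6tables rules from the IPv6 post and the per-port
# allowlist from this post idempotently, so re-running from /etc/rc.local does
# not stack duplicate rules. Sample addresses come from the posts.

# ensure_rule TOOL TABLE CHAIN RULE...
#   Insert RULE at the top of CHAIN unless an identical rule is already there
#   (iptables/ip6tables -C exits 0 when a matching rule exists).
ensure_rule() {
  tool=$1 table=$2 chain=$3
  shift 3
  if "$tool" -t "$table" -C "$chain" "$@" 2>/dev/null; then
    return 0                      # already present: nothing to do
  fi
  "$tool" -t "$table" -I "$chain" "$@"
}

# port_allowlist TOOL PROTO PORT IP...
#   Drop PROTO/PORT for everyone, then insert one ACCEPT per allowed source.
#   Because -I prepends, every ACCEPT ends up above the DROP, as in the post.
port_allowlist() {
  tool=$1 proto=$2 port=$3
  shift 3
  ensure_rule "$tool" filter INPUT -p "$proto" --dport "$port" -j DROP
  for ip in "$@"; do
    ensure_rule "$tool" filter INPUT -p "$proto" -s "$ip" --dport "$port" -j ACCEPT
  done
}

# openvpn_ipv6_nat POOL SERVER_IPV6
#   The four ip6tables rules from the IPv6 post: accept replies, forward the
#   VPN pool, open UDP 1194 and SNAT the pool to the server's global address
#   (inserted with -I instead of -A; with a single NAT rule the position is
#   irrelevant).
openvpn_ipv6_nat() {
  pool=$1 server=$2
  ensure_rule ip6tables filter FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  ensure_rule ip6tables filter FORWARD -s "$pool" -j ACCEPT
  ensure_rule ip6tables filter INPUT -p udp --dport 1194 -j ACCEPT
  ensure_rule ip6tables nat POSTROUTING -s "$pool" -j SNAT --to "$server"
}

# Only touch the live firewall when invoked explicitly with "apply" (needs root).
if [ "${1:-}" = apply ]; then
  openvpn_ipv6_nat 2001:db8:0:123::/64 2a00:d880:5:7fe::6ad8
  port_allowlist iptables tcp 3306 192.168.1.100
fi
```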

Louis Matthijssen

To use drop shadow on text in GIMP:

  • Insert text
  • Right click the text layer and choose Text to Path
  • Open the Select menu and choose From Path
  • Open the Filters menu, choose Lights and Shadow, and click Drop Shadow...
  • Adjust the settings to your needs and click OK

Louis Matthijssen

KeePass 2.x only supports SSL 3 and TLS 1.0. As I don't want to enable TLS 1.0 for my websites, I couldn't use KeePass with WebDAV.

I've opened a bug report for this problem.

Simple workaround

Recently I thought of a solution for this problem: I simply created a virtual host on a different port so I could enable TLS 1.0 just on that port.

Fixing the code yourself

Another solution is to build KeePass yourself. This requires a bit of programming knowledge, but I'll explain:

  • Download the latest KeePass source
  • Open the solution using Visual Studio
  • Set the target framework for each project in the solution to .NET 4.5 (this is the first version that supports TLS 1.1 and TLS 1.2):
    • Right click on the project in the solution explorer and choose Properties
    • Under Target framework: choose .NET Framework 4.5
    • Click Yes in the dialog that shows up
  • Open KeePassLib\Serialization\IOConnection.cs using the solution explorer
  • Find the method PrepareWebAccess
  • Add the following line to the method:
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
  • Change Debug to Release in the toolbar at the top
  • Open the Build menu and choose Build Solution

Now you have KeePass with TLS 1.1 and TLS 1.2 support. The executable is located in the Build\KeePass\Release directory in the source code directory.

Louis Matthijssen

Recently, a computer (Windows 10) had a limited network connection, and when using the troubleshooter I got "one or more network protocols are missing".

I've tried many software fixes, but none of them worked. I reinstalled Windows completely, upgraded the UEFI and even reset it, installed an additional NIC and even tried a cable from a PC that had a working internet connection, but the issue persisted.

Eventually I found the problem. It was another network device that was somehow interfering with the network. I unplugged that device from the network, and everything worked perfectly fine again.