Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,795 questions
OpenVPN connect to azure VNET: Peer certificate verification failure
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 47%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
Edvard
0
Reputation points
Hello anyone!
I'm trying to configure VPN Gateway to provide access to VNET in Azure. For this I used following documentation:
https://learn.microsoft.com/en-us/azure/vpn-gateway/create-routebased-vpn-gateway-cli
In the result I wrote following bash script for creating required services in Azure:
#!/bin/bash
set -e
eval $(grep -v -e '^#' .env | xargs -I {} echo export \'{}\')
az network vnet subnet create \
--vnet-name $VNET_NAME \
--name GatewaySubnet \
--resource-group $RESOURCE_GROUP_NAME \
--address-prefix "10.0.17.0/27"
az network public-ip create \
--name "${VNET_NAME}-vpn-ip" \
--resource-group $RESOURCE_GROUP_NAME \
--allocation-method Dynamic
az network vnet-gateway create \
--name $VNET_GETEWAY_NAME \
--location $VNET_LOCATION \
--public-ip-address "${VNET_NAME}-vpn-ip" \
--resource-group $RESOURCE_GROUP_NAME \
--vnet $VNET_NAME \
--gateway-type Vpn \
--sku VpnGw1 \
--vpn-type RouteBased \
--address-prefixes "172.16.201.0/24" \
--vpn-gateway-generation Generation1 \
--client-protocol OpenVPN \
--root-cert-name RootCert \
--root-cert-data caCert.pem \
--vpn-auth-type Certificate \
--no-wait
For generation of self-signed certificates I use strongSwan and openssl by documentation from following topics:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site-linux
Сorrectness of created certificates I checked by openssl verify util
Next step was Download VPN Client for OpenVPN
After that I filled in user <cert> and <key> blocks in vpnconfig.ovpn
# P2S client certificate
# Please fill this field with a PEM formatted client certificate
# Alternatively, configure 'cert PATH_TO_CLIENT_CERT' to use input from a PEM certificate file. <cert>
# Content of userCert.pem or client-cert.pem files
</cert>
# P2S client certificate private key
# Please fill this field with a PEM formatted private key of the client certificate.
# Alternatively, configure 'key PATH_TO_CLIENT_KEY' to use input from a PEM key file.
<key>
# Content of userKey.pem or clientKey.pem files
</key>
For running OpenVPN connection I used Windows OpenVPN client. When used vpnconfig.ovpn to connect to Azure I get message error: Peer certificate verification failure.
OpenVPN logs
[Aug 4, 2023, 11:27:46] OpenVPN core 3.git::d3f8b18b win x86_64 64-bit built on Feb 7 2023 16:08:10
[Aug 4, 2023, 11:27:46] Frame=512/2048/512 mssfix-ctrl=1250
[Aug 4, 2023, 11:27:46] UNUSED OPTIONS 6 [resolv-retry] [infinite] 7 [nobind] 10 [persist-key] 11 [persist-tun] 15 [log] [openvpn.log] 16 [verb] [3]
[Aug 4, 2023, 11:27:46] EVENT: RESOLVE
[Aug 4, 2023, 11:27:46] EVENT: WAIT
[Aug 4, 2023, 11:27:46] WinCommandAgent: transmitting bypass route to 52.191.28.72 { "host" : "52.191.28.72", "ipv6" : false }
[Aug 4, 2023, 11:27:46] Connecting to [azuregateway-651a0077-6bec-43a5-9738-fb84b4090d03-55fa834d773d.vpn.azure.com]:443 (52.191.28.72) via TCPv4
[Aug 4, 2023, 11:27:46] EVENT: CONNECTING
[Aug 4, 2023, 11:27:46] Tunnel Options:V4,dev-type tun,link-mtu 1523,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client
[Aug 4, 2023, 11:27:46] Creds: UsernameEmpty/PasswordEmpty
[Aug 4, 2023, 11:27:46] Peer Info: IV_VER=3.git::d3f8b18b IV_PLAT=win IV_NCP=2 IV_TCPNL=1 IV_PROTO=30 IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305 IV_AUTO_SESS=1 IV_GUI_VER=OCWindows_3.3.7-2979 IV_SSO=webauth,openurl,crtext
[Aug 4, 2023, 11:27:47] Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Aug 4, 2023, 11:27:47] EVENT: CERT_VERIFY_FAIL OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed⏎[Aug 4, 2023, 11:27:47] EVENT: DISCONNECTED
I used 2 different ways to generate certificates (mentioned above) but no one give me the same result. I found similar issue but provided advices did not help to solve problem.
Anybody have any thoughts how I can fix it?
I would be grateful for any advice!
Azure VPN Gateway
{count} votes
-
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator2023-08-04T10:25:18.81+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to configure Certificate authentication for Azure P2S Connections with OpenVPN tunnel type.
May I ask if there is any specific requirement for you to use Windows OpenVPN Client and not Azure VPN Client for windows?
- Please note that Azure VPN Client does support OpenVPN Tunnel type for certificate authentication.
- If you can use Azure VPN Client,
- Generate and export Self signed certificates : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site#rootcert
- And follow the steps for OpenVPN: Azure VPN Client steps
Few of the reasons I can think of for certificate failure issues are:
- Improper bundling of the certificate
- Root certificate and Client certificate not being installed on the client machine
Let us know if the Certificate authentication works with Azure VPN Client.
Cheers.
Kapil
-
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator
2023-08-07T05:15:01.56+00:00 May I know if you got a chance to review my previous comment?
Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.
Thanks,
Kapil
-
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator
2023-08-08T05:14:48.5866667+00:00 Reaching out to check if there are any questions on this.
Please let us know if we can be of any further assistance here.
Thanks,
Kapil
-
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator
2023-08-09T05:06:40.0533333+00:00 Can you please update us if the action plan provided was helpful?
Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
Thanks,
Kapil
Sign in to comment
Sign in to answer