hatted bey
Resolved
1 votes
OpenVPN in ClearOS page is still for ClearOS 5.x version. I tried to set up the OpenVPN but no luck in connection. I am not sure what to do next.

  • I have installed the OpenVPN app in ClearOS and opened the OpenVPN UDP and OpenVPN TCP in firewall.

  • Logged in as a user in ClearOS and downloaded client-user-key.pem, client-user.p12, ca-cert.cer, client-user-cert.pem and server openvpn config file

  • Downloaded the OpenVPN GUI and installed in Windows 8

  • Put all openvpn cert and conf files mentioned above in the "C:\Program Files\OpenVPN\config" folder

  • Run as Administrator

  • Right Click

  • run

    The conf is as below:
    client
    remote vpn.day.com 1194
    dev tun
    proto udp
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca-cert.pem
    cert client-user-cert.pem
    key client-user-key.pem
    ns-cert-type server
    comp-lzo
    verb 3
    auth-user-pass


    But I only got the error "connecting to vpn.day.com has failed"

    Any suggestions?
    In VPN
    Friday, January 10 2014, 09:51 AM
    Responses (7)
    • Accepted Answer

      Wednesday, May 28 2014, 11:43 AM - #Permalink
      Resolved
      0 votes
      I'm glad you sorted your certificate issue. I wonder if you still have a certificate issue for IMAP. When I hunted down certificates in ClearOS to see if I dare change everything to my domain, I bumped into a load of other certificates. Have a look in /etc/pki/tls/ and I think you'll find either an imap or cyrus folder with a certificate. I've no idea what needs to be done with that (and how you do it) if you change your cacert. It *may* just be a case of stopping cyrus, deleting the certificate and then starting it again.

      I fixed the OpenVPN domain change issue and posted the solution here. It seems that the ClearOS domain change routine needs some polishing. I've filed three bugs on it so far and who knows what else is not working. If I get the time I may try to have a look at that syncaction command as I've checked just about all the files for remaining instances of my old domain. I know there is still one entry in the LDAP database and all my certificates point to the old name but I think that is it.
    • Accepted Answer

      Intelliant
      Wednesday, May 28 2014, 09:33 AM - #Permalink
      Resolved
      0 votes
      Thank you Nick, it was just a matter of you asking me the right question -

      Is your new cacert the one used to sign the client certificates?

      I recreated the user certificates from My Accounts -> Accounts -> User Certificates -> Reset and using them solved the VPN issue.

      However, the other issue related to not being able to use SSL for IMAP still persists and that is a matter of another thread.

      For your domain change, not that I understand the exact scenario you are putting forth. Yet, have you checked the settings in .conf files at /etc/openvpn and the .ovpn file details? I assume you must have already as you are an advanced user but just in case. :)

      PS: The documentation herein needs to be updated with the Reset procedure and its implications.
    • Accepted Answer

      Tuesday, May 27 2014, 07:29 PM - #Permalink
      Resolved
      0 votes
      I struggle with certificates. I was considering resetting mine following a domain name change but I've become too scared.

      I've already had enough issues with things I don't know about. Certificates would be one too many........ and I don't know if it is related but my domain change has now stopped me reaching my OpenVPN user. I can ping her from the server but not my PC which I don't understand.

      Your problem is almost certainly a certificate one. Are the new ones on your server the ones referenced in /etc/openvpn/clients.conf? Is your new cacert the one used to sign the client certificates?
    • Accepted Answer

      Intelliant
      Tuesday, May 27 2014, 06:59 PM - #Permalink
      Resolved
      0 votes
      Nick,

      Apologies for not clarifying that I had changed the hostname with an intent to obfuscate. The hostname is iadahu.intelliant.net and I don't see any real utility in hiding it.

      I was earlier using the "main" client. Now am using the community client (I have managed to clean-up the mess in Windoze and reboot it) which shows up as an OpenVPN GUI icon. It has not been working with both of these after I migrated my configuration from an intermediate 6.5 test server on which all was running perfect. Yes, I have regenerated the server and user certificates and re-downloaded the configuration files as well as the certificates and placed them in the C:\Program Files\OpenVPN\config folder as instructed in the OpenVPN client's readme.

      No, I have not and won't update OpenVPN from clearos-epel.

      Despite all the above, this is the current state -
      Client side logs-

      Wed May 28 00:20:49 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
      Wed May 28 00:20:49 2014 MANAGEMENT: >STATE:1401216649,RESOLVE,,,
      Wed May 28 00:20:49 2014 UDPv4 link local: [undef]
      Wed May 28 00:20:49 2014 UDPv4 link remote: [AF_INET]182.73.216.82:1194
      Wed May 28 00:20:49 2014 MANAGEMENT: >STATE:1401216649,WAIT,,,
      Wed May 28 00:20:49 2014 MANAGEMENT: >STATE:1401216649,AUTH,,,
      Wed May 28 00:20:49 2014 TLS: Initial packet from [AF_INET]182.73.216.82:1194, sid=9ba414e8 5ecd281e
      Wed May 28 00:20:49 2014 VERIFY OK: depth=1, C=IN, L=Kolkata, OU=4B Short Street, CN=ca.iadahu.intelliant.net, [email protected], O=Intelliant, ST=West Bengal
      Wed May 28 00:20:49 2014 VERIFY OK: nsCertType=SERVER
      Wed May 28 00:20:49 2014 VERIFY OK: depth=0, C=IN, ST=West Bengal, L=Kolkata, O=Intelliant, OU=4B Short Street, CN=iadahu.intelliant.net, [email protected]
      Wed May 28 00:21:49 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Wed May 28 00:21:49 2014 TLS Error: TLS handshake failed
      Wed May 28 00:21:49 2014 SIGUSR1[soft,tls-error] received, process restarting
      Wed May 28 00:21:49 2014 MANAGEMENT: >STATE:1401216709,RECONNECTING,tls-error,,
      Wed May 28 00:21:49 2014 Restart pause, 2 second(s)
      Wed May 28 00:21:51 2014 MANAGEMENT: CMD 'proxy NONE '
      Wed May 28 00:21:52 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
      Wed May 28 00:21:52 2014 MANAGEMENT: >STATE:1401216712,RESOLVE,,,
      Wed May 28 00:21:52 2014 UDPv4 link local: [undef]
      Wed May 28 00:21:52 2014 UDPv4 link remote: [AF_INET]182.73.216.82:1194
      Wed May 28 00:21:52 2014 MANAGEMENT: >STATE:1401216712,WAIT,,,
      Wed May 28 00:21:52 2014 MANAGEMENT: >STATE:1401216712,AUTH,,,
      Wed May 28 00:21:52 2014 TLS: Initial packet from [AF_INET]182.73.216.82:1194, sid=716f22ff 54cbef35
      Wed May 28 00:21:53 2014 VERIFY OK: depth=1, C=IN, L=Kolkata, OU=4B Short Street, CN=ca.iadahu.intelliant.net, [email protected], O=Intelliant, ST=West Bengal
      Wed May 28 00:21:53 2014 VERIFY OK: nsCertType=SERVER
      Wed May 28 00:21:53 2014 VERIFY OK: depth=0, C=IN, ST=West Bengal, L=Kolkata, O=Intelliant, OU=4B Short Street, CN=iadahu.intelliant.net, [email protected]


      Server side logs -

      May 28 00:22:56 iadahu openvpn[68981]: MULTI: multi_create_instance called
      May 28 00:22:56 iadahu openvpn[68981]: 117.194.99.168:10470 Re-using SSL/TLS context
      May 28 00:22:56 iadahu openvpn[68981]: 117.194.99.168:10470 LZO compression initialized
      May 28 00:22:56 iadahu openvpn[68981]: 117.194.99.168:10470 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
      May 28 00:22:56 iadahu openvpn[68981]: 117.194.99.168:10470 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
      May 28 00:22:56 iadahu openvpn[68981]: 117.194.99.168:10470 Local Options hash (VER=V4): '530fdded'
      May 28 00:22:56 iadahu openvpn[68981]: 117.194.99.168:10470 Expected Remote Options hash (VER=V4): '41690919'
      May 28 00:22:56 iadahu openvpn[68981]: 117.194.99.168:10470 TLS: Initial packet from 117.194.99.168:10470 (via 182.73.216.82), sid=d4e0ae18 aa5576b2
      May 28 00:22:58 iadahu openvpn[68981]: 117.194.99.168:10470 VERIFY OK: depth=1, /C=IN/L=Kolkata/OU=4B_Short_Street/CN=ca.iadahu.intelliant.net/[email protected]/O=Intelliant/ST=West_Bengal
      May 28 00:22:58 iadahu openvpn[68981]: 117.194.99.168:10470 VERIFY ERROR: depth=0, error=certificate signature failure: /C=IN/ST=West_Bengal/L=Kolkata/O=Intelliant/OU=4B_Short_Street/CN=shrenik.bhura/[email protected]
      May 28 00:22:58 iadahu openvpn[68981]: 117.194.99.168:10470 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
      May 28 00:22:58 iadahu openvpn[68981]: 117.194.99.168:10470 TLS Error: TLS object -> incoming plaintext read error
      May 28 00:22:58 iadahu openvpn[68981]: 117.194.99.168:10470 TLS Error: TLS handshake failed
      May 28 00:22:58 iadahu openvpn[68981]: 117.194.99.168:10470 SIGUSR1[soft,tls-error] received, client-instance restarting


      I am starting to suspect that this issue has a lot in common with this one as both seem to be struggling with SSL certificates. :unsure:

      Would any other information from my end be helpful?
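
The server log in the post above accepts the CA at depth=1 but rejects the client certificate at depth=0 with "certificate signature failure", which is consistent with a CA that was regenerated while the client certificates were still issued under the old one. The following is an added example, not part of any post in this thread, that reproduces that state with throwaway certificates and shows the `openssl verify` check; all subject and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: a CA regenerated without reissuing client certificates.
# Subject names (ca.demo.test, client.demo) and file names are constructed.

# $1 = output prefix; writes a self-signed CA as $1.key / $1.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Demo/CN=ca.demo.test" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# $1 = CA prefix, $2 = client prefix; writes $2.key / $2.pem signed by the CA
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Demo/CN=client.demo" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 2 -out "$2.pem" 2>/dev/null
}

# $1 = CA certificate, $2 = client certificate
# Prints "ok" when the client certificate verifies against the CA, else
# "mismatch". Matching on ": OK" rather than the exit status also covers
# some older OpenSSL releases whose verify command exits 0 on failure.
check_signed_by() {
    if openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; then
        echo ok
    else
        echo mismatch
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir/old_ca"                     # CA before it was regenerated
    issue_client "$dir/old_ca" "$dir/client"  # client cert issued under it
    make_ca "$dir/new_ca"                     # same subject, new key pair
    before=$(check_signed_by "$dir/new_ca.pem" "$dir/client.pem")
    issue_client "$dir/new_ca" "$dir/client"  # reissue under the new CA
    after=$(check_signed_by "$dir/new_ca.pem" "$dir/client.pem")
    rm -rf "$dir"
    echo "stale client cert: $before; reissued client cert: $after"
}

demo
```

Against real files the same check is `check_signed_by <CA certificate> <client certificate>`, using the CA certificate the server is configured with and the client certificate the user downloaded; both paths are placeholders here.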
    • Accepted Answer

      Tuesday, May 27 2014, 05:52 PM - #Permalink
      Resolved
      0 votes
      In your clients.conf does it really contain cos.domain.net? If so, this may be your internal LAN name for your server. Change it to your WAN IP or to your external FQDN. If you have a dynamic IP, use ClearOS's Dynamic DNS facility and your xxx.poweredbyclear.com FQDN. I suspect you are OK on this one as you would not be getting any ClearOS logs if you were not.

      There are at least two clients you can use, there is a community client (which I use) and the main OpenVPN client (I don't know the link to that and the web site has changed). They should both work but with Windoze Vista or later they must be run as administrator. Where are you putting the certificates you've downloaded? They should go in the same folder as the .ovpn file unless you edit the paths in the .ovpn file.

      The full ClearOS documentation is here but the download link now takes you to the community version whereas the images show the OpenVPN main version.

      Do not be tempted to update OpenVPN on ClearOS to the clearos-epel version. It will break your set up.
    • Accepted Answer

      Intelliant
      Tuesday, May 27 2014, 05:23 PM - #Permalink
      Resolved
      0 votes
      @hatted were you able to solve your problem?

      @Tim, guess the documentation needs to be updated as the OpenVPN client installation method doesn't seem to be the same any more. I may be wrong but I assume that the documentation needs an update as I could not find the openvpn desktop client package any more that I remember having used with ClearOS 5.2.
      Now there seems to exist a single package with openvpn daemon service and the other supporting tools all packaged into one. Unfortunately, my first attempt to upgrade to it and get it all working failed.

      Have been getting these in /var/log/messages incessantly after my first attempt to connect -

      May 27 22:34:34 cos openvpn[68981]: MULTI: multi_create_instance called
      May 27 22:34:34 cos openvpn[68981]: 117.194.99.168:26656 Re-using SSL/TLS context
      May 27 22:34:34 cos openvpn[68981]: 117.194.99.168:26656 LZO compression initialized
      May 27 22:34:34 cos openvpn[68981]: 117.194.99.168:26656 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
      May 27 22:34:34 cos openvpn[68981]: 117.194.99.168:26656 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
      May 27 22:34:34 cos openvpn[68981]: 117.194.99.168:26656 Local Options hash (VER=V4): '530fdded'
      May 27 22:34:34 cos openvpn[68981]: 117.194.99.168:26656 Expected Remote Options hash (VER=V4): '41690919'
      May 27 22:34:34 cos openvpn[68981]: 117.194.99.168:26656 TLS: Initial packet from 117.194.99.168:26656 (via 182.73.216.82), sid=853cf29d 2a6f4f44
      May 27 22:34:35 cos openvpn[68981]: 117.194.99.168:26623 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      May 27 22:34:35 cos openvpn[68981]: 117.194.99.168:26623 TLS Error: TLS handshake failed
      May 27 22:34:35 cos openvpn[68981]: 117.194.99.168:26623 SIGUSR1[soft,tls-error] received, client-instance restarting


      Have checked upon this particular error - "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" and verified that all the points mentioned herein have been taken care of.

      Even after having stopped any attempt to connect from my Windows system, the logs kept on flooding for at least another 2 minutes with these -

      May 27 22:35:35 cos openvpn[68981]: 117.194.99.168:26656 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      May 27 22:35:35 cos openvpn[68981]: 117.194.99.168:26656 TLS Error: TLS handshake failed
      May 27 22:35:35 cos openvpn[68981]: 117.194.99.168:26656 SIGUSR1[soft,tls-error] received, client-instance restarting
      May 27 22:35:37 cos openvpn[68981]: 117.194.99.168:26658 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      May 27 22:35:37 cos openvpn[68981]: 117.194.99.168:26658 TLS Error: TLS handshake failed
      May 27 22:35:37 cos openvpn[68981]: 117.194.99.168:26658 SIGUSR1[soft,tls-error] received, client-instance restarting


      My client configuration file looks like this -

      client
      remote cos.domain.net 1194
      dev tun
      proto udp
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      ca ca-cert.pem
      cert client-fname.lname-cert.pem
      key client-fname.lname-key.pem
      ns-cert-type server
      comp-lzo
      verb 3
      auth-user-pass


      Next I am attempting to uninstall all traces of the OpenVPN client as I suspect that the upgrade may be playing truant. It shall require a Windows reboot, so will be a bit delayed. :( Shall post my final findings once done.

      However, would appreciate if anyone can throw some light on what's going on, in case someone has experienced the same.
      Or can anyone confirm that they have got OpenVPN working just fine with ClearOS Pro 6.5? If yes, then with which OpenVPN client?

      Do let me know if any other information is required.
    • Accepted Answer

      Friday, January 10 2014, 01:17 PM - #Permalink
      Resolved
      0 votes
      This documentation is for 6.x - might help?
      http://www.clearcenter.com/support/documentation/user_guide/openvpn