OpenVPN Connection Issue: Invalid Certificate - Azure VM (Central India) from Bangladesh (2 Free Connections) Azure 12 months free trial on B1s VM #31570

@raficool9940

Description

Describe the bug

I have deployed an OpenVPN server on an Azure Virtual Machine (VM) located in the Central India region. I am attempting to establish a connection to this OpenVPN server from my location in Bangladesh.

Upon initiating the connection, the OpenVPN client consistently returns the following error: "Invalid certificate to accept."

Questions for the Community:

1. Certificate Error Resolution: What are the most common causes and effective troubleshooting steps for an "Invalid certificate" error when connecting to an OpenVPN server deployed on Azure?
2. Network Architecture: Given this setup (OpenVPN on an Azure VM), is it necessary or recommended to additionally configure an Azure VPN Gateway for secure network routing, or is the OpenVPN server on the VM sufficient for establishing a secure tunnel?
3. Optimal Network Access Strategy (Regional Restrictions): Considering the presence of regional restrictions, would utilizing this OpenVPN connection for continuous network access be an ideal and sustainable solution? Are there any specific considerations or best practices for maintaining secure and reliable connectivity under these circumstances?

Any guidance, insights, or best practices from individuals with experience in similar OpenVPN deployments on Azure would be greatly appreciated.

Related command

az vm create

Errors

Connections to the client server are occasionally disconnected.

Issue script & Debug output

[May 28, 2025, 10:01:45] Session token: [redacted]
[May 28, 2025, 10:01:45] PROTOCOL OPTIONS:
key-derivation: TLS Keying Material Exporter [RFC5705]
control channel: tls-crypt v2 enabled
data channel: cipher AES-256-GCM, peer-id 0

[May 28, 2025, 10:01:45] EVENT: ASSIGN_IP
[May 28, 2025, 10:01:45] Unknown pushed DHCP option: [dhcp-option] [NBT] [1]
[May 28, 2025, 10:01:45] CAPTURED OPTIONS:
Session Name: 98.70.27.51
Layer: OSI_LAYER_3
MTU: 1500
Remote Address: 98.70.27.51
Tunnel Addresses:
172.27.232.4/21 -> 172.27.232.1
Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW AUTO_LOCAL DEF1 BYPASS_DHCP IPv4 ]
Block IPv4: no
Block IPv6: yes
Block local DNS: no
Route Metric Default: 101
Add Routes:
Exclude Routes:
DNS Servers:
Priority: 0
Addresses:
168.63.129.16
Values from dhcp-options: true

[May 28, 2025, 10:01:58] SetupClient: transmitting tun setup list to \.\pipe\agent_ovpnconnect
{
"allow_local_dns_resolvers" : false,
"confirm_event" : "240e000000000000",
"destroy_event" : "200e000000000000",
"tun" :
{
"block_ipv6" : true,
"block_outside_dns" : false,
"dns_options" :
{
"from_dhcp_options" : true,
"servers" :
{
"0" :
{
"addresses" :
[
{
"address" : "168.63.129.16"
}
]
}
}
},
"layer" : 3,
"mtu" : 1500,
"remote_address" :
{
"address" : "98.70.27.51",
"ipv6" : false
},
"reroute_gw" :
{
"flags" : 315,
"ipv4" : true,
"ipv6" : false
},
"route_metric_default" : 101,
"session_name" : "98.70.27.51",
"tunnel_address_index_ipv4" : 0,
"tunnel_address_index_ipv6" : -1,
"tunnel_addresses" :
[
{
"address" : "172.27.232.4",
"gateway" : "172.27.232.1",
"ipv6" : false,
"metric" : -1,
"net30" : false,
"prefix_length" : 21
}
]
},
"tun_type" : 0
}
POST np://[\.\pipe\agent_ovpnconnect]/tun-setup : 200 OK
TAP ADAPTERS:
guid='{F3A3D1F8-293E-459C-988A-52885796698B}' index=21 name='Local Area Connection'
Open TAP device "Local Area Connection" PATH="\.\Global{F3A3D1F8-293E-459C-988A-52885796698B}.tap" SUCCEEDED
TAP-Windows Driver Version 9.27
ActionDeleteAllRoutesOnInterface iface_index=21
netsh interface ip set interface 21 metric=9000
Ok.
netsh interface ip set address 21 static 172.27.232.4 255.255.248.0 gateway=172.27.232.1 gwmetric=101 store=active
netsh interface ipv6 add route 2000::/4 interface=1 store=active
Ok.
netsh interface ipv6 add route 3000::/4 interface=1 store=active
Ok.
netsh interface ipv6 add route fc00::/7 interface=1 store=active
Ok.
netsh interface ip add route 98.70.27.51/32 14 192.168.110.1 store=active
The object already exists.
netsh interface ip add route 0.0.0.0/1 21 172.27.232.1 store=active
Ok.
netsh interface ip add route 128.0.0.0/1 21 172.27.232.1 store=active
Ok.
netsh interface ip set dnsservers 21 static 168.63.129.16 register=primary validate=no
NRPT::ActionCreate pid=[4100] domains=[] dns_servers=[168.63.129.16] dnssec=[0] id=[OpenVPNDNSRouting-4100]
DNS::ActionApply: successful
ActionBase openvpn_app_path=C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe tap_index=21 enable=1
permit IPv4 requests from OpenVPN app
permit IPv6 requests from OpenVPN app
block IPv4 DNS requests from other apps
block IPv6 DNS requests from other apps
allow IPv4 traffic from TAP
allow IPv6 traffic from TAP
block IPv4 DNS requests to loopback from other apps
block IPv6 DNS requests to loopback from other apps
ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
TAP: ARP flush succeeded
TAP handle: d80e000000000000
[May 28, 2025, 10:01:58] TunPersist: saving tun context:
Session Name: 98.70.27.51
Layer: OSI_LAYER_3
MTU: 1500
Remote Address: 98.70.27.51
Tunnel Addresses:
172.27.232.4/21 -> 172.27.232.1
Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW AUTO_LOCAL DEF1 BYPASS_DHCP IPv4 ]
Block IPv4: no
Block IPv6: yes
Block local DNS: no
Route Metric Default: 101
Add Routes:
Exclude Routes:
DNS Servers:
Priority: 0
Addresses:
168.63.129.16
Values from dhcp-options: true

[May 28, 2025, 10:01:58] Connected via TUN_WIN
[May 28, 2025, 10:01:58] EVENT: CONNECTED [email protected]:1194 (98.70.27.51) via /UDP on TUN_WIN/172.27.232.4/ gw=[172.27.232.1/] mtu=1500
[May 28, 2025, 10:54:35] SetupClient: signaling tun destroy event
[May 28, 2025, 10:54:35] EVENT: DISCONNECTED
[May 28, 2025, 19:01:03] OpenVPN core 3.11.2_dev win x86_64 64-bit OVPN-DCO built on May 9 2025 13:24:58
[May 28, 2025, 19:01:04] Frame=512/2112/512 mssfix-ctrl=1250
[May 28, 2025, 19:01:04] EVENT: RESOLVE
[May 28, 2025, 19:01:04] Contacting 98.70.27.51:1194 via UDP
[May 28, 2025, 19:01:04] EVENT: WAIT
[May 28, 2025, 19:01:04] WinCommandAgent: transmitting bypass route to 98.70.27.51
{
"host" : "98.70.27.51",
"ipv6" : false
}

[May 28, 2025, 19:01:04] Connecting to [98.70.27.51]:1194 (98.70.27.51) via UDP
[May 28, 2025, 19:01:08] Server poll timeout, trying next remote entry...
[May 28, 2025, 19:01:08] EVENT: RECONNECTING
[May 28, 2025, 19:01:08] EVENT: RESOLVE
[May 28, 2025, 19:01:08] Contacting 98.70.27.51:1194 via UDP
[May 28, 2025, 19:01:08] EVENT: WAIT
[May 28, 2025, 19:01:08] WinCommandAgent: transmitting bypass route to 98.70.27.51
{
"host" : "98.70.27.51",
"ipv6" : false
}

[May 28, 2025, 19:01:08] Connecting to [98.70.27.51]:1194 (98.70.27.51) via UDP
[May 28, 2025, 19:01:12] Server poll timeout, trying next remote entry...
[May 28, 2025, 19:01:12] EVENT: RECONNECTING
[May 28, 2025, 19:01:12] EVENT: RESOLVE
[May 28, 2025, 19:01:12] EVENT: WAIT
[May 28, 2025, 19:01:12] WinCommandAgent: transmitting bypass route to 98.70.27.51
{
"host" : "98.70.27.51",
"ipv6" : false
}

[May 28, 2025, 19:01:15] Transport Error: TCP connect error on '98.70.27.51:443' (98.70.27.51:443): No connection could be made because the target machine actively refused it.
[May 28, 2025, 19:01:15] Client terminated, restarting in 2000 ms...
[May 28, 2025, 19:01:17] EVENT: RECONNECTING
[May 28, 2025, 19:01:17] EVENT: RESOLVE
[May 28, 2025, 19:01:17] Contacting 98.70.27.51:1194 via UDP
[May 28, 2025, 19:01:17] EVENT: WAIT
[May 28, 2025, 19:01:17] WinCommandAgent: transmitting bypass route to 98.70.27.51
{
"host" : "98.70.27.51",
"ipv6" : false
}

[May 28, 2025, 19:01:17] Connecting to [98.70.27.51]:1194 (98.70.27.51) via UDP
[May 28, 2025, 19:01:18] EVENT: DISCONNECTED

Expected behavior

Connect with a valid certificate. The current certificate is self-signed; is it possible to use a domain-verified certificate instead?

Environment Summary

Resource group: Akcell
Status: Running
Location: Central India (Zone 1)
Subscription: Azure Subscription PG
Subscription ID: afd3deda-7ff3-4462-a26f-99d607e63092
Availability zone: 1
Operating system: Linux (ubuntu 22.04)
Size: Standard B1s (1 vcpu, 1 GiB memory)
Public IP address: 98.70.27.51
Virtual network/subnet: AkcelVNetwork/default
DNS name: akcellbd.centralindia.cloudapp.azure.com
Health state: Unhealthy
Time created: 5/8/2025, 3:13 PM UTC
Tags:

Virtual machine
Computer name: Akcell
Operating system: Linux (ubuntu 22.04)
VM generation: V1
VM architecture: x64
Agent status: Ready
Agent version: 2.13.1.1
Hibernation: Disabled
Host group:
Host:
Proximity placement group:
Colocation status: N/A
Capacity reservation group:
Disk controller type:

Azure Spot
Azure Spot:
Azure Spot eviction policy:

Availability + scaling
Availability zone: 1
Availability set:
Scale Set:

Security
Security type: Standard

Health monitoring
Health monitoring: Enabled

Extensions + applications
Extensions: AADSSHLoginForLinux, HealthExtension, MDE.Linux
Applications:

Networking
Public IP address: 98.70.27.51 (Network interface: akcell352_z1)
Public IP address (IPv6):
Private IP address: 10.0.0.4
Private IP address (IPv6):
Virtual network/subnet: AkcelVNetwork/default
DNS name: akcellbd.centralindia.cloudapp.azure.com

Size
Size: Standard B1s
vCPUs: 1
RAM: 1 GiB

Source image details
Source image publisher: openvpn
Source image offer: openvpnas
Source image plan: openvpnas

Disk
OS disk: Akcell_OsDisk_1_be5ceacea1b7463890fadab09cf88c22
Encryption at host: Disabled
Azure disk encryption: Not enabled
Ephemeral OS disk: N/A
Data disks: 0

Auto-shutdown
Auto-shutdown: Not enabled
Scheduled shutdown:

Additional context

Thank you for your helpful suggestion. Appreciated with love 👍
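As an added triage aid (not part of this issue, of OpenVPN Connect or of the Azure CLI), the Python script below walks client log lines in the timestamped format shown in the debug output above and separates "the server never answered" from "the server answered but the tunnel did not come up", which is the split that decides whether certificate work is even the right next step. The sample lines are constructed to mirror the issue's output, and the `user@` in the CONNECTED line is a placeholder.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the OpenVPN Connect output in the issue (not the issue's log verbatim).
SAMPLE_LOG = """\
[May 28, 2025, 10:01:58] EVENT: CONNECTED user@98.70.27.51:1194 (98.70.27.51) via /UDP on TUN_WIN/172.27.232.4/ gw=[172.27.232.1/] mtu=1500
[May 28, 2025, 10:54:35] EVENT: DISCONNECTED
[May 28, 2025, 19:01:04] Contacting 98.70.27.51:1194 via UDP
[May 28, 2025, 19:01:08] Server poll timeout, trying next remote entry...
[May 28, 2025, 19:01:12] Server poll timeout, trying next remote entry...
[May 28, 2025, 19:01:15] Transport Error: TCP connect error on '98.70.27.51:443' (98.70.27.51:443): No connection could be made because the target machine actively refused it.
[May 28, 2025, 19:01:18] EVENT: DISCONNECTED
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")
TS_FMT = "%b %d, %Y, %H:%M:%S"  # matches "May 28, 2025, 19:01:04"


def summarize(log_text):
    """One pass over the client log: tunnel sessions, UDP poll timeouts per remote, transport errors."""
    sessions, timeouts, errors = [], Counter(), []
    connected_at, remote, failed = None, "?", 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # JSON payloads and option dumps carry no timestamp; skip them
        ts, msg = datetime.strptime(m["ts"], TS_FMT), m["msg"]
        if msg.startswith("Contacting "):
            remote = msg.split()[1]  # "host:port" currently being polled
        elif msg.startswith("EVENT: CONNECTED"):
            connected_at = ts
        elif msg.startswith("EVENT: DISCONNECTED"):
            if connected_at is None:
                failed += 1  # disconnect without the tunnel ever coming up
            else:
                sessions.append(int((ts - connected_at).total_seconds()))
                connected_at = None
        elif msg.startswith("Server poll timeout"):
            timeouts[remote] += 1
        elif msg.startswith("Transport Error:"):
            errors.append(msg[len("Transport Error: "):])
    return {"session_seconds": sessions, "poll_timeouts": dict(timeouts), "transport_errors": errors, "failed_attempts": failed}


def diagnose(summary):
    """Name the first thing to check; reachability is ruled out before any certificate work."""
    if summary["poll_timeouts"] and any("refused" in e for e in summary["transport_errors"]):
        return "unreachable: no UDP reply and TCP refused, so check the VM state, the OpenVPN service and the NSG/host firewall first"
    if summary["failed_attempts"]:
        return "disconnected before the tunnel came up: the server answered, so look at the TLS/certificate and auth messages"
    return "ok" if summary["session_seconds"] else "no connection attempt found"
```

On the sample above the verdict is "unreachable", which matches the VM's "Unhealthy" health state in the environment summary: the evening attempts got no UDP reply on 1194 and a TCP reset on 443, so nothing was listening for the client to present a certificate to.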

Labels

Auto-Assign: Auto assign by bot
Azure CLI Team: The command of the issue is owned by Azure CLI team
Compute: az vm/vmss/image/disk/snapshot
customer-reported: Issues that are reported by GitHub users external to the Azure organization.
question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that
