How to configure OpenVPN client for XeroBank
-
I'm attempting to configure a pfSense OpenVPN client for XeroBank's privacy service. The account credentials that I'm using work with OpenVPN. I'm using a pfSense 2.0-RC3 guest in VirtualBox 4.0.12 on Ubuntu 10.10 x64, with WAN NATed to the host, and LAN connected to an internal network.
In configuring the client, I've followed http://forum.pfsense.org/index.php?topic=24435.0.html and http://forum.pfsense.org/index.php/topic,29944.0.html. In pfSense's OpenVPN system log, I see the following TLS error:
TLS: Initial packet from [server etc]
TLS Error: cannot locate HMAC in incoming packet from [server etc]What might be causing that?
The OpenVPN config file from XeroBank contains the following lines:
client
dev tun
proto udp
remote [foo].xerobank.com 1194
resolv-retry infinite
nobind
persist-tun
tls-client
ca xbca.crt
cert xerobank.crt
key xb.key
dh xb-dh2048.pem
keepalive 20 200
cipher BF-CBC
cipher AES-256-CBC
tls-remote vpngate
ns-cert-type server
route-delay 2
redirect-gateway def1
explicit-exit-notify 3
comp-lzo
verb 3I've used the following settings in the pfSense OpenVPN client:
Server Mode: Peer to Peer (SSL/TLS)
Protocol: UDP
Device Mode: tun
Interface: WAN
Local port:
Server host or address: [foo].xerobank.com
Server port: 1194
Proxy host or address:
Proxy port:
Proxy authentication extra options:
Server host name resolution: Infinitely resolve server
TLS Authentication: Enable authentication of TLS packets
Peer Certificate Authority: xbca.crt
Client Certificate: xerobank.crt (CA xbca.crt) [with xb.key]
Encryption algorithm: BF-CBC (128-bit)
Hardware Crypto: No Hardware Crypto Acceleration
Tunnel Network:
Remote Network:
Limit Outgoing Bandwidth:
Compression: Compress tunnel packets using the LZO algorithm
Type-of-Service: [either way]Advanced: keepalive 20 200;ns-cert-type server;route-delay 2;redirect-gateway def1;explicit-exit-notify 3;verb 3
Adding "tls-client", "tls-remote vpngate" and/or "persist-tun" to the Advanced options had no apparent effect. Neither did copying xb-dh2048.pem to /var/etc/openvpn/, and adding either "dh xb-dh2048.pem" or "dh /var/etc/openvpn/xb-dh2048.pem" to Advanced options.
With TLS Authentication turned off, I get a tunnel, but it doesn't work:
[expected /sbin/route etc]
Initialization Sequence Completed
Authenticate/Decrypt packet error: cipher final failed -
The OpenVPN config file from XeroBank contains 2 ciphers.
XeroBank uses AES-256-CBC
remove the reference to BF-CBC.
also for the sake of troubleshooting, change "verb 3", to "verb 5"; and copy paste any issues you may have from the log then here.
-
Thanks, ericab :)
The OpenVPN config file from XeroBank contains 2 ciphers.
It's my understanding that the redundancy is intentional. Is that correct?
XeroBank uses AES-256-CBC
Yes, I see in successful connections (using OpenVPN) that it uses "Cipher 'AES-256-CBC' initialized with 256 bit key" and "160 bit message hash 'SHA1' for HMAC authentication" for the data channel, and "TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA" for the control channel.
remove the reference to BF-CBC.
I've changed the Encryption algorithm setting to "AES-256-CBC".
also for the sake of troubleshooting, change "verb 3", to "verb 5"; and copy paste any issues you may have from the log then here.
I've changed "verb 3" to "verb 5". I've checked the Type-of-Service box ("Set the TOS IP header value of tunnel packets to match the encapsulated packet value"). The Advanced items are "dh /var/etc/openvpn/xb-dh2048.pem;keepalive 20 200;ns-cert-type server;route-delay 2;redirect-gateway def1;explicit-exit-notify 3;verb 5".
Here's the relevant piece of the log, obfuscated slightly:
Jul 31 HH:19:59 openvpn[61891]: SIGUSR1[soft,tls-error] received, process restarting Jul 31 HH:19:59 openvpn[61891]: Restart pause, 2 second(s) Jul 31 HH:20:01 openvpn[61891]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Jul 31 HH:20:01 openvpn[61891]: Re-using SSL/TLS context Jul 31 HH:20:01 openvpn[61891]: LZO compression initialized Jul 31 HH:20:01 openvpn[61891]: Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ] Jul 31 HH:20:01 openvpn[61891]: Socket Buffers: R=[42080->65536] S=[57344->65536] Jul 31 HH:20:01 openvpn[61891]: RESOLVE: NOTE: {foo}.xerobank.com resolves to {N} addresses Jul 31 HH:20:01 openvpn[61891]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ] Jul 31 HH:20:01 openvpn[61891]: Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client' Jul 31 HH:20:01 openvpn[61891]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server' Jul 31 HH:20:01 openvpn[61891]: Local Options hash (VER=V4): '{nnnnnnnn}' Jul 31 HH:20:01 openvpn[61891]: Expected Remote Options hash (VER=V4): '{mmmmmmmm}' Jul 31 HH:20:01 openvpn[61891]: UDPv4 link local (bound): [AF_INET]10.0.2.15 Jul 31 HH:20:01 openvpn[61891]: UDPv4 link remote: [AF_INET]{N.N.N.N}:1194 Jul 31 HH:20:01 openvpn[61891]: TLS: Initial packet from [AF_INET]{N.N.N.N}:1194, sid={rrrrrrrr rrrrrrrr} Jul 31 HH:20:01 openvpn[61891]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]{N.N.N.N}:1194 Jul 31 HH:20:04 openvpn[61891]: TLS: Initial packet from [AF_INET]{N.N.N.N}:1194, sid={rrrrrrrr rrrrrrrr} Jul 31 HH:20:04 openvpn[61891]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]{N.N.N.N}:1194 ... Jul 31 HH:21:00 openvpn[61891]: TLS: Initial packet from [AF_INET]{N.N.N.N}:1194, sid={rrrrrrrr rrrrrrrr} Jul 31 HH:21:00 openvpn[61891]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]{N.N.N.N}:1194 Jul 31 HH:21:01 openvpn[61891]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Jul 31 HH:21:01 openvpn[61891]: TLS Error: TLS handshake failed Jul 31 HH:21:01 openvpn[61891]: TCP/UDP: Closing socket Jul 31 HH:21:01 openvpn[61891]: SIGUSR1[soft,tls-error] received, process restarting -
I think there is a problem with the xb.key file.
In the servers config there is a seperate file xb.key and in the clients config there isn't.
Can you add this line in your clients.conf and the put the according xb.key in the clients folder ?key xb.key -
I think there is a problem with the xb.key file.
In the servers config there is a seperate file xb.key and in the clients config there isn't.
Can you add this line in your clients.conf and the put the according xb.key in the clients folder ?key xb.keyThank you. I used xb.key for xerobank.crt in Certificate Manager. It's now found in /var/etc/openvpn/ as client1.key, along with client1.ca, client1.cert, client1.conf, client1.tls-auth, and xb-dh2048.pem (which I added manually).
FWIW, here's client1.conf compared with the XeroBank config file:
[Edit4: I unchecked TLS authentication in the GUI, and now it works. The TLS error "cannot locate HMAC in incoming packet" was indeed telling me that I had a TLS-authentication mismatch. When I initially tried connecting without TLS authentication, I didn't yet have DH set up properly. Anyway, I thank everyone who helped or even thought about helping. Once I get traffic routed, I'll write up a how-to.]
[Edit3: I added "tls-remote vpngate" back to pfSense Advanced. Still no joy.]
[Edit2: Is it advisable to directly edit client1.conf?]
[Edit: I don't know why the table is oddly colored.]| pfSense | XeroBank |
| dev ovpnc1 | dev tun |
| dev-type tun | {null} |
| dev-node /dev/tun1 | {null} |
| writepid /var/run/openvpn_client1.pid | {null} |
| #user nobody | {null} |
| #group nobody | {null} |
| script-security 3 | {null} |
| daemon | {null} |
| keepalive 10 60 | keepalive 20 200 |
| ping-timer-rem | {null} |
| persist-tun | persist-tun |
| persist-key | {null} |
| proto udp | proto udp |
| cipher AES-256-CBC | cipher AES-256-CBC |
| {null} | cipher BF-CBC |
| up /usr/local/sbin/ovpn-linkup | {null} |
| down /usr/local/sbin/ovpn-linkdown | {null} |
| local 10.0.2.15 | nobind |
| tls-client | tls-client |
| client | client |
| lport 0 | {null} |
| management /var/etc/openvpn/client1.sock unix | {null} |
| remote [foo].xerobank.com 1194 | remote [foo].xerobank.com 1194 |
| ca /var/etc/openvpn/client1.ca | ca xbca.crt |
| cert /var/etc/openvpn/client1.cert | cert xerobank.crt |
| key /var/etc/openvpn/client1.key | key xb.key |
| comp-lzo | comp-lzo |
| passtos | {null} |
| resolv-retry infinite | resolv-retry infinite |
| dh /var/etc/openvpn/xb-dh2048.pem | dh xb-dh2048.pem |
| keepalive 20 200 | {see above} |
| tls-remote vpngate | tls-remote vpngate |
| ns-cert-type server | ns-cert-type server |
| route-delay 2 | route-delay 2 |
| redirect-gateway def1 | redirect-gateway def1 |
| explicit-exit-notify 3 | explicit-exit-notify 3 |
| verb 5 | verb 3 | -
Hi,
on the left (client) side you have two time "keepalive".
Further I am not sure if is correct, that both sides are using "tls-client". I think the client side should use "tls-server".But I am no expert.
-
…on the left (client) side you have two time "keepalive".
Thank you. I wasn't clear about the columns. Both are clients. The left column is the client config generated by the pfSense OpenVPN client set-up GUI. The right column is a client config provided by XeroBank. It's my model, as it were, in that I know that it works.
I do have two keepalive lines. The "keepalive 10 60" line seems to be pfSense's default. I don't see in the GUI where it's set. The "keepalive 20 200" line is from the client config provided by XeroBank.
Further I am not sure if is correct, that both sides are using "tls-client". I think the client side should use "tls-server".
As I've noted, both are client scripts.
But I am no expert.
Well, neither am I, as I've demonstrated in this thread! The TLS error "cannot locate HMAC in incoming packet" was clearly pointing to a TLS-authentication mismatch between client and server. I had googled that error, and had found numerous comments to that effect. Yet I was just too stubborn to see it, because I'd already failed with TLS authentication disabled in the GUI. However, as I posted here, the client actually did connect with TLS authentication disabled (although it couldn't decrypt packets). In retrospect, I see that packet decryption failed because I hadn't yet properly set up SSL/TLS authentication for the pfSense client.
As I now (vaguely) appreciate, "TLS authentication" for pfSense means using a shared persistent TLS key ("client1.tls-auth") which is generated by the client (indicated by the terminal "1" in "tls-auth /var/etc/openvpn/client1.tls-auth 1"). What XeroBank's OpenVPN servers expect, OTOH, is periodically generating SSL/TLS keys cooperatively based on the shared DH parameters file ("xb-dh2048.pem") – which is accomplished by "dh /var/etc/openvpn/xb-dh2048.pem".
Now I need to set up routing.
Thanks again to everyone who helped in any way. I believe that this thread has done it's job, unless any y'all want to hijack it.
-
I've managed to create an OpenVPN client on pfSense that connects to XeroBank. I've also managed, at least partially, to secure the VPN connection. However, I'd appreciate criticism and suggestions.
To summarize, I'm using a pfSense 2.0-RC3 guest in VirtualBox 4.0.12 ("pfSense"). The WAN interface is NATed to the VirtualBox host, and the LAN interface is connected to a VirtualBox internal network ("pfSLAN"). Also connected to pfSLAN is an Ubuntu Maverick guest ("Ubuntu").
With ovpnc1 up, I see new "def1 type" routes, and traceroute at pfSense shell on interface ovpnc1 to internet sites shows expected routing via XeroBank's exit node. Enabling Outbound NAT for LAN to OpenVPN allows Ubuntu to access the internet via ovpnc1. Use OpenVPN to connect to vpntunnel.se (or similar) and Re: How to create an OpenVPN client to a public OpenVPN provider offered key insights, BTW.
In System: General Setup, I've specified a public DNS server (XYZ.com) and disabled "Allow DNS server list to be overridden by DHCP/PPP on WAN". I've disabled DNS Forwarder, and specified XeroBank's internal DNS servers (10.244.1.1 and 10.244.2.1) in DHCP Server on LAN. Just to be safe, I also created firewall rules to block LAN access to XYZ.com's DNS servers.
With ovpnc1 down, Ubuntu can ping nothing except pfSense. With ovpnc1 up, packet captures on WAN confirm that traffic from Ubuntu is restricted to ovpnc1. That is, the only IP addresses that I see are pfSense (10.0.2.15), its VirtualBox gateway (10.0.2.2) and XeroBank's OpenVPN server. Steve Gibson's DNS Nameserver Spoofability Test reveals that Ubuntu can access only XeroBank's internal DNS servers.