OpenVPN Client can't connect to pfSense
-
I've been at it for most of the day trying to configure the Synology VPN client to work with the VPN server I have set up in pfSense. The exported config from my pfSense OpenVPN server works great in my Mac's Viscosity client, so I know it has to be something within the Syno causing the issue, or perhaps something I can change on the pfSense side to make it more "compatible"?
I dug into the Viscosity config path and got all the correct certs it was using, then referenced those in my Syno's OpenVPN config…
Can anyone direct me to the right area I need to tweak? Once I create the OpenVPN adapter in DSM, here's the config file (client_xxxxxxx) in /usr/syno/etc/synovpnclient/openvpn/ that I've been messing with:
dev tun
tls-client
remote myhostname.com 1194
pull
proto udp
up /usr/syno/etc.defaults/synovpnclient/scripts/ovpn-up
route-up /usr/syno/etc.defaults/synovpnclient/scripts/route-up
ca /usr/syno/etc/synovpnclient/openvpn/ca.crt
comp-lzo
redirect-gateway
script-security 2
float
reneg-sec 0
explicit-exit-notify
plugin /lib/openvpn/openvpn-down-root.so /usr/syno/etc.defaults/synovpnclient/scripts/ip-down
auth-user-pass /tmp/ovpn_client_up
ns-cert-type server
tls-auth /usr/syno/etc/synovpnclient/openvpn/ta.key 1
persist-key
persist-tun
key /usr/syno/etc/synovpnclient/openvpn/key.key
lport 0
verify-x509-name "OpenVPNServer" name
cipher AES-256-CBC
resolv-retry infinite
auth SHA1
log openvpn.log
The only log entry generated on the Syno shows
Options error: If you use one of --cert or --key, you must use them both. Use --help for more information.
Not a lot to go off of!
-
Edit: here is the error generated within the pfSense logs:
openvpn[31594]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.168.1.172:1194
-
This will be a Synology topic, not a pfSense one.
Have you tried to export the config as "Inline configuration" > Others?
This way, the certs are stored inside the .ovpn file. AFAIK the Synology ovpn client likes that.
-
Your Synology config is broken. Probably a better question for a Synology-focused forum, as they likely know better than us how to configure it. The options error it's throwing at you shows what's broken: somehow it's filling in a cert without the associated key, where both must be specified.
-
Thanks for the nudges in the right direction. verb 3 wasn't giving me the info I needed, so I went after verb 4 and finally got more granular logs in my openvpn.log file.
The first and big pointer was
ERROR: could not read Auth username from stdin
My auth-user-pass config didn't specify any txt file with the credentials in it, which makes me think the Synology's passing of the GUI entered credentials is fubar'd. I commented the auth-user-pass config out, and of course, I got all sorts of TLS handshake errors. The connection requires a user/pass.
Connected as we speak as long as I pass the credentials as a file.
I really appreciate your help. It says something when an OpenVPN thread in the Syno forum needs to be approved by a mod before it gets posted. Lots of ambiguity on their front end presentation to a very robust VPN.
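As an added example (not code from this thread, Synology or pfSense), here is a small Python linter that catches the two faults the thread ran into before OpenVPN is even started: a `key` directive with no matching `cert` (the "you must use them both" options error), and an `auth-user-pass` that cannot be satisfied without a tty or without an existing credentials file. It also flags `ns-cert-type`, which OpenVPN deprecated in 2.4 and removed in 2.5 in favour of `remote-cert-tls server`. The `BROKEN` config is reconstructed from the post above; `FIXED` is what the "Inline configuration" export suggested earlier looks like, with placeholder PEM bodies that are not real key material; the `files` dict stands in for the filesystem so the check runs offline.

```python
"""Lint an OpenVPN client config for faults seen in this thread.
Added example; configs below are constructed, PEM bodies are placeholders."""
import re
import shlex
from typing import Dict, List, Tuple

Directive = Tuple[str, List[str]]
PAIRED = ("cert", "key")  # OpenVPN accepts these only as a pair

# Constructed from the post: the Synology-generated config, one directive per line.
BROKEN = """\
dev tun
tls-client
remote myhostname.com 1194
proto udp
ca /usr/syno/etc/synovpnclient/openvpn/ca.crt
auth-user-pass /tmp/ovpn_client_up
ns-cert-type server
tls-auth /usr/syno/etc/synovpnclient/openvpn/ta.key 1
key /usr/syno/etc/synovpnclient/openvpn/key.key
verify-x509-name "OpenVPNServer" name
cipher AES-256-CBC
auth SHA1
"""

# Constructed inline-style export: cert, key and ta.key embedded, cert/key paired.
FIXED = """\
client
dev tun
proto udp
remote myhostname.com 1194
auth-user-pass /tmp/ovpn_client_up
remote-cert-tls server
verify-x509-name "OpenVPNServer" name
cipher AES-256-CBC
auth SHA1
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
"""


def parse_ovpn(text: str) -> List[Directive]:
    """Return (directive, args) pairs. An inline <tag>...</tag> block is
    recorded as directive `tag` with the single argument "<inline>"."""
    out: List[Directive] = []
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        block = re.fullmatch(r"<([\w-]+)>", line)
        if block:
            tag = block.group(1)
            for inner in lines:  # swallow the PEM body up to the close tag
                if inner.strip() == f"</{tag}>":
                    break
            out.append((tag, ["<inline>"]))
            continue
        parts = shlex.split(line)  # handles the quoted verify-x509-name value
        out.append((parts[0], parts[1:]))
    return out


def lint(text: str, files: Dict[str, str]) -> List[str]:
    """Return findings as 'code: message'. `files` maps path -> contents and
    stands in for the filesystem (constructed, so nothing touches disk)."""
    directives = parse_ovpn(text)
    names = {name for name, _ in directives}
    findings: List[str] = []
    present = [p for p in PAIRED if p in names]
    if len(present) == 1:
        missing = "key" if present[0] == "cert" else "cert"
        findings.append(f"cert/key: --{present[0]} given without --{missing}; "
                        "OpenVPN requires both, as file paths or inline blocks")
    for name, args in directives:
        if name == "auth-user-pass":
            if not args:
                findings.append("auth-user-pass: no file given, so credentials are read from "
                                "stdin; a daemon with no tty cannot answer that prompt")
            elif args[0] not in files:
                findings.append(f"auth-user-pass: credentials file {args[0]} does not exist")
            elif len([l for l in files[args[0]].splitlines() if l.strip()]) < 2:
                findings.append(f"auth-user-pass: {args[0]} needs username on line 1 "
                                "and password on line 2")
        elif name == "ns-cert-type":
            findings.append("ns-cert-type: deprecated in OpenVPN 2.4 and removed in 2.5; "
                            "use 'remote-cert-tls server'")
    return findings


if __name__ == "__main__":
    for label, cfg, fs in (("BROKEN", BROKEN, {}),
                           ("FIXED", FIXED, {"/tmp/ovpn_client_up": "alice\nsecret\n"})):
        print(label, lint(cfg, fs) or "clean")
```

Run it against a real config with `lint(open(path).read(), {p: open(p).read() for p in (credentials_path,)})`; the stdin finding is the one that matches the `could not read Auth username from stdin` line in the thread, and the cert/key finding is the options error the Synology log showed.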