Netgate Discussion Forum

    Tomato Client dialing to a pfSense OVPN server - HMAC failure

      McFuzz

      Hi all!

      I've set up a little OVPN server that works flawlessly with desktop-based clients (the Windows OpenVPN client, Tunnelblick, iOS client and DD-WRT router-based client).

      However, I have a router that is running Tomato 1.28 (1.28.0000 MIPSR2-2.8-130 K26 USB AIO) and I followed the guide posted here - https://forums.openvpn.net/topic12384.html - to set it up to dial to my server.

      I followed the guide in its entirety, mostly, with the exception of Compression (which I have enabled).

      However, upon attempting to dial to the server, I get the following error on the pfSense end:

      
      TLS Error: cannot locate HMAC in incoming packet from...
      
      

      My specific Tomato version has an option called 'Extra HMAC authorization (tls-auth)' which, per the guide, I've set to disabled. I also tried to set it to bi-directional, incoming or outgoing - none worked.

      I tried changing my authorization mode from 'TLS' to Static Key - however, that caused the following messages:

      
      Jul 8 12:16:39	openvpn[1950]: 5x.xx.xx.xx:22230 TLS Error: TLS handshake failed
      Jul 8 12:16:41	openvpn[1950]: 5x.xx.xx.xx:57577 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      
      

      Also tried to change 'Extra HMAC Authorization' option to 'Bi-Directional' while keeping the static key – this error appears:

      
      Jul 8 12:27:46	openvpn[1950]: Authenticate/Decrypt packet error: packet HMAC authentication failed
      Jul 8 12:27:46	openvpn[1950]: TLS Error: incoming packet authentication failed from [AF_INET]5x.xx.xx.xx:16497
      
      

      So I am a bit stumped - any ideas on how to make it work right?

      Thanks!

        hatimux

        When you activate the tls-auth option, are you sure you have the same TLS key on both sides?

          reggie14

          Following up on what hatimux said, have you tried enabling (or disabling) TLS authentication on both sides? It sounds like you had it enabled on your pfSense server, but disabled in your Tomato client.

          You can keep your authorization mode to TLS.  If you want to disable TLS authentication on your server just uncheck the box labeled "Enable authentication of TLS packets."

            McFuzz

            Yup - it's enabled on both ends and the proper key is used on both ends.

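The check the replies in this thread suggest (tls-auth on both sides, same key), written as an added example that is not part of the original thread or of pfSense, Tomato or OpenVPN. It assumes both configs carry the key as an inline `<tls-auth>` block; the function names and the sample configs and keys are constructed for illustration, and it also compares `key-direction` and the `auth` digest, which the tls-auth HMAC depends on as well.

```python
import hashlib
import re

def constructed_key(byte_hex):
    """Constructed sample in OpenVPN static-key layout (16 lines of 32 hex chars)."""
    body = "\n".join([byte_hex * 16] * 16)
    return ("-----BEGIN OpenVPN Static key V1-----\n" + body +
            "\n-----END OpenVPN Static key V1-----")

def tls_auth_settings(conf):
    """Return key fingerprint, key-direction and auth digest found in config text."""
    found = {"key": None, "direction": None, "auth": "SHA1"}  # SHA1 is OpenVPN's default --auth
    inline = re.search(r"<tls-auth>(.*?)</tls-auth>", conf, re.S)
    if inline:
        hexlines = re.findall(r"^\s*([0-9a-fA-F]{32})\s*$", inline.group(1), re.M)
        found["key"] = hashlib.sha256(bytes.fromhex("".join(hexlines))).hexdigest()
    rest = re.sub(r"<tls-auth>.*?</tls-auth>", "", conf, flags=re.S)
    for line in rest.splitlines():
        words = re.split(r"[#;]", line)[0].split()  # drop trailing comments
        if len(words) >= 2 and words[0] == "key-direction":
            found["direction"] = words[1]
        elif len(words) >= 2 and words[0] == "auth":
            found["auth"] = words[1].upper()
    return found

def compare(server_conf, client_conf):
    """List the tls-auth mismatches between a server and a client config."""
    srv, cli = tls_auth_settings(server_conf), tls_auth_settings(client_conf)
    findings = []
    if bool(srv["key"]) != bool(cli["key"]):
        findings.append("tls-auth enabled on the %s only" % ("server" if srv["key"] else "client"))
    elif srv["key"] != cli["key"]:
        findings.append("static keys differ")
    dirs = (srv["direction"], cli["direction"])
    # Valid pairs: direction omitted on both sides, or 0 on one side and 1 on the other.
    if srv["key"] and cli["key"] and dirs not in ((None, None), ("0", "1"), ("1", "0")):
        findings.append("key-direction pair %s/%s is not complementary" % dirs)
    if srv["auth"] != cli["auth"]:
        findings.append("auth digest differs: %s vs %s" % (srv["auth"], cli["auth"]))
    return findings

# Constructed configs: the server uses the a1.. key with direction 0.
SERVER = "auth SHA1\nkey-direction 0\n<tls-auth>\n%s\n</tls-auth>\n" % constructed_key("a1")
CLIENT_OK = "auth SHA1\nkey-direction 1\n<tls-auth>\n%s\n</tls-auth>\n" % constructed_key("a1")
CLIENT_NO_TLS_AUTH = "auth SHA1\n"
CLIENT_WRONG = "auth SHA1\nkey-direction 0\n<tls-auth>\n%s\n</tls-auth>\n" % constructed_key("b2")

if __name__ == "__main__":
    for name, client in [("ok", CLIENT_OK), ("no tls-auth", CLIENT_NO_TLS_AUTH), ("wrong", CLIENT_WRONG)]:
        print(name, compare(SERVER, client))
```

Comparing SHA-256 fingerprints of the decoded key avoids pasting key material into a ticket or forum post while still showing whether both ends hold the same bytes.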