I have set up an OpenVPN server on Ubuntu but pfSense as OpenVPN client won't connect, Windows client is working fine



  • So I use DigitalOcean and spun up Ubuntu in one of the droplets.

    I installed OpenVPN using this quick install script inside the Ubuntu server. https://github.com/Nyr/openvpn-install

    Then I generated a .ovpn file (without username and password) and tested it on a Windows machine using Pritunl, where it works fine. However, when I tried it on pfSense, it's not working. Here's the log.

    Oct 24 23:50:06	openvpn	51034	SENT PING
    Oct 24 23:50:06	openvpn	51034	TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
    Oct 24 23:49:56	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Oct 24 23:49:50	openvpn	51034	SENT PING
    Oct 24 23:49:50	openvpn	51034	TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
    Oct 24 23:49:40	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Oct 24 23:49:32	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Oct 24 23:49:31	openvpn	51034	MANAGEMENT: Client disconnected
    Oct 24 23:49:31	openvpn	51034	MANAGEMENT: CMD 'state 1'
    Oct 24 23:49:31	openvpn	51034	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Oct 24 23:49:28	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Oct 24 23:49:26	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Oct 24 23:49:26	openvpn	51034	SENT PING
    Oct 24 23:49:26	openvpn	51034	TLS Warning: no data channel send key available: [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
    Oct 24 23:49:26	openvpn	51034	UDPv4 link remote: [AF_INET]77.77.77.77:1194
    Oct 24 23:49:26	openvpn	51034	UDPv4 link local (bound): [AF_INET]88.88.88.88:0
    Oct 24 23:49:26	openvpn	51034	Socket Buffers: R=[42080->42080] S=[57344->57344]
    Oct 24 23:49:26	openvpn	51034	TCP/UDP: Preserving recently used remote address: [AF_INET]77.77.77.77:1194
    Oct 24 23:49:26	openvpn	51034	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
    Oct 24 23:49:26	openvpn	51034	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
    Oct 24 23:49:26	openvpn	51034	calc_options_string_link_mtu: link-mtu 1621 -> 1601
    Oct 24 23:49:26	openvpn	51034	crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
    Oct 24 23:49:26	openvpn	51034	calc_options_string_link_mtu: link-mtu 1621 -> 1601
    Oct 24 23:49:26	openvpn	51034	crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
    Oct 24 23:49:26	openvpn	51034	Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
    Oct 24 23:49:26	openvpn	51034	RESOLVE_REMOTE flags=0x0901 phase=1 rrs=0 sig=-1 status=0
    Oct 24 23:49:26	openvpn	51034	MTU DYNAMIC mtu=1450, flags=2, 1621 -> 1450
    Oct 24 23:49:26	openvpn	51034	Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
    Oct 24 23:49:26	openvpn	51034	PID packet_id_init seq_backtrack=64 time_backtrack=15
    Oct 24 23:49:26	openvpn	51034	PID packet_id_init seq_backtrack=64 time_backtrack=15
    Oct 24 23:49:26	openvpn	51034	PID packet_id_init seq_backtrack=64 time_backtrack=15
    Oct 24 23:49:26	openvpn	51034	PID packet_id_init seq_backtrack=64 time_backtrack=15
    Oct 24 23:49:26	openvpn	51034	PRNG init md=SHA1 size=36
    Oct 24 23:49:26	openvpn	51034	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 24 23:49:26	openvpn	51034	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Oct 24 23:49:26	openvpn	51034	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
    Oct 24 23:49:26	openvpn	51008	library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
    Oct 24 23:49:26	openvpn	51008	OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 16 2018
    Oct 24 23:49:26	openvpn	51008	auth_user_pass_file = '[UNDEF]'
    Oct 24 23:49:26	openvpn	51008	pull = ENABLED
    Oct 24 23:49:26	openvpn	51008	client = ENABLED
    Oct 24 23:49:26	openvpn	51008	port_share_port = '[UNDEF]'
    Oct 24 23:49:26	openvpn	51008	port_share_host = '[UNDEF]'
    Oct 24 23:49:26	openvpn	51008	auth_token_lifetime = 0
    Oct 24 23:49:26	openvpn	51008	auth_token_generate = DISABLED
    Oct 24 23:49:26	openvpn	51008	auth_user_pass_verify_script_via_file = DISABLED
    Oct 24 23:49:26	openvpn	51008	auth_user_pass_verify_script = '[UNDEF]'
    Oct 24 23:49:26	openvpn	51008	max_routes_per_client = 256
    Oct 24 23:49:26	openvpn	51008	max_clients = 1024
    Oct 24 23:49:26	openvpn	51008	cf_per = 0```java
    code
    

    And here's my OpenVPN server log.

    Oct 24 16:44:25 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29070
    Oct 24 16:44:55 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29070]
    Oct 24 16:45:37 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29123
    Oct 24 16:46:06 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 3 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29123]
    Oct 24 16:46:55 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40205
    Oct 24 16:47:26 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40205]
    Oct 24 16:47:32 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:53641
    Oct 24 16:47:46 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 3 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:53641]
    Oct 24 16:47:55 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:44143
    Oct 24 16:48:26 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:44143]
    Oct 24 16:49:01 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:37533
    Oct 24 16:49:14 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 3 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:37533]
    Oct 24 16:49:25 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:9163
    Oct 24 16:49:28 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:9163
    Oct 24 16:49:28 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:2618
    Oct 24 16:49:58 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:2618]
    Oct 24 16:50:33 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13215
    Oct 24 16:51:03 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13215]
    Oct 24 16:51:38 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40634
    Oct 24 16:52:08 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40634]
    Oct 24 16:52:43 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:11610
    Oct 24 16:53:16 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:11610]
    Oct 24 16:53:48 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13097
    Oct 24 16:54:18 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13097]
    Oct 24 16:54:58 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:12906
    Oct 24 16:55:29 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:12906]
    Oct 24 16:56:18 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:54530
    

    77.77.77.77 is my VPS IP and 88.88.88.88 is my WAN IP.

    My server.conf

    port 1194
    proto udp
    dev tun
    sndbuf 0
    rcvbuf 0
    ca ca.crt
    cert server.crt
    key server.key
    dh dh.pem
    auth SHA512
    tls-auth ta.key 0
    topology subnet
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 1.1.1.1"
    push "dhcp-option DNS 1.0.0.1"
    keepalive 10 120
    cipher AES-256-CBC
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    crl-verify crl.pem
    
    

    My pfSense client settings.

    [image: screenshot of the pfSense OpenVPN client settings]



  • You would be better off learning to configure OpenVPN manually.

    We possibly need the client config file generated by "the script that does wonders" ;)

    What is visible for now is that the server uses

    tls-auth ta.key 0
    

    but the client is missing the TLS key (with key-direction 1), hence the server log complaining

    TLS Error: cannot locate HMAC in incoming packet from
    

    Also, in the server config use absolute paths to files.
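
    The check described in this answer, written out as an added example that is not from any post in this thread: a POSIX shell function that compares a server.conf with a client .ovpn and reports the two problems visible in the logs above, a tls-auth key that is missing or uses the same direction as the server (the server's "cannot locate HMAC in incoming packet" error) and a missing `remote-cert-tls server` line (the pfSense "No server certificate verification method has been enabled" warning). The sample server config is trimmed from the one posted above; the three client configs are constructed for the example, the key material in the fixed one is a placeholder, and the function name and file paths are my own.

```shell
#!/bin/sh
# Added example (not from this thread): static check of a client .ovpn against
# server.conf for the tls-auth mismatch behind
#   "TLS Error: cannot locate HMAC in incoming packet"
# Exit status 0 = consistent, 1 = one or more findings printed.
check_tls_auth() {
    server_conf="$1"
    client_conf="$2"
    rc=0

    # Server side: "tls-auth ta.key 0" -> directional key, direction 0
    if ! grep -q '^tls-auth ' "$server_conf"; then
        echo "server: no tls-auth directive, HMAC check not in use"
        return 0
    fi
    server_dir=$(awk '$1 == "tls-auth" { print $3 }' "$server_conf")

    # Client side: either "tls-auth ta.key 1" (key in a file) or an inline
    # <tls-auth> block whose direction comes from a separate key-direction line
    client_dir=""
    if grep -q '^tls-auth ' "$client_conf"; then
        client_dir=$(awk '$1 == "tls-auth" { print $3 }' "$client_conf")
    elif grep -q '^<tls-auth>' "$client_conf"; then
        client_dir=$(awk '$1 == "key-direction" { print $2 }' "$client_conf")
    else
        echo "client: no tls-auth key; server will log 'cannot locate HMAC' for every packet"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        if [ -z "$client_dir" ] && [ -n "$server_dir" ]; then
            echo "client: tls-auth key present but no direction; server uses $server_dir, client needs the other one"
            rc=1
        elif [ -n "$client_dir" ] && [ "$client_dir" = "$server_dir" ]; then
            echo "client: key direction $client_dir equals the server's; server 0 pairs with client 1"
            rc=1
        fi
    fi

    # Without this, any certificate issued by the CA (including another client's)
    # is accepted as the server, which is the MITM case the pfSense log warns about
    if ! grep -q '^remote-cert-tls server' "$client_conf"; then
        echo "client: remote-cert-tls server missing (no server certificate verification)"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "ok: $client_conf is consistent with $server_conf"
    fi
    return "$rc"
}

# Constructed sample configs (hypothetical paths under a temp dir)
WORK=$(mktemp -d)

# Server config trimmed from the one posted above: tls-auth direction 0
cat > "$WORK/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
auth SHA512
tls-auth ta.key 0
cipher AES-256-CBC
EOF

# Constructed: key-direction set but no tls-auth key at all
cat > "$WORK/client-missing.ovpn" <<'EOF'
client
remote 77.77.77.77 1194
remote-cert-tls server
key-direction 1
EOF

# Constructed: key present but with the server's direction
cat > "$WORK/client-wrongdir.ovpn" <<'EOF'
client
remote 77.77.77.77 1194
remote-cert-tls server
tls-auth ta.key 0
EOF

# Constructed: inline <tls-auth> block (placeholder key material) plus key-direction 1
cat > "$WORK/client-fixed.ovpn" <<'EOF'
client
remote 77.77.77.77 1194
remote-cert-tls server
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00000000000000000000000000000000
-----END OpenVPN Static key V1-----
</tls-auth>
EOF

for f in client-missing client-wrongdir client-fixed; do
    echo "== $f"
    check_tls_auth "$WORK/server.conf" "$WORK/$f.ovpn"
done
```

    The real ta.key is the one the server's `tls-auth ta.key 0` line points at, generated with `openvpn --genkey --secret ta.key`; the client needs that exact key with the opposite direction, whether as a file plus `tls-auth ta.key 1` or as an inline `<tls-auth>` block plus `key-direction 1`.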



  • @pippin Here's the client.ovpn

    client
    dev tun
    proto udp
    sndbuf 0
    rcvbuf 0
    remote 77.77.77.77 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    auth SHA512
    cipher AES-256-CBC
    setenv opt block-outside-dns
    key-direction 1
    verb 3
    <ca>
    -----BEGIN CERTIFICATE-----
    MIIDKzCCAhOgAwIBAgIJAKtAKxoFxc14MA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
    


  • @Pippin "but the client is missing the TLS key (with key-direction 1), hence the server log complaining". Dammit, this is it. Thanks, it works.

    @ninom4ster aw shiett!



  • Ah was just writing ;)

    There you go...