Netgate Discussion Forum

I have set up an OpenVPN server on Ubuntu but pfSense as an OpenVPN client won't connect; the Windows client is working fine

OpenVPN
7 Posts 4 Posters 1.7k Views
  • W
    warheat1990
    last edited by warheat1990 Oct 24, 2018, 5:07 PM Oct 24, 2018, 5:05 PM

    So I use DigitalOcean and spun up Ubuntu on one of the droplets.

    I installed OpenVPN using this quick install script inside the Ubuntu server. https://github.com/Nyr/openvpn-install

    Then I generated a .ovpn file (without username and password) and tested it on a Windows machine using Pritunl, where it works fine. However, when I tried it on pfSense, it doesn't work. Here's the log.

    Oct 24 23:50:06	openvpn	51034	SENT PING
    Oct 24 23:50:06	openvpn	51034	TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
    Oct 24 23:49:56	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Oct 24 23:49:50	openvpn	51034	SENT PING
    Oct 24 23:49:50	openvpn	51034	TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
    Oct 24 23:49:40	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Oct 24 23:49:32	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Oct 24 23:49:31	openvpn	51034	MANAGEMENT: Client disconnected
    Oct 24 23:49:31	openvpn	51034	MANAGEMENT: CMD 'state 1'
    Oct 24 23:49:31	openvpn	51034	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Oct 24 23:49:28	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Oct 24 23:49:26	openvpn	51034	UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Oct 24 23:49:26	openvpn	51034	SENT PING
    Oct 24 23:49:26	openvpn	51034	TLS Warning: no data channel send key available: [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
    Oct 24 23:49:26	openvpn	51034	UDPv4 link remote: [AF_INET]77.77.77.77:1194
    Oct 24 23:49:26	openvpn	51034	UDPv4 link local (bound): [AF_INET]88.88.88.88:0
    Oct 24 23:49:26	openvpn	51034	Socket Buffers: R=[42080->42080] S=[57344->57344]
    Oct 24 23:49:26	openvpn	51034	TCP/UDP: Preserving recently used remote address: [AF_INET]77.77.77.77:1194
    Oct 24 23:49:26	openvpn	51034	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
    Oct 24 23:49:26	openvpn	51034	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
    Oct 24 23:49:26	openvpn	51034	calc_options_string_link_mtu: link-mtu 1621 -> 1601
    Oct 24 23:49:26	openvpn	51034	crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
    Oct 24 23:49:26	openvpn	51034	calc_options_string_link_mtu: link-mtu 1621 -> 1601
    Oct 24 23:49:26	openvpn	51034	crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
    Oct 24 23:49:26	openvpn	51034	Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
    Oct 24 23:49:26	openvpn	51034	RESOLVE_REMOTE flags=0x0901 phase=1 rrs=0 sig=-1 status=0
    Oct 24 23:49:26	openvpn	51034	MTU DYNAMIC mtu=1450, flags=2, 1621 -> 1450
    Oct 24 23:49:26	openvpn	51034	Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
    Oct 24 23:49:26	openvpn	51034	PID packet_id_init seq_backtrack=64 time_backtrack=15
    Oct 24 23:49:26	openvpn	51034	PID packet_id_init seq_backtrack=64 time_backtrack=15
    Oct 24 23:49:26	openvpn	51034	PID packet_id_init seq_backtrack=64 time_backtrack=15
    Oct 24 23:49:26	openvpn	51034	PID packet_id_init seq_backtrack=64 time_backtrack=15
    Oct 24 23:49:26	openvpn	51034	PRNG init md=SHA1 size=36
    Oct 24 23:49:26	openvpn	51034	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 24 23:49:26	openvpn	51034	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Oct 24 23:49:26	openvpn	51034	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
    Oct 24 23:49:26	openvpn	51008	library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
    Oct 24 23:49:26	openvpn	51008	OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 16 2018
    Oct 24 23:49:26	openvpn	51008	auth_user_pass_file = '[UNDEF]'
    Oct 24 23:49:26	openvpn	51008	pull = ENABLED
    Oct 24 23:49:26	openvpn	51008	client = ENABLED
    Oct 24 23:49:26	openvpn	51008	port_share_port = '[UNDEF]'
    Oct 24 23:49:26	openvpn	51008	port_share_host = '[UNDEF]'
    Oct 24 23:49:26	openvpn	51008	auth_token_lifetime = 0
    Oct 24 23:49:26	openvpn	51008	auth_token_generate = DISABLED
    Oct 24 23:49:26	openvpn	51008	auth_user_pass_verify_script_via_file = DISABLED
    Oct 24 23:49:26	openvpn	51008	auth_user_pass_verify_script = '[UNDEF]'
    Oct 24 23:49:26	openvpn	51008	max_routes_per_client = 256
    Oct 24 23:49:26	openvpn	51008	max_clients = 1024
    Oct 24 23:49:26	openvpn	51008	cf_per = 0

    And here's my OpenVPN server log.

    Oct 24 16:44:25 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29070
    Oct 24 16:44:55 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29070]
    Oct 24 16:45:37 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29123
    Oct 24 16:46:06 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 3 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29123]
    Oct 24 16:46:55 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40205
    Oct 24 16:47:26 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40205]
    Oct 24 16:47:32 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:53641
    Oct 24 16:47:46 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 3 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:53641]
    Oct 24 16:47:55 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:44143
    Oct 24 16:48:26 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:44143]
    Oct 24 16:49:01 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:37533
    Oct 24 16:49:14 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 3 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:37533]
    Oct 24 16:49:25 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:9163
    Oct 24 16:49:28 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:9163
    Oct 24 16:49:28 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:2618
    Oct 24 16:49:58 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:2618]
    Oct 24 16:50:33 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13215
    Oct 24 16:51:03 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13215]
    Oct 24 16:51:38 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40634
    Oct 24 16:52:08 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40634]
    Oct 24 16:52:43 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:11610
    Oct 24 16:53:16 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:11610]
    Oct 24 16:53:48 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13097
    Oct 24 16:54:18 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13097]
    Oct 24 16:54:58 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:12906
    Oct 24 16:55:29 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:12906]
    Oct 24 16:56:18 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:54530
    

    77.77.77.77 is my VPS IP and 88.88.88.88 is my WAN IP

    My server.conf

    port 1194
    proto udp
    dev tun
    sndbuf 0
    rcvbuf 0
    ca ca.crt
    cert server.crt
    key server.key
    dh dh.pem
    auth SHA512
    tls-auth ta.key 0
    topology subnet
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 1.1.1.1"
    push "dhcp-option DNS 1.0.0.1"
    keepalive 10 120
    cipher AES-256-CBC
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    crl-verify crl.pem
    
    

    My pfSense client settings.

    0_1540400700244_61d2b425-d2dd-42bf-81b3-08b92b2c4925-image.png

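The server log above is the diagnostic signal in this thread: every packet from the pfSense WAN address is rejected with "cannot locate HMAC", which is the tls-auth check discarding control-channel packets that carry no valid HMAC, before any TLS handshake work is done. As an added example (not code from the thread or from OpenVPN), the script below parses syslog lines of that shape, unwraps rsyslog's "message repeated N times" summaries so the counts are not understated, and separates a known client that keeps failing (a configuration problem, as here) from unknown sources that tls-auth simply dropped. The log sample is constructed in the same format as the post; the hostname and the 77.77.77.77 / 88.88.88.88 addresses are the post's own placeholders, and 203.0.113.9 is a documentation address added to show an unrelated source.

```python
import re

# Constructed sample in the shape of the server syslog lines quoted in the post.
# 88.88.88.88 is the poster's placeholder WAN address; 203.0.113.9 is a documentation
# address added here to stand in for a source that is not one of our clients.
SAMPLE_LOG = """\
Oct 24 16:44:25 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29070
Oct 24 16:44:55 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29070]
Oct 24 16:45:37 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29123
Oct 24 16:46:06 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 3 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29123]
Oct 24 16:47:00 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.9:51000
Oct 24 16:47:05 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: 88.88.88.88:29200 TLS: Initial packet from [AF_INET]88.88.88.88:29200, sid=0c3f1a2b 9d8e7f60
"""

# rsyslog collapses identical consecutive lines into "message repeated N times: [ ... ]";
# the inner text must be unwrapped and weighted, or packet counts come out far too low.
REPEAT_RE = re.compile(r"message repeated (?P<n>\d+) times: \[ (?P<inner>.*)\]$")
HMAC_RE = re.compile(
    r"cannot locate HMAC in incoming packet from \[AF_INET\](?P<ip>[\d.]+):(?P<port>\d+)"
)


def count_hmac_failures(log_text):
    """Map source IP -> {'packets': n, 'ports': {...}} for packets the tls-auth HMAC
    check rejected. Each distinct source port is one client connection attempt."""
    per_ip = {}
    for line in log_text.splitlines():
        weight = 1
        rep = REPEAT_RE.search(line)
        if rep:
            weight = int(rep.group("n"))
            line = rep.group("inner")
        m = HMAC_RE.search(line)
        if not m:
            continue
        entry = per_ip.setdefault(m.group("ip"), {"packets": 0, "ports": set()})
        entry["packets"] += weight
        entry["ports"].add(int(m.group("port")))
    return per_ip


def classify(per_ip, known_clients):
    """Label each source. A known client address that keeps failing the HMAC check is
    almost always a configuration problem (no tls-auth key, or wrong key direction),
    which is exactly the case in this thread. Anything else was dropped before any
    TLS processing happened, which is what tls-auth is for."""
    labels = {}
    for ip, info in per_ip.items():
        if ip in known_clients:
            labels[ip] = (f"misconfigured client: {info['packets']} rejected packets over "
                          f"{len(info['ports'])} attempts; check tls-auth key and key-direction")
        else:
            labels[ip] = f"unknown source dropped by tls-auth ({info['packets']} packets)"
    return labels


if __name__ == "__main__":
    stats = count_hmac_failures(SAMPLE_LOG)
    for ip, label in classify(stats, known_clients={"88.88.88.88"}).items():
        print(ip, "->", label)
```

Run against a real journal with `journalctl -u openvpn@server | python3 this_script.py` style plumbing (feed the text into `count_hmac_failures`); the known-client set is whatever addresses your own sites connect from.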
    • P
      Pippin
      last edited by Pippin Oct 24, 2018, 5:27 PM Oct 24, 2018, 5:26 PM

      You would be better off learning to configure OpenVPN manually.

      We possibly need the client config file generated by "the script that does wonders" ;)

      What is visible for now is that the server uses

      tls-auth ta.key 0
      

      but the client is missing the TLS key (with key-direction 1), hence the server log complaining

      TLS Error: cannot locate HMAC in incoming packet from
      

      Also, in the server config use absolute paths to files.

      I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
      Halton Arp

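The diagnosis above rests on three things that can be checked mechanically: the server's `tls-auth ta.key 0` requires the client to hold the same static key with the complementary direction 1; `auth` and `cipher` must agree on both sides (the client log's "Expected Remote Options String" and "Local Options String"); and the client should carry `remote-cert-tls server`, otherwise the client log shows the "No server certificate verification method has been enabled" warning. The following checker is an added example, not part of the thread or of OpenVPN; it parses a server config and a client config, reports the mismatches, and also flags the relative paths in the server config that Pippin mentions. The two client configs are constructed from the posted ones with placeholder certificate and key bodies; the "fixed" variant is the same client with an inline `<tls-auth>` block pasted in.

```python
import re

# Constructed from the server.conf quoted in the thread (routing/push lines omitted).
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
cipher AES-256-CBC
crl-verify crl.pem
"""

# What the pfSense client was effectively sending: key-direction set, but no TLS key.
# Certificate body is a placeholder, not real material.
CLIENT_BROKEN = """\
client
dev tun
proto udp
remote 77.77.77.77 1194
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""

# Same client with the static key pasted in (placeholder body); direction 1 complements 0.
CLIENT_FIXED = CLIENT_BROKEN + """\
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
"""

INLINE_TAG = re.compile(r"<([a-z-]+)>")


def parse_ovpn(text):
    """Return (directives, inline_blocks): directive name -> list of argument lists,
    plus the set of inline <tag>...</tag> blocks present. Block bodies are not kept."""
    directives, inline, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if current:                       # inside an inline block: skip until it closes
            if line == f"</{current}>":
                current = None
            continue
        m = INLINE_TAG.fullmatch(line)
        if m:
            current = m.group(1)
            inline.add(current)
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, inline


def arg(directives, name, idx=0):
    """The idx-th argument of a directive's first occurrence, or None."""
    occ = directives.get(name)
    return occ[0][idx] if occ and len(occ[0]) > idx else None


def check_pair(server_text, client_text):
    """Return {'client': [...], 'server': [...]} findings for a client/server config pair."""
    s, s_inline = parse_ovpn(server_text)
    c, c_inline = parse_ovpn(client_text)
    client_issues, server_issues = [], []

    # 1. tls-auth: the server discards control packets without a valid HMAC before TLS
    #    starts ("cannot locate HMAC" in its log). The client needs the same static key
    #    with the opposite direction: server 0 -> client 1.
    if "tls-auth" in s or "tls-auth" in s_inline:
        if "tls-auth" not in c and "tls-auth" not in c_inline:
            client_issues.append("no tls-auth key on the client; server will log 'cannot locate HMAC'")
        else:
            server_dir = arg(s, "tls-auth", 1) or arg(s, "key-direction")
            client_dir = arg(c, "tls-auth", 1) or arg(c, "key-direction")
            want = {"0": "1", "1": "0"}.get(server_dir)
            if want and client_dir != want:
                client_issues.append(f"tls-auth direction {client_dir!r}, expected {want!r} (server uses {server_dir!r})")
    elif ("tls-crypt" in s or "tls-crypt" in s_inline) and not ("tls-crypt" in c or "tls-crypt" in c_inline):
        client_issues.append("server uses tls-crypt but the client has no tls-crypt key")

    # 2. Data-channel parameters must agree, or the two options strings in the client log differ.
    for name in ("auth", "cipher"):
        if arg(s, name) != arg(c, name):
            client_issues.append(f"{name} mismatch: server {arg(s, name)!r}, client {arg(c, name)!r}")

    # 3. Without this the client accepts any CA-signed certificate as the server
    #    (the 'No server certificate verification method' warning).
    if "remote-cert-tls" not in c and "verify-x509-name" not in c:
        client_issues.append("client does not verify the server certificate role (add 'remote-cert-tls server')")

    # 4. Relative paths resolve against the daemon's working directory; use absolute ones.
    for name in ("ca", "cert", "key", "dh", "tls-auth", "tls-crypt", "crl-verify"):
        path = arg(s, name)
        if path and not path.startswith("/"):
            server_issues.append(f"'{name} {path}' is a relative path")

    return {"client": client_issues, "server": server_issues}


if __name__ == "__main__":
    for label, cfg in (("broken", CLIENT_BROKEN), ("fixed", CLIENT_FIXED)):
        print(label, check_pair(SERVER_CONF, cfg))
```

On a pfSense client the equivalent of the inline `<tls-auth>` block is the TLS key pasted into the client's TLS configuration with the key direction set to 1; the checker treats a `tls-auth file 1` line, an inline block plus `key-direction 1`, or `tls-crypt` (which has no direction) as equivalent ways of satisfying the server.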
      • W
        warheat1990 @Pippin
        last edited by warheat1990 Oct 24, 2018, 5:32 PM Oct 24, 2018, 5:27 PM

        @pippin Here's the client.ovpn

        client
        dev tun
        proto udp
        sndbuf 0
        rcvbuf 0
        remote 77.77.77.77 1194
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        remote-cert-tls server
        auth SHA512
        cipher AES-256-CBC
        setenv opt block-outside-dns
        key-direction 1
        verb 3
        <ca>
        -----BEGIN CERTIFICATE-----
        MIIDKzCCAhOgAwIBAgIJAKtAKxoFxc14MA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
        
        • N
          NinoM4ster @warheat1990
          last edited by Oct 24, 2018, 5:30 PM

          This post is deleted!
          • W
            warheat1990 @NinoM4ster
            last edited by Oct 24, 2018, 5:33 PM

            @Pippin "but the client is missing the TLS key (with key-direction 1), hence the server log complaining". Dammit, this is it. Thanks it works.

            @ninom4ster aw shiett!

            • P
              Pippin
              last edited by Oct 24, 2018, 5:35 PM

              Ah was just writing ;)

              There you go...


              • E
                emirefek @warheat1990
                last edited by Apr 22, 2019, 9:51 AM

                @warheat1990 What is it? How can I fix it? The fix post is deleted.
