I have setup an OpenVPN server on Ubuntu but pfsense as OpenVPN client won't connect, Windows client is working fine
-
So I use DigitalOcean and spun up Ubuntu in one of the droplets.
I installed OpenVPN using this quick install script inside the Ubuntu server: https://github.com/Nyr/openvpn-install
Then I generated a .ovpn file (without username and password) and tested it on a Windows machine using Pritunl, and it works fine. However, when I tried it on pfSense, it doesn't work. Here's the log.
```
Oct 24 23:50:06 openvpn 51034 SENT PING
Oct 24 23:50:06 openvpn 51034 TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Oct 24 23:49:56 openvpn 51034 UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Oct 24 23:49:50 openvpn 51034 SENT PING
Oct 24 23:49:50 openvpn 51034 TLS Warning: no data channel send key available: [key#0 state=S_PRE_START id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Oct 24 23:49:40 openvpn 51034 UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Oct 24 23:49:32 openvpn 51034 UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Oct 24 23:49:31 openvpn 51034 MANAGEMENT: Client disconnected
Oct 24 23:49:31 openvpn 51034 MANAGEMENT: CMD 'state 1'
Oct 24 23:49:31 openvpn 51034 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Oct 24 23:49:28 openvpn 51034 UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Oct 24 23:49:26 openvpn 51034 UDPv4 WRITE [14] to [AF_INET]77.77.77.77:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Oct 24 23:49:26 openvpn 51034 SENT PING
Oct 24 23:49:26 openvpn 51034 TLS Warning: no data channel send key available: [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Oct 24 23:49:26 openvpn 51034 UDPv4 link remote: [AF_INET]77.77.77.77:1194
Oct 24 23:49:26 openvpn 51034 UDPv4 link local (bound): [AF_INET]88.88.88.88:0
Oct 24 23:49:26 openvpn 51034 Socket Buffers: R=[42080->42080] S=[57344->57344]
Oct 24 23:49:26 openvpn 51034 TCP/UDP: Preserving recently used remote address: [AF_INET]77.77.77.77:1194
Oct 24 23:49:26 openvpn 51034 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Oct 24 23:49:26 openvpn 51034 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Oct 24 23:49:26 openvpn 51034 calc_options_string_link_mtu: link-mtu 1621 -> 1601
Oct 24 23:49:26 openvpn 51034 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Oct 24 23:49:26 openvpn 51034 calc_options_string_link_mtu: link-mtu 1621 -> 1601
Oct 24 23:49:26 openvpn 51034 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Oct 24 23:49:26 openvpn 51034 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Oct 24 23:49:26 openvpn 51034 RESOLVE_REMOTE flags=0x0901 phase=1 rrs=0 sig=-1 status=0
Oct 24 23:49:26 openvpn 51034 MTU DYNAMIC mtu=1450, flags=2, 1621 -> 1450
Oct 24 23:49:26 openvpn 51034 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Oct 24 23:49:26 openvpn 51034 PID packet_id_init seq_backtrack=64 time_backtrack=15
Oct 24 23:49:26 openvpn 51034 PID packet_id_init seq_backtrack=64 time_backtrack=15
Oct 24 23:49:26 openvpn 51034 PID packet_id_init seq_backtrack=64 time_backtrack=15
Oct 24 23:49:26 openvpn 51034 PID packet_id_init seq_backtrack=64 time_backtrack=15
Oct 24 23:49:26 openvpn 51034 PRNG init md=SHA1 size=36
Oct 24 23:49:26 openvpn 51034 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 24 23:49:26 openvpn 51034 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 24 23:49:26 openvpn 51034 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Oct 24 23:49:26 openvpn 51008 library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
Oct 24 23:49:26 openvpn 51008 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 16 2018
Oct 24 23:49:26 openvpn 51008 auth_user_pass_file = '[UNDEF]'
Oct 24 23:49:26 openvpn 51008 pull = ENABLED
Oct 24 23:49:26 openvpn 51008 client = ENABLED
Oct 24 23:49:26 openvpn 51008 port_share_port = '[UNDEF]'
Oct 24 23:49:26 openvpn 51008 port_share_host = '[UNDEF]'
Oct 24 23:49:26 openvpn 51008 auth_token_lifetime = 0
Oct 24 23:49:26 openvpn 51008 auth_token_generate = DISABLED
Oct 24 23:49:26 openvpn 51008 auth_user_pass_verify_script_via_file = DISABLED
Oct 24 23:49:26 openvpn 51008 auth_user_pass_verify_script = '[UNDEF]'
Oct 24 23:49:26 openvpn 51008 max_routes_per_client = 256
Oct 24 23:49:26 openvpn 51008 max_clients = 1024
Oct 24 23:49:26 openvpn 51008 cf_per = 0
```
And here's my OpenVPN server log.
```
Oct 24 16:44:25 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29070
Oct 24 16:44:55 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29070]
Oct 24 16:45:37 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29123
Oct 24 16:46:06 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 3 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:29123]
Oct 24 16:46:55 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40205
Oct 24 16:47:26 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40205]
Oct 24 16:47:32 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:53641
Oct 24 16:47:46 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 3 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:53641]
Oct 24 16:47:55 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:44143
Oct 24 16:48:26 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:44143]
Oct 24 16:49:01 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:37533
Oct 24 16:49:14 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 3 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:37533]
Oct 24 16:49:25 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:9163
Oct 24 16:49:28 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:9163
Oct 24 16:49:28 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:2618
Oct 24 16:49:58 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:2618]
Oct 24 16:50:33 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13215
Oct 24 16:51:03 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13215]
Oct 24 16:51:38 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40634
Oct 24 16:52:08 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:40634]
Oct 24 16:52:43 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:11610
Oct 24 16:53:16 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:11610]
Oct 24 16:53:48 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13097
Oct 24 16:54:18 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:13097]
Oct 24 16:54:58 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:12906
Oct 24 16:55:29 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:12906]
Oct 24 16:56:18 ubuntu-s-1vcpu-1gb-nyc1-01 ovpn-server[17453]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]88.88.88.88:54530
```
77.77.77.77 is my VPS IP and 88.88.88.88 is my WAN IP.
My server.conf:
```
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
```
My pfSense client settings.
-
You would be better off learning to configure OpenVPN manually.
We possibly need the client config file generated by "the script that does wonders" ;)
What is visible for now is that the server uses
tls-auth ta.key 0
but the client is missing the TLS key (with key-direction 1), hence the server log complaining
TLS Error: cannot locate HMAC in incoming packet from
Also, in the server config use absolute paths to files.
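A small consistency check for the mismatch described above, added here as an example and not part of this thread or of the install script: it parses a server.conf and a client .ovpn (the samples are constructed, modelled on the configs posted) and reports a missing tls-auth key, a wrong key-direction, or a differing --auth digest, which the tls-auth HMAC also depends on.

```python
import re

# Constructed samples modelled on the thread: server has "tls-auth ta.key 0", the first client.ovpn had key-direction 1 but no key
SERVER_CONF = "port 1194\nproto udp\nauth SHA512\ntls-auth ta.key 0\ncipher AES-256-CBC\n"
CLIENT_BROKEN = "client\nremote 77.77.77.77 1194\nauth SHA512\ncipher AES-256-CBC\nkey-direction 1\n"
CLIENT_FIXED = CLIENT_BROKEN + ("<tls-auth>\n-----BEGIN OpenVPN Static key V1-----\n"
    "0000000000000000\n-----END OpenVPN Static key V1-----\n</tls-auth>\n")  # constructed, not a real key

def parse_openvpn(text):
    """Split a config into {directive: args} and {inline block name: body}; first directive wins."""
    directives, blocks, block, body = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if tag and not tag.group(1):       # opening tag such as <tls-auth>
            block, body = tag.group(2), []
        elif tag:                          # closing tag: store the collected body
            blocks[block], block = "\n".join(body), None
        elif block is not None:
            body.append(line)
        else:
            name, *args = line.split()
            directives.setdefault(name, args)
    return directives, blocks

def tls_auth_direction(directives, blocks):
    """(has_key, direction): direction is '0', '1' or None for a bidirectional key."""
    args = directives.get("tls-auth")
    has_key = args is not None or "tls-auth" in blocks
    if args and len(args) > 1:             # "tls-auth file 0" carries the direction itself
        return has_key, args[1]
    kd = directives.get("key-direction")   # used together with an inline <tls-auth> block
    return has_key, (kd[0] if kd else None)

def check_client_against_server(server_text, client_text):
    """Mismatches that make the server log 'cannot locate HMAC in incoming packet'."""
    server, client = parse_openvpn(server_text), parse_openvpn(client_text)
    s_has, s_kd = tls_auth_direction(*server)
    c_has, c_kd = tls_auth_direction(*client)
    findings = []
    if s_has and not c_has:
        findings.append("client has no tls-auth key (file or <tls-auth> block)")
    elif s_has and c_has and c_kd != {"0": "1", "1": "0", None: None}[s_kd]:
        findings.append(f"key-direction mismatch: server {s_kd}, client {c_kd}")
    # the tls-auth HMAC is computed with the --auth digest (default SHA1), so that must match too
    if server[0].get("auth", ["SHA1"]) != client[0].get("auth", ["SHA1"]):
        findings.append("auth digest differs between server and client")
    return findings
```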
-
@pippin Here's the client.ovpn
```
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote 77.77.77.77 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
setenv opt block-outside-dns
key-direction 1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIDKzCCAhOgAwIBAgIJAKtAKxoFxc14MA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
```
-
This post is deleted!
-
@Pippin "but the client is missing the TLS key (with key-direction 1), hence the server log complaining". Dammit, this is it. Thanks it works.
@ninom4ster aw shiett!
-
Ah was just writing ;)
There you go...
-
@warheat1990 What is it? How can I fix it? The fix post is deleted.