OpenVPN: Insufficient key material or header text not found



  • I have 3 pfSense boxes set up. OpenVPN on all 3. The setup on all of them was done using the OpenVPN wizard, then the Client Export package to export a config for each user.
    All 3 are using TLS plus username/pw.
    But I can't connect to one of the boxes, getting the error message in the subject line on the client.
    In the pfSense system logs / OpenVPN log, I get:

    • Jan 4 14:21:21 openvpn 6807 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server1.sock
    • Jan 4 14:21:21 openvpn 6807 WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
    • Jan 4 14:21:21 openvpn 6807 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    • Jan 4 14:21:21 openvpn 6807 PLUGIN_INIT: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so '[/usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so] [/usr/local/sbin/ovpn_auth_verify_async] [user] [TG9jYWwgRGF0YWJhc2U=] [true] [server1] [1194]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
    • Jan 4 14:21:21 openvpn 6807 Diffie-Hellman initialized with 2048 bit key
    • Jan 4 14:21:21 openvpn 6807 Insufficient key material or header text not found in file '/var/etc/openvpn/server1.tls-auth' (0/128/256 bytes found/min/max)
    • Jan 4 14:21:21 openvpn 6807 Exiting due to fatal error

    I've been over my OpenVPN settings multiple times. Settings (other than WAN IPs) are AFAICT identical.

    Where do I start looking?

    Oh - I had this problem: OpenVPN connecting fine, but connected clients could not pass any data (no pings to the FW or to PCs on the LAN), so I deleted the OpenVPN server and FW rule, recreated both with the wizard, and re-exported the client configs. Could I have screwed up something by doing that?
    Thanks!

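
    The fatal line in the log above is OpenVPN refusing the TLS key file pfSense wrote for this server instance: "0/128/256 bytes found/min/max" means it found no key material at all, not that the key was malformed. An OpenVPN static key (the output of `openvpn --genkey`, used for tls-auth) is a hex body between `-----BEGIN OpenVPN Static key V1-----` and `-----END OpenVPN Static key V1-----` markers; for tls-auth OpenVPN wants at least 128 decoded bytes (one direction's cipher + HMAC key) and at most 256 (both directions). The script below is an added example, not part of this thread and not pfSense or OpenVPN code; it reproduces that check so a file on disk (for example the path in the log) or a key pasted out of the server settings can be tested before restarting the service. The sample key it embeds is a constructed byte ramp, not a real key, and the "Too much key material" wording is this script's own.

```python
"""Check an OpenVPN static (tls-auth) key file the way OpenVPN's key loader does."""
import re
import sys
from typing import Optional

BEGIN_MARKER = "-----BEGIN OpenVPN Static key V1-----"
END_MARKER = "-----END OpenVPN Static key V1-----"
ONE_KEY_LEN = 128   # one direction's key (cipher + HMAC); the "min" in the log line
FULL_KEY_LEN = 256  # both directions; the "max" in the log line


def parse_static_key(text: str) -> Optional[bytes]:
    """Return the decoded key bytes, or None if the BEGIN/END header text is
    absent or the body between the markers is not clean hex."""
    lines = [line.strip() for line in text.splitlines()]
    if BEGIN_MARKER not in lines or END_MARKER not in lines:
        return None
    start = lines.index(BEGIN_MARKER) + 1
    end = lines.index(END_MARKER)
    if end < start:
        return None
    body = "".join(line for line in lines[start:end]
                   if line and not line.startswith("#"))
    if len(body) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", body):
        return None
    return bytes.fromhex(body)


def check_static_key(text: str) -> str:
    """Verdict in the shape of the log message: 'ok' or an error string."""
    key = parse_static_key(text)
    found = 0 if key is None else len(key)
    if key is None or found < ONE_KEY_LEN:
        return ("Insufficient key material or header text not found "
                f"({found}/{ONE_KEY_LEN}/{FULL_KEY_LEN} bytes found/min/max)")
    if found > FULL_KEY_LEN:
        return f"Too much key material ({found}/{FULL_KEY_LEN} bytes found/max)"
    return "ok"


def check_file(path: str) -> str:
    """Run the check on a file on disk, e.g. /var/etc/openvpn/server1.tls-auth."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return check_static_key(fh.read())


def make_sample_key_file(key: bytes) -> str:
    """Format raw bytes as a static key file: 32 hex chars per line, as --genkey writes."""
    hexdata = key.hex()
    body = "\n".join(hexdata[i:i + 32] for i in range(0, len(hexdata), 32))
    return f"#\n# 2048 bit OpenVPN static key\n#\n{BEGIN_MARKER}\n{body}\n{END_MARKER}\n"


# Constructed samples. The byte ramp is NOT a real key; real keys come from `openvpn --genkey`.
SAMPLE_KEY_FILE = make_sample_key_file(bytes(range(FULL_KEY_LEN)))
EMPTY_KEY_FILE = ""                                          # the 0-byte case from the log
TRUNCATED_KEY_FILE = make_sample_key_file(bytes(range(64)))  # header present, key too short

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, "->", check_file(path))
    for name, content in (("sample", SAMPLE_KEY_FILE),
                          ("empty", EMPTY_KEY_FILE),
                          ("truncated", TRUNCATED_KEY_FILE)):
        print(name, "->", check_static_key(content))
```

    Run it on the box against the path from the log (`python3 check_tls_auth.py /var/etc/openvpn/server1.tls-auth`). A "0/128/256" result means the file is empty, so the thing to inspect is whatever populates it: on pfSense that is the TLS Key text in the server's OpenVPN settings, which must contain the full BEGIN/END block.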

  • LAYER 8 Rebel Alliance

    I'm not sure I understand correctly what you are doing.
    You're talking about 3 pfSense boxes... so you want them to connect together as a Site-to-Site VPN? Doing this with the Wizard is wrong; the Wizard is only for Remote Access Server setups.
    Check the docs on how to set up Site-to-Site VPNs manually: https://www.netgate.com/docs/pfsense/vpn/openvpn/index.html

    -Rico



  • Yes, 3 boxes, but no, not connecting them together with OpenVPN (using IPsec VTI for that). It's just that each site has different users, and if there's a snow day they'd need to work from home. With 2 of the boxes (one Netgate, one white box) OpenVPN has been problem-free. Just one has issues. I'm thinking it might be a bad install, and that I need to redo the installation.
    This particular office had a Netgate box fail when I upgraded to 2.4.4 (nothing on the serial terminal no matter what I did with the reset button), so I swapped in a spare 3-NIC PC, installed pfSense on that - and OpenVPN was working fine there, too. But I needed more NICs, so I bought another white box, installed pfSense - and everything is working except OpenVPN. I guess I know what I'm doing this weekend. Sigh...