TLS Encryption and Authentication not working. Authentication only, working fine
-
When I have in the openvpn server, TLS Key usage mode = with Authentication only, I can make a connection with pfSense.
But when I just enable TLS Key usage mode = TLS Encryption and Authentication, I don't get a connection with pfSense. Anybody any idea what I am doing wrong?
-
@maartenv what client are you using?
-
@johnpoz Most clients (Linux)
-
What is most clients? What is the specific version number? Did you adjust your client config to reflect the change in your server config?
-
@johnpoz I suppose I misunderstood your question about what client I was using. My answer was "Most Clients" in the Client Export window, under OpenVPN Clients. If you did not mean that, which client do you mean? The "user" as a client?
While writing this answer I think I already see what I am doing wrong. I am using Authentication Only (No Cert).
-
What I mean by client is what version number of the client software is the user running? 2.4.x, 2.3.x, 2.5?
There are multiple versions of the client - and a while back for example the client on iOS did not support encryption - only auth.
-
@johnpoz OpenVPN 2.4.7 x86_64-pc-linux-gnu.
-
Well that for sure is a dated client.. Almost 2 years old. But it should support encryption and auth..
You need to make sure you're set in the client for "tls-crypt" and yes you have to have a TLS key set up..
-
@johnpoz Yes, I know it is outdated, though I am using Ubuntu 20.04 LTS. And I wanted to keep it like that because there is a chance that more users will try to log in with an older OpenVPN version.
I remember that there should be a field that disables 2.5 requirements. But I forgot where and I can't find it anymore? Could you tell me?
And yes, I generated a TLS key
-
@maartenv that is in the client export util
-
@maartenv Thanks, I was afraid I forgot to set that, but I did. OpenVPN 2.5 settings are not included.
Can it have something to do with the fact that I use Adaptive LZO Compression or the NCP Encryption Algorithms?
-
@johnpoz It is still not working. I have set up OpenVPN completely new but still the same. Without encryption it is working fine, but not with encryption.
Can it have something to do with the NCP Encryption Algorithms? When I look at the certificates, they are exactly the same, the only difference is that <tls-auth> is changed to <tls-crypt> and that in the tls-crypt file the line key-direction 1 disappeared.
But furthermore both certificates and OpenVPN static keys V1 are 100% identical
-
johnpoz LAYER 8 Global Moderator last edited by johnpoz Dec 16, 2020, 11:22 PM Dec 16, 2020, 11:21 PM
@maartenv said in TLS Encryption and Authentication not working. Authentication only, working fine:
I use Adaptive LZO Compression
You understand that was compromised quite some time ago and should not be used..
What like 2 years ago
https://community.openvpn.net/openvpn/wiki/VORACLE
Post up your config.. I have no idea what else you're doing.. To be honest you run through the wizard, and you have server up and running in like 2 minutes..
-
@johnpoz Running the wizard again is exactly what I already did, with for the most part the default settings, like Omit preference. Please give me 15 minutes, then I will upload the config.
-
@johnpoz The config: 0_1608162720468_OpenVPN.config.pdf
-
johnpoz LAYER 8 Global Moderator last edited by johnpoz Dec 17, 2020, 12:21 AM Dec 17, 2020, 12:15 AM
-
@johnpoz This is normally working. The problem is that when I set TLS Authentication to TLS Encryption and Authentication I don't get a connection anymore.
-
You're not using TLS.. so how would it encrypt.. You just have user auth set, not remote (ssl/tls)
-
@johnpoz You are right. Let me check again. I did that as well and also did not work, but I changed several other settings at the same time (stupid) and I had set it back to just the auth setting and now I forgot to enable SSL/TLS again.
-
@johnpoz Now I remember: In that case I could not create a new cert. Instead I got the message "If a client is missing from the list it is likely due to a CA mismatch between the OpenVPN server instance and the client certificate"
JohnPoz, I appreciate your help quite a lot, but here (Amsterdam) it is 1.30 am and I have to get up early tomorrow morning.
Tomorrow I will focus on that. Hope I can solve it then.
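
The client/server mismatch discussed in this thread (a profile still carrying `<tls-auth>` and `key-direction 1` while the server expects `tls-crypt`, plus the LZO compression johnpoz flags) can be checked against an exported profile with a short script. This is an added example, not part of any post and not pfSense code; the sample profile, the hostname and the function names are constructed for illustration.

```python
import re

# Constructed sample (not the PDF from the thread): a client profile still using
# tls-auth after the server was switched to "TLS Encryption and Authentication".
SAMPLE_CLIENT = """\
client
dev tun
remote vpn.example.test 1194 udp
auth-user-pass
comp-lzo adaptive
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(constructed placeholder, not a real key)
-----END OpenVPN Static key V1-----
</tls-auth>
"""

def parse_profile(text):
    """Return (directives, inline_blocks) found in an .ovpn profile."""
    directives, blocks, inside = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if inside:                      # skip key/cert material inside <tag>...</tag>
            if line == f"</{inside}>":
                inside = None
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            inside = m.group(1)
            blocks.add(inside)
        elif line and line[0] not in "#;":
            name, _, args = line.partition(" ")
            directives[name] = args.strip()
    return directives, blocks

def check_client(text, server_mode):
    """server_mode: 'tls-auth' or 'tls-crypt', matching the server's TLS key usage mode."""
    directives, blocks = parse_profile(text)
    modes = sorted(m for m in ("tls-auth", "tls-crypt") if m in directives or m in blocks)
    findings = []
    if modes != [server_mode]:
        findings.append(f"MISMATCH: server uses {server_mode}, client has {modes or 'no TLS key'}")
    if "tls-crypt" in modes and "key-direction" in directives:
        findings.append("STALE: key-direction is not needed with tls-crypt")
    lzo = "comp-lzo" in directives and directives["comp-lzo"] != "no"
    if lzo or directives.get("compress", "") not in ("", "stub", "stub-v2"):
        findings.append("COMPRESSION: enabled on the tunnel (see VORACLE)")
    return findings

if __name__ == "__main__":
    print("\n".join(check_client(SAMPLE_CLIENT, "tls-crypt")))
```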