[SOLVED] pfSense w/OpenVPN; Ubuntu Clients



  • I'm relatively new to this whole thing, but let me give you a rundown of what's going on.

    pfSense server with OVPN running. Windows users can connect just fine. Mac users can connect just fine. The connection is TLS+Auth.

    I'm working on setting up some laptops with Ubuntu for some remote users and I cannot get them to connect to the VPN. I'm using the Ubuntu network-manager-openvpn GUI.

    When trying to set it up I create a new connection, use our WAN IP, select TLS+Auth, input my username, and set the password to always ask.
    User cert from pfSense Cert Manager>Certs>export my cert
    CA Cert from pfSense Cert Manager>CA's>export CA cert
    Private Key from pfsense Cert Manager>Certs>export my key

    I make the following changes in Advanced>Security
    -Cipher AES-128-CBC
    -HMAC Auth SHA-1

    as these are what is in my config:

    
    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote our.ip 1194 udp
    lport 0
    verify-x509-name "www.oursite.com" name
    auth-user-pass
    pkcs12 pfsense-charter.firewall.hq-udp-1194-ipeek.p12
    tls-auth pfsense-charter.firewall.hq-udp-1194-ipeek-tls.key 1
    ns-cert-type server
    
    

    Under Advanced>General I select "Use Custom Gateway Port 1149"

    I save it, try to connect, and get the following in our pfSense OpenVPN logs:

    
    pfsense-charter openvpn[22432]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.168.2.115:55163
    
    

    That is using the Network-Manager GUI.

    I have also tried from the command line from /etc/openvpn, and this is what I get:

    
    Mon Apr 21 09:37:49 2014 OpenVPN 2.2.1 i686-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 13 2014
    Mon Apr 21 09:37:49 2014 WARNING: file 'login.conf' is group or others accessible
    Mon Apr 21 09:37:49 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Mon Apr 21 09:37:49 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Mon Apr 21 09:37:49 2014 WARNING: file 'Isaac+Peek.key' is group or others accessible
    Mon Apr 21 09:37:49 2014 WARNING: file 'VN_VPN-CA.key' is group or others accessible
    Mon Apr 21 09:37:49 2014 Control Channel Authentication: using 'VN_VPN-CA.key' as a free-form passphrase file
    Mon Apr 21 09:37:49 2014 LZO compression initialized
    Mon Apr 21 09:37:49 2014 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
    Mon Apr 21 09:37:49 2014 UDPv4 link local: [undef]
    Mon Apr 21 09:37:49 2014 UDPv4 link remote: [AF_INET]xx.xx.x.xxx:1194
    Mon Apr 21 09:38:49 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon Apr 21 09:38:49 2014 TLS Error: TLS handshake failed
    Mon Apr 21 09:38:49 2014 SIGUSR1[soft,tls-error] received, process restarting
    Mon Apr 21 09:38:51 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Mon Apr 21 09:38:51 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Mon Apr 21 09:38:51 2014 Re-using SSL/TLS context
    Mon Apr 21 09:38:51 2014 LZO compression initialized
    Mon Apr 21 09:38:51 2014 UDPv4 link local: [undef]
    Mon Apr 21 09:38:51 2014 UDPv4 link remote: [AF_INET]xx.xx.x.xxx:1194
    Mon Apr 21 09:39:52 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon Apr 21 09:39:52 2014 TLS Error: TLS handshake failed
    Mon Apr 21 09:39:52 2014 SIGUSR1[soft,tls-error] received, process restarting
    Mon Apr 21 09:39:54 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Mon Apr 21 09:39:54 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Mon Apr 21 09:39:54 2014 Re-using SSL/TLS context
    Mon Apr 21 09:39:54 2014 LZO compression initialized
    Mon Apr 21 09:39:54 2014 UDPv4 link local: [undef]
    Mon Apr 21 09:39:54 2014 UDPv4 link remote: [AF_INET]xx.xx.x.xxx:1194
    Mon Apr 21 09:40:54 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon Apr 21 09:40:54 2014 TLS Error: TLS handshake failed
    Mon Apr 21 09:40:54 2014 SIGUSR1[soft,tls-error] received, process restarting
    Mon Apr 21 09:40:56 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Mon Apr 21 09:40:56 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Mon Apr 21 09:40:56 2014 Re-using SSL/TLS context
    Mon Apr 21 09:40:56 2014 LZO compression initialized
    Mon Apr 21 09:40:56 2014 UDPv4 link local: [undef]
    Mon Apr 21 09:40:56 2014 UDPv4 link remote: [AF_INET]xx.xx.x.xxx:1194
    
    

    My client config:

    
    client
    dev tun
    proto udp
    remote xx.xx.x.xxx 1194
    resolv-retry infinite
    nobind
    user nobody
    group nogroup
    persist-key
    persist-tun
    auth-user-pass login.conf
    ca VN_VPN-CA.crt
    cert Isaac+Peek.crt
    key  Isaac+Peek.key
    tls-auth VN_VPN-CA.key
    comp-lzo
    cipher AES-128-CBC
    pull dhcp-options
    

    My server config:

    
    dev ovpns1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local xx.xx.x.xxx
    tls-server
    server 10.0.8.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server1.php via-env
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 25
    push "route 192.168.2.0 255.255.255.0"
    client-to-client
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    persist-remote-ip
    float
    

    And finally here are the openvpn logs on the server:

    
    Apr 21 11:43:00	pfsense-charter openvpn[32526]: TLS Error: incoming packet authentication failed from [AF_INET]192.168.2.115:42349
    Apr 21 11:43:00	pfsense-charter openvpn[32526]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Apr 21 11:42:58	pfsense-charter openvpn[32526]: TLS Error: incoming packet authentication failed from [AF_INET]192.168.2.115:42349
    Apr 21 11:42:58	pfsense-charter openvpn[32526]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    


  • This can be closed.

    My problem was with the TLS-Auth key. I did have the wrong one. Once I edited the key and added the 1 behind it in my conf it resolved the problem.

    As for the GUI, it too works. I needed to go into the Advanced settings and enable TLS-Auth and choose my key. It now works like a charm.

    Thanks for the help Jimp.
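The mismatch diagnosed in this thread, as an added example that is not part of the original posts: a small Python linter that parses a client and a server OpenVPN config and reports the tls-auth key-direction and cipher/auth disagreements behind the two HMAC errors in the server log (no tls-auth on the client at all gives "cannot locate HMAC in incoming packet"; a tls-auth key with the wrong or missing direction gives "packet HMAC authentication failed"). The sample configs are constructed excerpts modelled on the ones above, and the fallback values BF-CBC and SHA1 are assumed to be the OpenVPN 2.x defaults when `cipher`/`auth` are omitted.

```python
from typing import Dict, List, Optional


def parse_openvpn(text: str) -> Dict[str, List[str]]:
    """Map each directive to its argument list; '#'/';' comments and blank lines are skipped."""
    cfg: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        cfg[name] = args  # a later occurrence of the same directive overrides an earlier one
    return cfg


def key_direction(cfg: Dict[str, List[str]]) -> Optional[str]:
    """Direction argument of tls-auth ('0' or '1'); None means no direction was given."""
    args = cfg["tls-auth"]
    return args[1] if len(args) > 1 else None


def lint(client_text: str, server_text: str) -> List[str]:
    """Return the client/server disagreements that break the TLS control channel."""
    client, server = parse_openvpn(client_text), parse_openvpn(server_text)
    findings: List[str] = []
    if "tls-auth" in server and "tls-auth" not in client:
        findings.append("client lacks tls-auth: server logs 'cannot locate HMAC in incoming packet'")
    elif "tls-auth" in server:
        s_dir, c_dir = key_direction(server), key_direction(client)
        expected = {"0": "1", "1": "0"}.get(s_dir)  # directions must be opposite, or both absent
        if c_dir != expected:
            findings.append(f"tls-auth direction mismatch: server {s_dir!r}, client {c_dir!r}, "
                            f"expected {expected!r}: server logs 'packet HMAC authentication failed'")
    # Assumed OpenVPN 2.x defaults when the directive is absent on one side.
    for opt, default in (("cipher", "BF-CBC"), ("auth", "SHA1")):
        c_val, s_val = client.get(opt, [default])[0], server.get(opt, [default])[0]
        if c_val.upper() != s_val.upper():
            findings.append(f"{opt} mismatch: client {c_val}, server {s_val}")
    return findings


# Constructed excerpts modelled on the thread's configs (server keys tls-auth with direction 0).
SERVER = "proto udp\ncipher AES-128-CBC\ntls-server\ntls-auth /var/etc/openvpn/server1.tls-auth 0\n"
CLIENT_BEFORE = "client\ncipher AES-128-CBC\ntls-auth VN_VPN-CA.key\n"      # no direction: fails
CLIENT_AFTER = CLIENT_BEFORE.replace("VN_VPN-CA.key", "VN_VPN-CA.key 1")      # the thread's fix

if __name__ == "__main__":
    for name, text in (("before", CLIENT_BEFORE), ("after", CLIENT_AFTER)):
        print(name, lint(text, SERVER) or ["ok"])
```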