Netgate Discussion Forum
    [SOLVED] pfSense w/OpenVPN; Ubuntu Clients

    Ipeek

      I'm relatively new to this whole thing, but let me give you a rundown of what's going on.

      pfSense server with OVPN running. Windows users can connect just fine. Mac users can connect just fine. The connection is TLS+Auth.

      I'm working on setting up some laptops with Ubuntu for some remote users and I cannot get them to connect to the VPN. I'm using the Ubuntu network-manager-openvpn GUI.

      When trying to set it up I create a new connection, use our WAN IP, select TLS+Auth, input my username, and set the password to always ask.
      User cert from pfSense Cert Manager>Certs>export my cert
      CA Cert from pfSense Cert Manager>CA's>export CA cert
      Private Key from pfsense Cert Manager>Certs>export my key

      I make the following changes in Advanced>Security:
      -Cipher AES-128-CBC
      -HMAC Auth SHA-1

      As these are what are in my config:

      
      dev tun
      persist-tun
      persist-key
      cipher AES-128-CBC
      auth SHA1
      tls-client
      client
      resolv-retry infinite
      remote our.ip 1194 udp
      lport 0
      verify-x509-name "www.oursite.com" name
      auth-user-pass
      pkcs12 pfsense-charter.firewall.hq-udp-1194-ipeek.p12
      tls-auth pfsense-charter.firewall.hq-udp-1194-ipeek-tls.key 1
      ns-cert-type server
      

      Under Advanced>General I select "Use Custom Gateway Port 1149"

      I save it, try and connect to it, and get the following in our pfSense OpenVPN logs

      
      pfsense-charter openvpn[22432]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.168.2.115:55163
      

      That is using the Network Manager GUI.

      I have also tried by command line from /etc/openvpn and this is what I get:

      
      Mon Apr 21 09:37:49 2014 OpenVPN 2.2.1 i686-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 13 2014
      Mon Apr 21 09:37:49 2014 WARNING: file 'login.conf' is group or others accessible
      Mon Apr 21 09:37:49 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
      Mon Apr 21 09:37:49 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
      Mon Apr 21 09:37:49 2014 WARNING: file 'Isaac+Peek.key' is group or others accessible
      Mon Apr 21 09:37:49 2014 WARNING: file 'VN_VPN-CA.key' is group or others accessible
      Mon Apr 21 09:37:49 2014 Control Channel Authentication: using 'VN_VPN-CA.key' as a free-form passphrase file
      Mon Apr 21 09:37:49 2014 LZO compression initialized
      Mon Apr 21 09:37:49 2014 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
      Mon Apr 21 09:37:49 2014 UDPv4 link local: [undef]
      Mon Apr 21 09:37:49 2014 UDPv4 link remote: [AF_INET]xx.xx.x.xxx:1194
      Mon Apr 21 09:38:49 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Mon Apr 21 09:38:49 2014 TLS Error: TLS handshake failed
      Mon Apr 21 09:38:49 2014 SIGUSR1[soft,tls-error] received, process restarting
      Mon Apr 21 09:38:51 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
      Mon Apr 21 09:38:51 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
      Mon Apr 21 09:38:51 2014 Re-using SSL/TLS context
      Mon Apr 21 09:38:51 2014 LZO compression initialized
      Mon Apr 21 09:38:51 2014 UDPv4 link local: [undef]
      Mon Apr 21 09:38:51 2014 UDPv4 link remote: [AF_INET]xx.xx.x.xxx:1194
      Mon Apr 21 09:39:52 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Mon Apr 21 09:39:52 2014 TLS Error: TLS handshake failed
      Mon Apr 21 09:39:52 2014 SIGUSR1[soft,tls-error] received, process restarting
      Mon Apr 21 09:39:54 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
      Mon Apr 21 09:39:54 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
      Mon Apr 21 09:39:54 2014 Re-using SSL/TLS context
      Mon Apr 21 09:39:54 2014 LZO compression initialized
      Mon Apr 21 09:39:54 2014 UDPv4 link local: [undef]
      Mon Apr 21 09:39:54 2014 UDPv4 link remote: [AF_INET]xx.xx.x.xxx:1194
      Mon Apr 21 09:40:54 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Mon Apr 21 09:40:54 2014 TLS Error: TLS handshake failed
      Mon Apr 21 09:40:54 2014 SIGUSR1[soft,tls-error] received, process restarting
      Mon Apr 21 09:40:56 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
      Mon Apr 21 09:40:56 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
      Mon Apr 21 09:40:56 2014 Re-using SSL/TLS context
      Mon Apr 21 09:40:56 2014 LZO compression initialized
      Mon Apr 21 09:40:56 2014 UDPv4 link local: [undef]
      Mon Apr 21 09:40:56 2014 UDPv4 link remote: [AF_INET]xx.xx.x.xxx:1194
      

      My Client config:

      
      client
      dev tun
      proto udp
      remote xx.xx.x.xxx 1194
      resolv-retry infinite
      nobind
      user nobody
      group nogroup
      persist-key
      persist-tun
      auth-user-pass login.conf
      ca VN_VPN-CA.crt
      cert Isaac+Peek.crt
      key  Isaac+Peek.key
      tls-auth VN_VPN-CA.key
      comp-lzo
      cipher AES-128-CBC
      pull dhcp-options
      

      My server config:

      
      dev ovpns1
      dev-type tun
      tun-ipv6
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-128-CBC
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      client-connect /usr/local/sbin/openvpn.attributes.sh
      client-disconnect /usr/local/sbin/openvpn.attributes.sh
      local xx.xx.x.xxx
      tls-server
      server 10.0.8.0 255.255.255.0
      client-config-dir /var/etc/openvpn-csc
      username-as-common-name
      auth-user-pass-verify /var/etc/openvpn/server1.php via-env
      tls-verify /var/etc/openvpn/server1.tls-verify.php
      lport 1194
      management /var/etc/openvpn/server1.sock unix
      max-clients 25
      push "route 192.168.2.0 255.255.255.0"
      client-to-client
      ca /var/etc/openvpn/server1.ca
      cert /var/etc/openvpn/server1.cert
      key /var/etc/openvpn/server1.key
      dh /etc/dh-parameters.1024
      tls-auth /var/etc/openvpn/server1.tls-auth 0
      persist-remote-ip
      float
      

      And finally here are the openvpn logs on the server:

      
      Apr 21 11:43:00	pfsense-charter openvpn[32526]: TLS Error: incoming packet authentication failed from [AF_INET]192.168.2.115:42349
      Apr 21 11:43:00	pfsense-charter openvpn[32526]: Authenticate/Decrypt packet error: packet HMAC authentication failed
      Apr 21 11:42:58	pfsense-charter openvpn[32526]: TLS Error: incoming packet authentication failed from [AF_INET]192.168.2.115:42349
      Apr 21 11:42:58	pfsense-charter openvpn[32526]: Authenticate/Decrypt packet error: packet HMAC authentication failed
      
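      The two server-side errors quoted above ("cannot locate HMAC in incoming packet" and "packet HMAC authentication failed") are what a tls-auth key or key-direction mismatch looks like from the server. The following is an added example, my own code rather than anything from this thread, pfSense or the OpenVPN project. It generates a constructed 2048-bit static key file in the "OpenVPN Static key V1" format, splits it the way I read OpenVPN's key2 layout (four 64-byte slots: cipher0, hmac0, cipher1, hmac1, with the first digest-size bytes of each HMAC slot used as the HMAC key), and shows how the direction argument of `tls-auth <file> [0|1]` decides which slot each side signs with and verifies against. The packet framing (tag || payload) is a simplification for illustration, not OpenVPN's real control-channel layout.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

KEY_SLOT = 64                      # bytes per cipher/HMAC slot (OpenVPN key2 layout, as I read it)
KEY_FILE_BYTES = 4 * KEY_SLOT      # cipher0 | hmac0 | cipher1 | hmac1 = 256 bytes = 2048 bits
DIGEST = hashlib.sha1              # the thread's `auth SHA1`; tls-auth uses the --auth digest
TAG_LEN = DIGEST().digest_size     # 20 bytes for SHA1


def generate_static_key_file() -> str:
    """Constructed stand-in for `openvpn --genkey --secret ta.key`: 256 random bytes,
    hex-encoded 16 bytes per line between the V1 markers."""
    raw = os.urandom(KEY_FILE_BYTES)
    body = "\n".join(raw[i:i + 16].hex() for i in range(0, KEY_FILE_BYTES, 16))
    return ("-----BEGIN OpenVPN Static key V1-----\n" + body +
            "\n-----END OpenVPN Static key V1-----\n")


def parse_static_key_file(text: str) -> bytes:
    """Extract the 256 raw key bytes from a V1 static key file."""
    m = re.search(r"-----BEGIN OpenVPN Static key V1-----(.*?)-----END OpenVPN Static key V1-----",
                  text, re.S)
    if not m:
        raise ValueError("no 'OpenVPN Static key V1' block found")
    raw = bytes.fromhex("".join(m.group(1).split()))
    if len(raw) != KEY_FILE_BYTES:
        raise ValueError(f"expected {KEY_FILE_BYTES} key bytes, got {len(raw)}")
    return raw


def hmac_keys_for_direction(raw: bytes, direction: Optional[int]) -> Tuple[bytes, bytes]:
    """(send_key, recv_key) as selected by `tls-auth <file> [direction]`.
    Direction 0: sign with HMAC slot 0, verify with slot 1. Direction 1: the inverse.
    Omitted direction: slot 0 in both directions on both peers."""
    hmac0 = raw[KEY_SLOT:2 * KEY_SLOT][:TAG_LEN]
    hmac1 = raw[3 * KEY_SLOT:4 * KEY_SLOT][:TAG_LEN]
    if direction is None:
        return hmac0, hmac0
    if direction == 0:
        return hmac0, hmac1
    if direction == 1:
        return hmac1, hmac0
    raise ValueError("key direction must be 0, 1 or omitted")


def seal(send_key: bytes, payload: bytes) -> bytes:
    """Simplified tls-auth framing: tag || payload (not OpenVPN's real packet layout)."""
    return hmac.new(send_key, payload, DIGEST).digest() + payload


def open_packet(recv_key: bytes, packet: bytes) -> Optional[bytes]:
    """Return the payload if the tag verifies, else None (the server's
    'packet HMAC authentication failed' case)."""
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(recv_key, payload, DIGEST).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def client_hello_accepted(server_key_file: str, server_dir: Optional[int],
                          client_key_file: str, client_dir: Optional[int]) -> bool:
    """Does the server's receive key verify what the client's send key produced?"""
    _, srv_recv = hmac_keys_for_direction(parse_static_key_file(server_key_file), server_dir)
    cli_send, _ = hmac_keys_for_direction(parse_static_key_file(client_key_file), client_dir)
    packet = seal(cli_send, b"constructed client control-channel packet")
    return open_packet(srv_recv, packet) is not None


if __name__ == "__main__":
    ta = generate_static_key_file()
    other = generate_static_key_file()
    cases = {
        "same key, server 0 / client 1 (the fix in the second post)": client_hello_accepted(ta, 0, ta, 1),
        "same key, server 0 / client direction omitted (client conf as posted)": client_hello_accepted(ta, 0, ta, None),
        "same key, server 0 / client 0": client_hello_accepted(ta, 0, ta, 0),
        "different key, server 0 / client 1": client_hello_accepted(ta, 0, other, 1),
    }
    for name, ok in cases.items():
        print(f"{'ACCEPTED' if ok else 'REJECTED':8s}  {name}")
```

      Only the first case verifies: the server with direction 0 checks incoming packets against HMAC slot 1, so a client that omits the direction (signing with slot 0) or uses a different key file is rejected before any TLS handshake starts, which is why the client side only sees "TLS key negotiation failed to occur within 60 seconds".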
      Ipeek

        This can be closed.

        My problem was with the TLS-Auth key. I did have the wrong one. Once I edited the key and added the 1 behind it in my conf it resolved the problem.

        As for the GUI, it too works. I needed to go into the Advanced settings and enable TLS-Auth and choose my key. It now works like a charm.

        Thanks for the help Jimp.

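        The fix described in the second post (server `tls-auth ... 0`, client `tls-auth ... 1`, and TLS-Auth actually enabled on the client) is a consistency requirement between the two configs that can be checked before a tunnel is ever started. The following is an added example, my own code rather than anything from this thread, pfSense or OpenVPN: a small linter over a client and a server config that flags a missing or non-complementary tls-auth key direction and mismatched cipher/auth/proto settings, run over constructed excerpts of the configs posted above. Where a directive is absent it assumes the OpenVPN 2.2-era defaults (cipher BF-CBC, auth SHA1).

```python
from typing import Dict, List

# Constructed excerpts of the configs posted in this thread (unrelated directives dropped).
SERVER_CONF = """\
proto udp
cipher AES-128-CBC
tls-server
tls-auth /var/etc/openvpn/server1.tls-auth 0
"""

CLIENT_CONF_AS_POSTED = """\
client
proto udp
comp-lzo
cipher AES-128-CBC
tls-auth VN_VPN-CA.key
"""

# The second post's fix: key direction 1 on the client side of the same key file.
CLIENT_CONF_FIXED = CLIENT_CONF_AS_POSTED.replace("tls-auth VN_VPN-CA.key",
                                                  "tls-auth VN_VPN-CA.key 1")

Directives = Dict[str, List[List[str]]]


def parse_conf(text: str) -> Directives:
    """Map each directive to the list of argument lists it appears with."""
    out: Directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line or line.startswith(";"):
            continue
        name, *args = line.split()
        out.setdefault(name, []).append(args)
    return out


def single_value(conf: Directives, name: str, default: str) -> str:
    """First argument of a directive, or the assumed default when it is absent."""
    if conf.get(name) and conf[name][0]:
        return conf[name][0][0]
    return default


def tls_auth_direction(conf: Directives) -> str:
    """'absent' if tls-auth is not configured, 'omitted' if given without a
    direction, otherwise the direction as '0' or '1'."""
    if "tls-auth" not in conf:
        return "absent"
    args = conf["tls-auth"][0]
    return args[1] if len(args) > 1 else "omitted"


def lint(server_text: str, client_text: str) -> List[str]:
    """Return ERROR/WARNING findings for settings that must agree between peers."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    findings: List[str] = []

    sd, cd = tls_auth_direction(s), tls_auth_direction(c)
    if (sd == "absent") != (cd == "absent"):
        findings.append("ERROR: tls-auth is enabled on one side only")
    elif sd != "absent":
        complementary = (sd == cd == "omitted") or {sd, cd} == {"0", "1"}
        if not complementary:
            findings.append(f"ERROR: tls-auth key direction mismatch: server {sd}, client {cd} "
                            "(expected server 0 / client 1, or omitted on both)")

    for name, default in (("cipher", "BF-CBC"), ("auth", "SHA1"), ("proto", "udp")):
        sv, cv = single_value(s, name, default), single_value(c, name, default)
        if sv.lower() != cv.lower():
            findings.append(f"ERROR: {name} mismatch: server {sv}, client {cv}")

    if ("comp-lzo" in s) != ("comp-lzo" in c):
        findings.append("WARNING: comp-lzo is set on one side only")
    return findings


if __name__ == "__main__":
    for label, client in (("as posted", CLIENT_CONF_AS_POSTED), ("fixed", CLIENT_CONF_FIXED)):
        print(f"--- client config {label} ---")
        for finding in lint(SERVER_CONF, client) or ["OK: no findings"]:
            print(finding)
```

        Against the client config as first posted the linter reports the key-direction mismatch that the second post identifies as the root cause; with the `1` added only the comp-lzo warning remains (the posted client config has `comp-lzo` while the server config does not).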
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.