[SOLVED] pfSense w/OpenVPN; Ubuntu Clients
-
I'm relatively new to this whole thing but let me give you a rundown of what's going on.
pfSense server with OVPN running. Windows users can connect just fine. Mac users can connect just fine. The connection is TLS+Auth.
I'm working on setting up some laptops with Ubuntu for some remote users and I cannot get them to connect to the VPN. I'm using the Ubuntu network-manager-openvpn GUI.
When trying to set it up I create a new connection, use our WAN IP, Select TLS+Auth, input my username, set password to always ask.
User cert from pfSense Cert Manager>Certs>export my cert
CA Cert from pfSense Cert Manager>CA's>export CA cert
Private Key from pfSense Cert Manager>Certs>export my key
I make the following changes in Advanced>Security:
- Cipher AES-128-CBC
- HMAC Auth SHA-1
as these are what are in my config:
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote our.ip 1194 udp
lport 0
verify-x509-name "www.oursite.com" name
auth-user-pass
pkcs12 pfsense-charter.firewall.hq-udp-1194-ipeek.p12
tls-auth pfsense-charter.firewall.hq-udp-1194-ipeek-tls.key 1
ns-cert-type server
Under Advanced>General I select "Use Custom Gateway Port 1149"
I save it, try to connect, and get the following in our pfSense OpenVPN logs:
pfsense-charter openvpn[22432]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.168.2.115:55163
That is using the Network-Manager GUI.
I have also tried from the command line in /etc/openvpn and this is what I get:
Mon Apr 21 09:37:49 2014 OpenVPN 2.2.1 i686-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 13 2014
Mon Apr 21 09:37:49 2014 WARNING: file 'login.conf' is group or others accessible
Mon Apr 21 09:37:49 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Apr 21 09:37:49 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Apr 21 09:37:49 2014 WARNING: file 'Isaac+Peek.key' is group or others accessible
Mon Apr 21 09:37:49 2014 WARNING: file 'VN_VPN-CA.key' is group or others accessible
Mon Apr 21 09:37:49 2014 Control Channel Authentication: using 'VN_VPN-CA.key' as a free-form passphrase file
Mon Apr 21 09:37:49 2014 LZO compression initialized
Mon Apr 21 09:37:49 2014 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Mon Apr 21 09:37:49 2014 UDPv4 link local: [undef]
Mon Apr 21 09:37:49 2014 UDPv4 link remote: [AF_INET]xx.xx.x.xxx:1194
Mon Apr 21 09:38:49 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 21 09:38:49 2014 TLS Error: TLS handshake failed
Mon Apr 21 09:38:49 2014 SIGUSR1[soft,tls-error] received, process restarting
Mon Apr 21 09:38:51 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Apr 21 09:38:51 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Apr 21 09:38:51 2014 Re-using SSL/TLS context
Mon Apr 21 09:38:51 2014 LZO compression initialized
Mon Apr 21 09:38:51 2014 UDPv4 link local: [undef]
Mon Apr 21 09:38:51 2014 UDPv4 link remote: [AF_INET]xx.xx.x.xxx:1194
Mon Apr 21 09:39:52 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 21 09:39:52 2014 TLS Error: TLS handshake failed
Mon Apr 21 09:39:52 2014 SIGUSR1[soft,tls-error] received, process restarting
Mon Apr 21 09:39:54 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Apr 21 09:39:54 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Apr 21 09:39:54 2014 Re-using SSL/TLS context
Mon Apr 21 09:39:54 2014 LZO compression initialized
Mon Apr 21 09:39:54 2014 UDPv4 link local: [undef]
Mon Apr 21 09:39:54 2014 UDPv4 link remote: [AF_INET]xx.xx.x.xxx:1194
Mon Apr 21 09:40:54 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 21 09:40:54 2014 TLS Error: TLS handshake failed
Mon Apr 21 09:40:54 2014 SIGUSR1[soft,tls-error] received, process restarting
Mon Apr 21 09:40:56 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Apr 21 09:40:56 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Apr 21 09:40:56 2014 Re-using SSL/TLS context
Mon Apr 21 09:40:56 2014 LZO compression initialized
Mon Apr 21 09:40:56 2014 UDPv4 link local: [undef]
Mon Apr 21 09:40:56 2014 UDPv4 link remote: [AF_INET]xx.xx.x.xxx:1194
My Client config:
client
dev tun
proto udp
remote xx.xx.x.xxx 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
auth-user-pass login.conf
ca VN_VPN-CA.crt
cert Isaac+Peek.crt
key Isaac+Peek.key
tls-auth VN_VPN-CA.key
comp-lzo
cipher AES-128-CBC
pull dhcp-options
My server config:
dev ovpns1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local xx.xx.x.xxx
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 25
push "route 192.168.2.0 255.255.255.0"
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float
And finally here are the OpenVPN logs on the server:
Apr 21 11:43:00 pfsense-charter openvpn[32526]: TLS Error: incoming packet authentication failed from [AF_INET]192.168.2.115:42349
Apr 21 11:43:00 pfsense-charter openvpn[32526]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Apr 21 11:42:58 pfsense-charter openvpn[32526]: TLS Error: incoming packet authentication failed from [AF_INET]192.168.2.115:42349
Apr 21 11:42:58 pfsense-charter openvpn[32526]: Authenticate/Decrypt packet error: packet HMAC authentication failed
-
This can be closed.
My problem was with the TLS-Auth key. I did have the wrong one. Once I edited the key and added the 1 behind it in my conf, it resolved the problem.
As for the GUI, it too works. I needed to go into the Advanced settings and enable TLS-Auth and choose my key. It now works like a charm.
Thanks for the help Jimp.
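The two server log messages in this thread map to two distinct client-side mistakes: "cannot locate HMAC in incoming packet" means the client sent packets with no tls-auth HMAC at all (tls-auth not enabled in the GUI), while "packet HMAC authentication failed" means the client did send an HMAC but computed it with the wrong static key or the wrong key direction (the server has `tls-auth ... 0`, so the client needs `1`). The script below is an added example, not code from the thread or from pfSense: it parses server and client OpenVPN configs, checks that tls-auth is present on both sides with complementary directions, that cipher and auth agree, and that the two static key files carry the same key material. All config text and key files in it are constructed for the example (the key bodies are not real keys).

```python
"""Consistency checks for an OpenVPN tls-auth setup (added example)."""
import hashlib
import re
import shlex

STATIC_KEY_RE = re.compile(
    r"-----BEGIN OpenVPN Static key V1-----(.*?)-----END OpenVPN Static key V1-----",
    re.S,
)


def parse_config(text):
    """Parse OpenVPN config text into {option: [args]}.

    One directive per line; '#' comments are dropped and quoted arguments
    such as push "route 192.168.2.0 255.255.255.0" stay one argument.
    """
    opts = {}
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if parts:
            opts[parts[0]] = parts[1:]
    return opts


def static_key_fingerprint(key_text):
    """Validate an 'OpenVPN Static key V1' file and return SHA-256 of the raw key.

    The V1 format carries a 2048-bit key: 256 bytes = 512 hex digits between
    the BEGIN/END markers. '#' comment lines before BEGIN are ignored.
    """
    m = STATIC_KEY_RE.search(key_text)
    if not m:
        raise ValueError("no 'OpenVPN Static key V1' block found")
    hexdata = "".join(m.group(1).split())
    if len(hexdata) != 512 or not re.fullmatch(r"[0-9a-fA-F]+", hexdata):
        raise ValueError("static key body must be 512 hex digits (256 bytes)")
    return hashlib.sha256(bytes.fromhex(hexdata)).hexdigest()


def _direction(opts):
    """Key direction from 'tls-auth <file> <dir>' or a separate 'key-direction <dir>'."""
    args = opts.get("tls-auth", [])
    if len(args) >= 2:
        return args[1]
    kd = opts.get("key-direction")
    return kd[0] if kd else None


def check_tls_auth(server_cfg, client_cfg, server_key=None, client_key=None):
    """Return a list of findings explaining why the handshake would fail; empty means consistent."""
    s, c = parse_config(server_cfg), parse_config(client_cfg)
    findings = []
    if "tls-auth" not in s:
        return ["server: tls-auth not configured; nothing to compare"]
    if "tls-auth" not in c:
        return ["client: tls-auth missing; server will log "
                "'cannot locate HMAC in incoming packet'"]
    # Directions must be complementary (0/1); a key used without a direction is
    # bidirectional and then both sides must omit it.
    sd, cd = _direction(s), _direction(c)
    complement = {"0": "1", "1": "0"}
    if sd in complement:
        if cd != complement[sd]:
            findings.append(f"key direction: server uses {sd}, client must use "
                            f"{complement[sd]} (got {cd!r})")
    elif cd is not None:
        findings.append("key direction: server key is bidirectional, "
                        "client must omit the direction too")
    # OpenVPN 2.x defaults when the directive is absent: cipher BF-CBC, auth SHA1.
    for opt, default in (("cipher", "BF-CBC"), ("auth", "SHA1")):
        sv, cv = s.get(opt, [default])[0], c.get(opt, [default])[0]
        if sv.upper() != cv.upper():
            findings.append(f"{opt} mismatch: server {sv}, client {cv}")
    if server_key is not None and client_key is not None:
        if static_key_fingerprint(server_key) != static_key_fingerprint(client_key):
            findings.append("tls-auth key material differs; server will log "
                            "'packet HMAC authentication failed'")
    return findings


def _fake_static_key(seed):
    """Constructed 'OpenVPN Static key V1' file for the demo; not a real key."""
    hexdata = "".join(hashlib.sha256(f"{seed}{i}".encode()).hexdigest() for i in range(8))
    body = "\n".join(hexdata[i:i + 32] for i in range(0, 512, 32))
    return ("#\n# constructed demo key\n#\n-----BEGIN OpenVPN Static key V1-----\n"
            f"{body}\n-----END OpenVPN Static key V1-----\n")


# Constructed configs mirroring the thread: the server has 'tls-auth ... 0';
# the broken client has no direction and points at a file that is not the
# server's tls-auth key; the fixed client uses the right file with direction 1.
SERVER_CFG = "dev tun\nproto udp\ncipher AES-128-CBC\ntls-server\n" \
             "tls-auth /var/etc/openvpn/server1.tls-auth 0\n" \
             'push "route 192.168.2.0 255.255.255.0"\n'
BROKEN_CLIENT_CFG = "client\ndev tun\nproto udp\ncipher AES-128-CBC\ntls-auth VN_VPN-CA.key\n"
FIXED_CLIENT_CFG = "client\ndev tun\nproto udp\ncipher AES-128-CBC\ntls-auth ta.key 1\n"
SERVER_KEY = _fake_static_key("server")
WRONG_KEY = _fake_static_key("some-other-file")

if __name__ == "__main__":
    for name, cfg, key in (("broken", BROKEN_CLIENT_CFG, WRONG_KEY),
                           ("fixed", FIXED_CLIENT_CFG, SERVER_KEY)):
        print(name, check_tls_auth(SERVER_CFG, cfg, SERVER_KEY, key) or ["ok"])
```

To run it against a real deployment, read the two config files and the two static key files from disk and pass their contents to `check_tls_auth`; the fingerprint comparison lets you confirm the client has the server's tls-auth key without copying the key itself into a ticket or chat.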