Bug with OpenVPN Export 1.2.6



  • Just set up a new alix kit at a client and went to install OpenVPN as we've done dozens of times before.  Using v2.1.2nano bsd and Viscosity 1.4.8 on Mavericks (and Mountain Lion) we get this error when trying to connect:

    Apr 22 06:44:30: Checking reachability status of connection…
    Apr 22 06:44:30: Connection is reachable. Starting connection attempt.
    Options error: --tls-auth fails with 'ta.key': No such file or directory
    Options error: Please correct these errors.

    The OpenVPN subsystem could not be started. Please check the following:

    • Check for any error messages above this notification.
    • Make sure Viscosity is not running under a File Vault protected location (put Viscosity in the Applications folder).
    • Make sure the configuration is valid. Check the connection settings for the connection using Viscosity and make sure all settings are correct.

    Now, I've got 6 other OpenVPN connections and they all have the ta.key file except this newly created one.  I've gone through the wizard three times now with the same effect.

    I took a working OpenVPN setup running Export 1.2.5 and successfully exported a working viscosity bundle, but when I upgraded to the OpenVPN Export 1.2.6 that's where the problem started.

    I have now replicated this bug on another install of pfSense 2.1.2.  I had 1.2.5 of the OpenVPN export package installed and could export a working Viscosity bundle, and then I upgraded to v1.2.6 and re-exported and the resulting bundle did not work.

    Thanks.


  • Rebel Alliance Developer Netgate

    We'll look into it. In the meantime, use the "other" inline export option and that should work fine for importing to Viscosity.


  • Rebel Alliance Developer Netgate

    Using the latest version of the export package I exported a viscosity config and it contained the ta.key file and the line referencing the ta.key.

    Try removing and reinstalling the package. If that does not help, we'll need some more info about the config to track it down.

    Looking at the code it all looks correct, at least for version 1.2.6. Before that there was a bug in the Viscosity export but it wasn't related to the TLS key as far as I can see.



  • I removed and reinstalled the package and still get the same error.  I did get the "others" link to work so that's fine for now.


  • Rebel Alliance Developer Netgate

    You might make sure to remove the file from your download folder and clear your browser cache and then try it again. Or try downloading from another browser.



  • The issue with the Viscosity export was only in the offset of the variables at the end, impacting the OpenVPN Manager and custom options fields. I verified the TLS key functionality in 1.2.6 at the time that was fixed, and again now. It works fine. I'd go with Jim's last recommendation next.



  • Hi,

    I am having the same issue (Viscosity config does not work but the Other inline option does).

    If it helps, this is the log for the Viscosity config file:

    Apr 23 09:12:36: Viscosity Mac 1.4.6 (1156)
    Apr 23 09:12:36: Viscosity OpenVPN Engine Started
    Apr 23 09:12:36: Running on Mac OS X 10.9.2
    Apr 23 09:12:36: –-------
    Apr 23 09:12:36: Checking reachability status of connection...
    Apr 23 09:12:36: Connection is reachable. Starting connection attempt.
    Options error: --tls-auth fails with 'ta.key': No such file or directory
    Options error: Please correct these errors.

    The OpenVPN subsystem could not be started. Please check the following:

    • Check for any error messages above this notification.
    • Make sure Viscosity is not running under a File Vault protected location (put Viscosity in the Applications folder).
    • Make sure the configuration is valid. Check the connection settings for the connection using Viscosity and make sure all settings are correct.

    Thanks

    James


  • Rebel Alliance Developer Netgate

    @scolland - Are you on version 1.2.6 of the export package? If so, does your server actually have TLS Authentication enabled?

    I still can't reproduce any problem with the current package. The ta.key is in the archive as it should be.



  • I'm having the same problem with the Viscosity export.

    Version 1.2.6 of the export package.

    Yes, the server has TLS Authentication enabled.

    The exported Viscosity package does contain the ta.key, but it looks like it can't be read in by the client.  ??


  • Rebel Alliance Developer Netgate

    Does the ta.key in the file have anything in it? Is it the right ta.key?



  • @jimp:

    Does the ta.key in the file have anything in it? Is it the right ta.key?

    It's there.  The ta.key in the bundle is identical to the one in the server config page.  Also the same as the one in the "others" export which does work in Viscosity.

    FWIW, the Viscosity client is 1.4.8 (1162).  May be a client-side issue.



  • I found the problem with the Viscosity bundle created by the Client Export.

    This is how it should look (based on the export of a working profile from the Viscosity client)

    ca ca.crt
    tls-auth ta.key 1
    cert cert.crt
    key key.key
    

    Here is what the pfSense bundle has

    
    tls-auth pfsense-udp-1194-username-tls.key  <<-----
    ca ca.crt
    tls-auth ta.key 1
    cert cert.crt
    key key.key
    

    If I remove the erroneous tls-auth line (the first one) from the config.conf in the bundle, everything works correctly.
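
A check for the kind of bundle defect described in the post above, as an added example that is not part of the original thread or of the pfSense export package: it reports file-referencing directives that are declared more than once or that point at a file missing from the bundle. It assumes the bundle is unpacked to a directory with `config.conf` beside the key files and that the first `tls-auth` file is absent from it; the function names and the sample bundle are constructed for illustration.

```python
import os
import tempfile

# Directives whose first argument names a file shipped next to config.conf.
FILE_DIRECTIVES = {"ca", "cert", "key", "tls-auth"}

def audit_config(conf_text, bundle_files):
    """Return (missing, duplicates) found in an OpenVPN client config."""
    missing, lines_by_directive = [], {}
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split()
        # Skip blanks, comment lines and anything that is not a file directive.
        if not tokens or tokens[0][0] in "#;" or tokens[0] not in FILE_DIRECTIVES:
            continue
        lines_by_directive.setdefault(tokens[0], []).append(line_no)
        if len(tokens) > 1 and tokens[1] not in bundle_files:
            missing.append((line_no, tokens[0], tokens[1]))
    duplicates = {d: n for d, n in lines_by_directive.items() if len(n) > 1}
    return missing, duplicates

def audit_bundle(bundle_dir, conf_name="config.conf"):
    """Audit an unpacked bundle directory (layout is an assumption)."""
    with open(os.path.join(bundle_dir, conf_name), encoding="utf-8") as fh:
        conf_text = fh.read()
    return audit_config(conf_text, set(os.listdir(bundle_dir)))

# Constructed sample reproducing the broken export quoted in the post.
BROKEN_CONF = """\
tls-auth pfsense-udp-1194-username-tls.key
ca ca.crt
tls-auth ta.key 1
cert cert.crt
key key.key
"""

def demo():
    """Build a throwaway bundle with empty placeholder key files and audit it."""
    with tempfile.TemporaryDirectory() as bundle:
        for name in ("ca.crt", "ta.key", "cert.crt", "key.key"):
            open(os.path.join(bundle, name), "w").close()
        with open(os.path.join(bundle, "config.conf"), "w", encoding="utf-8") as fh:
            fh.write(BROKEN_CONF)
        return audit_bundle(bundle)

if __name__ == "__main__":
    missing, duplicates = demo()
    print("missing files:", missing)
    print("duplicate directives:", duplicates)
```

Running `audit_bundle` on an export before handing it to users catches a stray or duplicated `tls-auth` line without having to start the client.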


  • Rebel Alliance Developer Netgate

    OK, that should be much easier to track down. I'll check on it from that angle.


  • Rebel Alliance Developer Netgate

    Pushed a fix. Be on the lookout for 1.2.9



  • @jimp:

    Pushed a fix. Be on the lookout for 1.2.9

    That works.  Thanks!  :)



  • I was just coming back after taking some time off of work and going to post something.  Thanks for fixing this guys!