Bug with OpenVPN Export 1.2.6

rugby

Just setup a new alix kit at a client and went to install OpenVPN as we've done dozens of times before.  Using v2.1.2nano bsd and Viscosity 1.4.8 on Mavericks (and Mountain Lion) we get this error when trying to connect:

Apr 22 06:44:30: Checking reachability status of connection…
Apr 22 06:44:30: Connection is reachable. Starting connection attempt.
Options error: --tls-auth fails with 'ta.key': No such file or directory
Options error: Please correct these errors.

The OpenVPN subsystem could not be started. Please check the following:

• Check for any error messages above this notification.
• Make sure Viscosity is not running under a File Vault protected location (put Viscosity in the Applications folder).
• Make sure the configuration is valid. Check the connection settings for the connection using Viscosity and make sure all settings are correct.

Now, I've got 6 other OpenVPN connections and they all have the ta.key file except this newly created one.  I've gone through the wizard three times now with the same affect.

I took a working OpenVPN setup running Export 1.2.5 and successfully exported a working viscosity bundle, but when I upgraded to the OpenVPN Export 1.2.6 that's where the problem started.

I have now replicated this bug on another install of PFSense 2.1.2.  I had 1.2.5 of the OpenVPN export package installed and could export a working Viscosity bundle, and then I upgraded to v1.2.6 and re-exported and the resulting bundle did not work.

Thanks.

jimp

We'll look into it. In the meantime, use the "other" inline export option and that should work fine for importing to Viscosity.

jimp

Using the latest version of the export package I exported a viscosity config and it contained the ta.key file and the line referencing the ta.key.

Try removing and reinstalling the package. If that does not help, we'll need some more info about the config to track it down.

Looking at the code it all looks correct, at least for version 1.2.6. Before that there was a bug in the Viscosity export but it wasn't related to the TLS key as far as I can see.

rugby

I removed and reinstalled the package and still get the same error.  I did get the "others" link to work so that's fine for now.

jimp

You might make sure to remove the file from your download folder and clear your browser cache and then try it again. Or try downloading from another browser.

cmb

The issue with the Viscosity export was only in the offset of the variables at the end, impacting the OpenVPN Manager and custom options fields. I verified the TLS key functionality in 1.2.6 at the time that was fixed, and again now. It works fine. I'd go with Jim's last recommendation next.

scolland

Hi,

I am having the same issue (Viscosity config does not work but the Other inline option does).

If it helps, this is the log for the Viscosity config file:

Apr 23 09:12:36: Viscosity Mac 1.4.6 (1156)
Apr 23 09:12:36: Viscosity OpenVPN Engine Started
Apr 23 09:12:36: Running on Mac OS X 10.9.2
Apr 23 09:12:36: –-------
Apr 23 09:12:36: Checking reachability status of connection...
Apr 23 09:12:36: Connection is reachable. Starting connection attempt.
Options error: --tls-auth fails with 'ta.key': No such file or directory
Options error: Please correct these errors.

The OpenVPN subsystem could not be started. Please check the following:

• Check for any error messages above this notification.
• Make sure Viscosity is not running under a File Vault protected location (put Viscosity in the Applications folder).
• Make sure the configuration is valid. Check the connection settings for the connection using Viscosity and make sure all settings are correct.

Thanks

James

jimp

@scolland - Are you on version 1.2.6 of the export package? If so, does your server actually have TLS Authentication enabled?

I still can't reproduce any problem with the current package. The ta.key is in the archive as it should be.

priller

I'm having the same problem with the Viscosity export.

Version 1.2.6 of the export package.

Yes, the server has TLS Authentication enabled.

The exported Viscosity package does contain the ta.key, but it looks like it can't be read in by the client.  ??

jimp

Does the ta.key in the file have anything in it? Is it the right ta.key?

priller

@jimp:

Does the ta.key in the file have anything in it? Is it the right ta.key?

It's there.  The ta.key in the bundle is identical to the one in the server config page.  Also the same as the one in the "others" export which does work in Viscosity.

FWIW, the Viscosity client is 1.4.8 (1162).  May be client-side issue.

priller

I found the problem with the Viscosity bundle created by the Client Export.

This is how it should look (based on the export of a working profile from the Viscosity client)

ca ca.crt
tls-auth ta.key 1
cert cert.crt
key key.key

Here is what the pfSense bundle has

tls-auth pfsense-udp-1194-username-tls.key  <<-----
ca ca.crt
tls-auth ta.key 1
cert cert.crt
key key.key

If I remove the erroneous tls-auth line (the first one) from the config.conf in the bundle, everything works correctly.

jimp

OK, that should be much easier to track down. I'll check on it from that angle.

jimp

Pushed a fix. Be on the lookout for 1.2.9

priller

@jimp:

Pushed a fix. Be on the lookout for 1.2.9

That works.  Thanks!  :)

rugby

I was just coming back after taking some time off of work and going to post something.  Thanks for fixing this guys!