PFSense to Witopia



  • I am trying pfSense out with different VPN Service providers and I am working on Witopia.

    It is really challenging my knowledge of pfSense and OpenVPN.

    General pfSense OpenVPN questions:
    1. If I choose an option in the GUI, do I have to specify it in the Advanced options section? For example,
    'Server host or Address' is a field in the GUI, but can I specify others by using the advanced options box? For example: server vpn1.address.com; server2.address.com ?

    2. In the "TLS Authentication Section", is the key in the file "ta.key" supposed to go there?

    3. I have been getting the following output from the logs:

    Jan 16 21:59:53 openvpn[27848]: event_wait : Interrupted system call (code=4)
    Jan 16 21:59:53 openvpn[27848]: SIGTERM[hard,] received, process exiting
    Jan 16 21:59:53 openvpn[23185]: OpenVPN 2.3.3 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
    Jan 16 21:59:53 openvpn[23185]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
    Jan 16 21:59:53 openvpn[23185]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 16 21:59:53 openvpn[23185]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
    Jan 16 21:59:53 openvpn[23446]: UDPv4 link local (bound): [AF_INET]XXX.XXX.1.122
    Jan 16 21:59:53 openvpn[23446]: UDPv4 link remote: [AF_INET]XXX.XXX.XXX.140:1194
    Jan 16 21:59:53 openvpn[23446]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.XXX.140:1194
    Jan 16 21:59:55 openvpn[23446]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.XXX.140:1194

    I am not sure why I am getting the warning or the HMAC error. I cut and pasted the data in the ta.key file into the TLS Authentication box in the pfSense client settings.

    Any help would be appreciated.



    • Yes, you can specify a set of servers there using the following format:

      remote

      for example

      remote vpn-1.contoso.com 9999 udp
      remote vpn-2.contoso.com 8888 tcp

    • That's right. You should paste contents of ta.key there as is.

    • The reason could be:

      • Invalid TLS auth key

      • Wrong digest algo is set

      • Network is incorrectly configured on the server

      • Time issue

    I suggest you increase the verbosity level to 3 and post a clean, untouched log here again. Clear the logs beforehand.

    P.S.: a client config would be nice.
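
What a list of several `remote` entries actually does at run time, as an added example that is not part of Dmitriy's post or of Witopia's config: OpenVPN connects to one server at a time, works through the entries in order, and moves to the next one when a connection attempt fails or an established session drops. The hostnames and ports are the placeholders used above; `remote-random`, `resolv-retry` and `server-poll-timeout` are standard OpenVPN 2.x client directives. In pfSense the GUI's host field already produces one `remote` line of its own, and the text in the Advanced box is appended after it.

```conf
# Fail-over list for the pfSense OpenVPN client "Advanced configuration" box
# (added example, placeholder hostnames). Only one remote is connected at a
# time; the others are tried in turn when it fails or drops.
remote vpn-1.contoso.com 9999 udp
remote vpn-2.contoso.com 8888 tcp

# Keep retrying DNS instead of exiting when a name lookup fails during fail-over.
resolv-retry infinite

# Seconds to wait for a server to answer before moving on to the next remote;
# without it a silent UDP server holds up the round-robin for the full
# hand-shake timeout.
server-poll-timeout 10

# Optional: start at a random entry so several clients spread across servers.
remote-random
```

Each `remote` may carry its own port and protocol, so the list can mix a UDP primary with a TCP fall-back on a different port; where per-server options beyond host/port/proto differ, OpenVPN's `<connection>` blocks are the per-remote form of the same list.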



  • @Dmitriy:

    Could I, as the eternal noob, ask what happens next? I mean, there is only one server it connects to at a time, right? So what does adding two servers do?



  • Jingles, I think adding two servers will allow the client to use the second one if the first one isn't working.

    Dmitriy,

    I am reviewing their client config file; they don't specify a digest algorithm. They provide the following:

    client
    dev tun
    proto udp
    remote [REPLACE WITH SERVER NAME] 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ns-cert-type server
    cipher bf-cbc
    comp-lzo
    verb 3
    mute 20
    ca ca.crt
    mssfix 1300
    key CN1.key
    cert CN2.crt
    #tls-auth ta.key 1

    Since I am using pfSense, I don't need to specify the path for the files, since pfSense allows me to put the certs in the certificate authority and load the TLS key in the GUI. Right?

    I changed the verbosity to 4 and got this:
    Jan 20 18:19:21 openvpn[84390]: real_hash_size = 256
    Jan 20 18:19:21 openvpn[84390]: virtual_hash_size = 256
    Jan 20 18:19:21 openvpn[84390]: client_connect_script = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: learn_address_script = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: client_disconnect_script = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: client_config_dir = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: ccd_exclusive = DISABLED
    Jan 20 18:19:21 openvpn[84390]: tmp_dir = '/tmp'
    Jan 20 18:19:21 openvpn[84390]: push_ifconfig_defined = DISABLED
    Jan 20 18:19:21 openvpn[84390]: push_ifconfig_local = 0.0.0.0
    Jan 20 18:19:21 openvpn[84390]: push_ifconfig_remote_netmask = 0.0.0.0
    Jan 20 18:19:21 openvpn[84390]: push_ifconfig_ipv6_defined = DISABLED
    Jan 20 18:19:21 openvpn[84390]: push_ifconfig_ipv6_local = ::/0
    Jan 20 18:19:21 openvpn[84390]: push_ifconfig_ipv6_remote = ::
    Jan 20 18:19:21 openvpn[84390]: enable_c2c = DISABLED
    Jan 20 18:19:21 openvpn[84390]: duplicate_cn = DISABLED
    Jan 20 18:19:21 openvpn[84390]: cf_max = 0
    Jan 20 18:19:21 openvpn[84390]: cf_per = 0
    Jan 20 18:19:21 openvpn[84390]: max_clients = 1024
    Jan 20 18:19:21 openvpn[84390]: max_routes_per_client = 256
    Jan 20 18:19:21 openvpn[84390]: auth_user_pass_verify_script = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: auth_user_pass_verify_script_via_file = DISABLED
    Jan 20 18:19:21 openvpn[84390]: port_share_host = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: port_share_port = 0
    Jan 20 18:19:21 openvpn[84390]: client = ENABLED
    Jan 20 18:19:21 openvpn[84390]: pull = ENABLED
    Jan 20 18:19:21 openvpn[84390]: auth_user_pass_file = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: OpenVPN 2.3.3 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
    Jan 20 18:19:21 openvpn[84390]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
    Jan 20 18:19:21 openvpn[84390]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
    Jan 20 18:19:21 openvpn[84390]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 20 18:19:21 openvpn[84390]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
    Jan 20 18:19:21 openvpn[84390]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 20 18:19:21 openvpn[84390]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 20 18:19:21 openvpn[84390]: LZO compression initialized
    Jan 20 18:19:21 openvpn[84390]: Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Jan 20 18:19:21 openvpn[84390]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    Jan 20 18:19:21 openvpn[84390]: Data Channel MTU parms [ L:1542 D:1300 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Jan 20 18:19:21 openvpn[84390]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    Jan 20 18:19:21 openvpn[84390]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    Jan 20 18:19:21 openvpn[84390]: Local Options hash (VER=V4): '504e774e'
    Jan 20 18:19:21 openvpn[84390]: Expected Remote Options hash (VER=V4): '14168603'
    Jan 20 18:19:21 openvpn[84425]: UDPv4 link local (bound): [AF_INET]XXX.XXX.1.222
    Jan 20 18:19:21 openvpn[84425]: UDPv4 link remote: [AF_INET]XXX.XXX.111.111:1194
    Jan 20 18:19:21 openvpn[84425]: TLS: Initial packet from [AF_INET]XXX.XXX.111.111:1194, sid=2dbd86cf 06dd0388
    Jan 20 18:19:21 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.111.111:1194
    Jan 20 18:19:23 openvpn[84425]: TLS: Initial packet from [AF_INET]XXX.XXX.111.111:1194, sid=2dbd86cf 06dd0388
    Jan 20 18:19:23 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.111.111:1194
    Jan 20 18:19:27 openvpn[84425]: TLS: Initial packet from [AF_INET]XXX.XXX.111.111:1194, sid=2dbd86cf 06dd0388
    Jan 20 18:19:27 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.111.111:1194

    The only places I think may be wrong are the bolded.

    Thanks for any help. Also, when posting, what info should I take out or clean? Just the IP addresses?
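
The checks behind Dmitriy's list ("invalid TLS auth key", "wrong digest") and behind the `keydir 1` / `auth SHA1` / `tls-auth` values in the log above, written out as an added Python example that is not code from this thread, from pfSense or from OpenVPN. It validates a pasted static key the way a mangled GUI paste would fail, shows which bytes each key-direction uses for outgoing and incoming HMAC (the layout of OpenVPN 2.3's two-key file is an assumption stated in the code), simulates the check that produces "cannot locate HMAC", and runs a small triage over constructed log lines of the same shape as the ones posted. The sample key is `bytes(range(256))`, not a real key, and the sample log is constructed.

```python
"""Triage helper for OpenVPN's "TLS Error: cannot locate HMAC in incoming packet".
Added example, not code from the thread, pfSense or OpenVPN: it checks that a
pasted tls-auth key is well formed, shows which bytes each key-direction uses
for outgoing/incoming HMAC, and flags the error in the client's own log."""
import hmac
import re

KEY_HEADER = "-----BEGIN OpenVPN Static key V1-----"
KEY_FOOTER = "-----END OpenVPN Static key V1-----"
STATIC_KEY_BYTES = 256        # 2048-bit file: two 128-byte keys
HALF = STATIC_KEY_BYTES // 2
CIPHER_PART = 64              # each key: 64 cipher bytes, then 64 HMAC bytes
DIGEST_LEN = {"SHA1": 20, "SHA256": 32, "SHA512": 64, "MD5": 16}


def parse_static_key(text: str) -> bytes:
    """Return the 256 raw key bytes or raise ValueError saying what is wrong."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    while lines and lines[0].startswith("#"):   # generated files start with comments
        lines.pop(0)
    if len(lines) < 3 or lines[0] != KEY_HEADER or lines[-1] != KEY_FOOTER:
        raise ValueError("missing or garbled BEGIN/END 'OpenVPN Static key V1' line")
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[0-9a-fA-F]+", body):
        raise ValueError("non-hex characters in key body (mangled paste?)")
    if len(body) != STATIC_KEY_BYTES * 2:
        raise ValueError(f"key body is {len(body)} hex chars, expected {STATIC_KEY_BYTES * 2}")
    return bytes.fromhex(body)


def key_problem(text: str):
    """None if the key text parses, otherwise the error message."""
    try:
        parse_static_key(text)
        return None
    except ValueError as exc:
        return str(exc)


def hmac_keys(raw: bytes, key_direction: int, auth: str = "SHA1"):
    """(outgoing, incoming) HMAC keys at key-direction 0 or 1. Assumed layout
    (OpenVPN 2.3 key2 struct): direction 0 sends with key 0, receives with key 1;
    direction 1 the reverse; only the first digest-length HMAC bytes are used."""
    if key_direction not in (0, 1):
        raise ValueError("key-direction must be 0 (server) or 1 (client)")
    n = DIGEST_LEN[auth.upper()]
    keys = (raw[:HALF], raw[HALF:])
    out = keys[key_direction][CIPHER_PART:CIPHER_PART + n]
    inc = keys[1 - key_direction][CIPHER_PART:CIPHER_PART + n]
    return out, inc


def hmac_check(raw, sender_dir, receiver_dir, msg=b"P_CONTROL_HARD_RESET", auth="SHA1"):
    """Can the receiver verify the sender's control-packet HMAC? Sender tags with
    its outgoing key, receiver checks with its incoming key. Illustrative only:
    a real packet also carries a packet-id and timestamp under the HMAC."""
    s_out, _ = hmac_keys(raw, sender_dir, auth)
    _, r_in = hmac_keys(raw, receiver_dir, auth)
    tag = hmac.new(s_out, msg, auth.lower()).digest()
    return hmac.compare_digest(hmac.new(r_in, msg, auth.lower()).digest(), tag)


OPTS_RE = re.compile(r"Local Options String: '([^']*)'")
HMAC_ERR = "TLS Error: cannot locate HMAC in incoming packet"


def triage_log(log: str) -> dict:
    """Pull keydir/auth/cipher from the client's option string and flag the error."""
    r = {"hmac_error": False, "tls_auth_local": False, "local": {}, "findings": []}
    for line in log.splitlines():
        if HMAC_ERR in line:
            r["hmac_error"] = True
        if "Control Channel Authentication: using" in line and "static key file" in line:
            r["tls_auth_local"] = True
        m = OPTS_RE.search(line)
        if m:
            for item in m.group(1).split(","):
                key, _, value = item.partition(" ")
                r["local"][key] = value
    if r["hmac_error"] and r["tls_auth_local"]:
        r["findings"].append(
            "peer's control packets carry no HMAC this side can verify: server not "
            "running tls-auth, a different ta.key, the same key-direction on both ends, "
            f"or a different --auth digest (local keydir {r['local'].get('keydir')}, "
            f"auth {r['local'].get('auth')})")
    return r


# Constructed samples: NOT a real key and NOT the poster's log.
SAMPLE_RAW = bytes(range(256))
SAMPLE_KEY_TEXT = "\n".join(
    ["#", "# 2048 bit OpenVPN static key (constructed sample)", "#", KEY_HEADER]
    + [SAMPLE_RAW.hex()[i:i + 32] for i in range(0, 512, 32)] + [KEY_FOOTER])
SAMPLE_LOG = """\
Jan 20 18:19:21 openvpn[84390]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
Jan 20 18:19:21 openvpn[84390]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Jan 20 18:19:21 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.0.2.1:1194
"""
```

`hmac_check(raw, 0, 1)` succeeds and `hmac_check(raw, 1, 1)` fails, which is the shape of the error above: a key-direction of 1 on the client is only right if the server runs the same `ta.key` at direction 0. Two caveats for reading the posted log: the "Expected Remote Options String" is computed from the local config, so it cannot confirm what the server runs; and the provider's own client config has `#tls-auth ta.key 1` commented out, so whether their server uses tls-auth at all is the first thing to confirm with them. When sanitising a log for posting, the IP addresses are what to redact; the key text itself should never be posted.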

