Netgate Discussion Forum

    PFSense to Witopia

    BeepStein

      I am trying pfSense out with different VPN Service providers and I am working on Witopia.

      It is really challenging my knowledge with the pfSense and OpenVPN.

      General pfSense OpenVPN questions:
      1. If I choose an option in the GUI, do I have to specify it in the Advanced options section? For example,
      'Server host or Address' is a field in the GUI, but can I specify others by using the advanced options box? For example: server vpn1.address.com; server2.address.com ?

      2. In the "TLS Authentication Section", is the key in the file "ta.key" supposed to go there?

      3. I have been getting the following output from the logs:

      Jan 16 21:59:53 openvpn[27848]: event_wait : Interrupted system call (code=4)
      Jan 16 21:59:53 openvpn[27848]: SIGTERM[hard,] received, process exiting
      Jan 16 21:59:53 openvpn[23185]: OpenVPN 2.3.3 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
      Jan 16 21:59:53 openvpn[23185]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
      Jan 16 21:59:53 openvpn[23185]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jan 16 21:59:53 openvpn[23185]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
      Jan 16 21:59:53 openvpn[23446]: UDPv4 link local (bound): [AF_INET]XXX.XXX.1.122
      Jan 16 21:59:53 openvpn[23446]: UDPv4 link remote: [AF_INET]XXX.XXX.XXX.140:1194
      Jan 16 21:59:53 openvpn[23446]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.XXX.140:1194
      Jan 16 21:59:55 openvpn[23446]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.XXX.140:1194

      I am not sure why I am getting the Warning or the HMAC error. I cut and pasted the data in the ta.key file into the TLS Authentication box in the pfSense Client settings.

      Any help would be appreciated.

      eshield

        • Yes, you can specify a set of servers there using the following format:

          remote

          for example

          remote vpn-1.contoso.com 9999 udp
          remote vpn-2.contoso.com 8888 tcp

        • That's right. You should paste contents of ta.key there as is.

        • Reason could be:

          • Invalid TLS auth key

          • Wrong Digest algo is set

          • Network is incorrectly configured on the server

          • Time issue

        I suggest you increase the verbosity level to 3 and post a clean, untouched log here again. Clear the logs beforehand.

        P.S.: a client config would be nice.

        Mr. Jingles

          @Dmitriy:

          • Yes, you can specify a set of servers there using the following format:

            remote

            for example

            remote vpn-1.contoso.com 9999 udp
            remote vpn-2.contoso.com 8888 tcp

          Could I, as the eternal noob, ask what happens next? I mean, there is only 1 server it connects to at the time, right? So what does adding two servers do?

          6 and a half billion people know that they are stupid, aggressive, lower life forms.

          BeepStein

            Jingles, I think adding two servers will allow the client to use the second one if the first one isn't working.

            Dmitriy,

            I am reviewing their client config file; they don't specify a digest algorithm. They provide the following:

            client
            dev tun
            proto udp
            remote [REPLACE WITH SERVER NAME] 1194
            resolv-retry infinite
            nobind
            persist-key
            persist-tun
            ns-cert-type server
            cipher bf-cbc
            comp-lzo
            verb 3
            mute 20
            ca ca.crt
            mssfix 1300
            key CN1.key
            cert CN2.crt
            #tls-auth ta.key 1

            Since I am using pfSense, I don't need to specify the path for the files, because pfSense allows me to put the certs in the certificate authority and load the TLS key in the GUI. Right?

            I changed the verbosity to 4 and got this:
            Jan 20 18:19:21 openvpn[84390]: real_hash_size = 256
            Jan 20 18:19:21 openvpn[84390]: virtual_hash_size = 256
            Jan 20 18:19:21 openvpn[84390]: client_connect_script = '[UNDEF]'
            Jan 20 18:19:21 openvpn[84390]: learn_address_script = '[UNDEF]'
            Jan 20 18:19:21 openvpn[84390]: client_disconnect_script = '[UNDEF]'
            Jan 20 18:19:21 openvpn[84390]: client_config_dir = '[UNDEF]'
            Jan 20 18:19:21 openvpn[84390]: ccd_exclusive = DISABLED
            Jan 20 18:19:21 openvpn[84390]: tmp_dir = '/tmp'
            Jan 20 18:19:21 openvpn[84390]: push_ifconfig_defined = DISABLED
            Jan 20 18:19:21 openvpn[84390]: push_ifconfig_local = 0.0.0.0
            Jan 20 18:19:21 openvpn[84390]: push_ifconfig_remote_netmask = 0.0.0.0
            Jan 20 18:19:21 openvpn[84390]: push_ifconfig_ipv6_defined = DISABLED
            Jan 20 18:19:21 openvpn[84390]: push_ifconfig_ipv6_local = ::/0
            Jan 20 18:19:21 openvpn[84390]: push_ifconfig_ipv6_remote = ::
            Jan 20 18:19:21 openvpn[84390]: enable_c2c = DISABLED
            Jan 20 18:19:21 openvpn[84390]: duplicate_cn = DISABLED
            Jan 20 18:19:21 openvpn[84390]: cf_max = 0
            Jan 20 18:19:21 openvpn[84390]: cf_per = 0
            Jan 20 18:19:21 openvpn[84390]: max_clients = 1024
            Jan 20 18:19:21 openvpn[84390]: max_routes_per_client = 256
            Jan 20 18:19:21 openvpn[84390]: auth_user_pass_verify_script = '[UNDEF]'
            Jan 20 18:19:21 openvpn[84390]: auth_user_pass_verify_script_via_file = DISABLED
            Jan 20 18:19:21 openvpn[84390]: port_share_host = '[UNDEF]'
            Jan 20 18:19:21 openvpn[84390]: port_share_port = 0
            Jan 20 18:19:21 openvpn[84390]: client = ENABLED
            Jan 20 18:19:21 openvpn[84390]: pull = ENABLED
            Jan 20 18:19:21 openvpn[84390]: auth_user_pass_file = '[UNDEF]'
            Jan 20 18:19:21 openvpn[84390]: OpenVPN 2.3.3 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
            Jan 20 18:19:21 openvpn[84390]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
            Jan 20 18:19:21 openvpn[84390]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
            Jan 20 18:19:21 openvpn[84390]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
            Jan 20 18:19:21 openvpn[84390]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
            Jan 20 18:19:21 openvpn[84390]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
            Jan 20 18:19:21 openvpn[84390]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
            Jan 20 18:19:21 openvpn[84390]: LZO compression initialized
            Jan 20 18:19:21 openvpn[84390]: Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
            Jan 20 18:19:21 openvpn[84390]: Socket Buffers: R=[42080->65536] S=[57344->65536]
            Jan 20 18:19:21 openvpn[84390]: Data Channel MTU parms [ L:1542 D:1300 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
            Jan 20 18:19:21 openvpn[84390]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
            Jan 20 18:19:21 openvpn[84390]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
            Jan 20 18:19:21 openvpn[84390]: Local Options hash (VER=V4): '504e774e'
            Jan 20 18:19:21 openvpn[84390]: Expected Remote Options hash (VER=V4): '14168603'
            Jan 20 18:19:21 openvpn[84425]: UDPv4 link local (bound): [AF_INET]XXX.XXX.1.222
            Jan 20 18:19:21 openvpn[84425]: UDPv4 link remote: [AF_INET]XXX.XXX.111.111:1194
            Jan 20 18:19:21 openvpn[84425]: TLS: Initial packet from [AF_INET]XXX.XXX.111.111:1194, sid=2dbd86cf 06dd0388
            Jan 20 18:19:21 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.111.111:1194
            Jan 20 18:19:23 openvpn[84425]: TLS: Initial packet from [AF_INET]XXX.XXX.111.111:1194, sid=2dbd86cf 06dd0388
            Jan 20 18:19:23 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.111.111:1194
            Jan 20 18:19:27 openvpn[84425]: TLS: Initial packet from [AF_INET]XXX.XXX.111.111:1194, sid=2dbd86cf 06dd0388
            Jan 20 18:19:27 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.111.111:1194

            The only places I think may be wrong are the bolded.

            Thanks for any help. Also, when posting, what info should I take out or clean? Just the IP addresses?

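The two things eshield's list of causes and the verbose log above let a reader check mechanically are (a) whether the pasted ta.key text is still intact after going through the GUI, and (b) what the client itself says about its tls-auth setup (key file, key direction, digest) next to the repeated "cannot locate HMAC" errors. The script below is an added example for this thread, not pfSense, OpenVPN or Witopia code; the log lines it parses are copied from the verbose log posted above, the key it validates is a constructed all-zero placeholder (not a real key), and the function names (validate_static_key, parse_client_log, diagnose) are mine. The checklist it prints is the order in which a defender would rule things out: whether the peer uses tls-auth at all (the provider's config above has the tls-auth line commented out with '#'), whether the key bytes match, whether the key direction is opposite on the two sides, and whether the control-channel digest matches.

```python
"""Triage helpers for an OpenVPN client logging "cannot locate HMAC in incoming packet".

Added example for this thread; not pfSense, OpenVPN or Witopia code.
SAMPLE_LOG is copied from the verbose client log posted in the thread.
SAMPLE_KEY is a constructed, all-zero placeholder that only exercises the
format check; it is not a real tls-auth key.
"""
import re

STATIC_KEY_BEGIN = "-----BEGIN OpenVPN Static key V1-----"
STATIC_KEY_END = "-----END OpenVPN Static key V1-----"
STATIC_KEY_HEX_DIGITS = 512  # 2048-bit static key = 256 bytes = 512 hex digits

_HMAC_ERR_RE = re.compile(r"TLS Error: cannot locate HMAC in incoming packet from (\S+)")
_OPTS_RE = re.compile(r"(Local|Expected Remote) Options String: '([^']*)'")
_DIGEST_RE = re.compile(r"Incoming Control Channel Authentication: Using \d+ bit message hash '([^']+)'")
_KEYFILE_RE = re.compile(r"Control Channel Authentication: using '([^']+)' as a OpenVPN static key file")


def validate_static_key(text):
    """Return a list of problems with pasted ta.key text; empty means the paste looks intact.

    This catches paste damage (lost lines, stray characters, wrong envelope).
    It cannot tell whether the key matches the copy on the server.
    """
    problems = []
    body = [ln.strip() for ln in text.strip().splitlines()]
    body = [ln for ln in body if ln and not ln.startswith("#")]  # ta.key carries '#' comment lines
    if not body or body[0] != STATIC_KEY_BEGIN:
        problems.append("missing or altered BEGIN line")
    if not body or body[-1] != STATIC_KEY_END:
        problems.append("missing or altered END line")
    hexpart = "".join(body[1:-1]) if len(body) >= 2 else ""
    if not re.fullmatch(r"[0-9a-fA-F]*", hexpart):
        problems.append("non-hex characters inside the key body")
    elif len(hexpart) != STATIC_KEY_HEX_DIGITS:
        problems.append(f"key body has {len(hexpart)} hex digits, expected {STATIC_KEY_HEX_DIGITS}")
    return problems


def parse_options_string(s):
    """Turn 'V4,dev-type tun,keydir 1,tls-auth,...' into a dict; bare flags map to True."""
    opts = {}
    for item in s.split(","):
        name, _, value = item.partition(" ")
        opts[name] = value if value else True
    return opts


def parse_client_log(lines):
    """Pull the tls-auth-related facts out of OpenVPN client log lines."""
    facts = {"hmac_errors": 0, "peers": set(), "local": {}, "remote": {},
             "digest": None, "key_file": None}
    for ln in lines:
        if m := _HMAC_ERR_RE.search(ln):
            facts["hmac_errors"] += 1
            facts["peers"].add(m.group(1))
        elif m := _OPTS_RE.search(ln):
            side = "local" if m.group(1) == "Local" else "remote"
            facts[side] = parse_options_string(m.group(2))
        elif m := _DIGEST_RE.search(ln):
            facts["digest"] = m.group(1)
        elif m := _KEYFILE_RE.search(ln):
            facts["key_file"] = m.group(1)
    return facts


def diagnose(facts):
    """Return an ordered checklist for the HMAC errors seen; empty if there were none."""
    if facts["hmac_errors"] == 0:
        return []
    peers = ", ".join(sorted(facts["peers"])) or "the peer"
    local = facts["local"]
    return [
        f"{facts['hmac_errors']} control packet(s) from {peers} failed the tls-auth HMAC check",
        "confirm the peer uses tls-auth at all: a config line starting with '#' is commented out, "
        "so such a peer sends control packets without any HMAC",
        f"confirm the pasted key is byte-identical to the peer's copy (local file: {facts['key_file']}); "
        "run validate_static_key() on the pasted text first",
        f"confirm key direction: this client uses keydir {local.get('keydir')}, the peer must use the other value",
        f"confirm the control-channel digest matches the peer ('auth {facts['digest']}' here)",
    ]


# Sample input copied from the thread's verbose log (IP addresses already masked by the poster).
SAMPLE_LOG = """\
Jan 20 18:19:21 openvpn[84390]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
Jan 20 18:19:21 openvpn[84390]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 20 18:19:21 openvpn[84390]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 20 18:19:21 openvpn[84390]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Jan 20 18:19:21 openvpn[84390]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Jan 20 18:19:21 openvpn[84425]: TLS: Initial packet from [AF_INET]XXX.XXX.111.111:1194, sid=2dbd86cf 06dd0388
Jan 20 18:19:21 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.111.111:1194
Jan 20 18:19:23 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.111.111:1194
Jan 20 18:19:27 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.111.111:1194
""".splitlines()

# Constructed placeholder key: 16 lines of 32 hex digits, all zeros (never use as a real key).
SAMPLE_KEY = ("#\n# 2048 bit OpenVPN static key (CONSTRUCTED placeholder)\n#\n"
              + STATIC_KEY_BEGIN + "\n" + "\n".join(["0" * 32] * 16) + "\n" + STATIC_KEY_END + "\n")
# The same key with its last hex line lost, as a truncated GUI paste would look.
TRUNCATED_KEY = SAMPLE_KEY.replace("0" * 32 + "\n" + STATIC_KEY_END, STATIC_KEY_END)

if __name__ == "__main__":
    print("intact key problems:   ", validate_static_key(SAMPLE_KEY))
    print("truncated key problems:", validate_static_key(TRUNCATED_KEY))
    for step in diagnose(parse_client_log(SAMPLE_LOG)):
        print("-", step)
```

Run it on the saved log and on the text actually pasted into the TLS Authentication box; the key check is the quickest way to rule out paste damage before touching anything else, and the checklist is worth working through top to bottom because the first item (peer not using tls-auth at all) produces exactly the log seen here.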
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.