SITE-TO-SITE as PEER TO PEER (SSL/TLS)



  • I've set up a site-to-site as Peer to Peer (shared key) and everything works like a charm, but reading about it, it isn't the best solution.

    I'm trying to set up a Peer to Peer (SSL/TLS) like this:

    SERVER
    protocol: UDP
    service mode: tun
    interface: WAN
    localport: 1111
    TLS auth: flag on both enable auth and generate key
    Server CA: generated by this server in CAs Tab (Certificate Authority Manager)
    Server Certificate: generated in System: Certificate Manager tab
                                  ( Server Certificate  CA: No, Server: Yes)
    length: 2048 bits
    auth digest alg: AES-256-CBC
    no hardware crypto acceleration
    certificate depth: one(client+Server)

    advanced configuration:
    mode server
    tls-server

    CLIENT
    server mode: peer to peer (ssl/tls)
    protocol: udp
    device mode: tun
    interface: WAN
    server host: mystaticIP
    server port: 1111

    user auth settings: empty

    Crypto:
    TLS: pasted key generated by server
    Peer certificate authority:  the imported Server CA: generated by this server in CAs Tab (Certificate Authority Manager)
    Client Certificate:  the imported Server Certificate: generated in System: Certificate Manager tab
                                  ( Server Certificate  CA: No, Server: Yes)

    encryption algorithm: AES-256-CBC
    auth: SHA1
    hw crypto: no hw

    Advanced configuration: tls-client

    then save and run fails because I keep getting this error:

    SERVER
    openvpn[92480]: TLS Error: incoming packet authentication failed from [AF_INET]
    authenticate/Decrypt packet error: packet HMAC authentication failed

    Jun 17 14:23:57    openvpn[92480]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Jun 17 14:23:47    openvpn[92480]: Initialization Sequence Completed
    Jun 17 14:23:47    openvpn[92480]: UDPv4 link remote: [undef]
    Jun 17 14:23:47    openvpn[92480]: UDPv4 link local (bound): [AF_INET]172.111.0.3:1197
    Jun 17 14:23:47    openvpn[92480]: /usr/local/sbin/ovpn-linkup ovpns4 1500 1557 192.111.0.1 192.111.0.2 init
    Jun 17 14:23:47    openvpn[92480]: /sbin/ifconfig ovpns4 192.111.0.1 192.111.0.2 mtu 1500 netmask 255.255.255.255 up
    Jun 17 14:23:47    openvpn[92480]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Jun 17 14:23:47    openvpn[92480]: TUN/TAP device /dev/tun4 opened
    Jun 17 14:23:47    openvpn[92480]: TUN/TAP device ovpns4 exists previously, keep at program end
    Jun 17 14:23:47    openvpn[92480]: Control Channel Authentication: using '/var/etc/openvpn/server4.tls-auth' as a OpenVPN static key file
    Jun 17 14:23:46    openvpn[92480]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jun 17 14:23:46    openvpn[92167]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
    Jun 17 14:23:46    openvpn[92167]: OpenVPN 2.3.6 i386-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Apr 8 2015

    CLIENT

    Jun 17 14:23:55    openvpn[20608]: SIGUSR1[soft,ping-restart] received, process restarting
    Jun 17 14:23:55    openvpn[20608]: [UNDEF] Inactivity timeout (--ping-restart), restarting
    Jun 17 14:22:55    openvpn[20608]: UDPv4 link remote: [AF_INET]MYREMOTEIP:1111
    Jun 17 14:22:55    openvpn[20608]: UDPv4 link local (bound): [AF_INET]WANIP
    Jun 17 14:22:55    openvpn[20608]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jun 17 14:22:55    openvpn[20608]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jun 17 14:22:53    openvpn[20608]: SIGUSR1[soft,ping-restart] received, process restarting
    Jun 17 14:22:53    openvpn[20608]: [UNDEF] Inactivity timeout (--ping-restart), restarting
    Jun 17 14:21:53    openvpn[20608]: UDPv4 link remote: [AF_INET]MYREMOTEIP:1111
    Jun 17 14:21:53    openvpn[20608]: UDPv4 link local (bound): [AF_INET]WANIP
    Jun 17 14:21:53    openvpn[20608]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jun 17 14:21:53    openvpn[20608]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jun 17 14:21:51    openvpn[20608]: SIGUSR1[soft,ping-restart] received, process restarting
    Jun 17 14:21:51    openvpn[20608]: [UNDEF] Inactivity timeout (--ping-restart), restarting
    Jun 17 14:20:51    openvpn[20608]: UDPv4 link remote: [AF_INET]MYREMOTEIP:1111
    Jun 17 14:20:51    openvpn[20608]: UDPv4 link local (bound): [AF_INET]WANIP
    Jun 17 14:20:51    openvpn[20608]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jun 17 14:20:51    openvpn[20608]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jun 17 14:20:49    openvpn[20608]: SIGUSR1[soft,ping-restart] received, process restarting
    Jun 17 14:20:49    openvpn[20608]: [UNDEF] Inactivity timeout (--ping-restart), restarting
    Jun 17 14:19:49    openvpn[20608]: UDPv4 link remote: [AF_INET]MYREMOTEIP:1111
    Jun 17 14:19:49    openvpn[20608]: UDPv4 link local (bound): [AF_INET]WANIP
    Jun 17 14:19:49    openvpn[20608]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jun 17 14:19:49    openvpn[20608]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jun 17 14:19:47    openvpn[20608]: SIGUSR1[soft,ping-restart] received, process restarting
    Jun 17 14:19:47    openvpn[20608]: [UNDEF] Inactivity timeout (--ping-restart), restarting
    Jun 17 14:19:45    openvpn[8919]: MANAGEMENT: Client disconnected
    Jun 17 14:19:45    openvpn[8919]: MANAGEMENT: CMD 'status 2'
    Jun 17 14:19:45    openvpn[8919]: MANAGEMENT: CMD 'state 1'
    Jun 17 14:19:45    openvpn[8919]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jun 17 14:19:28    openvpn[8919]: MANAGEMENT: Client disconnected
    Jun 17 14:19:28    openvpn[8919]: MANAGEMENT: CMD 'status 2'
    Jun 17 14:19:28    openvpn[8919]: MANAGEMENT: CMD 'state 1'
    Jun 17 14:19:28    openvpn[8919]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jun 17 14:18:56    openvpn[8919]: MANAGEMENT: Client disconnected
    Jun 17 14:18:56    openvpn[8919]: MANAGEMENT: CMD 'status 2'
    Jun 17 14:18:56    openvpn[8919]: MANAGEMENT: CMD 'state 1'
    Jun 17 14:18:56    openvpn[8919]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jun 17 14:18:47    openvpn[20608]: UDPv4 link remote: [AF_INET]MYREMOTEIP:1111
    Jun 17 14:18:47    openvpn[20608]: UDPv4 link local (bound): [AF_INET]WANIP
    Jun 17 14:18:47    openvpn[20608]: Control Channel Authentication: using '/var/etc/openvpn/client3.tls-auth' as a OpenVPN static key file
    Jun 17 14:18:47    openvpn[20608]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jun 17 14:18:47    openvpn[20608]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jun 17 14:18:47    openvpn[20608]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
    Jun 17 14:18:47    openvpn[20475]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09

    What am I missing? Thanks in advance.



  • Adding SSL/TLS to a shared key setup should be relatively straightforward.
    I would suggest taking it in two steps, SSL first then add TLS.

    SSL:
    You need the following in System->CertManager on the OpenVPN Server system:

    1) CA  - A Certificate of Authority for all the Certificates (simply create one)
        Create an Internal Certificate Authority
        Descriptive Name - anything you like
        Key length 2048 (or greater)
        Digest, Lifetime - SHA256, 3650 defaults are fine.
        Distinguished Name - fill in everything, Common Name - must be unique

    Certificates-
    2) A Certificate for the OpenVPN Server
      Create Internal Certificate
      Use CA created in 1)
      Key length 2048 (or greater) same as in 1)
      Certificate Type - Server Certificate
      Distinguished Name info comes from CA, except Common Name - use a unique identifier for the Server

    3) A Certificate for the OpenVPN Client
        Create Internal Certificate
        Use CA created in 1)
        Key length 2048 (or greater) same as in 1)
        Certificate Type - User Certificate
        Distinguished Name info comes from CA, except Common Name - use a unique identifier for the Client

    On the Server VPN->OpenVPN:Server

    Cryptographic Settings
        TLS Authentication - Leave unchecked for now (easier to add later)
        Peer Certificate Revocation List - None
        Peer Certificate Authority - CA from 1)
        Server Certificate - Cert from 2)
        DH Parameters list - 2048 (or greater)
        Encryption Algorithm - as needed and hardware allows (I prefer AES-256-CBC)
        Auth Digest Algorithm - SHA-1
        Hardware Crypto - enable if available
        Certificate Depth - leave at One (Client+Server)

    Everything else as before on the working OpenVPN Server

    You need the following in System->CertManager on the OpenVPN Client system:

    1. CA  - The Certificate of Authority from 1)
        Import an existing Certificate Authority
        Paste in only the Certificate Data from 1) (NOT the Certificate Private Key).

    2. Certificates  The Certificate from 3)
        Import an existing Certificate Authority
        Paste in only the Certificate data and the Private Key data from 3).

    On the Client VPN->OpenVPN:Client

    Cryptographic Settings
        TLS Authentication - Leave unchecked for now (easier to add later)
        Peer Certificate Authority - CA from 1)
        Client Certificate - Cert from 3)
        Encryption Algorithm - Same as used for the OpenVPN Server
        Auth Digest Algorithm - Same as used for the OpenVPN Server
        Hardware Crypto - enable if available

    Everything else as before on the working OpenVPN Client

    If everything is setup properly, the client and server should connect and give you an active tunnel as before.
    One issue I've run into before when changing certificates with OpenVPN is the server (and sometimes the client) doesn't want to release previous running copies of itself without an explicit "kill" of its process (or a reboot of pfSense).  The other thing to watch out for is that the clocks on both pfSense boxes must be reasonably close to correct or the handshake may not work properly.

    Once you have SSL working right, you can go back and enable TLS on the Server and paste the automatically generated key into the client.
    I find it easier to troubleshoot one step at a time.

    Once you've seen the general layout of a working SSL OpenVPN setup, it's really not very hard to get up and running.
    It's just the first time that's a bear  ;)

    Edit: Fixed improper reference for Client certificate
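Added example, not part of any post in this thread: a POSIX shell script that builds the CA, server certificate and client certificate the answer above describes, using openssl instead of the pfSense Certificate Manager, and then checks each certificate the way the OpenVPN peer on the other end will. Three things are checked: the certificate chains to the CA, the private key really belongs to it, and its extendedKeyUsage fits its role (serverAuth for the "Server Certificate" type, clientAuth for the "User Certificate" type). That last check is what OpenVPN's `remote-cert-tls server` option enforces on the client; the "WARNING: No server certificate verification method has been enabled" line in the client log means no such option (`remote-cert-tls`, `verify-x509-name` or similar) is in effect, so the client would accept any certificate signed by the CA as the server, including another client's. The script also runs the substitution the original post made, the server certificate in the client slot, and shows it failing the client-role check. Certificate names, the working directory and the two-step issue procedure are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the CA / server / client certificate
# set the answer describes with openssl and checks each certificate the way an
# OpenVPN peer will. Names, paths and $WORK are assumptions of this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca DIR
# Creates DIR/ca.key and a self-signed DIR/ca.crt with CA:TRUE (step 1 of the answer).
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=vpn-ca" \
    -keyout "$1/ca.key" -out "$1/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$1/ca.ext"
  openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 3650 -sha256 \
    -extfile "$1/ca.ext" -out "$1/ca.crt" 2>/dev/null
}

# make_cert DIR NAME ROLE   (ROLE is "server" or "client")
# Issues DIR/NAME.crt + DIR/NAME.key signed by DIR/ca.crt. The EKU is what
# separates a "Server Certificate" from a "User Certificate" (steps 2 and 3).
make_cert() {
  dir=$1; name=$2; role=$3
  case "$role" in
    server) ku="digitalSignature,keyEncipherment"; eku="serverAuth" ;;
    client) ku="digitalSignature"; eku="clientAuth" ;;
    *) echo "unknown role: $role" >&2; return 1 ;;
  esac
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=%s\nextendedKeyUsage=%s\n' \
    "$ku" "$eku" > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 3650 -sha256 -extfile "$dir/$name.ext" \
    -out "$dir/$name.crt" 2>/dev/null
}

# cn_of CERTFILE -> prints the Common Name (the answer wants these unique)
cn_of() {
  openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# check_cert DIR NAME ROLE
# Succeeds only if NAME.crt chains to ca.crt, NAME.key is its private key, and
# the EKU is the one "remote-cert-tls ROLE" on the far side would demand.
check_cert() {
  dir=$1; name=$2; role=$3
  case "$role" in
    server) want="TLS Web Server Authentication" ;;
    client) want="TLS Web Client Authentication" ;;
    *) return 1 ;;
  esac
  openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
  cert_mod=$(openssl x509 -noout -modulus -in "$dir/$name.crt")
  key_mod=$(openssl rsa -noout -modulus -in "$dir/$name.key" 2>/dev/null)
  [ "$cert_mod" = "$key_mod" ] || return 1
  openssl x509 -noout -text -in "$dir/$name.crt" | grep -q "$want"
}

main() {
  make_ca "$WORK"
  make_cert "$WORK" vpn-server server
  make_cert "$WORK" vpn-client client
  [ "$(cn_of "$WORK/vpn-server.crt")" != "$(cn_of "$WORK/vpn-client.crt")" ] \
    || { echo "Common Names must differ" >&2; exit 1; }
  check_cert "$WORK" vpn-server server   # set -e aborts here if it fails
  echo "vpn-server.crt: usable as server cert"
  check_cert "$WORK" vpn-client client
  echo "vpn-client.crt: usable as client cert"
  # The substitution made in the original post: the server certificate pasted
  # into the client's "Client Certificate" slot. It chains to the CA, but it
  # carries serverAuth, not clientAuth, so the client-role check rejects it.
  if ! check_cert "$WORK" vpn-server client; then
    echo "vpn-server.crt: NOT usable as client cert (no clientAuth EKU)"
  fi
}

main
```

The files it leaves in `$WORK` are what the answer has you paste: `ca.crt` alone into the client's CA import (never `ca.key`), and `vpn-client.crt` plus `vpn-client.key` into the client's certificate import. Note that `check_cert` only mirrors what `remote-cert-tls` would check; it does not replace enabling that option on the client once the tunnel is up.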



  • It works like a charm now, THANKS A LOT!

    Just one thing:

    On the Client VPN->OpenVPN:Client

    Cryptographic Settings
        TLS Authentication - Leave unchecked for now (easier to add later)
        Peer Certificate Authority - CA from 1)
        Client Certificate - Cert from 2)

    should be
        Client Certificate - Cert from 3)

    Hope you can add this to the wiki; it really is a good explanation, thanks!



  • Glad we could help.

    Thanks for noticing my oooops (and being kind about it) I typed that up in a hurry.
    I fixed that for posterity.

    I'm not a dev, just lending a hand when I can so I don't know if this will make it anywhere else.

    I'm definitely not opposed to anyone making the best use of it they can  :)

    It may be helpful to update the title of this thread with a (SOLVED) for future reference.



  • @divsys hello

    I have a similar topic; I hope you can read it and help me.

    https://forum.netgate.com/topic/139648/openvpn-site-to-site-routing/2

    Thank you


  • @xlameee Please don't post to ancient, crusty threads. Please start a new one. Locking this.

