SITE-TO-SITE as PEER TO PEER (SSL/TLS)
- 
 I've set up a site-to-site as Peer to Peer (Shared Key) and everything works like a charm, but reading about it, it isn't the best solution. I'm trying to set up a Peer to Peer (SSL/TLS) as this:

 SERVER
 protocol: UDP
 service mode: tun
 interface: WAN
 localport: 1111
 TLS auth: flag on both enable auth and generate key
 Server CA: generated by this server in CAs Tab (Certificate Authority Manager)
 Server Certificate: generated in System: Certificate Manager tab
 (Server Certificate CA: No, Server: Yes)
 length: 2048 bits
 auth digest alg: AES-256-CBC
 no hardware crypto acceleration
 certificate depth: one (client+Server)

 advanced configuration:
 mode server
 tls-server

 CLIENT
 server mode: peer to peer (ssl/tls)
 protocol: udp
 device mode: tun
 interface: WAN
 server host: mystaticIP
 server port: 1111

 user auth settings: empty

 Crypto:
 TLS: pasted key generated by server
 Peer certificate authority: the imported Server CA: generated by this server in CAs Tab (Certificate Authority Manager)
 Client Certificate: the imported Server Certificate: generated in System: Certificate Manager tab
 (Server Certificate CA: No, Server: Yes)
 encryption algorithm: AES-256-CBC
 auth: SHA1
 hw crypto: no hw

 Advanced configuration: tls-client

 Then I save and run, and it fails because I keep getting this error:

 SERVER
 openvpn[92480]: TLS Error: incoming packet authentication failed from [AF_INET]
 authenticate/Decrypt packet error: packet HMAC authentication failed
 Jun 17 14:23:57 openvpn[92480]: Authenticate/Decrypt packet error: packet HMAC authentication failed
 Jun 17 14:23:47 openvpn[92480]: Initialization Sequence Completed
 Jun 17 14:23:47 openvpn[92480]: UDPv4 link remote: [undef]
 Jun 17 14:23:47 openvpn[92480]: UDPv4 link local (bound): [AF_INET]172.111.0.3:1197
 Jun 17 14:23:47 openvpn[92480]: /usr/local/sbin/ovpn-linkup ovpns4 1500 1557 192.111.0.1 192.111.0.2 init
 Jun 17 14:23:47 openvpn[92480]: /sbin/ifconfig ovpns4 192.111.0.1 192.111.0.2 mtu 1500 netmask 255.255.255.255 up
 Jun 17 14:23:47 openvpn[92480]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
 Jun 17 14:23:47 openvpn[92480]: TUN/TAP device /dev/tun4 opened
 Jun 17 14:23:47 openvpn[92480]: TUN/TAP device ovpns4 exists previously, keep at program end
 Jun 17 14:23:47 openvpn[92480]: Control Channel Authentication: using '/var/etc/openvpn/server4.tls-auth' as a OpenVPN static key file
 Jun 17 14:23:46 openvpn[92480]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
 Jun 17 14:23:46 openvpn[92167]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
 Jun 17 14:23:46 openvpn[92167]: OpenVPN 2.3.6 i386-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Apr 8 2015

 CLIENT
 Jun 17 14:23:55 openvpn[20608]: SIGUSR1[soft,ping-restart] received, process restarting
 Jun 17 14:23:55 openvpn[20608]: [UNDEF] Inactivity timeout (--ping-restart), restarting
 Jun 17 14:22:55 openvpn[20608]: UDPv4 link remote: [AF_INET]MYREMOTEIP:1111
 Jun 17 14:22:55 openvpn[20608]: UDPv4 link local (bound): [AF_INET]WANIP
 Jun 17 14:22:55 openvpn[20608]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
 Jun 17 14:22:55 openvpn[20608]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
 Jun 17 14:22:53 openvpn[20608]: SIGUSR1[soft,ping-restart] received, process restarting
 Jun 17 14:22:53 openvpn[20608]: [UNDEF] Inactivity timeout (--ping-restart), restarting
 Jun 17 14:21:53 openvpn[20608]: UDPv4 link remote: [AF_INET]MYREMOTEIP:1111
 Jun 17 14:21:53 openvpn[20608]: UDPv4 link local (bound): [AF_INET]WANIP
 Jun 17 14:21:53 openvpn[20608]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
 Jun 17 14:21:53 openvpn[20608]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
 Jun 17 14:21:51 openvpn[20608]: SIGUSR1[soft,ping-restart] received, process restarting
 Jun 17 14:21:51 openvpn[20608]: [UNDEF] Inactivity timeout (--ping-restart), restarting
 Jun 17 14:20:51 openvpn[20608]: UDPv4 link remote: [AF_INET]MYREMOTEIP:1111
 Jun 17 14:20:51 openvpn[20608]: UDPv4 link local (bound): [AF_INET]WANIP
 Jun 17 14:20:51 openvpn[20608]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
 Jun 17 14:20:51 openvpn[20608]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
 Jun 17 14:20:49 openvpn[20608]: SIGUSR1[soft,ping-restart] received, process restarting
 Jun 17 14:20:49 openvpn[20608]: [UNDEF] Inactivity timeout (--ping-restart), restarting
 Jun 17 14:19:49 openvpn[20608]: UDPv4 link remote: [AF_INET]MYREMOTEIP:1111
 Jun 17 14:19:49 openvpn[20608]: UDPv4 link local (bound): [AF_INET]WANIP
 Jun 17 14:19:49 openvpn[20608]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
 Jun 17 14:19:49 openvpn[20608]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
 Jun 17 14:19:47 openvpn[20608]: SIGUSR1[soft,ping-restart] received, process restarting
 Jun 17 14:19:47 openvpn[20608]: [UNDEF] Inactivity timeout (--ping-restart), restarting
 Jun 17 14:19:45 openvpn[8919]: MANAGEMENT: Client disconnected
 Jun 17 14:19:45 openvpn[8919]: MANAGEMENT: CMD 'status 2'
 Jun 17 14:19:45 openvpn[8919]: MANAGEMENT: CMD 'state 1'
 Jun 17 14:19:45 openvpn[8919]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
 Jun 17 14:19:28 openvpn[8919]: MANAGEMENT: Client disconnected
 Jun 17 14:19:28 openvpn[8919]: MANAGEMENT: CMD 'status 2'
 Jun 17 14:19:28 openvpn[8919]: MANAGEMENT: CMD 'state 1'
 Jun 17 14:19:28 openvpn[8919]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
 Jun 17 14:18:56 openvpn[8919]: MANAGEMENT: Client disconnected
 Jun 17 14:18:56 openvpn[8919]: MANAGEMENT: CMD 'status 2'
 Jun 17 14:18:56 openvpn[8919]: MANAGEMENT: CMD 'state 1'
 Jun 17 14:18:56 openvpn[8919]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
 Jun 17 14:18:47 openvpn[20608]: UDPv4 link remote: [AF_INET]MYREMOTEIP:1111
 Jun 17 14:18:47 openvpn[20608]: UDPv4 link local (bound): [AF_INET]WANIP
 Jun 17 14:18:47 openvpn[20608]: Control Channel Authentication: using '/var/etc/openvpn/client3.tls-auth' as a OpenVPN static key file
 Jun 17 14:18:47 openvpn[20608]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
 Jun 17 14:18:47 openvpn[20608]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
 Jun 17 14:18:47 openvpn[20608]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
 Jun 17 14:18:47 openvpn[20475]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09

 What am I missing? Thanks in advance
- 
 Adding SSL/TLS to a shared key setup should be relatively straightforward.
 I would suggest taking it in two steps, SSL first then add TLS.

 SSL:
 You need the following in System->CertManager on the OpenVPN Server system:

 1) CA - A Certificate of Authority for all the Certificates (simply create one)
 Create an Internal Certificate Authority
 Descriptive Name - anything you like
 Key length 2048 (or greater)
 Digest, Lifetime - SHA256, 3650 defaults are fine.
 Distinguished Name - fill in everything, Common Name - must be unique

 Certificates
 2) A Certificate for the OpenVPN Server
 Create Internal Certificate
 Use CA created in 1)
 Key length 2048 (or greater) same as in 1)
 Certificate Type - Server Certificate
 Distinguished Name info comes from CA, except Common Name - use a unique identifier for the Server

 3) A Certificate for the OpenVPN Client
 Create Internal Certificate
 Use CA created in 1)
 Key length 2048 (or greater) same as in 1)
 Certificate Type - User Certificate
 Distinguished Name info comes from CA, except Common Name - use a unique identifier for the Client

 On the Server VPN->OpenVPN:Server Cryptographic Settings
 TLS Authentication - Leave unchecked for now (easier to add later)
 Peer Certificate Revocation List - None
 Peer Certificate Authority - CA from 1)
 Server Certificate - Cert from 2)
 DH Parameters list - 2048 (or greater)
 Encryption Algorithm - as needed and hardware allows (I prefer AES-256-CBC)
 Auth Digest Algorithm - SHA-1
 Hardware Crypto - enable if available
 Certificate Depth - leave at One (Client+Server)
 Everything else as before on the working OpenVPN Server

 You need the following in System->CertManager on the OpenVPN Client system:

 CA - The Certificate of Authority from 1)
 Import an existing Certificate Authority
 Paste in only the Certificate Data from 1) (NOT the Certificate Private Key).

 Certificates - The Certificate from 3)
 Import an existing Certificate Authority
 Paste in only the Certificate data and the Private Key data from 3).

 On the Client VPN->OpenVPN:Client Cryptographic Settings
 TLS Authentication - Leave unchecked for now (easier to add later)
 Peer Certificate Authority - CA from 1)
 Client Certificate - Cert from 3)
 Encryption Algorithm - Same as used for the OpenVPN Server
 Auth Digest Algorithm - Same as used for the OpenVPN Server
 Hardware Crypto - enable if available
 Everything else as before on the working OpenVPN Client

 If everything is set up properly, the client and server should connect and give you an active tunnel as before.
 One issue I've run into before when changing certificates with OpenVPN is the server (and sometimes the client) don't want to release previous running copies of themselves without an explicit "kill" of their process (or a reboot of pfSense). The other thing to watch out for is that the clocks on both pfSense boxes must be reasonably close to correct or the handshake may not work properly.

 Once you have SSL working right, you can go back and enable TLS on the Server and use the automatic key generated to paste into the client.
 I find it easier to troubleshoot one step at a time.

 Once you've seen the general layout of a working SSL OpenVPN setup, it's really not very hard to get up and running.
 It's just the first time that's a bear ;)

 Edit: Fixed improper reference for Client certificate
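The 1) CA, 2) server certificate, 3) client certificate hierarchy from the reply above, as an added example built with openssl on the command line instead of the pfSense Cert Manager; this is not code from the thread or from pfSense. It also checks the one property that the "Certificate Type - Server Certificate" choice gives the server cert: the serverAuth extended key usage, which is what OpenVPN's remote-cert-tls server option verifies and what the "No server certificate verification method" warning in the first post's client log refers to not being enabled. The names demo-ca, demo-server, demo-client and the working directory are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: build the 1) CA, 2) server cert, 3) client
# cert hierarchy the reply describes with openssl, then check each leaf the way a
# peer would. All names (demo-ca, demo-server, demo-client) and the work dir are made up.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1) Internal CA: 2048-bit key, SHA256 digest, 3650-day lifetime, unique CN.
#    (openssl's default "req -x509" settings mark the cert CA:TRUE.)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=demo-ca" -keyout ca.key -out ca.crt 2>/dev/null

# Issue a leaf cert signed by the CA. $3 is the EKU that separates the two
# pfSense types: "Server Certificate" = serverAuth, "User Certificate" = clientAuth.
issue_cert() {
  name="$1" cn="$2" eku="$3"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
    "$eku" > "$name.ext"
  openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 3650 -sha256 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}

# 2) Server certificate and 3) client certificate, each with its own unique CN.
issue_cert server demo-server serverAuth
issue_cert client demo-client clientAuth

# Certificate depth one (client+server): each leaf must chain directly to the CA.
verify_chain() { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }

# May a client accept this cert as its *server*? This is the EKU test that
# "remote-cert-tls server" performs; without such a test a client will accept any
# cert the CA ever signed (the MITM warning in the first post's client log).
is_server_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'TLS Web Server Authentication'
}

verify_chain server.crt && verify_chain client.crt && echo "both certs chain to ca.crt"
is_server_cert server.crt && echo "server.crt has serverAuth: usable as the Server Certificate"
is_server_cert client.crt || echo "client.crt lacks serverAuth: a client must not accept it as the server"
```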
- 
 It works like a charm now, THANKS A LOT! Just one thing:

 On the Client VPN->OpenVPN:Client Cryptographic Settings
 TLS Authentication - Leave unchecked for now (easier to add later)
 Peer Certificate Authority - CA from 1)
 Client Certificate - Cert from 2)

 should be

 Client Certificate - Cert from 3)

 Hope you can add this to the wiki, it really is a good explanation, thanks!
- 
 Glad we could help. Thanks for noticing my oooops (and being kind about it) I typed that up in a hurry. 
 I fixed that for posterity. I'm not a dev, just lending a hand when I can so I don't know if this will make it anywhere else. I'm definitely not opposed to anyone making the best use of it they can :) It may be helpful to update the title of this thread with a (SOLVED) for future reference.
- 
 @divsys hello I have a similar topic I hope you can read it and help me https://forum.netgate.com/topic/139648/openvpn-site-to-site-routing/2 Thank you 
- 
 @xlameee Please don't post to ancient, crusty threads. Please start a new one. Locking this. 
