Tomato Client dialing to a pfSense OVPN server - HAMC failure
I've setup a little OVPN server that works flawlessly with desktop based clients (the Windows OpenVPN client, Tunnelblick, iOS client and DD-WRT router based client).
However, I have a router that is running Tomato 1.28 (1.28.0000 MIPSR2-2.8-130 K26 USB AIO) and I followed the guide posted here- https://forums.openvpn.net/topic12384.html - to set it up to dial to my server.
I followed the guide for its entirety, mostly, with the exception of Compression (which I have enabled).
However, upon attempting to dial to the server, I get the following error on the pfSense end:
TLS Error: cannot locate HMAC in incoming packet from...
My specific Tomato version has an option called 'Extra HMAC authorization (tls-auth)' which, per the guide, I've set to disabled. I also tried to set it to bi-direction, incoming or outgoing - none worked.
I tried changes my authorization mode from 'TLS' to Static Key - however that caused the following messages:
Jul 8 12:16:39 openvpn: 5x.xx.xx.xx:22230 TLS Error: TLS handshake failed Jul 8 12:16:41 openvpn: 5x.xx.xx.xx:57577 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Also tried to change 'Extra HMAC Authorization' option to 'Bi-Directional' while keeping the static key – this error appears:
Jul 8 12:27:46 openvpn: Authenticate/Decrypt packet error: packet HMAC authentication failed Jul 8 12:27:46 openvpn: TLS Error: incoming packet authentication failed from [AF_INET]5x.xx.xx.xx:16497
So I am a bit stumped - any ides on how to make it work right?
When you activate the tls-auth option, are you sure to have the same TLS key on both sides?
Following-up to what hatimux said, have you tried enabling (or disabling) TLS authentication on both sides? It sounds like you had it enabled on your pfSense server, but disabled in your Tomato client.
You can keep your authorization mode to TLS. If you want to disable TLS authentication on your server just uncheck the box labeled "Enable authentication of TLS packets."
Yup - it's enabled on both ends and the proper key is used on both ends.