
I am trying to configure my Raspberry Pi as an OpenVPN server on site B. For this setup, I require that the client configuration is stored in a single file, as it's going to be deployed on my Android phone. I don't want to mess with paths and so on: I'll beam the file via Bluetooth and zap!

The configuration is PKI-based. The configuration is inspired by an existing VPN (commented out) of which the Raspy is the client (site B to site A). The "other" VPN can be enabled at any time but, again, it is currently commented out. I am trying this on Windows first before deploying on Android, especially because I can edit and rerun the configuration at any time, type fast with a keyboard and copy and paste stuff from the server, since I can always remote into it via ssh. On mobile, testing will take me a lot of time.

Server.conf

port 1194
proto udp
dev tun

ca /etc/ssl/vpn/ca.crt
cert /etc/ssl/vpn/raspy.crt
key /etc/ssl/vpn/raspy.key
dh /etc/ssl/vpn/dh2048.pem
key-direction 1
tls-auth /etc/ssl/vpn/ta.key 0 # This file is secret
cipher AES-256-CBC # AES

client-config-dir ccd
ifconfig-pool-persist ipp.txt
client-to-client
push "route 192.168.192.0 255.255.255.0 vpn_gateway"
keepalive 10 120
comp-lzo

user nobody
group nogroup
persist-key
persist-tun

status openvpn-status.log
log /var/log
verb 6 #helps me troubleshoot

Client.conf

dev tun
proto udp
remote raspy.example.me 1194

resolv-retry infinite

nobind

user nobody
group nogroup

persist-key
persist-tun

<ca>
-----BEGIN CERTIFICATE-----
(matches the CA certificate deployed on the server)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(this is the client certificate that I have signed with the common CA; I assume this part of the setup is fine)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
(client private key)
-----END RSA PRIVATE KEY-----
</key>

<dh>
-----BEGIN DH PARAMETERS-----
(matches the content of /etc/ssl/vpn/dh2048.pem)
-----END DH PARAMETERS-----
</dh>
cipher AES-256-CBC
remote-cert-tls server

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(matches /etc/ssl/vpn/ta.key)
-----END OpenVPN Static key V1-----
</tls-auth>

cipher AES-256-CBC

comp-lzo

log /var/log/openvpn.log
verb 6

I am confident that the certificates are set correctly, but in the meantime I will re-test them with OpenSSL to make sure the chain is fine.

When connecting, I find the following logs:

Server

Tue Jul 28 11:02:25 2020 us=457781 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Jul 28 11:02:25 2020 us=458025 TLS Error: incoming packet authentication failed from [AF_INET]xxx:46976
Tue Jul 28 11:02:27 2020 us=732637 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Jul 28 11:02:27 2020 us=732832 TLS Error: incoming packet authentication failed from [AF_INET]xxx:46976

Client

Tue Jul 28 11:02:25 2020 UDP WRITE [42] to [AF_INET]xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Tue Jul 28 11:02:29 2020 UDP WRITE [42] to [AF_INET]xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
Tue Jul 28 11:02:37 2020 UDP WRITE [42] to [AF_INET]xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
Tue Jul 28 11:02:53 2020 UDP WRITE [42] to [AF_INET]xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #5 ] [ ] pid=0 DATA len=0

What may be wrong in this setup? How should I fix this?

Research


I have found this topic, which claims to be solved:

bznelson wrote (Mon Apr 09, 2018 10:52 pm):
    tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0

bznelson wrote (Mon Apr 09, 2018 10:52 pm):
    <tls-crypt>

Ah yes, the tls-auth/tls-crypt, that's it! Thank you so much! I was running a 2.3 server, but I had initially installed 2.4 and I guess there was some cross pollination.

I'm running OpenVPN 2.4.0 on both hosts. I don't know how that linked thread may help me.

And in the same topic someone said about the error:

This usually means you have the wrong ta.key installed somewhere.

But I have checked three times. The keys are the same; the only difference is that one is in a file and one is inlined.


I have tried to completely remove the tls-auth from client and server. The error is fixed and I now have the next error to deal with. So the forum linked above was correct: there is some mess between the two identical keys.

4 Answers

1

Both client and server configurations need to share the same cipher configuration. The line:

cipher AES-256-CBC

must be present on both.

NeonMan
0

In my case it was the authentication digest algorithm. pfSense had a more secure default than the server, so that had to be aligned. SHA-1 is the insecure default; SHA256 seems a better option.

0

Maybe your ta.key generation was wrong.

openvpn --genkey tls-auth ta.key (this is wrong!)

Please refer to the official website: https://openvpn.net/community-resources/how-to/#hardening-openvpn-security

[screenshot: what tls-auth is used for]

In my case, OpenVPN 2.5.4:

WARNING: Using --genkey --secret filename is DEPRECATED. Use --genkey secret filename instead.

openvpn --genkey secret ta.key

After adding the following config, it works.

[screenshot: tls-auth config]

ongyanjin
0

For me, I found that auth SHA512 was missing from my client file.

FMorschel