Community Support Forum
 


Forum rules


If you would like help, here are a few things you will want to do in order to help us help you.

* Post your configs from client and server, without comments. You can strip comments in linux/bsd with something like this:
  grep -vE '^#|^;|^$' server.conf
* Tell us your goal.
* If you are having problems connecting, post your logfiles from server and client after using verb 4 in both configs.


Also, there are 2 things you should be aware of:

* Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
* You ONLY want to use dev tap if you are tunneling layer2 traffic; if you are using IP traffic you want tun. If you are using tap only for windows file sharing, look into running a WINS server instead.



tls-auth HMAC signature not working with Win7
 Post subject: tls-auth HMAC signature not working with Win7
Posted: Sun Apr 15, 2012 7:15 pm
OpenVPN User

Joined: Sun Apr 15, 2012 6:01 pm
Posts: 10
Hello,
I have a problem when I activate tls-auth HMAC signature and use a Win7 client.
My setup is as follows:

## Server ##
port 443
port-share 127.0.0.1 1443
proto tcp
dev tun
ca ca.crt
cert server.crt
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
client-to-client
keepalive 10 120
comp-lzo
;tls-auth ta.key 0
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

## Client Windows ##
client
dev tun
dev-node tap
proto tcp
remote xyz.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert windows001.crt
key windows001.key
ns-cert-type server
;tls-auth ta.key 1
comp-lzo
verb 1

## Client MacOSX ##
client
dev tun
proto tcp
remote xyz.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
;tls-auth ta.key 1
comp-lzo
verb 10


but if I try to use tls-auth and add
tls-auth ta.key 0 in the server
and
tls-auth ta.key 1 in both clients

the MacOSX connects without any problem, but when trying to connect the Win7 I have the errors below in the server:

ovpn-server[32588]: MULTI: multi_create_instance called
ovpn-server[32588]: Re-using SSL/TLS context
ovpn-server[32588]: LZO compression initialized
ovpn-server[32588]: Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
ovpn-server[32588]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
ovpn-server[32588]: Local Options hash (VER=V4): 'bd577cd1'
ovpn-server[32588]: Expected Remote Options hash (VER=V4): 'ee93268d'
ovpn-server[32588]: TCP connection established with [AF_INET]1.2.3.4:56957
ovpn-server[32588]: Socket Buffers: R=[131072->131072] S=[131072->131072]
ovpn-server[32588]: TCPv4_SERVER link local: [undef]
ovpn-server[32588]: TCPv4_SERVER link remote: [AF_INET]1.2.3.4:56957
ovpn-server[32588]: 1.2.3.4:56957 TLS: Initial packet from [AF_INET]1.2.3.4:56957, sid=4a3469f7 2aec77f8
ovpn-server[32588]: 1.2.3.4:56957 Authenticate/Decrypt packet error: packet HMAC authentication failed
ovpn-server[32588]: 1.2.3.4:56957 TLS Error: incoming packet authentication failed from [AF_INET]1.2.3.4:56957
ovpn-server[32588]: 1.2.3.4:56957 Fatal TLS error (check_tls_errors_co), restarting
ovpn-server[32588]: 1.2.3.4:56957 SIGUSR1[soft,tls-error] received, client-instance restarting
ovpn-server[32588]: TCP/UDP: Closing socket


Server is Ubuntu 10.04.4 LTS
Openvpn server is OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
The client in the Win7 is the latest bundle from the site

I've verified that the ta.key is the same in all three locations
Any help will be appreciated

Regards
Jofre


Offline
 Profile  
 
 Post subject: Re: tls-auth HMAC signature not working with Win7
Posted: Mon Apr 16, 2012 10:27 am
Forum Team

Joined: Fri Aug 20, 2010 2:57 pm
Posts: 2702
Location: Amsterdam
all I can say is: works for me on win7 64 bit...

can you increase the verbosity on both client and server to 'verb 4' and reconnect; check the log files on both sides to see where it is failing.


Offline
 Profile  
 
 Post subject: Re: tls-auth HMAC signature not working with Win7
Posted: Mon Apr 16, 2012 3:55 pm
OpenVPN User

Joined: Sun Apr 15, 2012 6:01 pm
Posts: 10
Hi,
I did but could find out the root of the problem

##Server log ##
ovpn-server[3098]: MULTI: multi_create_instance called
ovpn-server[3098]: Re-using SSL/TLS context
ovpn-server[3098]: LZO compression initialized
ovpn-server[3098]: Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
ovpn-server[3098]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
ovpn-server[3098]: Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
ovpn-server[3098]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
ovpn-server[3098]: Local Options hash (VER=V4): 'bd577cd1'
ovpn-server[3098]: Expected Remote Options hash (VER=V4): 'ee93268d'
ovpn-server[3098]: TCP connection established with [AF_INET]1.2.3.4:53248
ovpn-server[3098]: Socket Buffers: R=[131072->131072] S=[131072->131072]
ovpn-server[3098]: TCPv4_SERVER link local: [undef]
ovpn-server[3098]: TCPv4_SERVER link remote: [AF_INET]1.2.3.4:53248
ovpn-server[3098]: 1.2.3.4:53248 TLS: Initial packet from [AF_INET]1.2.3.4:53248, sid=b038a437 8d5be866
ovpn-server[3098]: 1.2.3.4:53248 Authenticate/Decrypt packet error: packet HMAC authentication failed
ovpn-server[3098]: 1.2.3.4:53248 TLS Error: incoming packet authentication failed from [AF_INET]1.2.3.4:53248
ovpn-server[3098]: 1.2.3.4:53248 Fatal TLS error (check_tls_errors_co), restarting
ovpn-server[3098]: 1.2.3.4:53248 SIGUSR1[soft,tls-error] received, client-instance restarting
ovpn-server[3098]: TCP/UDP: Closing socket


## Client log ##
(I added what seems useful)

Mon Apr 16 17:43:36 2012 us=618000 NOTE: OpenVPNAS 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Apr 16 17:43:36 2012 us=883000 Control Channel Authentication: tls-auth using INLINE static key file
Mon Apr 16 17:43:36 2012 us=883000 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 16 17:43:36 2012 us=883000 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 16 17:43:36 2012 us=883000 LZO compression initialized
Mon Apr 16 17:43:36 2012 us=883000 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
Mon Apr 16 17:43:36 2012 us=883000 Socket Buffers: R=[8192->8192] S=[64512->64512]
Mon Apr 16 17:43:36 2012 us=883000 MANAGEMENT: >STATE:1334591016,RESOLVE,,,
Mon Apr 16 17:43:37 2012 us=179000 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Apr 16 17:43:37 2012 us=179000 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Mon Apr 16 17:43:37 2012 us=179000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Mon Apr 16 17:43:37 2012 us=179000 Local Options hash (VER=V4): '863ad621'
Mon Apr 16 17:43:37 2012 us=179000 Expected Remote Options hash (VER=V4): '64e96fc1'
Mon Apr 16 17:43:37 2012 us=179000 Attempting to establish TCP connection with 11.22.33.44:443
Mon Apr 16 17:43:37 2012 us=179000 MANAGEMENT: >STATE:1334591017,TCP_CONNECT,,,
Mon Apr 16 17:43:37 2012 us=273000 TCP connection established with 11.22.33.44:443
Mon Apr 16 17:43:37 2012 us=273000 TCPv4_CLIENT link local: [undef]
Mon Apr 16 17:43:37 2012 us=273000 TCPv4_CLIENT link remote: 11.22.33.44:443
Mon Apr 16 17:43:37 2012 us=273000 MANAGEMENT: >STATE:1334591017,WAIT,,,
Mon Apr 16 17:43:37 2012 us=382000 Connection reset, restarting [0]
Mon Apr 16 17:43:37 2012 us=382000 TCP/UDP: Closing socket
Mon Apr 16 17:43:37 2012 us=382000 SIGUSR1[soft,connection-reset] received, process restarting
Mon Apr 16 17:43:37 2012 us=382000 MANAGEMENT: >STATE:1334591017,RECONNECTING,connection-reset,,
Mon Apr 16 17:43:37 2012 us=382000 Restart pause, 5 second(s)


Offline
 Profile  
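
Added example, not part of the original posts and not OpenVPN project code: the verb 4 logs above print each side's Local and Expected Remote options strings, and this script diffs them token by token. On the lines copied from this thread the only difference it reports is `keydir`: the server uses `keydir 0` and expects `keydir 1`, while the client's strings carry no `keydir` at all. Function names are illustrative.

```python
import re

# Options String lines copied from the verb 4 server and client logs in this thread.
SERVER_LOG = (
    "ovpn-server[3098]: Local Options String: 'V4,dev-type tun,link-mtu 1544,"
    "tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,"
    "keysize 128,tls-auth,key-method 2,tls-server'\n"
    "ovpn-server[3098]: Expected Remote Options String: 'V4,dev-type tun,"
    "link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,"
    "auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'\n"
)
CLIENT_LOG = (
    "Mon Apr 16 17:43:37 2012 us=179000 Local Options String: 'V4,dev-type tun,"
    "link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,"
    "keysize 128,tls-auth,key-method 2,tls-client'\n"
    "Mon Apr 16 17:43:37 2012 us=179000 Expected Remote Options String: 'V4,"
    "dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,"
    "cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'\n"
)

OPT_RE = re.compile(r"(Local|Expected Remote) Options String: '([^']*)'")

def parse_options(log_text):
    """Map 'Local' / 'Expected Remote' to {option name: value} from a verb 4 log."""
    found = {}
    for kind, raw in OPT_RE.findall(log_text):
        # "keydir 1" -> ("keydir", "1"); bare flags such as "tls-auth" get value "".
        found[kind] = dict(tok.partition(" ")[::2] for tok in raw.split(","))
    missing = {"Local", "Expected Remote"} - set(found)
    if missing:
        raise ValueError("no Options String for %s (log needs verb 4)" % sorted(missing))
    return found

def diff_options(expected, actual):
    """Return (option, expected, actual) for each mismatch; None means absent."""
    names = sorted(set(expected) | set(actual))
    return [(n, expected.get(n), actual.get(n))
            for n in names if expected.get(n) != actual.get(n)]

def compare_peers(server_log, client_log):
    """Check each side's expectation against what the other side really uses."""
    srv, cli = parse_options(server_log), parse_options(client_log)
    return {
        "server expects / client has": diff_options(srv["Expected Remote"], cli["Local"]),
        "client expects / server has": diff_options(cli["Expected Remote"], srv["Local"]),
    }

if __name__ == "__main__":
    for label, diffs in compare_peers(SERVER_LOG, CLIENT_LOG).items():
        print(label, diffs)
```

A log captured at verb 3, like the first server log in this thread, contains only the options hashes, so `parse_options` raises on it rather than reporting a false match.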
 
 Post subject: Re: tls-auth HMAC signature not working with Win7
Posted: Tue Apr 17, 2012 1:11 pm
Forum Team

Joined: Fri Aug 20, 2010 2:57 pm
Posts: 2702
Location: Amsterdam
you're using the commercial version of openvpn for your client (openvpn AS); try it with the open source version:
http://openvpn.net/index.php/open-source/downloads.html

grab v2.2.2, uninstall the old client and reinstall the open source one.


Offline
 Profile  
 
 Post subject: Re: tls-auth HMAC signature not working with Win7
Posted: Tue Apr 17, 2012 4:33 pm
OpenVPN User

Joined: Sun Apr 15, 2012 6:01 pm
Posts: 10
Thanks JJK that was the solution!
The only drawback is that the client is not able to resolve DNS properly, but as I use a fixed IP that is not an issue.
I'll buy the book in return for having helped me
Regards
Jofre


Offline
 Profile  
 
 Post subject: Re: tls-auth HMAC signature not working with Win7
Posted: Tue Apr 17, 2012 10:07 pm
Forum Team

Joined: Fri Aug 20, 2010 2:57 pm
Posts: 2702
Location: Amsterdam
nice to hear that.
you should be able to get DNS resolution working by adding
Code:
push "dhcp-option DNS x.x.x.x"

to the server config and by adding
Code:
register-dns

to the client config file.


Offline
 Profile  
 