OpenVPN on Raspberry - cannot locate HMAC in incoming packet

Post by matrois » Mon Mar 27, 2017 5:08 pm

Hi Forum.
This is my first post. After reading I want to thank you for all the useful information.
Now I have to start writing, perhaps you can help me out. ;-)

My setup is the following:

- Router(fritzbox) with Portforwarding 1192 (udp), 443 (tcp+udp), 80 (tcp+udp) and 943 (udp) to my Raspberry
- Raspberry PI with "DietPI" and installed openvpn, version ... (http://dietpi.com/phpbb/viewtopic.php?f=8&t=5&p=623)
- trying to connect with the latest installer version for windows (https://openvpn.net/index.php/open-sour ... loads.html)

Serverconfig:

Code:

port 1192
proto udp
dev tun

ca ca.crt
cert DietPi_OpenVPN_Server.crt
key DietPi_OpenVPN_Server.key
dh dh1024.pem

server 10.8.0.0 255.255.255.0

client-to-client
keepalive 10 60
comp-lzo
max-clients 10

user nobody
group nogroup

persist-key
persist-tun
verb 3

#Web Forwarding (uncomment to enable)
#push "redirect-gateway"
#push "dhcp-option DNS 10.8.0.1"

Clientconfig:

Code:

client
dev tun
proto udp
remote m.y.i.p 1192
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server name
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 1
<ca>
-----BEGIN CERTIFICATE-----
[certificate]
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
[certificate]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
[private key]
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
[static key]
-----END OpenVPN Static key V1-----
</tls-auth>

Connections with the automatic vpnconfig (see above) result in this error:
TLS Error: cannot locate HMAC in incoming packet

After some research I found that the TLS pre-shared key is missing on the server side. So I created a PSK with

Code:

openvpn --genkey --secret ta.key

and added

Code:

tls-auth /etc/openvpn/easy-rsa2/keys/ta.key 1

to the server config. Into the client config I added the same PSK (between </tls-auth>).
Some other additions to my server config are:

Code:

auth SHA512 #same in clientconfig
cipher AES-256-CBC
remote-cert-tls client
tls-version-min 1.2
tls-cipher TLS-RSA-WITH-AES-128-CBC-SHA

But nothing solves my problem. The next connection ends in the following log entry (verb 5):
Mon Mar 27 19:04:33 2017 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Mar 27 19:04:33 2017 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Mar 27 19:04:33 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]m.y.i.p:1192
Mon Mar 27 19:04:33 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Mar 27 19:04:33 2017 UDP link local: (not bound)
Mon Mar 27 19:04:33 2017 UDP link remote: [AF_INET]m.y.i.p:1192
Mon Mar 27 19:04:33 2017 MANAGEMENT: >STATE:1490634273,WAIT,,,,,,

I have also tried with the standard port number 1194 and with tcp instead of udp (changed portforwarding, server and clientconfig). I get no usable connection.
Do you have a hint for me? Although the internet seems to explode with information about openvpn, I do not find a solution for my special problem. Thank you for every answer.

Re: OpenVPN on Raspberry

Post by TinCanTech » Mon Mar 27, 2017 6:14 pm


Re: OpenVPN on Raspberry - cannot locate HMAC in incoming packet

Post by matrois » Mon Mar 27, 2017 6:51 pm

Server: OpenVPN 2.3.4

Client: OpenVPN GUI 11.5.0.0

Re: OpenVPN on Raspberry - cannot locate HMAC in incoming packet

Post by TinCanTech » Tue Mar 28, 2017 1:24 am

matrois wrote: Server: OpenVPN 2.3.4

Badly out of date ..

matrois wrote: Client: OpenVPN GUI 11.5.0.0

And openvpn --version ?

matrois wrote: TLS Error: cannot locate HMAC in incoming packet

matrois wrote: and added

Code:
tls-auth /etc/openvpn/easy-rsa2/keys/ta.key 1

to the server config

See --tls-auth in The Manual v24x

Re: OpenVPN on Raspberry - cannot locate HMAC in incoming packet

Post by matrois » Tue Mar 28, 2017 7:48 pm

I used OpenVPN before on my Fritzbox with Freetz in version 2.3.2 (see http://freetz.org/wiki/packages/openvpn). I do not want to use that setup anymore because I do not want to "freetz" my Fritzbox again.

Now I want to use my Raspberry with DietPI for OpenVPN. DietPI is based on Raspbian (which is based on Debian Jessie) and the latest version of OpenVPN Server in the stable package repository is 2.3.4-5+deb8u1
(see here: http://archive.raspbian.org/raspbian/di ... f/Packages)

I do not know a way to get a newer version of OpenVPN Server.
Could the version of OpenVPN Server possibly be the reason for my problem?

Thank you for the advice about "tls-auth". I tried it with

Server:

Code:

tls-auth /etc/openvpn/easy-rsa2/keys/ta.key 0

If I understand the "tls-auth" and "secret" sections of the posted link correctly, I think I need to change the client config, too?

Client:

Code:

key-direction 0

Now I have tried all possible combinations of key-directions and I do not get a connection. I even tried "tls-crypt" instead of "tls-auth" because there is no key direction necessary. For me it would be quite enough to have one very simple example which works and on which I could build. Unfortunately all the supposedly simple examples do not work on my setup.

My biggest problem to solve is where to get a hint to the error. The client log ends with
Tue Mar 28 21:41:17 2017 MANAGEMENT: >STATE:1490730077,WAIT,,,,,,
and no error.

In the server log (/var/log/openvpn.log) I do not find any recent entries. There are only some older entries which I could not assign to a special config version. I wonder why there are no log entries even if I switch to

Code:

verb 5

in the server config.

Re: OpenVPN on Raspberry - cannot locate HMAC in incoming packet

Post by TinCanTech » Tue Mar 28, 2017 11:47 pm

matrois wrote: I do not know a way to get a newer version of OpenVPN Server.

This may be of use:
https://community.openvpn.net/openvpn/w ... twareRepos

matrois wrote: I even tried "tls-crypt" instead of "tls-auth" because there is no key direction necessary.

You can not use --tls-crypt because that is only available in version 2.4

matrois wrote: Now I have tried all possible combinations of key-directions and I do not get a connection.

There is only one combination that you need .. zero 0 on the server and one 1 on the client ..

Try disabling --tls-auth until you get your connection to work.
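
Added example, not part of the original thread and not OpenVPN project code: a small Python check that compares a server and a client config for the mismatches discussed above, namely tls-auth enabled on one side only, key directions that are not complementary, and differing `auth`, `cipher` or `proto`. The sample configs are reduced from matrois's posts, the function names are hypothetical, and the defaults table assumes OpenVPN 2.3.x behaviour when a directive is absent.

```python
import re

# Assumption: OpenVPN 2.3.x built-in values used when a directive is absent.
DEFAULTS = {"auth": "SHA1", "cipher": "BF-CBC", "proto": "udp"}

def parse(text):
    """Map directive -> args; an inline <tls-auth> block counts as tls-auth."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        tag = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if tag:
            inline = None if tag.group(1) else tag.group(2)
            opts.setdefault(tag.group(2), ["[inline]"])
        elif line and not inline and not line.startswith(";"):
            name, *args = line.split()
            opts[name] = args
    return opts

def direction(opts):
    """None when tls-auth is off, else '0', '1' or 'both' (no direction given)."""
    if "tls-auth" not in opts:
        return None
    args = opts["tls-auth"]
    return args[1] if len(args) > 1 else opts.get("key-direction", ["both"])[0]

def compare(server_text, client_text):
    """Return the mismatches that make the peers reject each other's packets."""
    s, c = parse(server_text), parse(client_text)
    sd, cd = direction(s), direction(c)
    problems = []
    if (sd is None) != (cd is None):
        problems.append("tls-auth on one side only")
    elif sd is not None and {sd, cd} not in ({"0", "1"}, {"both"}):
        problems.append(f"key-direction server={sd} client={cd}")
    for key, default in DEFAULTS.items():
        sv, cv = s.get(key, [default])[0], c.get(key, [default])[0]
        if sv.upper() != cv.upper():
            problems.append(f"{key} server={sv} client={cv}")
    return problems

# Constructed inputs: the thread's first server/client pair, reduced to the relevant lines.
SERVER_V1 = "port 1192\nproto udp\ndev tun\ncomp-lzo\n"
CLIENT_V1 = ("proto udp\nkey-direction 1\ncipher AES-256-CBC\nauth SHA256\n"
             "<tls-auth>\n#\n[static key]\n</tls-auth>\n")
# The second attempt: tls-auth added to the server with direction 1.
SERVER_V2 = ("proto udp\nauth SHA512\ncipher AES-256-CBC\n"
             "tls-auth /etc/openvpn/easy-rsa2/keys/ta.key 1\n")
CLIENT_V2 = CLIENT_V1.replace("SHA256", "SHA512")

if __name__ == "__main__":
    for label, srv, cli in (("v1", SERVER_V1, CLIENT_V1), ("v2", SERVER_V2, CLIENT_V2)):
        print(label, compare(srv, cli))
```

Running it on the first pair reports the one-sided tls-auth plus the digest and cipher differences; on the second pair only the key-direction clash remains.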

Re: OpenVPN on Raspberry - cannot locate HMAC in incoming packet

Post by matrois » Wed Mar 29, 2017 5:42 pm

I have realized that I started with too complicated a config. Now I have broken it down to the simplest config I could find (https://openvpn.net/index.php/open-sour ... howto.html)

Server:

Code:

dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key

Client:

Code:

remote myremote.mydomain
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key

With that config I get a connection. The next steps are to include some security, tls etc. Based on a working config it is only trial and error to get it to a complex configuration...

Perhaps I will be back later with some special questions ;-)

Re: OpenVPN on Raspberry - cannot locate HMAC in incoming packet

Post by Pippin » Wed Mar 29, 2017 10:46 pm

Yup, that's the way to go.
