Inline tls-auth

davide.belloni
OpenVpn Newbie
Posts: 9
Joined: Wed Feb 15, 2012 4:09 pm

Inline tls-auth

Post by davide.belloni » Mon Jan 21, 2013 10:14 am

Hi,
I'm trying to connect my android to an openvpn server using inline tls-auth file.
The client configuration is the following one:

client
dev tun
proto tcp
remote X.X.X.X 443
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
cipher AES-256-CBC
auth-user-pass
auth-retry interact
auth-nocache
reneg-bytes 549755813888
reneg-pkts 536870912
reneg-sec 28800
connect-retry-max 3
route-nopull
ca ca2.crt
cert sslcert.pem
key sslkey.pem
tls-auth [inline]
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
With this configuration an OpenVPN 2.2.1 client can connect to the server, but with the new Android "OpenVPN Connect" it's not possible.
The profile and certificate files are in /sdcard/OpenVPN, and when I import the profile the client returns: "Error reading file referenced by profile: [inline] : cannot open: /sdcard/OpenVPN/[inline]"

Can someone help me?

P.S.: which version of OpenVPN is used in the new Android "OpenVPN Connect"?

jamesyonan
OpenVPN Inc.
Posts: 169
Joined: Thu Jan 24, 2013 12:13 am

Re: Inline tls-auth

Post by jamesyonan » Thu Jan 24, 2013 1:52 am

Remove this line:
tls-auth [inline]
Then you also might need to add a key-direction directive, such as:

key-direction 1

davide.belloni
OpenVpn Newbie
Posts: 9
Joined: Wed Feb 15, 2012 4:09 pm

Re: Inline tls-auth

Post by davide.belloni » Thu Jan 24, 2013 7:42 am

Hi jamesyonan,
thanks for the reply.
With the specified configuration the profile can be imported in OpenVPN Connect for Android without errors, but the tls-auth key isn't sent (I think) by the client.

In the server log I have:

openvpn[1973]: X.X.X.X:34005 Authenticate/Decrypt packet error: packet HMAC authentication failed
openvpn[1973]: X.X.X.X:34005 TLS Error: incoming packet authentication failed from X.X.X.X:34005
openvpn[1973]: X.X.X.X:34005 Fatal TLS error (check_tls_errors_co), restarting
In the server configuration I have:

tls-auth <path_ta.key> 0

davide.belloni
OpenVpn Newbie
Posts: 9
Joined: Wed Feb 15, 2012 4:09 pm

Re: Inline tls-auth

Post by davide.belloni » Fri Jan 25, 2013 6:56 am

Hi to everyone,
I've seen that this post has been moved from Android to iOS, but this issue is present in both the Android and iOS software versions!

davide.belloni
OpenVpn Newbie
Posts: 9
Joined: Wed Feb 15, 2012 4:09 pm

Re: Inline tls-auth

Post by davide.belloni » Fri Jan 25, 2013 8:00 am

Hi,
now I've restarted the server (instead of reloading it) and it works!
But the old clients without key-direction don't connect anymore, so I have to revert the configuration.

How can I permit connections both from clients without key-direction and from the phone client with it?

Thanks!

wvd
OpenVpn Newbie
Posts: 2
Joined: Fri Jan 25, 2013 10:11 am

Re: Inline tls-auth

Post by wvd » Fri Jan 25, 2013 10:15 am

Hi, I started to see the same issue: HMAC authentication seems to fail since the upgrade to the latest OpenVPN Connect client (1.1.8) for Android in combination with v2.2.2 on the server side. As soon as I disable tls-auth on the client and server, it works again...

Jan 25 08:34:38 localhost openvpn[13037]: TLS Error: incoming packet authentication failed from x.x.x.x:xxxx
Jan 25 08:34:40 localhost openvpn[13037]: Authenticate/Decrypt packet error: packet HMAC authentication failed

davide.belloni
OpenVpn Newbie
Posts: 9
Joined: Wed Feb 15, 2012 4:09 pm

Re: Inline tls-auth

Post by davide.belloni » Fri Jan 25, 2013 1:03 pm

Hi,
my problem now is the inclusion of tls-auth in an OpenVPN Connect profile with a bidirectional key direction.
I think that is something not implemented or not documented.

Thanks

jamesyonan
OpenVPN Inc.
Posts: 169
Joined: Thu Jan 24, 2013 12:13 am

Re: Inline tls-auth

Post by jamesyonan » Sat Jan 26, 2013 3:53 pm

The recommended tls-auth usage is to use "key-direction 0" on the server and "key-direction 1" on the client because that uses different tls-auth keys for the client -> server direction and server -> client direction (somewhat more secure), and it also works on all versions of OpenVPN.

If the server is using tls-auth without the key-direction parameter, such as "tls-auth ta.key", it's a bit more problematic because then client-side unified profiles would need to have "key-direction bidirectional", however this directive will only be available on 1.0.1 (iOS) and 1.1.9 (Android), and is not currently implemented on the OpenVPN 2.x branch.
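To illustrate the key-direction pairing described in the post above, here is an added example (not from this thread and not OpenVPN's own code) that parses a constructed static key block in the format shown in the first post and checks which server/client key-direction pairs agree on the tls-auth HMAC keys in both directions. The slot layout (cipher0, hmac0, cipher1, hmac1) and the use of the first digest-length bytes of a slot as the HMAC key are assumptions about OpenVPN's static key file.

```python
import hashlib, hmac, re

# Constructed 2048-bit (256-byte) static key in the same text format as the
# <tls-auth> block in the profile above; built here for the example, not a real key.
_raw = b"".join(hashlib.sha256(b"constructed slot %d" % i).digest() for i in range(8))
CONSTRUCTED_KEY_TEXT = (
    "#\n# 2048 bit OpenVPN static key\n#\n"
    "-----BEGIN OpenVPN Static key V1-----\n"
    + "\n".join(_raw.hex()[i:i + 32] for i in range(0, 512, 32)) + "\n"
    "-----END OpenVPN Static key V1-----\n"
)

def parse_static_key(text):
    """Return the 256 key bytes from an 'OpenVPN Static key V1' block."""
    m = re.search(r"-----BEGIN OpenVPN Static key V1-----(.*?)"
                  r"-----END OpenVPN Static key V1-----", text, re.S)
    if not m:
        raise ValueError("no static key block found")
    key = bytes.fromhex("".join(m.group(1).split()))
    if len(key) != 256:
        raise ValueError("expected 256 key bytes, got %d" % len(key))
    return key

def direction_keys(key, key_direction):
    """Pick the (outgoing, incoming) HMAC slots for a key-direction value.

    Assumed file layout: cipher0 | hmac0 | cipher1 | hmac1, 64 bytes each.
    key-direction 0 sends with hmac0 and receives with hmac1, 1 is the
    inverse, and a missing key-direction (bidirectional) uses hmac0 both ways.
    """
    slots = (key[64:128], key[192:256])
    out_i, in_i = {0: (0, 1), 1: (1, 0), "bidirectional": (0, 0)}[key_direction]
    return slots[out_i], slots[in_i]

def tls_auth_tag(hmac_slot, packet, digest="sha1"):
    # Assumed: the HMAC is keyed with the first digest-length bytes of the slot.
    n = hashlib.new(digest).digest_size
    return hmac.new(hmac_slot[:n], packet, digest).digest()

def handshake_ok(key, server_dir, client_dir, packet=b"constructed control packet"):
    """True only if each side verifies the other's tag; a mismatch is what the
    'packet HMAC authentication failed' lines in the server log report."""
    s_out, s_in = direction_keys(key, server_dir)
    c_out, c_in = direction_keys(key, client_dir)
    c2s = hmac.compare_digest(tls_auth_tag(c_out, packet), tls_auth_tag(s_in, packet))
    s2c = hmac.compare_digest(tls_auth_tag(s_out, packet), tls_auth_tag(c_in, packet))
    return c2s and s2c

if __name__ == "__main__":
    k = parse_static_key(CONSTRUCTED_KEY_TEXT)
    for pair in [(0, 1), ("bidirectional", "bidirectional"), (0, "bidirectional"), ("bidirectional", 1)]:
        print("server", pair[0], "client", pair[1], "->", handshake_ok(k, *pair))
```

Only the server 0 / client 1 pairing and the bidirectional / bidirectional pairing verify; mixing a directional server with a client that has no key-direction fails, which is the combination the thread runs into.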

wvd
OpenVpn Newbie
Posts: 2
Joined: Fri Jan 25, 2013 10:11 am

Re: Inline tls-auth

Post by wvd » Sun Jan 27, 2013 3:48 pm

jamesyonan wrote:
The recommended tls-auth usage is to use "key-direction 0" on the server and "key-direction 1" on the client because that uses different tls-auth keys for the client -> server direction and server -> client direction (somewhat more secure), and it also works on all versions of OpenVPN.
Thx this resolved my issue with the Android client!

davide.belloni
OpenVpn Newbie
Posts: 9
Joined: Wed Feb 15, 2012 4:09 pm

Re: Inline tls-auth

Post by davide.belloni » Thu Jan 31, 2013 10:51 am

jamesyonan wrote:
If the server is using tls-auth without the key-direction parameter, such as "tls-auth ta.key", it's a bit more problematic because then client-side unified profiles would need to have "key-direction bidirectional", however this directive will only be available on 1.0.1 (iOS) and 1.1.9 (Android), and is not currently implemented on the OpenVPN 2.x branch.
Hi,
thanks for the reply.
Is there any possibility that the directive will be implemented on the OpenVPN 2.x branch in the near future?

fmarzocca
OpenVpn Newbie
Posts: 4
Joined: Sat Feb 23, 2013 1:11 pm

Re: Inline tls-auth

Post by fmarzocca » Sat Feb 23, 2013 2:23 pm

Hi,

I had a similar problem but I have fixed the connection by adding "key-direction 1" in the client.

Now I have no connection errors, and the log is fine, but still the browser won't find the server... It looks like a DNS problem?

(using iOS v. 1.0 build 47)

Thanks

Fabio
