IPad iOS 9.2 HMAC firewall does not work

Post by Kulturmensch » Tue Feb 23, 2016 6:18 pm

OpenVPN is installed on my root server (Ubuntu 14.4.3) and clients (Windows 10). I am using an HMAC firewall with an entry in the server/clients as follows:

# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
# Generate with:
# openvpn --genkey --secret ta.key
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret

Today I tried to connect IPad and IPhone to the root server, too. I first got connection errors. But when I modified the server and IPad config files to connect without HMAC (i.e. without the line tls-auth ta.key 0), everything worked fine.

Is it possible to also use HMAC on IPhone and IPad?

Post by Pippin » Tue Feb 23, 2016 6:34 pm

On the client it should be:

tls-auth ta.key 1

And on the server:

tls-auth ta.key 0

For iOS it's advised to use inline:
https://community.openvpn.net/openvpn/w ... nPage#lbAV

<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----
</key>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>

key-direction 1

Post by Kulturmensch » Tue Feb 23, 2016 6:56 pm

Thank you for the quick reply!

Would the whole XXX.ovpn file for an IPhone then look like this for instance:

client
proto udp
dev tun0
remote XXX 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert XXX.crt
key XXX.key
--tls-auth ta.key 1
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1


with the right content replacing the placeholders ----Begin ... End?

Post by Kulturmensch » Tue Feb 23, 2016 8:05 pm

I found this example https://community.openvpn.net/openvpn/wiki/IOSinline
Everything works now! Thank you for your help! :) :) :)

Post by Pippin » Tue Feb 23, 2016 8:08 pm

Trial and error, time and a lot of reading........ :)

When using inline files you can remove the paths to the files.
It would look something like this:

tls-client
proto udp
dev tun0
remote XXX 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3

<ca>
-----BEGIN CERTIFICATE-----
MIIDgIBATANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJOTDEM
MAoGQwwCgYDVQQKEwNNTUQxDTALBgNVBAsTBE9WUE4xCzAJBgNV
BAMToZIhvcNAQkBFhRkcmVldGplaEBob3RtYWlsLmNvbTAeFw0x
NTA5w0yNTA5MjMwOTAyMDBaMGoxCzAJBgNVBAYTAk5MMQwwCgYD
....
....
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
MIIDqDCCApCgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBqMQswCQ
MAoGA1UECBMDR0xEMQwwCgYDVQQKEwNNTUQxDTALBgNVBAsTBE
YJKoZIhvcNAQkBFhRkcmVldGplaEBob3RtYWlsLmNvbTAeFw0x
BaFw0yMDA5MjMwOTEwMDBaMHIxCzAJBgNVBAYTAk5MMQwwCgYD
....
....
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAuXl0CxfXI6F0Q/SesInid8mcSzZY71pTQKcZH59
ayfAwoMPxZmwcIbiM5yugFmXXyK4LLY0C/AD7UXuHBzzWTWfJ3fxsf+
lX4F79l85pXbrjoyQMoimYqIrjYAkq0+GCP2Xols0HrUS5EAv6t9Bsp
gRh54Y0F7bxa7mKQTcrphJ4hw9hUUPbXDI6OgYRni+du30WaixjucnK
....
....
-----END RSA PRIVATE KEY-----
</key>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
4c3479ec7a96abd2deb9a7615
2d3412f0234fde07da2bf7459
47ded1c65008f4144398279df
3b04099ca055198ea70bf26f8
....
....
-----END OpenVPN Static key V1-----
</tls-auth>

key-direction 1

You can open every file in a text editor and copy the contents to the client config as shown above.

***
Note that
client
is replaced with
tls-client
And server config should have
tls-server
***
Also note that
key-direction 1
and
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
4c3479ec7a96abd2deb9a7615
2d3412f0234fde07da2bf7459
47ded1c65008f4144398279df
3b04099ca055198ea70bf26f8
....
....
-----END OpenVPN Static key V1-----
</tls-auth>
replaces
tls-auth ta.key 1
*****
Edit:
I see you found the solution by yourself, good 8-)

Post by Kulturmensch » Thu Feb 25, 2016 8:44 pm

Thank you for your example!
I have just optimized my client.conf
Unfortunately the replacement of client with tls-client does not work. I have already modified the server conf with tls-server, too.
Do you have any idea?

By the way, the usage of just client works together with tls-server used on the server side.

Post by Kulturmensch » Thu Feb 25, 2016 9:16 pm

Using tls-client instead of just client leads to the log entry (Windows 10, Desktop-PC):

Options error: On Windows, --ifconfig is required when --dev tun is used
Use --help for more information.

and nothing happens.

Post by Pippin » Sat Feb 27, 2016 10:57 am

Please see here:
topic21084.html
Traffic wrote:
Kulturmensch wrote:I just learned that client should be replaced by tls-client
Thanks to Pippin
--client should not be replaced by --tls-client

--client expands to --tls-client & --pull

--tls-client does not expand and so you lose --pull
You can use both together:

tls-client
pull

or only

client

which includes both.
Pippin wrote:a lot of reading........ :)
Which I obviously did not do :mrgreen:
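
The conversion this thread arrives at, as an added example that is not part of the original posts or of OpenVPN's own tooling: a Python helper that turns file-based ca/cert/key/tls-auth directives into inline blocks with key-direction, and flags tls-client used without pull. The function names and the placeholder file contents are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

INLINE = {"ca", "cert", "key", "tls-auth"}  # file directives to embed

def inline_profile(text: str, base_dir: str) -> str:
    """Return a unified profile: file directives become <tag> blocks."""
    out, blocks = [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts:
            parts[0] = parts[0].lstrip("-")  # accept the "--tls-auth" spelling
        if len(parts) >= 2 and parts[0] in INLINE:
            body = Path(base_dir, parts[1]).read_text().strip()
            blocks.append(f"<{parts[0]}>\n{body}\n</{parts[0]}>")
            if parts[0] == "tls-auth" and len(parts) >= 3:
                # the direction argument moves to its own directive
                blocks.append(f"key-direction {parts[2]}")
        else:
            out.append(raw)  # every other line is kept unchanged
    return "\n".join(out + blocks) + "\n"

def check_profile(text: str) -> list:
    """Flag the two mistakes discussed in the thread."""
    words = [line.split("#", 1)[0].split() for line in text.splitlines()]
    names = {w[0].lstrip("-") for w in words if w}
    issues = []
    if "tls-client" in names and not {"client", "pull"} & names:
        issues.append("tls-client without pull: pushed options are not applied")
    if "<tls-auth>" in names and "key-direction" not in names:
        issues.append("inline <tls-auth> without key-direction")
    return issues

def demo() -> str:
    """Convert a sample profile using constructed placeholder key files."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("ca.crt", "XXX.crt", "XXX.key", "ta.key"):
            Path(d, name).write_text(f"(constructed placeholder for {name})\n")
        profile = ("client\nproto udp\nremote XXX 1194\n"
                   "ca ca.crt\ncert XXX.crt\nkey XXX.key\ntls-auth ta.key 1\n")
        return inline_profile(profile, d)

if __name__ == "__main__":
    print(demo())
```
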

Post by Kulturmensch » Sat Feb 27, 2016 7:03 pm

I fully agree :D I have read a lot up to now and - obviously - I am not yet through :roll: (What about comp-LZ4 i.e.)
But the current result is already great and I feel more safe getting access to public WiFis!
However, thanks for the clarification :D
