INLINE client file: not connecting to server

fperloff
OpenVpn Newbie
Posts: 5
Joined: Sun Jul 23, 2017 1:45 am

INLINE client file: not connecting to server

Post by fperloff » Sun Jan 07, 2018 8:23 pm

Hi --
I have a working OpenVPN server with Windows and Android clients.
I want to develop an inline client config file for some Android and iOS clients. I took a working client config and pasted into it the ca.crt, client.cert, client.key and tls-auth.key. I received the error "Insufficient key material or header text not found in file '[[INLINE]]' (0/128/256 bytes found/min/max)"
I then copied out the ca.crt, client.crt, client.key and tls-auth.key to separate files and modified the client config file to refer to the files, rather than including them inline. I was able to connect the client to the server. So I'm quite confident that my key files are intact and correct.
Is there something wrong with my syntax in the inline .ovpn file?
Thanks!

SERVER
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh4096.pem
tls-auth /etc/openvpn/keys/ta.key 0
key-direction 0
cipher AES-128-CBC
auth SHA256
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4444
user nobody
group nogroup

INLINE client config
CLIENT
remote www.xxx.yyy.zzz 1194
comp-lzo
client
dev tun
redirect-gateway def1
remote-cert-tls server
key-direction 1
cipher AES-128-CBC
auth SHA256
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
verb 4
mute 20
<ca>
--STRIPPED INLINE CA CERT--
</ca>
<cert>
--STRIPPED INLINE CERT--
</cert>
<key>
--STRIPPED INLINE KEY--
</key>
<tls-auth>
--STRIPPED INLINE TLS-AUTH KEY--
</tls-auth>


Client log file (INLINE configuration):

Sun Jan 07 11:35:18 2018 us=428444 Current Parameter Settings:
Sun Jan 07 11:35:18 2018 us=428444   config = 'xxx-pixel.ovpn'
Sun Jan 07 11:35:18 2018 us=428444   mode = 0
Sun Jan 07 11:35:18 2018 us=428444   show_ciphers = DISABLED
Sun Jan 07 11:35:18 2018 us=428444   show_digests = DISABLED
Sun Jan 07 11:35:18 2018 us=428444   show_engines = DISABLED
Sun Jan 07 11:35:18 2018 us=428444   genkey = DISABLED
Sun Jan 07 11:35:18 2018 us=428444   key_pass_file = '[UNDEF]'
Sun Jan 07 11:35:18 2018 us=428444   show_tls_ciphers = DISABLED
Sun Jan 07 11:35:18 2018 us=428444   connect_retry_max = 0
Sun Jan 07 11:35:18 2018 us=428444 Connection profiles [0]:
Sun Jan 07 11:35:18 2018 us=428444   proto = udp
Sun Jan 07 11:35:18 2018 us=428444   local = '[UNDEF]'
Sun Jan 07 11:35:18 2018 us=428444   local_port = '[UNDEF]'
Sun Jan 07 11:35:18 2018 us=428444   remote = 'www.xxx.yyy.zzz'
Sun Jan 07 11:35:18 2018 us=428444   remote_port = '1194'
Sun Jan 07 11:35:18 2018 us=428444   remote_float = DISABLED
Sun Jan 07 11:35:18 2018 us=428444   bind_defined = DISABLED
Sun Jan 07 11:35:18 2018 us=428444   bind_local = DISABLED
Sun Jan 07 11:35:18 2018 us=428444   bind_ipv6_only = DISABLED
Sun Jan 07 11:35:18 2018 us=428444 NOTE: --mute triggered...
Sun Jan 07 11:35:18 2018 us=428444 272 variation(s) on previous 20 message(s) suppressed by --mute
Sun Jan 07 11:35:18 2018 us=428444 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Sun Jan 07 11:35:18 2018 us=428444 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Jan 07 11:35:18 2018 us=428444 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Enter Management Password:
Sun Jan 07 11:35:18 2018 us=429447 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Jan 07 11:35:18 2018 us=429447 Need hold release from management interface, waiting...
Sun Jan 07 11:35:18 2018 us=430449 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Jan 07 11:35:18 2018 us=533726 MANAGEMENT: CMD 'state on'
Sun Jan 07 11:35:18 2018 us=533726 MANAGEMENT: CMD 'log all on'
Sun Jan 07 11:35:18 2018 us=552777 MANAGEMENT: CMD 'echo all on'
Sun Jan 07 11:35:18 2018 us=553781 MANAGEMENT: CMD 'hold off'
Sun Jan 07 11:35:18 2018 us=555285 MANAGEMENT: CMD 'hold release'
Sun Jan 07 11:35:18 2018 us=617952 MANAGEMENT: Client disconnected
Sun Jan 07 11:35:18 2018 us=617952 Insufficient key material or header text not found in file '[[INLINE]]' (0/128/256 bytes found/min/max)
Sun Jan 07 11:35:18 2018 us=617952 Exiting due to fatal error

Client config where keys are in separate files (i.e. not INLINE)
CLIENT
ca keys/ca.crt
cert keys/pixel.crt
key keys/pixel.key
tls-auth keys/ta.key 1
remote www.xxx.yyy.zzz
comp-lzo
client
dev tun
redirect-gateway def1
remote-cert-tls server
cipher AES-128-CBC
auth SHA256
auth-nocache
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
verb 4
mute 20


Client log where keys are in separate files (i.e. not INLINE):

Sun Jan 07 12:08:48 2018 us=419084 Current Parameter Settings:
Sun Jan 07 12:08:48 2018 us=419084   config = 'xxx.ovpn'
Sun Jan 07 12:08:48 2018 us=419084   mode = 0
Sun Jan 07 12:08:48 2018 us=419084   show_ciphers = DISABLED
Sun Jan 07 12:08:48 2018 us=419084   show_digests = DISABLED
Sun Jan 07 12:08:48 2018 us=419084   show_engines = DISABLED
Sun Jan 07 12:08:48 2018 us=419084   genkey = DISABLED
Sun Jan 07 12:08:48 2018 us=419084   key_pass_file = '[UNDEF]'
Sun Jan 07 12:08:48 2018 us=419084   show_tls_ciphers = DISABLED
Sun Jan 07 12:08:48 2018 us=419084   connect_retry_max = 0
Sun Jan 07 12:08:48 2018 us=419084 Connection profiles [0]:
Sun Jan 07 12:08:48 2018 us=419084   proto = udp
Sun Jan 07 12:08:48 2018 us=419084   local = '[UNDEF]'
Sun Jan 07 12:08:48 2018 us=419084   local_port = '[UNDEF]'
Sun Jan 07 12:08:48 2018 us=419084   remote = 'www.xxx.yyy.zzz''
Sun Jan 07 12:08:48 2018 us=419084   remote_port = '1194'
Sun Jan 07 12:08:48 2018 us=419084   remote_float = DISABLED
Sun Jan 07 12:08:48 2018 us=419084   bind_defined = DISABLED
Sun Jan 07 12:08:48 2018 us=420087   bind_local = DISABLED
Sun Jan 07 12:08:48 2018 us=420087   bind_ipv6_only = DISABLED
Sun Jan 07 12:08:48 2018 us=420087 NOTE: --mute triggered...
Sun Jan 07 12:08:48 2018 us=420087 272 variation(s) on previous 20 message(s) suppressed by --mute
Sun Jan 07 12:08:48 2018 us=420087 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Sun Jan 07 12:08:48 2018 us=420087 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Jan 07 12:08:48 2018 us=420087 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Enter Management Password:
Sun Jan 07 12:08:48 2018 us=420087 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Sun Jan 07 12:08:48 2018 us=420087 Need hold release from management interface, waiting...
Sun Jan 07 12:08:48 2018 us=421090 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Sun Jan 07 12:08:48 2018 us=524367 MANAGEMENT: CMD 'state on'
Sun Jan 07 12:08:48 2018 us=524367 MANAGEMENT: CMD 'log all on'
Sun Jan 07 12:08:48 2018 us=546928 MANAGEMENT: CMD 'echo all on'
Sun Jan 07 12:08:48 2018 us=548933 MANAGEMENT: CMD 'hold off'
Sun Jan 07 12:08:48 2018 us=549936 MANAGEMENT: CMD 'hold release'
Sun Jan 07 12:08:48 2018 us=615612 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jan 07 12:08:48 2018 us=615612 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jan 07 12:08:48 2018 us=615612 LZO compression initializing
Sun Jan 07 12:08:48 2018 us=615612 Control Channel MTU parms [ L:1622 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Sun Jan 07 12:08:48 2018 us=615612 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sun Jan 07 12:08:48 2018 us=615612 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
Sun Jan 07 12:08:48 2018 us=615612 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-server'
Sun Jan 07 12:08:48 2018 us=615612 TCP/UDP: Preserving recently used remote address: [AF_INET]www.xxx.yyy.zzz:1194
Sun Jan 07 12:08:48 2018 us=615612 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Jan 07 12:08:48 2018 us=615612 UDP link local: (not bound)
Sun Jan 07 12:08:48 2018 us=615612 UDP link remote: [AF_INET]www.xxx.yyy.zzz:1194
Sun Jan 07 12:08:48 2018 us=615612 MANAGEMENT: >STATE:1515355728,WAIT,,,,,,
Sun Jan 07 12:08:48 2018 us=655719 MANAGEMENT: >STATE:1515355728,AUTH,,,,,,
Sun Jan 07 12:08:48 2018 us=655719 TLS: Initial packet from [AF_INET]www.xxx.yyy.zzz:1194, sid=b9ee9c5b 185d7d9f
Sun Jan 07 12:08:48 2018 us=742953 VERIFY OK: depth=1, C=US, ST=XX, ...
Sun Jan 07 12:08:48 2018 us=743456 VERIFY KU OK
Sun Jan 07 12:08:48 2018 us=743456 Validating certificate extended key usage
Sun Jan 07 12:08:48 2018 us=743456 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jan 07 12:08:48 2018 us=743456 VERIFY EKU OK
Sun Jan 07 12:08:48 2018 us=743456 VERIFY OK: depth=0, C=US, ST=XX, ...
Sun Jan 07 12:08:48 2018 us=931460 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sun Jan 07 12:08:48 2018 us=932463 [server] Peer Connection Initiated with [AF_INET]www.xxx.yyy.zzz:1194
Sun Jan 07 12:08:50 2018 us=69558 MANAGEMENT: >STATE:1515355730,GET_CONFIG,,,,,,
Sun Jan 07 12:08:50 2018 us=69558 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Jan 07 12:08:50 2018 us=106658 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.34 10.8.0.33'
Sun Jan 07 12:08:50 2018 us=106658 OPTIONS IMPORT: timers and/or timeouts modified
Sun Jan 07 12:08:50 2018 us=106658 OPTIONS IMPORT: --ifconfig/up options modified
Sun Jan 07 12:08:50 2018 us=106658 OPTIONS IMPORT: route options modified
Sun Jan 07 12:08:50 2018 us=106658 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jan 07 12:08:50 2018 us=106658 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:406 ET:0 EL:3 ]
Sun Jan 07 12:08:50 2018 us=106658 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Jan 07 12:08:50 2018 us=106658 Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jan 07 12:08:50 2018 us=106658 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Jan 07 12:08:50 2018 us=106658 Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jan 07 12:08:50 2018 us=106658 interactive service msg_channel=0
Sun Jan 07 12:08:50 2018 us=110669 ROUTE_GATEWAY 10.10.10.1/255.255.255.0 I=2 HWADDR=b0:6e:bf:84:7e:43
Sun Jan 07 12:08:50 2018 us=115681 open_tun
Sun Jan 07 12:08:50 2018 us=115681 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{499BAD2B-5964-4951-817A-724F82FD29B1}.tap
Sun Jan 07 12:08:50 2018 us=115681 TAP-Windows Driver Version 9.21 
Sun Jan 07 12:08:50 2018 us=115681 TAP-Windows MTU=1500
Sun Jan 07 12:08:50 2018 us=116684 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.34/255.255.255.252 on interface {499BAD2B-5964-4951-817A-724F82FD29B1} [DHCP-serv: 10.8.0.33, lease-time: 31536000]
Sun Jan 07 12:08:50 2018 us=116684 DHCP option string: 06080808 08080808 0404
Sun Jan 07 12:08:50 2018 us=116684 Successful ARP Flush on interface [8] {499BAD2B-5964-4951-817A-724F82FD29B1}
Sun Jan 07 12:08:50 2018 us=118689 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Jan 07 12:08:50 2018 us=118689 MANAGEMENT: >STATE:1515355730,ASSIGN_IP,,10.8.0.34,,,,
Sun Jan 07 12:08:55 2018 us=807177 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Sun Jan 07 12:08:55 2018 us=807177 C:\WINDOWS\system32\route.exe ADD www.xxx.yyy.zzz MASK 255.255.255.255 10.10.10.1
Sun Jan 07 12:08:55 2018 us=809181 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
Sun Jan 07 12:08:55 2018 us=809181 Route addition via IPAPI succeeded [adaptive]
Sun Jan 07 12:08:55 2018 us=809181 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.33
Sun Jan 07 12:08:55 2018 us=810183 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
Sun Jan 07 12:08:55 2018 us=810183 Route addition via IPAPI succeeded [adaptive]
Sun Jan 07 12:08:55 2018 us=810183 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.33
Sun Jan 07 12:08:55 2018 us=811186 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
Sun Jan 07 12:08:55 2018 us=811186 Route addition via IPAPI succeeded [adaptive]
Sun Jan 07 12:08:55 2018 us=811186 MANAGEMENT: >STATE:1515355735,ADD_ROUTES,,,,,,
Sun Jan 07 12:08:55 2018 us=811186 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.33
Sun Jan 07 12:08:55 2018 us=812189 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
Sun Jan 07 12:08:55 2018 us=812189 Route addition via IPAPI succeeded [adaptive]
Sun Jan 07 12:08:55 2018 us=812189 Initialization Sequence Completed
Sun Jan 07 12:08:55 2018 us=812189 MANAGEMENT: >STATE:1515355735,CONNECTED,SUCCESS,10.8.0.34,www.xxx.yyy.zzz,,
Last edited by Pippin on Sat May 02, 2020 11:03 am, edited 1 time in total.
Reason: Formatting

fperloff
OpenVpn Newbie
Posts: 5
Joined: Sun Jul 23, 2017 1:45 am

Re: INLINE client file: not connecting to server

Post by fperloff » Wed Jan 10, 2018 8:12 pm

So, what does '[[INLINE]]' refer to in the client log? Which key / header is insufficient? :?

Insufficient key material or header text not found in file '[[INLINE]]' (0/128/256 bytes found/min/max)

If I knew, I could fix the client config.

Thanks!

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: INLINE client file: not connecting to server

Post by TinCanTech » Wed Jan 10, 2018 9:40 pm

fperloff wrote (Wed Jan 10, 2018 8:12 pm):
what does '[[INLINE]]' refer to in the client log? Which key / header is insufficient? :?

That is a good question .. I have asked the devs for details.

However, the message says "in file '[[INLINE]]' (0/128/256 bytes found/min/max)" .. so it found 0 Zero data in the Inline section. I cannot say for sure but perhaps it is a copy/paste error ..

FYI: you also need --key-direction with inline --tls-auth
Last edited by TinCanTech on Wed Jan 10, 2018 9:45 pm, edited 1 time in total.
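
Added example (not code from this thread or from the OpenVPN project): a Python check that approximates how the key material in an inline <tls-auth> block is counted, so a profile can be tested before it is copied to a phone. The header and footer strings are those of an OpenVPN static key file; the function names, the line-based hex parsing and the sample profiles are assumptions made for this example.

```python
import re

HEAD = "-----BEGIN OpenVPN Static key V1-----"
FOOT = "-----END OpenVPN Static key V1-----"
MIN_BYTES, MAX_BYTES = 128, 256  # the "min/max" figures in the log message

def inline_block(config_text, tag):
    """Return the body of <tag>...</tag>, or None if the block is absent."""
    pattern = r"^<%s>[ \t]*\r?\n(.*?)^</%s>[ \t]*$" % (tag, tag)
    m = re.search(pattern, config_text, re.S | re.M)
    return m.group(1) if m else None

def static_key_bytes(body):
    """Count hex-encoded key bytes between the static key header and footer."""
    found, in_key = 0, False
    for raw in body.splitlines():
        line = raw.strip()
        if line == HEAD:
            in_key = True
        elif line == FOOT:
            break
        elif in_key and re.fullmatch(r"(?:[0-9a-fA-F]{2})+", line):
            found += len(line) // 2
    return found  # stays 0 when the header line is missing or altered

def check_tls_auth(config_text):
    """Return (ok, message) for the inline tls-auth section of a profile."""
    body = inline_block(config_text, "tls-auth")
    if body is None:
        return False, "no <tls-auth> block"
    found = static_key_bytes(body)
    if found < MIN_BYTES:
        return False, "%d/%d/%d bytes found/min/max" % (found, MIN_BYTES, MAX_BYTES)
    # An inline key cannot carry the 0/1 argument that "tls-auth ta.key 1" has.
    if not re.search(r"^\s*key-direction\s+[01]\s*$", config_text, re.M):
        return False, "inline tls-auth without key-direction"
    return True, "%d bytes of key material" % found

# Constructed sample data: a dummy 256-byte key, not a real secret.
SAMPLE_KEY = "\n".join([HEAD] + ["0123456789abcdef" * 2] * 16 + [FOOT])
GOOD = "client\nkey-direction 1\n<tls-auth>\n%s\n</tls-auth>\n" % SAMPLE_KEY
# The same profile with the header line lost during copy/paste.
BAD = GOOD.replace(HEAD + "\n", "")

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_tls_auth(text))
```

Run against a real profile with `check_tls_auth(open("client.ovpn").read())`; a result of 0 bytes found points at the header line or the hex body of the pasted key rather than at the certificates.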

fperloff
OpenVpn Newbie
Posts: 5
Joined: Sun Jul 23, 2017 1:45 am

Re: INLINE client file: not connecting to server

Post by fperloff » Wed Jan 10, 2018 9:43 pm

SOLVED
I regenerated the tls key on the server and copied it into the client config file. I can now connect using the INLINE ovpn file.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: INLINE client file: not connecting to server

Post by TinCanTech » Wed Jan 10, 2018 9:44 pm

Thanks for letting us know you solved it 8-)

AlanBardgett
OpenVpn Newbie
Posts: 1
Joined: Sat May 02, 2020 12:18 am

Re: INLINE client file: not connecting to server

Post by AlanBardgett » Sat May 02, 2020 12:19 am

@fperloff

Two years later and still saving people time! THANK YOU! Ran into the issue with pfsense 2.4.4_P3 generating the invalid TLS initially. Did the same "regenerate" (removed TLS requirement, enabled again, autogenerate, saved, worked!).
