[Solved] Problems connecting via tls-crypt to AirVPN

This forum is for general conversation and user-user networking.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Post Reply
gReg0r
OpenVpn Newbie
Posts: 4
Joined: Sat Jul 18, 2020 11:08 pm

[Solved] Problems connecting via tls-crypt to AirVPN

Post by gReg0r » Sat Jul 18, 2020 11:41 pm

Dear community,

First off, I'm unsure if I've posted this to the correct board. It seems to be for tutorials, but the other boards seemed even more out of place.

I am at a point where I don't know how to solve my issue at hand, so I'm hoping to find some guidance here :).

I am running a pfSense (2.4.5-p1) box that is routing all non-local traffic of a particular local subnet through an OpenVPN (provider AirVPN). While this setup works, I'm only able to connect via "tls-auth". According to the provider a connection with "tls-crypt" is supported, but I'm unable to establish such connection.
Since my knowledge on OpenVPN is marginal at best, I would like to hear your opinion on where I screwed myself:
Operating system:

Code: Select all

uname -a
FreeBSD anivia 11.3-STABLE FreeBSD 11.3-STABLE #243 abf8cba50ce(RELENG_2_4_5): Tue Jun  2 17:53:37 EDT 2020     root@buildbot1-nyi.netgate.com:/build/ce-crossbuild-245/obj/amd64/YNx4Qq3j/build/ce-crossbuild-245/sources/FreeBSD-src/sys/pfSense  amd64
OpenVPN version:

Code: Select all

# /root: openvpn --version
OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May  4 2020
library versions: OpenSSL 1.0.2u-freebsd  20 Dec 2019, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
Network setup:

Code: Select all

/root: ifconfig
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:25:90:bb:74:60
        hwaddr 00:25:90:bb:74:60
        inet6 fe80::225:90ff:febb:7460%igb0 prefixlen 64 scopeid 0x1
        inet 109.91.186.108 netmask 0xfffff800 broadcast 255.255.255.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:25:90:bb:74:61
        hwaddr 00:25:90:bb:74:61
        inet6 fe80::225:90ff:febb:7461%igb1 prefixlen 64 scopeid 0x2
        inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
        inet 172.23.97.1 netmask 0xffffffff broadcast 172.23.97.1
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:25:90:bb:74:62
        hwaddr 00:25:90:bb:74:62
        inet6 fe80::225:90ff:febb:7462%igb2 prefixlen 64 scopeid 0x3
        inet 10.0.30.1 netmask 0xffffff00 broadcast 10.0.30.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igb3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6500bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:25:90:bb:74:63
        hwaddr 00:25:90:bb:74:63
        inet6 fe80::225:90ff:febb:7463%igb3 prefixlen 64 scopeid 0x4
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
enc0: flags=0<> metric 0 mtu 1536
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: enc
pfsync0: flags=0<> metric 0 mtu 1500
        groups: pfsync
pflog0: flags=100<PROMISC> metric 0 mtu 33160
        groups: pflog
igb3.1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:25:90:bb:74:63
        inet6 fe80::225:90ff:febb:7463%igb3.1 prefixlen 64 scopeid 0x9
        inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 1 vlanpcp: 0 parent interface: igb3
        groups: vlan
igb3.20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:25:90:bb:74:63
        inet6 fe80::225:90ff:febb:7463%igb3.20 prefixlen 64 scopeid 0xa
        inet 10.0.20.1 netmask 0xffffff00 broadcast 10.0.20.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 20 vlanpcp: 0 parent interface: igb3
        groups: vlan
igb3.40: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:25:90:bb:74:63
        inet6 fe80::225:90ff:febb:7463%igb3.40 prefixlen 64 scopeid 0xb
        inet 10.0.40.1 netmask 0xffffff00 broadcast 10.0.40.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 40 vlanpcp: 0 parent interface: igb3
        groups: vlan
igb3.50: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:25:90:bb:74:63
        inet6 fe80::225:90ff:febb:7463%igb3.50 prefixlen 64 scopeid 0xc
        inet 10.0.50.1 netmask 0xffffff00 broadcast 10.0.50.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 50 vlanpcp: 0 parent interface: igb3
        groups: vlan
igb3.100: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:25:90:bb:74:63
        inet6 fe80::225:90ff:febb:7463%igb3.100 prefixlen 64 scopeid 0xd
        inet 10.0.100.1 netmask 0xffffff00 broadcast 10.0.100.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 100 vlanpcp: 0 parent interface: igb3
        groups: vlan
ovpnc1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: tun openvpn
OpenVPN client configuration:
client
# /root: cat /var/etc/openvpn/client1.conf
dev ovpnc1
verb 5
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 5 30
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local <Public-IP-Address-Removed>
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote X.X.X.X 443 udp4
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-crypt /var/etc/openvpn/client1.tls-crypt
ncp-ciphers AES-256-GCM
comp-lzo no
resolv-retry infinite
route-noexec
explicit-exit-notify 5
remote-cert-tls server
prng sha256 64
mlock
auth-nocache


Provider (AirVPN) configuration file:
client
# --------------------------------------------------------
# Air VPN | https://airvpn.org | Saturday 18th of July 2020 09:59:10 AM
# OpenVPN Client Configuration
# AirVPN_DE-Frankfurt_Menkalinan_UDP-443-Entry3
# --------------------------------------------------------

client
dev tun
remote X.X.X.X 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
route-delay 5
verb 3
explicit-exit-notify 5
ca "ca.crt"
cert "user.crt"
key "user.key"
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
tls-crypt "tls-crypt.key"
auth SHA512


The OpenVPN client logs (verbosity = 4) when trying to establish a connection:

Code: Select all

Jul 19 01:46:45 anivia openvpn[80075]: SIGTERM received, sending exit notification to peer
Jul 19 01:46:49 anivia openvpn[30575]: Current Parameter Settings:
Jul 19 01:46:49 anivia openvpn[30575]:   config = '/var/etc/openvpn/client1.conf'
Jul 19 01:46:49 anivia openvpn[30575]:   mode = 0
Jul 19 01:46:49 anivia openvpn[30575]:   show_ciphers = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   show_digests = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   show_engines = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   genkey = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   key_pass_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   show_tls_ciphers = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   connect_retry_max = 0
Jul 19 01:46:49 anivia openvpn[30575]: Connection profiles [0]:
Jul 19 01:46:49 anivia openvpn[30575]:   proto = udp4
Jul 19 01:46:49 anivia openvpn[30575]:   local = '<IP-Address-Removed>'
Jul 19 01:46:49 anivia openvpn[30575]:   local_port = '0'
Jul 19 01:46:49 anivia openvpn[30575]:   remote = 'X.X.X.X'
Jul 19 01:46:49 anivia openvpn[30575]:   remote_port = '443'
Jul 19 01:46:49 anivia openvpn[30575]:   remote_float = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   bind_defined = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   bind_local = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   bind_ipv6_only = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   connect_retry_seconds = 5
Jul 19 01:46:49 anivia openvpn[30575]:   connect_timeout = 120
Jul 19 01:46:49 anivia openvpn[30575]:   socks_proxy_server = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   socks_proxy_port = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   tun_mtu = 1500
Jul 19 01:46:49 anivia openvpn[30575]:   tun_mtu_defined = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   link_mtu = 1500
Jul 19 01:46:49 anivia openvpn[30575]:   link_mtu_defined = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   tun_mtu_extra = 0
Jul 19 01:46:49 anivia openvpn[30575]:   tun_mtu_extra_defined = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   mtu_discover_type = -1
Jul 19 01:46:49 anivia openvpn[30575]:   fragment = 0
Jul 19 01:46:49 anivia openvpn[30575]:   mssfix = 1450
Jul 19 01:46:49 anivia openvpn[30575]:   explicit_exit_notification = 5
Jul 19 01:46:49 anivia openvpn[30575]: Connection profiles END
Jul 19 01:46:49 anivia openvpn[30575]:   remote_random = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   ipchange = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   dev = 'ovpnc1'
Jul 19 01:46:49 anivia openvpn[30575]:   dev_type = 'tun'
Jul 19 01:46:49 anivia openvpn[30575]:   dev_node = '/dev/tun1'
Jul 19 01:46:49 anivia openvpn[30575]:   lladdr = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   topology = 1
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_local = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_remote_netmask = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_noexec = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_nowarn = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_ipv6_local = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_ipv6_netbits = 0
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_ipv6_remote = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   shaper = 0
Jul 19 01:46:49 anivia openvpn[30575]:   mtu_test = 0
Jul 19 01:46:49 anivia openvpn[30575]:   mlock = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   keepalive_ping = 5
Jul 19 01:46:49 anivia openvpn[30575]:   keepalive_timeout = 30
Jul 19 01:46:49 anivia openvpn[30575]:   inactivity_timeout = 0
Jul 19 01:46:49 anivia openvpn[30575]:   ping_send_timeout = 5
Jul 19 01:46:49 anivia openvpn[30575]:   ping_rec_timeout = 30
Jul 19 01:46:49 anivia openvpn[30575]:   ping_rec_timeout_action = 2
Jul 19 01:46:49 anivia openvpn[30575]:   ping_timer_remote = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   remap_sigusr1 = 0
Jul 19 01:46:49 anivia openvpn[30575]:   persist_tun = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   persist_local_ip = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   persist_remote_ip = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   persist_key = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   passtos = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   resolve_retry_seconds = 1000000000
Jul 19 01:46:49 anivia openvpn[30575]:   resolve_in_advance = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   username = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   groupname = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   chroot_dir = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   cd_dir = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   writepid = '/var/run/openvpn_client1.pid'
Jul 19 01:46:49 anivia openvpn[30575]:   up_script = '/usr/local/sbin/ovpn-linkup'
Jul 19 01:46:49 anivia openvpn[30575]:   down_script = '/usr/local/sbin/ovpn-linkdown'
Jul 19 01:46:49 anivia openvpn[30575]:   down_pre = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   up_restart = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   up_delay = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   daemon = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   inetd = 0
Jul 19 01:46:49 anivia openvpn[30575]:   log = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   suppress_timestamps = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   machine_readable_output = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   nice = 0
Jul 19 01:46:49 anivia openvpn[30575]:   verbosity = 4
Jul 19 01:46:49 anivia openvpn[30575]:   mute = 0
Jul 19 01:46:49 anivia openvpn[30575]:   gremlin = 0
Jul 19 01:46:49 anivia openvpn[30575]:   status_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   status_file_version = 1
Jul 19 01:46:49 anivia openvpn[30575]:   status_file_update_freq = 60
Jul 19 01:46:49 anivia openvpn[30575]:   occ = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   rcvbuf = 0
Jul 19 01:46:49 anivia openvpn[30575]:   sndbuf = 0
Jul 19 01:46:49 anivia openvpn[30575]:   sockflags = 0
Jul 19 01:46:49 anivia openvpn[30575]:   fast_io = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   comp.alg = 1
Jul 19 01:46:49 anivia openvpn[30575]:   comp.flags = 0
Jul 19 01:46:49 anivia openvpn[30575]:   route_script = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   route_default_gateway = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   route_default_metric = 0
Jul 19 01:46:49 anivia openvpn[30575]:   route_noexec = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   route_delay = 0
Jul 19 01:46:49 anivia openvpn[30575]:   route_delay_window = 30
Jul 19 01:46:49 anivia openvpn[30575]:   route_delay_defined = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   route_nopull = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   route_gateway_via_dhcp = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   allow_pull_fqdn = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   management_addr = '/var/etc/openvpn/client1.sock'
Jul 19 01:46:49 anivia openvpn[30575]:   management_port = 'unix'
Jul 19 01:46:49 anivia openvpn[30575]:   management_user_pass = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   management_log_history_cache = 250
Jul 19 01:46:49 anivia openvpn[30575]:   management_echo_buffer_size = 100
Jul 19 01:46:49 anivia openvpn[30575]:   management_write_peer_info_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   management_client_user = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   management_client_group = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   management_flags = 256
Jul 19 01:46:49 anivia openvpn[30575]:   shared_secret_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   key_direction = not set
Jul 19 01:46:49 anivia openvpn[30575]:   ciphername = 'AES-256-CBC'
Jul 19 01:46:49 anivia openvpn[30575]:   ncp_enabled = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   ncp_ciphers = 'AES-256-GCM'
Jul 19 01:46:49 anivia openvpn[30575]:   authname = 'SHA512'
Jul 19 01:46:49 anivia openvpn[30575]:   prng_hash = 'sha256'
Jul 19 01:46:49 anivia openvpn[30575]:   prng_nonce_secret_len = 64
Jul 19 01:46:49 anivia openvpn[30575]:   keysize = 0
Jul 19 01:46:49 anivia openvpn[30575]:   engine = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   replay = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   mute_replay_warnings = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   replay_window = 64
Jul 19 01:46:49 anivia openvpn[30575]:   replay_time = 15
Jul 19 01:46:49 anivia openvpn[30575]:   packet_id_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   use_iv = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   test_crypto = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   tls_server = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   tls_client = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   key_method = 2
Jul 19 01:46:49 anivia openvpn[30575]:   ca_file = '/var/etc/openvpn/client1.ca'
Jul 19 01:46:49 anivia openvpn[30575]:   ca_path = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   dh_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   cert_file = '/var/etc/openvpn/client1.cert'
Jul 19 01:46:49 anivia openvpn[30575]:   extra_certs_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   priv_key_file = '/var/etc/openvpn/client1.key'
Jul 19 01:46:49 anivia openvpn[30575]:   pkcs12_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   cipher_list = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   cipher_list_tls13 = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   tls_cert_profile = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   tls_verify = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   tls_export_cert = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   verify_x509_type = 0
Jul 19 01:46:49 anivia openvpn[30575]:   verify_x509_name = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   crl_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   ns_cert_type = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 65535
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_eku = 'TLS Web Server Authentication'
Jul 19 01:46:49 anivia openvpn[30575]:   ssl_flags = 0
Jul 19 01:46:49 anivia openvpn[30575]:   tls_timeout = 2
Jul 19 01:46:49 anivia openvpn[30575]:   renegotiate_bytes = -1
Jul 19 01:46:49 anivia openvpn[30575]:   renegotiate_packets = 0
Jul 19 01:46:49 anivia openvpn[30575]:   renegotiate_seconds = 3600
Jul 19 01:46:49 anivia openvpn[30575]:   handshake_window = 60
Jul 19 01:46:49 anivia openvpn[30575]:   transition_window = 3600
Jul 19 01:46:49 anivia openvpn[30575]:   single_session = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   push_peer_info = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   tls_exit = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   tls_auth_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   tls_crypt_file = '/var/etc/openvpn/client1.tls-crypt'
Jul 19 01:46:49 anivia openvpn[30575]:   server_network = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   server_netmask = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   server_network_ipv6 = ::
Jul 19 01:46:49 anivia openvpn[30575]:   server_netbits_ipv6 = 0
Jul 19 01:46:49 anivia openvpn[30575]:   server_bridge_ip = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   server_bridge_netmask = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   server_bridge_pool_start = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   server_bridge_pool_end = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_pool_defined = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_pool_start = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_pool_end = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_pool_netmask = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_pool_persist_filename = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_pool_persist_refresh_freq = 600
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_ipv6_pool_defined = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_ipv6_pool_base = ::
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_ipv6_pool_netbits = 0
Jul 19 01:46:49 anivia openvpn[30575]:   n_bcast_buf = 256
Jul 19 01:46:49 anivia openvpn[30575]:   tcp_queue_limit = 64
Jul 19 01:46:49 anivia openvpn[30575]:   real_hash_size = 256
Jul 19 01:46:49 anivia openvpn[30575]:   virtual_hash_size = 256
Jul 19 01:46:49 anivia openvpn[30575]:   client_connect_script = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   learn_address_script = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   client_disconnect_script = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   client_config_dir = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   ccd_exclusive = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   tmp_dir = '/tmp'
Jul 19 01:46:49 anivia openvpn[30575]:   push_ifconfig_defined = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   push_ifconfig_local = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   push_ifconfig_remote_netmask = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   push_ifconfig_ipv6_defined = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   push_ifconfig_ipv6_local = ::/0
Jul 19 01:46:49 anivia openvpn[30575]:   push_ifconfig_ipv6_remote = ::
Jul 19 01:46:49 anivia openvpn[30575]:   enable_c2c = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   duplicate_cn = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   cf_max = 0
Jul 19 01:46:49 anivia openvpn[30575]:   cf_per = 0
Jul 19 01:46:49 anivia openvpn[30575]:   max_clients = 1024
Jul 19 01:46:49 anivia openvpn[30575]:   max_routes_per_client = 256
Jul 19 01:46:49 anivia openvpn[30575]:   auth_user_pass_verify_script = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   auth_user_pass_verify_script_via_file = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   auth_token_generate = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   auth_token_lifetime = 0
Jul 19 01:46:49 anivia openvpn[30575]:   port_share_host = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   port_share_port = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   client = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   pull = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   auth_user_pass_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]: OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May  4 2020
Jul 19 01:46:49 anivia openvpn[30575]: library versions: OpenSSL 1.0.2u-freebsd  20 Dec 2019, LZO 2.10
Jul 19 01:46:49 anivia openvpn[30841]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Jul 19 01:46:49 anivia openvpn[30841]: mlockall call succeeded
Jul 19 01:46:49 anivia openvpn[30841]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 19 01:46:49 anivia openvpn[30841]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 19 01:46:49 anivia openvpn[30841]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 19 01:46:49 anivia openvpn[30841]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 19 01:46:49 anivia openvpn[30841]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 19 01:46:49 anivia openvpn[30841]: Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Jul 19 01:46:49 anivia openvpn[30841]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Jul 19 01:46:49 anivia openvpn[30841]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Jul 19 01:46:49 anivia openvpn[30841]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Jul 19 01:46:49 anivia openvpn[30841]: TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:443
Jul 19 01:46:49 anivia openvpn[30841]: Socket Buffers: R=[42080->42080] S=[57344->57344]
Jul 19 01:46:49 anivia openvpn[30841]: UDPv4 link local (bound): [AF_INET]<IP-Address-Removed>:0
Jul 19 01:46:49 anivia openvpn[30841]: UDPv4 link remote: [AF_INET]X.X:X.X:443
Jul 19 01:47:19 anivia openvpn[30841]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Jul 19 01:47:19 anivia openvpn[30841]: TCP/UDP: Closing socket
Jul 19 01:47:19 anivia openvpn[30841]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 19 01:47:19 anivia openvpn[30841]: Restart pause, 5 second(s)
Just to clarify, I'm able to connect to this server, but only using "tls-auth" and auth digest "SHA1". The corresponding keys (tls-crypt vs tls-auth) have been checked multiple times. I also tried multiple different servers from this provider. I feel like I have tried everything and google is starting to feel like running in a circle.

Does anybody have guidance?

Edit: Noticed my initial logs where with "verb 5". Replaced logs with "verb 4"
Last edited by gReg0r on Sun Jul 19, 2020 9:42 am, edited 5 times in total.
Top
TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Problems connecting via tls-crypt to AirVPN

Post by TinCanTech » Sat Jul 18, 2020 11:54 pm

gReg0r wrote:
Sat Jul 18, 2020 11:41 pm
 According to the provider a connection with "tls-crypt" is supported, but I'm unable to establish such connection.
You need the correct key from your provider.

viewtopic.php?f=30&t=22603#p68963
Top
gReg0r
OpenVpn Newbie
Posts: 4
Joined: Sat Jul 18, 2020 11:08 pm

Re: Problems connecting via tls-crypt to AirVPN

Post by gReg0r » Sun Jul 19, 2020 12:13 am

Hey TinCanTech,

Thanks for that link. I assume I did almost everything wrong I could ... I guess I should've gone to bed. Anyhow, as far as I understand your link I should've posted to "Offtopic, Related", sadly I can't find a delete function: Is it possible to move this thread to the "Offtopic, Related" board?

Meanwhile, I've updated the OP with the missing information.

Regarding your comment on the key file: I am 100% certain, that the client1.crypt-key has the same content as the "tls-crypt.key" that my provider is providing. But since I've tried pretty much everything, I start to believe that I am being served a wrong key file ...

Edit: I'm tired and will log off now, but one question is on my mind: Why isn't the auth failing with an error or notice in the log?
Top
TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Problems connecting via tls-crypt to AirVPN

Post by TinCanTech » Sun Jul 19, 2020 12:30 am

gReg0r wrote:
Sun Jul 19, 2020 12:13 am
 Thanks for that link. I assume I did almost everything wrong I could ...
Almost .. but that can be fixed ;)
gReg0r wrote:
Sun Jul 19, 2020 12:13 am
 I should've posted to "Offtopic, Related"
I'm sure someone can do do this for you :mrgreen:
gReg0r wrote:
Sun Jul 19, 2020 12:13 am
 I am 100% certain, that the client1.crypt-key has the same content as the "tls-crypt.key" that my provider is providing. But since I've tried pretty much everything, I start to believe that I am being served a wrong key file ...
Possibly :geek:
gReg0r wrote:
Sun Jul 19, 2020 12:13 am
 one question is on my mind: Why isn't the auth failing with an error or notice in the log?
Bring-on the ambiguity :ugeek:

If you mean --tls-auth then probably because --tls-auth is the thing your provider is actually providing 8-)
Top
gReg0r
OpenVpn Newbie
Posts: 4
Joined: Sat Jul 18, 2020 11:08 pm

Re: Problems connecting via tls-crypt to AirVPN

Post by gReg0r » Sun Jul 19, 2020 7:43 am

Hey TinCanTech,

Thanks for your reply and taking care of moving this topic! After a few hours of refreshing dreams I'm back to tackle this again.
I'm reading your reply to my question:
What I was wondering about was, If I'm using the wrong tls-crypt key, why am I not receiving any kind of error or notice when the auth challenge (read --tls-crypt /var/etc/openvpn/client1.tls-crypt) somewhat (?) fails to complete but doesn't give me (the client) a proper notice about it. I'm reading your reply as: "that's intended behavior".
Top
User avatar
Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Problems connecting via tls-crypt to AirVPN

Post by Pippin » Sun Jul 19, 2020 8:16 am

Provider (AirVPN) configuration file:

Code: Select all

remote X.X.X.X 443
OpenVPN client configuration: (pfSense)

Code: Select all

remote X.X.X.X 443 udp4
As far as I understand and unless AirVPN is doing something custom,
one cannot connect to a server configured for tls-crypt with tls-auth and vice versa.

So question is, are the remote addresses X.X.X.X the same or different?
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
Top
gReg0r
OpenVpn Newbie
Posts: 4
Joined: Sat Jul 18, 2020 11:08 pm

Re: Problems connecting via tls-crypt to AirVPN

Post by gReg0r » Sun Jul 19, 2020 9:41 am

Thanks Pippin,

I have screwed myself with the entry IPs and forgot to change it after configuring "--tls-auth".

I feel stupid now. Going to yell at a tree!
Top
User avatar
Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: [Solved] Problems connecting via tls-crypt to AirVPN

Post by Pippin » Sun Jul 19, 2020 10:14 am

Welcome, happens to all, no exceptions.
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
Top
TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: [Solved] Problems connecting via tls-crypt to AirVPN

Post by TinCanTech » Sun Jul 19, 2020 10:27 am

We all make mitsakes 8-)
Top
Post Reply

Return to “Off Topic, Related”