
[Solved] Problems connecting via tls-crypt to AirVPN

Posted: Sat Jul 18, 2020 11:41 pm
by gReg0r
Dear community,

First off, I'm unsure if I've posted this to the correct board. It seems to be for tutorials, but the other boards seemed even more out of place.

I am at a point where I don't know how to solve my issue at hand, so I'm hoping to find some guidance here :).

I am running a pfSense (2.4.5-p1) box that is routing all non-local traffic of a particular local subnet through an OpenVPN (provider AirVPN). While this setup works, I'm only able to connect via "tls-auth". According to the provider a connection with "tls-crypt" is supported, but I'm unable to establish such a connection.
Since my knowledge on OpenVPN is marginal at best, I would like to hear your opinion on where I screwed myself:
Operating system:
uname -a
FreeBSD anivia 11.3-STABLE FreeBSD 11.3-STABLE #243 abf8cba50ce(RELENG_2_4_5): Tue Jun  2 17:53:37 EDT 2020     root@buildbot1-nyi.netgate.com:/build/ce-crossbuild-245/obj/amd64/YNx4Qq3j/build/ce-crossbuild-245/sources/FreeBSD-src/sys/pfSense  amd64
OpenVPN version:
# /root: openvpn --version
OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May  4 2020
library versions: OpenSSL 1.0.2u-freebsd  20 Dec 2019, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
Network setup:
/root: ifconfig
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:25:90:bb:74:60
        hwaddr 00:25:90:bb:74:60
        inet6 fe80::225:90ff:febb:7460%igb0 prefixlen 64 scopeid 0x1
        inet 109.91.186.108 netmask 0xfffff800 broadcast 255.255.255.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:25:90:bb:74:61
        hwaddr 00:25:90:bb:74:61
        inet6 fe80::225:90ff:febb:7461%igb1 prefixlen 64 scopeid 0x2
        inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
        inet 172.23.97.1 netmask 0xffffffff broadcast 172.23.97.1
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:25:90:bb:74:62
        hwaddr 00:25:90:bb:74:62
        inet6 fe80::225:90ff:febb:7462%igb2 prefixlen 64 scopeid 0x3
        inet 10.0.30.1 netmask 0xffffff00 broadcast 10.0.30.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igb3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6500bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:25:90:bb:74:63
        hwaddr 00:25:90:bb:74:63
        inet6 fe80::225:90ff:febb:7463%igb3 prefixlen 64 scopeid 0x4
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
enc0: flags=0<> metric 0 mtu 1536
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: enc
pfsync0: flags=0<> metric 0 mtu 1500
        groups: pfsync
pflog0: flags=100<PROMISC> metric 0 mtu 33160
        groups: pflog
igb3.1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:25:90:bb:74:63
        inet6 fe80::225:90ff:febb:7463%igb3.1 prefixlen 64 scopeid 0x9
        inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 1 vlanpcp: 0 parent interface: igb3
        groups: vlan
igb3.20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:25:90:bb:74:63
        inet6 fe80::225:90ff:febb:7463%igb3.20 prefixlen 64 scopeid 0xa
        inet 10.0.20.1 netmask 0xffffff00 broadcast 10.0.20.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 20 vlanpcp: 0 parent interface: igb3
        groups: vlan
igb3.40: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:25:90:bb:74:63
        inet6 fe80::225:90ff:febb:7463%igb3.40 prefixlen 64 scopeid 0xb
        inet 10.0.40.1 netmask 0xffffff00 broadcast 10.0.40.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 40 vlanpcp: 0 parent interface: igb3
        groups: vlan
igb3.50: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:25:90:bb:74:63
        inet6 fe80::225:90ff:febb:7463%igb3.50 prefixlen 64 scopeid 0xc
        inet 10.0.50.1 netmask 0xffffff00 broadcast 10.0.50.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 50 vlanpcp: 0 parent interface: igb3
        groups: vlan
igb3.100: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:25:90:bb:74:63
        inet6 fe80::225:90ff:febb:7463%igb3.100 prefixlen 64 scopeid 0xd
        inet 10.0.100.1 netmask 0xffffff00 broadcast 10.0.100.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 100 vlanpcp: 0 parent interface: igb3
        groups: vlan
ovpnc1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: tun openvpn
OpenVPN client configuration:
client
# /root: cat /var/etc/openvpn/client1.conf
dev ovpnc1
verb 5
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 5 30
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local <Public-IP-Address-Removed>
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote X.X.X.X 443 udp4
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-crypt /var/etc/openvpn/client1.tls-crypt
ncp-ciphers AES-256-GCM
comp-lzo no
resolv-retry infinite
route-noexec
explicit-exit-notify 5
remote-cert-tls server
prng sha256 64
mlock
auth-nocache


Provider (AirVPN) configuration file:
client
# --------------------------------------------------------
# Air VPN | https://airvpn.org | Saturday 18th of July 2020 09:59:10 AM
# OpenVPN Client Configuration
# AirVPN_DE-Frankfurt_Menkalinan_UDP-443-Entry3
# --------------------------------------------------------

client
dev tun
remote X.X.X.X 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
route-delay 5
verb 3
explicit-exit-notify 5
ca "ca.crt"
cert "user.crt"
key "user.key"
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
tls-crypt "tls-crypt.key"
auth SHA512


The OpenVPN client logs (verbosity = 4) when trying to establish a connection:
Jul 19 01:46:45 anivia openvpn[80075]: SIGTERM received, sending exit notification to peer
Jul 19 01:46:49 anivia openvpn[30575]: Current Parameter Settings:
Jul 19 01:46:49 anivia openvpn[30575]:   config = '/var/etc/openvpn/client1.conf'
Jul 19 01:46:49 anivia openvpn[30575]:   mode = 0
Jul 19 01:46:49 anivia openvpn[30575]:   show_ciphers = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   show_digests = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   show_engines = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   genkey = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   key_pass_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   show_tls_ciphers = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   connect_retry_max = 0
Jul 19 01:46:49 anivia openvpn[30575]: Connection profiles [0]:
Jul 19 01:46:49 anivia openvpn[30575]:   proto = udp4
Jul 19 01:46:49 anivia openvpn[30575]:   local = '<IP-Address-Removed>'
Jul 19 01:46:49 anivia openvpn[30575]:   local_port = '0'
Jul 19 01:46:49 anivia openvpn[30575]:   remote = 'X.X.X.X'
Jul 19 01:46:49 anivia openvpn[30575]:   remote_port = '443'
Jul 19 01:46:49 anivia openvpn[30575]:   remote_float = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   bind_defined = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   bind_local = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   bind_ipv6_only = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   connect_retry_seconds = 5
Jul 19 01:46:49 anivia openvpn[30575]:   connect_timeout = 120
Jul 19 01:46:49 anivia openvpn[30575]:   socks_proxy_server = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   socks_proxy_port = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   tun_mtu = 1500
Jul 19 01:46:49 anivia openvpn[30575]:   tun_mtu_defined = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   link_mtu = 1500
Jul 19 01:46:49 anivia openvpn[30575]:   link_mtu_defined = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   tun_mtu_extra = 0
Jul 19 01:46:49 anivia openvpn[30575]:   tun_mtu_extra_defined = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   mtu_discover_type = -1
Jul 19 01:46:49 anivia openvpn[30575]:   fragment = 0
Jul 19 01:46:49 anivia openvpn[30575]:   mssfix = 1450
Jul 19 01:46:49 anivia openvpn[30575]:   explicit_exit_notification = 5
Jul 19 01:46:49 anivia openvpn[30575]: Connection profiles END
Jul 19 01:46:49 anivia openvpn[30575]:   remote_random = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   ipchange = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   dev = 'ovpnc1'
Jul 19 01:46:49 anivia openvpn[30575]:   dev_type = 'tun'
Jul 19 01:46:49 anivia openvpn[30575]:   dev_node = '/dev/tun1'
Jul 19 01:46:49 anivia openvpn[30575]:   lladdr = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   topology = 1
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_local = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_remote_netmask = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_noexec = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_nowarn = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_ipv6_local = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_ipv6_netbits = 0
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_ipv6_remote = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   shaper = 0
Jul 19 01:46:49 anivia openvpn[30575]:   mtu_test = 0
Jul 19 01:46:49 anivia openvpn[30575]:   mlock = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   keepalive_ping = 5
Jul 19 01:46:49 anivia openvpn[30575]:   keepalive_timeout = 30
Jul 19 01:46:49 anivia openvpn[30575]:   inactivity_timeout = 0
Jul 19 01:46:49 anivia openvpn[30575]:   ping_send_timeout = 5
Jul 19 01:46:49 anivia openvpn[30575]:   ping_rec_timeout = 30
Jul 19 01:46:49 anivia openvpn[30575]:   ping_rec_timeout_action = 2
Jul 19 01:46:49 anivia openvpn[30575]:   ping_timer_remote = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   remap_sigusr1 = 0
Jul 19 01:46:49 anivia openvpn[30575]:   persist_tun = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   persist_local_ip = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   persist_remote_ip = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   persist_key = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   passtos = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   resolve_retry_seconds = 1000000000
Jul 19 01:46:49 anivia openvpn[30575]:   resolve_in_advance = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   username = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   groupname = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   chroot_dir = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   cd_dir = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   writepid = '/var/run/openvpn_client1.pid'
Jul 19 01:46:49 anivia openvpn[30575]:   up_script = '/usr/local/sbin/ovpn-linkup'
Jul 19 01:46:49 anivia openvpn[30575]:   down_script = '/usr/local/sbin/ovpn-linkdown'
Jul 19 01:46:49 anivia openvpn[30575]:   down_pre = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   up_restart = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   up_delay = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   daemon = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   inetd = 0
Jul 19 01:46:49 anivia openvpn[30575]:   log = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   suppress_timestamps = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   machine_readable_output = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   nice = 0
Jul 19 01:46:49 anivia openvpn[30575]:   verbosity = 4
Jul 19 01:46:49 anivia openvpn[30575]:   mute = 0
Jul 19 01:46:49 anivia openvpn[30575]:   gremlin = 0
Jul 19 01:46:49 anivia openvpn[30575]:   status_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   status_file_version = 1
Jul 19 01:46:49 anivia openvpn[30575]:   status_file_update_freq = 60
Jul 19 01:46:49 anivia openvpn[30575]:   occ = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   rcvbuf = 0
Jul 19 01:46:49 anivia openvpn[30575]:   sndbuf = 0
Jul 19 01:46:49 anivia openvpn[30575]:   sockflags = 0
Jul 19 01:46:49 anivia openvpn[30575]:   fast_io = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   comp.alg = 1
Jul 19 01:46:49 anivia openvpn[30575]:   comp.flags = 0
Jul 19 01:46:49 anivia openvpn[30575]:   route_script = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   route_default_gateway = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   route_default_metric = 0
Jul 19 01:46:49 anivia openvpn[30575]:   route_noexec = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   route_delay = 0
Jul 19 01:46:49 anivia openvpn[30575]:   route_delay_window = 30
Jul 19 01:46:49 anivia openvpn[30575]:   route_delay_defined = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   route_nopull = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   route_gateway_via_dhcp = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   allow_pull_fqdn = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   management_addr = '/var/etc/openvpn/client1.sock'
Jul 19 01:46:49 anivia openvpn[30575]:   management_port = 'unix'
Jul 19 01:46:49 anivia openvpn[30575]:   management_user_pass = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   management_log_history_cache = 250
Jul 19 01:46:49 anivia openvpn[30575]:   management_echo_buffer_size = 100
Jul 19 01:46:49 anivia openvpn[30575]:   management_write_peer_info_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   management_client_user = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   management_client_group = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   management_flags = 256
Jul 19 01:46:49 anivia openvpn[30575]:   shared_secret_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   key_direction = not set
Jul 19 01:46:49 anivia openvpn[30575]:   ciphername = 'AES-256-CBC'
Jul 19 01:46:49 anivia openvpn[30575]:   ncp_enabled = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   ncp_ciphers = 'AES-256-GCM'
Jul 19 01:46:49 anivia openvpn[30575]:   authname = 'SHA512'
Jul 19 01:46:49 anivia openvpn[30575]:   prng_hash = 'sha256'
Jul 19 01:46:49 anivia openvpn[30575]:   prng_nonce_secret_len = 64
Jul 19 01:46:49 anivia openvpn[30575]:   keysize = 0
Jul 19 01:46:49 anivia openvpn[30575]:   engine = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   replay = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   mute_replay_warnings = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   replay_window = 64
Jul 19 01:46:49 anivia openvpn[30575]:   replay_time = 15
Jul 19 01:46:49 anivia openvpn[30575]:   packet_id_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   use_iv = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   test_crypto = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   tls_server = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   tls_client = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   key_method = 2
Jul 19 01:46:49 anivia openvpn[30575]:   ca_file = '/var/etc/openvpn/client1.ca'
Jul 19 01:46:49 anivia openvpn[30575]:   ca_path = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   dh_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   cert_file = '/var/etc/openvpn/client1.cert'
Jul 19 01:46:49 anivia openvpn[30575]:   extra_certs_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   priv_key_file = '/var/etc/openvpn/client1.key'
Jul 19 01:46:49 anivia openvpn[30575]:   pkcs12_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   cipher_list = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   cipher_list_tls13 = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   tls_cert_profile = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   tls_verify = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   tls_export_cert = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   verify_x509_type = 0
Jul 19 01:46:49 anivia openvpn[30575]:   verify_x509_name = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   crl_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   ns_cert_type = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 65535
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_ku[i] = 0
Jul 19 01:46:49 anivia openvpn[30575]:   remote_cert_eku = 'TLS Web Server Authentication'
Jul 19 01:46:49 anivia openvpn[30575]:   ssl_flags = 0
Jul 19 01:46:49 anivia openvpn[30575]:   tls_timeout = 2
Jul 19 01:46:49 anivia openvpn[30575]:   renegotiate_bytes = -1
Jul 19 01:46:49 anivia openvpn[30575]:   renegotiate_packets = 0
Jul 19 01:46:49 anivia openvpn[30575]:   renegotiate_seconds = 3600
Jul 19 01:46:49 anivia openvpn[30575]:   handshake_window = 60
Jul 19 01:46:49 anivia openvpn[30575]:   transition_window = 3600
Jul 19 01:46:49 anivia openvpn[30575]:   single_session = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   push_peer_info = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   tls_exit = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   tls_auth_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   tls_crypt_file = '/var/etc/openvpn/client1.tls-crypt'
Jul 19 01:46:49 anivia openvpn[30575]:   server_network = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   server_netmask = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   server_network_ipv6 = ::
Jul 19 01:46:49 anivia openvpn[30575]:   server_netbits_ipv6 = 0
Jul 19 01:46:49 anivia openvpn[30575]:   server_bridge_ip = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   server_bridge_netmask = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   server_bridge_pool_start = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   server_bridge_pool_end = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_pool_defined = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_pool_start = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_pool_end = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_pool_netmask = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_pool_persist_filename = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_pool_persist_refresh_freq = 600
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_ipv6_pool_defined = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_ipv6_pool_base = ::
Jul 19 01:46:49 anivia openvpn[30575]:   ifconfig_ipv6_pool_netbits = 0
Jul 19 01:46:49 anivia openvpn[30575]:   n_bcast_buf = 256
Jul 19 01:46:49 anivia openvpn[30575]:   tcp_queue_limit = 64
Jul 19 01:46:49 anivia openvpn[30575]:   real_hash_size = 256
Jul 19 01:46:49 anivia openvpn[30575]:   virtual_hash_size = 256
Jul 19 01:46:49 anivia openvpn[30575]:   client_connect_script = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   learn_address_script = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   client_disconnect_script = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   client_config_dir = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   ccd_exclusive = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   tmp_dir = '/tmp'
Jul 19 01:46:49 anivia openvpn[30575]:   push_ifconfig_defined = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   push_ifconfig_local = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   push_ifconfig_remote_netmask = 0.0.0.0
Jul 19 01:46:49 anivia openvpn[30575]:   push_ifconfig_ipv6_defined = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   push_ifconfig_ipv6_local = ::/0
Jul 19 01:46:49 anivia openvpn[30575]:   push_ifconfig_ipv6_remote = ::
Jul 19 01:46:49 anivia openvpn[30575]:   enable_c2c = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   duplicate_cn = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   cf_max = 0
Jul 19 01:46:49 anivia openvpn[30575]:   cf_per = 0
Jul 19 01:46:49 anivia openvpn[30575]:   max_clients = 1024
Jul 19 01:46:49 anivia openvpn[30575]:   max_routes_per_client = 256
Jul 19 01:46:49 anivia openvpn[30575]:   auth_user_pass_verify_script = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   auth_user_pass_verify_script_via_file = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   auth_token_generate = DISABLED
Jul 19 01:46:49 anivia openvpn[30575]:   auth_token_lifetime = 0
Jul 19 01:46:49 anivia openvpn[30575]:   port_share_host = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   port_share_port = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]:   client = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   pull = ENABLED
Jul 19 01:46:49 anivia openvpn[30575]:   auth_user_pass_file = '[UNDEF]'
Jul 19 01:46:49 anivia openvpn[30575]: OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May  4 2020
Jul 19 01:46:49 anivia openvpn[30575]: library versions: OpenSSL 1.0.2u-freebsd  20 Dec 2019, LZO 2.10
Jul 19 01:46:49 anivia openvpn[30841]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Jul 19 01:46:49 anivia openvpn[30841]: mlockall call succeeded
Jul 19 01:46:49 anivia openvpn[30841]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 19 01:46:49 anivia openvpn[30841]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 19 01:46:49 anivia openvpn[30841]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 19 01:46:49 anivia openvpn[30841]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 19 01:46:49 anivia openvpn[30841]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 19 01:46:49 anivia openvpn[30841]: Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Jul 19 01:46:49 anivia openvpn[30841]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Jul 19 01:46:49 anivia openvpn[30841]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Jul 19 01:46:49 anivia openvpn[30841]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Jul 19 01:46:49 anivia openvpn[30841]: TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:443
Jul 19 01:46:49 anivia openvpn[30841]: Socket Buffers: R=[42080->42080] S=[57344->57344]
Jul 19 01:46:49 anivia openvpn[30841]: UDPv4 link local (bound): [AF_INET]<IP-Address-Removed>:0
Jul 19 01:46:49 anivia openvpn[30841]: UDPv4 link remote: [AF_INET]X.X:X.X:443
Jul 19 01:47:19 anivia openvpn[30841]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Jul 19 01:47:19 anivia openvpn[30841]: TCP/UDP: Closing socket
Jul 19 01:47:19 anivia openvpn[30841]: SIGUSR1[soft,ping-restart] received, process restarting
Jul 19 01:47:19 anivia openvpn[30841]: Restart pause, 5 second(s)
Just to clarify, I'm able to connect to this server, but only using "tls-auth" and auth digest "SHA1". The corresponding keys (tls-crypt vs tls-auth) have been checked multiple times. I also tried multiple different servers from this provider. I feel like I have tried everything and Google is starting to feel like running in a circle.

Does anybody have guidance?

Edit: Noticed my initial logs were with "verb 5". Replaced logs with "verb 4".

Re: Problems connecting via tls-crypt to AirVPN

Posted: Sat Jul 18, 2020 11:54 pm
by TinCanTech
gReg0r wrote:
Sat Jul 18, 2020 11:41 pm
According to the provider a connection with "tls-crypt" is supported, but I'm unable to establish such connection.
You need the correct key from your provider.

viewtopic.php?f=30&t=22603#p68963

Re: Problems connecting via tls-crypt to AirVPN

Posted: Sun Jul 19, 2020 12:13 am
by gReg0r
Hey TinCanTech,

Thanks for that link. I assume I did almost everything wrong I could ... I guess I should've gone to bed. Anyhow, as far as I understand your link I should've posted to "Offtopic, Related", sadly I can't find a delete function: Is it possible to move this thread to the "Offtopic, Related" board?

Meanwhile, I've updated the OP with the missing information.

Regarding your comment on the key file: I am 100% certain that the client1.crypt-key has the same content as the "tls-crypt.key" that my provider is providing. But since I've tried pretty much everything, I start to believe that I am being served a wrong key file ...

Edit: I'm tired and will log off now, but one question is on my mind: Why isn't the auth failing with an error or notice in the log?

Re: Problems connecting via tls-crypt to AirVPN

Posted: Sun Jul 19, 2020 12:30 am
by TinCanTech
gReg0r wrote:
Sun Jul 19, 2020 12:13 am
Thanks for that link. I assume I did almost everything wrong I could ...
Almost .. but that can be fixed ;)
gReg0r wrote:
Sun Jul 19, 2020 12:13 am
I should've posted to "Offtopic, Related"
I'm sure someone can do this for you :mrgreen:
gReg0r wrote:
Sun Jul 19, 2020 12:13 am
I am 100% certain, that the client1.crypt-key has the same content as the "tls-crypt.key" that my provider is providing. But since I've tried pretty much everything, I start to believe that I am being served a wrong key file ...
Possibly :geek:
gReg0r wrote:
Sun Jul 19, 2020 12:13 am
one question is on my mind: Why isn't the auth failing with an error or notice in the log?
Bring-on the ambiguity :ugeek:

If you mean --tls-auth then probably because --tls-auth is the thing your provider is actually providing 8-)

Re: Problems connecting via tls-crypt to AirVPN

Posted: Sun Jul 19, 2020 7:43 am
by gReg0r
Hey TinCanTech,

Thanks for your reply and taking care of moving this topic! After a few hours of refreshing dreams I'm back to tackle this again.
I'm reading your reply to my question:
What I was wondering about was: if I'm using the wrong tls-crypt key, why am I not receiving any kind of error or notice when the auth challenge (read --tls-crypt /var/etc/openvpn/client1.tls-crypt) somewhat (?) fails to complete and doesn't give me (the client) a proper notice about it? I'm reading your reply as: "that's intended behavior".
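The behaviour asked about in this post, as an added illustration that is not part of the thread and not OpenVPN's source code: a deliberately simplified model of how a wrapped control channel handles a packet whose HMAC does not verify. The real tls-crypt format also encrypts the control channel (the log above shows AES-256-CTR plus HMAC-SHA256); this model keeps only the authenticate-then-drop part, because that is what produces the symptom. A server that cannot authenticate a HARD_RESET never replies, so the client has nothing to log except the keepalive expiring, which is exactly the "[UNDEF] Inactivity timeout (--ping-restart)" line in the OP. The keys, the fixed 5-second retry interval and the message strings are constructed for the example.

```python
"""Model of why a wrong control-channel key surfaces as an inactivity timeout
instead of an authentication error.  Added example, not OpenVPN code; a
simplified authenticate-then-drop model, not the real tls-crypt wire format."""
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 tag, the digest named in the 'Control Channel Encryption' log lines

# Constructed keys: KEY_A is what the client has, KEY_B is what a server with a
# different key (e.g. a tls-auth entry point) would hold.
KEY_A = hashlib.sha256(b"constructed client key A").digest()
KEY_B = hashlib.sha256(b"constructed server key B").digest()


def wrap(key: bytes, payload: bytes) -> bytes:
    """Authenticate a control-channel packet: tag || payload."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def unwrap(key: bytes, packet: bytes):
    """Return the payload if the tag verifies, otherwise None (constant-time compare)."""
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


class Server:
    """Minimal peer: answers authenticated HARD_RESETs, drops everything else."""

    def __init__(self, key: bytes):
        self.key = key
        self.dropped = 0

    def receive(self, packet: bytes):
        payload = unwrap(self.key, packet)
        if payload is None:
            # Unauthenticated packets are discarded without any reply: answering
            # would hand an unauthenticated sender a response to work with, and
            # would make the server a reflector for spoofed packets.
            self.dropped += 1
            return None
        return wrap(self.key, b"P_CONTROL_HARD_RESET_SERVER_V2")


def simulate(client_key: bytes, server_key: bytes, ping_timeout: int = 30, interval: int = 5):
    """Client resends HARD_RESET every `interval` seconds until a reply arrives or
    `ping_timeout` seconds elapse (cf. 'keepalive 5 30' in the pfSense config).
    Returns (status, packets_dropped_by_server, client_log)."""
    server = Server(server_key)
    log = []
    t = 0
    while t < ping_timeout:
        reply = server.receive(wrap(client_key, b"P_CONTROL_HARD_RESET_CLIENT_V2"))
        if reply is not None and unwrap(client_key, reply) is not None:
            log.append(f"t={t}s: control channel established")
            return "connected", server.dropped, log
        t += interval
    # Nothing ever came back, so the only thing the client can report is silence.
    log.append(f"t={t}s: [UNDEF] Inactivity timeout (--ping-restart), restarting")
    return "ping-restart", server.dropped, log


if __name__ == "__main__":
    for label, skey in (("matching key", KEY_A), ("wrong key", KEY_B)):
        status, dropped, log = simulate(KEY_A, skey)
        print(f"{label}: {status}, server dropped {dropped} packet(s); last log line: {log[-1]}")
```

The point for the OP's question is in the `Server.receive` branch: the client's log stays empty because no failure indication leaves the server, so with a mismatched key (or a tls-auth key sent to a tls-crypt endpoint, which fails the same check) the only client-side evidence is the ping-restart.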

Re: Problems connecting via tls-crypt to AirVPN

Posted: Sun Jul 19, 2020 8:16 am
by Pippin
Provider (AirVPN) configuration file:
remote X.X.X.X 443
OpenVPN client configuration: (pfSense)
remote X.X.X.X 443 udp4
As far as I understand and unless AirVPN is doing something custom,
one cannot connect to a server configured for tls-crypt with tls-auth and vice versa.

So question is, are the remote addresses X.X.X.X the same or different?
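The check Pippin is asking for, done mechanically: an added example (not pfSense or AirVPN code) that parses the provider's .ovpn and the pfSense-generated client config and reports every directive on which the two disagree, normalising "remote X 443" against "remote X 443 udp4" so only real differences show up. It also flags the tls-crypt/tls-auth mismatch described above, since the same check applies whether the entry IP or the wrapper is the stale one. The sample configs are constructed and mirror the shape of the ones in the OP; the 203.0.113.x addresses are documentation placeholders (TEST-NET-3), not real entry IPs.

```python
"""Compare a pfSense-generated OpenVPN client config against the provider's
reference .ovpn and flag directives that differ.  Added example, not pfSense or
AirVPN code.  Sample configs are constructed; 203.0.113.x are placeholders."""
import shlex

# The control-channel wrapper must be the same on both ends: a tls-crypt server
# silently drops tls-auth packets and vice versa.
WRAPPERS = ("tls-crypt", "tls-auth")


def parse_ovpn(text):
    """Return {directive: [args, ...]}.  Repeated directives accumulate; inline
    <ca>...</ca>-style blocks are recorded but their contents are skipped."""
    directives = {}
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and not line.startswith("</") and line.endswith(">"):
            in_block = line[1:-1]
            directives.setdefault(in_block, []).append(["<inline>"])
            continue
        name, *args = shlex.split(line)
        directives.setdefault(name, []).append(args)
    return directives


def proto_of(cfg):
    """'udp', 'udp4', 'udp6' -> 'udp' (likewise tcp); OpenVPN's default is udp."""
    return cfg.get("proto", [["udp"]])[0][0].rstrip("46")


def normalise_remote(args, default_proto):
    """'remote host [port] [proto]' -> (host, port, proto), so that
    'remote X 443' and 'remote X 443 udp4' compare equal."""
    host = args[0]
    port = args[1] if len(args) > 1 else "1194"
    proto = args[2].rstrip("46") if len(args) > 2 else default_proto
    return host, port, proto


def check(provider_text, client_text):
    """Return a list of human-readable mismatches; an empty list means they agree."""
    prov, cli = parse_ovpn(provider_text), parse_ovpn(client_text)
    findings = []
    pproto, cproto = proto_of(prov), proto_of(cli)
    if pproto != cproto:
        findings.append(f"proto differs: provider {pproto} vs client {cproto}")
    prem = {normalise_remote(a, pproto) for a in prov.get("remote", [])}
    crem = {normalise_remote(a, cproto) for a in cli.get("remote", [])}
    if prem != crem:
        findings.append(f"remote differs: provider {sorted(prem)} vs client {sorted(crem)}")
    for d in ("cipher", "auth", "remote-cert-tls", "comp-lzo"):
        if prov.get(d) != cli.get(d):
            findings.append(f"{d} differs: provider {prov.get(d)} vs client {cli.get(d)}")
    pw = [w for w in WRAPPERS if w in prov]
    cw = [w for w in WRAPPERS if w in cli]
    if pw != cw:
        findings.append(f"control-channel wrapper differs: provider {pw or 'none'} vs client {cw or 'none'}")
    return findings


# Constructed stand-in for the provider's .ovpn, same shape as the AirVPN file.
PROVIDER = """\
# Air VPN | constructed example header
client
dev tun
remote 203.0.113.10 443
proto udp
cipher AES-256-CBC
auth SHA512
remote-cert-tls server
comp-lzo no
tls-crypt "tls-crypt.key"
"""

# Constructed pfSense-style client config that matches the provider file.
CLIENT_OK = """\
dev ovpnc1
dev-type tun
proto udp4
cipher AES-256-CBC
auth SHA512
tls-client
client
remote 203.0.113.10 443 udp4
tls-crypt /var/etc/openvpn/client1.tls-crypt
comp-lzo no
remote-cert-tls server
"""

# Constructed config with the drift seen in this thread: the entry IP of the
# tls-auth endpoint left in place, together with its tls-auth key and SHA1.
CLIENT_STALE = """\
dev ovpnc1
dev-type tun
proto udp4
cipher AES-256-CBC
auth SHA1
tls-client
client
remote 203.0.113.20 443 udp4
tls-auth /var/etc/openvpn/client1.tls-auth 1
comp-lzo no
remote-cert-tls server
"""

if __name__ == "__main__":
    for name, cfg in (("matching", CLIENT_OK), ("stale", CLIENT_STALE)):
        print(f"{name}: {check(PROVIDER, cfg) or ['OK']}")
```

Run it against the real files by reading the provider's .ovpn and /var/etc/openvpn/client1.conf into the two arguments of check(); key file paths are deliberately not compared, only which wrapper each side uses.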

Re: Problems connecting via tls-crypt to AirVPN

Posted: Sun Jul 19, 2020 9:41 am
by gReg0r
Thanks Pippin,

I have screwed myself with the entry IPs and forgot to change it after configuring "--tls-auth".

I feel stupid now. Going to yell at a tree!

Re: [Solved] Problems connecting via tls-crypt to AirVPN

Posted: Sun Jul 19, 2020 10:14 am
by Pippin
Welcome, happens to all, no exceptions.

Re: [Solved] Problems connecting via tls-crypt to AirVPN

Posted: Sun Jul 19, 2020 10:27 am
by TinCanTech
We all make mitsakes 8-)