[SOLVED] [Newbie]How can i fix this

Posted: Wed Jun 08, 2011 3:50 am
by ovpn2ac
hey all
totally new to this thing
I'm getting stuck at generating the CA private key and certificate

Re: [Newbie]How can i fix this

Posted: Wed Jun 08, 2011 7:01 am
by maikcat
hi there,

please write us the commands you used so we can help you out.

for the record

first edit vars file
source it
then execute

build-ca
build-key-server server
build-dh
build-key user01

this is the correct order

Michael.

Re: [Newbie]How can i fix this

Posted: Wed Jun 08, 2011 7:38 am
by janjust
The error you're seeing is that you've not supplied the right passphrase (password) for the CA ca.key file.
Either start over and remember the password this time or type in the right password :)

Re: [Newbie]How can i fix this

Posted: Fri Jun 10, 2011 1:39 am
by ovpn2ac
thanks! :D
so ca and certs are done.

I encountered this

I'm running the server on VMware Ubuntu
and running the OpenVPN GUI on WinXP Pro SP3
both are on the same machine

Fri Jun 10 09:29:23 2011 OpenVPN 2.2.0 Win32-MSVC++ [SSL] [LZO2] built on Apr 26 2011
Fri Jun 10 09:29:23 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Jun 10 09:29:23 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jun 10 09:29:23 2011 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Fri Jun 10 09:29:23 2011 UDPv4 link local: [undef]
Fri Jun 10 09:29:23 2011 UDPv4 link remote: 192.168.249.128:1194
Fri Jun 10 09:29:23 2011 TLS Error: cannot locate HMAC in incoming packet from 192.168.249.128:1194
Fri Jun 10 09:29:25 2011 TLS Error: cannot locate HMAC in incoming packet from 192.168.249.128:1194
Fri Jun 10 09:29:27 2011 TLS Error: cannot locate HMAC in incoming packet from 192.168.249.128:1194

server config:
proto udp
port 1194
dev tun

server 192.168.249.128 255.255.255.0

ca /etc/openvpn/fyp/ca.crt
cert /etc/openvpn/fyp/server.crt
key /etc/openvpn/fyp/server.key
dh /etc/openvpn/fyp/dh2048.pem
tls-auth /etc/openvpn/fyp/ta.key 0

client config:
client
proto udp
remote 192.168.249.128
port 1194
dev tun
nobind

ca ca.crt
cert openvpnclient1.crt
key openvpnclient1.key

tls-auth ta.key 1

Re: [Newbie]How can i fix this

Posted: Fri Jun 10, 2011 8:21 am
by janjust
you're re-using the vmnet subnet for your VPN subnet; that's asking for trouble. try using

server 10.0.8.0 255.255.255.0
to see if that helps.

Re: [Newbie]How can i fix this

Posted: Fri Jun 10, 2011 8:43 am
by ovpn2ac
hmm. :D
Fri Jun 10 16:32:56 2011 UDPv4 link local: [undef]
Fri Jun 10 16:32:56 2011 UDPv4 link remote: 10.0.8.0:1194
Fri Jun 10 16:33:56 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Jun 10 16:33:56 2011 TLS Error: TLS handshake failed

Re: [Newbie]How can i fix this

Posted: Fri Jun 10, 2011 8:58 am
by janjust
you changed the wrong line :ugeek:

use this as server config

proto udp
port 1194
dev tun

server 10.0.8.0 255.255.255.0

ca /etc/openvpn/fyp/ca.crt
cert /etc/openvpn/fyp/server.crt
key /etc/openvpn/fyp/server.key
dh /etc/openvpn/fyp/dh2048.pem
tls-auth /etc/openvpn/fyp/ta.key 0

verb 4
and this as client config:

client
proto udp
remote 192.168.249.128
port 1194
dev tun
nobind

ca ca.crt
cert openvpnclient1.crt
key openvpnclient1.key

tls-auth ta.key 1

Re: [Newbie]How can i fix this

Posted: Fri Jun 10, 2011 9:08 am
by ovpn2ac
still getting the

TLS Error: cannot locate HMAC in incoming packet from 192.168.249.128:1194

what does verb 4 do btw?

Re: [Newbie]How can i fix this

Posted: Fri Jun 10, 2011 9:10 am
by maikcat
hi there,

increases verbosity...

1 less
9 more..

Michael

Re: [Newbie]How can i fix this

Posted: Fri Jun 10, 2011 9:23 am
by janjust
comment out

tls-auth
in both server and client config to see if that helps (for troubleshooting). If it then works then the 'ta.key' files on client and server are out of sync - they MUST be identical.
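
Added example, not part of the original posts: a Python check for the mismatch described above. It compares the tls-auth lines of both configs and fingerprints the key bytes rather than the file, so a ta.key copied to the Windows client with CRLF line endings still matches. The sample_key helper and its key material are constructed for illustration; the two config excerpts are taken from the thread.

```python
import hashlib
import re

SERVER_CONF = "proto udp\nport 1194\ntls-auth /etc/openvpn/fyp/ta.key 0\n"  # from the thread
CLIENT_CONF = "client\r\nproto udp\r\ntls-auth ta.key 1\r\n"                 # from the thread
KEY_RE = re.compile(r"-----BEGIN OpenVPN Static key V1-----(.*?)"
                    r"-----END OpenVPN Static key V1-----", re.S)

def sample_key(seed, newline="\n"):
    """Constructed stand-in for ta.key (not a real key): 2048 bits of hex."""
    body = hashlib.sha512(seed).hexdigest() * 4
    rows = [body[i:i + 32] for i in range(0, len(body), 32)]
    return newline.join(["#", "# 2048 bit OpenVPN static key", "#",
                         "-----BEGIN OpenVPN Static key V1-----", *rows,
                         "-----END OpenVPN Static key V1-----", ""])

def key_fingerprint(key_text):
    """SHA-256 of the key bytes only; line endings and comments do not count."""
    match = KEY_RE.search(key_text)
    if not match:
        raise ValueError("not an OpenVPN static key file")
    return hashlib.sha256(bytes.fromhex("".join(match.group(1).split()))).hexdigest()

def tls_auth_directive(config_text):
    """Return (keyfile, direction) of the active tls-auth line, else None.
    Simplification (assumption): '#' or ';' anywhere on a line starts a comment."""
    for raw in config_text.splitlines():
        words = re.split(r"[#;]", raw, maxsplit=1)[0].split()
        if len(words) >= 2 and words[0] == "tls-auth":
            return words[1], (words[2] if len(words) > 2 else None)
    return None

def check_tls_auth(server_conf, client_conf, server_key, client_key):
    """List the tls-auth inconsistencies between the two sides."""
    problems = []
    srv, cli = tls_auth_directive(server_conf), tls_auth_directive(client_conf)
    if (srv is None) != (cli is None):
        problems.append("tls-auth is active on only one side")
    if srv and cli:
        if (srv[1], cli[1]) != (None, None) and {srv[1], cli[1]} != {"0", "1"}:
            problems.append("directions must be 0 and 1, or omitted on both")
        if key_fingerprint(server_key) != key_fingerprint(client_key):
            problems.append("ta.key differs between server and client")
    return problems

if __name__ == "__main__":
    good = sample_key(b"shared")
    print(check_tls_auth(SERVER_CONF, CLIENT_CONF, good, sample_key(b"shared", "\r\n")))
    print(check_tls_auth(SERVER_CONF, CLIENT_CONF, good, sample_key(b"other")))
```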

Re: [Newbie]How can i fix this

Posted: Mon Jun 13, 2011 12:49 am
by ovpn2ac

Options error: Unrecognized option or missing parameter(s) in example2-2-client.ovpn:12: ta.key (2.2.0)
Use --help for more information.
doesn't work :D

Re: [Newbie]How can i fix this

Posted: Tue Jun 14, 2011 6:19 am
by janjust
sigh; I meant, comment out the entire line
tls-auth ta.key 0

Re: [Newbie]How can i fix this

Posted: Thu Jun 16, 2011 8:13 am
by ovpn2ac
it worked
thanks janjust :D

Re: [Newbie]How can i fix this

Posted: Thu Jun 16, 2011 12:17 pm
by janjust
Excellent, closing topic