using tls-auth with multiple clients

merkava
OpenVpn Newbie
Posts: 4
Joined: Thu Jan 12, 2012 3:51 pm

using tls-auth with multiple clients

Post by merkava » Thu Jan 12, 2012 9:54 pm

Hi guys,

I have configured openvpn in server mode with this config:

Code:

proto udp
port 1194
dev tun
server 192.168.200.0 255.255.255.0

ca /etc/openvpn/cookbook/ca.crt
cert /etc/openvpn/cookbook/openvpnserver.crt
key /etc/openvpn/cookbook/openvpnserver.key
dh /etc/openvpn/cookbook/dh2048.pem

keepalive 10 60
topology subnet

daemon
log-append /home/mazimi/Desktop/openvpn.log
verb 5

client-to-client
client-config-dir /etc/openvpn/cookbook/clients

I want to use tls-auth with each client, so I generated a key for each client and put its location in the client files. For example, one of the per-client files looks like this:

Code:

tls-auth /etc/openvpn/cookbook/ta.key 0

the other:

Code:

tls-auth /etc/openvpn/cookbook/ta2.key 0

and so on ....
The clients' config files look like this:

Code:

client
proto udp
remote 192.168.3.1
port 1194
dev tun

ca /etc/openvpn/cookbook/ca.crt
cert /etc/openvpn/cookbook/client1.crt
key /etc/openvpn/cookbook/client1.key
tls-auth /etc/openvpn/cookbook/ta.key 1

daemon
log-append /root/openvpn.log

ns-cert-type server
verb 5

But when I start openvpn, the log file shows:
server ip: 192.168.3.1
client ip: 192.168.3.254
This is the client log file:

Code:

Thu Jan 12 21:27:42 2012 us=604882 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Thu Jan 12 21:27:42 2012 us=605087 Local Options hash (VER=V4): '70f5b3af'
Thu Jan 12 21:27:42 2012 us=605173 Expected Remote Options hash (VER=V4): 'a2e2498c'
Thu Jan 12 21:27:42 2012 us=613785 UDPv4 link local (bound): [undef]
Thu Jan 12 21:27:42 2012 us=615281 UDPv4 link remote: [AF_INET]192.168.3.1:1194
WRThu Jan 12 21:27:42 2012 us=630017 TLS: Initial packet from [AF_INET]192.168.3.1:1194, sid=5642d85d 7bee1387
Thu Jan 12 21:27:42 2012 us=630145 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.168.3.1:1194
WRThu Jan 12 21:27:44 2012 us=705132 TLS: Initial packet from [AF_INET]192.168.3.1:1194, sid=5642d85d 7bee1387
Thu Jan 12 21:27:44 2012 us=705268 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.168.3.1:1194
RThu Jan 12 21:27:48 2012 us=274031 TLS: Initial packet from [AF_INET]192.168.3.1:1194, sid=5642d85d 7bee1387
Thu Jan 12 21:27:48 2012 us=274116 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.168.3.1:1194
WRThu Jan 12 21:27:56 2012 us=405112 TLS: Initial packet from [AF_INET]192.168.3.1:1194, sid=5642d85d 7bee1387
Thu Jan 12 21:27:56 2012 us=405245 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.168.3.1:1194

and the server log file shows:

Code:

Fri Jan 13 00:57:42 2012 us=706599 192.168.3.254:1194 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Jan 13 00:57:42 2012 us=706642 192.168.3.254:1194 Local Options hash (VER=V4): '239669a8'
Fri Jan 13 00:57:42 2012 us=706675 192.168.3.254:1194 Expected Remote Options hash (VER=V4): '3514370b'
RFri Jan 13 00:57:42 2012 us=706760 192.168.3.254:1194 TLS: Initial packet from 192.168.3.254:1194, sid=77ba59a2 824aa47e
Fri Jan 13 00:57:42 2012 us=706784 192.168.3.254:1194 TLS Error: reading acknowledgement record from packet
WRFri Jan 13 00:57:44 2012 us=788227 192.168.3.254:1194 TLS Error: reading acknowledgement record from packet
WWRFri Jan 13 00:57:48 2012 us=356524 192.168.3.254:1194 TLS Error: reading acknowledgement record from packet
WRFri Jan 13 00:57:56 2012 us=483580 192.168.3.254:1194 TLS Error: reading acknowledgement record from packet

What is wrong with this configuration?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: using tls-auth with multiple clients

Post by maikcat » Fri Jan 13, 2012 10:27 am

You must use the same ta.key on *ALL* clients.

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"
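As an added illustration (not code from the thread or from OpenVPN), this Python script parses the OpenVPN static-key file format and shows why a client can only "locate" the HMAC on the server's first packet when both sides load the same file with mirrored key directions: a second per-client file, or the wrong direction on the client, fails exactly as the logs above do. The 256-byte two-slot layout, the 20-byte HMAC-SHA1 key length and the packet payload are assumptions stated in the comments, and the key files are constructed deterministically in place of `openvpn --genkey`.

```python
import hashlib
import hmac
import re

# Assumed layout of an OpenVPN "Static key V1" file: 256 bytes of hex in two 128-byte
# slots, each 64 bytes of cipher key then 64 bytes of HMAC key. tls-auth uses only the
# HMAC halves; with "auth SHA1" (as in the logs) the first 20 bytes of each are the key.
KEY_BYTES, SLOT, CIPHER_LEN, HMAC_KEY_LEN = 256, 128, 64, 20
HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"

def parse_static_key(text):
    """Return the 256 raw key bytes from the text of a static key file."""
    m = re.search(re.escape(HEADER) + r"(.*?)" + re.escape(FOOTER), text, re.S)
    if m is None:
        raise ValueError("not an OpenVPN Static key V1 file")
    raw = bytes.fromhex("".join(m.group(1).split()))
    if len(raw) != KEY_BYTES:
        raise ValueError("expected %d key bytes, got %d" % (KEY_BYTES, len(raw)))
    return raw

def hmac_keys(raw, direction):
    """(send_key, recv_key) for 'tls-auth <file> <direction>': direction 0 (server)
    sends with slot 0 and receives with slot 1; direction 1 (client) is the mirror."""
    def slot_hmac(i):
        start = i * SLOT + CIPHER_LEN
        return raw[start:start + HMAC_KEY_LEN]
    return (slot_hmac(0), slot_hmac(1)) if direction == 0 else (slot_hmac(1), slot_hmac(0))

def handshake_accepted(server_file, client_file, payload, client_direction=1):
    """True iff the client finds a valid HMAC on the server's first control packet."""
    server_send, _ = hmac_keys(parse_static_key(server_file), 0)
    _, client_recv = hmac_keys(parse_static_key(client_file), client_direction)
    expected = hmac.new(server_send, payload, hashlib.sha1).digest()
    seen = hmac.new(client_recv, payload, hashlib.sha1).digest()
    return hmac.compare_digest(expected, seen)

def make_key_file(seed):
    """Constructed, deterministic stand-in for 'openvpn --genkey --secret <file>'."""
    raw = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(KEY_BYTES // 32))
    lines = [raw[i:i + 16].hex() for i in range(0, KEY_BYTES, 16)]
    return HEADER + "\n" + "\n".join(lines) + "\n" + FOOTER + "\n"

TA_KEY = make_key_file(b"ta.key")    # the single file the server and every client must share
TA2_KEY = make_key_file(b"ta2.key")  # the per-client second key from the question
PAYLOAD = b"constructed control-channel payload (real packets also carry opcode/session/packet ids)"

def demo():
    """(shared key accepted, per-client key accepted) == (True, False)."""
    return handshake_accepted(TA_KEY, TA_KEY, PAYLOAD), handshake_accepted(TA_KEY, TA2_KEY, PAYLOAD)
```

Note also that the server's "Expected Remote Options String" in the log has no `tls-auth` entry while the client's does, which shows the server process is not running tls-auth at all: a client-config-dir file is only applied after the TLS handshake that tls-auth is meant to protect, so the directive belongs in the main server config.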

merkava
OpenVpn Newbie
Posts: 4
Joined: Thu Jan 12, 2012 3:51 pm

Re: using tls-auth with multiple clients

Post by merkava » Fri Jan 13, 2012 6:49 pm

Thank you very much

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: using tls-auth with multiple clients

Post by maikcat » Sun Jan 15, 2012 7:04 pm

You're welcome,

closing topic.

Michael.
