Hi all,
I'm trying to connect to an OpenVPN server running on my router (running DD-WRT). I have followed the instructions here to set it up with public keys. I moved the keys needed on the router by copy-pasting the contents of the keys into the web interface of the router using xclip.
When I attempt to connect, this is what happens:
# openvpn /etc/openvpn/client.conf
Sat Oct 15 00:18:54 2016 OpenVPN 2.3.12 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Aug 24 2016
Sat Oct 15 00:18:54 2016 library versions: OpenSSL 1.0.2i 22 Sep 2016, LZO 2.09
Sat Oct 15 00:18:54 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Oct 15 00:18:54 2016 Control Channel Authentication: using '/home/lefty/Router/easy-rsa/ta.key' as a OpenVPN static key file
Sat Oct 15 00:18:54 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Oct 15 00:18:54 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Oct 15 00:18:54 2016 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Oct 15 00:18:54 2016 Attempting to establish TCP connection with [AF_INET]73.189.236.219:443 [nonblock]
Sat Oct 15 00:18:55 2016 TCP connection established with [AF_INET]73.189.236.219:443
Sat Oct 15 00:18:55 2016 TCPv4_CLIENT link local: [undef]
Sat Oct 15 00:18:55 2016 TCPv4_CLIENT link remote: [AF_INET]73.189.236.219:443
Sat Oct 15 00:18:55 2016 Connection reset, restarting [0]
Sat Oct 15 00:18:55 2016 SIGUSR1[soft,connection-reset] received, process restarting
Sat Oct 15 00:18:55 2016 Restart pause, 5 second(s)
Sat Oct 15 00:18:57 2016 SIGINT[hard,init_instance] received, process exiting
Looking at the logs on my router, I see this:
20161015 00:17:31 I TCP connection established with [AF_INET]192.168.1.124:55164
20161015 00:17:32 192.168.1.124:55164 TLS: Initial packet from [AF_INET]192.168.1.124:55164 sid=c0759c14 548da6f0
20161015 00:17:32 N 192.168.1.124:55164 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.168.1.124:55164
20161015 00:17:32 N 192.168.1.124:55164 Fatal TLS error (check_tls_errors_co) restarting
20161015 00:17:32 192.168.1.124:55164 SIGUSR1[soft tls-error] received client-instance restarting
I think the problem is in this line:
20161015 00:17:32 N 192.168.1.124:55164 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.168.1.124:55164
My /etc/openvpn/client.conf file includes this line:
tls-auth /home/lefty/Router/easy-rsa/ta.key 1
Is there something else I need to do to enable the TLS handshake? Any ideas why the OpenVPN server thinks there is no HMAC being attempted?
Thanks in advance!
Last edited by LeftyAce (2016-10-15 07:30:32)
You need to disable your secret key; try commenting out this line:
#tls-auth ta.key 1 # This file is secret
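Added example, not part of either post: a check that a client and a server config agree on the settings the control-channel HMAC depends on (tls-auth, key direction, auth digest), and that the client verifies the server certificate, which the WARNING line in the client log flags. Both configs are constructed samples; the server side in particular is an assumption, since the thread does not show it.

```python
# Added example: CLIENT_CONF and SERVER_CONF are constructed samples.
CLIENT_CONF = """\
client
proto tcp
remote vpn.example.net 443
tls-auth /home/lefty/Router/easy-rsa/ta.key 1
"""
SERVER_CONF = """\
proto tcp-server
port 443
tls-auth /path/to/ta.key 0
auth SHA256
"""

def parse(text):
    """Map each directive to its arguments; '#' or ';' starts a comment."""
    conf = {}
    for line in text.splitlines():
        tokens = []
        for tok in line.split():
            if tok[0] in "#;":
                break
            tokens.append(tok)
        if tokens:
            conf[tokens[0].strip("<>")] = tokens[1:]  # also sees inline <tls-auth>
    return conf

def direction(conf):
    """Key direction from 'tls-auth <file> <dir>' or a 'key-direction' line."""
    args = conf.get("tls-auth", [])
    if len(args) > 1:
        return args[1]
    return conf.get("key-direction", [None])[0]

def hmac_findings(client_text, server_text):
    c, s = parse(client_text), parse(server_text)
    findings = []
    if ("tls-auth" in c) != ("tls-auth" in s):
        findings.append("tls-auth is enabled on only one side")
    elif "tls-auth" in c and {direction(c), direction(s)} not in ({None}, {"0", "1"}):
        findings.append("key directions must be 0/1 opposites, or omitted on both sides")
    c_auth = c.get("auth", ["SHA1"])[0].upper()  # OpenVPN 2.3 default digest is SHA1
    s_auth = s.get("auth", ["SHA1"])[0].upper()
    if c_auth != s_auth:
        findings.append(f"auth digest differs: client {c_auth}, server {s_auth}")
    if not {"remote-cert-tls", "verify-x509-name", "ns-cert-type"} & c.keys():
        findings.append("client does not verify the server certificate")
    return findings

if __name__ == "__main__":
    for finding in hmac_findings(CLIENT_CONF, SERVER_CONF):
        print("-", finding)
```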