New Member
Posts: 32
Registered: ‎03-14-2013
Accepted Solution

OpenVPN server config help

I am trying to set up an OpenVPN server. Testing it on my mobile device, it starts the connection, but after some seconds the connection is terminated ("Session Invalidated"), then it restarts over and over again.

 

This is what I have:

 

eth0 subnet 192.168.1.0/24 (INTERNET)
eth1 + eth2 Bridged 192.168.2.0/24

 

How do I configure in /etc/openvpn/:

source ./vars
./clean-all
./build-ca
./build-key-server MYSERVER
./build-dh
./build-key-pass CLIENT

 

I then copy them all to /config/auth/keys/

then

 

configure
set interfaces openvpn vtun0
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 192.168.100.0/24
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/keys/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/keys/MYSERVER.crt
set interfaces openvpn vtun0 tls key-file /config/auth/keys/MYSERVER.key
set interfaces openvpn vtun0 tls dh-file /config/auth/keys/dh1024.pem
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 server push-route 192.168.2.0/24
commit
save

 

my client ovpn file:

 

client
dev tun
proto udp
remote XXXX.dyndns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert CLIENT.crt
key CLIENT.key
cipher AES-256-CBC
verb 3

 

 

Is there something missing? Do you also advise something extra?

 

Thank you

 



All Replies
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5473
Solutions: 1656
Contributions: 2

Re: OpenVPN server config help

Maybe post the relevant log messages (from /var/log/messages) so that people can see if there is any information there. Also you can increase the log level (for example, set interfaces openvpn vtun0 openvpn-option '--verb 4') if there is not much information.

New Member
Posts: 32
Registered: ‎03-14-2013

Re: OpenVPN server config help

Basically I have these warnings (XXX.XXX.XXX.XXX is just my IP address):

 

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1570'

WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA256'

WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA

[teste1] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:10873

MULTI: new connection by client 'teste1' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.

MULTI_sva: pool returned IPv4=192.168.100.2, IPv6=43:bcc::22:b6:d27c

MULTI: Learn: 192.168.100.2 -> teste1/XXX.XXX.XXX.XXX:10873

MULTI: primary virtual IP for teste1/XXX.XXX.XXX.XXX:10873: 192.168.100.2

teste1/XXX.XXX.XXX.XXX:10873 PUSH: Received control message: 'PUSH_REQUEST'

teste1/XXX.XXX.XXX.XXX:10873 send_push_reply(): safe_cap=960

teste1/XXX.XXX.XXX.XXX:10873 SENT CONTROL [teste1]: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route-gateway 192.168.100.1,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.100.2 255.255.255.0' (status=1)

teste1/XXX.XXX.XXX.XXX:10873 Authenticate/Decrypt packet error: packet HMAC authentication failed

teste1/XXX.XXX.XXX.XXX:10873 [teste1] Inactivity timeout (--ping-restart), restarting

teste1/XXX.XXX.XXX.XXX:10873 SIGUSR1[soft,ping-restart] received, client-instance restarting

 

Authenticate/Decrypt packet error: packet HMAC authentication failed

 

 

 

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5473
Solutions: 1656
Contributions: 2

Re: OpenVPN server config help


Snedcor wrote:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1570'

WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA256'

WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

...
 

Authenticate/Decrypt packet error: packet HMAC authentication failed


The "auth" mismatch in the warning may be the cause for the HMAC failure. The "comp-lzo" mismatch may be a problem too. Assuming this is the log on the router, try adding these:

set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 openvpn-option '--comp-lzo'

 and see if it makes any difference.
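The diagnosis above (the `auth` and `comp-lzo` warnings explain the HMAC failures, and the `link-mtu` warning is a consequence of them rather than a separate problem) can be checked mechanically. The script below is an added example, not code from the thread or from Ubiquiti: it parses server-side log lines of the kind posted above and turns each data-channel mismatch into the EdgeOS `set` command that aligns the server with what the client sent. `SAMPLE_LOG` is constructed from the thread (the client address is a documentation IP); the interface name `vtun0` and the EdgeOS value names (`hash sha256`, `encryption aes256`) are assumptions.

```python
"""Map OpenVPN 'used inconsistently' warnings to EdgeOS server fixes.

Added example, not from the original thread. It parses the server-side
log lines of the kind posted above and turns each data-channel mismatch
into the EdgeOS `set interfaces openvpn ...` command that aligns the
server with what the client sent. SAMPLE_LOG is constructed from the
thread; vtun0 and the EdgeOS value names are assumptions.
"""
import re

# Constructed sample: the three warnings and the HMAC failure from the thread.
SAMPLE_LOG = """\
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1570'
WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA256'
WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
teste1/203.0.113.7:10873 Authenticate/Decrypt packet error: packet HMAC authentication failed
"""

INCONSISTENT = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
ONE_SIDED = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is present in (?P<has>local|remote) config "
    r"but missing in (?:local|remote) config")

# HMAC tag sizes in bytes. link-mtu includes the tag, so an 'auth' mismatch
# also shows up as a link-mtu mismatch.
DIGEST_BYTES = {"MD5": 16, "SHA1": 20, "SHA256": 32, "SHA512": 64}


def _value(setting):
    """'auth SHA1' -> 'SHA1'; a bare flag such as 'comp-lzo' -> ''."""
    parts = setting.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def parse_mismatches(log_text):
    """Return {option: (local_value, remote_value)}; None means absent on that side."""
    found = {}
    for line in log_text.splitlines():
        m = INCONSISTENT.search(line)
        if m:
            found[m["opt"]] = (_value(m["local"]), _value(m["remote"]))
            continue
        m = ONE_SIDED.search(line)
        if m:
            found[m["opt"]] = ("", None) if m["has"] == "local" else (None, "")
    return found


def hmac_failed(log_text):
    """The symptom that follows an 'auth' mismatch: every data packet is rejected."""
    return "packet HMAC authentication failed" in log_text


def link_mtu_explained(mismatches):
    """True when the link-mtu gap is fully accounted for by the other mismatches.

    A bigger HMAC tag and the one-byte LZO prefix each enlarge link-mtu, so
    SHA1->SHA256 (+12) plus comp-lzo (+1) is exactly the 1557 vs 1570 in the
    thread. Any leftover would point at a real tun-mtu/link-mtu difference.
    """
    if "link-mtu" not in mismatches:
        return True
    local, remote = (int(v) for v in mismatches["link-mtu"])
    expected = 0
    if "auth" in mismatches:
        l_alg, r_alg = mismatches["auth"]
        expected += DIGEST_BYTES[r_alg.upper()] - DIGEST_BYTES[l_alg.upper()]
    lzo_local, lzo_remote = mismatches.get("comp-lzo", ("", ""))
    if lzo_local is None:
        expected += 1
    elif lzo_remote is None:
        expected -= 1
    return remote - local == expected


def remediation(mismatches, iface="vtun0"):
    """EdgeOS commands that make the server match the client.

    link-mtu is derived from the other settings, so it gets no command of its own.
    """
    p = f"set interfaces openvpn {iface}"
    cmds = []
    for opt, (local, remote) in mismatches.items():
        if opt == "auth":
            cmds.append(f"{p} hash {remote.lower()}")
        elif opt == "cipher":
            # 'AES-256-CBC' -> 'aes256' (EdgeOS naming; assumption)
            cmds.append(f"{p} encryption {remote.lower().replace('-cbc', '').replace('-', '')}")
        elif opt == "comp-lzo" and local is None:
            cmds.append(f"{p} openvpn-option '--comp-lzo'")
        elif opt == "comp-lzo" and remote is None:
            cmds.append(f"delete interfaces openvpn {iface} openvpn-option '--comp-lzo'")
    return cmds


if __name__ == "__main__":
    found = parse_mismatches(SAMPLE_LOG)
    for opt, pair in found.items():
        print(f"{opt:10} local={pair[0]!r} remote={pair[1]!r}")
    print("HMAC failures:", hmac_failed(SAMPLE_LOG))
    print("link-mtu explained by other mismatches:", link_mtu_explained(found))
    print("\n".join(remediation(found)))
```

Run against the sample it emits exactly the two `set` lines of the accepted answer. Note that the thread aligns the two sides by enabling `comp-lzo` on the server; the other way round (dropping `comp-lzo` from the client) is what OpenVPN itself recommends today, since compression of attacker-influenced data is what the VORACLE attack exploits and newer releases deprecate it.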

New Member
Posts: 32
Registered: ‎03-14-2013

Re: OpenVPN server config help

It's working! Thank you very much!

 

Now, should I use an HMAC Signature for safety? (ta.key)

 

To generate the key I need to:

openvpn --genkey --secret ta.key

 

Then I have a file ta.key that should be in the same folder as the certificates.

 

for the client .ovpn I need to add this line: tls-auth ta.key 1

 

How do I configure the server?

 

 

New Member
Posts: 32
Registered: ‎03-14-2013

Re: OpenVPN server config help

Another point I checked.

 

I can access the server, can ping and access devices inside the network, but all internet traffic is not going through the tunnel.

I check my ip address and it's not the same where the router server is.

 

I want everything through the tunnel.

 

 

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5473
Solutions: 1656
Contributions: 2

Re: OpenVPN server config help


@Snedcor wrote:

Now, should I use an HMAC Signature for safety? (ta.key)

 

To generate the key I need to:

openvpn --genkey --secret ta.key

 

Then I have a file ta.key that should be in the same folder as the certificates.

 

for the client .ovpn I need to add this line: tls-auth ta.key 1

 

How do I configure the server?


Generally, if you want to play with the more advanced OpenVPN options that are not exposed in the CLI configuration, you can use the "openvpn-options" setting. For example, in this case, try

set interfaces openvpn vtun0 openvpn-option '--tls-auth ta.key 0'

(You probably need direction 0 since the client side uses 1.)

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5473
Solutions: 1656
Contributions: 2

Re: OpenVPN server config help


@Snedcor wrote:

I can access the server, can ping and access devices inside the network, but all internet traffic is not going through the tunnel.

I check my ip address and it's not the same where the router server is.

 

I want everything through the tunnel. 


If you want everything through the tunnel, you probably need a default route through the tunnel. Maybe try pushing a default route from the server or just set a default route on the client.

New Member
Posts: 32
Registered: ‎03-14-2013

Re: OpenVPN server config help

Sorry to ask, but how would I do that on the server or client?

 

Thank you

 

 

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5473
Solutions: 1656
Contributions: 2

Re: OpenVPN server config help

For example, on the client you can try the "redirect-gateway" setting to replace the default route.

New Member
Posts: 32
Registered: ‎03-14-2013

Re: OpenVPN server config help

Perfect. It works on the client side.

 

Now, how can I force on the server side that all traffic goes through the tunnel and avoid split tunneling, without the need for the client.ovpn to be changed?

 

Where is the config file of the server so I can change directly the configuration like the client ovpn without having to introduce commands on the CLI?

 

Thank you

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5473
Solutions: 1656
Contributions: 2

Re: OpenVPN server config help

Generally each OpenVPN option in the ovpn file corresponds to the same command-line option (by adding "--" in front), so the two should be equivalent and we are not using an ovpn file. You can try push routes or play with other settings on the server.
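The key point for the server-side question is which side an option acts on: `redirect-gateway` or `dhcp-option` written straight into the server's option list applies to the router itself, while only options wrapped in `push` reach the clients, which is what lets the .ovpn stay untouched. The script below is an added example, not the thread's or Ubiquiti's own config: it renders the EdgeOS `set` lines for a full-tunnel policy and audits an existing `openvpn-option` list for client-side directives that were never pushed. The quoting `openvpn-option "--push redirect-gateway def1"` is the form I assume the EdgeOS CLI takes (verify with `show interfaces openvpn` after commit); interface name and subnets are constructed. The overlap check also covers the same-subnet problem raised further down the thread.

```python
"""Push a full tunnel from the EdgeOS side and audit the option list.

Added example, not the thread's own config. Only options wrapped in
`push` reach the clients; the CLI quoting and the subnets are assumptions.
"""
import ipaddress

# Options that only mean something on the side that receives them.
CLIENT_SIDE = {"redirect-gateway", "dhcp-option"}


def render_full_tunnel(iface, vpn_subnet, lan_subnets, dns, def1=True):
    """EdgeOS `set` lines: client pool, pushed LAN routes, pushed default route, pushed DNS.

    Refuses a pool that overlaps a LAN: a client cannot route to a LAN that
    shares its own tunnel subnet.
    """
    vpn = ipaddress.ip_network(vpn_subnet)
    lans = [ipaddress.ip_network(s) for s in lan_subnets]
    for lan in lans:
        if vpn.overlaps(lan):
            raise ValueError(f"VPN pool {vpn} overlaps LAN {lan}")
    p = f"set interfaces openvpn {iface}"
    cmds = [f"{p} mode server", f"{p} server subnet {vpn}"]
    cmds += [f"{p} server push-route {lan}" for lan in lans]
    # def1 overrides the default route with 0.0.0.0/1 and 128.0.0.0/1 instead of
    # deleting 0.0.0.0/0, so the client's original default survives and is
    # restored cleanly when the tunnel closes.
    gw = "redirect-gateway def1" if def1 else "redirect-gateway"
    cmds.append(f'{p} openvpn-option "--push {gw}"')
    cmds.append(f'{p} openvpn-option "--push dhcp-option DNS {dns}"')
    return cmds


def audit_options(openvpn_options):
    """Flag client-side directives that sit on the server without `push`."""
    problems = []
    for raw in openvpn_options:
        words = raw.replace('"', "").replace("'", "").split()
        if not words:
            continue
        head = words[0].lstrip("-")
        if head in CLIENT_SIDE:
            pushed = " ".join([head] + words[1:])
            problems.append(f'{raw}: applies to the router, not to clients; use --push "{pushed}"')
    return problems


if __name__ == "__main__":
    print("\n".join(render_full_tunnel("vtun0", "192.168.100.0/24",
                                       ["192.168.2.0/24"], "192.168.2.1")))
    print()
    for problem in audit_options(['"--verb 4"', "--comp-lzo", "redirect-gateway",
                                  '"dhcp-option DNS 10.0.0.1"',
                                  '"--push redirect-gateway def1"']):
        print("AUDIT:", problem)
```

Pushed options are still only advice to the client: a client configured with `route-nopull` ignores them, so if full tunneling must hold regardless of the client, the router's firewall rules on `vtun0` are what enforce it.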

New Member
Posts: 3
Registered: ‎02-26-2013

Re: OpenVPN server config help

Were you able to get it working with tls-auth set?  I can get a connection up with no tls-auth, but as soon as I add it (to both client and server) I just get 

 

Apr 27 16:49:42 ubnt openvpn[24652]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]x.x.x.x:45264

 

My config is (it still doesn't quite work right even without the --tls-auth, but it does connect..)

 

 openvpn vtun0 {
     encryption aes256
     hash sha512
     local-port 1194
     mode server
     openvpn-option --comp-lzo
     openvpn-option "--tls-auth /config/auth/ta.key 0"
     protocol udp
     server {
         push-route 10.0.0.0/8
         subnet 10.10.0.0/24
         topology subnet
     }
     tls {
         ca-cert-file /config/auth/ca.crt
         cert-file /config/auth/edgerouter.crt
         dh-file /config/auth/dh2048.pem
         key-file /config/auth/edgerouter.key
     }
 }

 

One thing which looks strange to me is if I increase the verbosity up, in the config dump in /var/log/messages I see key_direction = 1.  If I change my config to "--tls-auth /config/auth/ta.key" (i.e. no direction at the end) it sets itself to  key_direction = 0.  Clients are all set to 1

 

Any help would be greatly appreciated!! 

 

New Member
Posts: 32
Registered: ‎03-14-2013

Re: OpenVPN server config help


At the moment I have this config in my server:

 

encryption aes256
hash sha256
mode server
openvpn-option "--verb 4"
openvpn-option --comp-lzo
openvpn-option "--tls-auth /config/auth/keys/ta.key 0"
openvpn-option redirect-gateway
openvpn-option "dhcp-option DNS 10.0.0.1"
server {
    push-route 10.0.0.0/24
    subnet 10.15.200.0/24
}
tls {
    ca-cert-file /config/auth/keys/ca.crt
    cert-file /config/auth/keys/MYSERVER.crt
    dh-file /config/auth/keys/dh1024.pem
    key-file /config/auth/keys/MYSERVER.key
}

 

 

This is my client config:

 

client
dev tun
proto udp
remote DOMAIN 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert USER.crt
key USER.key
tls-auth ta.key 1
ns-cert-type server
auth sha256
cipher AES-256-CBC
comp-lzo
verb 3
redirect-gateway

 

 

I have the Following issues:

  1. If I take out redirect-gateway from the client conf, it splits tunneling. I really want to force full tunneling regardless of user.ovpn.
  2. In some public hotspots, don't know why, it establishes a connection with the server, can ping devices in the network, can use other services but cannot open any websites. It looks like a problem with DNS, but my Android phone uses Google DNS over VPN (8.8.8.8) and suffers from the same. If I use a third-party VPN like HideMyAss I have no problems.

 

Thank you

 

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5473
Solutions: 1656
Contributions: 2

Re: OpenVPN server config help


JarlNicolson wrote:

One thing which looks strange to me is if I increase the verbosity up, in the config dump in /var/log/messages I see key_direction = 1.  If I change my config to "--tls-auth /config/auth/ta.key" (i.e. no direction at the end) it sets itself to  key_direction = 0.  Clients are all set to 1


Just to rule out the obvious, I assume the "ta.key" file is generated on the server using the "openvpn" command and then copied over to the client?

 

Also note that not setting the direction is actually a different mode, so you can also try removing the direction on both client and server. If specified, one side needs to be 0 and the other needs to be 1.
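Both replies about `tls-auth` (direction 0 on the server against 1 on the client, and "no direction" being a separate, bidirectional mode) come down to how OpenVPN slices the static key. The script below is an added example, not code from the thread or from OpenVPN: it builds a key in the layout `openvpn --genkey --secret ta.key` writes (256 random bytes as 16 hex lines), splits it the way OpenVPN does (two halves, each a 64-byte cipher key followed by a 64-byte HMAC key), and shows which HMAC key each side uses for each direction. Direction 0 and 1 are mirror images; no direction means both sides use the first key both ways. The packet framing is simplified to tag || payload (real tls-auth also covers the opcode and packet-id), and the failing combination reproduces the "cannot locate HMAC" condition JarlNicolson hit.

```python
"""tls-auth key directions, worked through offline.

Added example, not code from the thread or from OpenVPN itself.
Packet framing is simplified to tag || payload.
"""
import hashlib
import hmac
import os

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"


def genkey():
    """What `openvpn --genkey --secret` produces: 256 random bytes (2048 bits)."""
    return os.urandom(256)


def write_static_key(raw):
    """Serialise in the ta.key file format: header, 16 lines of 32 hex chars, footer."""
    lines = [raw[i:i + 16].hex() for i in range(0, 256, 16)]
    return "\n".join(["#", "# 2048 bit OpenVPN static key", "#", HEADER, *lines, FOOTER]) + "\n"


def read_static_key(text):
    """Parse a ta.key file back into 256 raw bytes."""
    hex_lines, inside = [], False
    for line in text.splitlines():
        if line.strip() == HEADER:
            inside = True
        elif line.strip() == FOOTER:
            break
        elif inside:
            hex_lines.append(line.strip())
    raw = bytes.fromhex("".join(hex_lines))
    if len(raw) != 256:
        raise ValueError("static key must be 256 bytes")
    return raw


def hmac_keys(raw, digest="sha1"):
    """The two HMAC keys in a static key, truncated to the digest size as OpenVPN does."""
    n = hashlib.new(digest).digest_size
    return raw[64:64 + n], raw[192:192 + n]   # HMAC slot of half 0 and of half 1


class Side:
    """One peer's tls-auth state for a given key direction (None, 0 or 1)."""

    def __init__(self, raw, direction, digest="sha1"):
        key0, key1 = hmac_keys(raw, digest)
        self.digest = digest
        if direction is None:        # bidirectional: key 0 for both send and receive
            self.send_key, self.recv_key = key0, key0
        elif direction == 0:         # "normal": send with key 0, receive with key 1
            self.send_key, self.recv_key = key0, key1
        elif direction == 1:         # "inverse": send with key 1, receive with key 0
            self.send_key, self.recv_key = key1, key0
        else:
            raise ValueError("direction must be None, 0 or 1")

    def seal(self, payload):
        return hmac.new(self.send_key, payload, self.digest).digest() + payload

    def open(self, packet):
        n = hashlib.new(self.digest).digest_size
        tag, payload = packet[:n], packet[n:]
        if not hmac.compare_digest(tag, hmac.new(self.recv_key, payload, self.digest).digest()):
            # The condition behind "TLS Error: cannot locate HMAC in incoming packet".
            raise ValueError("cannot locate HMAC in incoming packet")
        return payload


def handshake_ok(raw, server_dir, client_dir):
    """True only when both directions verify; the TLS handshake needs both."""
    server, client = Side(raw, server_dir), Side(raw, client_dir)
    try:
        server.open(client.seal(b"P_CONTROL_HARD_RESET_CLIENT_V2"))
        client.open(server.seal(b"P_CONTROL_HARD_RESET_SERVER_V2"))
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    key = read_static_key(write_static_key(genkey()))
    for combo in [(0, 1), (None, None), (1, 1), (None, 1)]:
        print(f"server dir={combo[0]!s:4} client dir={combo[1]!s:4} ->",
              "OK" if handshake_ok(key, *combo) else "HMAC failure")
```

Only 0/1, 1/0 and none/none succeed; 1/1 fails in both directions, and mixing "no direction" with 0 or 1 fails in one direction, which is enough to kill the handshake. The same script also checks the obvious: the file on the client must be byte-for-byte the one generated on the server, which `read_static_key` verifies by size and hex content.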

Emerging Member
Posts: 44
Registered: ‎12-31-2013
Kudos: 16
Solutions: 4

Re: OpenVPN server config help

Alright, so we have success! I can connect from my laptop using my phone as a hotspot. However, I can't ping either way through the tunnel. I specified the same subnet for the OpenVPN subnet (192.168.1.0/24) as my network uses on br0; is that a problem? I would like to be able to access resources on my network while away, along with using my internet connection, which I know is secure. I am thinking I have to assign a different subnet but I just am not sure.. :/

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5473
Solutions: 1656
Contributions: 2

Re: OpenVPN server config help

Looks like this has been solved in your other thread now :)