On Wed, 22 Sep 2004, Maciek Mikrut wrote:

> Hello,
> We have an openvpn setup connecting multiple sites plus a couple of roaming
> users. We run openvpn in multi-client server mode using TCP protocol
> in order for roaming users to reach the openvpn server from behind NAT
> firewall. We have a strange problem with tls-auth option on roaming
> user's machines. When tls-auth is enabled, it takes many re-tries
> (and sometimes not at all) for them to connect to vpn.
> Did anyone have a similar problem? Any help? Please cc email to me
> on mmikrut@xxxxxxxxxxxxxxx :) Thanks!
>
> Attached are config files and sample of error messages

I wasn't able to reproduce problems with TCP mode + tls-auth.

Have you tried the connection without tls-auth?

Have you tried UDP rather than TCP?

I would expect to see the error "TLS Error: cannot locate HMAC in incoming
packet from <ip>:5000" when tls-auth is used in the local config but is absent
in the remote config.

It would help to see some "verb 9" debugging info immediately before the
error occurs.

James

> ############## SERVER CONFIG ###############
> local <server_ip_address>
> port 5000
> proto tcp
> dev tun
> ca cert/ca.crt
> cert cert/server.crt
> key cert/server.key # This file is secret
> dh cert/dh1024.pem
> server 192.168.0.128 255.255.255.192
> client-config-dir ccd
> client-to-client
> keepalive 10 60
> tls-auth cert/ta.key 0 # This file is secret
> comp-lzo
> status /var/log/openvpn-server-status.log
> verb 4
>
>
> ############# CLIENT CONFIG ###################
> client
> dev tun
> proto tcp
> remote <remote_server_ip> 5000
> resolv-retry infinite
> ca cert/ca.crt
> cert cert/client.crt
> key cert/client.key
> tls-auth cert/ta.key 1
> comp-lzo
> verb 4
>
>
> ###### SAMPLE ERROR MESSAGE ON SERVER ############
> Sep 22 10:51:03 border1 openvpn[18775]: Local Options hash (VER=V4): 'bd577cd1'
> Sep 22 10:51:03 border1 openvpn[18775]: Expected Remote Options hash (VER=V4): 'ee93268d'
> Sep 22 10:51:03 border1 openvpn[18775]: TCP connection established with 203.199.89.102:61198
> Sep 22 10:51:03 border1 openvpn[18775]: Socket Buffers: R=[131072->131072] S=[131072->131072]
> Sep 22 10:51:03 border1 openvpn[18775]: TCPv4_SERVER link local: [undef]
> Sep 22 10:51:03 border1 openvpn[18775]: TCPv4_SERVER link remote: 203.199.89.102:61198
> Sep 22 10:51:03 border1 openvpn[18775]: 203.199.89.102:61198 TLS: Initial packet from 203.199.89.102:61198, sid=5657fa76 094215e8
> Sep 22 10:51:16 border1 openvpn[18775]: 203.199.89.102:61198 VERIFY OK: depth=1, /C=AU/ST=ACT/L=Canberra/O=CyberOne.Pty.Ltd/OU=Servers/CN=border1.cyberone.com.au/emailAddress=sysadm@xxxxxxxxxxxxxxx
> Sep 22 10:51:16 border1 openvpn[18775]: 203.199.89.102:61198 VERIFY OK: depth=0, /C=AU/ST=ACT/O=CyberOne.Pty.Ltd/OU=Manila.Division/CN=manila.cyberone.com.au/emailAddress=sysadm@xxxxxxxxxxxxxxx
> Sep 22 10:51:17 border1 openvpn[18775]: MULTI: multi_close_instance called
> Sep 22 10:51:17 border1 openvpn[18775]: TCP/UDP: Closing socket
>
>
> #### SAMPLE ERROR MESSAGE ON CLIENT ##########
>
> syslog:
> Sep 22 10:31:30 aileen openvpn[1798]: Fatal decryption error (check_tls_errors_dowork), restarting
> Sep 22 10:31:36 aileen openvpn[1798]: TLS Error: cannot locate HMAC in incoming packet from <ip>:5000
>
> messages:
> Sep 22 09:28:13 aileen openvpn[1702]: TCP connection established with <ip>:5000
> Sep 22 09:28:13 aileen openvpn[1702]: Socket Buffers: R=[87380->131072] S=[16384->131072]
> Sep 22 09:28:13 aileen openvpn[1702]: TCPv4_CLIENT link local: [undef]
> Sep 22 09:28:13 aileen openvpn[1702]: TCPv4_CLIENT link remote: <ip>:5000
> Sep 22 09:28:14 aileen openvpn[1702]: TLS: Initial packet from <ip>:5000, sid=ea843077 c9a62f79
> Sep 22 09:28:20 aileen openvpn[1702]: VERIFY OK: depth=1, /C=AU/ST=ACT/L=Canberra/O=CyberOne.Pty.Ltd/OU=Servers/CN=border1.cyberone.com.au/emailAddress=sysadm@xxxxxxxxxxxxxxx
> Sep 22 09:28:20 aileen openvpn[1702]: VERIFY OK: depth=0, /C=AU/ST=ACT/O=CyberOne.Pty.Ltd/OU=Systems/CN=border1.cyberone.com.au/emailAddress=sysadm@xxxxxxxxxxxxxxx
> Sep 22 09:28:27 aileen openvpn[1702]: TCP/UDP: Closing socket
> Sep 22 09:28:27 aileen openvpn[1702]: SIGUSR1[soft,connection-reset] received, process restarting

_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
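A small consistency check for the mismatch James describes (tls-auth present in one config but not the other, or with non-complementary key directions), added here as an example; it is not code from the thread or from OpenVPN. The two config strings are constructed, modelled on the server/client pair quoted above, with a documentation address in place of the real IPs.

```python
import re

# Constructed sample configs, modelled on the server/client pair quoted in the thread
SERVER_CONF = """\
local 192.0.2.1
port 5000
proto tcp
dev tun
tls-auth cert/ta.key 0 # This file is secret
comp-lzo
"""

CLIENT_CONF = """\
client
dev tun
proto tcp
remote 192.0.2.1 5000
tls-auth cert/ta.key 1
comp-lzo
"""

def parse(text):
    """Map each directive to its argument list; '#'/';' comments and blank lines are dropped."""
    opts = {}
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            key, *args = line.split()
            opts[key] = args
    return opts

def check_tls_auth(server_text, client_text):
    """Return the mismatches that would surface as the HMAC/handshake failures in the thread."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    # OpenVPN defaults to udp; 'tcp-server'/'tcp-client' normalise to plain 'tcp'
    if s.get("proto", ["udp"])[0].split("-")[0] != c.get("proto", ["udp"])[0].split("-")[0]:
        problems.append("proto differs between server and client")
    if ("tls-auth" in s) != ("tls-auth" in c):
        problems.append("tls-auth on one side only: the side that has it will report 'cannot locate HMAC'")
    elif "tls-auth" in s:
        # tls-auth FILE [DIRECTION]; no DIRECTION on both sides means one shared bidirectional key
        sd, cd = (a[1] if len(a) > 1 else None for a in (s["tls-auth"], c["tls-auth"]))
        if not (sd is None and cd is None) and {sd, cd} != {"0", "1"}:
            problems.append(f"tls-auth key directions server={sd!r} client={cd!r} are not complementary (0 and 1)")
    # The key file itself is not compared here: both sides must hold an identical ta.key
    return problems
```

An empty list means the pair passes these checks; the contents of ta.key on the two machines still have to match byte for byte.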