[Openvpn-users] tls-auth and TCP


  • Subject: [Openvpn-users] tls-auth and TCP
  • From: Medvidek Pu <Pu.Medvidek@xxxxxxxxx>
  • Date: Wed, 13 Jun 2007 11:20:02 +0200 (CEST)

Hi,

thanks for the wonderful OpenVPN! I've just configured it and it works very well. Still, I have one question: is it possible to use tls-auth and TCP together?

I've got a working configuration that uses tls-auth and UDP. The TCP configuration is the same (it differs only in the protocol), and the client configuration is the same as well (it also differs only in the protocol), but the following appears in the server log:

Wed Jun 13 10:19:13 2007 xx.xx.xx.xx:1054 TLS: Initial packet from xx.xx.xx.xx:1054, sid=37b23432 ba70ab1e
Wed Jun 13 10:19:45 2007 xx.xx.xx.xx:1054 Authenticate/Decrypt packet error: packet HMAC authentication failed
Wed Jun 13 10:19:45 2007 xx.xx.xx.xx:1054 TLS Error: incoming packet authentication failed from xx.xx.xx.xx:1054
Wed Jun 13 10:19:45 2007 xx.xx.xx.xx:1054 Fatal TLS error (check_tls_errors_co), restarting
Wed Jun 13 10:19:45 2007 xx.xx.xx.xx:1054 SIGUSR1[soft,tls-error] received, client-instance restarting

The client log reads:

TLS: initial packet sent ...
VERIFY OK ...
Connection reset, restarting

I'm using the following configuration.

SERVER (Linux)

local 10.10.0.2
port <server-port>
mode server
tls-server
proto tcp
dev tun
server 10.10.1.0 255.255.255.0
push "route 10.10.0.2 255.255.255.0"
duplicate-cn
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
log-append /var/log/openvpn
status /var/run/openvpn/vpn.status 10
comp-lzo
verb 3
client-config-dir /etc/openvpn/ccd
ccd-exclusive
persist-tun
persist-key
tls-auth /etc/openvpn/key.txt 0

CLIENT (Windows)

client
dev tun
proto tcp
remote <server-ip> <server-port>
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert my.crt
key my.key
tls-auth key.txt 1
comp-lzo
verb 3
mute 20

Please, can you check whether it is set up reasonably? Have I missed something important?

- I've checked several times that key.txt is really the same text file on both the client and the server (created with --genkey; created on Linux first and distributed to the clients, later recreated on a Windows client and copied to the server).
- The <server-ip> and <server-port> replace the real server IP and port.
- The client configuration files are empty. Their only purpose is to limit the set of users with a certificate that can connect to the VPN.

Some positive information:
- When the tls-auth option is commented out, the client connects and everything works fine.
- When the tls-auth option is set and the protocol is UDP, the client connects and everything works fine. (The UDP configuration also has keepalive 10 120 set on both the server and the client, but I've discovered that the keepalive option on the client prevents the TCP connection even when tls-auth is disabled.)

I would appreciate any help.

Thank you
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
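The server log above reports "packet HMAC authentication failed", which is the tls-auth HMAC check on the control channel rejecting the first packet. Two things a defender would verify before looking at the protocol are that both sides really hold the same 2048-bit static key (a key copied between Linux and Windows can differ in line endings, and a hand-edited copy can lose hex digits) and that the two direction parameters (0 on the server, 1 on the client) select complementary HMAC keys. The script below is an added example written for this post, not code from the poster or from the OpenVPN project. It parses the OpenVPN static key V1 text format while ignoring CRLF/LF differences and comments, splits the key into the four 64-byte segments that OpenVPN's key2 structure uses (cipher and HMAC halves for key 0 and key 1, an assumption based on my reading of the OpenVPN source), applies the direction rule (direction 0 sends with key 0 and receives with key 1, direction 1 the reverse, also an assumption stated in the comments), and then confirms with HMAC-SHA1 (the tls-auth default) that a tag computed with the server's send key verifies under the client's receive key. The sample keys and packet are constructed; they are not real keys.

```python
import hashlib
import hmac
import re

KEY_BYTES = 256  # a 2048-bit OpenVPN static key
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"


def render_static_key(key: bytes, newline: str = "\n") -> str:
    """Write key bytes in the OpenVPN static key V1 text layout (16 lines of
    32 hex digits). Used here only to build constructed sample files."""
    h = key.hex()
    lines = ["#", "# 2048 bit OpenVPN static key", "#", BEGIN]
    lines += [h[i:i + 32] for i in range(0, len(h), 32)]
    lines.append(END)
    return newline.join(lines) + newline


def parse_static_key(text: str) -> bytes:
    """Return the 256 key bytes from a static key file, tolerating CRLF or LF
    line endings, comment lines and stray whitespace. Rejects anything that
    is not exactly 512 hex digits, which catches truncated copies."""
    body, inside = [], False
    for line in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        s = line.strip()
        if s == BEGIN:
            inside = True
        elif s == END:
            inside = False
        elif inside and s and not s.startswith("#"):
            body.append(s)
    hexstr = "".join(body)
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % (KEY_BYTES * 2), hexstr):
        raise ValueError("not a 2048-bit static key: %d hex digits" % len(hexstr))
    return bytes.fromhex(hexstr)


def hmac_keys(key: bytes, direction: int) -> tuple:
    """Return (send_hmac_key, recv_hmac_key) for one tls-auth endpoint.
    Assumed layout of OpenVPN's key2 structure: key 0 = bytes 0..127
    (cipher 0..63, HMAC 64..127); key 1 = bytes 128..255 (HMAC 192..255).
    Assumed direction rule: 0 sends with key 0 / receives with key 1,
    1 sends with key 1 / receives with key 0."""
    k0_hmac, k1_hmac = key[64:128], key[192:256]
    return (k0_hmac, k1_hmac) if direction == 0 else (k1_hmac, k0_hmac)


def tls_auth_tag(hmac_key: bytes, packet: bytes) -> bytes:
    """HMAC-SHA1 tag as tls-auth computes it by default. OpenVPN uses only
    the first digest-size (20) bytes of the 64-byte HMAC segment (assumption)."""
    return hmac.new(hmac_key[:hashlib.sha1().digest_size], packet, hashlib.sha1).digest()


def check_pair(server_file: str, server_dir: int, client_file: str, client_dir: int) -> dict:
    """Tell whether two key files and direction settings would let each side
    authenticate the other's control packets."""
    s_key, c_key = parse_static_key(server_file), parse_static_key(client_file)
    s_send, s_recv = hmac_keys(s_key, server_dir)
    c_send, c_recv = hmac_keys(c_key, client_dir)
    packet = b"\x38" + b"constructed control-channel payload"  # constructed sample
    return {
        "same_key_file": s_key == c_key,
        "server_to_client_ok": hmac.compare_digest(tls_auth_tag(s_send, packet),
                                                   tls_auth_tag(c_recv, packet)),
        "client_to_server_ok": hmac.compare_digest(tls_auth_tag(c_send, packet),
                                                   tls_auth_tag(s_recv, packet)),
    }


# Constructed sample keys: a Linux copy (LF) and the same key as copied to
# Windows (CRLF), plus a different key to show a genuine mismatch.
KEY_A = bytes(range(256))
KEY_B = bytes((b * 7 + 3) & 0xFF for b in range(256))
LINUX_FILE = render_static_key(KEY_A, "\n")
WINDOWS_FILE = render_static_key(KEY_A, "\r\n")
OTHER_FILE = render_static_key(KEY_B)

if __name__ == "__main__":
    print("server 0 / client 1, same key:", check_pair(LINUX_FILE, 0, WINDOWS_FILE, 1))
    print("server 0 / client 0, same key:", check_pair(LINUX_FILE, 0, WINDOWS_FILE, 0))
    print("server 0 / client 1, different key:", check_pair(LINUX_FILE, 0, OTHER_FILE, 1))
```

Run against real key files by reading them into strings and calling check_pair with the directions from each side's tls-auth line: a result of same_key_file True with both *_ok False points at a direction mismatch (both sides using the same number), while same_key_file False means the copies differ even if they look alike in an editor, which parse_static_key will also flag when a copy lost digits.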