How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT


stevetoza

Dabbler
Joined
Jan 6, 2017
Messages
20
Hi All,

Wondering if someone can help me get this working. I have been through the guide and forum posts but am still stuck.

When connecting to the server it just sits there; in the logs on the server I can see

Code:
TLS Error: cannot locate HMAC in incoming packet from [AF_INET6]::ffff:87.101.157.243:55173
IP Changed for security

ipfw list

Code:
[root@openvpn_1 /]# ipfw list
00100 nat 1 ip from 172.16.8.0/24 to any out via epair2b
00200 nat 1 ip from any to any in via epair2b
65535 allow ip from any to any


ifconfig -a

Code:
[root@openvpn_1 /]# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair2b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 46:aa:c7:f6:b5:dd
	inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
	nd6 options=9<PERFORMNUD,IFDISABLED>
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	inet 172.16.8.1 --> 172.16.8.2 netmask 0xffffffff
	nd6 options=9<PERFORMNUD,IFDISABLED>


openvpn.conf

Code:
[root@openvpn_1 /mnt/keys]# cat openvpn.conf
port 10011
proto udp
dev tun
ca ca.crt
cert openvpn-server.crt #Server public key
key openvpn-server.key #Server private key
dh dh.pem #Diffie-Hellman parameters
server 172.16.8.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0" #Yellow network
tls-auth ta.key 0
#crl-verify crl.pem
keepalive 10 120
cipher AES-256-CBC
auth SHA256
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3


openvpn log

Code:
Jan 11 15:23:03 openvpn_1 openvpn[35911]: WARNING: file 'openvpn-server.key' is group or others accessible
Jan 11 15:23:03 openvpn_1 openvpn[35911]: WARNING: file 'ta.key' is group or others accessible
Jan 11 15:23:03 openvpn_1 openvpn[35911]: Current Parameter Settings:
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   config = '/mnt/keys/openvpn.conf'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   mode = 1
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   show_ciphers = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   show_digests = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   show_engines = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   genkey = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   key_pass_file = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   show_tls_ciphers = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   connect_retry_max = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]: Connection profiles [0]:
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   proto = udp
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   local = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   local_port = '10011'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   remote = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   remote_port = '10011'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   remote_float = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   bind_defined = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   bind_local = ENABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   bind_ipv6_only = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   connect_retry_seconds = 5
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   connect_timeout = 120
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   socks_proxy_server = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   socks_proxy_port = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   tun_mtu = 1500
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   tun_mtu_defined = ENABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   link_mtu = 1500
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   link_mtu_defined = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   tun_mtu_extra = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   tun_mtu_extra_defined = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   mtu_discover_type = -1
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   fragment = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   mssfix = 1450
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   explicit_exit_notification = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]: Connection profiles END
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   remote_random = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ipchange = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   dev = 'tun'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   dev_type = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   dev_node = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   lladdr = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   topology = 1
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ifconfig_local = '172.16.8.1'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ifconfig_remote_netmask = '172.16.8.2'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ifconfig_noexec = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ifconfig_nowarn = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ifconfig_ipv6_local = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ifconfig_ipv6_netbits = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ifconfig_ipv6_remote = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   shaper = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   mtu_test = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   mlock = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   keepalive_ping = 10
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   keepalive_timeout = 120
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   inactivity_timeout = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ping_send_timeout = 10
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ping_rec_timeout = 240
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ping_rec_timeout_action = 2
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ping_timer_remote = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   remap_sigusr1 = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   persist_tun = ENABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   persist_local_ip = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   persist_remote_ip = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   persist_key = ENABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   passtos = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   resolve_retry_seconds = 1000000000
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   resolve_in_advance = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   username = 'nobody'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   groupname = 'nobody'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   chroot_dir = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   cd_dir = '/mnt/keys'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   writepid = '/var/run/openvpn.pid'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   up_script = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   down_script = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   down_pre = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   up_restart = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   up_delay = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   daemon = ENABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   inetd = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   log = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   suppress_timestamps = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   machine_readable_output = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   nice = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   verbosity = 4
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   mute = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   gremlin = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   status_file = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   status_file_version = 1
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   status_file_update_freq = 60
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   occ = ENABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   rcvbuf = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   sndbuf = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   sockflags = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   fast_io = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   comp.alg = 2
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   comp.flags = 1
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   route_script = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   route_default_gateway = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   route_default_metric = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   route_noexec = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   route_delay = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   route_delay_window = 30
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   route_delay_defined = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   route_nopull = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   route_gateway_via_dhcp = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   allow_pull_fqdn = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   route 172.16.8.0/255.255.255.0/default (not set)/default (not set)
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   management_addr = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   management_port = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   management_user_pass = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   management_log_history_cache = 250
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   management_echo_buffer_size = 100
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   management_write_peer_info_file = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   management_client_user = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   management_client_group = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   management_flags = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   shared_secret_file = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   key_direction = 1
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ciphername = 'AES-256-CBC'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ncp_enabled = ENABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   authname = 'SHA256'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   prng_hash = 'SHA1'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   prng_nonce_secret_len = 16
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   keysize = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   engine = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   replay = ENABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   mute_replay_warnings = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   replay_window = 64
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   replay_time = 15
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   packet_id_file = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   use_iv = ENABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   test_crypto = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   tls_server = ENABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   tls_client = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   key_method = 2
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ca_file = 'ca.crt'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ca_path = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   dh_file = 'dh.pem'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   cert_file = 'openvpn-server.crt'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   extra_certs_file = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   priv_key_file = 'openvpn-server.key'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   pkcs12_file = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   cipher_list = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   tls_verify = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   tls_export_cert = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   verify_x509_type = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   verify_x509_name = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   crl_file = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ns_cert_type = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   remote_cert_ku = 0
Jan 11 15:23:03 openvpn_1 last message repeated 15 times
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   remote_cert_eku = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ssl_flags = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   tls_timeout = 2
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   renegotiate_bytes = -1
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   renegotiate_packets = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   renegotiate_seconds = 3600
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   handshake_window = 60
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   transition_window = 3600
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   single_session = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   push_peer_info = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   tls_exit = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   tls_auth_file = 'ta.key'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   tls_crypt_file = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   server_network = 172.16.8.0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   server_netmask = 255.255.255.0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   server_network_ipv6 = ::
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   server_netbits_ipv6 = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   server_bridge_ip = 0.0.0.0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   server_bridge_netmask = 0.0.0.0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   server_bridge_pool_start = 0.0.0.0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   server_bridge_pool_end = 0.0.0.0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   push_entry = 'route 192.168.1.0 255.255.255.0'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   push_entry = 'route 172.16.8.1'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   push_entry = 'topology net30'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   push_entry = 'ping 10'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   push_entry = 'ping-restart 120'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ifconfig_pool_defined = ENABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ifconfig_pool_start = 172.16.8.4
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ifconfig_pool_end = 172.16.8.251
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ifconfig_pool_netmask = 0.0.0.0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ifconfig_pool_persist_filename = 'ipp.txt'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ifconfig_pool_persist_refresh_freq = 600
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ifconfig_ipv6_pool_defined = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ifconfig_ipv6_pool_base = ::
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ifconfig_ipv6_pool_netbits = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   n_bcast_buf = 256
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   tcp_queue_limit = 64
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   real_hash_size = 256
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   virtual_hash_size = 256
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   client_connect_script = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   learn_address_script = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   client_disconnect_script = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   client_config_dir = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   ccd_exclusive = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   tmp_dir = '/tmp'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   push_ifconfig_defined = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   push_ifconfig_local = 0.0.0.0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   push_ifconfig_remote_netmask = 0.0.0.0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   push_ifconfig_ipv6_defined = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   push_ifconfig_ipv6_local = ::/0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   push_ifconfig_ipv6_remote = ::
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   enable_c2c = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   duplicate_cn = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   cf_max = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   cf_per = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   max_clients = 1024
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   max_routes_per_client = 256
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   auth_user_pass_verify_script = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   auth_user_pass_verify_script_via_file = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   auth_token_generate = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   auth_token_lifetime = 0
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   port_share_host = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   port_share_port = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   client = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   pull = DISABLED
Jan 11 15:23:03 openvpn_1 openvpn[35911]:   auth_user_pass_file = '[UNDEF]'
Jan 11 15:23:03 openvpn_1 openvpn[35911]: OpenVPN 2.4.0 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan  3 2017
Jan 11 15:23:03 openvpn_1 openvpn[35911]: library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
Jan 11 15:23:03 openvpn_1 openvpn[35912]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Jan 11 15:23:03 openvpn_1 openvpn[35912]: Diffie-Hellman initialized with 2048 bit key
Jan 11 15:23:03 openvpn_1 openvpn[35912]: Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
Jan 11 15:23:03 openvpn_1 openvpn[35912]: ECDH curve secp384r1 added
Jan 11 15:23:03 openvpn_1 openvpn[35912]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Jan 11 15:23:03 openvpn_1 openvpn[35912]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Jan 11 15:23:03 openvpn_1 openvpn[35912]: TLS-Auth MTU parms [ L:1622 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Jan 11 15:23:03 openvpn_1 openvpn[35912]: ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=epair2b HWADDR=46:aa:c7:f6:b5:dd
Jan 11 15:23:03 openvpn_1 openvpn[35912]: TUN/TAP device /dev/tun0 opened
Jan 11 15:23:03 openvpn_1 openvpn[35912]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jan 11 15:23:03 openvpn_1 openvpn[35912]: /sbin/ifconfig tun0 172.16.8.1 172.16.8.2 mtu 1500 netmask 255.255.255.255 up
Jan 11 15:23:03 openvpn_1 openvpn[35912]: /sbin/route add -net 172.16.8.0 172.16.8.2 255.255.255.0
Jan 11 15:23:03 openvpn_1 openvpn[35912]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Jan 11 15:23:03 openvpn_1 openvpn[35912]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Jan 11 15:23:03 openvpn_1 openvpn[35912]: Socket Buffers: R=[42080->42080] S=[9216->9216]
Jan 11 15:23:03 openvpn_1 openvpn[35912]: setsockopt(IPV6_V6ONLY=0)
Jan 11 15:23:03 openvpn_1 openvpn[35912]: UDPv6 link local (bound): [AF_INET6][undef]:10011
Jan 11 15:23:03 openvpn_1 openvpn[35912]: UDPv6 link remote: [AF_UNSPEC]
Jan 11 15:23:03 openvpn_1 openvpn[35912]: GID set to nobody
Jan 11 15:23:03 openvpn_1 openvpn[35912]: UID set to nobody
Jan 11 15:23:03 openvpn_1 openvpn[35912]: MULTI: multi_init called, r=256 v=256
Jan 11 15:23:03 openvpn_1 openvpn[35912]: IFCONFIG POOL: base=172.16.8.4 size=62, ipv6=0
Jan 11 15:23:03 openvpn_1 openvpn[35912]: ifconfig_pool_read(), in='steve.tozer,172.16.8.4', TODO: IPv6
Jan 11 15:23:03 openvpn_1 openvpn[35912]: succeeded -> ifconfig_pool_set()
Jan 11 15:23:03 openvpn_1 openvpn[35912]: IFCONFIG POOL LIST
Jan 11 15:23:03 openvpn_1 openvpn[35912]: steve.tozer,172.16.8.4
Jan 11 15:23:03 openvpn_1 openvpn[35912]: Initialization Sequence Completed
Jan 11 15:25:03 openvpn_1 openvpn[35912]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET6]::ffff:87.104.157.114:64229


Client config

Code:
client
dev tun
proto udp
remote blank.duckdns.org 500
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert steve.tozer.crt
key steve.tozer.key
remote-cert-tls server
cipher AES-256-CBC
tls-auth ta.key 1
#dhcp-option DNS 0.0.0.0
#redirect-gateway def1
comp-lzo
verb 3



Client Logs

Code:
2017-01-11 15:37:42 *Tunnelblick: Established communication with OpenVPN
2017-01-11 15:37:42 OpenVPN 2.3.12 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Nov 17 2016
2017-01-11 15:37:42 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
2017-01-11 15:37:42 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2017-01-11 15:37:42 Need hold release from management interface, waiting...
2017-01-11 15:37:42 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2017-01-11 15:37:42 MANAGEMENT: CMD 'pid'
2017-01-11 15:37:42 MANAGEMENT: CMD 'state on'
2017-01-11 15:37:42 MANAGEMENT: CMD 'state'
2017-01-11 15:37:42 MANAGEMENT: CMD 'bytecount 1'
2017-01-11 15:37:42 MANAGEMENT: CMD 'hold release'
2017-01-11 15:37:42 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-01-11 15:37:42 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
2017-01-11 15:37:42 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-01-11 15:37:42 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-01-11 15:37:42 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-01-11 15:37:42 MANAGEMENT: >STATE:1484149062,RESOLVE,,,
2017-01-11 15:37:42 UDPv4 link local: [undef]
2017-01-11 15:37:42 UDPv4 link remote: [AF_INET]IPADDRESS:500
2017-01-11 15:37:42 MANAGEMENT: >STATE:1484149062,WAIT,,,
2017-01-11 15:37:42 *Tunnelblick: openvpnstart starting OpenVPN
2017-01-11 15:39:43 *Tunnelblick: Disconnecting; notification window disconnect button pressed
2017-01-11 15:39:43 *Tunnelblick: No 'pre-disconnect.sh' script to execute
2017-01-11 15:39:43 *Tunnelblick: Disconnecting using 'kill'
2017-01-11 15:39:43 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2017-01-11 15:39:43 TLS Error: TLS handshake failed
2017-01-11 15:39:43 SIGUSR1[soft,tls-error] received, process restarting
2017-01-11 15:39:43 MANAGEMENT: >STATE:1484149183,RECONNECTING,tls-error,,
2017-01-11 15:39:43 SIGTERM[hard,init_instance] received, process exiting
2017-01-11 15:39:43 MANAGEMENT: >STATE:1484149183,EXITING,init_instance,,
2017-01-11 15:39:43 *Tunnelblick: No 'post-disconnect.sh' script to execute
2017-01-11 15:39:43 *Tunnelblick: Expected disconnection occurred.




Thanks
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Anyone requesting help due to an error needs to post the information I have repeatedly posted about over and over again. Failure to do so will result in few bothering to try and help.

Please see my past posts in this thread to determine what four things need to be included in posts regarding errors.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@zoomzoom Have updated my post with all the config and verbose 4 openvpn log
client config and client log are missing... most likely, you're missing the tls auth key and/or direction
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Updated post with the further info
Client config is missing auth SHA256.
  • If that doesn't solve it:
    1. Stop the server, change proto to tcp, and verb to 4 [server] & 5 [client].
    2. Start server, attempt connection with the client, and once it fails, please repost the logs.
  • I would also verify the permissions and owner of the tls-auth keys, as it's failing due to tls-auth
 
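As an added example (not code from the thread or from OpenVPN), a small Python cross-check of a server/client config pair for the two things raised above: the client-side `auth` digest that must match the server's `auth SHA256` before the tls-auth HMAC can be located, the tls-auth key direction, and the group/others-accessible key files the server log warns about. The embedded configs are constructed to match the shapes posted in the thread (`vpn.example.invalid` is a placeholder host), and the `check_key_files` helper is mine, not an OpenVPN tool.

```python
"""Cross-check OpenVPN server/client configs for the settings that must agree
before tls-auth HMACs verify, and flag key files that are too open."""
import os
import stat

# OpenVPN 2.3/2.4 defaults used when a directive is absent from the config.
DEFAULTS = {"auth": "SHA1", "cipher": "BF-CBC", "proto": "udp", "port": "1194"}

# Constructed samples like the thread's configs (placeholder host); the client lacks auth SHA256 and dials port 500.
SERVER_CONF = """\
port 10011
proto udp
server 172.16.8.0 255.255.255.0 #Purple network
key openvpn-server.key #Server private key
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
"""

CLIENT_CONF = """\
client
proto udp
remote vpn.example.invalid 500
key client.key
cipher AES-256-CBC
tls-auth ta.key 1
comp-lzo
"""


def parse_conf(text):
    """Map each directive to its argument list, dropping '#' and ';' comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            opts[parts[0]] = parts[1:]
    return opts


def effective(opts, key):
    """First argument of a directive, or OpenVPN's default when it is unset."""
    args = opts.get(key)
    return args[0] if args else DEFAULTS.get(key)


def find_mismatches(server, client):
    """Return human-readable mismatches; an empty list means the pair agrees."""
    problems = []
    for key in ("proto", "cipher", "auth"):
        s, c = effective(server, key), effective(client, key)
        if s.lower() != c.lower():
            problems.append(f"{key}: server={s} client={c}")
    # tls-auth must be on both sides; directions are either both omitted
    # (bidirectional key) or 0 on one side and 1 on the other
    s_ta, c_ta = server.get("tls-auth"), client.get("tls-auth")
    if bool(s_ta) != bool(c_ta):
        problems.append("tls-auth: set on only one side")
    elif s_ta and c_ta:
        dirs = {s_ta[1] if len(s_ta) > 1 else None, c_ta[1] if len(c_ta) > 1 else None}
        if dirs not in ({None}, {"0", "1"}):
            problems.append(f"tls-auth direction: server={s_ta[1:]} client={c_ta[1:]}")
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        problems.append("comp-lzo: set on only one side")
    # A differing remote port is fine only if a router forwards it to the server
    remote = client.get("remote", [])
    if len(remote) > 1 and remote[1] != effective(server, "port"):
        problems.append(f"port: client dials {remote[1]}, server listens on "
                        f"{effective(server, 'port')} (ok only if forwarded)")
    return problems


def too_open(mode):
    """True when a key file's mode grants any group or other permission."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def check_key_files(opts, base_dir="."):
    """Warn for each secret referenced by the config that exists and is too open."""
    warnings = []
    for key in ("key", "tls-auth", "tls-crypt", "secret"):
        if not opts.get(key):
            continue
        path = os.path.join(base_dir, opts[key][0])
        try:
            mode = os.stat(path).st_mode
        except FileNotFoundError:
            continue
        if too_open(mode):
            warnings.append(f"{path}: mode {oct(stat.S_IMODE(mode))} is group/others accessible")
    return warnings


if __name__ == "__main__":
    server, client = parse_conf(SERVER_CONF), parse_conf(CLIENT_CONF)
    for line in find_mismatches(server, client) + check_key_files(server):
        print(line)
```

Run it from the directory holding the server's key files to get the permission warnings for real paths; on the embedded samples it reports the missing client `auth SHA256` and the 500 vs 10011 port difference.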

THX

Dabbler
Joined
Dec 6, 2013
Messages
28
@THX Were you able to find the information you needed and learn why you were having issues?
@zoomzoom It seems like the ipfw rules caused my problems. I'm still not sure how this happened, because I disabled ipfw completely once while troubleshooting. Good thing it had nothing to do with openvpn. No ccd option is needed for my kind of setup. I'm happy, since after the time I spent on it everything is now working fine.

I learned some things thanks to you. So thanks again for your effort replying and taking the time to explain so much.
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
@zoomzoom -- I'm kind of lost where to start -- I took a look at your OpenSSL config, however I'm not sure what parts I need out of it -- I'm not running Windows or any Sophos. Do I need an ICA? Do I need 4 certificates? Kind of confused just where to start -- I get the gist of what you're trying to do.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@zoomzoom -- I'm kind of lost where to start -- I took a look at your OpenSSL config, however I'm not sure what parts I need out of it -- I'm not running Windows or any Sophos. Do I need an ICA? Do I need 4 certificates? Kind of confused just where to start -- I get the gist of what you're trying to do.
Instructions & commands begin at line 500. You may also wish to glance at the Encryption section of my OpenVPN wiki on OpenWrt if you still don't understand things, as I wrote that wiki with KISS in mind.

Sent from my Pixel XL using Tapatalk
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
Thanks -- I'll walk through it -- however it's not exactly a cookbook, as you would call it -- at least for a beginner. I'll also have to find a different firewall script. Do I really need an ICA for personal use?
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Thanks -- I'll walk through it -- however it's not exactly a cookbook, as you would call it -- at least for a beginner. I'll also have to find a different firewall script. Do I really need an ICA for personal use?
I'm not sure why you would need a different firewall script, as that has nothing to do with creating and using certs/openssl.

If you take the time to read it, it's extremely easy, and is broken down completely; however, I can't force users to read. You can lead a horse to water, but you can't force it to drink.
  • If you back out of the config on GitHub to the containing folder, you'll find an OpenSSL Notepad++ language xml that I encourage all, especially those who've never used an openssl.cnf, to utilize.
  • Much the same as running an OpenVPN server and client requires some basic research to be performed on the user's end, so does utilizing an openssl.cnf. The OpenWrt wiki I wrote employed KISS and breaks things down even further than in the 364 lines of comments in my openssl.cnf.
Yes, for security and user convenience purposes, it's recommended to utilize a self-signed CA that signs a self-created ICA. This thread is not about OpenSSL, however, and everything I've mentioned thus far is extremely easy to discover with a simple Google search.
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
I'm not here to fight, but making comments like "you can lead a horse to water but can't make it drink" is really not very helpful. You do realize on your wiki webpage you link to the official OpenVPN site with instructions that use easy-rsa to generate the keys, right? I've looked at your Notepad++ script (I don't have a Windows machine); however, I still believe I could use your openssl.conf file. Within the conf file, however, there are a bunch of sections with various variables -- many of which I don't think are applicable to my situation -- however they might be -- I'm not certain. I keep asking about an intermediate CA and I've yet to discover an answer regarding the question.

Thank you for your time. I don't want to waste any more of yours.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I'm not here to fight, but making comments like "you can lead a horse to water but can't make it drink" is really not very helpful. You do realize on your wiki webpage you link to the official OpenVPN site with instructions that use easy-rsa to generate the keys, right? I've looked at your Notepad++ script (I don't have a Windows machine); however, I still believe I could use your openssl.conf file. Within the conf file, however, there are a bunch of sections with various variables -- many of which I don't think are applicable to my situation -- however they might be -- I'm not certain. I keep asking about an intermediate CA and I've yet to discover an answer regarding the question.
Yes, I'm obviously well aware of what my wiki links to as I'm the one who wrote it...

If you don't utilize Windows, then all you need to do is follow the wiki as written, dismissing commands that are for OpenWrt only.
  • The Notepad++ language xml is recommended for those using Windows, as most don't know what PowerShell ISE is, let alone how to access or use it (Linux natively supports smart highlighting).
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
I'm getting the errors below on the main screen of my FreeNAS:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) and
TLS Error: TLS handshake failed

my openvpn.conf file
Code:
port 10011
proto udp
dev tun
ca ca.crt
cert openvpn-server.crt #Server public key
key openvpn-server.key #Server private key
dh dh.pem #Diffie-Hellman parameters
server 172.16.8.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0" #Yellow network
tls-auth ta.key 0
#crl-verify crl.pem
keepalive 10 120
cipher AES-256-CBC
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3

Any idea how to fix this? The VPN does work, btw.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@NasKar Please first perform the steps in Post1, then reply back with the information in Post2
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
@NasKar Please first perform the steps in Post1, then reply back with the information in Post2
iPhone log
Code:
2017-02-08 19:18:01 NET Internet:ReachableViaWiFi/-R t------
2017-02-08 19:18:01 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
2017-02-08 19:18:01 Session is ACTIVE
2017-02-08 19:18:01 EVENT: GET_CONFIG
2017-02-08 19:18:01 Sending PUSH_REQUEST to server...
2017-02-08 19:18:01 OPTIONS:
0 [route] [192.168.1.0] [255.255.255.0]
1 [route] [172.16.8.1]
2 [topology] [net30]
3 [ping] [10]
4 [ping-restart] [120]
5 [ifconfig] [172.16.8.6] [172.16.8.5]

2017-02-08 19:18:01 PROTOCOL OPTIONS:
  cipher: AES-256-CBC
  digest: SHA1
  compress: LZO
  peer ID: -1
2017-02-08 19:18:01 EVENT: ASSIGN_IP
2017-02-08 19:18:01 Connected via tun
2017-02-08 19:18:01 LZO-ASYM init swap=0 asym=0
2017-02-08 19:18:01 EVENT: CONNECTED @external.ddns.net:443 (external.IP) via /TCPv4 on tun/172.16.8.6/ gw=[172.16.8.5/]
2017-02-08 19:18:01 SetStatus Connected


ipfw.rules
Code:
#!/bin/sh
# ipfw NAT for the OpenVPN jail: masquerade the tunnel subnet (172.16.8.0/24)
# behind the jail's epair interface so VPN clients can reach the LAN.

# The jail's vnet interface (epairNb); assumes there is exactly one epair in the jail
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush                                   # start from an empty ruleset
ipfw -q nat 1 config if ${EPAIR}                   # NAT instance 1 uses the epair's address
ipfw -q add nat 1 all from 172.16.8.0/24 to any out via ${EPAIR}   # translate outbound VPN traffic
ipfw -q add nat 1 all from any to any in via ${EPAIR}              # untranslate replies coming back in

# Give whatever tun device the jail was handed a stable name for openvpn.conf
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0



openvpn.conf
Code:
port 10011
proto tcp
dev tun
ca ca.crt
cert openvpn-server.crt #Server public key
key openvpn-server.key #Server private key
dh dh.pem #Diffie-Hellman parameters
server 172.16.8.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0" #Yellow network
tls-auth ta.key 0
#crl-verify crl.pem
keepalive 10 120
cipher AES-256-CBC
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 4


iphone.conf
Code:
client
dev tun
proto tcp
remote external.ddns.net 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert NasKar.crt
key NasKar.key
remote-cert-tls server
cipher AES-256-CBC
tls-auth ta.key 1
#dhcp-option DNS 0.0.0.0
#redirect-gateway def1
comp-lzo
verb 5


Can't seem to find my openvpn server log. Can you tell me it's location?
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@NasKar Likely in /var; however, if not, you'll need to specify it in your server config: log /var/openvpn.log
  • My hunch says it's likely a time-related issue... add to server config: push 'dhcp-option NTP 129.6.15.30'
    • This is the NTP server for NIST; however, if you reside outside the US, you'll likely want to utilize a reputable NTP server that's near you.
Also:
  • Your TLS cipher is not a secure cipher; however, it will depend upon what you're using your VPN for.

  • Was that the entire iPhone log output?
    • If it was, bump up the verbosity to 7, as there should be more output than that. If you didn't stop the server and disconnect the client after making the config changes, please do so, restart/reconnect, then recheck the log: for the verbosity to change, both the client and server must be stopped/disconnected, then restarted/reconnected.
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
@NasKar Likely in /var; however, if not, you'll need to specify it in your server config: log /var/openvpn.log
  • My hunch says it's likely a time-related issue... add to server config: push 'dhcp-option NTP 129.6.15.30'
    • This is the NTP server for NIST; however, if you reside outside the US, you'll likely want to utilize a reputable NTP server that's near you.
Also:
  • Your TLS cipher is not a secure cipher; however, it will depend upon what you're using your VPN for.

  • Was that the entire iPhone log output?
    • If it was, bump up the verbosity to 7, as there should be more output than that. If you didn't stop the server and disconnect the client after making the config changes, please do so, restart/reconnect, then recheck the log: for the verbosity to change, both the client and server must be stopped/disconnected, then restarted/reconnected.
I added the push command and the log /var/openvpn.log to the openvpn.conf file in /mnt/keys/.
Then I restarted the jail from the GUI. Here is the log file.
I use OpenVPN to get access to other jails running Sonarr, Sabnzbd, etc., so I'm guessing it's secure enough.
For the iPhone log, I disconnected and reconnected after the reboot of the OpenVPN jail.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@NasKar Issue:
Code:
Thu Feb  9 17:39:01 2017 us=981450 192.168.1.1:8668 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1563 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Thu Feb  9 17:39:01 2017 us=981465 192.168.1.1:8668 Connection reset, restarting [0]
Thu Feb  9 17:39:01 2017 us=981474 192.168.1.1:8668 SIGUSR1[soft,connection-reset] received, client-instance restarting

I would recommend trying the options below in the server config, and if that doesn't work, seeking help on the OpenVPN forum.
Code:
#--- Connection Speed ---#
sndbuf      393216
rcvbuf      393216
fragment    0
mssfix      0
tun-mtu     48000

#--- Pushed Buffers ---#
push        'sndbuf 393216'
push        'rcvbuf 393216'
  • Single quotes may not be needed with BSD, so if the option errors out in the log, remove them
  • tun-mtu needs to be tuned based upon cipher used
You should be able to come up with the causation via googling: bad encapsulated packet length from peer (5635), which must be > 0 and <= 1563
  • Check out the first returned result and scroll to the very last paragraph.
I would also do some research on why your iPhone is listing a TLS cipher when none has been specified in the server's config. In order for a TLS cipher to be utilized over an SSL cipher, it must be specified in the config of the server (for an example, see my GitHub).
  • Utilizing a TLS cipher, especially an EC TLS cipher, is far faster on encryption/decryption, however the caveat is all keys must be greater than the desired encryption level (i.e. for 2048bit, a 3072bit or 4096bit key would be required)

EDIT: Corrected underscore to dash & TLS cipher specified in the server's config only
 
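The "Bad encapsulated packet length" warning above says the MTU-related options must match on both peers, and tls-auth likewise only works when both sides use the key with opposite directions. As an added example (not code from this thread or from OpenVPN), here is a small Python checker that parses two openvpn.conf bodies and reports such mismatches; the sample configs are the peer-relevant lines of the server and iPhone configs posted above, with the recommended tun-mtu applied on the server side only to show the mismatch it produces.

```python
# Options that OpenVPN requires to be identical on both peers (the warning
# quoted above names tun-mtu/link-mtu; the rest are equally peer-symmetric).
SYMMETRIC_OPTIONS = ("proto", "dev", "cipher", "auth", "comp-lzo",
                     "tun-mtu", "link-mtu", "fragment", "mssfix")

def parse_openvpn_conf(text):
    """Map each option name to its argument list; '#' comments are stripped."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts

def check_peers(server_conf, client_conf):
    """Return human-readable mismatches between a server and a client config."""
    s, c = parse_openvpn_conf(server_conf), parse_openvpn_conf(client_conf)
    issues = []
    for opt in SYMMETRIC_OPTIONS:
        if opt in s or opt in c:
            sv, cv = s.get(opt, ["<unset>"]), c.get(opt, ["<unset>"])
            if sv != cv:
                issues.append(f"{opt}: server={' '.join(sv)} client={' '.join(cv)}")
    # tls-auth must be on both sides; if a key direction is given, 0 and 1
    # must be used on opposite peers.
    st, ct = s.get("tls-auth"), c.get("tls-auth")
    if (st is None) != (ct is None):
        issues.append("tls-auth: enabled on only one peer")
    elif st and ct:
        sd, cd = st[1:2], ct[1:2]
        if bool(sd) != bool(cd):
            issues.append("tls-auth: key direction given on only one peer")
        elif sd and sd == cd:
            issues.append(f"tls-auth: both peers use key direction {sd[0]}")
    return issues

# Constructed sample input: the peer-relevant lines of the configs posted in
# this thread, plus (SERVER_TUNED) the suggested tun-mtu applied on the server only.
SERVER_CONF = "proto tcp\ndev tun\ntls-auth ta.key 0\ncipher AES-256-CBC\ncomp-lzo\n"
CLIENT_CONF = "proto tcp\ndev tun\ntls-auth ta.key 1\ncipher AES-256-CBC\ncomp-lzo\n"
SERVER_TUNED = SERVER_CONF + "tun-mtu 48000  # from the recommended block\n"

if __name__ == "__main__":
    print("as posted:   ", check_peers(SERVER_CONF, CLIENT_CONF))
    print("with tun-mtu:", check_peers(SERVER_TUNED, CLIENT_CONF))
```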