Dear all, I'm in trouble with the config. I created the VPN as described in the first post (tested twice), but this is the result when a client tries to connect to the FreeNAS VPN (no response from the server at all):
TLS Error: cannot locate HMAC in incoming packet from [AF_INET6]::ffff:192.168.10.7:64273
Commenting out tls-auth on both client and server, I was able to connect to the VPN, but I'm stuck on the client: I cannot reach the FreeNAS IP or the FreeNAS share, and on the server I see a lot of the following error:
user.name/192.168.10.7 Authenticate/Decrypt packet error: packet HMAC authentication failed
Please help, I'm going crazy.
Server Config:
port 1195
proto udp
dev tun
ca ca.crt
cert openvpn-server.crt
key openvpn-server.key
dh dh.pem
server 172.16.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.10.0 255.255.255.0"
#tls-auth ta.key 0
#crl-verify crl.pem
keepalive 10 120
cipher AES-256-CBC
auth SHA256
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3
Client Config:
client
dev tun
proto udp
remote 192.168.10.100 1195
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user.name.crt
key user.name.key
remote-cert-tls server
cipher AES-256-CBC
#tls-auth ta.key 1
#dhcp-option DNS 192.168.10.1
#redirect-gateway def1
comp-lzo
verb 3
The Firewall:
[root@OpenVPN /mnt/keys]# ipfw list
00100 nat 1 ip from 172.16.8.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any
My network:
FreeNAS 192.168.10.128
OpenVPN Jail: 192.168.10.100
[root@OpenVPN /mnt/keys]# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 92:5b:27:f8:a1:07
inet 192.168.10.100 netmask 0xffffff00 broadcast 192.168.10.255
nd6 options=9<PERFORMNUD,IFDISABLED>
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
nd6 options=9<PERFORMNUD,IFDISABLED>
Then the complete OpenVPN Server Log (start and connecting client):
root@OpenVPN:/mnt/keys # openvpn --config /mnt/keys/openvpn.conf
Mon Apr 17 07:32:30 2017 OpenVPN 2.4.1 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Apr 13 2017
Mon Apr 17 07:32:30 2017 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.10
Mon Apr 17 07:32:30 2017 Diffie-Hellman initialized with 2048 bit key
Mon Apr 17 07:32:30 2017 Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
Mon Apr 17 07:32:30 2017 ECDH curve secp384r1 added
Mon Apr 17 07:32:30 2017 ROUTE_GATEWAY 192.168.10.1/255.255.255.0 IFACE=epair0b HWADDR=92:5b:27:f8:a1:07
Mon Apr 17 07:32:30 2017 TUN/TAP device /dev/tun0 opened
Mon Apr 17 07:32:30 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Apr 17 07:32:30 2017 /sbin/ifconfig tun0 172.16.8.1 172.16.8.2 mtu 1500 netmask 255.255.255.255 up
Mon Apr 17 07:32:30 2017 /sbin/route add -net 172.16.8.0 172.16.8.2 255.255.255.0
add net 172.16.8.0: gateway 172.16.8.2
Mon Apr 17 07:32:30 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET6
Mon Apr 17 07:32:30 2017 Socket Buffers: R=[42080->42080] S=[9216->9216]
Mon Apr 17 07:32:30 2017 setsockopt(IPV6_V6ONLY=0)
Mon Apr 17 07:32:30 2017 UDPv6 link local (bound): [AF_INET6][undef]:1195
Mon Apr 17 07:32:30 2017 UDPv6 link remote: [AF_UNSPEC]
Mon Apr 17 07:32:30 2017 GID set to nobody
Mon Apr 17 07:32:30 2017 UID set to nobody
Mon Apr 17 07:32:30 2017 MULTI: multi_init called, r=256 v=256
Mon Apr 17 07:32:30 2017 IFCONFIG POOL: base=172.16.8.4 size=62, ipv6=0
Mon Apr 17 07:32:30 2017 ifconfig_pool_read(), in='user.name,172.16.8.4', TODO: IPv6
Mon Apr 17 07:32:30 2017 succeeded -> ifconfig_pool_set()
Mon Apr 17 07:32:30 2017 IFCONFIG POOL LIST
Mon Apr 17 07:32:30 2017 user.name,172.16.8.4
Mon Apr 17 07:32:30 2017 Initialization Sequence Completed
Mon Apr 17 07:33:13 2017 192.168.10.7 TLS: Initial packet from [AF_INET6]::ffff:192.168.10.7:54855, sid=36b9e2d0 5d983149
Mon Apr 17 07:33:13 2017 192.168.10.7 VERIFY OK: depth=1, CN=Studio CA
Mon Apr 17 07:33:13 2017 192.168.10.7 VERIFY OK: depth=0, CN=user.name
Mon Apr 17 07:33:13 2017 192.168.10.7 peer info: IV_VER=2.3.14
Mon Apr 17 07:33:13 2017 192.168.10.7 peer info: IV_PLAT=win
Mon Apr 17 07:33:13 2017 192.168.10.7 peer info: IV_PROTO=2
Mon Apr 17 07:33:13 2017 192.168.10.7 peer info: IV_GUI_VER=OpenVPN_GUI_10
Mon Apr 17 07:33:13 2017 192.168.10.7 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1558'
Mon Apr 17 07:33:13 2017 192.168.10.7 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Mon Apr 17 07:33:13 2017 192.168.10.7 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 17 07:33:13 2017 192.168.10.7 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Apr 17 07:33:13 2017 192.168.10.7 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 17 07:33:13 2017 192.168.10.7 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Apr 17 07:33:13 2017 192.168.10.7 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Apr 17 07:33:13 2017 192.168.10.7 [user.name] Peer Connection Initiated with [AF_INET6]::ffff:192.168.10.7:54855
Mon Apr 17 07:33:13 2017 user.name/192.168.10.7 MULTI_sva: pool returned IPv4=172.16.8.6, IPv6=(Not enabled)
Mon Apr 17 07:33:13 2017 user.name/192.168.10.7 MULTI: Learn: 172.16.8.6 -> user.name/192.168.10.7
Mon Apr 17 07:33:13 2017 user.name/192.168.10.7 MULTI: primary virtual IP for user.name/192.168.10.7: 172.16.8.6
Mon Apr 17 07:33:16 2017 user.name/192.168.10.7 PUSH: Received control message: 'PUSH_REQUEST'
Mon Apr 17 07:33:16 2017 user.name/192.168.10.7 SENT CONTROL [user.name]: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,route 172.16.8.1,topology net30,ping 10,ping-restart 120,ifconfig 172.16.8.6 172.16.8.5,peer-id 0' (status=1)
Mon Apr 17 07:33:16 2017 user.name/192.168.10.7 Authenticate/Decrypt packet error: packet HMAC authentication failed
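The server log above already names the mismatch: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'. The server config sets auth SHA256, the client config has no auth line, and OpenVPN's default digest is SHA1, so every data-channel packet fails HMAC authentication. The same --auth digest is also what tls-auth uses for its control-channel HMAC, which is why the tls-auth variant failed earlier with "cannot locate HMAC". The following script is an added example, not part of the forum post or of OpenVPN itself: it parses a server and a client config, applies OpenVPN's documented defaults for omitted directives, reports auth/cipher mismatches and tls-auth presence or key-direction errors, and pulls the "used inconsistently" warnings out of a log. The embedded config and log strings are constructed copies of the ones in the post; the cipher default assumes no cipher negotiation, which matches the 2.3.14 client shown in the log.

```python
"""Added example (not from the forum post): cross-check an OpenVPN server and
client config for the mismatches that produce 'packet HMAC authentication
failed' and, with tls-auth enabled, 'cannot locate HMAC in incoming packet'.

SERVER_CONF / CLIENT_CONF / SERVER_LOG are constructed copies of what the
post shows.  DEFAULTS holds the values OpenVPN 2.3/2.4 use when a directive
is omitted and no cipher negotiation applies (the client here is 2.3.14)."""
import re

DEFAULTS = {"auth": "SHA1", "cipher": "BF-CBC"}

SERVER_CONF = """
port 1195
proto udp
dev tun
server 172.16.8.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
#tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
"""

CLIENT_CONF = """
client
dev tun
proto udp
remote 192.168.10.100 1195
remote-cert-tls server
cipher AES-256-CBC
#tls-auth ta.key 1
comp-lzo
"""

SERVER_LOG = """
Mon Apr 17 07:33:13 2017 192.168.10.7 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1558'
Mon Apr 17 07:33:13 2017 192.168.10.7 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Mon Apr 17 07:33:16 2017 user.name/192.168.10.7 Authenticate/Decrypt packet error: packet HMAC authentication failed
"""

WARN_RE = re.compile(
    r"WARNING: '([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'")


def parse_config(text):
    """Map each directive to its argument list.  '#' and ';' start comments,
    so a commented-out 'tls-auth' counts as absent.  Last occurrence wins."""
    cfg = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            tok = line.split()
            cfg[tok[0]] = tok[1:]
    return cfg


def effective(cfg, key):
    """Value actually in use: the configured one, else OpenVPN's default."""
    args = cfg.get(key)
    return args[0] if args else DEFAULTS.get(key)


def key_direction(cfg):
    """tls-auth key direction: inline second argument, else 'key-direction'."""
    ta = cfg.get("tls-auth") or []
    if len(ta) > 1:
        return ta[1]
    kd = cfg.get("key-direction")
    return kd[0] if kd else None


def check_configs(server_text, client_text):
    """Return human-readable findings for every mismatch that would make the
    peers' HMAC or cipher settings disagree; an empty list means consistent."""
    s, c = parse_config(server_text), parse_config(client_text)
    findings = []
    s_ta, c_ta = "tls-auth" in s, "tls-auth" in c
    for key in ("auth", "cipher"):
        sv, cv = effective(s, key), effective(c, key)
        if sv.upper() != cv.upper():
            msg = f"{key}: server={sv} client={cv}"
            if key not in c:
                msg += " (client default)"
            # tls-auth derives its control-channel HMAC from the same --auth
            # digest, so an auth mismatch also breaks the tls-auth check.
            if key == "auth" and s_ta and c_ta:
                msg += " (also breaks tls-auth HMAC)"
            findings.append(msg)
    if s_ta != c_ta:
        findings.append("tls-auth: enabled on only one side")
    elif s_ta and c_ta:
        sd, cd = key_direction(s), key_direction(c)
        if {sd, cd} != {"0", "1"}:
            findings.append(f"tls-auth: key directions {sd}/{cd} must be 0 and 1")
    return findings


def inconsistency_warnings(log_text):
    """Pull the (option, local, remote) triples OpenVPN logs at verb 3 when
    the two peers' option strings disagree."""
    return [m.groups() for m in WARN_RE.finditer(log_text)]


if __name__ == "__main__":
    for f in check_configs(SERVER_CONF, CLIENT_CONF):
        print("config:", f)
    for opt, local, remote in inconsistency_warnings(SERVER_LOG):
        print(f"log: {opt} local={local!r} remote={remote!r}")
```

Run against the two configs from the post the checker reports only the auth line (server SHA256 versus the client's SHA1 default); adding auth SHA256 to the client config clears it, and with tls-auth re-enabled on both sides the same line is what keeps the key directions 0 and 1 from working until the digests agree. The log parser is the quicker check when you only have server output: any "is used inconsistently" warning for auth, cipher, or tls-auth is a configuration mismatch, not a network problem.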