SOLVED Help needed with OpenVPN on FreeNAS-11.0-U2 jail


danny2001k (Cadet, joined Aug 23, 2017):
Hello guys, I tried to install OpenVPN using the tutorial here: https://forums.freenas.org/index.ph...-6-with-access-to-remote-hosts-via-nat.22873/

I have done it twice already but can't get it to work.
My setup is:
Router: 192.168.0.1
OpenVPN jail IP: 192.168.0.4
NAT 172.16.8.0/24
Port 443 forwarded from the public address to 192.168.0.4:443

Error from cat /var/log/messages
Aug 23 12:24:10 vpn openvpn[7893]: WARNING: file 'ta.key' is group or others accessible
Aug 23 12:24:10 vpn openvpn[7893]: OpenVPN 2.4.3 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Aug 22 2017
Aug 23 12:24:10 vpn openvpn[7893]: library versions: OpenSSL 1.0.2j-freebsd 26 Sep 2016, LZO 2.10
Aug 23 12:24:10 vpn openvpn[8018]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Aug 23 12:24:10 vpn openvpn[8018]: Diffie-Hellman initialized with 2048 bit key
Aug 23 12:24:10 vpn openvpn[8018]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Aug 23 12:24:10 vpn openvpn[8018]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Aug 23 12:24:10 vpn openvpn[8018]: ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=epair2b HWADDR=5a:75:3a:0b:ce:11
Aug 23 12:24:10 vpn openvpn[8018]: TUN/TAP device /dev/tun0 opened
Aug 23 12:24:10 vpn openvpn[8018]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Aug 23 12:24:10 vpn openvpn[8018]: /sbin/ifconfig tun0 172.16.8.1 172.16.8.2 mtu 1500 netmask 255.255.255.255 up
Aug 23 12:24:10 vpn openvpn[8018]: /sbin/route add -net 172.16.8.0 172.16.8.2 255.255.255.0
Aug 23 12:24:10 vpn openvpn[8018]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Aug 23 12:24:10 vpn openvpn[8018]: Socket Buffers: R=[42080->42080] S=[9216->9216]
Aug 23 12:24:10 vpn openvpn[8018]: setsockopt(IPV6_V6ONLY=0)
Aug 23 12:24:10 vpn openvpn[8018]: UDPv6 link local (bound): [AF_INET6][undef]:443
Aug 23 12:24:10 vpn openvpn[8018]: UDPv6 link remote: [AF_UNSPEC]
Aug 23 12:24:10 vpn openvpn[8018]: GID set to nobody
Aug 23 12:24:10 vpn openvpn[8018]: UID set to nobody
Aug 23 12:24:10 vpn openvpn[8018]: MULTI: multi_init called, r=256 v=256
Aug 23 12:24:10 vpn openvpn[8018]: IFCONFIG POOL: base=172.16.8.4 size=62, ipv6=0
Aug 23 12:24:10 vpn openvpn[8018]: IFCONFIG POOL LIST
Aug 23 12:24:10 vpn openvpn[8018]: Initialization Sequence Completed
Aug 23 12:27:04 vpn openvpn[8018]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET6]::ffff:192.168.0.1:61799
Aug 23 12:27:35 vpn last message repeated 4 times


Files:

openvpn.conf:
port 443
proto udp
dev tun
ca ca.crt
cert openvpn-server.crt #Server public key
key openvpn-server.key #Server private key
dh dh.pem #Diffie-Hellman parameters
server 172.16.8.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0" #Yellow network
tls-auth ta.key 0
#crl-verify crl.pem
keepalive 10 120
cipher AES-256-CBC
auth SHA256
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3


client .ovpn:
client
dev tun
proto udp
remote myddns.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert danny.vpn.crt
key danny.vpn.key
remote-cert-tls server
cipher AES-256-CBC
tls-auth ta.key 1
#dhcp-option DNS 0.0.0.0
#redirect-gateway def1
comp-lzo
verb 3


ps aux:

USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 11593 0.0 0.0 10472 1888 - SsJ 12:37 0:00.01 /usr/sbin/syslogd -s
nobody 11632 0.0 0.1 20392 4176 - SsJ 12:37 0:00.02 /usr/local/sbin/openvpn --cd /mnt/keys --daemon openvpn --config /mnt/keys/openvpn.conf
root 11664 0.0 0.0 12564 1804 - SsJ 12:37 0:00.00 /usr/sbin/cron -s
root 11706 0.0 0.0 19676 3024 0 SJ 12:37 0:00.02 tcsh
root 13110 0.0 0.0 21244 1948 0 R+J 13:03 0:00.00 ps aux


sockstat -4 -l

USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
nobody openvpn 11632 6 udp46 *:443 *:*
root syslogd 11593 7 udp4 *:514 *:*


ipfw list
00100 nat 1 ip from 172.16.8.0/24 to any out via epair2b
00200 nat 1 ip from any to any in via epair2b
65535 allow ip from any to any
 

m0nkey_ (MVP, joined Oct 27, 2015):
Sounds like the tls-auth (TA key) doesn't match on the server and client.

Comment out the tls-auth lines from both server and client and restart. If you can then make a connection, you may want to regenerate your TA key.
 

danny2001k:
Yes, this was it. I commented out tls-auth from server and client and the connection worked.

The question is now, what is wrong with the ta.key?
I deleted the old key and generated a new one with openvpn --genkey --secret ta.key, copied it into the server folder (in the correct location, as I got a message when OpenVPN loaded: WARNING: file 'ta.key' is group or others accessible) and also onto the client device, and again got the same error: TLS Error: cannot locate HMAC in incoming packet from [AF_INET6]::ffff:213.223.83.51:16674

Any ideas? Or is this more of an OpenVPN question that I should address on their support website?
 