
I am trying to connect a laptop running Windows 10 to an Ubuntu 16.04 server running OpenVPN.

The client keeps getting this error:

 MANAGEMENT: >STATE:1491498025,WAIT,,,,,,
 Connection reset, restarting [0]
 SIGUSR1[soft,connection-reset] received, process restarting
 MANAGEMENT: >STATE:1491498025,RECONNECTING,connection-reset,,

I followed this guide to set up OpenVPN. Everything is default except I changed to port 443 and tcp.

On the server I am seeing this error from `systemctl status openvpn@server`:

 ovpn-server[4627]: [IP ADDR] Fatal TLS error (check_tls_errors_co), restarting
 ovpn-server[4627]: [IP ADDR] SIGUSR1[soft,tls-error] received, client-instance restarting
 ovpn-server[4627]: TCP connection established with [AF_INET][IP ADDR]
 ovpn-server[4627]: [IP ADDR] TLS: Initial packet from [AF_INET][IP ADDR], sid=5bf6806d 9c9b6639
 ovpn-server[4627]:[IP ADDR] Authenticate/Decrypt packet error: packet HMAC authentication failed
 ovpn-server[4627]: [IP ADDR] TLS Error: incoming packet authentication failed from [AF_INET][IP ADDR]
 ovpn-server[4627]: [IP ADDR] Fatal TLS error (check_tls_errors_co), restarting
 ovpn-server[4627]: [IP ADDR] SIGUSR1[soft,tls-error] received, client-instance restarting

server.conf:

port 443
proto tcp
dev tun
ca ca.crt
cert KICLAB-HV-01.crt
key KICLAB-HV-01.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0
key-direction 0 
mode server
tls-server
cipher AES-128-CBC    # AES
auth SHA256           # SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

base.conf:

client
dev tun
proto tcp
remote [Internal LAN IP for testing] 443
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA256 
key-direction 1
comp-lzo
verb 3

Client Log

Attempting to establish TCP connection with [AF_INET][IP:443] [nonblock]
MANAGEMENT: >STATE:1491826387,TCP_CONNECT,,,,,,
TCP connection established with [AF_INET][IP:443]
TCP_CLIENT link local: (not bound)
TCP_CLIENT link remote: [AF_INET][IP:443]
MANAGEMENT: >STATE:1491826388,WAIT,,,,,,
Connection reset, restarting [0]
SIGUSR1[soft,connection-reset] received, process restarting
MANAGEMENT: >STATE:1491826388,RECONNECTING,connection-reset,,,,,
Restart pause, 5 second(s)
TCP/UDP: Preserving recently used remote address: [AF_INET][IP:443]
Socket Buffers: R=[65536->65536] S=[65536->65536]
Attempting to establish TCP connection with [AF_INET][IP:443] [nonblock]
MANAGEMENT: >STATE:1491826393,TCP_CONNECT,,,,,,
TCP connection established with [AF_INET][IP:443]
TCP_CLIENT link local: (not bound)
TCP_CLIENT link remote: [AF_INET][IP:443]
MANAGEMENT: >STATE:1491826394,WAIT,,,,,,
Connection reset, restarting [0]
SIGUSR1[soft,connection-reset] received, process restarting
MANAGEMENT: >STATE:1491826394,RECONNECTING,connection-reset,,,,,
Restart pause, 5 second(s)

Current output of `systemctl status openvpn@server` (Note: [IP] is actually not the correct IP for the client. Is that a problem?):

MULTI: multi_init called, r=256 v=256
IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
IFCONFIG POOL LIST
MULTI: TCP INIT maxclients=1024 maxevents=1028
Initialization Sequence Completed
TCP connection established with [AF_INET][IP]:48758
[IP]:48758 TLS: Initial packet from [AF_INET][IP]:48758, sid=9ab50ac0 a37efe04
[IP]:48758 TLS Error: reading acknowledgement record from packet
[IP]:48758 Fatal TLS error (check_tls_errors_co), restarting
Apr 10 08:36:24 [host] ovpn-server[2191]: [IP]:48758 SIGUSR1[soft,tls-error] received, client-instance restarting

Thanks!

flyingcars34

2 Answers

From the OpenVPN website:

The --tls-auth option uses a static pre-shared key (PSK) that must be generated in advance and shared among all peers.

You have it on your server as:

tls-auth ta.key 0 # This file is secret
key-direction 0

But on the client, you have it commented out:

;tls-auth ta.key 1
...
key-direction 1

The second argument to tls-auth is the key-direction, therefore you do not need to repeat it using the key-direction stanza.

On your server, simply remove the key-direction 0 line, and on your client remove both the comment delimiter (;) and the key-direction 1 line.

Of course, the ta.key needs to also be on your client machine first before the above will actually work - copy it there securely with scp or similar.

garethTheRed
  • Ok, so optionally, if I were to just comment out all of those lines, should I be able to work without the key altogether? I tried doing so, then restarting the service, but I am still getting a `TLS error: reading acknowledgement record from packet` `Fatal TLS error (check_tls_errors_co), restarting` on the server; so it looks like it's still checking? – flyingcars34 Apr 07 '17 at 16:54
  • I have restarted both the client and server. I am no longer getting the HMAC error, only the two TLS errors now. – flyingcars34 Apr 07 '17 at 19:02
  • I have just added the client log after trying a connection again. – flyingcars34 Apr 10 '17 at 12:16
  • Yes, I had the firewall shutdown on both client and server for testing. Problem resolved - missing certs. Thanks again! – flyingcars34 Apr 11 '17 at 14:58
  • Doh! Glad you got it fixed :-) – garethTheRed Apr 11 '17 at 15:10

You have no certificate for the client in your configs. You should generate one signed by the same CA that you use on your server, and add it to client.conf like this:

ca "ca.crt"
cert "client.crt"
key "client.key"
Anubioz
  • Well there we go. The guide had a script to create certs. Somehow I skipped that part, I thought it was done. Anyway, it works now! Thanks! – flyingcars34 Apr 10 '17 at 14:10
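Both answers point at the same class of problem: the server and client configs disagree about what the control channel needs (a `tls-auth` key in the right direction in the first answer, a CA-signed client certificate in the second). The script below is an added example, not code from the thread or from the OpenVPN project; it lints a server.conf / client.conf pair for exactly those two mismatches, plus port, proto, cipher and auth parity, and runs itself against constructed sample configs modelled on the question (the `192.0.2.10` address and the file names are placeholders). It assumes OpenVPN's plain `option value` line format with `;` or `#` comments.

```shell
#!/bin/sh
# Added example (not from the thread): lint an OpenVPN server.conf / client.conf pair
# for the mismatches discussed above. Assumes "option value" lines, ';'/'#' comments.

# Print the value of OPTION from FILE (commented-out lines ignored); status 1 if absent.
ovpn_opt() {
    awk -v opt="$2" '
        /^[[:space:]]*[;#]/ { next }            # skip commented-out lines
        { sub(/[[:space:]]*[;#].*$/, "") }      # strip trailing comments
        $1 == opt { found = 1; $1 = ""; sub(/^[[:space:]]+/, ""); print }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Effective tls-auth direction: 2nd argument of tls-auth, else key-direction, else empty.
tls_direction() {
    v=$(ovpn_opt "$1" tls-auth) || return 1
    d=$(printf '%s\n' "$v" | awk '{ print $2 }')
    [ -n "$d" ] || d=$(ovpn_opt "$1" key-direction) || d=""
    printf '%s\n' "$d"
}

# 0 = consistent; 1 = server has tls-auth but client none (the question's case);
# 2 = client only; 3 = both present but directions do not pair (0/1, 1/0, or both unset).
check_tls_auth() {
    s=$(ovpn_opt "$1" tls-auth) || s=""
    c=$(ovpn_opt "$2" tls-auth) || c=""
    if [ -z "$s" ] && [ -z "$c" ]; then return 0; fi
    if [ -z "$c" ]; then echo "tls-auth: server expects a signed control channel, client has no active tls-auth line"; return 1; fi
    if [ -z "$s" ]; then echo "tls-auth: client signs control packets the server does not expect"; return 2; fi
    sdir=$(tls_direction "$1") || sdir=""
    cdir=$(tls_direction "$2") || cdir=""
    case "$sdir/$cdir" in
        0/1|1/0|/) return 0 ;;
        *) echo "tls-auth: directions server='$sdir' client='$cdir' do not pair"; return 3 ;;
    esac
}

# 0 = client presents a certificate (ca, cert and key all set); 1 = something is missing.
check_client_identity() {
    rc=0
    for o in ca cert key; do
        ovpn_opt "$1" "$o" >/dev/null || { echo "identity: client has no '$o' line"; rc=1; }
    done
    return $rc
}

# 0 = proto, cipher, auth and port agree between server and client; 1 otherwise.
check_parity() {
    rc=0
    for o in proto cipher auth; do
        s=$(ovpn_opt "$1" "$o") || s=""
        c=$(ovpn_opt "$2" "$o") || c=""
        [ "${s%-server}" = "${c%-client}" ] || { echo "$o: server '$s' vs client '$c'"; rc=1; }
    done
    sport=$(ovpn_opt "$1" port) || sport=""
    cport=$(ovpn_opt "$2" remote | awk '{ print $2 }')
    [ "$sport" = "$cport" ] || { echo "port: server '$sport' vs client remote port '$cport'"; rc=1; }
    return $rc
}

# Number of failed checks (0 = the pair looks consistent).
lint_pair() {
    fails=0
    check_tls_auth "$1" "$2" || fails=$((fails + 1))
    check_client_identity "$2" || fails=$((fails + 1))
    check_parity "$1" "$2" || fails=$((fails + 1))
    return $fails
}

# Constructed sample configs modelled on the question (192.0.2.10 is a placeholder);
# writes server.conf, client-broken.conf (as posted) and client-fixed.conf, prints the dir.
setup_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'port 443' 'proto tcp' 'ca ca.crt' 'cert server.crt' 'key server.key' \
        'tls-auth ta.key 0 # This file is secret' 'key-direction 0' \
        'cipher AES-128-CBC    # AES' 'auth SHA256' > "$dir/server.conf"
    printf '%s\n' 'client' 'proto tcp' 'remote 192.0.2.10 443' 'cipher AES-128-CBC' \
        'auth SHA256' ';tls-auth ta.key 1' 'key-direction 1' > "$dir/client-broken.conf"
    printf '%s\n' 'client' 'proto tcp' 'remote 192.0.2.10 443' 'ca ca.crt' 'cert client.crt' \
        'key client.key' 'cipher AES-128-CBC' 'auth SHA256' 'tls-auth ta.key 1' > "$dir/client-fixed.conf"
    printf '%s\n' "$dir"
}

# Usage: sh ovpn-lint.sh server.conf client.conf; with no arguments, runs on the samples.
if [ "$#" -eq 2 ]; then
    lint_pair "$1" "$2"
else
    d=$(setup_samples)
    echo "== client as posted =="
    lint_pair "$d/server.conf" "$d/client-broken.conf" || echo "-> $? check(s) failed"
    echo "== client after both answers =="
    lint_pair "$d/server.conf" "$d/client-fixed.conf" && echo "-> all checks passed"
    rm -rf "$d"
fi
```

The direction check accepts either `tls-auth file 0/1` or a separate `key-direction` line, since the first answer notes the second `tls-auth` argument and `key-direction` are two spellings of the same setting; what matters is that the two sides end up opposite (or both unset). The `remote-cert-tls server` line from the question is not checked here because it constrains the server's certificate, not the client's.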