openvpn "HMAC auth" and TLS errors @ client connect?
PGNet
pgnet.trash+fbsdnet at gmail.com
Thu Feb 19 20:17:12 PST 2009
I'm taking a stab at setting up,
openvpn --version
OpenVPN 2.0.6 i386-portbld-freebsd6.3 [SSL] [LZO] built on Jul 18 2008
on a client's (read: I don't want to fubar this box!) headless
router/firewall (running fbsd pf) box,
uname -r
6.3-RELEASE-p3
I've set up,
rc.conf
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
openvpn_if="tun"
@ server, "/usr/local/etc/openvpn/openvpn.conf"
--------
server 172.30.7.0 255.255.255.0
dev tun1
proto udp
port 22222
dh /usr/local/etc/openvpn/dh2048.pem
ca /usr/local/etc/openvpn/mydomain.com.CA.cert.rsa.pem
cert /usr/local/etc/openvpn/server.cert.rsa.pem
key /usr/local/etc/openvpn/server.key.rsa.pem
tls-auth /usr/local/etc/openvpn/ta.key 0   # key direction 0; the client must load the identical file with direction 1
client-config-dir /usr/local/etc/openvpn/ccd
ccd-exclusive
max-clients 2
max-routes-per-client 128
connect-freq 3 60
cipher AES-256-CBC
client-to-client
comp-lzo
keepalive 15 120
persist-key
persist-tun
status openvpn-status.log
verb 4
--------
@ client, ".../openvpn.conf"
--------
tls-client
tls-remote ho3.mydomain.com                # must match the CN of the server certificate
remote 99.xx.xx.xx 22222
dev tun
proto udp
resolv-retry infinite
keepalive 15 120
nobind
persist-key
persist-tun
ca /usr/local/etc/openvpn/mydomain.com.CA.cert.rsa.pem
cert /usr/local/etc/openvpn/client.cert.rsa.pem
key /usr/local/etc/openvpn/client.key.rsa.pem
tls-auth /usr/local/etc/openvpn/ta.key 1   # key direction 1, complementary to the server's 0
ns-cert-type server                        # requires nsCertType=server in the server certificate
cipher AES-256-CBC
comp-lzo
verb 4
pull
--------
@ server,
/usr/local/etc/rc.d/openvpn start
Starting openvpn.
add net 172.30.7.0: gateway 172.30.7.2
@ client connect, client logs show,
...
Thu 02/19/09 07:28 PM: Control Channel Authentication: using
'/usr/local/etc/openvpn/ta.key' as a OpenVPN static key file
Thu 02/19/09 07:28 PM: Outgoing Control Channel Authentication: Using
160 bit message hash 'SHA1' for HMAC authentication
Thu 02/19/09 07:28 PM: Incoming Control Channel Authentication: Using
160 bit message hash 'SHA1' for HMAC authentication
Thu 02/19/09 07:28 PM: LZO compression initialized
Thu 02/19/09 07:28 PM: Control Channel MTU parms [ L:1542 D:166 EF:66
EB:0 ET:0 EL:0 ]
Thu 02/19/09 07:28 PM: Data Channel MTU parms [ L:1542 D:1450 EF:42
EB:135 ET:0 EL:0 AF:3/1 ]
Thu 02/19/09 07:28 PM: tls-client'
Thu 02/19/09 07:28 PM: tls-server'
Thu 02/19/09 07:28 PM: Local Options hash (VER=V4): '504e774e'
Thu 02/19/09 07:28 PM: Expected Remote Options hash (VER=V4): '14168603'
Thu 02/19/09 07:28 PM: Socket Buffers: R=[42080->65536] S=[9216->65536]
Thu 02/19/09 07:28 PM: UDPv4 link local: [undef]
Thu 02/19/09 07:28 PM: UDPv4 link remote: 99.xx.xx.xx:22222
Thu 02/19/09 07:28 PM:
@ server syslog,
Feb 19 19:28:21 server openvpn[3947]: Authenticate/Decrypt packet
error: packet HMAC authentication failed
Feb 19 19:28:21 server openvpn[3947]: TLS Error: incoming packet
authentication failed from 192.168.1.6:51365
I tried to follow what online help I could find, but have clearly
missed something.
Any suggestions as to what to fix? Not sure what info to provide;
happy to provide what's needed.
Thanks.
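The server-side message above ("packet HMAC authentication failed" followed by "TLS Error: incoming packet authentication failed") is raised by the tls-auth wrapper before any TLS handshake takes place, so it depends only on what the two sides agree on for the control-channel HMAC: the same ta.key bytes, complementary key directions (0 on one end, 1 on the other, or omitted on both), and the same --auth digest (SHA1 by default, as the client log shows). The checker below is an added example written for this thread; it is not code from the original post or from the OpenVPN project. The directive names and the 'OpenVPN Static key V1' file format are real; the two configs and both ta.key bodies are constructed test data modelled on the post, with the remote address replaced by a placeholder hostname.

```python
"""Consistency checks for an OpenVPN tls-auth (control-channel HMAC) setup.

Added example, not from the original post or from the OpenVPN project.
The configs and key files below are constructed test data.
"""
import hashlib
import re

# Constructed, trimmed from the posted server config.
SERVER_CFG = """
server 172.30.7.0 255.255.255.0
dev tun1
proto udp
port 22222
tls-auth /usr/local/etc/openvpn/ta.key 0
cipher AES-256-CBC
comp-lzo
"""

# Constructed, trimmed from the posted client config (placeholder remote).
CLIENT_CFG = """
tls-client
remote vpn.example.net 22222
dev tun
proto udp
tls-auth /usr/local/etc/openvpn/ta.key 1
cipher AES-256-CBC
comp-lzo
pull
"""


def parse_config(text):
    """Map each directive to its argument list; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts


def constructed_takey(first_byte):
    """Build a syntactically valid 2048-bit static key file (test data only)."""
    body = bytes([first_byte]) + bytes(range(1, 256))
    hex_lines = [body.hex()[i:i + 32] for i in range(0, 512, 32)]
    return ("#\n# 2048 bit OpenVPN static key (constructed)\n#\n"
            "-----BEGIN OpenVPN Static key V1-----\n"
            + "\n".join(hex_lines)
            + "\n-----END OpenVPN Static key V1-----\n")


def takey_fingerprint(pem):
    """SHA-256 of the decoded key bytes; compare this value between the two hosts."""
    m = re.search(r"-----BEGIN OpenVPN Static key V1-----(.*?)"
                  r"-----END OpenVPN Static key V1-----", pem, re.S)
    if not m:
        raise ValueError("not an OpenVPN static key file")
    key = bytes.fromhex("".join(m.group(1).split()))
    if len(key) != 256:
        raise ValueError(f"expected 256 key bytes, found {len(key)} (truncated copy?)")
    return hashlib.sha256(key).hexdigest()


def key_direction(opts):
    """Direction from 'tls-auth FILE [0|1]' or a separate 'key-direction' line."""
    if len(opts["tls-auth"]) > 1:
        return opts["tls-auth"][1]
    return opts.get("key-direction", [None])[0]


def check_tls_auth(server_cfg, client_cfg, server_takey, client_takey):
    """Return the mismatches that make the peer log 'packet HMAC authentication failed'."""
    s, c = parse_config(server_cfg), parse_config(client_cfg)
    problems = []
    if ("tls-auth" in s) != ("tls-auth" in c):
        return ["tls-auth is configured on only one side"]
    if "tls-auth" not in s:
        return problems
    if takey_fingerprint(server_takey) != takey_fingerprint(client_takey):
        problems.append("ta.key differs between server and client")
    sdir, cdir = key_direction(s), key_direction(c)
    if (sdir, cdir) not in {("0", "1"), ("1", "0"), (None, None)}:
        problems.append(f"key directions not complementary: server={sdir} client={cdir}")
    # tls-auth HMACs with the --auth digest; OpenVPN defaults to SHA1.
    sauth = s.get("auth", ["SHA1"])[0].upper()
    cauth = c.get("auth", ["SHA1"])[0].upper()
    if sauth != cauth:
        problems.append(f"auth digest mismatch: server={sauth} client={cauth}")
    # These do not break the HMAC but surface next as options-hash/TLS errors.
    for d in ("proto", "cipher", "comp-lzo"):
        if s.get(d) != c.get(d):
            problems.append(f"{d} differs: server={s.get(d)} client={c.get(d)}")
    return problems


if __name__ == "__main__":
    good = constructed_takey(0x00)
    print(check_tls_auth(SERVER_CFG, CLIENT_CFG, good, good))
    print(check_tls_auth(SERVER_CFG, CLIENT_CFG, good, constructed_takey(0xFF)))
    print(check_tls_auth(SERVER_CFG, CLIENT_CFG.replace("ta.key 1", "ta.key 0"), good, good))
```

On the real hosts the equivalent of takey_fingerprint is simply running sha256(1) (part of the FreeBSD base system) over ta.key on both ends and comparing the output; a key that was copied through a terminal and lost a line will also fail the 256-byte length check here.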