tls-auth not working with pfSense 2.0


filipp

Posts: 16
Joined: Wed Feb 24, 2010 5:48 pm

Post by filipp » Sun Oct 30, 2011 8:14 pm
It seems to me that Viscosity (1.3.4/1030) generates OpenVPN configs that are not compatible, at least with pfSense 2.0 when using TLS authentication.

Steps to reproduce:
1. Set your OpenVPN server to use TLS authentication
2. Copy the static key to your client and configure Viscosity to use it

Expected results:
The connection should work

Actual results:
Viscosity/OpenVPN client will never establish a connection. In the server logs I find:

    openvpn[58269]: TLS Error: incoming packet authentication failed from [AF_INET] ip address...
I checked the OpenVPN howto (http://openvpn.net/index.php/open-sourc ... howto.html) on using this feature and it says one should enable TLS auth support like so:

    tls-auth ta.key 1
Looking at the config.conf file that Viscosity generates, the corresponding line reads:

    tls-auth ta.key
The weird thing is that adding the "1" actually solves the problem for me - the connection can now be established, using TLS authentication. :)

My OpenVPN server version is:

    OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Mon Oct 31, 2011 7:04 pm
Hi Filipp,

Are you using the Windows or Mac version of Viscosity? Are you setting the Direction to 1 in the client as well?

Cheers,

Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue Nov 01, 2011 12:40 am
Hi filipp,

I've moved this one to the support section of the forums.

Viscosity is doing the right thing here - a TLS Auth file can have no direction associated with it, or a particular direction (where the other end must complement this direction). The OpenVPN man page describes it best:
The optional direction parameter enables the use of 4 distinct keys (HMAC-send, cipher-encrypt, HMAC-receive, cipher-decrypt), so that each data flow direction has a different set of HMAC and cipher keys. This has a number of desirable security properties including eliminating certain kinds of DoS and message replay attacks.

When the direction parameter is omitted, 2 keys are used bidirectionally, one for HMAC and the other for encryption/decryption.

The direction parameter should always be complementary on either side of the connection, i.e. one side should use "0" and the other should use "1", or both sides should omit it altogether.
By default no direction is specified. However, as Eric mentions, you can specify a direction by editing your connection, clicking on the Authentication tab, and changing the Direction from Default to 0 or 1. Obviously in the case of pfSense it must be using a direction of 0 on its end, hence forcing you to use a value of 1 client side. If you do not specify this then you will be unable to connect.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
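To make the direction rule concrete, here is an added example (not code from this thread, from Viscosity or from OpenVPN itself) that models how OpenVPN 2.x picks the send and receive HMAC keys out of a 2048-bit "Static key V1" file for direction 0, direction 1 or no direction, and then checks whether a client packet would pass the server's tls-auth HMAC check. The ta.key contents are constructed, and the packet framing is simplified to a plain byte string.

```python
import hmac
import hashlib

# Layout of an OpenVPN "Static key V1" file: 256 bytes = two 128-byte keys,
# each made of 64 bytes of cipher key followed by 64 bytes of HMAC key.
KEY_LEN, CIPHER_LEN = 128, 64
HMAC_LEN = 20  # SHA-1, the default tls-auth digest in OpenVPN 2.2, uses 20 key bytes

# Constructed sample ta.key (NOT a real key): bytes 0x00..0xff as 16 lines of hex.
_HEX = bytes(range(256)).hex()
SAMPLE_TA_KEY = ("-----BEGIN OpenVPN Static key V1-----\n"
                 + "\n".join(_HEX[i:i + 32] for i in range(0, len(_HEX), 32))
                 + "\n-----END OpenVPN Static key V1-----\n")

def parse_static_key(text):
    """Return the two 128-byte keys held in a Static key V1 file."""
    body = [l for l in text.strip().splitlines()
            if not l.startswith("-----") and not l.startswith("#")]
    raw = bytes.fromhex("".join(body))
    if len(raw) != 2 * KEY_LEN:
        raise ValueError("expected a 2048-bit static key, got %d bits" % (len(raw) * 8))
    return raw[:KEY_LEN], raw[KEY_LEN:]

def hmac_keys(keys, direction):
    """(send, receive) HMAC keys for a tls-auth direction, as OpenVPN selects them:
    0 -> send key 0 / receive key 1; 1 -> the inverse; None (omitted) -> key 0 both ways."""
    k0, k1 = (k[CIPHER_LEN:CIPHER_LEN + HMAC_LEN] for k in keys)
    if direction is None:
        return k0, k0
    if direction == 0:
        return k0, k1
    if direction == 1:
        return k1, k0
    raise ValueError("direction must be 0, 1 or None")

def authenticates(keys, client_dir, server_dir, packet=b"control-channel packet"):
    """True if a client->server packet passes the server's tls-auth HMAC check.
    Simplified framing: real OpenVPN authenticates the packet-id and opcode too."""
    client_send, _ = hmac_keys(keys, client_dir)
    _, server_recv = hmac_keys(keys, server_dir)
    tag = hmac.new(client_send, packet, hashlib.sha1).digest()
    expected = hmac.new(server_recv, packet, hashlib.sha1).digest()
    return hmac.compare_digest(tag, expected)

if __name__ == "__main__":
    keys = parse_static_key(SAMPLE_TA_KEY)
    # pfSense uses direction 0; a client with a bare "tls-auth ta.key" is rejected
    print("client omitted, server 0:", authenticates(keys, None, 0))  # False
    print("client 1, server 0:", authenticates(keys, 1, 0))           # True
    print("both omitted:", authenticates(keys, None, None))           # True
```

The failing case is exactly the "incoming packet authentication failed" seen in the pfSense log: the client signs with key 0 while the server verifies with key 1.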