tls-auth not working with pfSense 2.0
Got a problem with Viscosity or need help? Ask here!
It seems to me that Viscosity (1.3.4/1030) generates OpenVPN configs that are not compatible, at least with pfSense 2.0 when using TLS authentication.
Steps to reproduce:
1. Set your OpenVPN server to use TLS authentication
2. Copy the static key to your client and configure Viscosity to use it
Expected results:
The connection should work
Actual results:
Viscosity/OpenVPN client will never establish a connection. On the server logs I find:
openvpn[58269]: TLS Error: incoming packet authentication failed from [AF_INET] ip address...
I checked the OpenVPN howto (http://openvpn.net/index.php/open-sourc ... howto.html) on using this feature and it says one should enable TLS auth support like thus:
tls-auth ta.key 1
Looking at the config.conf file that Viscosity generates, the corresponding line reads:
tls-auth ta.key
The weird thing is that adding the "1" actually solves the problem for me - the connection can now be established, using TLS authentication.
My OpenVPN server version is:
OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
Hi Filipp,
Are you using the Windows or Mac version of Viscosity? Are you setting the Direction to 1 in the client as well?
Cheers,
Eric
Eric Thorpe
Viscosity Developer
Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
Hi filipp,
I've moved this one to the support section of the forums.
Viscosity is doing the right thing here - a TLS Auth file can have no direction associated with it, or a particular direction (where the other end must complement this direction). The OpenVPN man page describes it best:
The optional direction parameter enables the use of 4 distinct keys (HMAC-send, cipher-encrypt, HMAC-receive, cipher-decrypt), so that each data flow direction has a different set of HMAC and cipher keys. This has a number of desirable security properties including eliminating certain kinds of DoS and message replay attacks.
When the direction parameter is omitted, 2 keys are used bidirectionally, one for HMAC and the other for encryption/decryption.
The direction parameter should always be complementary on either side of the connection, i.e. one side should use "0" and the other should use "1", or both sides should omit it altogether.
By default no direction is specified. However, as Eric mentions, you can specify a direction by editing your connection, clicking on the Authentication tab, and changing the Direction from Default to 0 or 1. Obviously in the case of pfSense it must be using a direction of 0 on its end, hence forcing you to use a value of 1 client side. If you do not specify this then you will be unable to connect.
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
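The complementary-direction rule James quotes, worked through as an added Python example (not code from the thread, from Viscosity or from OpenVPN): it parses a static key file, picks the send/receive HMAC keys the way the direction parameter does, and shows which client/server pairings let the client's first packet authenticate at the server. The key is constructed, not a real one; it assumes OpenVPN's key file layout of four 64-byte slots (cipher0, hmac0, cipher1, hmac1) with the first 20 bytes of an HMAC slot used for HMAC-SHA1, and the tag is computed over a constructed payload rather than OpenVPN's real control-channel wire format.

```python
import hashlib
import hmac

SLOT = 64  # a 2048-bit static key is 4 x 64-byte slots: cipher0, hmac0, cipher1, hmac1

# Constructed sample key (NOT a real key), in the shape 'openvpn --genkey' writes.
_body = hashlib.shake_256(b"constructed sample key, not a real key").hexdigest(4 * SLOT)
SAMPLE_KEY = ("#\n# 2048 bit OpenVPN static key (constructed)\n#\n"
              "-----BEGIN OpenVPN Static key V1-----\n"
              + "\n".join(_body[i:i + 32] for i in range(0, len(_body), 32))
              + "\n-----END OpenVPN Static key V1-----\n")

def parse_static_key(text):
    """Return the 256 raw key bytes; '#' comments and the BEGIN/END lines are skipped."""
    body = "".join(l.strip() for l in text.splitlines()
                   if not l.strip().startswith(("#", "-----")))
    raw = bytes.fromhex(body)
    if len(raw) != 4 * SLOT:
        raise ValueError("static key must be 2048 bits, got %d" % (len(raw) * 8))
    return raw

def hmac_keys(raw, direction, digest_len=20):
    """(send, receive) HMAC keys for 'tls-auth ta.key [direction]'.
    None (omitted) -> bidirectional, key 0 both ways
    0              -> send with key 0, receive with key 1
    1              -> send with key 1, receive with key 0
    Only the first digest_len bytes of a slot are used (20 for HMAC-SHA1)."""
    hmac0 = raw[SLOT:2 * SLOT][:digest_len]
    hmac1 = raw[3 * SLOT:4 * SLOT][:digest_len]
    return {None: (hmac0, hmac0), 0: (hmac0, hmac1), 1: (hmac1, hmac0)}[direction]

def client_packet_authenticates(raw, client_dir, server_dir):
    """Model the server's tls-auth check on the client's first control packet.
    The real tag covers OpenVPN's control-channel wire layout; here it is taken
    over a constructed payload, since only the key selection is being shown."""
    payload = b"constructed control packet (HARD_RESET_CLIENT)"
    send_key, _ = hmac_keys(raw, client_dir)
    _, recv_key = hmac_keys(raw, server_dir)
    sent = hmac.new(send_key, payload, hashlib.sha1).digest()
    expected = hmac.new(recv_key, payload, hashlib.sha1).digest()
    return hmac.compare_digest(sent, expected)  # False = "incoming packet authentication failed"

if __name__ == "__main__":
    key = parse_static_key(SAMPLE_KEY)
    # Viscosity's default (no direction) against a pfSense server using 0, then the fix.
    for c, s in [(None, 0), (1, 0), (0, 0), (None, None)]:
        ok = client_packet_authenticates(key, c, s)
        print("client %-4s server %-4s -> %s" % (c, s, "OK" if ok else "auth failed"))
```

The (None, 0) row reproduces the thread's symptom and (1, 0) the fix; (0, 0) fails because both sides send with key 0 and expect key 1, which is why a mismatched direction looks identical in the server log to a wrong key.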