# OpenVPN (TLS Error)

## sewulba

Hello...

Server:

Internal IP = 192.168.0.7

Client:

IP of the Windoof machine = 192.168.0.12

I have set up an OpenVPN server, but unfortunately I cannot connect!

The following error message shows up in /var/log/messages!

```
proto udp
dev tun
local 192.168.0.7  # "bind address": on which interface should port udp/1194 be opened?
ca /etc/openvpn/ca.crt
cert /etc/openvpn/ppro-server.crt
key /etc/openvpn/ppro-server.key
dh /etc/openvpn/dh1024.pem
tls-auth /etc/openvpn/ta.key 0  # "0" on the VPN server, "1" on VPN clients
server 10.8.0.0 255.255.255.0
# ifconfig-pool-persist /etc/openvpn/ipp.txt
ifconfig 10.8.0.1 10.8.0.2
# ifconfig-pool 10.8.0.4 10.8.0.251
push "route-gateway 10.8.0.1"
keepalive 10 120
#cipher BF-CBC  (=default; very fast)
#cipher AES-128-CBC (more secure)
#cipher AES-256-CBC (most secure)
comp-lzo      # compression
user openvpn
group openvpn
persist-key
persist-tun
tun-mtu 1500
fragment 1500
resolv-retry infinite
# remote 192.168.0.7
status /etc/openvpn/openvpn-status.log
# chroot /etc/openvpn/chroot
#mode server
tls-server
mode server
#if dev tun:
#  This line must be removed!
#  ifconfig 10.8.0.1 10.8.0.2
#   ifconfig-pool 10.8.0.4 10.8.0.251
#   route 10.8.0.0 255.255.255.0
#   if client-to-client:
#   push "route 10.8.0.0 255.255.255.0"
#   else
#   push "route 10.8.0.1"
#if dev tap:
#  This line must be removed!
#  ifconfig 10.8.0.1 255.255.255.0
#   ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
#   push "route-gateway 10.8.0.1"
push "route 10.8.0.0 255.255.255.0 192.168.0.7"
push "route 192.168.0.0 255.255.255.0 10.8.0.1"
```

Output of 'ls -l' in /etc/openvpn

```
total 32
-rw-r--r-- 1 root root 1233 Mar  4 01:14 ca.crt
drwxr-xr-x 2 root root  192 Mar 11 12:46 chroot
-rw-r--r-- 1 root root  245 Mar  4 01:14 dh1024.pem
-rw------- 1 root root    0 Mar 11 13:01 ipp.txt
-rw------- 1 root root  232 Mar 11 13:27 openvpn-status.log
-rw-r--r-- 1 root root 1411 Mar 11 13:02 openvpn.conf
-rw-r--r-- 1 root root 3896 Mar  4 01:14 ppro-server.crt
-rw------- 1 root root  887 Mar  4 01:14 ppro-server.key
-rw------- 1 root root  636 Mar  4 01:14 ta.key
```

On the Windoof client, client.ovpn looks like this!

```
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my-server-1 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key
tls-auth /etc/openvpn/ta.key 1
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 0
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
# PORT
port 1194
```

On Windows the keys are in C:\Programme\OpenVPN\config!

What am I doing wrong?

Output directly from the client:

```
Sun Mar 11 13:35:56 2007 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Sun Mar 11 13:35:56 2007 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sun Mar 11 13:35:56 2007 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Mar 11 13:35:56 2007 LZO compression initialized
Sun Mar 11 13:35:56 2007 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Mar 11 13:35:56 2007 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Mar 11 13:35:56 2007 Local Options hash (VER=V4): '41690919'
Sun Mar 11 13:35:56 2007 Expected Remote Options hash (VER=V4): '530fdded'
Sun Mar 11 13:35:56 2007 UDPv4 link local: [undef]
Sun Mar 11 13:35:56 2007 UDPv4 link remote: 192.168.0.7:1194
Sun Mar 11 13:36:56 2007 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Mar 11 13:36:56 2007 TLS Error: TLS handshake failed
Sun Mar 11 13:36:56 2007 TCP/UDP: Closing socket
Sun Mar 11 13:36:56 2007 SIGUSR1[soft,tls-error] received, process restarting
Sun Mar 11 13:36:56 2007 Restart pause, 2 second(s)
Sun Mar 11 13:36:58 2007 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sun Mar 11 13:36:58 2007 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Mar 11 13:36:58 2007 Re-using SSL/TLS context
Sun Mar 11 13:36:58 2007 LZO compression initialized
Sun Mar 11 13:36:58 2007 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Mar 11 13:36:58 2007 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Mar 11 13:36:58 2007 Local Options hash (VER=V4): '41690919'
Sun Mar 11 13:36:58 2007 Expected Remote Options hash (VER=V4): '530fdded'
Sun Mar 11 13:36:58 2007 UDPv4 link local: [undef]
Sun Mar 11 13:36:58 2007 UDPv4 link remote: 192.168.0.7:1194
```

Regards, Sewulba   :Embarassed: 

PS: I have already tried TLS-AUTH in every variant. Unfortunately it doesn't help.

----------

## bbgermany

Hi,

you have two entries for your tls.key in the config file:

```
tls-auth /etc/openvpn/ta.key 1
...
# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 0
```

In addition, on the Windows side (i.e. the client) it is better not to specify the port directly but to use these two entries instead:

```
nobind
remote <IP address> <port>
```

Kind regards, Stefan
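As an added example (not from this thread and not part of OpenVPN), a small POSIX shell script that catches the mistake above before the first connection attempt. OpenVPN keeps the last occurrence of a single-valued directive, so the effective client line in the posted client.ovpn was `tls-auth ta.key 0`: the same key direction as the server, which is exactly what produces "cannot locate HMAC in incoming packet" on the server and a silent 60-second handshake timeout on the client. The script compares a server and a client config, flags directives given more than once, checks that the tls-auth key directions are complementary (0 on the server, 1 on the client, or no direction on either), checks that proto/dev/cipher/comp-lzo match, and warns when `port` is used alongside `nobind` as the reply recommends against. The sample configs embedded in it are constructed, reduced from the ones posted here; function and file names are the example's own.

```shell
#!/bin/sh
# ovpn-pair-check.sh: consistency checks for an OpenVPN 2.x server/client config pair.
# Added example for this thread; not from the original posts and not part of OpenVPN.
# Assumes one directive per line with '#' or ';' comments (inline <tls-auth> blocks are
# not handled). All function and file names here are the example's own choice.

# Effective (last) line for a directive, whitespace-normalised; empty if absent.
# OpenVPN keeps the last occurrence of a single-valued directive, so this is what it uses.
ovpn_eff() {  # usage: ovpn_eff FILE DIRECTIVE
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' "$1" \
      | awk -v d="$2" '$1 == d { $1 = $1; v = $0 } END { print v }'
}

# Number of times a directive appears (comments excluded).
ovpn_count() {  # usage: ovpn_count FILE DIRECTIVE
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' "$1" \
      | awk -v d="$2" '$1 == d { n++ } END { print n + 0 }'
}

# Compare a server and a client config; prints ERROR/WARN lines, returns the error count.
ovpn_pair_check() {  # usage: ovpn_pair_check SERVER_CONF CLIENT_CONF
    s=$1; c=$2; errors=0
    # 1. single-valued directives given twice: only the last one takes effect
    for d in tls-auth proto dev cipher ca cert key port; do
        for f in "$s" "$c"; do
            n=$(ovpn_count "$f" "$d")
            if [ "$n" -gt 1 ]; then
                echo "ERROR: $f: '$d' given $n times (last occurrence wins)"
                errors=$((errors + 1))
            fi
        done
    done
    # 2. tls-auth on both sides with complementary key directions (0 server, 1 client),
    #    or no direction on either side (bidirectional key); anything else means the
    #    HMAC on incoming control-channel packets is verified with the wrong key
    sta=$(ovpn_eff "$s" tls-auth); cta=$(ovpn_eff "$c" tls-auth)
    if [ -n "$sta$cta" ]; then
        if [ -z "$sta" ] || [ -z "$cta" ]; then
            echo "ERROR: tls-auth configured on one side only"
            errors=$((errors + 1))
        else
            sdir=$(printf '%s\n' "$sta" | awk '{ print $3 }')
            cdir=$(printf '%s\n' "$cta" | awk '{ print $3 }')
            case "$sdir/$cdir" in
                0/1|/) ;;
                *) echo "ERROR: tls-auth key direction server='$sdir' client='$cdir' (expected server 0, client 1)"
                   errors=$((errors + 1)) ;;
            esac
        fi
    fi
    # 3. link parameters the client config's own comments say must match the server
    for d in proto dev cipher comp-lzo; do
        sv=$(ovpn_eff "$s" "$d"); cv=$(ovpn_eff "$c" "$d")
        if [ "$sv" != "$cv" ]; then
            echo "ERROR: '$d' differs: server='${sv:-unset}' client='${cv:-unset}'"
            errors=$((errors + 1))
        fi
    done
    # 4. the advice from this thread: on the client use nobind + 'remote <host> <port>'
    if [ -n "$(ovpn_eff "$c" port)" ] && [ -n "$(ovpn_eff "$c" nobind)" ]; then
        echo "WARN: client sets 'port' together with 'nobind'; put the port on the 'remote' line instead"
    fi
    return "$errors"
}

# Constructed sample configs, reduced from the ones posted in this thread
# (the client still carries the duplicate tls-auth lines).
write_sample() {  # usage: write_sample server|client -> prints the path of a temp file
    f=$(mktemp) || return 1
    if [ "$1" = server ]; then
        cat > "$f" <<'EOF'
proto udp
dev tun
local 192.168.0.7  # bind address
ca /etc/openvpn/ca.crt
cert /etc/openvpn/ppro-server.crt
key /etc/openvpn/ppro-server.key
dh /etc/openvpn/dh1024.pem
tls-auth /etc/openvpn/ta.key 0  # "0" on the server, "1" on clients
server 10.8.0.0 255.255.255.0
comp-lzo
mode server
tls-server
EOF
    else
        cat > "$f" <<'EOF'
client
dev tun
proto udp
remote my-server-1 1194
nobind
ca ca.crt
cert client.crt
key client.key
tls-auth /etc/openvpn/ta.key 1
tls-auth ta.key 0
comp-lzo
verb 3
port 1194
EOF
    fi
    echo "$f"
}

# Run on the two files given on the command line, or on the constructed samples.
if [ $# -ne 2 ]; then set -- "$(write_sample server)" "$(write_sample client)"; fi
if ovpn_pair_check "$1" "$2"; then
    echo "OK: server and client configs are consistent"
else
    echo "Fix the ERROR lines above, then reconnect"
fi
```

Run it as `sh ovpn-pair-check.sh /etc/openvpn/openvpn.conf client.ovpn`; without arguments it checks the embedded samples and reports the duplicate `tls-auth`, the 0/0 key direction and the `port`/`nobind` warning. The comparison in step 3 is a strict string comparison, so `dev tun0` against `dev tun` is reported even though OpenVPN itself would accept it.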

----------

## sewulba

Okay... 

Thanks for the info. It works now!

I have one more question.

If I want to get from my 10.8.0.x VPN network into the internal 192.168.0.x network, I suppose I have to handle that via iptables. Is that correct?

SeW

----------

## bbgermany

No, you don't have to; an

```
echo 1 > /proc/sys/net/ipv4/ip_forward
```

and adding a route on the default gateway should solve the problem. Alternatively you can also have a go at bridging (I'm happy to help with that, I have it running myself); then you get, or can hand out, an IP from your own network  :Very Happy: 

Kind regards, Stefan
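As an added example (not from this thread and not part of OpenVPN), a shell script for the two things the reply above relies on instead of iptables. The VPN clients already learn the way to 192.168.0.0/24 from the `push "route 192.168.0.0 255.255.255.0 10.8.0.1"` line in the posted openvpn.conf; what is missing is the reverse direction. With forwarding enabled on the OpenVPN server, LAN hosts still send their replies to 10.8.0.x to their default gateway, so that gateway (or every LAN host) needs a route for the VPN subnet pointing at the server's LAN address, 192.168.0.7 here. The script checks the forwarding flag, converts the dotted mask from the `server` directive into a prefix length, and prints the route command for the gateway. The function names and the mask conversion are the example's own.

```shell
#!/bin/sh
# vpn-routing-check.sh: forwarding on the OpenVPN server plus the return route the LAN
# side needs for the VPN subnet. Added example for this thread; not from the original
# posts and not part of OpenVPN. Function names and the mask conversion are the example's own.

# Prefix length of a dotted netmask (255.255.255.0 -> 24). Returns 1 for a malformed or
# non-contiguous mask such as 255.0.255.0, which cannot be written as /n anyway.
mask_to_prefix() {  # usage: mask_to_prefix MASK
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$(( (n << 8) | o ))
    done
    p=0
    while [ "$p" -lt 32 ] && [ $(( (n >> (31 - p)) & 1 )) -eq 1 ]; do
        p=$((p + 1))
    done
    # after the leading run of ones every remaining bit must be zero
    [ $(( n & ((1 << (32 - p)) - 1) )) -eq 0 ] || return 1
    echo "$p"
}

# True when IPv4 forwarding is on. FILE defaults to the live sysctl node; another path
# can be given, e.g. a constructed file when testing.
forwarding_enabled() {  # usage: forwarding_enabled [FILE]
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# The route the LAN's default gateway (or each LAN host) needs so that replies to VPN
# clients are sent back to the OpenVPN server instead of out of the gateway's uplink.
lan_return_route() {  # usage: lan_return_route VPN_NET VPN_MASK SERVER_LAN_IP
    prefix=$(mask_to_prefix "$2") || return 1
    echo "ip route add $1/$prefix via $3"
}

# Values from this thread: 'server 10.8.0.0 255.255.255.0' and 'local 192.168.0.7'.
if forwarding_enabled; then
    echo "ip_forward is 1 on this host"
else
    echo "forwarding is off: echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "persist it with 'net.ipv4.ip_forward = 1' in /etc/sysctl.conf"
fi
echo "on the LAN default gateway (or each LAN host) run: $(lan_return_route 10.8.0.0 255.255.255.0 192.168.0.7)"
```

Run it on the OpenVPN server as `sh vpn-routing-check.sh`. The `echo 1 > /proc/sys/net/ipv4/ip_forward` from the reply is lost at the next reboot, which is why the script also prints the sysctl.conf line.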

----------

