Messages

1

21.1 Legacy Series / Re: tls-crypt fails from opnsense openvpn client, but work from other clients

« on: February 19, 2021, 10:37:55 am »

Thak's for your reply!

It looks like opnsense does not support tls-crypt, but rather the older tls-auth.
I needed to change to tls-auth on my openvpn server to be compliant with the openvpn client on opnsense.
As usual, hours spent looking for a 5 sec fix

Still protected, but more vulnerable to unfriendly hammering.

How do I mark this as "solved"?

Regards, GeoHer

2

21.1 Legacy Series / tls-crypt fails from opnsense openvpn client, but work from other clients

« on: February 18, 2021, 05:39:10 pm »

I am trying to set up my opnsense to act as a client to a remote openvpn server. (first time)
I am set up with as much default as possible, port 1194/udp, inserted the client certificate into "trust" and all that.

I get

Code: [Select]

event_wait : Interrupted system call (code=4) in opnsense openvpn log.

On the server side, the log says:

Code: [Select]

tls-crypt unwrap error: packet authentication failed
TLS Error: tls-crypt unwrapping failed from [AF_INET]x.x.x.x:23683 (source-ip:port i guess)

Increasing the debug-level does not give more practical info.

When connecting to the same openvpn server from my local PC (ubuntu set up with an ovpn-file) I can connect and ping the remote gateway.

If I (as an experiment) turn off tls-crypt i both ends, the tunnel on my opnsense comes up, so I guess my certificate is OK.
Question is why tls-crypt fails.
I am set up with peer-to-peer SSL/TLS connection, using (currently) a selfsigned key/cert with no passphrase. (Cus' theres no way to enter a password/phrase)
I needed to add "verify-x509-name" to the config option to accept the remote (openvpn) server cert.

Is this a bug, or do anyone have any tip to solve this?

I am running opnsense as a virtual machine

Code: [Select]

OPNsense 21.1.1-amd64
FreeBSD 12.1-RELEASE-p13-HBSD
OpenSSL 1.1.1i 8 Dec 2020
Regards, GeoHer