Messages

1

Virtual private networks / Re: OPenVPN between OPNSEnse and PiVPN

« on: June 17, 2021, 01:48:18 pm »

I'm nearly there with my config but find that there is a TLS-crypt error on my remote PI Server:

Jun 17 11:26:39 CloudServer0 ovpn-server[696]: tls-crypt unwrap error: packet authentication failed
Jun 17 11:26:39 CloudServer0 ovpn-server[696]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:49805

This an error I only see on my OPNSense setup.

When I try with PFSense (It's only a VirtualBox test setup for comparison) using the same configuration the OpenVPN connection works perfectly. I've nailed this down to the following config option which does not be seem to be available on OPNSense (but is on PFSense):

TLS Key Usage Mode: TLS Encryption and Authentication

On PFsense, if this is set to "TLS Authentication only" the connection fails in the same way as OPNSense. But changing it to "TLS Encryption and Authentication" the VPN tunnel activates.

Therefore, can anyone shed some light on how to setup TLS Encryption and Authentication on OPNSense for their OpenVPN Client?

By the way, once I have this working with OPNSense I will write-up a configuration guide for the community.


 

2

Virtual private networks / OPenVPN between OPNSEnse and PiVPN

« on: June 16, 2021, 03:01:20 pm »

Guys,

I'm current migrating from an OpenWRT to OPNSense and I need to setup an OpenVPN Client on my new OPNSense Appliance to a remote RaspberryPI, which is running PIVPN. For the connection, I've created a new OpenVPN client profile, which has generated a standard .ovpn file which needs to be imported into OPNSense. I can see that there is no import feature with OPNSense for this file and so I need some help with the setup (FYI, with OpenWRT there is an import feature which makes this a bit easier).

Here is a masked version of my .ovpn file with the IP addressing and certificates modified:

client
dev tun
proto udp
remote A.B>C>D 1194
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name localhost_e05147cb-1363-4360-b5ae-a76e5ddc23d6 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
#certificate data
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
# CA Certificate data
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
#Key Data
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

</tls-crypt>
#Key Data
</tls-crypt>

I've imported the CA key in trust/authorities by cut-and paste between:

-----BEGIN CERTIFICATE-----
# CA Certificate data
-----END CERTIFICATE-----

This seems fine and OPNSense has accepted the certificate.

Moving on the the OpenVPN Client setup, I've been trying for a while now to correctly setup the VPN client but so far no luck. I could post logs for each attempted configurations attempts but if anyone had experience transposing an .ovpn file please could you give me some help based on my .ovpn file above?

Many Thanks in advance!

Tony