
Author Topic: tls-crypt fails from opnsense openvpn client, but work from other clients  (Read 15052 times)

geoher

« on: February 18, 2021, 05:39:10 pm »
I am trying to set up my opnsense to act as a client to a remote openvpn server. (first time)
I am set up with as much default as possible, port 1194/udp, inserted the client certificate into "trust" and all that.

I get
Code:
event_wait : Interrupted system call (code=4)
in opnsense openvpn log.

On the server side, the log says:
Code:
tls-crypt unwrap error: packet authentication failed
TLS Error: tls-crypt unwrapping failed from [AF_INET]x.x.x.x:23683
(source-ip:port, I guess)

Increasing the debug-level does not give more practical info.

When connecting to the same openvpn server from my local PC (ubuntu set up with an ovpn-file) I can connect and ping the remote gateway.

If I (as an experiment) turn off tls-crypt in both ends, the tunnel on my opnsense comes up, so I guess my certificate is OK.
Question is why tls-crypt fails.
I am set up with peer-to-peer SSL/TLS connection, using (currently) a self-signed key/cert with no passphrase. ('Cause there's no way to enter a password/phrase)
I needed to add "verify-x509-name" to the config option to accept the remote (openvpn) server cert.

Is this a bug, or does anyone have any tip to solve this?

I am running opnsense as a virtual machine
Code:
OPNsense 21.1.1-amd64
FreeBSD 12.1-RELEASE-p13-HBSD
OpenSSL 1.1.1i 8 Dec 2020

Regards, GeoHer

Gauss23

« Reply #1 on: February 18, 2021, 05:50:42 pm »
There are 2 options in OpenVPN: tls-crypt and tls-auth. Maybe your config needs tls-crypt. In the OPNsense GUI there is only tls-auth.

You need to add:
Code:
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>

in the Advanced options box.
„The S in IoT stands for Security!“ :)

geoher

« Reply #2 on: February 19, 2021, 10:37:55 am »
Thanks for your reply!

It looks like opnsense does not support tls-crypt, but rather the older tls-auth.
I needed to change to tls-auth on my openvpn server to be compliant with the openvpn client on opnsense.
As usual, hours spent looking for a 5 sec fix

Still protected, but more vulnerable to unfriendly hammering.

How do I mark this as "solved"?

Regards, GeoHer
« Last Edit: February 19, 2021, 10:39:28 am by geoher »

Gauss23

« Reply #3 on: February 19, 2021, 10:43:48 am »
Quote from: geoher on February 19, 2021, 10:37:55 am
Thanks for your reply!

It looks like opnsense does not support tls-crypt, but rather the older tls-auth.
I needed to change to tls-auth on my openvpn server to be compliant with the openvpn client on opnsense.
As usual, hours spent looking for a 5 sec fix

Still protected, but more vulnerable to unfriendly hammering.

How do I mark this as "solved"?

Regards, GeoHer

Did you read my answer? I gave the correct hint to bring tls-crypt up and running. No need to switch to tls-auth.

Disable the checkbox in the GUI for TLS-auth and add the tls-crypt key in the advanced/custom settings box on the same page. Like in my last answer.
« Last Edit: February 19, 2021, 10:48:03 am by Gauss23 »
„The S in IoT stands for Security!“ :)
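
An added example, not part of the thread and not OPNsense or OpenVPN project code: a small Python check that compares the control-channel directive (`tls-crypt` or `tls-auth`) and the inline static key of a client and a server config, since both must match for the server to accept the client's wrapped packets. The sample configs and keys are constructed, and the function names are this example's own.

```python
import hashlib
import re

WRAP_MODES = ("tls-crypt", "tls-auth")  # control-channel static-key directives
KEY_RE = re.compile(r"-----BEGIN OpenVPN Static key V1-----(.*?)"
                    r"-----END OpenVPN Static key V1-----", re.S)

def control_channel(cfg):
    """Return (mode, fingerprint); fingerprint is None if the key is empty or external."""
    for mode in WRAP_MODES:
        inline = re.search(rf"<{mode}>(.*?)</{mode}>", cfg, re.S)
        if inline:
            key = KEY_RE.search(inline.group(1))
            body = "".join(key.group(1).split()).lower() if key else ""
            return mode, (hashlib.sha256(body.encode()).hexdigest()[:16] if body else None)
        if re.search(rf"^\s*{mode}\s+\S+", cfg, re.M):  # "tls-crypt /path/to/key"
            return mode, None
    return None, None

def compare(client_cfg, server_cfg):
    """List control-channel mismatches between a client and a server config."""
    c_mode, c_fp = control_channel(client_cfg)
    s_mode, s_fp = control_channel(server_cfg)
    if c_mode != s_mode:
        return [f"mode mismatch: client={c_mode} server={s_mode}"]
    if c_mode and (c_fp is None or s_fp is None):
        return [f"{c_mode} key empty or not inline; cannot compare"]
    if c_fp != s_fp:
        return [f"{c_mode} static keys differ"]
    return []

def constructed_key(seed):
    """Build sample key text (constructed, not a real key): 16 lines of 32 hex chars."""
    hexed = b"".join(hashlib.sha256(f"{seed}{i}".encode()).digest() for i in range(8)).hex()
    rows = [hexed[i:i + 32] for i in range(0, len(hexed), 32)]
    return "\n".join(["-----BEGIN OpenVPN Static key V1-----", *rows,
                      "-----END OpenVPN Static key V1-----"])

def wrap(mode, key_text):
    """Return an inline <mode>...</mode> block as it would appear in a config."""
    return f"<{mode}>\n{key_text}\n</{mode}>\n"

# Constructed sample configs, not taken from the thread.
SERVER = "port 1194\nproto udp\n" + wrap("tls-crypt", constructed_key("a"))
CLIENT_TLS_AUTH = "client\nproto udp\n" + wrap("tls-auth", constructed_key("a"))
CLIENT_TLS_CRYPT = "client\nproto udp\n" + wrap("tls-crypt", constructed_key("a"))
CLIENT_EMPTY_KEY = "client\nproto udp\n" + wrap(
    "tls-crypt", "-----BEGIN OpenVPN Static key V1-----\n-----END OpenVPN Static key V1-----")

if __name__ == "__main__":
    for name in ("CLIENT_TLS_AUTH", "CLIENT_TLS_CRYPT", "CLIENT_EMPTY_KEY"):
        print(name, compare(globals()[name], SERVER) or "ok")
```

The fingerprint is a truncated SHA-256 of the key body, so the two configs can be compared in a ticket or chat without pasting the static key itself.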

dako76

« Reply #4 on: July 01, 2021, 02:14:27 pm »
Hi, I have the same problem, but your answer did not help me. I get the same error on the openvpn server.

tls-crypt unwrap error: packet authentication failed
TLS Error: tls-crypt unwrapping failed from [AF_INET]93.xx.xx.73:52214



dako76

« Reply #5 on: July 02, 2021, 12:25:40 pm »
Hi, found the solution: I had to use UDP4, not UDP, in the configuration of OpenVPNClient. Now it is running.