tls-crypt fails from opnsense openvpn client, but work from other clients

Started by geoher, February 18, 2021, 05:39:10 PM

I am trying to set up my opnsense to act as a client to a remote openvpn server. (first time)
I am set up with as much default as possible, port 1194/udp, inserted the client certificate into "trust" and all that.

I get event_wait : Interrupted system call (code=4) in the opnsense openvpn log.

On the server side, the log says:
tls-crypt unwrap error: packet authentication failed
TLS Error: tls-crypt unwrapping failed from [AF_INET]x.x.x.x:23683
(source IP:port, I guess)

Increasing the debug-level does not give more practical info.

When connecting to the same openvpn server from my local PC (ubuntu set up with an ovpn-file) I can connect and ping the remote gateway.

If I (as an experiment) turn off tls-crypt at both ends, the tunnel on my opnsense comes up, so I guess my certificate is OK.
The question is why tls-crypt fails.
I am set up with a peer-to-peer SSL/TLS connection, using (currently) a self-signed key/cert with no passphrase. ('Cause there's no way to enter a password/phrase.)
I needed to add "verify-x509-name" to the config options to accept the remote (openvpn) server cert.

Is this a bug, or does anyone have a tip to solve this?

I am running opnsense as a virtual machine
OPNsense 21.1.1-amd64
FreeBSD 12.1-RELEASE-p13-HBSD
OpenSSL 1.1.1i 8 Dec 2020


Regards, GeoHer

There are 2 options in OpenVPN: tls-crypt and tls-auth. Maybe your config needs tls-crypt. In the OPNsense GUI there is only tls-auth.

You need to add:
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>


in Advanced options box.
,,The S in IoT stands for Security!" :)
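The mismatch behind the server-side "tls-crypt unwrap error: packet authentication failed" is a client still sending tls-auth (the GUI checkbox) to a server expecting tls-crypt. The script below is an added example, not code from this thread or from OPNsense: it reports which control-channel mode each config uses, flags a server/client mismatch, and builds the inline <tls-crypt> block that the answer above says belongs in the Advanced options box. The key body, hostnames, file paths and both sample client configs are constructed placeholders; "proto udp4" in the fixed client simply mirrors what the last reply in this thread reports using.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense. It checks whether
# two OpenVPN configs agree on the control-channel protection mode
# (tls-auth vs tls-crypt), the mismatch behind the server-side
# "tls-crypt unwrap error: packet authentication failed" in this thread,
# and it builds the inline <tls-crypt> block for the OPNsense Advanced box.
# Paths, hostnames and the key below are constructed placeholders.

# Report the control-channel mode of a config: tls-crypt, tls-auth or none.
# Both the "tls-crypt /path/key" directive and the inline <tls-crypt> block
# count as tls-crypt; the same applies to tls-auth.
tls_mode() {
    cfg="$1"
    if grep -Eq '^[[:space:]]*(tls-crypt([[:space:]]|$)|<tls-crypt>)' "$cfg"; then
        echo tls-crypt
    elif grep -Eq '^[[:space:]]*(tls-auth([[:space:]]|$)|<tls-auth>)' "$cfg"; then
        echo tls-auth
    else
        echo none
    fi
}

# Compare server and client config; exit status 0 only when the modes match.
check_pair() {
    server_mode=$(tls_mode "$1")
    client_mode=$(tls_mode "$2")
    if [ "$server_mode" = "$client_mode" ]; then
        echo "OK: both sides use $server_mode"
        return 0
    fi
    echo "MISMATCH: server uses $server_mode, client uses $client_mode"
    return 1
}

# Wrap a static key file as an inline <tls-crypt>...</tls-crypt> block, the
# form that goes into the OPNsense client's Advanced options box.
inline_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# --- constructed sample configs ------------------------------------------
DEMO_DIR=$(mktemp -d)

# Placeholder key body (constructed). A real key is generated on the server
# with "openvpn --genkey secret tc.key" (OpenVPN 2.5+ syntax) and is much longer.
cat > "$DEMO_DIR/tc.key" <<'EOF'
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
EOF

# Server protecting the control channel with tls-crypt.
cat > "$DEMO_DIR/server.conf" <<EOF
port 1194
proto udp
dev tun
tls-crypt $DEMO_DIR/tc.key
EOF

# Client as the GUI "TLS Authentication" checkbox would produce (assumed form):
# tls-auth with a key direction, which a tls-crypt server rejects.
cat > "$DEMO_DIR/client-tlsauth.conf" <<EOF
client
dev tun
proto udp
remote vpn.example.com 1194
tls-auth $DEMO_DIR/tc.key 1
EOF

# Client with the checkbox cleared and the inline block in Advanced options
# (proto udp4 as the last reply in the thread reports using).
{
    printf 'client\ndev tun\nproto udp4\nremote vpn.example.com 1194\n'
    inline_block tls-crypt "$DEMO_DIR/tc.key"
} > "$DEMO_DIR/client-fixed.conf"

# Run both comparisons when executed directly.
check_pair "$DEMO_DIR/server.conf" "$DEMO_DIR/client-tlsauth.conf" || true
check_pair "$DEMO_DIR/server.conf" "$DEMO_DIR/client-fixed.conf"
```

Run it on your real files with tls_mode /path/to/server.conf and the exported client config; a "MISMATCH" line reproduces the situation in this thread, and the inline_block output is what to paste into the Advanced options box after clearing the tls-auth checkbox.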

Thanks for your reply!

It looks like opnsense does not support tls-crypt, but rather the older tls-auth.
I needed to change to tls-auth on my openvpn server to be compliant with the openvpn client on opnsense.
As usual, hours spent looking for a 5 sec fix

Still protected, but more vulnerable to unfriendly hammering.

How do I mark this as "solved"?

Regards, GeoHer

Quote from: geoher on February 19, 2021, 10:37:55 AM
Thanks for your reply!

It looks like opnsense does not support tls-crypt, but rather the older tls-auth.
I needed to change to tls-auth on my openvpn server to be compliant with the openvpn client on opnsense.
As usual, hours spent looking for a 5 sec fix

Still protected, but more vulnerable to unfriendly hammering.

How do I mark this as "solved"?

Regards, GeoHer

Did you read my answer? I gave the correct hint to bring tls-crypt up and running. No need to switch to tls-auth.

Disable the checkbox in the GUI for TLS-auth and add the tls-crypt key in the advanced/custom settings box on the same page. Like in my last answer.
,,The S in IoT stands for Security!" :)

Hi, I have the same problem, but your answer did not help me. I get the same error on the openvpn server.

tls-crypt unwrap error: packet authentication failed
TLS Error: tls-crypt unwrapping failed from [AF_INET]93.xx.xx.73:52214
Hi, I found the solution: I had to use UDP4, not UDP, in the configuration of OpenVPNClient. Now it is running.