
I am trying to set up a new device to connect to my OpenVPN server. The new device is a Linux system without a GUI. I exported the configuration file from a desktop Linux system and made the necessary changes.

The desktop system can connect to the VPN. However, the new system cannot connect. The log reports that the TLS handshake timed out. On the server I see the following entries:

TLS Error: cannot locate HMAC in incoming packet from ...

This indicates that the client has not been configured for HMAC authentication but the server expects it. However, this config was exported from a client which works and has the HMAC key configured. This is the client config:

client
remote 'vpn.example.org'
ca 'ca.pem'
cert 'cert.pem'
key 'key.pem'
cipher AES-128-CBC
dev tun
proto udp
verify-x509-name 'vpn.example.org'
tls-auth 'hmackey.pem' 1
nobind
auth-nocache
script-security 2
persist-key
persist-tun

The HMAC key is identical on all systems. What is wrong?

1 Answer


Some background: HMAC authentication is an additional security feature. Even before the handshake takes place, the client must sign the request using a pre-shared key. If the request does not bear a valid HMAC signature, the server will ignore the request. With UDP, this is equivalent to a firewall blocking traffic from that client.

In my case, after comparison with another client, the config file on the new system seems to be missing the line

auth SHA256

This was missing in the exported file from the Linux desktop box, but the config of the Android client showed it. After adding this option, the handshake works (to the point at which I am running into another, unrelated error).

Conclusion: without auth, OpenVPN either does not use HMAC authentication, or falls back to a default hash algorithm (I haven’t figured out which is the case). Either way, this will most likely result in an HMAC mismatch, causing the server to discard the client request.

I have filed a feature request with the project to throw a warning when tls-auth is specified but auth is not.
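As an added example (not from the question or the answer, and not OpenVPN project code), a small Python checker that does the comparison from the answer mechanically: it flags a client config that sets tls-auth without an explicit auth digest or key direction, and diffs the handshake-relevant directives of a known-good config against a new one. The sample configs are constructed from the question's config; the set of directives compared is an assumption.

```python
import shlex

# Directives that must agree with the server for the pre-TLS HMAC check to
# pass; the digest named by `auth` is the one tls-auth uses for its HMAC.
HANDSHAKE_DIRECTIVES = ("auth", "tls-auth", "tls-crypt", "key-direction", "cipher", "proto")

# Constructed sample: the question's config (no `auth`) and a working reference.
NEW_CLIENT_CONFIG = """client
remote 'vpn.example.org'
tls-auth 'hmackey.pem' 1
cipher AES-128-CBC
proto udp
"""
REFERENCE_CONFIG = NEW_CLIENT_CONFIG + "auth SHA256\n"

def parse_config(text):
    """Map directive -> argument list for OpenVPN's line-oriented syntax.
    Skips comments (#, ;) and blank lines; shlex handles the quoted values.
    Inline <ca>...</ca> style blocks are not handled here."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        directives[parts[0]] = parts[1:]
    return directives

def lint_client_config(text):
    """Warnings for settings that make the server silently drop the client's
    packets ("cannot locate HMAC in incoming packet")."""
    cfg, warnings = parse_config(text), []
    if "tls-auth" in cfg:
        if "auth" not in cfg:
            warnings.append("tls-auth without explicit auth: the HMAC digest is "
                            "left to the default and may not match the server")
        if len(cfg["tls-auth"]) < 2 and "key-direction" not in cfg:
            warnings.append("tls-auth without a key direction (2nd argument or key-direction)")
    return warnings

def diff_handshake_settings(reference_text, new_text):
    """The manual comparison from the answer, done mechanically: returns
    directive -> (reference_args, new_args) for every differing directive."""
    ref, new = parse_config(reference_text), parse_config(new_text)
    return {d: (ref.get(d), new.get(d))
            for d in HANDSHAKE_DIRECTIVES if ref.get(d) != new.get(d)}
```

Running `diff_handshake_settings` on a working client's config and the failing one points straight at the missing `auth SHA256` line.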
