openvpn Extra HMAC authorization (tls-auth)

octopus

I'm testing the openvpn "Extra HMAC authorization (tls-auth)" function with incoming 0, outgoing 1 and bi-directional.

When using bi-directional, everything is working.
Using incoming 0 for the server seems not to work; I get a tls-error in the log.

What is the right setup for this?

Is there any answer for this? It was asked before:
http://forums.smallnetbuilder.com/showthread.php?t=16936

Octopus
 
You should configure the client also. If you configure the server as "incoming 0", the client should have the following line included in the config file (client.ovpn):

tls-auth ta.key 1

The rules are very simple - if the server is "0" the client should be "1" and vice versa.
 
Yep, I have done that, with no go. I'm using "inline" keys in the .ovpn.
In RMerlin that key is named static.key
 

Could you post your client.ovpn file here and a screenshot of your server configuration? You may mask the sensitive information like IP addresses, keys, etc.
 

Code:
client
dev tun
proto udp
remote all.dnsomatic.com 1194  <= I have edited this to my ddns service
float
cipher BF-CBC
comp-lzo adaptive
keepalive 15 60
<ca>
.
</ca>
<cert>
    paste client certificate data here
</cert>
<key>
    paste client key data here
</key>
<tls-auth>
.
</tls-auth>
ns-cert-type server
resolv-retry infinite
nobind
Code:
# Automatically generated configuration
daemon
server 10.8.0.0 255.255.255.0
proto udp
port 1194
dev tun21
cipher BF-CBC
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0"
client-config-dir ccd
client-to-client
push "dhcp-option DNS 192.168.1.1"
tls-auth static.key
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status

# Custom Configuration
ca /mnt/rt-ac68u/openvpn/server1/ca.crt
dh /mnt/rt-ac68u/openvpn/server1/dh.pem
cert /mnt/rt-ac68u/openvpn/server1/server.crt
key /mnt/rt-ac68u/openvpn/server1/server.key
tls-auth /mnt/rt-ac68u/openvpn/server1/static.key
 
Concerning client configuration generally I do not support using "inline" keys in .ovpn files. Putting the keys in the configuration file exposes you to a risk of unintentional changes. It is much better to use a reference to a file like in your server configuration.

So my proposal is to change your approach. In that case the "tls-auth" line in the client.ovpn should be:

tls-auth static.key 1
 

Thanks

After some more testing I got it to work with the dropdown menu.
The menu is working and gives this in the server config file:
Code:
bi-directional  =>  tls-auth static.key
incoming 0  =>	tls-auth static.key 0 <= server
incoming 1  =>	tls-auth static.key 1 <= client
I really don't know what the problem was; probably my fault.
 

For servers it should be a "zero" in the line while for clients it is "one". The drop-down menu is just for convenience when configuring the server. Enjoy your new configuration :)
 

Hm, thanks.
I was in too much of a hurry when writing this; I have changed my post to avoid confusion.
But it's working both ways: you can give the server 0 or 1 and your client the opposite of your setting. Strange.
In the server configuration, add:
tls-auth ta.key 0

In the client configuration, add:
tls-auth ta.key 1
 

The "0" or "1" is a "key-direction" parameter. In the official OpenVPN guide it is recommended that "0" is for server and "1" is for client. But it can work in reverse order indeed.

BTW I found the reason your initial configuration had failed. If you use "inline" keys, the "key-direction" parameter can not be provided in the form "tls-auth ta.key 0/1", so it should be provided on a separate line in the form "key-direction 0/1" before the "inline" key. That's the reason you failed initially.
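To show why the two sides must be complementary (0 and 1, or both omitted), here is an added example that is not from this thread or from OpenVPN itself: a simplified model of the key-direction semantics in which each side derives a send key and a receive key from a constructed static key and the other side checks the HMAC with its own receive key.

```python
import hashlib
import hmac

# Constructed stand-in for static.key: two independent HMAC keys, K0 and K1.
# This is a simplified model of the --key-direction semantics described in the
# OpenVPN manual (each side has a send key and a receive key), not OpenVPN's
# own key-splitting code; a real static.key is one 2048-bit blob.
_BLOB = hashlib.sha512(b"constructed demo static key, not a real one").digest()
K0, K1 = _BLOB[:32], _BLOB[32:]

def hmac_keys(direction):
    """(send_key, receive_key) for a peer with the given key direction.
    None models the 'bi-directional' menu entry, i.e. no direction parameter."""
    if direction is None:
        return K0, K0
    if direction == 0:
        return K0, K1
    if direction == 1:
        return K1, K0
    raise ValueError("key-direction must be 0, 1 or omitted")

def tag(key, packet):
    """tls-auth wraps every control packet in an HMAC; SHA1 is OpenVPN's default --auth."""
    return hmac.new(key, packet, hashlib.sha1).digest()

def handshake_ok(server_dir, client_dir, packet=b"constructed control packet"):
    """Would the server accept the client's first packet and the client accept
    the server's reply? Anything else shows up as a tls-error in the log."""
    s_send, s_recv = hmac_keys(server_dir)
    c_send, c_recv = hmac_keys(client_dir)
    client_to_server = hmac.compare_digest(tag(c_send, packet), tag(s_recv, packet))
    server_to_client = hmac.compare_digest(tag(s_send, packet), tag(c_recv, packet))
    return client_to_server and server_to_client

if __name__ == "__main__":
    for s, c in [(0, 1), (1, 0), (0, 0), (None, None), (None, 1)]:
        print(f"server {s!s:>4}  client {c!s:>4}  ->  {'OK' if handshake_ok(s, c) else 'tls-error'}")
```

Running it shows that 0/1 and 1/0 both succeed (which is why the reversed order in the thread also worked), while 0/0 and a bi-directional server with a direction-1 client fail.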
 
Yes, I know that; it needs a separate parameter, but I have mine after all keys/certificates. This way I get my Android with openvpn in TUN mode working. There you must have all parameters that are in the "suite alternative" at the end of the .ovpn config.

client
dev tun
proto udp
remote all.dnsomatic.com 1194
float
cipher BF-CBC
comp-lzo adaptive
keepalive 15 60
<ca>
.
</ca>
<cert>
paste client certificate data here
</cert>
<key>
paste client key data here
</key>
<tls-auth>
.
</tls-auth>
key-direction 1
ns-cert-type server
resolv-retry infinite
nobind
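The rule from the reply above (direction after the file name for "tls-auth FILE", a separate "key-direction" line for an inline <tls-auth> block) can be checked mechanically before a client ever connects. This is an added example, not code from this thread or from OpenVPN; the sample configs are constructed in the shape of the ones posted above, with the key bodies replaced by a placeholder.

```python
import re

# Constructed samples shaped like the configs posted in this thread (key bodies
# replaced by a placeholder); the server path is the one from the server config above.
SERVER_INCOMING_0 = "server 10.8.0.0 255.255.255.0\ntls-auth /mnt/rt-ac68u/openvpn/server1/static.key 0\n"
CLIENT_INLINE_OK = "client\n<tls-auth>\n(constructed key placeholder)\n</tls-auth>\nkey-direction 1\n"
CLIENT_INLINE_NO_DIR = "client\n<tls-auth>\n(constructed key placeholder)\n</tls-auth>\n"

def parse_ovpn(text):
    """Split an .ovpn into option token lists and the bodies of inline <tag> blocks."""
    options, inline, block, body = [], {}, None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if m and not m.group(1):          # opening tag such as <tls-auth>
            block, body = m.group(2), []
        elif m:                           # closing tag
            inline[block], block = "\n".join(body), None
        elif block is not None:
            body.append(line)
        else:
            options.append(line.split())
    return options, inline

def tls_auth_direction(text):
    """Effective key direction: 0, 1, or None for bi-directional.
    Rule from the thread: with 'tls-auth FILE' the direction may follow the file
    name; with an inline <tls-auth> block it must be a separate 'key-direction N'
    line (before or after the block), never on the tls-auth line."""
    options, inline = parse_ovpn(text)
    tls_auth = [o[1:] for o in options if o[0] == "tls-auth"]
    key_dir = [int(o[1]) for o in options if o[0] == "key-direction"]
    if "tls-auth" in inline:
        if any(len(args) > 1 for args in tls_auth):
            raise ValueError("inline key: put the direction on a 'key-direction' line")
        return key_dir[-1] if key_dir else None
    if not tls_auth:
        raise ValueError("no tls-auth configured")
    if key_dir:
        return key_dir[-1]
    return int(tls_auth[-1][1]) if len(tls_auth[-1]) > 1 else None

def complementary(server_cfg, client_cfg):
    """True when both sides will accept each other's HMAC: either both omit the
    direction (bi-directional) or one side is 0 and the other 1."""
    s, c = tls_auth_direction(server_cfg), tls_auth_direction(client_cfg)
    return (s is None and c is None) or (s is not None and c is not None and s != c)
```

For the first client config posted in this thread (inline key, no key-direction line) against an "incoming 0" server, complementary() returns False, which is the mismatch behind the original tls-error.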
 
Thanks for pointing this out.
Always nice to work on your own defence. :D

When I switched on "Extra HMAC authorization" -> "Incoming (0)", the router generated a static key automatically.
This is nice, but I always like to generate my own keys.

So I ran "openvpn.exe --genkey --secret static.key" on my laptop.
I pasted the key into the router and the client.ovpn file,
including the "key-direction 1" line in the client.ovpn file.

Works like a dream. :)
 
