From owner-freebsd-net@FreeBSD.ORG Fri Feb 20 04:17:11 2009
Date: Thu, 19 Feb 2009 19:54:34 -0800
From: PGNet <pgnet.trash@gmail.com>
To: freebsd-net@freebsd.org
Subject: openvpn "HMAC auth" and TLS errors @ client connect?
i'm taking a stab at setup of,

  openvpn --version
    OpenVPN 2.0.6 i386-portbld-freebsd6.3 [SSL] [LZO] built on Jul 18 2008

on a client's (read: i don't want to fubar this box!) headless router/firewall (running fbsd pf) box,

  uname -r
    6.3-RELEASE-p3

i've setup,

  rc.conf
    openvpn_enable="YES"
    openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
    openvpn_if="tun"

@ server, "/usr/local/etc/openvpn/openvpn.conf"
--------
server 172.30.7.0 255.255.255.0
dev tun1
proto udp
port 22222
dh   /usr/local/etc/openvpn/dh2048.pem
ca   /usr/local/etc/openvpn/mydomain.com.CA.cert.rsa.pem
cert /usr/local/etc/openvpn/server.cert.rsa.pem
key  /usr/local/etc/openvpn/server.key.rsa.pem
tls-auth /usr/local/etc/openvpn/ta.key 0
client-config-dir /usr/local/etc/openvpn/ccd
ccd-exclusive
max-clients 2
max-routes-per-client 128
connect-freq 3 60
cipher AES-256-CBC
client-to-client
comp-lzo
keepalive 15 120
persist-key
persist-tun
status openvpn-status.log
verb 4
--------

@ client, ".../openvpn.conf"
--------
tls-client
tls-remote ho3.mydomain.com
remote 99.xx.xx.xx 22222
dev tun
proto udp
resolv-retry infinite
keepalive 15 120
nobind
persist-key
persist-tun
ca   /usr/local/etc/openvpn/mydomain.com.CA.cert.rsa.pem
cert /usr/local/etc/openvpn/client.cert.rsa.pem
key  /usr/local/etc/openvpn/client.key.rsa.pem
tls-auth /usr/local/etc/openvpn/ta.key 1
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 4
pull
--------

@ server,

  /usr/local/etc/rc.d/openvpn start
    Starting openvpn.
    add net 172.30.7.0: gateway 172.30.7.2

@ client connect, client logs show,

  ...
  Thu 02/19/09 07:28 PM: Control Channel Authentication: using '/usr/local/etc/openvpn/ta.key' as a OpenVPN static key file
  Thu 02/19/09 07:28 PM: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
  Thu 02/19/09 07:28 PM: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
  Thu 02/19/09 07:28 PM: LZO compression initialized
  Thu 02/19/09 07:28 PM: Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
  Thu 02/19/09 07:28 PM: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
  Thu 02/19/09 07:28 PM: tls-client'
  Thu 02/19/09 07:28 PM: tls-server'
  Thu 02/19/09 07:28 PM: Local Options hash (VER=V4): '504e774e'
  Thu 02/19/09 07:28 PM: Expected Remote Options hash (VER=V4): '14168603'
  Thu 02/19/09 07:28 PM: Socket Buffers: R=[42080->65536] S=[9216->65536]
  Thu 02/19/09 07:28 PM: UDPv4 link local: [undef]
  Thu 02/19/09 07:28 PM: UDPv4 link remote: 99.xx.xx.xx:22222
  Thu 02/19/09 07:28 PM:

@ server syslog,

  Feb 19 19:28:21 server openvpn[3947]: Authenticate/Decrypt packet error: packet HMAC authentication failed
  Feb 19 19:28:21 server openvpn[3947]: TLS Error: incoming packet authentication failed from 192.168.1.6:51365

i tried to follow what online help i could find, but have clearly missed something.

any suggestions as to what to fix?

not sure what info to provide; happy to provide what's needed.

thanks.
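The "packet HMAC authentication failed" error above comes from the tls-auth check on the control channel: each side signs outgoing control packets with one half of ta.key and verifies incoming ones with the other half, and the trailing 0/1 in the tls-auth line selects which half is which. The script below is an added example (not from the post or the OpenVPN project) that models that key split so the two failure modes can be checked offline: both sides using the same direction, or the two ta.key files not being identical. It assumes the OpenVPN 2.x static-key layout (two 128-byte slots, each a 64-byte cipher key followed by a 64-byte HMAC key, SHA1 taking the first 20 HMAC bytes) and simplifies the packet framing to tag-plus-payload; the key files and packet are constructed.

```python
import hashlib
import hmac

# Assumed OpenVPN 2.x 'struct key2' layout of a 256-byte static key.
KEY_LEN, SLOT_LEN, CIPHER_LEN = 256, 128, 64
HMAC_LEN = hashlib.sha1().digest_size  # SHA1 -> 20-byte HMAC key, as in the post's logs

def parse_static_key(text: str) -> bytes:
    """Parse the hex body of an 'OpenVPN Static key V1' file into 256 raw bytes."""
    body = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith(("-----", "#"))]
    key = bytes.fromhex("".join(body))
    if len(key) != KEY_LEN:
        raise ValueError(f"expected {KEY_LEN} key bytes, got {len(key)}")
    return key

def hmac_keys(key: bytes, direction: int):
    """(send_key, recv_key): direction 0 sends with slot 0 and receives with slot 1; 1 is the inverse."""
    def slot(i):
        start = i * SLOT_LEN + CIPHER_LEN
        return key[start:start + HMAC_LEN]
    return (slot(0), slot(1)) if direction == 0 else (slot(1), slot(0))

def sign(key: bytes, direction: int, packet: bytes) -> bytes:
    send_key, _ = hmac_keys(key, direction)
    return hmac.new(send_key, packet, hashlib.sha1).digest() + packet

def verify(key: bytes, direction: int, wire: bytes) -> bool:
    _, recv_key = hmac_keys(key, direction)
    tag, packet = wire[:HMAC_LEN], wire[HMAC_LEN:]
    return hmac.compare_digest(tag, hmac.new(recv_key, packet, hashlib.sha1).digest())

def fingerprint(key: bytes) -> str:
    """Short digest to compare the ta.key on both hosts without copying it around."""
    return hashlib.sha256(key).hexdigest()[:16]

def make_key_file(seed: bytes) -> str:
    """Constructed: a deterministic 256-byte key in static-key file format (16 bytes per line)."""
    raw = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(8))
    lines = [raw[i:i + 16].hex() for i in range(0, KEY_LEN, 16)]
    return ("-----BEGIN OpenVPN Static key V1-----\n" + "\n".join(lines)
            + "\n-----END OpenVPN Static key V1-----\n")

def handshake_ok(server_file: str, server_dir: int, client_file: str, client_dir: int) -> bool:
    """Does a control packet pass the peer's tls-auth check in both directions?"""
    srv, cli = parse_static_key(server_file), parse_static_key(client_file)
    pkt = b"P_CONTROL_HARD_RESET (constructed payload)"
    return (verify(srv, server_dir, sign(cli, client_dir, pkt))
            and verify(cli, client_dir, sign(srv, server_dir, pkt)))
```

With the post's settings (server 0, client 1) and one shared file, handshake_ok returns True; the same direction on both ends, or two different files, reproduces the HMAC failure, so comparing fingerprint() output on both hosts is the quick check.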