TinCanTech / easy-tls

Manage and Inline OpenVPN TLS keys and Easy-RSA PKI credentials. Supports OpenVPN TLS-Crypt-V2 key system and OpenVPN Peer-Fingerprint mode.
GNU General Public License v2.0

Error with EasyTLS-client-connect #287

Closed Hylosium closed 2 years ago

Hylosium commented 2 years ago

Good afternoon,

I'm trying to set up Easy-TLS with OpenVPN, and I'm almost done, but at the final step, when the client wants to connect, it gets this error:

2022-05-08 18:05:36 SENT CONTROL [openvpn-server]: 'PUSH_REQUEST' (status=1)
2022-05-08 18:05:37 AUTH: Received control message: AUTH_FAILED
2022-05-08 18:05:37 SIGTERM[soft,auth-failure] received, process exiting

Full Initialization Client .inline file

I have installed: OpenVPN 2.5.5-1ubuntu3, Easy-TLS 2.0.8, Easy-RSA 3.0.8-1ubuntu1, OpenSSL 3.0.2-0ubuntu1.1.

I'm working on Ubuntu 22.04 LTS.

And this is the error from the server:

Easy-TLS version: 2.8.0

* EasyTLS-client-connect ERROR: Unknown option: -l
2022-05-08 15:58:15 myclient1/185.44.147.181:62410 WARNING: Failed running command (--client-connect): external program exited with error status: 21
2022-05-08 15:58:16 myclient1/185.44.147.181:62410 PUSH: Received control message: 'PUSH_REQUEST'
2022-05-08 15:58:16 myclient1/185.44.147.181:62410 Delayed exit in 5 seconds
2022-05-08 15:58:16 myclient1/185.44.147.181:62410 SENT CONTROL [myclient1]: 'AUTH_FAILED' (status=1)
2022-05-08 15:58:22 myclient1/185.44.147.181:62410 SIGTERM[soft,delayed-exit] received, client-instance exiting

Full Initialization

From what I have read inside easytls-client-connect.sh, I'm getting error 21 because of "-l", and it says:

21 - USER ERROR Disallow connection, options error.

But I just executed the ./easytls script and left everything at the defaults.

This is my easytls-script.conf, but I think it is okay.

# Easy-TLS script configuration

tmp-dir '/tmp'
tls-export-cert '/tmp'

# If your clients have username/password then set this to level 3
script-security 2

tls-crypt-v2-verify '/etc/openvpn/easy-rsa/easytls-cryptv2-verify.sh -l=/etc/openvpn/easyrsa/easytls-cryptv2-verify.vars -c=/etc/openvpn/easy-rsa/pki'
client-connect '/etc/openvpn/easy-rsa/easytls-client-connect.sh -v -l=/etc/openvpn/easyrsa/easytls-client-connect.vars -M'
client-disconnect '/etc/openvpn/easy-rsa/easytls-client-disconnect.sh -v -l=/etc/openvp/easyrsa/easytls-client-disconnect.vars'

And this is my easytls-client-connect.vars:

#233 This issue seems to have a similar problem to mine, but on Windows 10.

What can cause this error and what can I do to solve it? Do you need my server.conf? If you need me to provide anything more, I will do it.

Some months back I already set up OpenVPN 2.5.5 and Easy-TLS 2.0.6 successfully, and it is still working today, but I do not know how to solve the problem I'm having now. Greetings.

TinCanTech commented 2 years ago

Error number 21 means there is an options error in your EasyTLS Server config file.

Please post the command which you use to call the client connect script.

Hylosium commented 2 years ago

I use this line inside server.conf to call easytls-script.conf:

config /etc/openvpn/easy-rsa/easytls-script.conf

This is my server.conf, just in case I'll post it also.

I think I do not use any command written by myself, but inside easytls-script.conf the client-connect script is called with:

client-connect '/etc/openvpn/easy-rsa/easytls-client-connect.sh -v -l=/etc/openvpn/easy-rsa/easytls-client-connect.vars -M'

Or what do you need me to post? Thank you for the fast response.

TinCanTech commented 2 years ago

Your command needs some options.

The simplest option is to use -s and then get easytls-client-connect.vars from the repo.

TinCanTech commented 2 years ago

I shall prepare a wiki because this is not well documented.

TinCanTech commented 2 years ago

https://github.com/OpenVPN/easy-rsa/issues/560

Hylosium commented 2 years ago

Oh, okay, so another solution would be downgrading to OpenSSL 1.1.1 or installing it alongside the 3.0 version?

But with the -s option, how should I add it to the command? Like this: client-connect /etc/openvpn/easy-rsa/easytls-client-connect.sh -s =/etc/openvpn/easy-rsa/easytls-client-connect.vars -M ?

(It was not my intention to close the issue, it's just that the buttons are too close.)

TinCanTech commented 2 years ago

To use -s, do it like so, in your OpenVPN server config or Easy-TLS server config:

client-connect /etc/openvpn/easy-rsa/easytls-client-connect.sh -s

The -s will then load the default vars file for --client-connect or fail.

Hylosium commented 2 years ago

Good afternoon,

I tried the -s option, but I'm just getting flooded with this text over and over in the logs:

Full log of my server

2022-05-09 22:56:07 myclient1/185.44.147.181:63552 Authenticate/Decrypt packet error: packet HMAC authentication failed
2022-05-09 22:56:07 myclient1/185.44.147.181:63552 Authenticate/Decrypt packet error: packet HMAC authentication failed

As they say on https://github.com/OpenVPN/easy-rsa/issues/560 (one link they posted), I will try to build OpenVPN with OpenSSL 1.1.1, or use another OS with a lower version of OpenSSL and start from scratch.

Thanks, I will update this issue with what I've done; maybe it can help someone else.

TinCanTech commented 2 years ago

You don't need to build openvpn, all you need is the correct settings.

Hylosium commented 2 years ago

> You don't need to build openvpn, all you need is the correct settings.

But which ones? Do you mean correcting options from OpenVPN, from Easy-RSA or from Easy-TLS?

I already tried using -s, but even though the client now connects to the server, it gives another error.

Or what do you mean with correct settings?

TinCanTech commented 2 years ago

You are using option -s with no parameter, which means EasyTLS client-connect will source the default vars-file, easytls-client-connect.vars, or fail to load.

Now all you need to do is edit the vars file with your settings.

Hylosium commented 2 years ago

> You are using option -s with no parameter, which means EasyTLS client-connect will source the default vars-file, easytls-client-connect.vars, or fail to load.
>
> Now all you need to do is edit the vars file with your settings.

Solved

Really, thank you, the option was quite helpful. In the end I did not edit easytls-client-connect.vars, nor did I build my own OpenVPN. I've been reading through the script easytls-client-connect.sh and I have learned that you can also use -s to reference the source path of easytls-client-connect.vars.

In the end, I solved the first error, about "Unknown option: -l", by changing -l to -s. So now my easytls-script.conf looks like this:

# Easy-TLS script configuration

tmp-dir '/tmp'
tls-export-cert '/tmp'

# If your clients have username/password then set this to level 3
script-security 2

tls-crypt-v2-verify '/etc/openvpn/easy-rsa/easytls-cryptv2-verify.sh -s=/etc/openvpn/easy-rsa/easytls-cryptv2-verify.vars -c=/etc/openvpn/easy-rsa/pki'
client-connect '/etc/openvpn/easy-rsa/easytls-client-connect.sh -v -s=/etc/openvpn/easy-rsa/easytls-client-connect.vars -a'
client-disconnect '/etc/openvpn/easy-rsa/easytls-client-disconnect.sh -v -s=/etc/openvpn/easy-rsa/easytls-client-disconnect.vars'

Before, the lines were:

tls-crypt-v2-verify '/etc/openvpn/easy-rsa/easytls-cryptv2-verify.sh -l=/etc/openvpn/easy-rsa/easytls-cryptv2-verify.vars -c=/etc/openvpn/easy-rsa/pki'
client-connect '/etc/openvpn/easy-rsa/easytls-client-connect.sh -v -l=/etc/openvpn/easy-rsa/easytls-client-connect.vars -a'
client-disconnect '/etc/openvpn/easy-rsa/easytls-client-disconnect.sh -v -l=/etc/openvpn/easy-rsa/easytls-client-disconnect.vars'

As you can see, I also changed it for client-disconnect and tls-crypt-v2-verify. tls-crypt-v2-verify did not give me any error when using -l, but client-disconnect was giving me the same error 21 - USER ERROR Disallow connection, options error, so I decided to change both. But I do not understand what the -l option is for; could you explain it to me please?

This is what these other options mean; I post it just in case someone has the same error and needs a bit of info.

-s : You can either specify a path or leave it empty and it will load a default config.
-c : Specify the CA directory.
-v : Verbose option, gives more info when running.
-a : Allow the connection even if the client did not use --push-peer-info.

Solution for my second error:

Problem: a bad configuration of server.conf and the client configurations was giving me this error:

Authenticate/Decrypt packet error: packet HMAC authentication failed

Solution: use the same cipher for both the server and the client configuration. That was my problem. Now in my server.conf I added these two lines:

cipher 'AES-256-CTR'
data-ciphers-fallback 'AES-256-CBC'

And in my client configuration (the .inline file) I added this line:

data-ciphers AES-256-CTR:AES-256-GCM

Now it is working correctly, thank you.

If you can reply to me about what the -l option means, I would appreciate it; if not, I think we can close the issue.
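The cipher mismatch described above is the kind of thing a static check catches before the first client ever connects. The following POSIX sh script is an added example; it is not part of this issue, of OpenVPN or of Easy-TLS. It reads the cipher, data-ciphers and data-ciphers-fallback directives from a server and a client config (the sample files are constructed here, not the reporter's) and predicts which data cipher the two sides would agree on. The negotiation rule is a simplified model of OpenVPN 2.5 behaviour, stated as an assumption: a side offers its data-ciphers list, or else the 2.5 default list AES-256-GCM:AES-128-GCM with a lone cipher value appended, and the server takes the first entry of its own list that the client also offers. All function names are the example's own.

```sh
#!/bin/sh
# Added example (not Easy-TLS or OpenVPN code): static check that a server
# and a client OpenVPN config share at least one data cipher, the mismatch
# behind "packet HMAC authentication failed" in this thread.

# OpenVPN 2.5 default data-ciphers list (assumption used by the model).
DEFAULT_DATA_CIPHERS="AES-256-GCM:AES-128-GCM"

# directive_value FILE DIRECTIVE: print DIRECTIVE's value from FILE with any
# surrounding single or double quotes removed; print nothing if it is unset.
directive_value() {
    awk -v key="$2" '
        $1 == key { v = $2; gsub(/^["'\'']|["'\'']$/, "", v); print v; exit }
    ' "$1"
}

# in_list NAME LIST: succeed if NAME is an entry of the colon-separated LIST.
in_list() {
    case ":$2:" in
    *":$1:"*) return 0 ;;
    *)        return 1 ;;
    esac
}

# effective_ciphers FILE: the list a side offers for negotiation under the
# model: explicit data-ciphers, else the default list plus a lone "cipher".
effective_ciphers() {
    list=$(directive_value "$1" data-ciphers)
    legacy=$(directive_value "$1" cipher)
    if [ -z "$list" ]; then
        list="$DEFAULT_DATA_CIPHERS"
        if [ -n "$legacy" ] && ! in_list "$legacy" "$list"; then
            list="$list:$legacy"        # 2.5 compat behaviour (assumption)
        fi
    fi
    printf '%s\n' "$list"
}

# negotiated_cipher SERVER_CONF CLIENT_CONF: print the first server cipher the
# client also offers; print NONE and return 1 when the lists do not overlap.
negotiated_cipher() {
    server_list=$(effective_ciphers "$1")
    client_list=$(effective_ciphers "$2")
    rest="$server_list:"
    while [ -n "$rest" ]; do
        c="${rest%%:*}"
        rest="${rest#*:}"
        if [ -n "$c" ] && in_list "$c" "$client_list"; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    printf 'NONE\n'
    return 1
}

# Constructed sample configs (not the reporter's files). "server-bad" offers a
# cipher the client never lists; "server-good" follows the thread's fix.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/server-bad.conf" <<'EOF'
port 1194
data-ciphers AES-256-CBC
EOF
cat > "$DEMO_DIR/server-good.conf" <<'EOF'
port 1194
cipher 'AES-256-CTR'
data-ciphers-fallback 'AES-256-CBC'
EOF
cat > "$DEMO_DIR/client.conf" <<'EOF'
client
data-ciphers AES-256-CTR:AES-256-GCM
EOF

# Demo run: one line per server config, NONE flags the broken pairing.
for s in server-bad server-good; do
    printf '%s vs client: ' "$s"
    negotiated_cipher "$DEMO_DIR/$s.conf" "$DEMO_DIR/client.conf" || true
done
```

Note what the model predicts for the "good" pairing: the negotiated cipher is AES-256-GCM, not the AES-256-CTR named in cipher, because the server's default list is searched first and the client offers GCM too. data-ciphers-fallback only matters for a peer that cannot negotiate at all, so the check reads it but does not use it in the prediction.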

TinCanTech commented 2 years ago

There is no -l option because it was replaced by -s option.

I need to update the menu to build that config file.
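To make the exit-code convention in this thread concrete, here is an added illustration in POSIX sh. It is not the Easy-TLS client-connect script, only a minimal parser with the same shape: -s alone sources a default vars file, -s=path sources the named file, -v, -a and -c= are accepted, and anything else (such as the old -l spelling) is reported as an unknown option and rejected with status 21, the options-error class quoted above. The function name, the demo vars files and the exact messages are this example's own, and the default vars path is a constructed scratch file rather than the file shipped in the repo.

```sh
#!/bin/sh
# Added illustration (not Easy-TLS code): a client-connect style option
# parser that accepts -s[=path], -v, -a, -c=<dir> and rejects unknown
# options with exit status 21, the "USER ERROR options error" class.

EXIT_OK=0
EXIT_OPTIONS_ERROR=21

# Scratch directory with two constructed vars files (not repo files).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEFAULT_VARS="$DEMO_DIR/demo-client-connect.vars"
CUSTOM_VARS="$DEMO_DIR/custom.vars"
printf '%s\n' 'DEMO_SETTING=default' > "$DEFAULT_VARS"
printf '%s\n' 'DEMO_SETTING=custom'  > "$CUSTOM_VARS"

# parse_demo_options ARGS...: on success source the chosen vars file and
# print the resolved settings; on any unknown option, or a named vars file
# that does not exist, print a diagnostic to stderr and return 21 without
# sourcing anything.
parse_demo_options() {
    unset DEMO_SETTING
    vars_file=""
    verbose=0
    allow_no_peer_info=0
    ca_dir=""
    for opt in "$@"; do
        case "$opt" in
        -s)    vars_file="$DEFAULT_VARS" ;;     # bare -s: default vars file
        -s=*)  vars_file="${opt#-s=}" ;;        # -s=path: explicit vars file
        -c=*)  ca_dir="${opt#-c=}" ;;
        -v)    verbose=1 ;;
        -a)    allow_no_peer_info=1 ;;
        *)
            printf '* demo-client-connect ERROR: Unknown option: %s\n' "$opt" >&2
            return "$EXIT_OPTIONS_ERROR"
            ;;
        esac
    done
    if [ -n "$vars_file" ] && [ ! -f "$vars_file" ]; then
        printf '* demo-client-connect ERROR: vars file not found: %s\n' "$vars_file" >&2
        return "$EXIT_OPTIONS_ERROR"
    fi
    if [ -n "$vars_file" ]; then
        . "$vars_file"
    fi
    printf 'vars=%s verbose=%s allow=%s ca=%s setting=%s\n' \
        "$vars_file" "$verbose" "$allow_no_peer_info" "$ca_dir" "${DEMO_SETTING:-none}"
    return "$EXIT_OK"
}

# Demo run: the -s spelling is accepted, the -l spelling is rejected with 21.
parse_demo_options -v -s -a
parse_demo_options -v "-l=$CUSTOM_VARS" || echo "exit status $?"
```

Because the rejection happens before any file is sourced, a misspelt option fails closed: the script never reaches the point where it would decide to allow the client, which is exactly the behaviour OpenVPN reported above as "external program exited with error status: 21" followed by AUTH_FAILED.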

TinCanTech commented 2 years ago

Testing welcome ;-)

Hylosium commented 2 years ago

Just cloned from the repo (14/05/2022), working great now. Thank you 😁.

Should I close the issue?

TinCanTech commented 2 years ago

If you are satisfied that things are working the way you expect then this can be closed. If you find new problems then please open more issues here.