Closed Hylosium closed 2 years ago
Error number 21 means there is an options error in your EasyTLS Server config file.
Please post the command which you use to call the client connect script.
I use this line inside server.conf to call the easytls-script.conf
config /etc/openvpn/easy-rsa/easytls-script.conf
This is my server.conf, just in case I'll post it also.
I think I do not use any command made by me, but inside easytls-script.conf, the client-connect script is called with
client-connect '/etc/openvpn/easy-rsa/easytls-client-connect.sh -v -l=/etc/openvpn/easy-rsa/easytls-client-connect.vars -M'
Or what do you need me to post? Thank you for that fast response.
Your command needs some options. The simplest option is to use the -s and then get easytls-client-connect.vars from the repo.
I shall prepare a wiki because this is not well documented.
Oh, okay, another solution would be downgrading to OpenSSL 1.1.1 or installing it alongside the 3.0 version?
But, with the -s option, how should I add it to the command? Like this?
client-connect /etc/openvpn/easy-rsa/easytls-client-connect.sh -s =/etc/openvpn/easy-rsa/easytls-client-connect.vars -M
(It was not my intention to close the issue, it's just that the buttons are too close together.)
To use -s, do it like so, in your OpenVPN server config or Easy-TLS server config:
client-connect /etc/openvpn/easy-rsa/easytls-client-connect.sh -s
The -s will then load the default vars file for --client-connect or fail.
Good afternoon,
I tried with the -s option, but I'm just getting flooded with this text over and over in the logs:
Full log of my server
2022-05-09 22:56:07 myclient1/185.44.147.181:63552 Authenticate/Decrypt packet error: packet HMAC authentication failed
2022-05-09 22:56:07 myclient1/185.44.147.181:63552 Authenticate/Decrypt packet error: packet HMAC authentication failed
As they say on https://github.com/OpenVPN/easy-rsa/issues/560 (a link they posted), I will try to build OpenVPN with OpenSSL 1.1.1, or else use another OS with a lower version of OpenSSL and start from scratch.
Thanks, will update this issue with what I've done, maybe it can help someone else.
You don't need to build openvpn, all you need is the correct settings.
But which ones? Do you mean the correct options for OpenVPN, for Easy-RSA or for Easy-TLS?
I already tried using -s, and even though the client now connects to the server, it gives another error.
Or what do you mean with correct settings?
You are using option -s with no parameter, which means EasyTLS client-connect will source the default vars-file, easytls-client-connect.vars, or fail to load.
Now all you need to do is edit the vars file with your settings.
Solved
Thank you very much, the option was quite helpful. In the end I neither edited easytls-client-connect.vars nor built my own OpenVPN.
I've been reading through the script easytls-client-connect.sh and I have learned that you can also use -s to reference the source path of easytls-client-connect.vars.
In the end, I solved the first error, about "Unknown option: -l", by changing -l to -s.
So now my easytls-script.conf looks like this.
# Easy-TLS script configuration
tmp-dir '/tmp'
tls-export-cert '/tmp'
# If your clients have username/password then set this to level 3
script-security 2
tls-crypt-v2-verify '/etc/openvpn/easy-rsa/easytls-cryptv2-verify.sh -s=/etc/openvpn/easy-rsa/easytls-cryptv2-verify.vars -c=/etc/openvpn/easy-rsa/pki'
client-connect '/etc/openvpn/easy-rsa/easytls-client-connect.sh -v -s=/etc/openvpn/easy-rsa/easytls-client-connect.vars -a'
client-disconnect '/etc/openvpn/easy-rsa/easytls-client-disconnect.sh -v -s=/etc/openvpn/easy-rsa/easytls-client-disconnect.vars'
Before, the lines were like this:
tls-crypt-v2-verify '/etc/openvpn/easy-rsa/easytls-cryptv2-verify.sh -l=/etc/openvpn/easy-rsa/easytls-cryptv2-verify.vars -c=/etc/openvpn/easy-rsa/pki'
client-connect '/etc/openvpn/easy-rsa/easytls-client-connect.sh -v -l=/etc/openvpn/easy-rsa/easytls-client-connect.vars -a'
client-disconnect '/etc/openvpn/easy-rsa/easytls-client-disconnect.sh -v -l=/etc/openvpn/easy-rsa/easytls-client-disconnect.vars'
As you can see, I also changed it for client-disconnect and tls-crypt-v2-verify.
tls-crypt-v2-verify did not give me any error when using -l, but client-disconnect was giving me the same error 21 - USER ERROR Disallow connection, options error, so I decided to change both. But I do not understand what the -l option is for; could you explain it to me please?
This is what these other options mean; I post it just in case someone has the same error and needs a bit of info.
-s: You can either specify a path or leave it empty and it will load a default config.
-c: Specify the CA directory.
-v: Verbose option, gives more info when running.
-a: Allow the connection even if the client did not use --push-peer-info.
Solution for my second error:
Problem: a bad configuration of server.conf and the client configurations was giving me this error:
Authenticate/Decrypt packet error: packet HMAC authentication failed
Solution: use the same cipher in both the server and the client configuration. That was my problem; now in my server.conf I added these two lines:
cipher 'AES-256-CTR'
data-ciphers-fallback 'AES-256-CBC'
And in my client configuration (the .inline file) I added this line:
data-ciphers AES-256-CTR:AES-256-GCM
Now it is working correctly, thank you.
If you can reply to me about what the -l option means, I would appreciate it; if not, I think we can close the issue.
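The two fixes worked out in this post (replacing the removed -l option with -s on the Easy-TLS hooks, and giving server and client a data cipher in common) can both be checked mechanically before restarting OpenVPN. The script below is an added example, not code from this thread or from the Easy-TLS project. The function names (parse_directives, lint_script_hooks, allowed_ciphers, common_ciphers) and the sample config strings are constructed for the example; the cipher check is a simplified model that only intersects the cipher names each side lists, not OpenVPN's own negotiation logic.

```python
"""Added example (not from the issue thread or the Easy-TLS project).

Two automated checks for the two fixes worked out above:
  1. Easy-TLS script hooks in easytls-script.conf that still pass the
     removed -l option (replaced by -s).
  2. A server and client whose data-channel cipher lists have no cipher in
     common, the mismatch behind the "packet HMAC authentication failed" log.

The cipher check is a simplified model: it only intersects the names each
side lists under cipher / data-ciphers / data-ciphers-fallback. It is not
OpenVPN's own negotiation logic. All config text below is constructed for
the example; the "before"/"after" hook lines mirror the ones posted above.
"""
import shlex

# OpenVPN directives that hand control to an Easy-TLS script.
SCRIPT_HOOKS = ("tls-crypt-v2-verify", "client-connect", "client-disconnect")
# Directives that name data-channel ciphers.
CIPHER_DIRECTIVES = ("cipher", "data-ciphers", "data-ciphers-fallback")


def parse_directives(text):
    """Yield (directive, [args]) for each non-comment line of config text.

    Values are split with shell quoting rules, so a single-quoted script
    command such as '/path/script.sh -v -s=/path/vars' stays one argument.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        yield parts[0], parts[1:]


def lint_script_hooks(script_conf):
    """Return one finding per hook whose command still uses the -l option."""
    findings = []
    for directive, args in parse_directives(script_conf):
        if directive not in SCRIPT_HOOKS or not args:
            continue
        # args[0] is the whole quoted command; split it into its own argv.
        opts = shlex.split(args[0])[1:]
        if any(o == "-l" or o.startswith("-l=") for o in opts):
            findings.append(directive + ": option -l was replaced by -s")
    return findings


def allowed_ciphers(conf_text):
    """Cipher names a config allows, in order of first appearance."""
    allowed = []
    for directive, args in parse_directives(conf_text):
        if directive not in CIPHER_DIRECTIVES or not args:
            continue
        for name in args[0].split(":"):
            name = name.strip().upper()
            if name and name not in allowed:
                allowed.append(name)
    return allowed


def common_ciphers(server_conf, client_conf):
    """Ciphers both sides allow, in the server's order. Empty means mismatch."""
    client = set(allowed_ciphers(client_conf))
    return [c for c in allowed_ciphers(server_conf) if c in client]


# Constructed samples: hook lines as posted, before and after the fix.
SCRIPT_CONF_BEFORE = """
# Easy-TLS script configuration
tls-crypt-v2-verify '/etc/openvpn/easy-rsa/easytls-cryptv2-verify.sh -l=/etc/openvpn/easy-rsa/easytls-cryptv2-verify.vars -c=/etc/openvpn/easy-rsa/pki'
client-connect '/etc/openvpn/easy-rsa/easytls-client-connect.sh -v -l=/etc/openvpn/easy-rsa/easytls-client-connect.vars -a'
client-disconnect '/etc/openvpn/easy-rsa/easytls-client-disconnect.sh -v -l=/etc/openvpn/easy-rsa/easytls-client-disconnect.vars'
"""
SCRIPT_CONF_AFTER = SCRIPT_CONF_BEFORE.replace(" -l=", " -s=")

# Constructed samples: a server/client pair with no cipher in common, and the
# matching pair from the fix above.
SERVER_MISMATCH = "cipher AES-256-CTR\n"
CLIENT_MISMATCH = "data-ciphers AES-256-GCM:AES-128-GCM\n"
SERVER_FIXED = "cipher 'AES-256-CTR'\ndata-ciphers-fallback 'AES-256-CBC'\n"
CLIENT_FIXED = "data-ciphers AES-256-CTR:AES-256-GCM\n"

if __name__ == "__main__":
    print("hooks before fix:", lint_script_hooks(SCRIPT_CONF_BEFORE))
    print("hooks after fix: ", lint_script_hooks(SCRIPT_CONF_AFTER))
    print("common (mismatch):", common_ciphers(SERVER_MISMATCH, CLIENT_MISMATCH))
    print("common (fixed):   ", common_ciphers(SERVER_FIXED, CLIENT_FIXED))
```

Run it against the real files by reading easytls-script.conf, server.conf and the client .inline file into strings: an empty result from common_ciphers is the condition to fix before looking anywhere else for the HMAC failures, and any finding from lint_script_hooks points at a hook line that will hit error 21 at connect time.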
There is no -l option because it was replaced by the -s option.
I need to update the menu to build that config file.
Testing welcome ;-)
Just cloned from the repo (14/05/2022), working great now. Thank you 😁.
Should I close the issue?
If you are satisfied that things are working the way you expect then this can be closed. If you find new problems then please open more issues here.
Good afternoon,
I'm trying to set up Easy-TLS with OpenVPN, and I'm almost done, but at the end, when the client tries to connect, it gets this error:
Full Initialization Client .inline file
I have installed: OpenVPN 2.5.5-1ubuntu3, Easy-TLS 2.0.8, Easy-RSA 3.0.8-1ubuntu1, OpenSSL 3.0.2-0ubuntu1.1
I'm working on Ubuntu 22.04 LTS.
And this is the error from the server:
Full Initialization
From what I have read inside easytls-client-connect.sh, I'm getting error 21 with an error about "-l", and it says:
But I just executed ./easytls script and left everything at the defaults. This is my easytls-script.conf, but I think it is okay. And this is my easytls-client-connect.vars
Issue #233 seems to have a similar problem to mine, but on Windows 10.
What can cause this error and what can I do to solve it? Do you need my server.conf? If you need me to provide something more I will do it.
Some months back I already set up OpenVPN 2.5.5 and Easy-TLS 2.0.6 successfully, and it is still working today, but I do not know how to solve the problem I'm having now. Greetings.