Hello,
I'm trying to set up an OpenVPN Access Server with the linuxserver.io Docker image.
I used the following guide:
https://docs.linuxserver.io/images/docker-openvpn-as
I could log in to the admin panel and download the config file via the browser.
When I try to connect I get the following error:
TLS Error: cannot locate HMAC in incoming packet from [AF_INET]my.ip.address:1194
Does anyone know why I can't connect?
Thanks for your help!
My Server config:
# OpenVPN AS 1.1 configuration file

# NOTE: The ~ symbol used below expands to the directory that
# the configuration file is saved in

# remove for production
DEBUG=false

# enable AS Connect functionality
AS_CONNECT=true

# temporary directory
tmp_dir=/openvpn/tmp

lic.dir=~/licenses

# run_start retries
run_start_retry.give_up=60
run_start_retry.resample=10

# enable client gateway
sa.show_c2s_routes=true

# certificates database
certs_db=sqlite:///~/db/certs.db

# user properties DB
user_prop_db=sqlite:///~/db/userprop.db

# configuration DB
config_db=sqlite:///~/db/config.db

# configuration DB Local
config_db_local=sqlite:///~/db/config_local.db

# cluster DB
cluster_db=sqlite:///~/db/cluster.db

# notification DB
notification_db=sqlite:///~/db/notification.db

# log DB
log_db=sqlite:///~/db/log.db

# wait this many seconds between failed retries
db_retry.interval=1

# how many retries to attempt before failing
db_retry.n_attempts=6

# On startup, wait up to n seconds for DB files to become
# available if they do not yet exist. This is generally
# only useful on secondary nodes used for standby purposes.
db_startup_wait=

# Node type: PRIMARY|SECONDARY. Defaults to PRIMARY.
node_type=

# bootstrap authentication via PAM -- allows
# admin to log into web UI before authentication
# system has been configured. Configure PAM users
# allowed to access via the bootstrap auth mechanism.
boot_pam_service=openvpnas
boot_pam_users.0=admin
boot_pam_users.1=
boot_pam_users.2=
boot_pam_users.3=
boot_pam_users.4=

# System users that are allowed to access the server agent XML API.
# The user that the web server will run as should be in this list.
system_users_local.0=root
system_users_local.1=abc

# The user/group that the web server will run as
cs.user=abc
cs.group=abc

# socket directory
general.sock_dir=/openvpn/sock

# path to linux openvpn executable
# if undefined, find openvpn on the PATH
General.openvpn_exe_path=

# source directory for OpenVPN Windows executable
# (Must have been built with MultiFileExtract)
sa.win_exe_dir=~/exe

# The company name will be shown in the UI
sa.company_name=Access Server

# server agent socket
sa.sock=/openvpn/sock/sagent

# If enabled, automatically generate a client configuration
# when a client logs into the site and successfully authenticates
cs.auto_generate=true

# files for web server (PEM format)
cs.ca_bundle=~/web-ssl/ca.crt
cs.priv_key=~/web-ssl/server.key
cs.cert=~/web-ssl/server.crt

# web server will use three consecutive ports starting at this
# address, for use with the OpenVPN port share feature
cs.dynamic_port_base=870

# which service groups should be started during
# server agent initialization
sa.initial_run_groups.0=web_group
#sa.initial_run_groups.1=openvpn_group

# use this twisted reactor
sa.reactor=epoll

# The unit number of this particular AS configuration.
# Normally set to 0. If you have multiple, independent AS instances
# running on the same machine, each should have a unique unit number.
sa.unit=0

# If true, open up web ports on the firewall using iptables
iptables.web=true

vpn.server.user=abc
vpn.server.group=abc
My Client config:
# Automatically generated OpenVPN client config file
# Generated on Sat Sep 19 16:15:16 2020 by ab3b26e8947e

# Default Cipher
cipher AES-256-CBC

# Note: this config file contains inline private keys
#       and therefore should be kept confidential!

# Note: this configuration is user-locked to the username below
# OVPN_ACCESS_SERVER_USERNAME=XXX

# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=XXX@vpn.XXX.com

# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=vpn.XXX.com:9443
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
# XXX
# -----END CERTIFICATE-----
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote XXX.com 1194 udp
remote XXX.com 1194 udp
remote XXX.com 9443 tcp
remote XXX.com 1194 udp
remote XXX.com 1194 udp
remote XXX.com 1194 udp
remote XXX.com 1194 udp
remote XXX.com 1194 udp
dev tun
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 0
rcvbuf 0
auth-user-pass

# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
<ca>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
XXX
-----END PRIVATE KEY-----
</key>
verb 3
setenv PUSH_PEER_INFO

key-direction 1
# 2048 bit OpenVPN static key (Server Agent)
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
XXX
-----END OpenVPN Static key V1-----
</tls-auth>

## -----BEGIN RSA SIGNATURE-----
## DIGEST:sha256
## XXX
## -----END RSA SIGNATURE-----
## -----BEGIN CERTIFICATE-----
## XXX
## -----END CERTIFICATE-----
## -----BEGIN CERTIFICATE-----
## XXX
## -----END CERTIFICATE-----
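Added example (not from the post, OpenVPN, or the linuxserver.io image): what the client is actually checking when it prints "cannot locate HMAC in incoming packet". The profile above carries a `<tls-auth>` static key with `key-direction 1`; every control-channel packet on the wire is `opcode/key_id (1) | session_id (8) | HMAC | packet_id (4) | time (4) | payload`, and the HMAC is computed over `packet_id | time | opcode | session_id | payload` with the HMAC half of one of the two 64+64-byte key slots in the 256-byte static key. Direction 0 (the server) sends with slot 0 and verifies with slot 1; direction 1 (the client) does the inverse. A packet from the server address that does not verify under the client's receive key is logged with exactly that message and dropped, so the message is produced by a different static key on the two ends, the same key-direction on both ends, or something other than the expected OpenVPN instance answering on that port. The script below rebuilds the wire format in plain Python so each case can be seen; the static key is generated from a seed for the example (a real key comes from `openvpn --genkey`), the digest is assumed to be SHA1 because the profile sets no `auth` directive, and the session id and timestamp are constructed values.

```python
"""Re-implementation of OpenVPN's tls-auth control-channel HMAC check (example code)."""
import hashlib
import hmac
import re
import struct

DIGEST = "sha1"               # OpenVPN's default --auth digest; the profile above sets none
KEY_SLOT = 64                 # MAX_CIPHER_KEY_LENGTH == MAX_HMAC_KEY_LENGTH == 64 bytes
STATIC_KEY_BYTES = 256        # "2048 bit OpenVPN static key": two slots of cipher(64)+hmac(64)
SESSION_ID_LEN = 8
PACKET_ID_LEN = 8             # tls-auth uses the long form: 4-byte id + 4-byte time
P_CONTROL_HARD_RESET_SERVER_V2 = 8   # opcode of the first packet a server sends back

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"


def make_constructed_key(seed: str) -> str:
    """Derive a deterministic 256-byte key and render it in static-key-V1 format.
    Constructed for this example only; real keys come from `openvpn --genkey`."""
    raw = b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(8))
    lines = [raw[i:i + 16].hex() for i in range(0, len(raw), 16)]
    return BEGIN + "\n" + "\n".join(lines) + "\n" + END + "\n"


def parse_static_key(text: str) -> bytes:
    """Extract the hex body of a <tls-auth> block and check its length."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    if not m:
        raise ValueError("no OpenVPN static key block found")
    key = bytes.fromhex("".join(m.group(1).split()))
    if len(key) != STATIC_KEY_BYTES:
        raise ValueError(f"static key is {len(key)} bytes, expected {STATIC_KEY_BYTES}")
    return key


def hmac_key(static_key: bytes, slot: int, digest: str = DIGEST) -> bytes:
    """keys[slot].hmac, truncated to the digest length (what init_key_ctx uses)."""
    start = slot * 2 * KEY_SLOT + KEY_SLOT
    return static_key[start:start + hashlib.new(digest).digest_size]


def direction_keys(static_key: bytes, direction: int, digest: str = DIGEST):
    """Return (send_hmac_key, recv_hmac_key) for key-direction 0 or 1."""
    out_slot, in_slot = (0, 1) if direction == 0 else (1, 0)
    return hmac_key(static_key, out_slot, digest), hmac_key(static_key, in_slot, digest)


def seal_control_packet(opcode, key_id, session_id, packet_id, net_time, payload, send_key, digest=DIGEST):
    """Build opcode|sid|HMAC|pid|time|payload; HMAC covers pid|time|opcode|sid|payload."""
    head = bytes([(opcode << 3) | key_id]) + session_id
    pid = struct.pack("!II", packet_id, net_time)
    mac = hmac.new(send_key, pid + head + payload, digest).digest()
    return head + mac + pid + payload


def open_control_packet(packet, recv_key, digest=DIGEST):
    """Verify the tls-auth HMAC; None is the 'cannot locate HMAC' outcome (packet dropped)."""
    hlen = hashlib.new(digest).digest_size
    fixed = 1 + SESSION_ID_LEN + hlen + PACKET_ID_LEN
    if len(packet) < fixed:
        return None
    head = packet[:1 + SESSION_ID_LEN]
    mac = packet[1 + SESSION_ID_LEN:1 + SESSION_ID_LEN + hlen]
    pid = packet[1 + SESSION_ID_LEN + hlen:fixed]
    payload = packet[fixed:]
    expected = hmac.new(recv_key, pid + head + payload, digest).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


def demo():
    """Server replies to a client; show which misconfigurations make the reply unverifiable."""
    profile_key = parse_static_key(make_constructed_key("this-profile"))     # constructed
    other_key = parse_static_key(make_constructed_key("some-other-server"))  # constructed
    srv_send, _ = direction_keys(profile_key, 0)        # server: key-direction 0
    cli_send, cli_recv = direction_keys(profile_key, 1)  # client: key-direction 1, as in the profile
    other_send, _ = direction_keys(other_key, 0)
    sid, pid, when = b"\x01\x02\x03\x04\x05\x06\x07\x08", 1, 1600531200  # constructed values

    def reply(send_key):
        return seal_control_packet(P_CONTROL_HARD_RESET_SERVER_V2, 0, sid, pid, when, b"", send_key)

    return {
        "same_key_opposite_direction": open_control_packet(reply(srv_send), cli_recv) is not None,
        "different_static_key": open_control_packet(reply(other_send), cli_recv) is not None,
        "same_direction_both_ends": open_control_packet(reply(cli_send), cli_recv) is not None,
    }


if __name__ == "__main__":
    for case, verified in demo().items():
        print(f"{case}: {'HMAC ok' if verified else 'cannot locate HMAC'}")
```

The useful check to run against a real profile is `parse_static_key` on the `<tls-auth>` block (it must decode to exactly 256 bytes) together with the `key-direction` line: the server side must hold the identical key with the complementary direction, and whatever answers on the port named in the error must be that server.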