Can't Connect to openvpn-as

Hello,

I’m trying to set up an OpenVPN Access Server with the linuxserver.io docker image.
I used the following guide:
https://docs.linuxserver.io/images/docker-openvpn-as

I could log in to the admin panel and download the config file via browser.
When I try to connect I get the following error:

TLS Error: cannot locate HMAC in incoming packet from [AF_INET]my.ip.address:1194

Does anyone know why I can’t connect?

Thanks for your help!

My Server config:

# OpenVPN AS 1.1 configuration file

# NOTE: The ~ symbol used below expands to the directory that
# the configuration file is saved in

# remove for production
DEBUG=false

# enable AS Connect functionality
AS_CONNECT=true

# temporary directory
tmp_dir=/openvpn/tmp

lic.dir=~/licenses

# run_start retries
run_start_retry.give_up=60
run_start_retry.resample=10

# enable client gateway
sa.show_c2s_routes=true

# certificates database
certs_db=sqlite:///~/db/certs.db

# user properties DB
user_prop_db=sqlite:///~/db/userprop.db

# configuration DB
config_db=sqlite:///~/db/config.db

# configuration DB Local
config_db_local=sqlite:///~/db/config_local.db

# cluster DB
cluster_db=sqlite:///~/db/cluster.db

# notification DB
notification_db=sqlite:///~/db/notification.db

# log DB
log_db=sqlite:///~/db/log.db

# wait this many seconds between failed retries
db_retry.interval=1

# how many retries to attempt before failing
db_retry.n_attempts=6

# On startup, wait up to n seconds for DB files to become
# available if they do not yet exist. This is generally
# only useful on secondary nodes used for standby purposes.
db_startup_wait=

# Node type: PRIMARY|SECONDARY. Defaults to PRIMARY.
node_type=

# bootstrap authentication via PAM – allows
# admin to log into web UI before authentication
# system has been configured. Configure PAM users
# allowed to access via the bootstrap auth mechanism.
boot_pam_service=openvpnas
boot_pam_users.0=admin
boot_pam_users.1=
boot_pam_users.2=
boot_pam_users.3=
boot_pam_users.4=

# System users that are allowed to access the server agent XML API.
# The user that the web server will run as should be in this list.
system_users_local.0=root
system_users_local.1=abc

# The user/group that the web server will run as
cs.user=abc
cs.group=abc

# socket directory
general.sock_dir=/openvpn/sock

# path to linux openvpn executable
# if undefined, find openvpn on the PATH
General.openvpn_exe_path=

# source directory for OpenVPN Windows executable
# (Must have been built with MultiFileExtract)
sa.win_exe_dir=~/exe

# The company name will be shown in the UI
sa.company_name=Access Server

# server agent socket
sa.sock=/openvpn/sock/sagent

# If enabled, automatically generate a client configuration
# when a client logs into the site and successfully authenticates
cs.auto_generate=true

# files for web server (PEM format)
cs.ca_bundle=~/web-ssl/ca.crt
cs.priv_key=~/web-ssl/server.key
cs.cert=~/web-ssl/server.crt

# web server will use three consecutive ports starting at this
# address, for use with the OpenVPN port share feature
cs.dynamic_port_base=870

# which service groups should be started during
# server agent initialization
sa.initial_run_groups.0=web_group
#sa.initial_run_groups.1=openvpn_group

# use this twisted reactor
sa.reactor=epoll

# The unit number of this particular AS configuration.
# Normally set to 0. If you have multiple, independent AS instances
# running on the same machine, each should have a unique unit number.
sa.unit=0

# If true, open up web ports on the firewall using iptables
iptables.web=true

vpn.server.user=abc
vpn.server.group=abc

My Client config:

# Automatically generated OpenVPN client config file
# Generated on Sat Sep 19 16:15:16 2020 by ab3b26e8947e

# Default Cipher
cipher AES-256-CBC

# Note: this config file contains inline private keys
# and therefore should be kept confidential!

# Note: this configuration is user-locked to the username below
OVPN_ACCESS_SERVER_USERNAME=XXX

# Define the profile name of this particular configuration file
OVPN_ACCESS_SERVER_PROFILE=XXX@vpn.XXX.com
OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False
OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=False
OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
OVPN_ACCESS_SERVER_WSHOST=vpn.XXX.com:9443
OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1

setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote XXX.com 1194 udp
remote XXX.com 1194 udp
remote XXX.com 9443 tcp
remote XXX.com 1194 udp
remote XXX.com 1194 udp
remote XXX.com 1194 udp
remote XXX.com 1194 udp
remote XXX.com 1194 udp
dev tun
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 0
rcvbuf 0
auth-user-pass

# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO

-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
XXX
-----END PRIVATE KEY-----

key-direction 1

# 2048 bit OpenVPN static key (Server Agent)

-----BEGIN OpenVPN Static key V1-----
XXX
-----END OpenVPN Static key V1-----

-----BEGIN RSA SIGNATURE-----

DIGEST:sha256

XXX

-----END RSA SIGNATURE-----

-----BEGIN CERTIFICATE-----

XXX

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

XXX

-----END CERTIFICATE-----

Take a look at
https://www.digitalocean.com/community/questions/help-with-the-following-error-tls-error-cannot-locate-hmac-in-incoming-packet-from-af_inet