HMAC key (ta.key) not working with PKCS11

vpn-usr

Post by vpn-usr » Mon Dec 23, 2019 5:25 am
When I try to use tls-auth on the client (pointing it to a ta.key file), my OpenVPN server logs say:
Dec 22 18:18:26 ... ovpn-server[31133]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]<ip>:63448
Dec 22 18:18:28 ... ovpn-server[31133]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]<ip>:63448
Dec 22 18:18:32 ... ovpn-server[31133]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]<ip>:63448
I've attached an image of my client config. It behaves this way whether I set the Direction as "Default" or as "1".

On my server.conf file, I have:
tls-auth /etc/openvpn/tls/ta.key 0 # This file is secret
If I manually open the connection file generated by Viscosity at ~/Library/Application\ Support/Viscosity/1/config.conf, I see:
tls-auth ~/client-configs/files/ta.key
I've verified the shasums of the ta.key files are the same on the client and server. The only other variable here is that I'm using PKCS11 for this connection (connecting with a Yubikey). The PKCS11 connection works when I remove the tls-auth requirement (when I use the newest beta version of Viscosity, PKCS11 works).

Any ideas? Thanks!
Attachments
Screen Shot 2019-12-22 at 1.20.15 PM.png

James

Post by James » Fri Jan 03, 2020 9:52 pm
Hi vpn-usr,
If I manually open the connection file generated by Viscosity at ~/Library/Application\ Support/Viscosity/1/config.conf, I see:
tls-auth ~/client-configs/files/ta.key
This may be the problem: Viscosity should store its own copy of the file in your connection's profile directory. However, the path in your configuration file seems to indicate it may have been modified by hand with a custom path. I recommend editing your connection in Viscosity, clicking the "Clear" button next to the existing TLS-Auth file, and then clicking "Select..." to select the file to use. Click Save and try connecting. This ensures that the path and associated permissions are correct.
Dec 22 18:18:32 ... ovpn-server[31133]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]<ip>:63448
This error indicates that there is no TLS-Auth signature in the packet sent from the client. This likely means that the TLS-Auth file isn't being used in this case (as you've checked the direction).

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
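The checks discussed in this thread (does the client's tls-auth path actually resolve, is the file a valid OpenVPN static key, do both ends hold the same key, and do the key directions pair up as server 0 / client 1 or neither) can be run in one place before blaming the PKCS11 side. The script below is an added example, not Viscosity's or OpenVPN's own code. It assumes plain `tls-auth <file> [direction]` directives or an inline `<tls-auth>` block with `key-direction`, and a key in the "OpenVPN Static key V1" format that `openvpn --genkey --secret ta.key` produces (256 bytes of key material). The sample configs and the key material are constructed for the demo; the function names are the example's own.

```python
"""Check that the tls-auth setup on an OpenVPN client and server agree.

Added example (not Viscosity's or OpenVPN's code). Assumptions: plain
`tls-auth <file> [direction]` directives or an inline <tls-auth> block plus
`key-direction`; a ta.key in "OpenVPN Static key V1" format (256 key bytes).
"""
import hashlib
import os
import re
import shlex
import tempfile

KEY_BEGIN = "-----BEGIN OpenVPN Static key V1-----"
KEY_END = "-----END OpenVPN Static key V1-----"


def parse_tls_auth(config_text):
    """Return (expanded_path, direction) from a `tls-auth` line, or None.
    direction is None when omitted, i.e. the key is used bidirectionally."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] != "tls-auth":
            continue
        path = os.path.expanduser(parts[1])  # a hand-edited "~" path is expanded
        direction = int(parts[2]) if len(parts) > 2 else None
        return path, direction
    return None


def key_fingerprint(key_text):
    """SHA-256 over the decoded key bytes between the BEGIN/END markers, so
    the same key compares equal regardless of comments or line endings."""
    lines = [l.strip() for l in key_text.splitlines()]
    if KEY_BEGIN not in lines or KEY_END not in lines:
        raise ValueError("not an OpenVPN Static key V1 file")
    body = "".join(lines[lines.index(KEY_BEGIN) + 1:lines.index(KEY_END)])
    raw = bytes.fromhex(body)
    if len(raw) != 256:
        raise ValueError(f"expected 256 bytes of key material, got {len(raw)}")
    return hashlib.sha256(raw).hexdigest()


def load_tls_auth(config_text):
    """Resolve one side's tls-auth key: inline block first, then file path."""
    info = {"present": False, "path": None, "direction": None,
            "fingerprint": None, "error": None}
    inline = re.search(r"<tls-auth>(.*?)</tls-auth>", config_text, re.S)
    if inline:
        info["present"] = True
        kd = re.search(r"^\s*key-direction\s+(\d)", config_text, re.M)
        info["direction"] = int(kd.group(1)) if kd else None
        try:
            info["fingerprint"] = key_fingerprint(inline.group(1))
        except ValueError as e:
            info["error"] = str(e)
        return info
    parsed = parse_tls_auth(config_text)
    if parsed is None:
        return info
    info["present"] = True
    info["path"], info["direction"] = parsed
    try:
        with open(info["path"]) as f:
            info["fingerprint"] = key_fingerprint(f.read())
    except OSError as e:
        info["error"] = f"cannot read key file: {e}"
    except ValueError as e:
        info["error"] = str(e)
    return info


def diagnose(server_cfg, client_cfg):
    """Return a list of tls-auth disagreements between the two configs."""
    s, c = load_tls_auth(server_cfg), load_tls_auth(client_cfg)
    problems = []
    if s["present"] and not c["present"]:
        problems.append("server requires tls-auth but client config has none")
    if c["present"] and not s["present"]:
        problems.append("client uses tls-auth but server config has none")
    for side, info in (("server", s), ("client", c)):
        if info["error"]:
            problems.append(f"{side}: {info['error']}")
    if s["fingerprint"] and c["fingerprint"] and s["fingerprint"] != c["fingerprint"]:
        problems.append("ta.key differs between server and client")
    if s["present"] and c["present"]:
        sd, cd = s["direction"], c["direction"]
        # Directional use must be mirrored (0 on one side, 1 on the other);
        # a bidirectional key (no direction) must be bidirectional on both.
        if (sd is None) != (cd is None) or (sd is not None and sd == cd):
            problems.append(f"key direction mismatch: server={sd} client={cd} "
                            "(expected server 0 / client 1, or neither)")
    return problems


def make_demo_key():
    """Constructed key in ta.key layout (16 hex lines of 16 bytes). NOT a real key."""
    material = bytes(range(256))
    lines = [material[i:i + 16].hex() for i in range(0, 256, 16)]
    return ("#\n# 2048 bit OpenVPN static key\n#\n" + KEY_BEGIN + "\n"
            + "\n".join(lines) + "\n" + KEY_END + "\n")


def run_demo():
    """Constructed scenarios mirroring the thread; returns name -> problems."""
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "ta.key")
        with open(key_path, "w") as f:
            f.write(make_demo_key())
        server = f"tls-auth {key_path} 0 # This file is secret\n"
        good_client = f"client\ntls-auth {key_path} 1\n"
        missing_client = f"client\ntls-auth {tmp}/client-configs/files/ta.key 1\n"
        no_dir_client = f"client\ntls-auth {key_path}\n"
        inline_client = f"client\nkey-direction 1\n<tls-auth>\n{make_demo_key()}</tls-auth>\n"
        return {
            "good": diagnose(server, good_client),
            "missing_file": diagnose(server, missing_client),
            "no_direction": diagnose(server, no_dir_client),
            "inline": diagnose(server, inline_client),
        }


if __name__ == "__main__":
    for name, probs in run_demo().items():
        print(name, "->", probs or "OK")
```

In practice you would feed `diagnose()` the real server.conf and the connection file Viscosity generated (the `config.conf` under the profile directory), run from an account that can read both key files; a "cannot read key file" result is the case James describes, where the client is not applying tls-auth at all and the server logs "cannot locate HMAC".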