HMAC key (ta.key) not working with PKCS11
When I try to use tls-auth on the client (pointing it to a ta.key file), my OpenVPN server logs say:

Dec 22 18:18:26 ... ovpn-server[31133]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]<ip>:63448
Dec 22 18:18:28 ... ovpn-server[31133]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]<ip>:63448
Dec 22 18:18:32 ... ovpn-server[31133]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]<ip>:63448

I've attached an image of my client config. It behaves this way whether I set the Direction as "Default" or as "1".

On my server.conf file, I have:

tls-auth /etc/openvpn/tls/ta.key 0 # This file is secret

If I manually open the connection file generated by Viscosity at ~/Library/Application\ Support/Viscosity/1/config.conf, I see:

tls-auth ~/client-configs/files/ta.key

I've verified the shasums of the ta.key files are the same on the client and server. The only other variable here is that I'm using PKCS11 for this connection (connecting with a Yubikey). The PKCS11 connection works when I remove the tls-auth requirement (when I use the newest beta version of Viscosity, PKCS11 works).

Any ideas? Thanks!
Attachment: Screen Shot 2019-12-22 at 1.20.15 PM.png
Hi vpn-usr,

> If I manually open the connection file generated by Viscosity at ~/Library/Application\ Support/Viscosity/1/config.conf, I see:
> tls-auth ~/client-configs/files/ta.key

This may be the problem: Viscosity should store its own copy of the file in your connection's profile directory. However, the path in your configuration file seems to indicate it may have been modified by hand with a custom path. I recommend editing your connection in Viscosity, clicking the "Clear" button next to the existing TLS-Auth file, and then clicking "Select..." to select the file to use. Click Save and try connecting. This ensures that the path and associated permissions are correct.

> Dec 22 18:18:32 ... ovpn-server[31133]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]<ip>:63448

This error indicates that there is no TLS-Auth signature in the packet sent from the client. This likely means that the TLS-Auth file isn't being used in this case (as you've checked the direction).

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
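
The checks discussed in this thread (tls-auth present on both sides, complementary directions, a key file the client can actually read), as an added example that is not part of either post and is not Viscosity or OpenVPN code. The function names are hypothetical, the two config strings are constructed from the lines quoted above, and the `~` check assumes the path is used literally with no shell-style expansion.

```python
import os
import shlex
from pathlib import Path

# Constructed inputs: the two tls-auth lines are the ones quoted in the thread.
SERVER_CONF = "tls-auth /etc/openvpn/tls/ta.key 0 # This file is secret\n"
CLIENT_CONF = "tls-auth ~/client-configs/files/ta.key\n"

def tls_auth(config_text):
    """Return (key_path, direction); either is None when not configured."""
    path = direction = None
    for line in config_text.splitlines():
        if line.lstrip().startswith(";"):
            continue  # ';' starts a comment line
        words = shlex.split(line, comments=True)  # drops a trailing '# ...'
        if words[:1] == ["tls-auth"] and len(words) >= 2:
            path = words[1]
            direction = words[2] if len(words) >= 3 else direction
        elif words[:1] == ["key-direction"] and len(words) >= 2:
            direction = words[1]
    return path, direction

def compare(server_text, client_text):
    """List tls-auth mismatches between a server and a client config."""
    (s_path, s_dir), (c_path, c_dir) = tls_auth(server_text), tls_auth(client_text)
    problems = []
    if bool(s_path) != bool(c_path):
        problems.append("tls-auth is enabled on only one side")
    elif s_path and {s_dir, c_dir} not in ({"0", "1"}, {None}):
        problems.append(f"direction mismatch: server={s_dir} client={c_dir}")
    return problems

def key_file_problem(path):
    """Check a key file on the machine that owns the config; None means usable."""
    if path.startswith("~"):
        # Assumption: the path is taken literally, with no shell-style ~ expansion.
        return "path depends on ~ expansion"
    p = Path(path)
    if not p.is_file() or not os.access(p, os.R_OK):
        return "missing or unreadable"
    if "BEGIN OpenVPN Static key V1" not in p.read_text(errors="replace"):
        return "not an OpenVPN static key file"
    return None

if __name__ == "__main__":
    print(compare(SERVER_CONF, CLIENT_CONF))
    print(key_file_problem(tls_auth(CLIENT_CONF)[0]))
```

Run `compare` on the two config texts anywhere; run `key_file_problem` on the machine that owns the config, since it reads the local filesystem.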