Comments (16)

TinCanTech commented on June 3, 2024

Testing welcome ;-)

from easy-tls.

Hylosium commented on June 3, 2024

Just cloned from the repo (14/05/2022), working great now. Thank you 😁.

Should I close the issue?

TinCanTech commented on June 3, 2024

Error number 21 means there is an options error in your EasyTLS Server config file.

Please post the command which you use to call the client connect script.

Hylosium commented on June 3, 2024

I use this line inside server.conf to call the easytls-script.conf

config /etc/openvpn/easy-rsa/easytls-script.conf

This is my server.conf, just in case I'll post it also.

I think I do not use any command made by me, but inside easytls-script.conf the client-connect script is called with

client-connect '/etc/openvpn/easy-rsa/easytls-client-connect.sh -v -l=/etc/openvpn/easy-rsa/easytls-client-connect.vars -M'

Or what do you need me to post?
Thank you for that fast response.

TinCanTech commented on June 3, 2024

Your command needs some options.

The simplest option is to use the -s and then get easytls-client-connect.vars from the repo.

TinCanTech commented on June 3, 2024

I shall prepare a wiki because this is not well documented.

TinCanTech commented on June 3, 2024

OpenVPN/easy-rsa#560

Hylosium commented on June 3, 2024

Oh, okay, so the other solution would be downgrading to openssl 1.1.1 or installing it alongside the 3.0 version?

But, with the -s option how should I add it to the command? Like this client-connect /etc/openvpn/easy-rsa/easytls-client-connect.sh -s =/etc/openvpn/easy-rsa/easytls-client-connect.vars -M ?

(It was not my intention to close the issue, it's just that the buttons are too close)

TinCanTech commented on June 3, 2024

To use -s like so, in your OpenVPN server config or Easy-TLS server config:

client-connect /etc/openvpn/easy-rsa/easytls-client-connect.sh -s

The -s will then load the default vars file for --client-connect or fail.

Hylosium commented on June 3, 2024

Good afternoon,

I tried with the -s option, but I'm just getting flooded with this text over and over in the logs:
Full log of my server

2022-05-09 22:56:07 myclient1/185.44.147.181:63552 Authenticate/Decrypt packet error: packet HMAC authentication failed
2022-05-09 22:56:07 myclient1/185.44.147.181:63552 Authenticate/Decrypt packet error: packet HMAC authentication failed

As they say on OpenVPN/easy-rsa#560 (one link they posted), I will try to build OpenVPN with OpenSSL 1.1.1 or use another OS with a lower version of OpenSSL and start from scratch.

Thanks, will update this issue with what I've done, maybe it can help someone else.

TinCanTech commented on June 3, 2024

You don't need to build openvpn, all you need is the correct settings.

Hylosium commented on June 3, 2024

You don't need to build openvpn, all you need is the correct settings.

But which ones? You mean correcting options from openvpn? From easy-rsa or from easy-tls?

I already tried using -s, but even though the client now connects to the server, it gives another error.

Or what do you mean with correct settings?

TinCanTech commented on June 3, 2024

You are using option -s with no parameter, which means EasyTLS client-connect will source the default vars-file, easytls-client-connect.vars, or fail to load.

Now all you need to do is edit the vars file with your settings.

Hylosium commented on June 3, 2024

You are using option -s with no parameter, which means EasyTLS client-connect will source the default vars-file, easytls-client-connect.vars, or fail to load.

Now all you need to do is edit the vars file with your settings.

Solved

Thank you very much, the option was quite helpful; in the end I did not edit the easytls-client-connect.vars nor build my own openvpn.
I've been reading through the script easytls-client-connect.sh and I have learned that you can also use -s to reference the source path of the easytls-client-connect.vars.

In the end, I solved the first error, about the "Unknown option: -l", by changing -l to -s.
So now my easytls-script.conf looks like this.

#Easy-TLS script configuration

tmp-dir '/tmp'

tls-export-cert '/tmp'

#If your clients have username/password then set this to level 3
script-security 2

tls-crypt-v2-verify '/etc/openvpn/easy-rsa/easytls-cryptv2-verify.sh -s=/etc/openvpn/easy-rsa/easytls-cryptv2-verify.vars -c=/etc/openvpn/easy-rsa/pki'

client-connect '/etc/openvpn/easy-rsa/easytls-client-connect.sh -v -s=/etc/openvpn/easy-rsa/easytls-client-connect.vars -a'
client-disconnect '/etc/openvpn/easy-rsa/easytls-client-disconnect.sh -v -s=/etc/openvpn/easy-rsa/easytls-client-disconnect.vars'

Before the code lines were like:

tls-crypt-v2-verify '/etc/openvpn/easy-rsa/easytls-cryptv2-verify.sh -l=/etc/openvpn/easy-rsa/easytls-cryptv2-verify.vars -c=/etc/openvpn/easy-rsa/pki'

client-connect '/etc/openvpn/easy-rsa/easytls-client-connect.sh -v -l=/etc/openvpn/easy-rsa/easytls-client-connect.vars -a'
client-disconnect '/etc/openvpn/easy-rsa/easytls-client-disconnect.sh -v -l=/etc/openvpn/easy-rsa/easytls-client-disconnect.vars'

As you can see I also changed it for client-disconnect and tls-crypt-v2-verify.
tls-crypt-v2-verify did not give me any error when using -l, but client-disconnect was giving me the same error 21 - USER ERROR Disallow connection, options error. so I decided to change both. But I do not understand what the -l option is for, could you explain it to me please?

This is what these other options mean, I post it just in case someone has the same error and needs a bit of info.

-s : You can either specify a path or leave it empty and it will load a default config.
-c : Specify CA directory.
-v : Verbose option, gives more info when running.
-a : Allow connection even if the client did not use --push-peer-info

Solution for my second error:

Problem: a bad configuration of the server.conf and client configurations was giving me this error.

Authenticate/Decrypt packet error: packet HMAC authentication failed

Solution: use the same cipher for both server and client configuration. That was my problem, now in my server.conf I added the two lines:
cipher 'AES-256-CTR'
data-ciphers-fallback 'AES-256-CBC'
And in my client configuration (the .inline file) I added this line:
data-ciphers AES-256-CTR:AES-256-GCM
Now it is working correctly, thank you.

If you can reply to me about what the -l option means I would appreciate it, if not I think we can close the issue.

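As an added example (not code from the easy-tls project or this thread), a small POSIX sh lint that flags the retired -l= option on the three Easy-TLS hooks named above and checks that a cipher appears in a colon-separated data-ciphers list, the two mismatches the thread resolves; the sample config is constructed in the style of the easytls-script.conf posted above.

```shell
#!/bin/sh
# Added example, not part of the easy-tls project. Constructed sample in the
# style of the easytls-script.conf posted above, with the old "-l=" form.
SAMPLE_CONF=$(cat <<'EOF'
#Easy-TLS script configuration
script-security 2
tls-crypt-v2-verify '/etc/openvpn/easy-rsa/easytls-cryptv2-verify.sh -s=/etc/openvpn/easy-rsa/easytls-cryptv2-verify.vars -c=/etc/openvpn/easy-rsa/pki'
client-connect '/etc/openvpn/easy-rsa/easytls-client-connect.sh -v -l=/etc/openvpn/easy-rsa/easytls-client-connect.vars -a'
client-disconnect '/etc/openvpn/easy-rsa/easytls-client-disconnect.sh -v -l=/etc/openvpn/easy-rsa/easytls-client-disconnect.vars'
EOF
)
# lint_easytls_conf FILE: print one line per hook that still passes the
# retired -l option (replaced by -s, per the thread); returns 1 if any found.
lint_easytls_conf() {
    file=$1
    found=0
    while IFS= read -r line; do
        case "$line" in
            \#*|'') continue ;;
        esac
        hook=${line%% *}
        case "$hook" in
            tls-crypt-v2-verify|client-connect|client-disconnect) ;;
            *) continue ;;
        esac
        # "-l" only counts as an option when preceded by a space
        case "$line" in
            *" -l="*|*" -l "*|*" -l'"*|*" -l")
                echo "$hook: retired -l option, change it to -s"
                found=1 ;;
        esac
    done < "$file"
    return $found
}

# cipher_in_list CIPHER LIST: true when CIPHER appears in a colon-separated
# data-ciphers list, the server/client agreement the HMAC errors came from.
cipher_in_list() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *) return 1 ;;
    esac
}

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$tmp"
lint_easytls_conf "$tmp" || echo "easytls-script.conf needs updating"
rm -f "$tmp"
cipher_in_list AES-256-CTR AES-256-CTR:AES-256-GCM && echo "client offers AES-256-CTR"
```

Run it against a real easytls-script.conf by pointing lint_easytls_conf at that path instead of the constructed sample.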
TinCanTech commented on June 3, 2024

There is no -l option because it was replaced by the -s option.

I need to update the menu to build that config file.

TinCanTech commented on June 3, 2024

If you are satisfied that things are working the way you expect then this can be closed. If you find new problems then please open more issues here.
