Comments (16)
Testing welcome ;-)
from easy-tls.
Just cloned from the repo (14/05/2022), working greatly now. Thank you 😁.
Should I close the issue?
from easy-tls.
Error number 21 means there is an options error in your EasyTLS Server config file.
Please post the command which you use to call the client connect script.
from easy-tls.
I use this line inside server.conf to call the easytls-script.conf:
config /etc/openvpn/easy-rsa/easytls-script.conf
This is my server.conf; I'll post it also, just in case.
I think I do not use any command made by me, but inside easytls-script.conf the client-connect script is called with:
client-connect '/etc/openvpn/easy-rsa/easytls-client-connect.sh -v -l=/etc/openvpn/easy-rsa/easytls-client-connect.vars -M'
Or what do you need me to post?
Thank you for that fast response.
from easy-tls.
Your command needs some options.
The simplest option is to use the -s and then get easytls-client-connect.vars from the repo.
from easy-tls.
I shall prepare a wiki because this is not well documented.
from easy-tls.
from easy-tls.
Oh, okay. Another solution would be downgrading to OpenSSL 1.1.1 or installing it alongside the 3.0 version?
But with the -s option, how should I add it to the command? Like this?
client-connect /etc/openvpn/easy-rsa/easytls-client-connect.sh -s =/etc/openvpn/easy-rsa/easytls-client-connect.vars -M
(It was not my intention to close the issue, it's just that the buttons are too close.)
from easy-tls.
To use -s, like so, in your OpenVPN server config or Easy-TLS server config:
client-connect /etc/openvpn/easy-rsa/easytls-client-connect.sh -s
The -s will then load the default vars file for --client-connect or fail.
from easy-tls.
Good afternoon,
I tried with the -s option, but I'm just getting flooded with this text over and over in the logs:
Full log of my server
2022-05-09 22:56:07 myclient1/185.44.147.181:63552 Authenticate/Decrypt packet error: packet HMAC authentication failed
2022-05-09 22:56:07 myclient1/185.44.147.181:63552 Authenticate/Decrypt packet error: packet HMAC authentication failed
As they say on OpenVPN/easy-rsa#560 (one link they posted), I will try to build OpenVPN with OpenSSL 1.1.1, or else use another OS with a lower version of OpenSSL and start from scratch.
Thanks, will update this issue with what I've done, maybe it can help someone else.
from easy-tls.
You don't need to build openvpn, all you need is the correct settings.
from easy-tls.
You don't need to build openvpn, all you need is the correct settings.
But which ones? You mean to correct options from OpenVPN? From easy-rsa or from easy-tls?
I already tried using -s, but even though the client now connects to the server, it gives another error.
Or what do you mean with correct settings?
from easy-tls.
You are using option -s with no parameter, which means EasyTLS client-connect will source the default vars-file, easytls-client-connect.vars, or fail to load.
Now all you need to do is edit the vars file with your settings.
from easy-tls.
You are using option -s with no parameter, which means EasyTLS client-connect will source the default vars-file, easytls-client-connect.vars, or fail to load. Now all you need to do is edit the vars file with your settings.
Solved
Really, thank you, the option was quite helpful. In the end I did not edit the easytls-client-connect.vars, nor build my own openvpn.
I've been reading through the script easytls-client-connect.sh and I have learned that you can use -s also to reference the source path of the easytls-client-connect.vars.
In the end, I solved the first error, about the "Unknown option: -l", by changing -l for -s.
So now my easytls-script.conf looks like this:
#Easy-TLS script configuration
tmp-dir '/tmp'
tls-export-cert '/tmp'
#If your clients have username/password then set this to level 3
script-security 2
tls-crypt-v2-verify '/etc/openvpn/easy-rsa/easytls-cryptv2-verify.sh -s=/etc/openvpn/easy-rsa/easytls-cryptv2-verify.vars -c=/etc/openvpn/easy-rsa/pki'
client-connect '/etc/openvpn/easy-rsa/easytls-client-connect.sh -v -s=/etc/openvpn/easy-rsa/easytls-client-connect.vars -a'
client-disconnect '/etc/openvpn/easy-rsa/easytls-client-disconnect.sh -v -s=/etc/openvpn/easy-rsa/easytls-client-disconnect.vars'
Before, the lines were like this:
tls-crypt-v2-verify '/etc/openvpn/easy-rsa/easytls-cryptv2-verify.sh -l=/etc/openvpn/easy-rsa/easytls-cryptv2-verify.vars -c=/etc/openvpn/easy-rsa/pki'
client-connect '/etc/openvpn/easy-rsa/easytls-client-connect.sh -v -l=/etc/openvpn/easy-rsa/easytls-client-connect.vars -a'
client-disconnect '/etc/openvpn/easy-rsa/easytls-client-disconnect.sh -v -l=/etc/openvpn/easy-rsa/easytls-client-disconnect.vars'
As you can see, I also changed it for client-disconnect and tls-crypt-v2-verify.
tls-crypt-v2-verify did not give me any error when using -l, but client-disconnect was giving me the same error, 21 - USER ERROR Disallow connection, options error, so I decided to change both. But I do not understand what the -l option is for; could you explain it to me, please?
This is what these other options mean; I post it just in case someone has the same error and needs a bit of info.
-s: You can either specify a path or leave it empty and it will load a default config.
-c: Specify CA directory.
-v: Verbose option, gives more info when running.
-a: Allow connection even if the client did not use --push-peer-info.
Solution for my second error:
Problem: a bad configuration of the server.conf and of the client configurations was giving me this error:
Authenticate/Decrypt packet error: packet HMAC authentication failed
Solution: use the same cipher for both server and client configuration. That was my problem; now in my server.conf I added these two lines:
cipher 'AES-256-CTR'
data-ciphers-fallback 'AES-256-CBC'
And in my client configuration (the .inline file) I added this line:
data-ciphers AES-256-CTR:AES-256-GCM
Now it is working correctly, thank you.
If you can reply to me about what the -l option means I would appreciate it; if not, I think we can close the issue.
from easy-tls.
There is no -l option because it was replaced by the -s option.
I need to update the menu to build that config file.
from easy-tls.
If you are satisfied that things are working the way you expect then this can be closed. If you find new problems then please open more issues here.
from easy-tls.
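The second error in the thread was fixed by making the server and client data-channel cipher settings agree. The pre-flight check below is an added example, not Easy-TLS project code: it reads `cipher` and `data-ciphers` from both config files and reports the ciphers the two sides can negotiate, using a simplified model of OpenVPN 2.5 negotiation (assumption: when `data-ciphers` is unset, the default list plus any legacy `cipher` value is used; `data-ciphers-fallback` and `ncp-disable` are not modelled). The sample configs are constructed from the lines posted in the thread.

```shell
#!/bin/sh
# Added example (not Easy-TLS code): check that an OpenVPN server config and a
# client config share a data-channel cipher. Simplified model of OpenVPN 2.5
# negotiation (assumption: if --data-ciphers is unset, the default list plus
# any legacy --cipher value is used).
DEFAULT_NCP="AES-256-GCM:AES-128-GCM"
# Value of a directive in a config file, comments stripped and quotes removed.
conf_value() {  # $1 = config file, $2 = directive name
    sed -e 's/[#;].*$//' "$1" | awk -v d="$2" '$1 == d { print $2 }' | tr -d "'\""
}

# Effective --data-ciphers list for one side of the connection.
effective_ciphers() {  # $1 = config file
    list=$(conf_value "$1" data-ciphers)
    legacy=$(conf_value "$1" cipher)
    [ -n "$list" ] || list="$DEFAULT_NCP"
    if [ -n "$legacy" ]; then
        case ":$list:" in *":$legacy:"*) ;; *) list="$list:$legacy" ;; esac
    fi
    printf '%s\n' "$list"
}

# Ciphers present on both sides, colon-separated, in the server's order.
common_ciphers() {  # $1 = server config, $2 = client config
    srv=$(effective_ciphers "$1"); cli=$(effective_ciphers "$2"); out=""
    for c in $(printf '%s\n' "$srv" | tr ':' ' '); do
        case ":$cli:" in *":$c:"*) out="${out:+$out:}$c" ;; esac
    done
    printf '%s\n' "$out"
}

# Human-readable verdict; returns 1 when no cipher can be negotiated.
check_pair() {  # $1 = server config, $2 = client config
    common=$(common_ciphers "$1" "$2")
    if [ -n "$common" ]; then
        echo "OK: $2 can negotiate: $common"
    else
        echo "MISMATCH: $1 and $2 share no data-channel cipher" >&2
        return 1
    fi
}

# Constructed sample configs modelled on the thread's fix, plus a mismatching client.
tmp=$(mktemp -d)
printf "cipher 'AES-256-CTR'\ndata-ciphers-fallback 'AES-256-CBC'\n" > "$tmp/server.conf"
printf 'data-ciphers AES-256-CTR:AES-256-GCM\n' > "$tmp/client.inline"
printf 'data-ciphers AES-256-CBC  # constructed: not offered by the server\n' > "$tmp/bad.inline"
check_pair "$tmp/server.conf" "$tmp/client.inline"
check_pair "$tmp/server.conf" "$tmp/bad.inline" || echo "(exit status 1, as expected)"
```

Run it against your real server.conf and client .inline file instead of the constructed ones to see the shared cipher list before deploying a change.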