New to IPFire and OpenVPN

I have my IPFire set up in a lab within my house. I have IPFire up and running and traffic passing to/from the Internet. I am trying to get OpenVPN working now and am running into these error messages.

Dec 3 10:12:35 ipfire1 openvpnserver[1219]: TLS: Initial packet from [AF_INET], sid=08bd0f1a faa2ee1a
Dec 3 10:12:35 ipfire1 openvpnserver[1219]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Dec 3 10:12:35 ipfire1 openvpnserver[1219]: TLS Error: incoming packet authentication failed from [AF_INET]
Dec 3 10:12:35 ipfire1 openvpnserver[1219]: Fatal TLS error (check_tls_errors_co), restarting
Dec 3 10:12:35 ipfire1 openvpnserver[1219]: SIGUSR1[soft,tls-error] received, client-instance restarting

Can anyone point me to a document/link that shows just how the client *.ovpn configuration file should be?
My client is Windows 11 Pro
OpenVPN client 3.3.6 (2752)
Here is my OpenVPN client configuration file
#OpenVPN Client conf
dev tun
proto tcp
tun-mtu 1400
remote 443
pkcs12 EdmundsonRemote4.p12
cipher AES-256-CBC
auth SHA512
tls-auth ta.key 1
verb 3
remote-cert-tls server
verify-x509-name ipfire1.localdomain name
mssfix 0
auth-token-user USER
auth-token TOTP
auth-retry interact


# 2048 bit OpenVPN static key

-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----

Here is my IPFire OpenVPN server side configuration
#OpenVPN Server conf

daemon openvpnserver
writepid /var/run/
#DAN prepare OpenVPN for listening on blue and orange
dev tun
proto tcp
port 443
script-security 3
ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600
client-config-dir /var/ipfire/ovpn/ccd
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem
tun-mtu 1400
mssfix 0
keepalive 10 60
status-version 1
status /var/run/ovpnserver.log 30
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-auth /var/ipfire/ovpn/certs/ta.key
max-clients 100
tls-verify /usr/lib/openvpn/verify
crl-verify /var/ipfire/ovpn/crls/cacrl.pem
reneg-sec 86400
user nobody
group nobody
verb 3

# Log clients connecting/disconnecting

client-connect "/usr/sbin/openvpn-metrics client-connect"
client-disconnect "/usr/sbin/openvpn-metrics client-disconnect"

# Enable Management Socket

management /var/run/openvpn.sock unix

Please point out what I am missing.
Thanks for the help in advance.

You have this entry in your .ovpn configuration file:

auth-token TOTP

This means that your OpenVPN server expects second-factor authentication, which your client is not providing. The official free software version of the OpenVPN Connect client has no 2FA available on any platform at the moment.

Two solutions: get rid of auth-token-user USER and auth-token TOTP and give up the use of 2FA on the server as well, or install the Windows community edition client, which is the only free software client that has integrated 2FA.

1 Like

First, thank you CFusco. I cleared all the configuration to start over fresh.
I then downloaded OpenVPN-2.5.3 from OpenVPN and installed it on my Windows 10.
I then created a new Certificate Authorities and -Key.
I then created a new Connection Status and -Control connection.
Downloaded the Client Pack.
Created a new directory on my Windows 10 laptop.
Copied all files to the new directory that I just created.
Edited the *.ovpn and modified the pkcs12 and tls-auth lines to include the directory path.
pkcs12 C:\OpenVPN3\RemoteUser4.p12
tls-auth C:\OpenVPN3\ta.key

Imported the configuration from file.
Selected Connect, and yes, I have a VPN connection.

1 Like
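
The following is an added example, not part of the thread and not IPFire or OpenVPN code. It is a small Python check that compares the options an OpenVPN server and client are expected to share (`proto`, `tun-mtu`, `cipher`, `auth`, and the `tls-auth` key direction) and flags relative file paths in the client config, which are resolved against the client's working directory. The `SERVER` and `CLIENT` strings are constructed excerpts modelled on the configurations posted above (`client.p12` is a placeholder name), and all function names are illustrative.

```python
from pathlib import PurePosixPath, PureWindowsPath

# Expected to be identical on both ends; tls-auth HMACs use the `auth` digest.
SHOULD_MATCH = ("proto", "tun-mtu", "cipher", "auth")
FILE_OPTS = ("pkcs12", "tls-auth", "ca", "cert", "key")

def parse(text):
    """Map each directive to the arguments of its first occurrence."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split()
        if parts and parts[0][0] not in "#;":  # skip blank lines and comments
            conf.setdefault(parts[0], parts[1:])
    return conf

def key_direction(conf):
    """Direction from `tls-auth <file> [dir]`, else from `key-direction`."""
    args = conf["tls-auth"]
    return args[1] if len(args) > 1 else (conf.get("key-direction") or [None])[0]

def compare(server_text, client_text):
    srv, cli = parse(server_text), parse(client_text)
    findings = []
    for opt in SHOULD_MATCH:
        s, c = srv.get(opt), cli.get(opt)
        if opt == "proto":  # tcp-server and tcp-client both mean tcp
            s, c = [v and [v[0].split("-")[0]] for v in (s, c)]
        if s != c:
            findings.append(f"{opt}: server={s} client={c}")
    if ("tls-auth" in srv) != ("tls-auth" in cli):
        findings.append("tls-auth: enabled on one side only")
    elif "tls-auth" in srv:
        s_dir, c_dir = key_direction(srv), key_direction(cli)
        # Valid: both sides omit the direction, or one uses 0 and the other 1.
        if {s_dir, c_dir} not in ({None}, {"0", "1"}):
            findings.append(f"tls-auth direction: server={s_dir} client={c_dir}")
    for opt in FILE_OPTS:
        path = (cli.get(opt) or [None])[0]
        if path and path != "[inline]" and not (
                PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()):
            findings.append(f"client {opt}: relative path {path}")
    return findings

# Constructed excerpts modelled on the two configurations in the thread.
SERVER = "proto tcp\ntun-mtu 1400\ncipher AES-256-CBC\nauth SHA512\ntls-auth /var/ipfire/ovpn/certs/ta.key\n"
CLIENT = "proto tcp\ntun-mtu 1400\npkcs12 client.p12\ncipher AES-256-CBC\nauth SHA512\ntls-auth ta.key 1\n"
if __name__ == "__main__":
    print("\n".join(compare(SERVER, CLIENT)))
```

An empty result means the checked options agree; a relative-path finding is only a prompt to confirm the file sits where the client process will look for it.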