[SOLVED] tls-auth issue - "Read error on key file"

Going grey (Junior Member), Sep 2024


    I find myself having to set up a new OpenVPN server. It's been a while since I last had to do this, so I'm slightly rusty and I've gone back to basics; I'm building up my configuration one step at a time, testing connectivity after each change.

    Can I spin up my own CA and get a VPN server and client working with just the certs, keys, and DH parameters? Yes, I can.

    Can I get a VPN server and client working with user authentication? Yes, I can.

    Can I get a VPN server and client working when I add tls-auth into the mix? No, this is where I was tripping up.

    I created the ta.key file using the command shown at https://openvpn.net/community-resources/how-to/ -
    Code:
    openvpn --genkey --secret ta.key
    and copied the file to both the server and client.

    The OpenVPN server is version 2.6.3 running on Raspberry Pi OS on a Raspberry Pi, and installed from the apt repository.

    The server configuration contains this line:

    Code:
    tls-auth /etc/openvpn/server/certs/ta.key 0
    The VPN server's key, all of the certs, and the ta.key file are in /etc/openvpn/server/certs. The owner is root for all files in that directory. The certs are world-readable (644); the keys are owner-only (600).

    The OpenVPN client is version 2.6.12 running on Windows 11.

    The client configuration contains this line:

    Code:
    tls-auth ta.key 1
    The client's private key, all of the certs, and the ta.key file are in the same directory as the .ovpn file.

    If I deliberately comment out the tls-auth line in the server config, the client shows this (expected) error message when trying to connect:

    Code:
    Sun Sep 29 15:12:38 2024 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]<vpn server address>:1194
    If I reinstate the tls-auth line in the server config, the client attempts to connect, sits there for one minute, then shows this:

    Code:
    Sun Sep 29 15:14:19 2024 UDP link remote: [AF_INET]<vpn server address>:1194
    Sun Sep 29 15:15:19 2024 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sun Sep 29 15:15:19 2024 TLS Error: TLS handshake failed
    Sun Sep 29 15:15:19 2024 SIGUSR1[soft,tls-error] received, process restarting
    If I look at the OpenVPN server log file, I see this:

    Code:
    Connection Attempt UDPv4 WRITE [54] to [AF_INET]<vpn client address>:52372: DATA len=54
    Connection Attempt MULTI: multi_create_instance called
    <vpn client address>:52372 Re-using SSL/TLS context
    <vpn client address>:52372 Read error on key file ('/etc/openvpn/server/certs/ta.key')
    <vpn client address>:52372 Exiting due to fatal error
    Googling "Read error on key file" took me to this page - http://www.uno-code.com/issues-with-...cklib-startup/ - whose author found success by changing the owner and group for ta.key to "openvpn". But I don't have an openvpn user or group on my Pi.

    It took embarrassingly long for the penny to drop.

    Later in my server configuration file, I have these two lines:

    Code:
    user nobody
    group nogroup
    The file ta.key is read during the connection attempt, which occurs after the server has started and its privileges have been reduced.

    As soon as I changed the owner/group of ta.key to nobody:nogroup, the VPN client connected.
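The mistake above is easy to repeat because the cert/key files are opened at start-up as root while the tls-auth key is opened again at connect time as the dropped-to user, so start-up looks clean. As an added example (not from the post, and not OpenVPN's own tooling), the POSIX shell script below reads a server config, takes the `user`/`group` it drops to and the files named by tls-auth, tls-crypt, ca, cert, key, dh and crl-verify, and works out from each file's owner, group and mode whether that user could still read it. It assumes GNU or BusyBox `stat -c`, resolves relative paths against the config file's directory, treats a missing `group` directive as staying root, and ignores the target user's supplementary groups (only the configured group counts). The config and key files it is run against in the usage note are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that files an OpenVPN server opens after dropping
# privileges are readable by the "user"/"group" named in its config.
# Assumes `stat -c` (GNU/BusyBox); relative paths are taken relative to the
# config's directory; supplementary groups of the target user are ignored.

# can_read OWNER GROUP MODE USER UGROUP
# Exit 0 if USER (primary group UGROUP) can read a file with that owner,
# group and octal mode, by plain Unix permission rules.
can_read() {
    f_owner=$1; f_group=$2; f_mode=$3; t_user=$4; t_group=$5
    [ "$t_user" = root ] && return 0                # root ignores mode bits
    f_mode=${f_mode#"${f_mode%???}"}                # keep last three octal digits
    if [ "$f_owner" = "$t_user" ]; then
        bits=${f_mode%??}                           # owner digit
    elif [ "$f_group" = "$t_group" ]; then
        bits=${f_mode#?}; bits=${bits%?}            # group digit
    else
        bits=${f_mode#??}                           # other digit
    fi
    [ $(( $bits & 4 )) -ne 0 ]
}

# config_value CONFIG DIRECTIVE: value of the last occurrence (empty if none).
# Comments starting with # or ; are stripped first.
config_value() {
    sed -e 's/[#;].*//' "$1" | awk -v d="$2" '$1 == d { v = $2 } END { print v }'
}

# config_files CONFIG: "directive path" pairs for directives that name a file
# on disk. tls-auth is the one the post shows being read per connection, after
# the privilege drop; the rest are included so the whole set is reviewed.
config_files() {
    sed -e 's/[#;].*//' "$1" | awk '
        $1 ~ /^(tls-auth|tls-crypt|tls-crypt-v2|ca|cert|key|dh|crl-verify)$/ { print $1, $2 }'
}

# check_config CONFIG: print one line per file; return 1 if any would be
# missing or unreadable by the dropped-to user.
check_config() {
    cfg=$1
    cfg_dir=$(dirname "$cfg")
    run_user=$(config_value "$cfg" user)
    run_group=$(config_value "$cfg" group)
    if [ -z "$run_user" ]; then
        echo "no 'user' directive in $cfg: privileges are not dropped, nothing to check"
        return 0
    fi
    [ -n "$run_group" ] || run_group=root           # no 'group': gid stays as started (assumed root)
    rc=0
    while read -r directive path; do
        [ -n "$directive" ] || continue
        case $path in /*) file=$path ;; *) file=$cfg_dir/$path ;; esac
        if [ ! -e "$file" ]; then
            echo "MISSING     $directive $file"; rc=1; continue
        fi
        set -- $(stat -c '%U %G %a' "$file")        # owner group mode
        if can_read "$1" "$2" "$3" "$run_user" "$run_group"; then
            echo "ok          $directive $file ($1:$2 $3)"
        else
            echo "UNREADABLE  $directive $file ($1:$2 $3) by $run_user:$run_group"
            rc=1
        fi
    done <<EOF
$(config_files "$cfg")
EOF
    return $rc
}

# Usage: sh check-openvpn-perms.sh /etc/openvpn/server/server.conf
if [ $# -gt 0 ]; then
    check_config "$1"
fi
```

Run against the post's layout (ta.key owned root:root, mode 600, `user nobody` / `group nogroup`) the script reports ta.key as UNREADABLE and the 644 certs as ok, which is exactly the split the author saw: start-up fine, first client connection fatal. The same question can be asked of the live system with `sudo -u nobody cat /etc/openvpn/server/certs/ta.key`, which also catches supplementary-group and ACL cases this script deliberately does not model.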