Hello,
I'm having trouble with an OpenVPN client initiating a connection to an OpenVPN server. I've read through threads with a similar error, but all the suggestions about the tls-auth files matching between server and client don't seem to help, as they already match. Initially I tried using tls-crypt instead of tls-auth but kept receiving "tls-crypt unwrap error: packet too short" and was unable to solve that issue with any existing forum support threads. Any help is appreciated.
Server:
OS: Linux ovpns 5.8.0-55-generic #62~20.04.1-Ubuntu SMP Wed Jun 2 08:55:04 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Network Setup:
enp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.122.25 netmask 255.255.255.0 broadcast 192.168.122.255
inet6 fe80::edfa:f677:a174:ebe3 prefixlen 64 scopeid 0x20<link>
ether 52:54:00:66:52:52 txqueuelen 1000 (Ethernet)
RX packets 388447 bytes 251739916 (251.7 MB)
RX errors 0 dropped 129832 overruns 0 frame 0
TX packets 177419 bytes 33855654 (33.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 18010 bytes 1797104 (1.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 18010 bytes 1797104 (1.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.15.0.1 netmask 255.255.255.0 destination 10.15.0.1
inet6 fe80::9717:4bb6:890c:af7a prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7 bytes 336 (336.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Server conf
local 192.168.122.25
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth tc.key 0
#key-direction 0
#tls-crypt tc.key
topology subnet
server 10.15.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 4
crl-verify crl.pem
explicit-exit-notify
status openvpn-status.log
Server Log:
TITLE,OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AE>
TIME,Thu Jun 17 14:59:38 2021,1623956378
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes>
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
GLOBAL_STATS,Max bcast/mcast queue length,0
END
Client:
OS: Linux xxx 5.8.0-55-generic #62~20.04.1-Ubuntu SMP Wed Jun 2 08:55:04 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Network Setup:
enp112s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.110 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::1bd:cf94:5c02:1ff9 prefixlen 64 scopeid 0x20<link>
ether a4:ae:11:1e:4c:1f txqueuelen 1000 (Ethernet)
RX packets 535240 bytes 285665915 (285.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 440074 bytes 44375190 (44.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0x6e100000-6e17ffff
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 48414 bytes 5082905 (5.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 48414 bytes 5082905 (5.0 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Client conf
client
dev tun
proto udp
remote xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
ignore-unknown-option block-outside-dns
#block-outside-dns
verb 4
#tls-client
tls-auth /etc/openvpn/tc.key 1
<ca>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xxx
-----END PRIVATE KEY-----
</key>
Client Log:
Thu Jun 17 15:12:08 2021 us=615949 WARNING: file '/etc/openvpn/tc.key' is group or others accessible
Thu Jun 17 15:12:08 2021 us=615972 Current Parameter Settings:
Thu Jun 17 15:12:08 2021 us=615976 config = 'ov-ubuntu.ovpn'
Thu Jun 17 15:12:08 2021 us=616007 mode = 0
Thu Jun 17 15:12:08 2021 us=616010 persist_config = DISABLED
Thu Jun 17 15:12:08 2021 us=616014 persist_mode = 1
Thu Jun 17 15:12:08 2021 us=616018 show_ciphers = DISABLED
Thu Jun 17 15:12:08 2021 us=616022 show_digests = DISABLED
Thu Jun 17 15:12:08 2021 us=616025 show_engines = DISABLED
Thu Jun 17 15:12:08 2021 us=616029 genkey = DISABLED
Thu Jun 17 15:12:08 2021 us=616032 key_pass_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616036 show_tls_ciphers = DISABLED
Thu Jun 17 15:12:08 2021 us=616040 connect_retry_max = 0
Thu Jun 17 15:12:08 2021 us=616043 Connection profiles [0]:
Thu Jun 17 15:12:08 2021 us=616047 proto = udp
Thu Jun 17 15:12:08 2021 us=616051 local = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616054 local_port = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616058 remote = 'xxx'
Thu Jun 17 15:12:08 2021 us=616061 remote_port = '1194'
Thu Jun 17 15:12:08 2021 us=616065 remote_float = DISABLED
Thu Jun 17 15:12:08 2021 us=616069 bind_defined = DISABLED
Thu Jun 17 15:12:08 2021 us=616072 bind_local = DISABLED
Thu Jun 17 15:12:08 2021 us=616075 bind_ipv6_only = DISABLED
Thu Jun 17 15:12:08 2021 us=616079 connect_retry_seconds = 5
Thu Jun 17 15:12:08 2021 us=616083 connect_timeout = 120
Thu Jun 17 15:12:08 2021 us=616086 socks_proxy_server = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616115 socks_proxy_port = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616120 tun_mtu = 1500
Thu Jun 17 15:12:08 2021 us=616123 tun_mtu_defined = ENABLED
Thu Jun 17 15:12:08 2021 us=616127 link_mtu = 1500
Thu Jun 17 15:12:08 2021 us=616146 link_mtu_defined = DISABLED
Thu Jun 17 15:12:08 2021 us=616150 tun_mtu_extra = 0
Thu Jun 17 15:12:08 2021 us=616154 tun_mtu_extra_defined = DISABLED
Thu Jun 17 15:12:08 2021 us=616157 mtu_discover_type = -1
Thu Jun 17 15:12:08 2021 us=616161 fragment = 0
Thu Jun 17 15:12:08 2021 us=616164 mssfix = 1450
Thu Jun 17 15:12:08 2021 us=616168 explicit_exit_notification = 0
Thu Jun 17 15:12:08 2021 us=616172 Connection profiles END
Thu Jun 17 15:12:08 2021 us=616175 remote_random = DISABLED
Thu Jun 17 15:12:08 2021 us=616179 ipchange = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616182 dev = 'tun'
Thu Jun 17 15:12:08 2021 us=616186 dev_type = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616190 dev_node = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616193 lladdr = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616197 topology = 1
Thu Jun 17 15:12:08 2021 us=616200 ifconfig_local = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616204 ifconfig_remote_netmask = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616207 ifconfig_noexec = DISABLED
Thu Jun 17 15:12:08 2021 us=616211 ifconfig_nowarn = DISABLED
Thu Jun 17 15:12:08 2021 us=616215 ifconfig_ipv6_local = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616218 ifconfig_ipv6_netbits = 0
Thu Jun 17 15:12:08 2021 us=616222 ifconfig_ipv6_remote = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616226 shaper = 0
Thu Jun 17 15:12:08 2021 us=616229 mtu_test = 0
Thu Jun 17 15:12:08 2021 us=616233 mlock = DISABLED
Thu Jun 17 15:12:08 2021 us=616236 keepalive_ping = 0
Thu Jun 17 15:12:08 2021 us=616240 keepalive_timeout = 0
Thu Jun 17 15:12:08 2021 us=616263 inactivity_timeout = 0
Thu Jun 17 15:12:08 2021 us=616266 ping_send_timeout = 0
Thu Jun 17 15:12:08 2021 us=616270 ping_rec_timeout = 0
Thu Jun 17 15:12:08 2021 us=616273 ping_rec_timeout_action = 0
Thu Jun 17 15:12:08 2021 us=616277 ping_timer_remote = DISABLED
Thu Jun 17 15:12:08 2021 us=616281 remap_sigusr1 = 0
Thu Jun 17 15:12:08 2021 us=616284 persist_tun = ENABLED
Thu Jun 17 15:12:08 2021 us=616288 persist_local_ip = DISABLED
Thu Jun 17 15:12:08 2021 us=616292 persist_remote_ip = DISABLED
Thu Jun 17 15:12:08 2021 us=616311 persist_key = ENABLED
Thu Jun 17 15:12:08 2021 us=616315 passtos = DISABLED
Thu Jun 17 15:12:08 2021 us=616318 resolve_retry_seconds = 1000000000
Thu Jun 17 15:12:08 2021 us=616322 resolve_in_advance = DISABLED
Thu Jun 17 15:12:08 2021 us=616325 username = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616329 groupname = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616332 chroot_dir = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616350 cd_dir = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616353 writepid = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616356 up_script = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616360 down_script = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616363 down_pre = DISABLED
Thu Jun 17 15:12:08 2021 us=616367 up_restart = DISABLED
Thu Jun 17 15:12:08 2021 us=616370 up_delay = DISABLED
Thu Jun 17 15:12:08 2021 us=616373 daemon = DISABLED
Thu Jun 17 15:12:08 2021 us=616377 inetd = 0
Thu Jun 17 15:12:08 2021 us=616380 log = DISABLED
Thu Jun 17 15:12:08 2021 us=616384 suppress_timestamps = DISABLED
Thu Jun 17 15:12:08 2021 us=616387 machine_readable_output = DISABLED
Thu Jun 17 15:12:08 2021 us=616391 nice = 0
Thu Jun 17 15:12:08 2021 us=616394 verbosity = 4
Thu Jun 17 15:12:08 2021 us=616398 mute = 0
Thu Jun 17 15:12:08 2021 us=616401 gremlin = 0
Thu Jun 17 15:12:08 2021 us=616404 status_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616408 status_file_version = 1
Thu Jun 17 15:12:08 2021 us=616411 status_file_update_freq = 60
Thu Jun 17 15:12:08 2021 us=616415 occ = ENABLED
Thu Jun 17 15:12:08 2021 us=616418 rcvbuf = 0
Thu Jun 17 15:12:08 2021 us=616422 sndbuf = 0
Thu Jun 17 15:12:08 2021 us=616425 mark = 0
Thu Jun 17 15:12:08 2021 us=616428 sockflags = 0
Thu Jun 17 15:12:08 2021 us=616432 fast_io = DISABLED
Thu Jun 17 15:12:08 2021 us=616435 comp.alg = 0
Thu Jun 17 15:12:08 2021 us=616439 comp.flags = 0
Thu Jun 17 15:12:08 2021 us=616442 route_script = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616446 route_default_gateway = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616449 route_default_metric = 0
Thu Jun 17 15:12:08 2021 us=616453 route_noexec = DISABLED
Thu Jun 17 15:12:08 2021 us=616456 route_delay = 0
Thu Jun 17 15:12:08 2021 us=616460 route_delay_window = 30
Thu Jun 17 15:12:08 2021 us=616476 route_delay_defined = DISABLED
Thu Jun 17 15:12:08 2021 us=616480 route_nopull = DISABLED
Thu Jun 17 15:12:08 2021 us=616484 route_gateway_via_dhcp = DISABLED
Thu Jun 17 15:12:08 2021 us=616487 allow_pull_fqdn = DISABLED
Thu Jun 17 15:12:08 2021 us=616491 management_addr = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616495 management_port = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616498 management_user_pass = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616502 management_log_history_cache = 250
Thu Jun 17 15:12:08 2021 us=616506 management_echo_buffer_size = 100
Thu Jun 17 15:12:08 2021 us=616510 management_write_peer_info_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616513 management_client_user = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616517 management_client_group = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616521 management_flags = 0
Thu Jun 17 15:12:08 2021 us=616525 shared_secret_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616529 key_direction = 1
Thu Jun 17 15:12:08 2021 us=616532 ciphername = 'AES-256-CBC'
Thu Jun 17 15:12:08 2021 us=616536 ncp_enabled = ENABLED
Thu Jun 17 15:12:08 2021 us=616540 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Thu Jun 17 15:12:08 2021 us=616544 authname = 'SHA512'
Thu Jun 17 15:12:08 2021 us=616548 prng_hash = 'SHA1'
Thu Jun 17 15:12:08 2021 us=616552 prng_nonce_secret_len = 16
Thu Jun 17 15:12:08 2021 us=616555 keysize = 0
Thu Jun 17 15:12:08 2021 us=616559 engine = DISABLED
Thu Jun 17 15:12:08 2021 us=616563 replay = ENABLED
Thu Jun 17 15:12:08 2021 us=616567 mute_replay_warnings = DISABLED
Thu Jun 17 15:12:08 2021 us=616570 replay_window = 64
Thu Jun 17 15:12:08 2021 us=616574 replay_time = 15
Thu Jun 17 15:12:08 2021 us=616578 packet_id_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616582 use_iv = ENABLED
Thu Jun 17 15:12:08 2021 us=616585 test_crypto = DISABLED
Thu Jun 17 15:12:08 2021 us=616589 tls_server = DISABLED
Thu Jun 17 15:12:08 2021 us=616593 tls_client = ENABLED
Thu Jun 17 15:12:08 2021 us=616597 key_method = 2
Thu Jun 17 15:12:08 2021 us=616600 ca_file = '[[INLINE]]'
Thu Jun 17 15:12:08 2021 us=616604 ca_path = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616608 dh_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616612 cert_file = '[[INLINE]]'
Thu Jun 17 15:12:08 2021 us=616615 extra_certs_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616619 priv_key_file = '[[INLINE]]'
Thu Jun 17 15:12:08 2021 us=616623 pkcs12_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616627 cipher_list = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616630 cipher_list_tls13 = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616634 tls_cert_profile = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616638 tls_verify = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616641 tls_export_cert = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616645 verify_x509_type = 0
Thu Jun 17 15:12:08 2021 us=616649 verify_x509_name = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616652 crl_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616656 ns_cert_type = 0
Thu Jun 17 15:12:08 2021 us=616660 remote_cert_ku[i] = 65535
Thu Jun 17 15:12:08 2021 us=616664 remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616668 remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616671 remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616675 remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616678 remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616682 remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616686 remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616689 remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616693 remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616697 remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616700 remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616704 remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616707 remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616711 remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616715 remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616718 remote_cert_eku = 'TLS Web Server Authentication'
Thu Jun 17 15:12:08 2021 us=616722 ssl_flags = 0
Thu Jun 17 15:12:08 2021 us=616726 tls_timeout = 2
Thu Jun 17 15:12:08 2021 us=616730 renegotiate_bytes = -1
Thu Jun 17 15:12:08 2021 us=616734 renegotiate_packets = 0
Thu Jun 17 15:12:08 2021 us=616737 renegotiate_seconds = 3600
Thu Jun 17 15:12:08 2021 us=616741 handshake_window = 60
Thu Jun 17 15:12:08 2021 us=616745 transition_window = 3600
Thu Jun 17 15:12:08 2021 us=616748 single_session = DISABLED
Thu Jun 17 15:12:08 2021 us=616752 push_peer_info = DISABLED
Thu Jun 17 15:12:08 2021 us=616756 tls_exit = DISABLED
Thu Jun 17 15:12:08 2021 us=616760 tls_auth_file = '/etc/openvpn/tc.key'
Thu Jun 17 15:12:08 2021 us=616763 tls_crypt_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616767 pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616771 pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616775 pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616778 pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616782 pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616786 pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616790 pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616793 pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616797 pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616801 pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616805 pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616808 pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616812 pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616816 pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616819 pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616823 pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616827 pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616831 pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616834 pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616838 pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616842 pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616846 pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616849 pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616853 pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616857 pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616860 pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616864 pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616867 pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616871 pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616875 pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616878 pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616882 pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616886 pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616889 pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616893 pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616897 pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616901 pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616904 pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616908 pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616911 pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616915 pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616919 pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616923 pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616926 pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616930 pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616933 pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616937 pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616941 pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616944 pkcs11_pin_cache_period = -1
Thu Jun 17 15:12:08 2021 us=616948 pkcs11_id = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616952 pkcs11_id_management = DISABLED
Thu Jun 17 15:12:08 2021 us=616956 server_network = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=616961 server_netmask = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=616967 server_network_ipv6 = ::
Thu Jun 17 15:12:08 2021 us=616971 server_netbits_ipv6 = 0
Thu Jun 17 15:12:08 2021 us=616975 server_bridge_ip = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=616980 server_bridge_netmask = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=616984 server_bridge_pool_start = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=616990 server_bridge_pool_end = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=616994 ifconfig_pool_defined = DISABLED
Thu Jun 17 15:12:08 2021 us=616998 ifconfig_pool_start = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=617002 ifconfig_pool_end = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=617006 ifconfig_pool_netmask = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=617010 ifconfig_pool_persist_filename = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=617014 ifconfig_pool_persist_refresh_freq = 600
Thu Jun 17 15:12:08 2021 us=617017 ifconfig_ipv6_pool_defined = DISABLED
Thu Jun 17 15:12:08 2021 us=617021 ifconfig_ipv6_pool_base = ::
Thu Jun 17 15:12:08 2021 us=617025 ifconfig_ipv6_pool_netbits = 0
Thu Jun 17 15:12:08 2021 us=617029 n_bcast_buf = 256
Thu Jun 17 15:12:08 2021 us=617033 tcp_queue_limit = 64
Thu Jun 17 15:12:08 2021 us=617037 real_hash_size = 256
Thu Jun 17 15:12:08 2021 us=617040 virtual_hash_size = 256
Thu Jun 17 15:12:08 2021 us=617044 client_connect_script = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=617048 learn_address_script = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=617052 client_disconnect_script = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=617055 client_config_dir = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=617059 ccd_exclusive = DISABLED
Thu Jun 17 15:12:08 2021 us=617063 tmp_dir = '/tmp'
Thu Jun 17 15:12:08 2021 us=617067 push_ifconfig_defined = DISABLED
Thu Jun 17 15:12:08 2021 us=617071 push_ifconfig_local = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=617075 push_ifconfig_remote_netmask = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=617079 push_ifconfig_ipv6_defined = DISABLED
Thu Jun 17 15:12:08 2021 us=617083 push_ifconfig_ipv6_local = ::/0
Thu Jun 17 15:12:08 2021 us=617087 push_ifconfig_ipv6_remote = ::
Thu Jun 17 15:12:08 2021 us=617091 enable_c2c = DISABLED
Thu Jun 17 15:12:08 2021 us=617095 duplicate_cn = DISABLED
Thu Jun 17 15:12:08 2021 us=617099 cf_max = 0
Thu Jun 17 15:12:08 2021 us=617102 cf_per = 0
Thu Jun 17 15:12:08 2021 us=617106 max_clients = 1024
Thu Jun 17 15:12:08 2021 us=617110 max_routes_per_client = 256
Thu Jun 17 15:12:08 2021 us=617113 auth_user_pass_verify_script = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=617117 auth_user_pass_verify_script_via_file = DISABLED
Thu Jun 17 15:12:08 2021 us=617121 auth_token_generate = DISABLED
Thu Jun 17 15:12:08 2021 us=617125 auth_token_lifetime = 0
Thu Jun 17 15:12:08 2021 us=617129 port_share_host = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=617132 port_share_port = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=617136 client = ENABLED
Thu Jun 17 15:12:08 2021 us=617140 pull = ENABLED
Thu Jun 17 15:12:08 2021 us=617144 auth_user_pass_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=617148 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 27 2021
Thu Jun 17 15:12:08 2021 us=617157 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Thu Jun 17 15:12:08 2021 us=617447 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Jun 17 15:12:08 2021 us=617457 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Jun 17 15:12:08 2021 us=617497 Control Channel MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Thu Jun 17 15:12:08 2021 us=617514 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Thu Jun 17 15:12:08 2021 us=617528 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Thu Jun 17 15:12:08 2021 us=617533 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Thu Jun 17 15:12:08 2021 us=617540 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx:1194
Thu Jun 17 15:12:08 2021 us=617554 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Jun 17 15:12:08 2021 us=617559 UDP link local: (not bound)
Thu Jun 17 15:12:08 2021 us=617563 UDP link remote: [AF_INET]xxx:1194
Thu Jun 17 15:12:08 2021 us=620961 TLS: Initial packet from [AF_INET]xxx:1194, sid=24ede69b 4a2fa0f4
Thu Jun 17 15:12:08 2021 us=620975 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]xxx:1194
Thu Jun 17 15:12:10 2021 us=701228 TLS: Initial packet from [AF_INET]xxx:1194, sid=24ede69b 4a2fa0f4
Thu Jun 17 15:12:10 2021 us=701300 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]xxx:1194
Thu Jun 17 15:12:14 2021 us=363139 TLS: Initial packet from [AF_INET]xxx:1194, sid=24ede69b 4a2fa0f4
Thu Jun 17 15:12:14 2021 us=363209 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]xxx:1194
I keep getting TLS Error: cannot locate HMAC in incoming packet from [AF_INET]xx.xx.xx.xx:xxxxx when my OpenVPN client connects to the server. It seems tls-auth /etc/openvpn/pki/ta.key doesn't work.
If I comment out this line, it will generate a log message like xx.xx.xx.xx:xxxxx TLS: Initial packet from [AF_INET]xx.xx.xx.xx:xxxxx, sid=a1b9713f 033e1970, but xx.xx.xx.xx:xxxxx TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) & xx.xx.xx.xx:xxxxx TLS Error: TLS handshake failed will be generated after a while. The connection still fails. Could you please advise a solution? Really appreciated.
Same issue here. To fix this, you can either comment out the tls-auth option from the openvpn.conf file, or add the tls-auth block and key-direction at the end of the client configuration file, as below:
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(contents of ta.key)
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
Had to add tls-server to the server.conf for this to work
I don't think this is a server issue. It is a client-side problem. You should inspect your OpenVPN client configuration, especially the TLS auth part.
I set up an OpenVPN server. Windows and other clients connect normally; they all see the network and so on. There is a Synology NVR at a remote site; when I try to create a connection on it, it complains that there is no server or that the certificate has expired. Logs on the pfSense side: TLS Error: cannot locate HMAC in incoming packet from [AF_INET6]::ffff:
1. The Synology NVR does not support TLS authentication.
or
2. You have not configured TLS authentication on the Synology NVR.
On the client side this is the following line in the config:
tls-auth ta.key 1
ta.key is what pfSense shows as Key under Cryptographic Settings.
or
3. The auth directive on the client and server sides does not match:
auth SHA1, auth SHA512, etc.
https://serverfault.com/questions/194769/unable-to-logon-to-vpn
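The GitHub reply above (inline <tls-auth> plus key-direction 1) and the pfSense reply (TLS authentication missing on the client, or an auth digest that differs) both come down to the two peers disagreeing about how the control channel is protected. As an added example, not code from any poster or from OpenVPN, here is a small Python checker that parses a server and a client config, including inline <tls-auth> blocks and key-direction, and lists mismatches of those kinds; the sample configs and the static key in it are constructed, not taken from the thread.

```python
import hashlib
import re

# Constructed sample static key (not a real key); only its body is fingerprinted.
SAMPLE_KEY = ("-----BEGIN OpenVPN Static key V1-----\n"
              "00112233445566778899aabbccddeeff\n"
              "-----END OpenVPN Static key V1-----")
OTHER_KEY = SAMPLE_KEY.replace("0011", "ffee")  # a different key, for the bad case
# Constructed configs modelled on the thread: tls-auth direction 0 on the
# server, and a client carrying the same key inline with key-direction 1.
SERVER_CFG = "auth SHA512\ntls-auth tc.key 0\n#tls-crypt tc.key\ncipher AES-256-CBC\n"
CLIENT_GOOD = ("client\nauth SHA512\n<tls-auth>\n" + SAMPLE_KEY +
               "\n</tls-auth>\nkey-direction 1\n")
CLIENT_BAD = "client\nauth SHA1\ntls-auth ta.key 0\n"  # wrong direction, digest, key

def parse_config(text):
    """Return (directives, inline_blocks): directives as (name, args) in file order,
    comments dropped; inline_blocks maps e.g. 'tls-auth' to the text inside its tags."""
    directives, inline, current, body = [], {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:  # inside <tag> ... </tag>
            if line == f"</{current}>":
                inline[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            current = m.group(1)
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives, inline

def key_fingerprint(key_text):
    """Short SHA-256 of the hex body of a static key file, so copies compare without printing."""
    body = [l.strip() for l in key_text.splitlines()
            if l.strip() and not l.startswith(("-----", "#"))]
    return hashlib.sha256("".join(body).encode()).hexdigest()[:16]

def control_channel_profile(text, key_files=None):
    """Collect what decides whether the peer can locate the control-channel HMAC: mode
    (tls-auth/tls-crypt/none), key direction, auth digest and key fingerprint.
    key_files maps a filename named by tls-auth/tls-crypt to that file's text."""
    key_files = key_files or {}
    directives, inline = parse_config(text)
    prof = {"mode": "none", "direction": None, "auth": "SHA1", "key_fp": None}
    for name, args in directives:
        if name == "auth" and args:
            prof["auth"] = args[0].upper()
        elif name in ("tls-auth", "tls-crypt") and args:
            prof["mode"] = name
            if name == "tls-auth" and len(args) > 1:
                prof["direction"] = int(args[1])
            if args[0] in key_files:
                prof["key_fp"] = key_fingerprint(key_files[args[0]])
        elif name == "key-direction" and args:
            prof["direction"] = int(args[0])
    for tag in ("tls-auth", "tls-crypt"):  # inline key blocks win over file references
        if tag in inline:
            prof["mode"] = tag
            prof["key_fp"] = key_fingerprint(inline[tag])
    return prof

def compare_control_channel(server_cfg, client_cfg, server_keys=None, client_keys=None):
    """Return the server/client mismatches of the kinds the thread discusses."""
    s = control_channel_profile(server_cfg, server_keys)
    c = control_channel_profile(client_cfg, client_keys)
    findings = []
    if s["mode"] != c["mode"]:
        findings.append(f"mode mismatch: server {s['mode']}, client {c['mode']}")
    elif s["mode"] == "tls-auth" and (s["direction"], c["direction"]) not in {
            (0, 1), (1, 0), (None, None)}:  # both omitted = bidirectional key
        findings.append(f"key-direction mismatch: server {s['direction']}, client {c['direction']}")
    if s["auth"] != c["auth"]:
        findings.append(f"auth digest mismatch: server {s['auth']}, client {c['auth']}")
    if s["key_fp"] and c["key_fp"] and s["key_fp"] != c["key_fp"]:
        findings.append("static key mismatch: tls-auth/tls-crypt key contents differ")
    return findings
```

Run compare_control_channel(SERVER_CFG, CLIENT_GOOD, {"tc.key": SAMPLE_KEY}) to get an empty list, and the same call with CLIENT_BAD and {"ta.key": OTHER_KEY} to get the three findings; pass the real key file contents instead of the constructed ones to check a live pair.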
I'm new to all this; could you help me configure the configuration file?
@Shuh:
I'm new to all this; could you help me configure the configuration file?
Windows and other clients connect normally
Just take the working config from those clients as a base and edit it for the Synology NVR client.
Yes, I tried, but something isn't working. Oh well, I'll keep trying. Thanks anyway!!
This is how I edited it; Synology complains that the parameters are invalid
dev tun
proto udp
remote "server IP and port here" udp
resolv-retry infinite
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
verify-x509-name "MyVPN" name
auth-user-pass
pkcs12 pfSense-udp-1194-Video.p12
tls-auth pfSense-udp-1194-Video-tls.key 1
remote-cert-tls server
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
Synology complains that the parameters are invalid
Find out what exactly it doesn't like. Add to its config
verb 3
and look for errors in the log. Is the OpenVPN system log accessible on the Synology?
auth-user-pass
Where are the login/password entered?
https://habrahabr.ru/post/216197/
https://www.ogalik.ee/synology-dsm-4-openvpn-client/
Folks, help, I can't figure it out, still the same error; attaching the configuration file from the Synology:
dev tun
tls-client
remote ipserver 1194
pull
proto udp
up /usr/syno/etc.defaults/synovpnclient/scripts/ovpn-up
route-up /usr/syno/etc.defaults/synovpnclient/scripts/route-up
ca ca_o1517654907.crt
route-noexec
script-security 2
float
reneg-sec 0
explicit-exit-notify
plugin /lib/openvpn/openvpn-down-root.so /usr/syno/etc.defaults/synovpnclient/scripts/ip-down
auth-user-pass /tmp/ovpn_client_up