I keep getting TLS Error: cannot locate HMAC in incoming packet from [AF_INET]xx.xx.xx.xx:xxxxx when my OpenVPN client connects to the server. It seems tls-auth /etc/openvpn/pki/ta.key doesn't work.
If I comment this line out, it generates a log message like xx.xx.xx.xx:xxxxx TLS: Initial packet from [AF_INET]xx.xx.xx.xx:xxxxx, sid=a1b9713f 033e1970, but xx.xx.xx.xx:xxxxx TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) and xx.xx.xx.xx:xxxxx TLS Error: TLS handshake failed are generated after a while. The connection still fails. Could you please advise a solution? Really appreciate it.
Same issue here. To fix this, you can either comment out the tls-auth option from the openvpn.conf file, or add the tls-auth block and key-direction at the end of the client configuration file, as below:
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(contents of ta.key)
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
Had to add tls-server to the server.conf for this to work.
I don't think this is a server issue. It is a client-side problem. You should inspect your OpenVPN client configuration, especially the TLS auth part.
OpenVPN Support Forum
Community Support Forum
[Solved] PLC siemens vs OpenVPN server
Post by bigsrl » Mon Jun 20, 2016 12:41 pm
I write here after 5 days of testing, but without success.
I have a Siemens RTU3030C; it's like a little low-energy PLC to measure water level or pressure etc. It uses a UMTS connection for remote management; due to NAT problems, it can automatically connect to an external OpenVPN server, so I tried to configure an OpenVPN server (using a Raspberry Pi) in my enterprise.
Siemens specification about server config is:
on the Siemens configuration page, I have only this parameter:
(obviously on OpenVPN I put my public IP)
Unfortunately the log on the Siemens PLC is just "works" or "doesn't work", and in the openvpn log file I found this error:
please, can someone help me? I don't know where the problem is. I tried everything, but sure, it's the first openvpn server I have tried to set up in my life.
Re: PLC siemens vs OpenVPN server
Post by bigsrl » Mon Jun 20, 2016 1:43 pm
A little update: I changed openvpn.conf to this configuration and set the log verbosity to 4.
Re: PLC siemens vs OpenVPN server
Post by TinCanTech » Mon Jun 20, 2016 1:43 pm
bigsrl wrote: tls-server
tls-auth ./easy-rsa/keys/ta.key 1
This is wrong .. See --tls-auth in The Manual v23x
Also, it looks like your Siemens device does not have support for --tls-auth
Re: PLC siemens vs OpenVPN server
Post by bigsrl » Mon Jun 20, 2016 1:47 pm
I commented out tls-auth ./easy-rsa/keys/ta.key 1 by putting a "#" in front of it (see second post), but the problem remains.
Probably you are replying while I'm writing the new post, sorry.
Re: PLC siemens vs OpenVPN server
Post by TinCanTech » Mon Jun 20, 2016 2:16 pm
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh512.pem
# user nobody
# group nogroup
server 10.8.0.0 255.255.255.0
# persist-key
# persist-tun
#tls-auth ./easy-rsa/keys/ta.key 0
#tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
# tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
auth SHA256
#cipher BF-CBC
cipher AES-256-CBC
keepalive 10 60
client-to-client
# push "redirect-gateway def1"
# push "dhcp-option DNS 8.8.8.8"
# push "dhcp-option DNS 8.8.4.4"
verb 4
log-append /var/log/openvpn
Re: PLC siemens vs OpenVPN server
Post by bigsrl » Mon Jun 20, 2016 2:33 pm
Re: PLC siemens vs OpenVPN server
Post by TinCanTech » Mon Jun 20, 2016 2:59 pm
I cannot support this device ..
Try setting up a normal windows or linux client to test that your server and network are working correctly.
Then try setting up the RTU.
Re: PLC siemens vs OpenVPN server
Post by bigsrl » Mon Jun 20, 2016 3:32 pm
right, I have now configured my laptop to use the openvpn client with the .ovpn file generated from my raspberry
client side log (sorry it's a screenshot to be quick)
it seems like the dh key is too short; I reduced it from 2048 bit to 512 because uploading a .key to the siemens RTU shows an error due to a too large key file. But I'm not sure that's the only problem. Anyway my laptop doesn't connect to the openvpn server
Re: PLC siemens vs OpenVPN server
Post by TinCanTech » Mon Jun 20, 2016 3:38 pm
You can see from your screen shot: "DH Key too small" .. 512bit is too small.
Use easyrsa to create a new PKI from scratch with a 2048bit key etc.
Re: PLC siemens vs OpenVPN server
Post by bigsrl » Tue Jun 21, 2016 2:14 pm
Ok, I changed the configuration in vars to set the dh key size to 1024 bit and now my laptop (and also my siemens RTU!!) connect correctly to the openvpn server!! thanks.
After 5 days of work, finding the VPN LED ON is fantastic!
ok, now I have another problem. I generated about 25/30 client keys, put one on the RTU and one on my laptop: each Windows openVPN client (2 laptops) after connecting receives:
IP 10.8.0.xxx
SUB 255.255.255.252
NO GATEWAY
DNS1: 8.8.8.8
DNS2: 8.8.4.4
no one can ping each other and there is no communication between clients.
but the RTU, after connection, receives:
IP address 10.8.0.10
Subnet mask 10.8.0.9
why??
The Raspberry cannot ping any client: no laptop, no RTU, nothing.
All clients after connection cannot ping 8.8.8.8.
I simply want to have all my RTUs connected to the openvpn server; a PC connected as a client of the OpenVPN server needs to retrieve the http page of each RTU.
Surely my problem is in the gateway or in routing.
I changed the iptables configuration with the command
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
I've also modified the crontab, inserting @reboot sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
my server log is:
5.170.5.194 is the RTU
5.170.4.150 is my laptop
Disk Full: TLS Error: cannot locate HMAC in incoming packet from.
Post by dsetis » Thu Jun 21, 2018 11:14 am
Sometimes I receive attempts to connect to my server (not real connections, I think), and each one of them generates entries in my LOGFILE:
"TLS Error: cannot locate HMAC in incoming packet from. "
Result: 20G of logfiles per day, which my rotate can't manage..
What is the best way to solve it?
- "verb 0" isn't a good option, I think.
- "disable the TLS security?" wrong way.
Any ideas?
Re: Disk Full: TLS Error: cannot locate HMAC in incoming packet from.
Post by TinCanTech » Thu Jun 21, 2018 8:01 pm
Re: Disk Full: TLS Error: cannot locate HMAC in incoming packet from.
Post by dsetis » Wed Jun 27, 2018 10:02 pm
Re: Disk Full: TLS Error: cannot locate HMAC in incoming packet from.
Post by TinCanTech » Wed Jun 27, 2018 10:34 pm
Result: 20G of logfiles per day,
- "verb 0" isn't a good option,
Re: Disk Full: TLS Error: cannot locate HMAC in incoming packet from.
Post by dsetis » Mon Jul 02, 2018 7:00 pm
With "0", I think no LOGS will be generated, and that's not so good.
With 1, the LOG is useful; the problem is the TLS attack. With 1, it's flooding the openvpn.log file.
Re: Disk Full: TLS Error: cannot locate HMAC in incoming packet from.
Post by TinCanTech » Mon Jul 02, 2018 8:33 pm
Re: Disk Full: TLS Error: cannot locate HMAC in incoming packet from.
Post by dsetis » Tue Jul 03, 2018 2:32 pm
I was really confused.
I'm so sorry.
I had the mute option reversed: 2 = fewer identical logs.
Thanks. It's working!
Re: Disk Full: TLS Error: cannot locate HMAC in incoming packet from.
Post by TinCanTech » Tue Jul 03, 2018 2:37 pm
Re: Disk Full: TLS Error: cannot locate HMAC in incoming packet from.
Post by dsetis » Tue Jul 03, 2018 3:13 pm
Now, again.. around 13k per second.
With verb 1 and mute 1:
Tue Jul 3 12:08:23 2018 TLS Error: incoming packet authentication failed from 152.240.255.85:35215
Tue Jul 3 12:08:23 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Jul 3 12:08:23 2018 TLS Error: incoming packet authentication failed from 177.56.233.73:58123
Tue Jul 3 12:08:23 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Jul 3 12:08:23 2018 TLS Error: incoming packet authentication failed from 189.93.133.108:37127
Tue Jul 3 12:08:23 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Jul 3 12:08:23 2018 TLS Error: incoming packet authentication failed from 152.240.129.127:48610
Tue Jul 3 12:08:23 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Jul 3 12:08:23 2018 TLS Error: incoming packet authentication failed from 152.240.114.76:44890
Tue Jul 3 12:08:24 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Jul 3 12:08:24 2018 TLS Error: incoming packet authentication failed from 152.240.107.107:44177
Tue Jul 3 12:08:24 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Jul 3 12:08:24 2018 TLS Error: incoming packet authentication failed from 187.69.219.44:34305
Tue Jul 3 12:08:24 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Jul 3 12:08:24 2018 TLS Error: incoming packet authentication failed from 152.240.224.88:55099
Tue Jul 3 12:08:24 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Jul 3 12:08:24 2018 TLS Error: incoming packet authentication failed from 152.245.135.126:46313
Tue Jul 3 12:08:24 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Jul 3 12:08:24 2018 TLS Error: incoming packet authentication failed from 179.86.133.247:53054
Tue Jul 3 12:08:24 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Jul 3 12:08:24 2018 TLS Error: incoming packet authentication failed from 152.245.160.189:33492
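The mute option discussed in this thread only keeps repeated lines out of the log file; it says nothing about who is sending the packets. The script below is an added example for this page (not OpenVPN code and not from any poster): it parses log lines in the format quoted above, ignores the address-less "Authenticate/Decrypt packet error" lines, normalises IPv4-mapped IPv6 peers of the "[AF_INET6]::ffff:" kind, and reports failures per source and per second, which is the input an operator needs for a firewall rate limit or a fail2ban-style jail. The SAMPLE_LOG lines and the 3-per-source threshold are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the thread's log format. The "Authenticate/Decrypt"
# lines carry no peer address and are deliberately ignored; the last line is
# the IPv4-mapped IPv6 form a dual-stack server logs.
SAMPLE_LOG = """\
Tue Jul 3 12:08:23 2018 TLS Error: incoming packet authentication failed from 152.240.255.85:35215
Tue Jul 3 12:08:23 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Jul 3 12:08:23 2018 TLS Error: incoming packet authentication failed from 177.56.233.73:58123
Tue Jul 3 12:08:23 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Jul 3 12:08:23 2018 TLS Error: incoming packet authentication failed from 152.240.255.85:35216
Tue Jul 3 12:08:24 2018 TLS Error: incoming packet authentication failed from 152.240.255.85:35217
Tue Jul 3 12:08:24 2018 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]189.93.133.108:37127
Tue Jul 3 12:08:24 2018 TLS Error: cannot locate HMAC in incoming packet from [AF_INET6]::ffff:177.56.233.73:58124
"""

# Both tls-auth failure messages OpenVPN emits for the control channel, with an
# optional address-family tag and a trailing ":port".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) TLS Error: "
    r"(?:incoming packet authentication failed|cannot locate HMAC in incoming packet) "
    r"from (?:\[AF_INET6?\])?(?P<ip>[0-9A-Fa-f.:]+):(?P<port>\d+)$"
)


def parse_failures(text):
    """Return (timestamp, source_ip) pairs for every HMAC-failure line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # OpenVPN pads the day with a space, so collapse whitespace first.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
        ip = m.group("ip")
        if ip.startswith("::ffff:"):  # IPv4-mapped IPv6 -> plain IPv4
            ip = ip[len("::ffff:"):]
        events.append((ts, ip))
    return events


def summarise(text, per_ip_threshold=3):
    """Aggregate failures per source and per one-second bucket.

    Returns the total count, a per-IP breakdown, the busiest second, and the
    sources at or above per_ip_threshold (candidates for a firewall rate limit).
    """
    events = parse_failures(text)
    by_ip = Counter(ip for _, ip in events)
    per_second = Counter(ts for ts, _ in events)
    return {
        "total": len(events),
        "by_ip": dict(by_ip),
        "peak_per_second": max(per_second.values(), default=0),
        "candidates": sorted(ip for ip, n in by_ip.items() if n >= per_ip_threshold),
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print(f"{report['total']} failures, peak {report['peak_per_second']}/s")
    for ip, n in sorted(report["by_ip"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip:<20} {n}")
    print("rate-limit candidates:", ", ".join(report["candidates"]))
```

Because the control channel runs over UDP, the source address in these lines is only as reliable as the network path; blocks derived from this report should be short-lived and enforced at the firewall, not by stopping the service, and the threshold should be set from the server's normal failure rate rather than from the sample here.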
Re: Disk Full: TLS Error: cannot locate HMAC in incoming packet from.
Post by TinCanTech » Tue Jul 03, 2018 3:24 pm
Unable to connect with Openvpn server (TLS Error)
Post by kelsini » Tue Apr 12, 2016 12:17 pm
Hello members, I have recently installed an openvpn server on my ARCH 4.4.5-1 i686 GNU/Linux home machine.
Apparently the server is running OK, as the output shows:
My server config:
When I try to connect to my server with my android phone (with the openvpn for android app installed) with the respective imported keys and cert (ca.crt; kelsinni.crt; kelsinni.key) I always get the same TLS error:
I have double checked all the configs but still get this same error every time. Can anyone please give me a tip about the source of this problem?
Thanks in advance for all the help given.
Re: Unable to connect with Openvpn server (TLS Error)
Post by Traffic » Tue Apr 12, 2016 2:50 pm
Re: Unable to connect with Openvpn server (TLS Error)
Post by kelsini » Tue Apr 12, 2016 6:47 pm
.
client-to-client
keepalive 1800 4000
cipher DES-EDE3-CBC # Triple-DES
comp-lzo yes
user nobody
group nobody
.
Re: Unable to connect with Openvpn server (TLS Error)
Post by Traffic » Tue Apr 12, 2016 7:23 pm
Re: Unable to connect with Openvpn server (TLS Error)
Post by kelsini » Tue Apr 12, 2016 9:34 pm
Re: Unable to connect with Openvpn server (TLS Error)
Post by Traffic » Tue Apr 12, 2016 10:15 pm
Re: Unable to connect with Openvpn server (TLS Error)
Post by kelsini » Tue Apr 12, 2016 11:11 pm
I have noticed that 'de.blinkt.openvpn' wasn't correct for sure, but I went to the smartphone openvpn for android app and changed the "search domain" on the "DNS AND IP" tab from 'de.blinkt.openvpn' to my DNS.
The strangest thing is that after this change the log still gives me that 'de.blinkt.openvpn' DNS, and the same TLS error.
Re: Unable to connect with Openvpn server (TLS Error)
Post by Traffic » Tue Apr 12, 2016 11:25 pm
Re: Unable to connect with Openvpn server (TLS Error)
Post by kelsini » Wed Apr 13, 2016 9:24 pm
cd /var/log/
dir
btmp faillog journal lastlog old openvpn.log pacman.log wtmp
I think you are asking for openvpn.log. Here it is:
Re: Unable to connect with Openvpn server (TLS Error)
Post by Traffic » Wed Apr 13, 2016 9:30 pm
Re: Unable to connect with Openvpn server (TLS Error)
Post by kelsini » Wed Apr 13, 2016 9:54 pm
Re: Unable to connect with Openvpn server (TLS Error)
Post by Traffic » Wed Apr 13, 2016 10:53 pm
This most probably means that you have corrupted your tls-auth ta.key while importing it to your phone .. or possibly imported the wrong file. Try again. Make sure the file is exactly the same.
FYI: you do not have to call the file ta.key .. you can rename it to anything more memorable.
Re: Unable to connect with Openvpn server (TLS Error)
Post by kelsini » Thu Apr 14, 2016 10:40 am
This most probably means that you have corrupted your tls-auth ta.key while importing it to your phone .. or possibly imported the wrong file. Try again. Make sure the file is exactly the same.
FYI: you do not have to call the file ta.key .. you can rename it to anything more memorable.
I have 2 folders where keys and certs are.
in /root/easy-rsa/keys/
01.pem dh2048.pem index.txt ipp.txt serial
02.pem homeserver.crt index.txt.attr kelsinni.crt serial.old
ca.crt homeserver.csr index.txt.attr.old kelsinni.csr ta.key
ca.key homeserver.key index.txt.old kelsinni.key
and in /etc/openvpn/certs/
ca.crt dh2048.pem homeserver.key
ca.key homeserver.crt ta.key
The keys that I copied to my android were the client certificate (kelsinni.crt), client certificate key (kelsinni.key) and the CA certificate (ca.crt), all located in /root/easy-rsa/keys/
The openvpn for android app only asks for these 3 files, CA certificate, Client certificate and Client certificate key; nothing about ta.key:
I'm going to copy the files to the android again.
Tls error cannot locate hmac in incoming packet from af inet
I set up an OpenVPN server. Windows and other clients connect fine, they all see the network and so on. At a remote site there is a Synology NVR; when I try to create a connection on it, it complains that there is no server or that the certificate has expired. Logs on the pfSense side: TLS Error: cannot locate HMAC in incoming packet from [AF_INET6]::ffff:
1. The Synology NVR does not support TLS authentication.
or
2. You have not configured TLS authentication on the Synology NVR.
On the client side this is the following line in the config:
tls-auth ta.key 1
ta.key is what pfSense shows as Key under Cryptographic Settings.
or
3. The auth directive does not match between client and server:
auth SHA1, auth SHA512, etc.
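The three causes listed in this reply (tls-auth missing or unconfigured on the client, auth digest mismatch) and the inline tls-auth block plus key-direction fix given in the GitHub thread at the top of the page are all pairings of server and client options that can be checked before the first connection attempt. The following Python script is an added example for this page, not OpenVPN code and not any poster's. It assumes the documented rules for --tls-auth, --key-direction and --auth: both sides use tls-auth or neither does; with explicit directions the server uses 0 and the client 1 (no direction on both sides, i.e. bidirectional use of the same key, is also valid); the auth digest defaults to SHA1 and must match. The sample configs are constructed.

```python
import re

# Constructed server config: tls-auth with direction 0 and SHA256 HMAC.
SERVER_CFG = """
port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key /etc/openvpn/pki/server.key
tls-auth /etc/openvpn/pki/ta.key 0
auth SHA256
cipher AES-256-CBC
"""

# Constructed client using the inline key block and key-direction 1,
# the form recommended in the GitHub thread.
CLIENT_OK = """
client
dev tun
proto udp
auth SHA256
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(contents of ta.key)
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""

# Constructed client with no tls-auth at all (cause 1/2 above).
CLIENT_NO_TA = "client\ndev tun\nproto udp\nauth SHA256\n"

# Constructed client with the server's direction and the default digest.
CLIENT_WRONG = "client\ndev tun\nproto udp\ntls-auth ta.key 0\n"


def parse_ovpn(text):
    """Extract the options relevant to control-channel HMAC from an OpenVPN config.

    Handles "tls-auth FILE [DIR]", the inline <tls-auth>...</tls-auth> block,
    "key-direction N" and "auth DIGEST". Comments (# or ;) and blanks are skipped.
    """
    opts = {"tls_auth": False, "key_direction": None, "auth": "SHA1"}  # SHA1: OpenVPN default
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                      # inside an inline block: look only for its end
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.match(r"<(\w[\w-]*)>$", line)
        if m:                             # start of an inline block
            in_block = m.group(1)
            if in_block == "tls-auth":
                opts["tls_auth"] = True
            continue
        key, *args = line.split()
        if key == "tls-auth":
            opts["tls_auth"] = True
            if len(args) >= 2 and args[1] in ("0", "1"):
                opts["key_direction"] = int(args[1])
        elif key == "key-direction" and args:
            opts["key_direction"] = int(args[0])
        elif key == "auth" and args:
            opts["auth"] = args[0].upper()
    return opts


def check_pair(server_cfg, client_cfg):
    """Return a list of problems; an empty list means the pair is consistent."""
    s, c = parse_ovpn(server_cfg), parse_ovpn(client_cfg)
    problems = []
    if s["tls_auth"] != c["tls_auth"]:
        side = "server" if s["tls_auth"] else "client"
        problems.append(f"tls-auth is enabled only on the {side}; the other side "
                        "cannot locate the HMAC in control-channel packets")
    elif s["tls_auth"]:
        sd, cd = s["key_direction"], c["key_direction"]
        valid = (sd is None and cd is None) or (sd == 0 and cd == 1)
        if not valid:
            problems.append(f"key direction mismatch: server={sd}, client={cd} "
                            "(expected server 0 / client 1, or no direction on both)")
    if s["auth"] != c["auth"]:
        problems.append(f"auth digest mismatch: server {s['auth']} vs client {c['auth']}")
    return problems


if __name__ == "__main__":
    for name, cfg in (("ok", CLIENT_OK), ("no-tls-auth", CLIENT_NO_TA), ("wrong", CLIENT_WRONG)):
        print(name, "->", check_pair(SERVER_CFG, cfg) or "consistent")
```

The check is deliberately limited to the options the thread names; a tls-crypt server against a tls-auth client produces the same "cannot locate HMAC" symptom and would need a parallel rule, and a key that was corrupted during import (the Android case later on this page) cannot be detected from the configs alone.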
https://serverfault.com/questions/194769/unable-to-logon-to-vpn
I'm new to this; could you help me put together the configuration file?
@Shuh:
I'm new to this; could you help me put together the configuration file?
Windows and other clients connect fine
Just take a working config from those clients as a base and edit it for the Synology NVR client.
Yes, I tried, but something isn't working. Well, I'll keep trying. Thanks in any case!!
Here is how I edited it; Synology complains that the parameters are invalid:
dev tun
proto udp
remote "server ip and port here" udp
resolv-retry infinite
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
verify-x509-name "MyVPN" name
auth-user-pass
pkcs12 pfSense-udp-1194-Video.p12
tls-auth pfSense-udp-1194-Video-tls.key 1
remote-cert-tls server
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
Synology complains that the parameters are invalid
Look for what exactly it doesn't like. Add to its config
verb 3
and look for errors in the log. Is the OpenVPN system log accessible on the Synology?
auth-user-pass
Where are the login and password entered?
https://habrahabr.ru/post/216197/
https://www.ogalik.ee/synology-dsm-4-openvpn-client/
Folks, help me, I can't figure it out, still the same error. Attaching the configuration file from the Synology:
dev tun
tls-client
remote ipserver 1194
pull
proto udp
up /usr/syno/etc.defaults/synovpnclient/scripts/ovpn-up
route-up /usr/syno/etc.defaults/synovpnclient/scripts/route-up
ca ca_o1517654907.crt
route-noexec
script-security 2
float
reneg-sec 0
explicit-exit-notify
plugin /lib/openvpn/openvpn-down-root.so /usr/syno/etc.defaults/synovpnclient/scripts/ip-down
auth-user-pass /tmp/ovpn_client_up