OpenVPN: "Authenticate/Decrypt packet error: packet HMAC authentication failed"
I am trying to configure my Raspberry Pi as an OpenVPN server on site B. For this setup, I require that the client configuration is stored in a single file, as it's going to be deployed on my Android phone. I don't want to mess with paths and so on: I'll beam the file via Bluetooth and zap!
The configuration is PKI-based. It is inspired by an existing VPN (commented out) of which the Raspy is the client (site B to site A). The "other" VPN can be enabled at any time but, again, it is currently commented out. I am trying this on Windows first before deploying on Android, especially because I can edit and rerun the configuration at any time, type fast with a keyboard and copy & paste stuff from the server, since I can always remote into it via ssh. On mobile, testing will take me a lot of time.
Server.conf
port 1194
proto udp
dev tun
ca /etc/ssl/vpn/ca.crt
cert /etc/ssl/vpn/raspy.crt
key /etc/ssl/vpn/raspy.key
dh /etc/ssl/vpn/dh2048.pem
key-direction 1
tls-auth /etc/ssl/vpn/ta.key 0 # This file is secret
cipher AES-256-CBC # AES
client-config-dir ccd
ifconfig-pool-persist ipp.txt
client-to-client
push "route 192.168.192.0 255.255.255.0 vpn_gateway"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /var/log
verb 6 # helps me troubleshoot
Client.conf
dev tun
proto udp
remote raspy.example.me 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
Matches the CA certificate deployed on server
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
This is the client certificate that I have signed with common CA
I assume this part of the setup is fine
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
Client private key
-----END RSA PRIVATE KEY-----
</key>
<dh>
-----BEGIN DH PARAMETERS-----
Matches the content of /etc/ssl/vpn/dh2048.pem
-----END DH PARAMETERS-----
</dh>
cipher AES-256-CBC
remote-cert-tls server
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
matches /etc/ssl/vpn/ta.key
-----END OpenVPN Static key V1-----
</tls-auth>
cipher AES-256-CBC
comp-lzo
log /var/log/openvpn.log
verb 6
I am confident that the certificates are set correctly, but in the meantime I will re-test them with OpenSSL to make sure the chain is fine.
When connecting, I see the following logs.
Server
Tue Jul 28 11:02:25 2020 us=457781 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Jul 28 11:02:25 2020 us=458025 TLS Error: incoming packet authentication failed from [AF_INET]xxx:46976
Tue Jul 28 11:02:27 2020 us=732637 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Jul 28 11:02:27 2020 us=732832 TLS Error: incoming packet authentication failed from [AF_INET]xxx:46976
Client
Tue Jul 28 11:02:25 2020 UDP WRITE [42] to [AF_INET]xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Tue Jul 28 11:02:29 2020 UDP WRITE [42] to [AF_INET]xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
Tue Jul 28 11:02:37 2020 UDP WRITE [42] to [AF_INET]xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
Tue Jul 28 11:02:53 2020 UDP WRITE [42] to [AF_INET]xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #5 ] [ ] pid=0 DATA len=0
What may be wrong in this setup? How should I fix this?
Research
I have found this topic, which claims to be solved:
bznelson wrote:
Mon Apr 09, 2018 10:52 pm
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
bznelson wrote:
Mon Apr 09, 2018 10:52 pm
<tls-crypt>
Ah yes, the tls-auth/tls-crypt, that's it! Thank you so much! I was running a 2.3 server, but I had initially installed 2.4 and I guess there was some cross pollination.
I'm running OpenVPN 2.4.0 on both hosts. I don't know how that linked thread may help me.
And in the same topic someone said about the error:
This usually means you have the wrong ta.key installed somewhere.
But I have checked three times. The keys are the same; the only difference is that one is in a file and one is inlined.
I have tried to completely remove the tls-auth from client and server. The error is fixed and I have the next error to care about. So, the above linked forum was correct: there is some mess between the two identical keys.
3 Answers
Both client and server configurations need to share the same cipher configuration. The line:
cipher AES-256-CBC
must be present on both.
In my case it was the authentication digest algorithm. pfSense had a more secure default than the server, so that had to be aligned. SHA-1 is the insecure default; SHA256 seems a better option.
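A consistency check for the directives the question and the two answers above turn on (the tls-auth key and its direction, cipher, auth), as an added example that is not from this thread. It parses a server config that references ta.key by path alongside a single-file client profile with an inline <tls-auth> block; the key bytes and configs in it are constructed, and /etc/ssl/vpn/ta.key is the path from the question.

```python
import re

# Inline <tag>...</tag> blocks, as used in a single-file client profile.
INLINE_RE = re.compile(r"<([\w-]+)>(.*?)</\1>", re.S)

def parse_ovpn(text, files=None):
    """Return (settings, tls_auth_key). settings: 'cipher', 'auth' (OpenVPN
    default SHA1) and the effective tls-auth 'direction' (0, 1 or None for
    bidirectional); as in OpenVPN, the last `key-direction N` or `tls-auth
    <file> N` seen wins. `files` maps a tls-auth path to its content."""
    files = files or {}
    inline = {m.group(1): m.group(2).strip() for m in INLINE_RE.finditer(text)}
    settings = {"cipher": None, "auth": "SHA1", "direction": None}
    key = inline.get("tls-auth")
    for raw in INLINE_RE.sub("", text).splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        name, *args = line.split()
        if name in ("cipher", "auth") and args:
            settings[name] = args[0]
        elif name == "key-direction" and args:
            settings["direction"] = int(args[0])
        elif name == "tls-auth" and args:
            key = files.get(args[0], key)
            if len(args) > 1:
                settings["direction"] = int(args[1])
    return settings, key

def check_pair(server_cfg, client_cfg, server_files=None):
    """List the mismatches that make control-channel HMAC checks fail."""
    s, skey = parse_ovpn(server_cfg, server_files)
    c, ckey = parse_ovpn(client_cfg)
    problems = []
    if (skey or "").strip() != (ckey or "").strip():
        problems.append("tls-auth key material differs")
    if {s["direction"], c["direction"]} not in ({0, 1}, {None}):
        problems.append(f"tls-auth direction: server={s['direction']} "
                        f"client={c['direction']} (need 0/1, or neither)")
    for k in ("cipher", "auth"):
        if s[k] != c[k]:
            problems.append(f"{k}: server={s[k]} client={c[k]}")
    return problems

# Constructed sample key and configs with the thread's layout (server: key file, client: inline block).
TA_KEY = "-----BEGIN OpenVPN Static key V1-----\n0123abcd\n-----END OpenVPN Static key V1-----"
SERVER = "cipher AES-256-CBC\nkey-direction 1\ntls-auth /etc/ssl/vpn/ta.key 0 # secret\n"
CLIENT = f"cipher AES-256-CBC\n<tls-auth>\n{TA_KEY}\n</tls-auth>\n"
```

Run `check_pair(SERVER, CLIENT, {"/etc/ssl/vpn/ta.key": TA_KEY})` to see the direction mismatch reported; prepending `key-direction 1` to CLIENT clears it.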
Maybe your ta.key generation was wrong.
openvpn --genkey tls-auth ta.key (this is wrong!)
Please refer to the official website.
screenshot: what tls-auth is used for
In my case, OpenVPN 2.5.4:
WARNING: Using --genkey --secret filename is DEPRECATED. Use --genkey secret filename instead.
openvpn --genkey secret ta.key
After adding the following config, it works.