`tls-crypt unwrap error: packet authentication failed` connection error for OpenVPN Server
• I am unable to set up the VPN server on my host using OpenVPN. Specifically, when connecting to the server, the connection fails with the error `tls-crypt unwrap error: packet authentication failed`. It looks like the TCP connection has been established, hence the port forwarding is working properly; however, the TLS is failing.
• I have configured the OpenVPN using PIVPN http://www.pivpn.io/
• firewalld is not running on the host, here are the running services:
● gateway
State: running
Jobs: 0 queued
Failed: 0 units
Since: Thu 1970-01-01 01:00:01 BST; 49 years 1 months ago
CGroup: /
+-user.slice
| +-user-1000.slice
| +-user@1000.service
| | +-init.scope
| | +-790 /lib/systemd/systemd --user
| | +-793 (sd-pam)
| +-session-c1.scope
| +- 785 sshd: pi [priv]
| +- 800 sshd: pi@pts/0
| +- 803 -bash
| +-1053 sudo systemctl status
| +-1057 systemctl status
+-init.scope
| +-1 /sbin/init
+-system.slice
+-systemd-timesyncd.service
| +-256 /lib/systemd/systemd-timesyncd
+-dbus.service
| +-303 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
+-hciuart.service
| +-505 /usr/bin/hciattach /dev/serial1 bcm43xx 3000000 flow - b8:27:eb:30:50:9d
+-ssh.service
| +-647 /usr/sbin/sshd -D
+-dnsmasq.service
| +-658 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,19036,8,2,49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5 --trust-anchor=.,20326,8,2,e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
+-avahi-daemon.service
| +-301 avahi-daemon: running [gateway.local]
| +-322 avahi-daemon: chroot helper
+-system-getty.slice
| +-getty@tty1.service
| +-644 /sbin/agetty --noclear tty1 linux
+-triggerhappy.service
| +-283 /usr/sbin/thd --triggers /etc/triggerhappy/triggers.d/ --socket /run/thd.socket --user nobody --deviceglob /dev/input/event*
+-system-openvpn.slice
| +-openvpn@server.service
| +-331 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid
+-systemd-logind.service
| +-281 /lib/systemd/systemd-logind
+-cron.service
| +-273 /usr/sbin/cron -f
+-apache2.service
| +-724 /usr/sbin/apache2 -k start
| +-726 /usr/sbin/apache2 -k start
| +-727 /usr/sbin/apache2 -k start
+-systemd-udevd.service
| +-131 /lib/systemd/systemd-udevd
+-rsyslog.service
| +-294 /usr/sbin/rsyslogd -n
+-bluetooth.service
| +-510 /usr/lib/bluetooth/bluetoothd
+-networking.service
| +-477 /sbin/wpa_supplicant -s -B -P /run/wpa_supplicant.wlan0.pid -i wlan0 -D nl80211,wext -C /run/wpa_supplicant
| +-576 /sbin/dhclient -4 -v -pf /run/dhclient.wlan0.pid -lf /var/lib/dhcp/dhclient.wlan0.leases -I -df /var/lib/dhcp/dhclient6.wlan0.leases wlan0
+-systemd-journald.service
| +-104 /lib/systemd/systemd-journald
+-ddclient.service
+-723 ddclient - sleeping for 170 seconds
• Here is my /etc/openvpn/server.conf file:
dev tun
proto tcp
port 1803
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_a6v9wsgyDAXuGevE.crt
key /etc/openvpn/easy-rsa/pki/private/server_a6v9wsgyDAXuGevE.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
• Here is the gateway.ovpn file:
client
dev tun
proto tcp
remote justbeforeyou.site 1803
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_ptHh8tHeqm2l12Ef name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIBoDCCAUWgAwIBAgIJAKmvGYkjVQ27MAoGCCqGSM49BAMCMBMxETAPBgNVBAMM
CENoYW5nZU1lMB4XDTE5MDIyNDEzMjQxMVoXDTI5MDIyMTEzMjQxMVowEzERMA8G
A1UEAwwIQ2hhbmdlTWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS1hhxgvsi5
BWUByCb6wlZ8KeDfmwzWys+Bi0L5BJZO3MHc4afD/rN/yyewpUFC9DMtk+N16Eua
hQ/uiDXRqdQ4o4GBMH8wHQYDVR0OBBYEFAzB+EbDlPPxkkOyKjbIfyJOHZqRMEMG
A1UdIwQ8MDqAFAzB+EbDlPPxkkOyKjbIfyJOHZqRoRekFTATMREwDwYDVQQDDAhD
aGFuZ2VNZYIJAKmvGYkjVQ27MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG
CCqGSM49BAMCA0kAMEYCIQC+6WedweAPFYN2wBvTRwuAgv/GXBfAoA+JfyLFxrJt
JQIhAOjMORWbIhWotZhmmbCUUxY79PqpI1UljP+dkNXGYVJk
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIBuDCCAV6gAwIBAgIQJTeTKuJG0J3dNMrLUmdNfzAKBggqhkjOPQQDAjATMREw
DwYDVQQDDAhDaGFuZ2VNZTAeFw0xOTAyMjQxNDA5NDJaFw0yOTAyMjExNDA5NDJa
MBIxEDAOBgNVBAMMB2dhdGV3YXkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASZ
waRXKwlI1QLjddDkR8fNjDkMwIQ3HfpSBaPZ4QUKB3Ao4+7RcFX64qj5850uRcS5
68XhwotUl9MyeACTP9jao4GUMIGRMAkGA1UdEwQCMAAwHQYDVR0OBBYEFMFgXgqG
46bo+2Q9s6t/xMhpKDxgMEMGA1UdIwQ8MDqAFAzB+EbDlPPxkkOyKjbIfyJOHZqR
oRekFTATMREwDwYDVQQDDAhDaGFuZ2VNZYIJAKmvGYkjVQ27MBMGA1UdJQQMMAoG
CCsGAQUFBwMCMAsGA1UdDwQEAwIHgDAKBggqhkjOPQQDAgNIADBFAiBOMRXxpfRZ
h4fLVKJ0UwuBmNz7pVm/enj3Ud/KT5I58AIhAMBK+l6ErDltdAdH9kcDxTd5Hu+u
uudxUvoc3sppC+KI
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHjME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAgiscLqF5wpUwICCAAw
DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQIuvME5ITiEmQEgZD7qoueBtcl2Zyj
glstxLbrECe1E6vO5lJ+38sMW3z++Hh1l7BFOu19N7jE0g+Zd7KlR3zHKhnGQBeh
/flGhCMHu1AXgpO3FyQt3VWhtZU/3Dn4J/sVCTkAsfkw5urqRTzHXHYYHDKXjNws
jXXRCDmMBmqLx0ItC+1Q8YFzY6OeVpwYalUWy4VgvH1jep15vfE=
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
fa267dd4652e50aab4d956757234f837
3be34b7ebfb068f157dbaf5791a8a5c7
99ba9800054ac411436b085d0279bac9
6766f1dc47fa5703ba0281c32a073fd4
e326caa0bf978e9a1aca071bb378c730
78571fb21038528e7f4de8bd638b0780
76b7203e53fd124b617b0f6a6f080c57
2318d1caab033c32749af7d6efb90d55
2a92ed0c436a52a6b82ba213a19cad62
a1ea0d2619c58b9b8736baf48d43681d
1f0edacf3424f472afe7cd4c51deb948
75bff3d0bad15a1814ea0400d74bf330
ee994d402f47af7ab51686ec05a3b879
521c782a2397a6b32806ad3af023fa73
11f22f53e8e22ebe4cb2c75f32a967ed
5cc8060012f772092e3eda93da3b1a14
-----END OpenVPN Static key V1-----
</tls-crypt>
OpenVPN GUI on the client is showing the following log:
Sun Feb 24 17:10:14 2019 MANAGEMENT: >STATE:1551024614,RECONNECTING,connection-reset,,,,,
Sun Feb 24 17:10:14 2019 Restart pause, 40 second(s)
Sun Feb 24 17:10:54 2019 MANAGEMENT: >STATE:1551024654,RESOLVE,,,,,,
Sun Feb 24 17:10:55 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]83.22.109.39:1803
Sun Feb 24 17:10:55 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Feb 24 17:10:55 2019 Attempting to establish TCP connection with [AF_INET]83.22.109.39:1803 [nonblock]
Sun Feb 24 17:10:55 2019 MANAGEMENT: >STATE:1551024655,TCP_CONNECT,,,,,,
Sun Feb 24 17:10:56 2019 TCP connection established with [AF_INET]83.22.109.39:1803
Sun Feb 24 17:10:56 2019 TCP_CLIENT link local: (not bound)
Sun Feb 24 17:10:56 2019 TCP_CLIENT link remote: [AF_INET]83.22.109.39:1803
Sun Feb 24 17:10:56 2019 MANAGEMENT: >STATE:1551024656,WAIT,,,,,,
Sun Feb 24 17:10:56 2019 Connection reset, restarting [0]
Sun Feb 24 17:10:56 2019 SIGUSR1[soft,connection-reset] received, process restarting
Sun Feb 24 17:10:56 2019 MANAGEMENT: >STATE:1551024656,RECONNECTING,connection-reset,,,,,
Sun Feb 24 17:10:56 2019 Restart pause, 80 second(s)
Sun Feb 24 17:12:16 2019 MANAGEMENT: >STATE:1551024736,RESOLVE,,,,,,
Sun Feb 24 17:12:16 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]83.22.109.39:1803
Sun Feb 24 17:12:16 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Feb 24 17:12:16 2019 Attempting to establish TCP connection with [AF_INET]83.22.109.39:1803 [nonblock]
Sun Feb 24 17:12:16 2019 MANAGEMENT: >STATE:1551024736,TCP_CONNECT,,,,,,
Sun Feb 24 17:12:17 2019 TCP connection established with [AF_INET]83.22.109.39:1803
Sun Feb 24 17:12:17 2019 TCP_CLIENT link local: (not bound)
Sun Feb 24 17:12:17 2019 TCP_CLIENT link remote: [AF_INET]83.22.109.39:1803
Sun Feb 24 17:12:17 2019 MANAGEMENT: >STATE:1551024737,WAIT,,,,,,
Sun Feb 24 17:12:17 2019 Connection reset, restarting [0]
Sun Feb 24 17:12:17 2019 SIGUSR1[soft,connection-reset] received, process restarting
Sun Feb 24 17:12:17 2019 MANAGEMENT: >STATE:1551024737,RECONNECTING,connection-reset,,,,,
/var/log/openvpn.log shows the following:
Feb 24 15:56:57 gateway ovpn-server[351]: TCP connection established with [AF_INET]5.173.40.158:18815
Feb 24 15:56:58 gateway ovpn-server[351]: 5.173.40.158:18815 TLS: Initial packet from [AF_INET]5.173.40.158:18815, sid=6c0e365a 728d1b9d
Feb 24 15:56:58 gateway ovpn-server[351]: 5.173.40.158:18815 tls-crypt unwrap error: packet authentication failed
Feb 24 15:56:58 gateway ovpn-server[351]: 5.173.40.158:18815 TLS Error: tls-crypt unwrapping failed from [AF_INET]5.173.40.158:18815
Feb 24 15:56:58 gateway ovpn-server[351]: 5.173.40.158:18815 Fatal TLS error (check_tls_errors_co), restarting
Feb 24 15:56:58 gateway ovpn-server[351]: 5.173.40.158:18815 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 24 16:01:59 gateway ovpn-server[351]: TCP connection established with [AF_INET]5.173.40.158:18788
Feb 24 16:02:00 gateway ovpn-server[351]: 5.173.40.158:18788 TLS: Initial packet from [AF_INET]5.173.40.158:18788, sid=d05afdfe 0af0a9b9
Feb 24 16:02:00 gateway ovpn-server[351]: 5.173.40.158:18788 tls-crypt unwrap error: packet authentication failed
Feb 24 16:02:00 gateway ovpn-server[351]: 5.173.40.158:18788 TLS Error: tls-crypt unwrapping failed from [AF_INET]5.173.40.158:18788
Feb 24 16:02:00 gateway ovpn-server[351]: 5.173.40.158:18788 Fatal TLS error (check_tls_errors_co), restarting
Feb 24 16:02:00 gateway ovpn-server[351]: 5.173.40.158:18788 SIGUSR1[soft,tls-error] received, client-instance restarting
Questions:
1) What does the `tls-crypt unwrap error: packet authentication failed` error message in openvpn.log mean? Is it related to some timeouts being set? How do I fix it, in order to be able to establish the connection from the OpenVPN client to the server?
tls linux openvpn
migrated from security.stackexchange.com 2 mins ago
This question came from our site for information security professionals.
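The diagnostic below is an added example for this question; it is not part of the original post and not PiVPN code. `tls-crypt` wraps every control-channel packet, including the very first one the client sends, in encryption plus an HMAC keyed with the pre-shared static key (`ta.key` on the server, the inline `<tls-crypt>` block in the profile). `packet authentication failed` means that HMAC did not verify on the server, i.e. the server's `ta.key` is not the key embedded in the profile; it is not a timeout, and it happens before any certificate is examined. The posted profile also pins `verify-x509-name server_ptHh8tHeqm2l12Ef` while the server loads `server_a6v9wsgyDAXuGevE.crt` (easy-rsa names the issued file after the certificate's CN), which suggests the profile was exported by a different PiVPN install than the one now serving, and a different install also means a different `ta.key`. The script compares the key material the two sides actually use and the pinned name against the server certificate's CN. The default paths are the PiVPN ones from the question; the sample key and profiles it writes when run without arguments are constructed for this example and are not real keys; the CN check needs `openssl`.

```sh
#!/bin/sh
# Added diagnostic for the posted configs (not from the question or PiVPN).
#   1. inline <tls-crypt> key vs. the server's ta.key: a mismatch fails the HMAC
#      on the first control packet -> "tls-crypt unwrap error: packet authentication failed"
#   2. name pinned by verify-x509-name vs. the server certificate's CN: only checked
#      once tls-crypt succeeds, but the posted profile pins a different name than the
#      server cert file, so it is the next trap

# extract_inline FILE TAG: body of an inline <TAG>...</TAG> block
extract_inline() {
    sed -n "/^<$2>/,/^<\/$2>/p" "$1" | sed '1d;$d'
}

# normalize_static_key: strip comment and blank lines so only key material is compared
normalize_static_key() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
}

# tls_crypt_key_matches CLIENT.OVPN SERVER_TA_KEY: true iff both carry the same key
tls_crypt_key_matches() {
    client_key=$(extract_inline "$1" tls-crypt | normalize_static_key)
    server_key=$(normalize_static_key < "$2")
    [ -n "$client_key" ] && [ "$client_key" = "$server_key" ]
}

# client_expected_name CLIENT.OVPN: the name the profile requires in the server cert
client_expected_name() {
    awk '$1 == "verify-x509-name" { print $2; exit }' "$1"
}

# server_cert_cn SERVER.CRT: CN of the server certificate (requires openssl)
server_cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# check_profile CLIENT.OVPN SERVER_TA_KEY SERVER.CRT: report both checks, 1 on any mismatch
check_profile() {
    rc=0
    if tls_crypt_key_matches "$1" "$2"; then
        echo "OK   tls-crypt key in $1 matches $2"
    else
        echo "FAIL tls-crypt key in $1 differs from $2 -> expect 'tls-crypt unwrap error'"
        rc=1
    fi
    want=$(client_expected_name "$1")
    have=$(server_cert_cn "$3")
    if [ -n "$want" ] && [ "$want" = "$have" ]; then
        echo "OK   verify-x509-name '$want' matches server cert CN"
    else
        echo "FAIL verify-x509-name '$want' but server cert CN is '$have'"
        rc=1
    fi
    return "$rc"
}

# make_sample DIR: constructed ta.key plus a matching and a mismatching profile
# (made-up key material for this example only, not real keys)
make_sample() {
    cat > "$1/ta.key" <<'EOF'
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
ffeeddccbbaa99887766554433221100
-----END OpenVPN Static key V1-----
EOF
    cat > "$1/good.ovpn" <<'EOF'
client
remote vpn.example.invalid 1803
verify-x509-name server_a6v9wsgyDAXuGevE name
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
ffeeddccbbaa99887766554433221100
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
    # profile exported from a different server install: one nibble of the key differs
    sed 's/^ffeedd/0feedd/' "$1/good.ovpn" > "$1/bad.ovpn"
}

if [ -n "${1:-}" ]; then
    # real run: sh check.sh client.ovpn [ta.key] [server.crt], PiVPN paths as defaults
    check_profile "$1" "${2:-/etc/openvpn/easy-rsa/pki/ta.key}" \
        "${3:-/etc/openvpn/easy-rsa/pki/issued/server_a6v9wsgyDAXuGevE.crt}"
else
    # no arguments: show the key check on the constructed sample
    dir=$(mktemp -d)
    make_sample "$dir"
    tls_crypt_key_matches "$dir/good.ovpn" "$dir/ta.key" && echo "good.ovpn: key matches ta.key"
    tls_crypt_key_matches "$dir/bad.ovpn" "$dir/ta.key" || echo "bad.ovpn: key differs -> 'tls-crypt unwrap error' on the server"
    rm -rf "$dir"
fi
```

Run it on the server as `sh check.sh gateway.ovpn` with the profile copied next to it. If the key check fails, re-export the profile from the server that is actually listening (with PiVPN, `pivpn add` on that host) rather than copying `ta.key` around by hand; the new profile then also carries the right `verify-x509-name`.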
• I am unable to set up the VPN server on my host, using OpenVPN, specifically, when connecting to the server, the connection is failing with an error tls-crypt unwrap error: packet authentication failed. It looks like the TCP connection has been established, hence, the port forwarding is working properly, however, the TLS is failing.
• I have configured the OpenVPN using PIVPN http://www.pivpn.io/
• firewalld is not running on the host, here are the running services:
Ï gateway
State: running
Jobs: 0 queued
Failed: 0 units
Since: Thu 1970-01-01 01:00:01 BST; 49 years 1 months ago
CGroup: /
+-user.slice
| +-user-1000.slice
| +-user@1000.service
| | +-init.scope
| | +-790 /lib/systemd/systemd --user
| | +-793 (sd-pam)
| +-session-c1.scope
| +- 785 sshd: pi [priv]
| +- 800 sshd: pi@pts/0
| +- 803 -bash
| +-1053 sudo systemctl status
| +-1057 systemctl status
+-init.scope
| +-1 /sbin/init
+-system.slice
+-systemd-timesyncd.service
| +-256 /lib/systemd/systemd-timesyncd
+-dbus.service
| +-303 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
+-hciuart.service
| +-505 /usr/bin/hciattach /dev/serial1 bcm43xx 3000000 flow - b8:27:eb:30:50:9d
+-ssh.service
| +-647 /usr/sbin/sshd -D
+-dnsmasq.service
| +-658 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,19036,8,2,49aac11d7b6f6446702e5
4a1607371607a1a41855200fd2ce1cdde32f24e8fb5 --trust-anchor=.,20326,8,2,e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
+-avahi-daemon.service
| +-301 avahi-daemon: running [gateway.local]
| +-322 avahi-daemon: chroot helper
+-system-getty.slice
| +-getty@tty1.service
| +-644 /sbin/agetty --noclear tty1 linux
+-triggerhappy.service
| +-283 /usr/sbin/thd --triggers /etc/triggerhappy/triggers.d/ --socket /run/thd.socket --user nobody --deviceglob /dev/input/event*
+-system-openvpn.slice
| +-openvpn@server.service
| +-331 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid
+-systemd-logind.service
| +-281 /lib/systemd/systemd-logind
+-cron.service
| +-273 /usr/sbin/cron -f
+-apache2.service
| +-724 /usr/sbin/apache2 -k start
| +-726 /usr/sbin/apache2 -k start
| +-727 /usr/sbin/apache2 -k start
+-systemd-udevd.service
| +-131 /lib/systemd/systemd-udevd
+-rsyslog.service
| +-294 /usr/sbin/rsyslogd -n
+-bluetooth.service
| +-510 /usr/lib/bluetooth/bluetoothd
+-networking.service
| +-477 /sbin/wpa_supplicant -s -B -P /run/wpa_supplicant.wlan0.pid -i wlan0 -D nl80211,wext -C /run/wpa_supplicant
| +-576 /sbin/dhclient -4 -v -pf /run/dhclient.wlan0.pid -lf /var/lib/dhcp/dhclient.wlan0.leases -I -df /var/lib/dhcp/dhclient6.wlan0.leases wlan0
+-systemd-journald.service
| +-104 /lib/systemd/systemd-journald
+-ddclient.service
+-723 ddclient - sleeping for 170 seconds
• Here is my /etc/openvpn/server.conf file:
dev tun
proto tcp
port 1803
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_a6v9wsgyDAXuGevE.crt
key /etc/openvpn/easy-rsa/pki/private/server_a6v9wsgyDAXuGevE.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
• Here is the gateway.ovpn file:
client
dev tun
proto tcp
remote justbeforeyou.site 1803
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_ptHh8tHeqm2l12Ef name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHjME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAgiscLqF5wpUwICCAAw
DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQIuvME5ITiEmQEgZD7qoueBtcl2Zyj
glstxLbrECe1E6vO5lJ+38sMW3z++Hh1l7BFOu19N7jE0g+Zd7KlR3zHKhnGQBeh
/flGhCMHu1AXgpO3FyQt3VWhtZU/3Dn4J/sVCTkAsfkw5urqRTzHXHYYHDKXjNws
jXXRCDmMBmqLx0ItC+1Q8YFzY6OeVpwYalUWy4VgvH1jep15vfE=
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
fa267dd4652e50aab4d956757234f837
3be34b7ebfb068f157dbaf5791a8a5c7
99ba9800054ac411436b085d0279bac9
6766f1dc47fa5703ba0281c32a073fd4
e326caa0bf978e9a1aca071bb378c730
78571fb21038528e7f4de8bd638b0780
76b7203e53fd124b617b0f6a6f080c57
2318d1caab033c32749af7d6efb90d55
2a92ed0c436a52a6b82ba213a19cad62
a1ea0d2619c58b9b8736baf48d43681d
1f0edacf3424f472afe7cd4c51deb948
75bff3d0bad15a1814ea0400d74bf330
ee994d402f47af7ab51686ec05a3b879
521c782a2397a6b32806ad3af023fa73
11f22f53e8e22ebe4cb2c75f32a967ed
5cc8060012f772092e3eda93da3b1a14
-----END OpenVPN Static key V1-----
</tls-crypt>
OpenVPN GUI on the client is showing the following log:
Sun Feb 24 17:10:14 2019 MANAGEMENT: >STATE:1551024614,RECONNECTING,connection-reset,,,,,
Sun Feb 24 17:10:14 2019 Restart pause, 40 second(s)
Sun Feb 24 17:10:54 2019 MANAGEMENT: >STATE:1551024654,RESOLVE,,,,,,
Sun Feb 24 17:10:55 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]83.22.109.39:1803
Sun Feb 24 17:10:55 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Feb 24 17:10:55 2019 Attempting to establish TCP connection with [AF_INET]83.22.109.39:1803 [nonblock]
Sun Feb 24 17:10:55 2019 MANAGEMENT: >STATE:1551024655,TCP_CONNECT,,,,,,
Sun Feb 24 17:10:56 2019 TCP connection established with [AF_INET]83.22.109.39:1803
Sun Feb 24 17:10:56 2019 TCP_CLIENT link local: (not bound)
Sun Feb 24 17:10:56 2019 TCP_CLIENT link remote: [AF_INET]83.22.109.39:1803
Sun Feb 24 17:10:56 2019 MANAGEMENT: >STATE:1551024656,WAIT,,,,,,
Sun Feb 24 17:10:56 2019 Connection reset, restarting [0]
Sun Feb 24 17:10:56 2019 SIGUSR1[soft,connection-reset] received, process restarting
Sun Feb 24 17:10:56 2019 MANAGEMENT: >STATE:1551024656,RECONNECTING,connection-reset,,,,,
Sun Feb 24 17:10:56 2019 Restart pause, 80 second(s)
Sun Feb 24 17:12:16 2019 MANAGEMENT: >STATE:1551024736,RESOLVE,,,,,,
Sun Feb 24 17:12:16 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]83.22.109.39:1803
Sun Feb 24 17:12:16 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Feb 24 17:12:16 2019 Attempting to establish TCP connection with [AF_INET]83.22.109.39:1803 [nonblock]
Sun Feb 24 17:12:16 2019 MANAGEMENT: >STATE:1551024736,TCP_CONNECT,,,,,,
Sun Feb 24 17:12:17 2019 TCP connection established with [AF_INET]83.22.109.39:1803
Sun Feb 24 17:12:17 2019 TCP_CLIENT link local: (not bound)
Sun Feb 24 17:12:17 2019 TCP_CLIENT link remote: [AF_INET]83.22.109.39:1803
Sun Feb 24 17:12:17 2019 MANAGEMENT: >STATE:1551024737,WAIT,,,,,,
Sun Feb 24 17:12:17 2019 Connection reset, restarting [0]
Sun Feb 24 17:12:17 2019 SIGUSR1[soft,connection-reset] received, process restarting
Sun Feb 24 17:12:17 2019 MANAGEMENT: >STATE:1551024737,RECONNECTING,connection-reset,,,,,
/var/log/openvpn.log showing the following:
Feb 24 15:56:57 gateway ovpn-server[351]: TCP connection established with [AF_INET]5.173.40.158:18815
Feb 24 15:56:58 gateway ovpn-server[351]: 5.173.40.158:18815 TLS: Initial packet from [AF_INET]5.173.40.158:18815, sid=6c0e365a 728d1b9d
Feb 24 15:56:58 gateway ovpn-server[351]: 5.173.40.158:18815 tls-crypt unwrap error: packet authentication failed
Feb 24 15:56:58 gateway ovpn-server[351]: 5.173.40.158:18815 TLS Error: tls-crypt unwrapping failed from [AF_INET]5.173.40.158:18815
Feb 24 15:56:58 gateway ovpn-server[351]: 5.173.40.158:18815 Fatal TLS error (check_tls_errors_co), restarting
Feb 24 15:56:58 gateway ovpn-server[351]: 5.173.40.158:18815 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 24 16:01:59 gateway ovpn-server[351]: TCP connection established with [AF_INET]5.173.40.158:18788
Feb 24 16:02:00 gateway ovpn-server[351]: 5.173.40.158:18788 TLS: Initial packet from [AF_INET]5.173.40.158:18788, sid=d05afdfe 0af0a9b9
Feb 24 16:02:00 gateway ovpn-server[351]: 5.173.40.158:18788 tls-crypt unwrap error: packet authentication failed
Feb 24 16:02:00 gateway ovpn-server[351]: 5.173.40.158:18788 TLS Error: tls-crypt unwrapping failed from [AF_INET]5.173.40.158:18788
Feb 24 16:02:00 gateway ovpn-server[351]: 5.173.40.158:18788 Fatal TLS error (check_tls_errors_co), restarting
Feb 24 16:02:00 gateway ovpn-server[351]: 5.173.40.158:18788 SIGUSR1[soft,tls-error] received, client-instance restarting
Questions:
1) What does mean tls-crypt unwrap error: packet authentication failed error message in the openvpn.log? Is it related to some timeouts being set? How to fix it, in order to be able to establish the connection from OpenVPN client to the server?
tls linux openvpn
migrated from security.stackexchange.com 2 mins ago
This question came from our site for information security professionals.
add a comment |
• I am unable to set up the VPN server on my host, using OpenVPN, specifically, when connecting to the server, the connection is failing with an error tls-crypt unwrap error: packet authentication failed. It looks like the TCP connection has been established, hence, the port forwarding is working properly, however, the TLS is failing.
• I have configured the OpenVPN using PIVPN http://www.pivpn.io/
• firewalld is not running on the host, here are the running services:
Ï gateway
State: running
Jobs: 0 queued
Failed: 0 units
Since: Thu 1970-01-01 01:00:01 BST; 49 years 1 months ago
CGroup: /
+-user.slice
| +-user-1000.slice
| +-user@1000.service
| | +-init.scope
| | +-790 /lib/systemd/systemd --user
| | +-793 (sd-pam)
| +-session-c1.scope
| +- 785 sshd: pi [priv]
| +- 800 sshd: pi@pts/0
| +- 803 -bash
| +-1053 sudo systemctl status
| +-1057 systemctl status
+-init.scope
| +-1 /sbin/init
+-system.slice
+-systemd-timesyncd.service
| +-256 /lib/systemd/systemd-timesyncd
+-dbus.service
| +-303 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
+-hciuart.service
| +-505 /usr/bin/hciattach /dev/serial1 bcm43xx 3000000 flow - b8:27:eb:30:50:9d
+-ssh.service
| +-647 /usr/sbin/sshd -D
+-dnsmasq.service
| +-658 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,19036,8,2,49aac11d7b6f6446702e5
4a1607371607a1a41855200fd2ce1cdde32f24e8fb5 --trust-anchor=.,20326,8,2,e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
+-avahi-daemon.service
| +-301 avahi-daemon: running [gateway.local]
| +-322 avahi-daemon: chroot helper
+-system-getty.slice
| +-getty@tty1.service
| +-644 /sbin/agetty --noclear tty1 linux
+-triggerhappy.service
| +-283 /usr/sbin/thd --triggers /etc/triggerhappy/triggers.d/ --socket /run/thd.socket --user nobody --deviceglob /dev/input/event*
+-system-openvpn.slice
| +-openvpn@server.service
| +-331 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid
+-systemd-logind.service
| +-281 /lib/systemd/systemd-logind
+-cron.service
| +-273 /usr/sbin/cron -f
+-apache2.service
| +-724 /usr/sbin/apache2 -k start
| +-726 /usr/sbin/apache2 -k start
| +-727 /usr/sbin/apache2 -k start
+-systemd-udevd.service
| +-131 /lib/systemd/systemd-udevd
+-rsyslog.service
| +-294 /usr/sbin/rsyslogd -n
+-bluetooth.service
| +-510 /usr/lib/bluetooth/bluetoothd
+-networking.service
| +-477 /sbin/wpa_supplicant -s -B -P /run/wpa_supplicant.wlan0.pid -i wlan0 -D nl80211,wext -C /run/wpa_supplicant
| +-576 /sbin/dhclient -4 -v -pf /run/dhclient.wlan0.pid -lf /var/lib/dhcp/dhclient.wlan0.leases -I -df /var/lib/dhcp/dhclient6.wlan0.leases wlan0
+-systemd-journald.service
| +-104 /lib/systemd/systemd-journald
+-ddclient.service
+-723 ddclient - sleeping for 170 seconds
• Here is my /etc/openvpn/server.conf file:
dev tun
proto tcp
port 1803
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_a6v9wsgyDAXuGevE.crt
key /etc/openvpn/easy-rsa/pki/private/server_a6v9wsgyDAXuGevE.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
• Here is the gateway.ovpn file:
client
dev tun
proto tcp
remote justbeforeyou.site 1803
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_ptHh8tHeqm2l12Ef name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIBoDCCAUWgAwIBAgIJAKmvGYkjVQ27MAoGCCqGSM49BAMCMBMxETAPBgNVBAMM
CENoYW5nZU1lMB4XDTE5MDIyNDEzMjQxMVoXDTI5MDIyMTEzMjQxMVowEzERMA8G
A1UEAwwIQ2hhbmdlTWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS1hhxgvsi5
BWUByCb6wlZ8KeDfmwzWys+Bi0L5BJZO3MHc4afD/rN/yyewpUFC9DMtk+N16Eua
hQ/uiDXRqdQ4o4GBMH8wHQYDVR0OBBYEFAzB+EbDlPPxkkOyKjbIfyJOHZqRMEMG
A1UdIwQ8MDqAFAzB+EbDlPPxkkOyKjbIfyJOHZqRoRekFTATMREwDwYDVQQDDAhD
aGFuZ2VNZYIJAKmvGYkjVQ27MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG
CCqGSM49BAMCA0kAMEYCIQC+6WedweAPFYN2wBvTRwuAgv/GXBfAoA+JfyLFxrJt
JQIhAOjMORWbIhWotZhmmbCUUxY79PqpI1UljP+dkNXGYVJk
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIBuDCCAV6gAwIBAgIQJTeTKuJG0J3dNMrLUmdNfzAKBggqhkjOPQQDAjATMREw
DwYDVQQDDAhDaGFuZ2VNZTAeFw0xOTAyMjQxNDA5NDJaFw0yOTAyMjExNDA5NDJa
MBIxEDAOBgNVBAMMB2dhdGV3YXkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASZ
waRXKwlI1QLjddDkR8fNjDkMwIQ3HfpSBaPZ4QUKB3Ao4+7RcFX64qj5850uRcS5
68XhwotUl9MyeACTP9jao4GUMIGRMAkGA1UdEwQCMAAwHQYDVR0OBBYEFMFgXgqG
46bo+2Q9s6t/xMhpKDxgMEMGA1UdIwQ8MDqAFAzB+EbDlPPxkkOyKjbIfyJOHZqR
oRekFTATMREwDwYDVQQDDAhDaGFuZ2VNZYIJAKmvGYkjVQ27MBMGA1UdJQQMMAoG
CCsGAQUFBwMCMAsGA1UdDwQEAwIHgDAKBggqhkjOPQQDAgNIADBFAiBOMRXxpfRZ
h4fLVKJ0UwuBmNz7pVm/enj3Ud/KT5I58AIhAMBK+l6ErDltdAdH9kcDxTd5Hu+u
uudxUvoc3sppC+KI
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHjME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAgiscLqF5wpUwICCAAw
DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQIuvME5ITiEmQEgZD7qoueBtcl2Zyj
glstxLbrECe1E6vO5lJ+38sMW3z++Hh1l7BFOu19N7jE0g+Zd7KlR3zHKhnGQBeh
/flGhCMHu1AXgpO3FyQt3VWhtZU/3Dn4J/sVCTkAsfkw5urqRTzHXHYYHDKXjNws
jXXRCDmMBmqLx0ItC+1Q8YFzY6OeVpwYalUWy4VgvH1jep15vfE=
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
fa267dd4652e50aab4d956757234f837
3be34b7ebfb068f157dbaf5791a8a5c7
99ba9800054ac411436b085d0279bac9
6766f1dc47fa5703ba0281c32a073fd4
e326caa0bf978e9a1aca071bb378c730
78571fb21038528e7f4de8bd638b0780
76b7203e53fd124b617b0f6a6f080c57
2318d1caab033c32749af7d6efb90d55
2a92ed0c436a52a6b82ba213a19cad62
a1ea0d2619c58b9b8736baf48d43681d
1f0edacf3424f472afe7cd4c51deb948
75bff3d0bad15a1814ea0400d74bf330
ee994d402f47af7ab51686ec05a3b879
521c782a2397a6b32806ad3af023fa73
11f22f53e8e22ebe4cb2c75f32a967ed
5cc8060012f772092e3eda93da3b1a14
-----END OpenVPN Static key V1-----
</tls-crypt>
OpenVPN GUI on the client is showing the following log:
Sun Feb 24 17:10:14 2019 MANAGEMENT: >STATE:1551024614,RECONNECTING,connection-reset,,,,,
Sun Feb 24 17:10:14 2019 Restart pause, 40 second(s)
Sun Feb 24 17:10:54 2019 MANAGEMENT: >STATE:1551024654,RESOLVE,,,,,,
Sun Feb 24 17:10:55 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]83.22.109.39:1803
Sun Feb 24 17:10:55 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Feb 24 17:10:55 2019 Attempting to establish TCP connection with [AF_INET]83.22.109.39:1803 [nonblock]
Sun Feb 24 17:10:55 2019 MANAGEMENT: >STATE:1551024655,TCP_CONNECT,,,,,,
Sun Feb 24 17:10:56 2019 TCP connection established with [AF_INET]83.22.109.39:1803
Sun Feb 24 17:10:56 2019 TCP_CLIENT link local: (not bound)
Sun Feb 24 17:10:56 2019 TCP_CLIENT link remote: [AF_INET]83.22.109.39:1803
Sun Feb 24 17:10:56 2019 MANAGEMENT: >STATE:1551024656,WAIT,,,,,,
Sun Feb 24 17:10:56 2019 Connection reset, restarting [0]
Sun Feb 24 17:10:56 2019 SIGUSR1[soft,connection-reset] received, process restarting
Sun Feb 24 17:10:56 2019 MANAGEMENT: >STATE:1551024656,RECONNECTING,connection-reset,,,,,
Sun Feb 24 17:10:56 2019 Restart pause, 80 second(s)
Sun Feb 24 17:12:16 2019 MANAGEMENT: >STATE:1551024736,RESOLVE,,,,,,
Sun Feb 24 17:12:16 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]83.22.109.39:1803
Sun Feb 24 17:12:16 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Feb 24 17:12:16 2019 Attempting to establish TCP connection with [AF_INET]83.22.109.39:1803 [nonblock]
Sun Feb 24 17:12:16 2019 MANAGEMENT: >STATE:1551024736,TCP_CONNECT,,,,,,
Sun Feb 24 17:12:17 2019 TCP connection established with [AF_INET]83.22.109.39:1803
Sun Feb 24 17:12:17 2019 TCP_CLIENT link local: (not bound)
Sun Feb 24 17:12:17 2019 TCP_CLIENT link remote: [AF_INET]83.22.109.39:1803
• I am unable to set up a VPN server on my host using OpenVPN. Specifically, when connecting to the server, the connection fails with the error tls-crypt unwrap error: packet authentication failed. It looks like the TCP connection is established, hence port forwarding is working properly, but the TLS is failing.
• I have configured OpenVPN using PiVPN http://www.pivpn.io/
• firewalld is not running on the host; here are the running services:
● gateway
State: running
Jobs: 0 queued
Failed: 0 units
Since: Thu 1970-01-01 01:00:01 BST; 49 years 1 months ago
CGroup: /
+-user.slice
| +-user-1000.slice
| +-user@1000.service
| | +-init.scope
| | +-790 /lib/systemd/systemd --user
| | +-793 (sd-pam)
| +-session-c1.scope
| +- 785 sshd: pi [priv]
| +- 800 sshd: pi@pts/0
| +- 803 -bash
| +-1053 sudo systemctl status
| +-1057 systemctl status
+-init.scope
| +-1 /sbin/init
+-system.slice
+-systemd-timesyncd.service
| +-256 /lib/systemd/systemd-timesyncd
+-dbus.service
| +-303 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
+-hciuart.service
| +-505 /usr/bin/hciattach /dev/serial1 bcm43xx 3000000 flow - b8:27:eb:30:50:9d
+-ssh.service
| +-647 /usr/sbin/sshd -D
+-dnsmasq.service
| +-658 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,19036,8,2,49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5 --trust-anchor=.,20326,8,2,e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
+-avahi-daemon.service
| +-301 avahi-daemon: running [gateway.local]
| +-322 avahi-daemon: chroot helper
+-system-getty.slice
| +-getty@tty1.service
| +-644 /sbin/agetty --noclear tty1 linux
+-triggerhappy.service
| +-283 /usr/sbin/thd --triggers /etc/triggerhappy/triggers.d/ --socket /run/thd.socket --user nobody --deviceglob /dev/input/event*
+-system-openvpn.slice
| +-openvpn@server.service
| +-331 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid
+-systemd-logind.service
| +-281 /lib/systemd/systemd-logind
+-cron.service
| +-273 /usr/sbin/cron -f
+-apache2.service
| +-724 /usr/sbin/apache2 -k start
| +-726 /usr/sbin/apache2 -k start
| +-727 /usr/sbin/apache2 -k start
+-systemd-udevd.service
| +-131 /lib/systemd/systemd-udevd
+-rsyslog.service
| +-294 /usr/sbin/rsyslogd -n
+-bluetooth.service
| +-510 /usr/lib/bluetooth/bluetoothd
+-networking.service
| +-477 /sbin/wpa_supplicant -s -B -P /run/wpa_supplicant.wlan0.pid -i wlan0 -D nl80211,wext -C /run/wpa_supplicant
| +-576 /sbin/dhclient -4 -v -pf /run/dhclient.wlan0.pid -lf /var/lib/dhcp/dhclient.wlan0.leases -I -df /var/lib/dhcp/dhclient6.wlan0.leases wlan0
+-systemd-journald.service
| +-104 /lib/systemd/systemd-journald
+-ddclient.service
+-723 ddclient - sleeping for 170 seconds
• Here is my /etc/openvpn/server.conf file:
dev tun
proto tcp
port 1803
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_a6v9wsgyDAXuGevE.crt
key /etc/openvpn/easy-rsa/pki/private/server_a6v9wsgyDAXuGevE.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
• Here is the gateway.ovpn file:
client
dev tun
proto tcp
remote justbeforeyou.site 1803
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_ptHh8tHeqm2l12Ef name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIBoDCCAUWgAwIBAgIJAKmvGYkjVQ27MAoGCCqGSM49BAMCMBMxETAPBgNVBAMM
CENoYW5nZU1lMB4XDTE5MDIyNDEzMjQxMVoXDTI5MDIyMTEzMjQxMVowEzERMA8G
A1UEAwwIQ2hhbmdlTWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS1hhxgvsi5
BWUByCb6wlZ8KeDfmwzWys+Bi0L5BJZO3MHc4afD/rN/yyewpUFC9DMtk+N16Eua
hQ/uiDXRqdQ4o4GBMH8wHQYDVR0OBBYEFAzB+EbDlPPxkkOyKjbIfyJOHZqRMEMG
A1UdIwQ8MDqAFAzB+EbDlPPxkkOyKjbIfyJOHZqRoRekFTATMREwDwYDVQQDDAhD
aGFuZ2VNZYIJAKmvGYkjVQ27MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG
CCqGSM49BAMCA0kAMEYCIQC+6WedweAPFYN2wBvTRwuAgv/GXBfAoA+JfyLFxrJt
JQIhAOjMORWbIhWotZhmmbCUUxY79PqpI1UljP+dkNXGYVJk
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHjME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAgiscLqF5wpUwICCAAw
DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQIuvME5ITiEmQEgZD7qoueBtcl2Zyj
glstxLbrECe1E6vO5lJ+38sMW3z++Hh1l7BFOu19N7jE0g+Zd7KlR3zHKhnGQBeh
/flGhCMHu1AXgpO3FyQt3VWhtZU/3Dn4J/sVCTkAsfkw5urqRTzHXHYYHDKXjNws
jXXRCDmMBmqLx0ItC+1Q8YFzY6OeVpwYalUWy4VgvH1jep15vfE=
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
fa267dd4652e50aab4d956757234f837
3be34b7ebfb068f157dbaf5791a8a5c7
99ba9800054ac411436b085d0279bac9
6766f1dc47fa5703ba0281c32a073fd4
e326caa0bf978e9a1aca071bb378c730
78571fb21038528e7f4de8bd638b0780
76b7203e53fd124b617b0f6a6f080c57
2318d1caab033c32749af7d6efb90d55
2a92ed0c436a52a6b82ba213a19cad62
a1ea0d2619c58b9b8736baf48d43681d
1f0edacf3424f472afe7cd4c51deb948
75bff3d0bad15a1814ea0400d74bf330
ee994d402f47af7ab51686ec05a3b879
521c782a2397a6b32806ad3af023fa73
11f22f53e8e22ebe4cb2c75f32a967ed
5cc8060012f772092e3eda93da3b1a14
-----END OpenVPN Static key V1-----
</tls-crypt>
OpenVPN GUI on the client shows the following log:
Sun Feb 24 17:10:14 2019 MANAGEMENT: >STATE:1551024614,RECONNECTING,connection-reset,,,,,
Sun Feb 24 17:10:14 2019 Restart pause, 40 second(s)
Sun Feb 24 17:10:54 2019 MANAGEMENT: >STATE:1551024654,RESOLVE,,,,,,
Sun Feb 24 17:10:55 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]83.22.109.39:1803
Sun Feb 24 17:10:55 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Feb 24 17:10:55 2019 Attempting to establish TCP connection with [AF_INET]83.22.109.39:1803 [nonblock]
Sun Feb 24 17:10:55 2019 MANAGEMENT: >STATE:1551024655,TCP_CONNECT,,,,,,
Sun Feb 24 17:10:56 2019 TCP connection established with [AF_INET]83.22.109.39:1803
Sun Feb 24 17:10:56 2019 TCP_CLIENT link local: (not bound)
Sun Feb 24 17:10:56 2019 TCP_CLIENT link remote: [AF_INET]83.22.109.39:1803
Sun Feb 24 17:10:56 2019 MANAGEMENT: >STATE:1551024656,WAIT,,,,,,
Sun Feb 24 17:10:56 2019 Connection reset, restarting [0]
Sun Feb 24 17:10:56 2019 SIGUSR1[soft,connection-reset] received, process restarting
Sun Feb 24 17:10:56 2019 MANAGEMENT: >STATE:1551024656,RECONNECTING,connection-reset,,,,,
Sun Feb 24 17:10:56 2019 Restart pause, 80 second(s)
Sun Feb 24 17:12:16 2019 MANAGEMENT: >STATE:1551024736,RESOLVE,,,,,,
Sun Feb 24 17:12:16 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]83.22.109.39:1803
Sun Feb 24 17:12:16 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Feb 24 17:12:16 2019 Attempting to establish TCP connection with [AF_INET]83.22.109.39:1803 [nonblock]
Sun Feb 24 17:12:16 2019 MANAGEMENT: >STATE:1551024736,TCP_CONNECT,,,,,,
Sun Feb 24 17:12:17 2019 TCP connection established with [AF_INET]83.22.109.39:1803
Sun Feb 24 17:12:17 2019 TCP_CLIENT link local: (not bound)
Sun Feb 24 17:12:17 2019 TCP_CLIENT link remote: [AF_INET]83.22.109.39:1803
Sun Feb 24 17:12:17 2019 MANAGEMENT: >STATE:1551024737,WAIT,,,,,,
Sun Feb 24 17:12:17 2019 Connection reset, restarting [0]
Sun Feb 24 17:12:17 2019 SIGUSR1[soft,connection-reset] received, process restarting
Sun Feb 24 17:12:17 2019 MANAGEMENT: >STATE:1551024737,RECONNECTING,connection-reset,,,,,
/var/log/openvpn.log shows the following:
Feb 24 15:56:57 gateway ovpn-server[351]: TCP connection established with [AF_INET]5.173.40.158:18815
Feb 24 15:56:58 gateway ovpn-server[351]: 5.173.40.158:18815 TLS: Initial packet from [AF_INET]5.173.40.158:18815, sid=6c0e365a 728d1b9d
Feb 24 15:56:58 gateway ovpn-server[351]: 5.173.40.158:18815 tls-crypt unwrap error: packet authentication failed
Feb 24 15:56:58 gateway ovpn-server[351]: 5.173.40.158:18815 TLS Error: tls-crypt unwrapping failed from [AF_INET]5.173.40.158:18815
Feb 24 15:56:58 gateway ovpn-server[351]: 5.173.40.158:18815 Fatal TLS error (check_tls_errors_co), restarting
Feb 24 15:56:58 gateway ovpn-server[351]: 5.173.40.158:18815 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 24 16:01:59 gateway ovpn-server[351]: TCP connection established with [AF_INET]5.173.40.158:18788
Feb 24 16:02:00 gateway ovpn-server[351]: 5.173.40.158:18788 TLS: Initial packet from [AF_INET]5.173.40.158:18788, sid=d05afdfe 0af0a9b9
Feb 24 16:02:00 gateway ovpn-server[351]: 5.173.40.158:18788 tls-crypt unwrap error: packet authentication failed
Feb 24 16:02:00 gateway ovpn-server[351]: 5.173.40.158:18788 TLS Error: tls-crypt unwrapping failed from [AF_INET]5.173.40.158:18788
Feb 24 16:02:00 gateway ovpn-server[351]: 5.173.40.158:18788 Fatal TLS error (check_tls_errors_co), restarting
Feb 24 16:02:00 gateway ovpn-server[351]: 5.173.40.158:18788 SIGUSR1[soft,tls-error] received, client-instance restarting
Questions:
1) What does the tls-crypt unwrap error: packet authentication failed error message in openvpn.log mean? Is it related to some timeouts being set? How can I fix it, so that the OpenVPN client can establish the connection to the server?
tls linux openvpn
asked yesterday
readonly
1
migrated from security.stackexchange.com 2 mins ago
This question came from our site for information security professionals.
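The server log above fails on the very first control-channel packet: "TLS: Initial packet" is immediately followed by "tls-crypt unwrap error: packet authentication failed". That message is OpenVPN reporting that the HMAC on the incoming tls-crypt packet did not verify under the server's key, which happens before any TLS handshake and before any timeout can matter; it means the key the client wraps its packets with is not the server's ta.key (or the client is not using tls-crypt at all). The posted gateway.ovpn also pins verify-x509-name server_ptHh8tHeqm2l12Ef while the server certificate on the page is server_a6v9wsgyDAXuGevE, which is consistent with the client profile having been generated for a different server install, so the embedded key is the first thing to compare. The script below is an added example, not code from the original post or from PiVPN: it extracts the static key from a bare ta.key and from the <tls-crypt> block of an inline .ovpn, compares the two, and prints a short SHA-256 fingerprint so both ends can be compared out of band without copying the secret. The files it builds are constructed placeholders, not real key material; the /etc/openvpn/easy-rsa/pki/ta.key path in the comments is the one from the posted server.conf.

```shell
#!/bin/sh
# Added example, not part of the original post: compare the tls-crypt key a
# client carries inline in its .ovpn with the server's ta.key. OpenVPN's
# "tls-crypt unwrap error: packet authentication failed" means the HMAC on
# the client's first control-channel packet did not verify under the
# server's key, so the two keys differ (or the client is not using tls-crypt).
# The sample files built below are constructed placeholders, not real keys.
set -eu

# Extract the 512 hex digits of an "OpenVPN Static key V1" block, from either
# a bare ta.key file or a <tls-crypt> block inside an inline .ovpn.
# BEGIN/END markers, '#' comment lines and whitespace are discarded.
static_key_hex() {
    sed -n '/-----BEGIN OpenVPN Static key V1-----/,/-----END OpenVPN Static key V1-----/p' "$1" \
        | grep -v -- '-----' | grep -v '^#' | tr -d ' \t\r\n'
}

# Short SHA-256 fingerprint of the key, so two hosts can compare keys out of
# band without moving the secret itself. Prints "no-key" if none is found.
key_fingerprint() {
    hex=$(static_key_hex "$1")
    [ -n "$hex" ] || { echo "no-key"; return 0; }
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$hex" | sha256sum | cut -c1-16
    else
        printf '%s' "$hex" | shasum -a 256 | cut -c1-16
    fi
}

# Exit 0 when both files carry the same well-formed 2048-bit key, 1 otherwise.
tls_crypt_keys_match() {
    a=$(static_key_hex "$1")
    b=$(static_key_hex "$2")
    [ "${#a}" -eq 512 ] && [ "$a" = "$b" ]
}

# --- constructed sample inputs (placeholder hex, not real key material) ---
tmp=$(mktemp -d)
write_static_key() {   # $1 = output file, $2 = hex digit used to fill 16 lines of 32
    {
        echo '-----BEGIN OpenVPN Static key V1-----'
        i=0
        while [ "$i" -lt 16 ]; do printf '%032d\n' 0 | tr 0 "$2"; i=$((i + 1)); done
        echo '-----END OpenVPN Static key V1-----'
    } > "$1"
}
write_static_key "$tmp/ta.key" a          # stands in for /etc/openvpn/easy-rsa/pki/ta.key
{ echo 'client'; echo 'proto tcp'; echo '<tls-crypt>'; echo '#'
  echo '# 2048 bit OpenVPN static key'; echo '#'
  cat "$tmp/ta.key"; echo '</tls-crypt>'; } > "$tmp/client-same.ovpn"
write_static_key "$tmp/other.key" b       # key from a different server install
{ echo 'client'; echo '<tls-crypt>'; cat "$tmp/other.key"; echo '</tls-crypt>'; } > "$tmp/client-other.ovpn"

# Usage on the server: tls_crypt_keys_match /etc/openvpn/easy-rsa/pki/ta.key gateway.ovpn
for ovpn in "$tmp/client-same.ovpn" "$tmp/client-other.ovpn"; do
    if tls_crypt_keys_match "$tmp/ta.key" "$ovpn"; then
        echo "$(basename "$ovpn"): tls-crypt key matches ta.key ($(key_fingerprint "$ovpn"))"
    else
        echo "$(basename "$ovpn"): tls-crypt key MISMATCH ($(key_fingerprint "$ovpn") vs $(key_fingerprint "$tmp/ta.key"))"
    fi
done
```

On the Pi, source the functions and run tls_crypt_keys_match against the server's ta.key and the .ovpn handed to the Windows client; if the fingerprints differ, regenerate the client profile from the current server (PiVPN's pivpn add) rather than changing keepalive or any other timeout, since the failure occurs before the handshake those timers govern.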