OpenWRT LEDE - TLS Error: tls-crypt unwrapping failed from
-
- OpenVPN User
- Posts: 22
- Joined: Sun Jun 03, 2012 11:14 am
OpenWRT LEDE - TLS Error: tls-crypt unwrapping failed from
Tue Jan 10 00:31:14 2017 tls-crypt unwrap error: packet too short
Tue Jan 10 00:31:14 2017 TLS Error: tls-crypt unwrapping failed from [AF_INET6]::ffff:93.245.255.104:55912
How to fix this error?
OpenVPN 2.4.0 windows (server)
and
OpenVPN 2.4.0 Linux (openWRT/DD-wrt/LEDE they all have the same message) as client
windows - windows client I don't see this error
linux - linux I don't see it either.
windows server - linux client = error message..
how to fix it.
-
- OpenVPN User
- Posts: 22
- Joined: Sun Jun 03, 2012 11:14 am
Re: TLS Error: tls-crypt unwrapping failed from
ehm.. I know reverting back to tls-auth solves this error message, but that's not what I'm asking really although it fixes the error..
I do want to use the tls-crypt but working LOL
-
- OpenVPN User
- Posts: 22
- Joined: Sun Jun 03, 2012 11:14 am
Re: TLS Error: tls-crypt unwrapping failed from
never mind.. although I ./scripts/feeds update -a
and ./scripts/feeds install -a
then I did make and it did show 2.4.0 in the GUI interface but in command openvpn shows version 2.3.13
so I guess I have to do make dirclean
or even make distclean which I hope to avoid so my menuconfig remains..
-
- OpenVPN User
- Posts: 22
- Joined: Sun Jun 03, 2012 11:14 am
Re: TLS Error: tls-crypt unwrapping failed from
well. I now have definitely 2.4.0 running and still the error.
tls-crypt with the ta.key under linux can't connect to a windows 2.4.0 with tls-crypt.
-
- OpenVPN User
- Posts: 22
- Joined: Sun Jun 03, 2012 11:14 am
Re: TLS Error: tls-crypt unwrapping failed from
Here's the server settings in WINDOWS:
Code: Select all
port 1197
proto udp
dev tap
dev-node TAP_IPV6
tun-mtu 1500
tun-mtu-extra 32
ca ca.crt
cert server-ipv4.crt
key server-ipv4.key
dh dh2048.pem
tls-crypt ta.key
remote-cert-tls client
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
auth SHA384
server-bridge 172.22.50.1 255.255.0.0 172.22.50.2 172.22.50.49
client-to-client
comp-lzo no
keepalive 10 60
persist-key
persist-tun
status status.txt
log log.txt
ifconfig-pool-persist ipp.txt
Here's the client settings in openWRT/LEDE:
Code: Select all
config openvpn 'private'
option client '1'
option float '1'
option remote 'domain.com'
option port '1197'
option proto 'udp'
option dev 'tap0'
option tun_mtu '1500'
option tun_mtu_extra '32'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/client-ipv4.crt'
option key '/etc/openvpn/client-ipv4.key'
option tls_crypt '/etc/openvpn/ta.key'
option remote_cert_tls 'server'
option verify_x509_name 'SERVERNAME name'
option tls_version_min '1.2'
option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'
option cipher 'AES-256-GCM'
option auth 'SHA384'
option comp_lzo 'no'
option persist_tun '1'
option persist_key '1'
option nobind '1'
option verb '5'
option log '/etc/openvpn/log'
option status '/etc/openvpn/status 5'
option resolv_retry 'infinite'
option enabled '1'
So once again, if I change
Code: Select all
option tls_crypt '/etc/openvpn/ta.key'
to
Code: Select all
option tls_auth '/etc/openvpn/ta.key 1'
and
Code: Select all
tls-crypt ta.key
to
Code: Select all
tls-auth ta.key 0
then everything is working out of the box and all verifications result in OK and no errors whatsoever!
So it's really the tls-crypt on the linux side as other windows clients with tls-crypt just work fine!
-
- OpenVPN Protagonist
- Posts: 11136
- Joined: Fri Jun 03, 2016 1:17 pm
Re: TLS Error: tls-crypt unwrapping failed from
mrgenie wrote: tls-crypt with the ta.key under linux can't connect to a windows 2.4.0 with tls-crypt
I have a W10 Server and a Linux client both running openvpn-2.4.0 with --tls-crypt enabled correctly and it works perfectly for me. You must restart your server & client if you change a configuration option.
Client log:
Code: Select all
Tue Jan 10 16:52:00 2017 us=981569 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Jan 10 16:52:00 2017 us=981692 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jan 10 16:52:00 2017 us=983514 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Jan 10 16:52:00 2017 us=983577 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Code: Select all
Tue Jan 10 16:40:03 2017 us=807425 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Jan 10 16:40:03 2017 us=807425 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jan 10 16:40:03 2017 us=807425 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Jan 10 16:40:03 2017 us=807425 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
-
- OpenVPN User
- Posts: 22
- Joined: Sun Jun 03, 2012 11:14 am
Re: TLS Error: tls-crypt unwrapping failed from
hi TinCanTech.
Thank you for your reply.
I did already restart the whole system. Shutdown. No power.
So I'm pretty sure it's not a restart issue.
If it works on your end, then I presume it's working and thus something
is wrong on my end.
I'll build the firmware from scratch. Maybe some old 2.3 objects still somewhere
in the firmware, although it says 2.4.0 when I openvpn --version.
But thank you anyway, now I know it's working for someone, it means it should be working
for me as well.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Sun Jan 15, 2017 6:04 pm
Re: TLS Error: tls-crypt unwrapping failed from
Hi,
I'm having the same problem with a LEDE build in a router. I'm using OpenVPN 2.4.0 but still it looks like the
Code: Select all
option tls_crypt '/etc/openvpn/ta.key'
is not applied to the LEDE code, because if you enabled it you can still connect to the server if you disable the tls-auth option in the server config.
Maybe it's something to do with LEDE/OpenWRT, I'll open a new post in their forums.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Sun Jan 15, 2017 6:04 pm
Re: TLS Error: tls-crypt unwrapping failed from
Hi,
this is the post on the LEDE forums.
https://forum.lede-project.org/t/openvp ... orking/995
Maybe we could help them.
Thanks.
-
- OpenVPN Protagonist
- Posts: 11136
- Joined: Fri Jun 03, 2016 1:17 pm
Re: TLS Error: tls-crypt unwrapping failed from
chuckler wrote: I'm having the same problem with a LEDE build in a router. I'm using OpenVPN 2.4.0 but
Complete logs at verb 4 please
-
- OpenVPN User
- Posts: 22
- Joined: Sun Jun 03, 2012 11:14 am
Re: TLS Error: tls-crypt unwrapping failed from
I found out the error comes from AES-256-GCM
or any other encryption method.
The only thing that tls-crypt is compatible with is AES-256-CTR
All other encryption options are now just useless if you want to use tls-crypt.
-
- OpenVPN User
- Posts: 22
- Joined: Sun Jun 03, 2012 11:14 am
Re: TLS Error: tls-crypt unwrapping failed from
Ok, so it should work with AES-256-GCM as it applies CTR
Must be LEDE/OpenWRT specific then.
Back to LEDE forums
-
- OpenVPN User
- Posts: 22
- Joined: Sun Jun 03, 2012 11:14 am
Re: TLS Error: tls-crypt unwrapping failed from
Solution to the problem I wrote in the last comment:
https://forum.lede-project.org/t/openvp ... king/995/5
will be applied to the standard git some time in future. Maybe even today, maybe next month.
But there's a manual fix for those who are interested.
-
- OpenVPN Protagonist
- Posts: 11136
- Joined: Fri Jun 03, 2016 1:17 pm
Re: OpenWRT LEDE - TLS Error: tls-crypt unwrapping failed from
What this essentially boils down to:
makro:forum.lede-project.org wrote: Apparently the updates to the OpenVPN init script got lost between the initial 2.4_rc1 patch [1] and the final 2.4.0 version, so LEDE doesn't apply any of the new options introduced
[1] https://patchwork.ozlabs.org/patch/704655/
Source: https://forum.lede-project.org/t/openvp ... king/995/2
Openvpn was not involved in that.
With regard to this:
mrgenie wrote: The only thing that tls-crypt is compatible with is AES-256-CTR
AES-256-CTR has been initially selected for use with --tls-crypt because it is "a nonce misuse-resistant authenticated encryption scheme".
See: https://www.mail-archive.com/openvpn-de ... 12970.html
mrgenie wrote: All other encryption options are now just useless if you want to use tls-crypt
--tls-crypt only affects the control channel not the data channel. Ciphers available to the data channel are as they always have been and can be configured with --cipher and/or negotiated internally by openvpn with --ncp-ciphers, which is enabled by default in 2.4
It is complicated but well documented .. worth your time to read.
-
- OpenVPN User
- Posts: 22
- Joined: Sun Jun 03, 2012 11:14 am
Re: OpenWRT LEDE - TLS Error: tls-crypt unwrapping failed from
Hi TinCanTech, thank you for sharing your expertise!
-
- OpenVpn Newbie
- Posts: 2
- Joined: Sun Jan 21, 2018 7:34 am
Re: OpenWRT LEDE - TLS Error: tls-crypt unwrapping failed from
Thanks mrgenie for sharing your experience.
I have this problem too.
You said "The only thing that tls-crypt is compatible with is AES-256-CTR", by this you mean I change GCM in the config line "cipher AES-256-GCM" to AES-256-CTR or change the GCM in this line: "tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384" ????
Another question:
you used the tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 and the "auth SHA384". They have to be the same SHA384 or can I use the "auth SHA512"??
-
- OpenVPN Protagonist
- Posts: 11136
- Joined: Fri Jun 03, 2016 1:17 pm
Re: OpenWRT LEDE - TLS Error: tls-crypt unwrapping failed from
No .. --tls-crypt uses AES-256-CTR and it is not a configurable option.
This is simply wrong .. you are mixing up different options that are not linked.
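A check for the failure identified in this thread, where the LEDE init script did not carry the new 2.4 options into the configuration that OpenVPN actually reads. This is an added example, not code from the thread or from LEDE; the underscore-to-hyphen mapping, the file names and the sample contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list UCI options that never reached the generated OpenVPN config.

# dropped_options UCI_FILE GENERATED_CONF
# Prints each UCI option whose OpenVPN directive is absent from GENERATED_CONF.
# Assumed mapping: UCI "option tls_crypt ..." becomes the directive "tls-crypt".
dropped_options() {
    sed -n 's/^[[:space:]]*option[[:space:]][[:space:]]*\([A-Za-z0-9_]*\).*/\1/p' "$1" |
    while read -r opt; do
        case $opt in
            ''|enabled) continue ;;   # "enabled" is read by the init script, not by openvpn
        esac
        directive=$(printf '%s' "$opt" | tr '_' '-')
        # A directive counts as applied when it starts a line of the generated config.
        grep -Eq "^[[:space:]]*${directive}([[:space:]]|\$)" "$2" ||
            printf '%s\n' "$opt"
    done
}

# Constructed sample data: a cut-down version of the client section posted in
# the thread, and the config an init script unaware of tls_crypt would write.
write_samples() {
    cat > "$1/uci" <<'EOF'
config openvpn 'private'
    option client '1'
    option remote 'domain.com'
    option proto 'udp'
    option tls_crypt '/etc/openvpn/ta.key'
    option cipher 'AES-256-GCM'
    option enabled '1'
EOF
    cat > "$1/generated.conf" <<'EOF'
client
remote domain.com
proto udp
cipher AES-256-GCM
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "options not applied: $(dropped_options "$tmp/uci" "$tmp/generated.conf")"
rm -rf "$tmp"
```

On a device, pass the UCI file and the config file the running openvpn process was actually started with; any option the function prints was configured but never handed to OpenVPN.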