AEAD Decrypt error: cipher final failed


Moderators: TinCanTech

dnguyen76
OpenVpn Newbie
Posts: 2
Joined: Wed Dec 05, 2018 4:14 pm

AEAD Decrypt error: cipher final failed

Post by dnguyen76 » Sun Jan 13, 2019 8:02 am

I am running an OpenVPN 2.4.0 network with the TCP protocol on port 443 to mimic an HTTPS stream (the server software was installed on a Raspberry Pi 3 using pivpn).

After connection, I get a random "AEAD Decrypt error: cipher final failed" message every 5 to 10 minutes when receiving from a Raspbian OpenVPN client through a firewall. After each software reset the Raspbian client succeeds in reconnecting, but again 5 to 10 minutes later there is another "AEAD Decrypt error: cipher final failed".

(The OpenVPN server is running on a Raspberry Pi 3 and working well with other clients (Windows, Android), but on another network without a firewall in this case.)

Does anybody have an idea how to correct these random "AEAD Decrypt error: cipher final failed" errors? :)

Daniel

Jan 13 08:37:11 raspberrypi ovpn-server[395]: E/xx.xx.xx.xx.:13885 AEAD Decrypt error: cipher final failed
Jan 13 08:37:11 raspberrypi ovpn-server[395]: E/xx.xx.xx.xx:13885 Fatal decryption error (process_incoming_link), restarting
Jan 13 08:37:11 raspberrypi ovpn-server[395]: E/xx.xx.xx.xx:13885 SIGUSR1[soft,decryption-error] received, client-instance restarting

inixi
OpenVpn Newbie
Posts: 2
Joined: Wed Apr 17, 2019 1:13 pm

Re: AEAD Decrypt error: cipher final failed

Post by inixi » Wed Apr 17, 2019 1:44 pm

Hello,
I have the same issue. In server logs there are plenty of ERRORS like:

Code:

ovpn-vpn-udp[11613]: some.guy/123.231.132.33:2371 AEAD Decrypt error: cipher final failed

Restarting server works for quite some time, but after this time a client attempts to connect and I still receive those errors.

My configuration:
System: Debian 4.9.0-3-amd64 #1 SMP
OpenVPN version: 2.4.0-6
Server configuration:

Code:

port 3434
proto udp
dev udp-tun
dev-type tun
topology subnet
persist-tun
persist-key
user nobody
group nogroup
server 172.17.1.0 255.255.255
ca ca_file.pem
cert cert_file.pem
key key_file.pem
dh dh.pem
crl-verify crl_file.pem
tls-auth ta.key 0
client-config-dir udp-tun.d
ifconfig-pool-persist udp-tun.pool
keepalive 10 120
compress lzo
log-append /var/log/openvpn/udp-tun.log
verb 3
auth SHA1

push "dhcp-option DNS 172.17.1.2"
push "route 172.17.1.0 255.255.0.0"
push "route 172.17.2.0 255.255.0.0"
push "route 172.17.3.0 255.255.0.0"

Client configuration:

Code:

client
dev tun
proto udp
remote my.remote.server.com 3434
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
auth-nocache
comp-lzo
keepalive 10 120
verb 4

This happens randomly and only after some time (more than 10 hours of uptime) and when 20 or more clients are connected.
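A triage sketch for the symptom reported above, added here as an example and not code from any poster or from the OpenVPN project: it groups "AEAD Decrypt error" lines by client name to show whether the failures come from one client or many, how far apart they are, and which source endpoints were involved. The sample log lines, addresses, default year and function names are constructed, and the line layout is assumed to match the syslog lines quoted in this thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog shape quoted in this thread
# (addresses are documentation ranges, not values from the posts).
SAMPLE_LOG = """\
Jan 13 08:27:05 raspberrypi ovpn-server[395]: E/198.51.100.7:13885 AEAD Decrypt error: cipher final failed
Jan 13 08:27:05 raspberrypi ovpn-server[395]: E/198.51.100.7:13885 Fatal decryption error (process_incoming_link), restarting
Jan 13 08:37:11 raspberrypi ovpn-server[395]: E/198.51.100.7:13902 AEAD Decrypt error: cipher final failed
Jan 13 08:40:00 raspberrypi ovpn-vpn-udp[11613]: some.guy/203.0.113.9:2371 AEAD Decrypt error: cipher final failed
Jan 13 08:40:02 raspberrypi ovpn-vpn-udp[11613]: some.guy/203.0.113.9:2371 AEAD Decrypt error: cipher final failed
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<inst>[\w.-]+)\[\d+\]: "
    r"(?P<cn>[^/\s]+)/(?P<ip>\S+):(?P<port>\d+) AEAD Decrypt error: .+$"
)

def aead_failures(log_text, year=2019):
    """Group AEAD decrypt failures by (server instance, client name)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # other messages, including the follow-up restart lines
        # syslog omits the year, so the caller supplies it (assumed default)
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits[(m["inst"], m["cn"])].append((when, f"{m['ip']}:{m['port']}"))
    return hits

def summarize(hits):
    """Per client: failure count, source endpoints seen, seconds between failures."""
    report = {}
    for key, events in hits.items():
        events = sorted(events)
        times = [t for t, _ in events]
        report[key] = {
            "count": len(events),
            "endpoints": sorted({ep for _, ep in events}),
            "gaps_s": [int((b - a).total_seconds()) for a, b in zip(times, times[1:])],
        }
    return report

if __name__ == "__main__":
    for (inst, cn), r in summarize(aead_failures(SAMPLE_LOG)).items():
        print(f"{inst} {cn}: {r['count']} failures, gaps {r['gaps_s']}s, from {r['endpoints']}")
```

Grouping by client name rather than by address and port keeps a client's failures together when it reconnects from a new source port after the client-instance restart.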

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: AEAD Decrypt error: cipher final failed

Post by TinCanTech » Wed Apr 17, 2019 7:31 pm

Try removing --persist-* from your client config.

I do not know if this is a fix but it may help.

Also, you may want to use 2.4.7 from here:
https://openvpn.net/community-downloads/

inixi
OpenVpn Newbie
Posts: 2
Joined: Wed Apr 17, 2019 1:13 pm

Re: AEAD Decrypt error: cipher final failed

Post by inixi » Tue Apr 30, 2019 3:25 pm

Thanks for the reply!
I just commented out those options from server configuration only. Why?
In my case changing configuration for clients is a bit of trouble since not all users or endpoints can adapt to changes...

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: AEAD Decrypt error: cipher final failed

Post by TinCanTech » Tue Apr 30, 2019 3:29 pm

inixi wrote: Tue Apr 30, 2019 3:25 pm
I just commented out those options from server configuration only

So you just did the opposite of what I recommend and have now broken your server config.
