TLS Error: incoming packet authentication failed

AntonEroxin · Post by **AntonEroxin** » Tue Jul 28, 2020 3:46 pm

Hey. I also started getting a TLC error, see the picture for details. Tell me what's wrong? The TLC key is the same on the client and on the server.

TinCanTech · Post by **TinCanTech** » Tue Jul 28, 2020 4:08 pm

viewtopic.php?f=30&t=22603#p68963

AntonEroxin · Post by **AntonEroxin** » Tue Jul 28, 2020 4:29 pm

TinCanTech wrote: ↑
Tue Jul 28, 2020 4:08 pm
viewtopic.php?f=30&t=22603#p68963

Server Config

mode server
port 443
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.20.10.0 255.255.255.0
push "redirect-gateway"
#push "route 10.20.10.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
ping-restart 0
reneg-sec 0
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /etc/openvpn/1.log
verb 4
push "sndbuf 524288"
push "rcvbuf 524288"
explicit-exit-notify 1

Client Config

client
dev tun
proto udp
#провереть сертификат сервера
remote-cert-tls server
tls-timeout 120
tls-auth ta.key 1
remote x.x.x.x.: 3 443
#resolv-retry infinite 1111111111111111
nobind
persist-key
persist-tun
cipher AES-256-CBC
auth SHA256
verb 3
push "sndbuf 524288"
push "rcvbuf 524288"
<ca>
-----BEGIN CERTIFICATE-----
MIIDQjCCAiqgAwIBAgIUAinsDkp9rs8jnSuE564hQMqfScIwDQYJKoZIhvcNAQEL
BQAwEzERMA8GA1UEAwwIU2VydmVyQ0EwHhcNMjAwNzI2MTQwMzUwWhcNMzAwNzI0
MTQwMzUwWjATMREwDwYDVQQDDAhTZXJ2ZXJDQTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAK7iIfOn3qrSi4iqyW+eHyNqj67qTO4KGgaSrWKL6r/9mr3g

part of the key was removed by me in (in this post)

HxMfiUrBEk7bgWnICfEOmHdTiter1b7lNw6qP
D/Jxhc4ErxdsEcWq4mcg3VtN/ths63XLIryjgIAN1EsEOjbBLXMMeH6JjvoWKTeK
qel3Pjl+ts3rDpyG68kFd09YYw0EX3eFFbJYKmvnIp9MRbJ16wm9xCGQ/ooBB1wx
7/ciXBHues53YkaQ3fhaEr1QMPFscw==
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
88:06:2e:33:98:ee:ed:5e:0a:0b:3e:5f:4d:13:e6:34
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=ServerCA
Validity
Not Before: Jul 26 14:12:10 2020 GMT
Not After : Oct 29 14:12:10 2022 GMT
Subject: CN=client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:ce:65:c7:e0:40:26:a0:d6:35:e3:fd:e8:0f:1b:
e4:04:85:3a:ff:92:87:79:93:70:39:07:0d:85:84:
70:04:b1:43:05:13:66:be:13:ef:ff:80:39:23:6e:
0a:94:e8:63:b2:07:9b:c2

15:ad:77:44:e6:96:

part of the key was removed by me in (in this post)

4e:2f:c1:d0:6a:2c:a4:a6:54:cf:79:9e:5e:b1:8b:
aa:fe:c4:2f:b1:64:d1:e4:42:d3:9c:f3:81:77:9b:
d6:82:1f:88:52:ff:e6:01:26:7d:b0:b6:c9:2d:99:
60:85
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
90:3F:00:E0:DA:FB:F6:CC:2B:6E:F9:52:88:FE:C6:77:EE
X509v3 Authority Key Identifier:
keyid:EF:23:48:7D:D3:F8:78:14:48:6B:5B:49:F9:22:A8
DirName:/CN=ServerCA
serial:02:29:EC:0E:4A:7D:AE:CF:23:9D:2B:84:E7:AE:21

X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
5c:82:f1:be:31:78:cc:08:04:93:da:e3:74:c0:57:dc:56:02:
28:1b:43:c6:28:56:fd:0f:20:8a:cb

00:c7:b9:99:6e:0e:
10:da:99:7f:b8:c0:5b:12:6d:09:c8:00:87:02:ed:e8:ea:ed:
5a:ec:a3:6f:d9:61:39:11:b7:ca:22:11:32:8e:f1:12:72:a9:
bc:29:86:dc:1c:15:b1:d7:db:81:7c:0e:64:a8:ef:e0:dd:71:
0e:8e:96:dd:3c:34:6c:c3:12:91:1f:20:a4:af:67:72:94:c9:
c2:13:0b:50:00:95:7a:f7:93:f6:6e:5a:03:dc:f3:c3:89:f8:
6e:a5:12:4e:14:39:24

75:92:41:51:70:40:48:1f:21:14:
69:2f:bd:4f:70:44:c4:d4:34:d7:95:2d:01:03:27:cf:e5:e8:
69:56:23:aa:03:0e:05:74:2c:dd:42:6e:c2:58:e4:88:a6:bf:
2f

81:23:50:7f:fd:24:26:c3:9e:a8:2b:cb:c2:a6:d4:ea:
8d:56:b4:8b:e2:81:b2:22:b7:3f:4a:88:c6:28:0a:0f:89:82:
c0:34:b5:3c:45:ad:26:3d:aa:e5:8d:50:ea:02:19:5a:bf:ef:
20:56:a3:e0:fb:27:ba:7f:db:c8:fc:66:08:5d:ad:e2:22:07:
ab:ae:27:48
-----BEGIN CERTIFICATE-----
MIIDTzCCAjegAwIBAgIRAIgGLjOY7u1eCgs+X00T5jQwDQYJKoZIhvcNAQELBQAw
EzERMA8GA1UEAwwIU2VydmVyQ0EwHhcNMjAwNzI2MTQxMjEwWhcNMjIxMDI5MTQx
MjEwWjARMQ8wDQYDVQQDDAZjbGllbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDOZcfgQCag1jXj/egPG+QEhTr/kod5k3A5Bw2FhHAEsUMFE2a+E+//

part of the key was removed by me in (in this post)

3gDHuZluDhDamX+4wFsSbQnIAIcC7ejq7Vrso2/ZYTkRt8oiETKO8RJyqbwphtwc
FbHX24F8DmSo7+DdcQ6Olt08NGzDEpEfIKSvZ3KUycITC1AAlXr3k/ZuWgPc88OJ
+G6lEk4UOSTNdZJBUXBASB8hFGkvvU9wRMTUNNeVLQEDJ8/l6GlWI6oDDgV0LN1C
bsJY5Iimvy+rgSNQf/0kJsOeqCvLwqbU6o1WtIvigbIitz9KiMYoCg+JgsA0tTxF
rSY9quWNUOoCGVq/7yBWo+D7J7p/28j8ZghdreIiB6uuJ0g=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDOZcfgQCag1jXj
/egPG+QEhTr/kod5k3A5Bw2FhHAEsUMFE2a+E+//gDkjbgqU6GOyB5vCqxWtd0Tm
lsBcGQHtoCKL/INKF8Np/zDHB1gMLzEdo6Mr8VxqzVSVgstOolk82Y7W5kBzQR/K
xqYi/ils/ErGI/a1xOJ1O7AbmeRLC0n/lKNtaiXhcQmCke6cZCv8fIew9RFvfslp
0HVv4bJb26Zur1SDMcN2vo8hVqGvrbKZKFCGWbdzIhrCf3gE2Bkn4CIMWlWfUb3y

part of the key was removed by me in (in this post)

rQ4t6j0IexNLvqhVTTgfnpy/dZ8zgXGL6tS4DV3+1R9rXAJQsKXza+kd0qKMxYhz
JQJFAcd2q1zqHN76uNeTWdJy17grx7JW2l4reLvTfs3e776kRXh6YxsOgjUnwaiX
woIcVtsf6LSAbQr/9O03K+kPm5vNcOdhMkuxemcFAoGBAKupH4LbsY5zBZ/ir4FW
NSaoc2VrQQ+0HrPscc+xuXelvIrj6PdL5+TbQp017V/UcAdPVJZVQdNSjTl9vTFU
dnZxwBYpAFJhUc9KGlLzwkq6vgbmahiOqzVrOH37J7epY1l1lhubQGXAEGAsScII
00B3+vkVi6UAeNEE5i5BiLbM
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
2d35ca2808bb15e6e35fedc312714db8
393f4479090abadcd9572adadf4dd6f9
16c32ac263479cbb96ea22910c1d5831
631c304c25f6285e4d2b6cacd7fb68f9
e3dad4d20836a60f2d4420b015ae5c40

part of the key was removed by me in (in this post)

3cb20f21d83fa07b3acfb8a1df9636c3
cb81136c956479b212a67d42acedc237
3f01c562a83e361d672845eb026a0427
31f7938d97a47a281c249d4668a8f961
-----END OpenVPN Static key V1-----
</tls-auth>

TinCanTech · Post by **TinCanTech** » Tue Jul 28, 2020 5:01 pm

Remove the <tls-auth> inline key.

AntonEroxin · Post by **AntonEroxin** » Tue Jul 28, 2020 6:08 pm

TinCanTech wrote: ↑
Tue Jul 28, 2020 5:01 pm
Remove the <tls-auth> inline key.

Without a key, it will work. But I would like to use tls key. And it's just not clear why this error occurs ...

TinCanTech · Post by **TinCanTech** » Tue Jul 28, 2020 6:09 pm

You have tls-auth defined twice but only the second/inline one wins
and the second/inline one is missing the key direction.

AntonEroxin · Post by **AntonEroxin** » Tue Jul 28, 2020 6:46 pm

TinCanTech wrote: ↑
Tue Jul 28, 2020 6:09 pm
You have tls-auth defined twice but only the second/inline one wins
and the second/inline one is missing the key direction.

Сommented out the line in the client:#tls-auth ta.key 1
I get an error: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]ip vpn server:443

TinCanTech · Post by **TinCanTech** » Tue Jul 28, 2020 7:04 pm

Then do as instructed ..

You may also like to read the manual and/or howto for further details.

AntonEroxin · Post by **AntonEroxin** » Tue Jul 28, 2020 10:36 pm

TinCanTech wrote: ↑
Tue Jul 28, 2020 7:04 pm
Then do as instructed ..
You may also like to read the manual and/or howto for further details.

I figured out C TLS. Thanks for the advice.

OpenVPN Support Forum

TLS Error: incoming packet authentication failed

TLS Error: incoming packet authentication failed

Re: TLS Error: incoming packet authentication failed

Re: TLS Error: incoming packet authentication failed

Re: TLS Error: incoming packet authentication failed

Re: TLS Error: incoming packet authentication failed

Re: TLS Error: incoming packet authentication failed

Re: TLS Error: incoming packet authentication failed

Re: TLS Error: incoming packet authentication failed

Re: TLS Error: incoming packet authentication failed