TLS Error: incoming packet authentication failed

AntonEroxin
OpenVpn Newbie
Posts: 8
Joined: Tue Jul 28, 2020 11:15 am

Post by AntonEroxin » Tue Jul 28, 2020 3:46 pm

Hey. I also started getting a TLS error; see the picture for details. Can you tell me what's wrong? The TLS key is the same on the client and on the server.
Image

TinCanTech
OpenVPN Protagonist
Posts: 7584
Joined: Fri Jun 03, 2016 1:17 pm

Post by TinCanTech » Tue Jul 28, 2020 4:08 pm


Post by AntonEroxin » Tue Jul 28, 2020 4:29 pm

TinCanTech wrote:
Tue Jul 28, 2020 4:08 pm
viewtopic.php?f=30&t=22603#p68963
Server Config

mode server
port 443
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.20.10.0 255.255.255.0
push "redirect-gateway"
#push "route 10.20.10.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
ping-restart 0
reneg-sec 0
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /etc/openvpn/1.log
verb 4
push "sndbuf 524288"
push "rcvbuf 524288"
explicit-exit-notify 1


Client Config

client
dev tun
proto udp
#verify the server certificate
remote-cert-tls server
tls-timeout 120
tls-auth ta.key 1
remote x.x.x.x.: 3 443
#resolv-retry infinite 1111111111111111
nobind
persist-key
persist-tun
cipher AES-256-CBC
auth SHA256
verb 3
push "sndbuf 524288"
push "rcvbuf 524288"
<ca>
-----BEGIN CERTIFICATE-----
part of the key was removed by me (in this post)
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
88:06:2e:33:98:ee:ed:5e:0a:0b:3e:5f:4d:13:e6:34
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=ServerCA
Validity
Not Before: Jul 26 14:12:10 2020 GMT
Not After : Oct 29 14:12:10 2022 GMT
Subject: CN=client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
part of the key was removed by me (in this post)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
90:3F:00:E0:DA:FB:F6:CC:2B:6E:F9:52:88:FE:C6:77:EE
X509v3 Authority Key Identifier:
keyid:EF:23:48:7D:D3:F8:78:14:48:6B:5B:49:F9:22:A8
DirName:/CN=ServerCA
serial:02:29:EC:0E:4A:7D:AE:CF:23:9D:2B:84:E7:AE:21

X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
-----BEGIN CERTIFICATE-----
part of the key was removed by me (in this post)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
part of the key was removed by me (in this post)
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
part of the key was removed by me (in this post)
-----END OpenVPN Static key V1-----
</tls-auth>

Post by TinCanTech » Tue Jul 28, 2020 5:01 pm

Remove the <tls-auth> inline key.

Post by AntonEroxin » Tue Jul 28, 2020 6:08 pm

TinCanTech wrote:
Tue Jul 28, 2020 5:01 pm
Remove the <tls-auth> inline key.
Without a key, it will work. But I would like to use a TLS key. And it's just not clear why this error occurs ...

Post by TinCanTech » Tue Jul 28, 2020 6:09 pm

You have tls-auth defined twice but only the second/inline one wins
and the second/inline one is missing the key direction.
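
A small check for the two conditions named in the reply above (tls-auth defined twice, and an inline block with no key direction), as an added example that is not part of the original thread or OpenVPN's own code. `lint_tls_auth` and both sample configs are hypothetical and constructed; `key-direction` is the OpenVPN directive that supplies the direction for inline key files.

```python
import re

# Constructed sample shaped like the client config in this thread: a file-based
# tls-auth with direction 1 plus an inline <tls-auth> block (placeholder body).
SAMPLE_BROKEN = """\
client
proto udp
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(constructed placeholder, not key material)
-----END OpenVPN Static key V1-----
</tls-auth>
"""
# Corrected form: one definition only (the inline block), with its direction
# supplied by the key-direction directive (server side uses 0, client 1).
SAMPLE_FIXED = SAMPLE_BROKEN.replace("tls-auth ta.key 1", "key-direction 1")


def lint_tls_auth(config_text):
    """Hypothetical helper: return findings about tls-auth in one config."""
    file_lines, inline_blocks, key_direction, block = [], 0, None, None
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if block:                        # skip inline file bodies
            if line == f"</{block}>":
                block = None
            continue
        tag = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if tag:
            block = tag.group(1)
            inline_blocks += block == "tls-auth"
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        words = line.split()
        if words[0] == "tls-auth":
            file_lines.append(number)
        elif words[0] == "key-direction" and len(words) > 1:
            key_direction = words[1]
    findings = []
    if inline_blocks and file_lines:
        findings.append(f"tls-auth defined inline and on line {file_lines[0]}")
    if inline_blocks and key_direction is None:
        findings.append("inline tls-auth has no key-direction")
    return findings
```
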

Post by AntonEroxin » Tue Jul 28, 2020 6:46 pm

TinCanTech wrote:
Tue Jul 28, 2020 6:09 pm
You have tls-auth defined twice but only the second/inline one wins
and the second/inline one is missing the key direction.
Commented out the line in the client: #tls-auth ta.key 1
I get an error: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]ip vpn server:443

Post by TinCanTech » Tue Jul 28, 2020 7:04 pm

Then do as instructed .. :roll:

You may also like to read the manual and/or howto for further details.

Post by AntonEroxin » Tue Jul 28, 2020 10:36 pm

TinCanTech wrote:
Tue Jul 28, 2020 7:04 pm
Then do as instructed .. :roll:
You may also like to read the manual and/or howto for further details.
I figured it out with TLS. Thanks for the advice.
