[Solved] tls-crypt unwrap error: packet too short

KokosBot
OpenVpn Newbie
Posts: 2
Joined: Mon Aug 31, 2020 8:22 pm

Post by KokosBot » Mon Aug 31, 2020 9:34 pm

Hello openvpn forum,

I am trying to create a VPN, currently with a server and a client.
My problem is, I have an Arch Linux server for the OpenVPN server and
a Debian server for the OpenVPN client.

Packages used:
Arch Linux: openvpn (2.4.9-2)
Debian: openvpn (2.4.7-1)

I used the Arch Linux tutorial for the openVPN server side.
https://wiki.archlinux.org/index.php/Op ... ation_file
https://wiki.archlinux.org/index.php/Easy-RSA
=> Elliptic curve cryptography.

For the client side of OpenVPN I used the Debian tutorial.
https://wiki.debian.org/OpenVPN

To test my setup I started the server side and then, on another machine, my client.

Server output:

Mon Aug 31 21:15:07 2020 Initialization Sequence Completed
Mon Aug 31 21:31:00 2020 tls-crypt unwrap error: packet too short
Mon Aug 31 21:31:00 2020 TLS Error: tls-crypt unwrapping failed from [AF_INET]XXXXX:33577
Mon Aug 31 21:31:02 2020 tls-crypt unwrap error: packet too short
Mon Aug 31 21:31:02 2020 TLS Error: tls-crypt unwrapping failed from [AF_INET]XXXXX:33577
Mon Aug 31 21:31:06 2020 tls-crypt unwrap error: packet too short
Mon Aug 31 21:31:06 2020 TLS Error: tls-crypt unwrapping failed from [AF_INET]XXXXX:33577

Client output:

Mon Aug 31 19:31:00 2020 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Mon Aug 31 19:31:00 2020 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Mon Aug 31 19:31:00 2020 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Aug 31 19:31:00 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]YYYYY:1194
Mon Aug 31 19:31:00 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Aug 31 19:31:00 2020 UDP link local: (not bound)
Mon Aug 31 19:31:00 2020 UDP link remote: [AF_INET]YYYYY:1194
Mon Aug 31 19:32:01 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Aug 31 19:32:01 2020 TLS Error: TLS handshake failed
Mon Aug 31 19:32:01 2020 SIGUSR1[soft,tls-error] received, process restarting
Mon Aug 31 19:32:01 2020 Restart pause, 5 second(s)

Server config:

port 1194
proto udp
dev tun

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/openVPN_srv.crt
key /etc/openvpn/server/openVPN_srv.key  # This file should be kept secret
tls-crypt /etc/openvpn/server/ta.key
cipher AES-256-CBC

dh none
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
cipher AES-256-GCM

cipher AES-256-GCM
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

Client config:

client
port 1194
proto udp

remote mydomain.de 1194             # VPN server IP : PORT
nobind

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/openVPN_client_build.crt
key /etc/openvpn/easy-rsa/keys/openVPN_client_build.key

dev tun
#comp-lzo
#persist-key
#persist-tun
verb 3

How can I fix this problem, or set up my configs correctly?
Greetings, KokosBot.
Last edited by KokosBot on Tue Sep 01, 2020 1:01 am, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 7790
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt unwrap error: packet too short

Post by TinCanTech » Mon Aug 31, 2020 10:09 pm

Your client also needs the --tls-crypt key-file
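
As an added example (not part of the thread, and not OpenVPN project code): a small Python check that compares a server and client config for the mismatch diagnosed above, plus the missing server certificate verification that the client log warns about. The sample configs are trimmed from the post; the client key path and the list in `VERIFY_OPTS` are assumptions.

```python
import shlex

# Options that wrap the control channel; both peers need the same one, with the same key.
WRAP_OPTS = ("tls-crypt", "tls-auth")
# Client options that turn on server certificate checks (assumed list, not exhaustive).
VERIFY_OPTS = {"remote-cert-tls", "verify-x509-name", "remote-cert-eku", "tls-verify"}

# Constructed samples: trimmed copies of the configs posted in this thread.
SERVER_CONF = """
proto udp
dev tun
tls-crypt /etc/openvpn/server/ta.key
"""
CLIENT_CONF = """
client
proto udp
remote mydomain.de 1194             # VPN server IP : PORT
dev tun
"""
# Hypothetical key path; the file must be a copy of the server's ta.key.
CLIENT_FIXED = CLIENT_CONF + "tls-crypt /etc/openvpn/client/ta.key\nremote-cert-tls server\n"


def parse(text):
    """Return {option: args} for one config; a repeated option keeps its last value."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if line:
            name, *args = shlex.split(line)
            opts[name.lstrip("-")] = args
    return opts


def check(server_text, client_text):
    """Return findings for a server/client config pair (empty list means none)."""
    srv, cli = parse(server_text), parse(client_text)
    mode = lambda o: next((w for w in WRAP_OPTS if w in o), "none")
    findings = []
    if mode(srv) != mode(cli):
        findings.append(f"control-channel wrapping differs: server={mode(srv)}, client={mode(cli)}")
    if not VERIFY_OPTS & cli.keys():
        findings.append("client has no server certificate verification option")
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", CLIENT_CONF), ("fixed", CLIENT_FIXED)):
        print(name, check(SERVER_CONF, conf))
```

A matching option name is necessary but not sufficient: the key file contents must also be identical on both peers, which this check does not read.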

KokosBot
OpenVpn Newbie
Posts: 2
Joined: Mon Aug 31, 2020 8:22 pm

Re: tls-crypt unwrap error: packet too short

Post by KokosBot » Tue Sep 01, 2020 12:59 am

Thank you for your help and time. It is working now.
