TLS Error: cannot locate HMAC in incoming packet

thegorski
OpenVpn Newbie
Posts: 2
Joined: Thu Jun 17, 2021 6:50 pm

TLS Error: cannot locate HMAC in incoming packet

Post by thegorski » Thu Jun 17, 2021 7:20 pm

Hello,

I'm having trouble with OpenVPN client initiating a connection with OpenVPN server. I've read through threads with a similar error but all suggestions related to tls-auth files matching between server and client don't seem to help as they already match. Initially I tried using tls-crypt instead of tls-auth but kept receiving tls-crypt unwrap error: packet too short and was unable to solve that issue with any existing forum support threads. Any help is appreciated.

Server:

OS: Linux ovpns 5.8.0-55-generic #62~20.04.1-Ubuntu SMP Wed Jun 2 08:55:04 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Network Setup:

enp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.122.25  netmask 255.255.255.0  broadcast 192.168.122.255
        inet6 fe80::edfa:f677:a174:ebe3  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:66:52:52  txqueuelen 1000  (Ethernet)
        RX packets 388447  bytes 251739916 (251.7 MB)
        RX errors 0  dropped 129832  overruns 0  frame 0
        TX packets 177419  bytes 33855654 (33.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 18010  bytes 1797104 (1.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18010  bytes 1797104 (1.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.15.0.1  netmask 255.255.255.0  destination 10.15.0.1
        inet6 fe80::9717:4bb6:890c:af7a  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7  bytes 336 (336.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Server conf:

local 192.168.122.25
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth tc.key 0
#key-direction 0
#tls-crypt tc.key
topology subnet
server 10.15.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 4
crl-verify crl.pem
explicit-exit-notify
status openvpn-status.log


Server Log:

  GNU nano 4.8                    /etc/openvpn/server/openvpn-status.log                              
TITLE,OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AE>
TIME,Thu Jun 17 14:59:38 2021,1623956378
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes>
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
GLOBAL_STATS,Max bcast/mcast queue length,0
END

Client

OS: Linux xxx 5.8.0-55-generic #62~20.04.1-Ubuntu SMP Wed Jun 2 08:55:04 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Network Setup:

enp112s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.110  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::1bd:cf94:5c02:1ff9  prefixlen 64  scopeid 0x20<link>
        ether a4:ae:11:1e:4c:1f  txqueuelen 1000  (Ethernet)
        RX packets 535240  bytes 285665915 (285.6 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 440074  bytes 44375190 (44.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device memory 0x6e100000-6e17ffff  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 48414  bytes 5082905 (5.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 48414  bytes 5082905 (5.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Client conf:

client
dev tun
proto udp
remote xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
ignore-unknown-option block-outside-dns
#block-outside-dns
verb 4
#tls-client
tls-auth /etc/openvpn/tc.key 1
<ca>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xxx
-----END PRIVATE KEY-----
</key>


Client Log:

Thu Jun 17 15:12:08 2021 us=615949 WARNING: file '/etc/openvpn/tc.key' is group or others accessible
Thu Jun 17 15:12:08 2021 us=615972 Current Parameter Settings:
Thu Jun 17 15:12:08 2021 us=615976   config = 'ov-ubuntu.ovpn'
Thu Jun 17 15:12:08 2021 us=616007   mode = 0
Thu Jun 17 15:12:08 2021 us=616010   persist_config = DISABLED
Thu Jun 17 15:12:08 2021 us=616014   persist_mode = 1
Thu Jun 17 15:12:08 2021 us=616018   show_ciphers = DISABLED
Thu Jun 17 15:12:08 2021 us=616022   show_digests = DISABLED
Thu Jun 17 15:12:08 2021 us=616025   show_engines = DISABLED
Thu Jun 17 15:12:08 2021 us=616029   genkey = DISABLED
Thu Jun 17 15:12:08 2021 us=616032   key_pass_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616036   show_tls_ciphers = DISABLED
Thu Jun 17 15:12:08 2021 us=616040   connect_retry_max = 0
Thu Jun 17 15:12:08 2021 us=616043 Connection profiles [0]:
Thu Jun 17 15:12:08 2021 us=616047   proto = udp
Thu Jun 17 15:12:08 2021 us=616051   local = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616054   local_port = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616058   remote = 'xxx'
Thu Jun 17 15:12:08 2021 us=616061   remote_port = '1194'
Thu Jun 17 15:12:08 2021 us=616065   remote_float = DISABLED
Thu Jun 17 15:12:08 2021 us=616069   bind_defined = DISABLED
Thu Jun 17 15:12:08 2021 us=616072   bind_local = DISABLED
Thu Jun 17 15:12:08 2021 us=616075   bind_ipv6_only = DISABLED
Thu Jun 17 15:12:08 2021 us=616079   connect_retry_seconds = 5
Thu Jun 17 15:12:08 2021 us=616083   connect_timeout = 120
Thu Jun 17 15:12:08 2021 us=616086   socks_proxy_server = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616115   socks_proxy_port = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616120   tun_mtu = 1500
Thu Jun 17 15:12:08 2021 us=616123   tun_mtu_defined = ENABLED
Thu Jun 17 15:12:08 2021 us=616127   link_mtu = 1500
Thu Jun 17 15:12:08 2021 us=616146   link_mtu_defined = DISABLED
Thu Jun 17 15:12:08 2021 us=616150   tun_mtu_extra = 0
Thu Jun 17 15:12:08 2021 us=616154   tun_mtu_extra_defined = DISABLED
Thu Jun 17 15:12:08 2021 us=616157   mtu_discover_type = -1
Thu Jun 17 15:12:08 2021 us=616161   fragment = 0
Thu Jun 17 15:12:08 2021 us=616164   mssfix = 1450
Thu Jun 17 15:12:08 2021 us=616168   explicit_exit_notification = 0
Thu Jun 17 15:12:08 2021 us=616172 Connection profiles END
Thu Jun 17 15:12:08 2021 us=616175   remote_random = DISABLED
Thu Jun 17 15:12:08 2021 us=616179   ipchange = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616182   dev = 'tun'
Thu Jun 17 15:12:08 2021 us=616186   dev_type = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616190   dev_node = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616193   lladdr = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616197   topology = 1
Thu Jun 17 15:12:08 2021 us=616200   ifconfig_local = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616204   ifconfig_remote_netmask = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616207   ifconfig_noexec = DISABLED
Thu Jun 17 15:12:08 2021 us=616211   ifconfig_nowarn = DISABLED
Thu Jun 17 15:12:08 2021 us=616215   ifconfig_ipv6_local = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616218   ifconfig_ipv6_netbits = 0
Thu Jun 17 15:12:08 2021 us=616222   ifconfig_ipv6_remote = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616226   shaper = 0
Thu Jun 17 15:12:08 2021 us=616229   mtu_test = 0
Thu Jun 17 15:12:08 2021 us=616233   mlock = DISABLED
Thu Jun 17 15:12:08 2021 us=616236   keepalive_ping = 0
Thu Jun 17 15:12:08 2021 us=616240   keepalive_timeout = 0
Thu Jun 17 15:12:08 2021 us=616263   inactivity_timeout = 0
Thu Jun 17 15:12:08 2021 us=616266   ping_send_timeout = 0
Thu Jun 17 15:12:08 2021 us=616270   ping_rec_timeout = 0
Thu Jun 17 15:12:08 2021 us=616273   ping_rec_timeout_action = 0
Thu Jun 17 15:12:08 2021 us=616277   ping_timer_remote = DISABLED
Thu Jun 17 15:12:08 2021 us=616281   remap_sigusr1 = 0
Thu Jun 17 15:12:08 2021 us=616284   persist_tun = ENABLED
Thu Jun 17 15:12:08 2021 us=616288   persist_local_ip = DISABLED
Thu Jun 17 15:12:08 2021 us=616292   persist_remote_ip = DISABLED
Thu Jun 17 15:12:08 2021 us=616311   persist_key = ENABLED
Thu Jun 17 15:12:08 2021 us=616315   passtos = DISABLED
Thu Jun 17 15:12:08 2021 us=616318   resolve_retry_seconds = 1000000000
Thu Jun 17 15:12:08 2021 us=616322   resolve_in_advance = DISABLED
Thu Jun 17 15:12:08 2021 us=616325   username = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616329   groupname = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616332   chroot_dir = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616350   cd_dir = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616353   writepid = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616356   up_script = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616360   down_script = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616363   down_pre = DISABLED
Thu Jun 17 15:12:08 2021 us=616367   up_restart = DISABLED
Thu Jun 17 15:12:08 2021 us=616370   up_delay = DISABLED
Thu Jun 17 15:12:08 2021 us=616373   daemon = DISABLED
Thu Jun 17 15:12:08 2021 us=616377   inetd = 0
Thu Jun 17 15:12:08 2021 us=616380   log = DISABLED
Thu Jun 17 15:12:08 2021 us=616384   suppress_timestamps = DISABLED
Thu Jun 17 15:12:08 2021 us=616387   machine_readable_output = DISABLED
Thu Jun 17 15:12:08 2021 us=616391   nice = 0
Thu Jun 17 15:12:08 2021 us=616394   verbosity = 4
Thu Jun 17 15:12:08 2021 us=616398   mute = 0
Thu Jun 17 15:12:08 2021 us=616401   gremlin = 0
Thu Jun 17 15:12:08 2021 us=616404   status_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616408   status_file_version = 1
Thu Jun 17 15:12:08 2021 us=616411   status_file_update_freq = 60
Thu Jun 17 15:12:08 2021 us=616415   occ = ENABLED
Thu Jun 17 15:12:08 2021 us=616418   rcvbuf = 0
Thu Jun 17 15:12:08 2021 us=616422   sndbuf = 0
Thu Jun 17 15:12:08 2021 us=616425   mark = 0
Thu Jun 17 15:12:08 2021 us=616428   sockflags = 0
Thu Jun 17 15:12:08 2021 us=616432   fast_io = DISABLED
Thu Jun 17 15:12:08 2021 us=616435   comp.alg = 0
Thu Jun 17 15:12:08 2021 us=616439   comp.flags = 0
Thu Jun 17 15:12:08 2021 us=616442   route_script = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616446   route_default_gateway = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616449   route_default_metric = 0
Thu Jun 17 15:12:08 2021 us=616453   route_noexec = DISABLED
Thu Jun 17 15:12:08 2021 us=616456   route_delay = 0
Thu Jun 17 15:12:08 2021 us=616460   route_delay_window = 30
Thu Jun 17 15:12:08 2021 us=616476   route_delay_defined = DISABLED
Thu Jun 17 15:12:08 2021 us=616480   route_nopull = DISABLED
Thu Jun 17 15:12:08 2021 us=616484   route_gateway_via_dhcp = DISABLED
Thu Jun 17 15:12:08 2021 us=616487   allow_pull_fqdn = DISABLED
Thu Jun 17 15:12:08 2021 us=616491   management_addr = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616495   management_port = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616498   management_user_pass = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616502   management_log_history_cache = 250
Thu Jun 17 15:12:08 2021 us=616506   management_echo_buffer_size = 100
Thu Jun 17 15:12:08 2021 us=616510   management_write_peer_info_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616513   management_client_user = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616517   management_client_group = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616521   management_flags = 0
Thu Jun 17 15:12:08 2021 us=616525   shared_secret_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616529   key_direction = 1
Thu Jun 17 15:12:08 2021 us=616532   ciphername = 'AES-256-CBC'
Thu Jun 17 15:12:08 2021 us=616536   ncp_enabled = ENABLED
Thu Jun 17 15:12:08 2021 us=616540   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Thu Jun 17 15:12:08 2021 us=616544   authname = 'SHA512'
Thu Jun 17 15:12:08 2021 us=616548   prng_hash = 'SHA1'
Thu Jun 17 15:12:08 2021 us=616552   prng_nonce_secret_len = 16
Thu Jun 17 15:12:08 2021 us=616555   keysize = 0
Thu Jun 17 15:12:08 2021 us=616559   engine = DISABLED
Thu Jun 17 15:12:08 2021 us=616563   replay = ENABLED
Thu Jun 17 15:12:08 2021 us=616567   mute_replay_warnings = DISABLED
Thu Jun 17 15:12:08 2021 us=616570   replay_window = 64
Thu Jun 17 15:12:08 2021 us=616574   replay_time = 15
Thu Jun 17 15:12:08 2021 us=616578   packet_id_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616582   use_iv = ENABLED
Thu Jun 17 15:12:08 2021 us=616585   test_crypto = DISABLED
Thu Jun 17 15:12:08 2021 us=616589   tls_server = DISABLED
Thu Jun 17 15:12:08 2021 us=616593   tls_client = ENABLED
Thu Jun 17 15:12:08 2021 us=616597   key_method = 2
Thu Jun 17 15:12:08 2021 us=616600   ca_file = '[[INLINE]]'
Thu Jun 17 15:12:08 2021 us=616604   ca_path = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616608   dh_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616612   cert_file = '[[INLINE]]'
Thu Jun 17 15:12:08 2021 us=616615   extra_certs_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616619   priv_key_file = '[[INLINE]]'
Thu Jun 17 15:12:08 2021 us=616623   pkcs12_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616627   cipher_list = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616630   cipher_list_tls13 = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616634   tls_cert_profile = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616638   tls_verify = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616641   tls_export_cert = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616645   verify_x509_type = 0
Thu Jun 17 15:12:08 2021 us=616649   verify_x509_name = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616652   crl_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616656   ns_cert_type = 0
Thu Jun 17 15:12:08 2021 us=616660   remote_cert_ku[i] = 65535
Thu Jun 17 15:12:08 2021 us=616664   remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616668   remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616671   remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616675   remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616678   remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616682   remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616686   remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616689   remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616693   remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616697   remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616700   remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616704   remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616707   remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616711   remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616715   remote_cert_ku[i] = 0
Thu Jun 17 15:12:08 2021 us=616718   remote_cert_eku = 'TLS Web Server Authentication'
Thu Jun 17 15:12:08 2021 us=616722   ssl_flags = 0
Thu Jun 17 15:12:08 2021 us=616726   tls_timeout = 2
Thu Jun 17 15:12:08 2021 us=616730   renegotiate_bytes = -1
Thu Jun 17 15:12:08 2021 us=616734   renegotiate_packets = 0
Thu Jun 17 15:12:08 2021 us=616737   renegotiate_seconds = 3600
Thu Jun 17 15:12:08 2021 us=616741   handshake_window = 60
Thu Jun 17 15:12:08 2021 us=616745   transition_window = 3600
Thu Jun 17 15:12:08 2021 us=616748   single_session = DISABLED
Thu Jun 17 15:12:08 2021 us=616752   push_peer_info = DISABLED
Thu Jun 17 15:12:08 2021 us=616756   tls_exit = DISABLED
Thu Jun 17 15:12:08 2021 us=616760   tls_auth_file = '/etc/openvpn/tc.key'
Thu Jun 17 15:12:08 2021 us=616763   tls_crypt_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616767   pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616771   pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616775   pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616778   pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616782   pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616786   pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616790   pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616793   pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616797   pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616801   pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616805   pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616808   pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616812   pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616816   pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616819   pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616823   pkcs11_protected_authentication = DISABLED
Thu Jun 17 15:12:08 2021 us=616827   pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616831   pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616834   pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616838   pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616842   pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616846   pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616849   pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616853   pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616857   pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616860   pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616864   pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616867   pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616871   pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616875   pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616878   pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616882   pkcs11_private_mode = 00000000
Thu Jun 17 15:12:08 2021 us=616886   pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616889   pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616893   pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616897   pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616901   pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616904   pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616908   pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616911   pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616915   pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616919   pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616923   pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616926   pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616930   pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616933   pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616937   pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616941   pkcs11_cert_private = DISABLED
Thu Jun 17 15:12:08 2021 us=616944   pkcs11_pin_cache_period = -1
Thu Jun 17 15:12:08 2021 us=616948   pkcs11_id = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=616952   pkcs11_id_management = DISABLED
Thu Jun 17 15:12:08 2021 us=616956   server_network = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=616961   server_netmask = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=616967   server_network_ipv6 = ::
Thu Jun 17 15:12:08 2021 us=616971   server_netbits_ipv6 = 0
Thu Jun 17 15:12:08 2021 us=616975   server_bridge_ip = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=616980   server_bridge_netmask = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=616984   server_bridge_pool_start = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=616990   server_bridge_pool_end = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=616994   ifconfig_pool_defined = DISABLED
Thu Jun 17 15:12:08 2021 us=616998   ifconfig_pool_start = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=617002   ifconfig_pool_end = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=617006   ifconfig_pool_netmask = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=617010   ifconfig_pool_persist_filename = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=617014   ifconfig_pool_persist_refresh_freq = 600
Thu Jun 17 15:12:08 2021 us=617017   ifconfig_ipv6_pool_defined = DISABLED
Thu Jun 17 15:12:08 2021 us=617021   ifconfig_ipv6_pool_base = ::
Thu Jun 17 15:12:08 2021 us=617025   ifconfig_ipv6_pool_netbits = 0
Thu Jun 17 15:12:08 2021 us=617029   n_bcast_buf = 256
Thu Jun 17 15:12:08 2021 us=617033   tcp_queue_limit = 64
Thu Jun 17 15:12:08 2021 us=617037   real_hash_size = 256
Thu Jun 17 15:12:08 2021 us=617040   virtual_hash_size = 256
Thu Jun 17 15:12:08 2021 us=617044   client_connect_script = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=617048   learn_address_script = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=617052   client_disconnect_script = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=617055   client_config_dir = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=617059   ccd_exclusive = DISABLED
Thu Jun 17 15:12:08 2021 us=617063   tmp_dir = '/tmp'
Thu Jun 17 15:12:08 2021 us=617067   push_ifconfig_defined = DISABLED
Thu Jun 17 15:12:08 2021 us=617071   push_ifconfig_local = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=617075   push_ifconfig_remote_netmask = 0.0.0.0
Thu Jun 17 15:12:08 2021 us=617079   push_ifconfig_ipv6_defined = DISABLED
Thu Jun 17 15:12:08 2021 us=617083   push_ifconfig_ipv6_local = ::/0
Thu Jun 17 15:12:08 2021 us=617087   push_ifconfig_ipv6_remote = ::
Thu Jun 17 15:12:08 2021 us=617091   enable_c2c = DISABLED
Thu Jun 17 15:12:08 2021 us=617095   duplicate_cn = DISABLED
Thu Jun 17 15:12:08 2021 us=617099   cf_max = 0
Thu Jun 17 15:12:08 2021 us=617102   cf_per = 0
Thu Jun 17 15:12:08 2021 us=617106   max_clients = 1024
Thu Jun 17 15:12:08 2021 us=617110   max_routes_per_client = 256
Thu Jun 17 15:12:08 2021 us=617113   auth_user_pass_verify_script = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=617117   auth_user_pass_verify_script_via_file = DISABLED
Thu Jun 17 15:12:08 2021 us=617121   auth_token_generate = DISABLED
Thu Jun 17 15:12:08 2021 us=617125   auth_token_lifetime = 0
Thu Jun 17 15:12:08 2021 us=617129   port_share_host = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=617132   port_share_port = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=617136   client = ENABLED
Thu Jun 17 15:12:08 2021 us=617140   pull = ENABLED
Thu Jun 17 15:12:08 2021 us=617144   auth_user_pass_file = '[UNDEF]'
Thu Jun 17 15:12:08 2021 us=617148 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 27 2021
Thu Jun 17 15:12:08 2021 us=617157 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Thu Jun 17 15:12:08 2021 us=617447 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Jun 17 15:12:08 2021 us=617457 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Jun 17 15:12:08 2021 us=617497 Control Channel MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Thu Jun 17 15:12:08 2021 us=617514 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Thu Jun 17 15:12:08 2021 us=617528 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Thu Jun 17 15:12:08 2021 us=617533 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Thu Jun 17 15:12:08 2021 us=617540 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx:1194
Thu Jun 17 15:12:08 2021 us=617554 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Jun 17 15:12:08 2021 us=617559 UDP link local: (not bound)
Thu Jun 17 15:12:08 2021 us=617563 UDP link remote: [AF_INET]xxx:1194
Thu Jun 17 15:12:08 2021 us=620961 TLS: Initial packet from [AF_INET]xxx:1194, sid=24ede69b 4a2fa0f4
Thu Jun 17 15:12:08 2021 us=620975 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]xxx:1194
Thu Jun 17 15:12:10 2021 us=701228 TLS: Initial packet from [AF_INET]xxx:1194, sid=24ede69b 4a2fa0f4
Thu Jun 17 15:12:10 2021 us=701300 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]xxx:1194
Thu Jun 17 15:12:14 2021 us=363139 TLS: Initial packet from [AF_INET]xxx:1194, sid=24ede69b 4a2fa0f4
Thu Jun 17 15:12:14 2021 us=363209 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]xxx:1194

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS Error: cannot locate HMAC in incoming packet

Post by TinCanTech » Thu Jun 17, 2021 7:45 pm

thegorski wrote:
Thu Jun 17, 2021 7:20 pm
I've read through threads with a similar error but all suggestions related to tls-auth files matching between server and client don't seem to help as they already match

No they don't ....

thegorski wrote:
Thu Jun 17, 2021 7:20 pm

auth SHA512
tls-auth tc.key 0
topology subnet
server 10.15.0.0 255.255.255.0
thegorski wrote:
Thu Jun 17, 2021 7:20 pm

client
auth SHA512
tls-auth /etc/openvpn/tc.key 1

You have been experimenting with TLS-Auth and TLS-Crypt and somehow your keys do not match.

FYI: auth SHA512 is wasting your CPU time.

If you are in the mood to experiment then you may find this useful:
https://github.com/TinCanTech/easy-tls

Does all your keys and inline files for you .. and even more besides.

thegorski
OpenVpn Newbie
Posts: 2
Joined: Thu Jun 17, 2021 6:50 pm

Re: TLS Error: cannot locate HMAC in incoming packet

Post by thegorski » Thu Jun 17, 2021 9:00 pm

Thank you for the prompt response. I've commented out the auth SHA512 line.

I've checked the md5sum of the tc.key files on server and client machines and they match. The client log has the correct path for the tc.key file however I don't see that information in the server log. Could it be loading an incorrect file? If so is there a way the log can display the file path?

I see that easy-tls requires OpenVPN 2.5.0+, I'll have to upgrade both server and client sides before experimenting with it.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS Error: cannot locate HMAC in incoming packet

Post by TinCanTech » Thu Jun 17, 2021 9:05 pm

thegorski wrote:
Thu Jun 17, 2021 9:00 pm
I see that easy-tls requires OpenVPN 2.5.0+, I'll have to upgrade both server and client sides before experimenting with it.

For TLS-Auth and TLS-Crypt keys Easy-TLS will still work for you.

thegorski wrote:
Thu Jun 17, 2021 9:00 pm
I've checked the md5sum of the tc.key files on server and client machines and they match. The client log has the correct path for the tc.key file however I don't see that information in the server log. Could it be loading an incorrect file? If so is there a way the log can display the file path?

You have done something wrong .. if OpenVPN were to fail at such a low level then it would have died long ago.

Tip: Check your systemd files.
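
The settings this thread compares between server and client (tls-auth versus tls-crypt, key direction, auth digest, static key contents) can be checked programmatically; the following is an added example, not code from any poster or from the OpenVPN or easy-tls projects. Assumptions: the function names are hypothetical, only these four directives are parsed, and the variant configs and key bodies are constructed samples.

```python
import hashlib
import re

DEFAULT_AUTH = "SHA1"  # OpenVPN's default digest when no 'auth' line is active
KEY_RE = re.compile(
    r"-----BEGIN OpenVPN Static key V1-----(.*?)-----END OpenVPN Static key V1-----",
    re.S,
)


def control_channel(conf_text):
    """Extract the active (uncommented) control-channel settings of one config."""
    cc = {"mode": None, "keyfile": None, "direction": None, "auth": DEFAULT_AUTH}
    for raw in conf_text.splitlines():
        words = raw.split("#")[0].split()      # drop '#' comments
        if not words or words[0].startswith(";"):
            continue                            # blank or ';'-commented line
        name, args = words[0], words[1:]
        if name in ("tls-auth", "tls-crypt") and args:
            cc["mode"], cc["keyfile"] = name, args[0]
            if name == "tls-auth" and len(args) > 1:
                cc["direction"] = args[1]
        elif name == "key-direction" and args:
            cc["direction"] = args[0]
        elif name == "auth" and args:
            cc["auth"] = args[0].upper()
    return cc


def key_fingerprint(key_text):
    """SHA-256 of the static key's hex body, ignoring comments and line endings."""
    m = KEY_RE.search(key_text)
    if not m:
        raise ValueError("not an OpenVPN static key")
    body = "".join(m.group(1).split()).lower()
    return hashlib.sha256(body.encode()).hexdigest()


def compare(server_conf, client_conf, server_key=None, client_key=None):
    """Return a list of mismatches between the two sides (empty means consistent)."""
    s, c = control_channel(server_conf), control_channel(client_conf)
    problems = []
    if s["mode"] != c["mode"]:
        problems.append(f"mode: server uses {s['mode']}, client uses {c['mode']}")
    elif s["mode"] == "tls-auth":
        # Directions must be complementary (0/1) or omitted on both sides.
        if {s["direction"], c["direction"]} not in ({"0", "1"}, {None}):
            problems.append(
                f"key direction: server {s['direction']}, client {c['direction']}")
        if s["auth"] != c["auth"]:
            problems.append(f"auth digest: server {s['auth']}, client {c['auth']}")
    if server_key and client_key:
        if key_fingerprint(server_key) != key_fingerprint(client_key):
            problems.append("static key bodies differ")
    return problems


# Directives as posted in the thread.
SERVER_POSTED = "auth SHA512\ntls-auth tc.key 0\n#key-direction 0\n#tls-crypt tc.key\n"
CLIENT_POSTED = "auth SHA512\ntls-auth /etc/openvpn/tc.key 1\n"
# Constructed variants: tls-crypt left active on the server, and 'auth'
# commented out on one side only.
SERVER_TLS_CRYPT = "auth SHA512\n#tls-auth tc.key 0\ntls-crypt tc.key\n"
SERVER_NO_AUTH = "#auth SHA512\ntls-auth tc.key 0\n"
# Constructed key material (not a real key).
_BODY = "\n".join(["00112233445566778899aabbccddeeff"] * 16)
KEY_A = ("#\n# 2048 bit OpenVPN static key\n#\n"
         "-----BEGIN OpenVPN Static key V1-----\n" + _BODY +
         "\n-----END OpenVPN Static key V1-----\n")
KEY_A_CRLF = KEY_A.replace("\n", "\r\n")   # same key, different line endings
KEY_B = KEY_A.replace("ff", "fe", 1)       # one byte of the body changed

if __name__ == "__main__":
    for label, srv in (("posted", SERVER_POSTED),
                       ("tls-crypt active", SERVER_TLS_CRYPT),
                       ("auth commented out", SERVER_NO_AUTH)):
        print(label, "->", compare(srv, CLIENT_POSTED) or "consistent")
```

The check only sees the files it is given; confirming which config file the running server was actually started with is a separate step.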
