tls-crypt unwrap error: packet too short

Need help configuring your VPN? Just post here and you'll get that help.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
MrMoore
OpenVPN User
Posts: 12
Joined: Fri Nov 01, 2019 8:16 pm

tls-crypt unwrap error: packet too short

Post by MrMoore » Fri Nov 01, 2019 8:20 pm

Hello All,

I recently setup my openvpn server on my Pi, however after 2/3 weeks of it running with zero issues today I found I couldnt connect to it. I've ran pivpn debug and I see the following in the logs.

Code: Select all

::::      Snippet of the server log      ::::
Oct 31 21:10:52 raspberrypi ovpn-server[489]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Oct 31 21:10:52 raspberrypi ovpn-server[489]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 31 21:10:52 raspberrypi ovpn-server[489]: TUN/TAP device tun0 opened
Oct 31 21:10:52 raspberrypi ovpn-server[489]: TUN/TAP TX queue length set to 100
Oct 31 21:10:52 raspberrypi ovpn-server[489]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Oct 31 21:10:52 raspberrypi ovpn-server[489]: /sbin/ip link set dev tun0 up mtu 1500
Oct 31 21:10:52 raspberrypi ovpn-server[489]: /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Oct 31 21:10:52 raspberrypi ovpn-server[489]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Oct 31 21:10:52 raspberrypi ovpn-server[489]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Oct 31 21:10:52 raspberrypi ovpn-server[489]: UDPv4 link local (bound): [AF_INET][undef]:1194
Oct 31 21:10:52 raspberrypi ovpn-server[489]: UDPv4 link remote: [AF_UNSPEC]
Oct 31 21:10:52 raspberrypi ovpn-server[489]: GID set to nogroup
Oct 31 21:10:52 raspberrypi ovpn-server[489]: UID set to nobody
Oct 31 21:10:52 raspberrypi ovpn-server[489]: MULTI: multi_init called, r=256 v=256
Oct 31 21:10:52 raspberrypi ovpn-server[489]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Oct 31 21:10:52 raspberrypi ovpn-server[489]: Initialization Sequence Completed
Nov  1 03:08:43 raspberrypi ovpn-server[489]: tls-crypt unwrap error: packet too short
Nov  1 03:08:43 raspberrypi ovpn-server[489]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:33219
Nov  1 09:57:52 raspberrypi ovpn-server[489]: tls-crypt unwrap error: packet too short
Nov  1 09:57:52 raspberrypi ovpn-server[489]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:39842
Any advice would be highly appreciated as im very new to this so still learning the ropes.

Many Thanks,
Aaron

User avatar
Pippin
OpenVPN Expert
Posts: 490
Joined: Wed Jul 01, 2015 8:03 am

Re: tls-crypt unwrap error: packet too short

Post by Pippin » Fri Nov 01, 2019 8:43 pm

Post your server config and client config.

MrMoore
OpenVPN User
Posts: 12
Joined: Fri Nov 01, 2019 8:16 pm

Re: tls-crypt unwrap error: packet too short

Post by MrMoore » Fri Nov 01, 2019 9:31 pm

Pippin wrote:
Fri Nov 01, 2019 8:43 pm
Post your server config and client config.
Sounds stupid but I dont actually know the command to get these.

Hahahaha Im a noob

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 6182
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt unwrap error: packet too short

Post by TinCanTech » Fri Nov 01, 2019 9:52 pm

Perhaps thistle help ..

Please see:
viewtopic.php?f=30&t=22603

MrMoore
OpenVPN User
Posts: 12
Joined: Fri Nov 01, 2019 8:16 pm

Re: tls-crypt unwrap error: packet too short

Post by MrMoore » Fri Nov 01, 2019 10:18 pm

TinCanTech wrote:
Fri Nov 01, 2019 9:52 pm
Perhaps thistle help ..

Please see:
viewtopic.php?f=30&t=22603
I've had a read and still haven't found how to get the server clients...

MrMoore
OpenVPN User
Posts: 12
Joined: Fri Nov 01, 2019 8:16 pm

Re: tls-crypt unwrap error: packet too short

Post by MrMoore » Fri Nov 01, 2019 10:36 pm

SERVER:
file
dev tun
proto udp
port 1194
ca
cert
key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io

MrMoore
OpenVPN User
Posts: 12
Joined: Fri Nov 01, 2019 8:16 pm

Re: tls-crypt unwrap error: packet too short

Post by MrMoore » Fri Nov 01, 2019 10:38 pm

CLIENT:
file
client
dev tun
proto udp
remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name foo name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>

</ca>
<cert>

</cert>
<key>

</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-crypt>

MrMoore
OpenVPN User
Posts: 12
Joined: Fri Nov 01, 2019 8:16 pm

Re: tls-crypt unwrap error: packet too short

Post by MrMoore » Sat Nov 02, 2019 8:02 am

any update on this would be appreciated as currently unable to securely VPN when away from home.

User avatar
Pippin
OpenVPN Expert
Posts: 490
Joined: Wed Jul 01, 2015 8:03 am

Re: tls-crypt unwrap error: packet too short

Post by Pippin » Sat Nov 02, 2019 1:20 pm

Try following:
Copy ta.key from server to client.
Remove inline tls-crypt key from client config.
Add to client config:

Code: Select all

tls-crypt /path/to/ta.key

MrMoore
OpenVPN User
Posts: 12
Joined: Fri Nov 01, 2019 8:16 pm

Re: tls-crypt unwrap error: packet too short

Post by MrMoore » Sat Nov 02, 2019 8:45 pm

Pippin wrote:
Sat Nov 02, 2019 1:20 pm
Try following:
Copy ta.key from server to client.
Remove inline tls-crypt key from client config.
Add to client config:

Code: Select all

tls-crypt /path/to/ta.key
Nope, still nothing... no luck I'm afraid

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 6182
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt unwrap error: packet too short

Post by TinCanTech » Sat Nov 02, 2019 9:04 pm

Try removing these from the client:
MrMoore wrote:
Fri Nov 01, 2019 10:38 pm

Code: Select all

persist-key
persist-tun

MrMoore
OpenVPN User
Posts: 12
Joined: Fri Nov 01, 2019 8:16 pm

Re: tls-crypt unwrap error: packet too short

Post by MrMoore » Sun Nov 03, 2019 1:10 pm

TinCanTech wrote:
Sat Nov 02, 2019 9:04 pm
Try removing these from the client:
MrMoore wrote:
Fri Nov 01, 2019 10:38 pm

Code: Select all

persist-key
persist-tun
Still nothing, I've now uninstalled this all together and reinstalled thinking it could have been something corrupt.

User avatar
Pippin
OpenVPN Expert
Posts: 490
Joined: Wed Jul 01, 2015 8:03 am

Re: tls-crypt unwrap error: packet too short

Post by Pippin » Sun Nov 03, 2019 1:24 pm

What client is this?

MrMoore
OpenVPN User
Posts: 12
Joined: Fri Nov 01, 2019 8:16 pm

Re: tls-crypt unwrap error: packet too short

Post by MrMoore » Sun Nov 03, 2019 5:44 pm

Pippin wrote:
Sun Nov 03, 2019 1:24 pm
What client is this?
I'm not quite sure what you mean? I've installed the pivpn, which uses openvpn.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 6182
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt unwrap error: packet too short

Post by TinCanTech » Sun Nov 03, 2019 6:39 pm

I use --tls-crypt with no such issue, so you have either corrupted the key file or used the wrong key.

Also, sorry but we do not support your script.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 6182
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt unwrap error: packet too short

Post by TinCanTech » Sun Nov 03, 2019 9:40 pm

Having double checked my settings, I am actually seeing the same .. will investigate further.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 6182
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt unwrap error: packet too short

Post by TinCanTech » Sun Nov 03, 2019 9:48 pm

Please post full details of your sanitized logs as per my link:
viewtopic.php?f=30&t=22603#p68963

MrMoore
OpenVPN User
Posts: 12
Joined: Fri Nov 01, 2019 8:16 pm

tls-crypt unwrap error: packet too short

Post by MrMoore » Fri Nov 08, 2019 9:33 pm

Hello All,

I logged a ticket a few weeks back however still having issues. When trying to connect to my openvpn server i get the following error;

Debug Log

Code: Select all

Nov  6 21:19:58 raspberrypi ovpn-server[378]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:43249
Nov  7 08:47:13 raspberrypi ovpn-server[378]: tls-crypt unwrap error: packet too short
Nov  7 08:47:13 raspberrypi ovpn-server[378]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:38132
Nov  7 14:38:26 raspberrypi ovpn-server[378]: tls-crypt unwrap error: packet too short
Nov  7 14:38:26 raspberrypi ovpn-server[378]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:34135
Nov  7 14:56:10 raspberrypi ovpn-server[378]: tls-crypt unwrap error: packet too short
Nov  7 14:56:10 raspberrypi ovpn-server[378]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:26876
Nov  7 22:26:22 raspberrypi ovpn-server[378]: tls-crypt unwrap error: packet too short
Nov  7 22:26:22 raspberrypi ovpn-server[378]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:35169
Nov  8 10:05:12 raspberrypi ovpn-server[378]: tls-crypt unwrap error: packet too short
Nov  8 10:05:12 raspberrypi ovpn-server[378]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:43865
Nov  8 13:17:00 raspberrypi ovpn-server[378]: tls-crypt unwrap error: packet too short
Nov  8 13:17:00 raspberrypi ovpn-server[378]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:51915
Nov  8 21:24:34 raspberrypi ovpn-server[378]: tls-crypt unwrap error: packet too short
Nov  8 21:24:34 raspberrypi ovpn-server[378]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:52264
Please see below my client & server config files as requested by @TinCanTech.

Client Config

Code: Select all

client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name raspberrypi_e4d22d0b-cf8b-420d-a88d-da9585d8beb0 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----

-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-crypt>

Server Config

Code: Select all

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert .crt
key .key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device. 
#duplicate-cn
# Generated for use by PiVPN.io
any assistance to get this resolved would be greatly appreciated.

Many Thanks,
Last edited by MrMoore on Sat Nov 09, 2019 2:46 pm, edited 6 times in total.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 6182
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt unwrap error: packet too short

Post by TinCanTech » Sat Nov 09, 2019 1:54 pm

TinCanTech wrote:
Sun Nov 03, 2019 9:48 pm
Please post full details of your sanitized logs as per my link:
viewtopic.php?f=30&t=22603#p68963

MrMoore
OpenVPN User
Posts: 12
Joined: Fri Nov 01, 2019 8:16 pm

Re: tls-crypt unwrap error: packet too short

Post by MrMoore » Sat Nov 09, 2019 2:44 pm

TinCanTech wrote:
Sat Nov 09, 2019 1:54 pm
TinCanTech wrote:
Sun Nov 03, 2019 9:48 pm
Please post full details of your sanitized logs as per my link:
viewtopic.php?f=30&t=22603#p68963
Edited my above post as per the link you provided.

Any assistance would be highly appreciated as I'm getting more and more desperate.

Post Reply