TLS Error: Cannot Locate HMAC

Pruney
OpenVpn Newbie
Posts: 3
Joined: Fri Feb 09, 2018 11:00 am

TLS Error: Cannot Locate HMAC

Post by Pruney » Fri Feb 09, 2018 11:54 am

Hello! I have looked through the forums and tried various solutions but cannot seem to solve this issue. To give a bit of background, I am very new to Linux as a whole and adding OpenVPN to my Dedi is another project to improve my skills.

Firstly, I have followed this guide to help me set it up.
https://www.digitalocean.com/community/ ... untu-16-04

Linux Prune 4.4.0-101-generic #124-Ubuntu SMP Fri Nov 10 18:29:59 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

enp1s0f0  Link encap:Ethernet  HWaddr ***
          inet addr:***.***.***.***  Bcast:***.***.***.***  Mask:255.255.255.0
          inet6 addr: *** Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:23205295 errors:0 dropped:0 overruns:0 frame:0
          TX packets:334080 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1451692898 (1.4 GB)  TX bytes:102976953 (102.9 MB)
          Memory:c0000000-c001ffff

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:100 errors:0 dropped:0 overruns:0 frame:0
          TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:23811 (23.8 KB)  TX bytes:23811 (23.8 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

I have completed all the steps and when running OpenVPN on the client, these are the errors.

Fri Feb 09 11:04:13 2018 NOTE: --user option is not implemented on Windows
Fri Feb 09 11:04:13 2018 NOTE: --group option is not implemented on Windows
Fri Feb 09 11:04:13 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Fri Feb 09 11:04:13 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Fri Feb 09 11:04:13 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Fri Feb 09 11:04:13 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Feb 09 11:04:13 2018 Need hold release from management interface, waiting...
Fri Feb 09 11:04:14 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Feb 09 11:04:14 2018 MANAGEMENT: CMD 'state on'
Fri Feb 09 11:04:14 2018 MANAGEMENT: CMD 'log all on'
Fri Feb 09 11:04:14 2018 MANAGEMENT: CMD 'echo all on'
Fri Feb 09 11:04:14 2018 MANAGEMENT: CMD 'hold off'
Fri Feb 09 11:04:14 2018 MANAGEMENT: CMD 'hold release'
Fri Feb 09 11:04:14 2018 MANAGEMENT: CMD 'password [...]'
Fri Feb 09 11:04:14 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Feb 09 11:04:14 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Feb 09 11:04:14 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Feb 09 11:04:14 2018 TCP/UDP: Preserving recently used remote address: [AF_INET] ***.***.***.***:1194
Fri Feb 09 11:04:14 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Feb 09 11:04:14 2018 UDP link local: (not bound)
Fri Feb 09 11:04:14 2018 UDP link remote: [AF_INET] ***.***.***.***:1194
Fri Feb 09 11:04:14 2018 MANAGEMENT: >STATE:1518174254,WAIT,,,,,,
Fri Feb 09 11:04:14 2018 MANAGEMENT: >STATE:1518174254,AUTH,,,,,,
Fri Feb 09 11:04:14 2018 TLS: Initial packet from [AF_INET] ***.***.***.***:1194, sid=c4097541 d580c913
Fri Feb 09 11:04:14 2018 TLS Error: cannot locate HMAC in incoming packet from [AF_INET] ***.***.***.***:1194
Fri Feb 09 11:04:16 2018 MANAGEMENT: >STATE:1518174256,AUTH,,,,,,
Fri Feb 09 11:04:16 2018 TLS: Initial packet from [AF_INET] ***.***.***.***:1194, sid=c4097541 d580c913
Fri Feb 09 11:04:16 2018 TLS Error: cannot locate HMAC in incoming packet from [AF_INET] ***.***.***.***:1194
Fri Feb 09 11:04:20 2018 MANAGEMENT: >STATE:1518174260,AUTH,,,,,,
Fri Feb 09 11:04:20 2018 TLS: Initial packet from [AF_INET] ***.***.***.***:1194, sid=c4097541 d580c913
Fri Feb 09 11:04:20 2018 TLS Error: cannot locate HMAC in incoming packet from [AF_INET] ***.***.***.***:1194

Server.conf

port 1194
proto udp
dev tun
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
key-direction 0
cipher AES-128-CBC # AES
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 4


Client

client
dev tun
proto udp
remote ***.***.***.*** 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA256
key-direction 1
comp-lzo
verb 4

Feb  9 03:12:05 Prune ovpn-server[862]: ***.***.***.***:60744 TLS Error: TLS handshake failed
Feb  9 03:12:05 Prune ovpn-server[862]:  ***.***.***.***:60744 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb  9 03:12:45 Prune ovpn-server[862]:  ***.***.***.***:24788 TLS: Initial packet from [AF_INET] ***.***.***.***:24788, sid=$
Feb  9 03:12:45 Prune ovpn-server[862]:  ***.***.***.***:24788 TLS Error: reading acknowledgement record from packet
Feb  9 03:13:15 Prune ovpn-server[862]: message repeated 4 times: [  ***.***.***.***:24788 TLS Error: reading acknowledgeme$
Feb  9 03:13:45 Prune ovpn-server[862]:  ***.***.***.***:24788 TLS Error: TLS key negotiation failed to occur within 60 sec$
Feb  9 03:13:45 Prune ovpn-server[862]:  ***.***.***.***:24788 TLS Error: TLS handshake failed
Feb  9 03:13:45 Prune ovpn-server[862]:  ***.***.***.***:24788 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb  9 03:13:59 Prune kernel: [674329.698868] [UFW BLOCK] IN=enp1s0f0 OUT= MAC= $
Feb  9 03:14:42 Prune kernel: [674373.030616] [UFW BLOCK] IN=enp1s0f0 OUT= MAC= $
Feb  9 03:15:05 Prune ovpn-server[862]:  ***.***.***.***:39303 TLS: Initial packet from [AF_INET] ***.***.***.***:39303, sid=$
Feb  9 03:15:05 Prune ovpn-server[862]:  ***.***.***.***:39303 TLS Error: reading acknowledgement record from packet
Feb  9 03:15:33 Prune kernel: [674424.072810] [UFW BLOCK] IN=enp1s0f0 OUT= MAC= $
Feb  9 03:15:19 Prune ovpn-server[862]: message repeated 3 times: [  ***.***.***.***:39303 TLS Error: reading acknowledgeme$
Feb  9 03:16:05 Prune ovpn-server[862]:  ***.***.***.***:39303 TLS Error: TLS key negotiation failed to occur within 60 sec$
Feb  9 03:16:05 Prune ovpn-server[862]:  ***.***.***.***:39303 TLS Error: TLS handshake failed
Feb  9 03:16:05 Prune ovpn-server[862]:  ***.***.***.***:39303 SIGUSR1[soft,tls-error] received, client-instance restarting

If I have missed anything out, please let me know.

TinCanTech
OpenVPN Protagonist
Posts: 4291
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS Error: Cannot Locate HMAC

Post by TinCanTech » Fri Feb 09, 2018 2:26 pm

You have done something wrong with --tls-auth

Pruney
OpenVpn Newbie
Posts: 3
Joined: Fri Feb 09, 2018 11:00 am

Re: TLS Error: Cannot Locate HMAC

Post by Pruney » Mon Feb 12, 2018 1:18 pm

I'll try to rerun the key generation section on the guide (if I should even be following that)

Anything specific?

Pruney
OpenVpn Newbie
Posts: 3
Joined: Fri Feb 09, 2018 11:00 am

Re: TLS Error: Cannot Locate HMAC

Post by Pruney » Wed Feb 14, 2018 11:56 am

The issue has been resolved. I ran through generating the keys again, had an issue with OpenVPN not being able to find the CA, so I uncommented the ca.crt and server.crt and server.key in server.conf and it came to life!
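
An added example, not part of the thread and not OpenVPN project code: a Python check that compares a server and a client config for the control-channel settings both ends are expected to agree on (tls-auth/tls-crypt presence, key direction, proto, cipher, auth) and for the server's ca/cert/key lines. The function names and sample strings are constructed; the client's inline <tls-auth> block is an assumption, made because the client log above reports HMAC control-channel authentication while the posted server.conf has no tls-auth line.

```python
import re

def parse_ovpn(text):
    """Map directive -> args. An inline <name>...</name> block counts as the directive being set."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                                   # skip the body of an inline block
            if line == f"</{inline}>":
                inline = None
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            inline = m.group(1)
            opts[inline] = ["[inline]"]
        elif line and line[0] not in "#;":           # '#' and ';' start comment lines
            name, *args = line.split(" #", 1)[0].split()
            opts[name] = args
    return opts

def key_direction(opts):
    """Direction from 'tls-auth file N' if given there, else from key-direction, else None."""
    ta = opts.get("tls-auth", [])
    return ta[1] if len(ta) > 1 else opts.get("key-direction", [None])[0]

def check_pair(server_text, client_text):
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    findings = []
    for wrap in ("tls-auth", "tls-crypt"):           # control-channel HMAC / encryption wrappers
        if (wrap in s) != (wrap in c):
            findings.append(f"{wrap} missing on {'client' if wrap in s else 'server'}")
    if "tls-auth" in s and "tls-auth" in c:
        if (key_direction(s), key_direction(c)) not in {("0", "1"), ("1", "0"), (None, None)}:
            findings.append("key directions are not complementary")
    for d in ("proto", "cipher", "auth"):
        if s.get(d) != c.get(d):
            findings.append(f"{d} differs: server={s.get(d)} client={c.get(d)}")
    findings += [f"server has no {d}" for d in ("ca", "cert", "key") if d not in s]
    return findings

# Constructed samples. SERVER is a subset of the server.conf posted above; CLIENT is a subset
# of the posted client options plus an ASSUMED inline <tls-auth> block with placeholder contents.
SERVER = "proto udp\nkey-direction 0\ncipher AES-128-CBC # AES\nauth SHA256\n"
CLIENT = ("client\nproto udp\ncipher AES-128-CBC\nauth SHA256\nkey-direction 1\n"
          "<tls-auth>\n(placeholder static key)\n</tls-auth>\n")
print("\n".join(check_pair(SERVER, CLIENT)))
```

An empty result means the two files agree on these points; it does not prove that both sides hold the same ta.key contents.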
