TLS Error: Cannot Locate HMAC

Pruney
OpenVpn Newbie
Posts: 3
Joined: Fri Feb 09, 2018 11:00 am

TLS Error: Cannot Locate HMAC

Post by Pruney » Fri Feb 09, 2018 11:54 am

Hello! I have looked through the forums and tried various solutions but cannot seem to solve this issue. To give a bit of background, I am very new to Linux as a whole and adding OpenVPN to my Dedi is another project to improve my skills.

Firstly, I have followed this guide to help me set it up.
https://www.digitalocean.com/community/ ... untu-16-04

Code:

Linux Prune 4.4.0-101-generic #124-Ubuntu SMP Fri Nov 10 18:29:59 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Code:

enp1s0f0  Link encap:Ethernet  HWaddr ***
          inet addr:***.***.***.***  Bcast:***.***.***.***  Mask:255.255.255.0
          inet6 addr: *** Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:23205295 errors:0 dropped:0 overruns:0 frame:0
          TX packets:334080 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1451692898 (1.4 GB)  TX bytes:102976953 (102.9 MB)
          Memory:c0000000-c001ffff

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:100 errors:0 dropped:0 overruns:0 frame:0
          TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:23811 (23.8 KB)  TX bytes:23811 (23.8 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

I have completed all the steps and when running OpenVPN on the client, these are the errors.

Code:

Fri Feb 09 11:04:13 2018 NOTE: --user option is not implemented on Windows
Fri Feb 09 11:04:13 2018 NOTE: --group option is not implemented on Windows
Fri Feb 09 11:04:13 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Fri Feb 09 11:04:13 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Fri Feb 09 11:04:13 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Fri Feb 09 11:04:13 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Feb 09 11:04:13 2018 Need hold release from management interface, waiting...
Fri Feb 09 11:04:14 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Feb 09 11:04:14 2018 MANAGEMENT: CMD 'state on'
Fri Feb 09 11:04:14 2018 MANAGEMENT: CMD 'log all on'
Fri Feb 09 11:04:14 2018 MANAGEMENT: CMD 'echo all on'
Fri Feb 09 11:04:14 2018 MANAGEMENT: CMD 'hold off'
Fri Feb 09 11:04:14 2018 MANAGEMENT: CMD 'hold release'
Fri Feb 09 11:04:14 2018 MANAGEMENT: CMD 'password [...]'
Fri Feb 09 11:04:14 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Feb 09 11:04:14 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Feb 09 11:04:14 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Feb 09 11:04:14 2018 TCP/UDP: Preserving recently used remote address: [AF_INET] ***.***.***.***:1194
Fri Feb 09 11:04:14 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Feb 09 11:04:14 2018 UDP link local: (not bound)
Fri Feb 09 11:04:14 2018 UDP link remote: [AF_INET] ***.***.***.***:1194
Fri Feb 09 11:04:14 2018 MANAGEMENT: >STATE:1518174254,WAIT,,,,,,
Fri Feb 09 11:04:14 2018 MANAGEMENT: >STATE:1518174254,AUTH,,,,,,
Fri Feb 09 11:04:14 2018 TLS: Initial packet from [AF_INET] ***.***.***.***:1194, sid=c4097541 d580c913
Fri Feb 09 11:04:14 2018 TLS Error: cannot locate HMAC in incoming packet from [AF_INET] ***.***.***.***:1194
Fri Feb 09 11:04:16 2018 MANAGEMENT: >STATE:1518174256,AUTH,,,,,,
Fri Feb 09 11:04:16 2018 TLS: Initial packet from [AF_INET] ***.***.***.***:1194, sid=c4097541 d580c913
Fri Feb 09 11:04:16 2018 TLS Error: cannot locate HMAC in incoming packet from [AF_INET] ***.***.***.***:1194
Fri Feb 09 11:04:20 2018 MANAGEMENT: >STATE:1518174260,AUTH,,,,,,
Fri Feb 09 11:04:20 2018 TLS: Initial packet from [AF_INET] ***.***.***.***:1194, sid=c4097541 d580c913
Fri Feb 09 11:04:20 2018 TLS Error: cannot locate HMAC in incoming packet from [AF_INET] ***.***.***.***:1194

Server.conf

port 1194
proto udp
dev tun
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
key-direction 0
cipher AES-128-CBC # AES
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 4


Client

client
dev tun
proto udp
remote ***.***.***.*** 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA256
key-direction 1
comp-lzo
verb 4

Code:

Feb  9 03:12:05 Prune ovpn-server[862]: ***.***.***.***:60744 TLS Error: TLS handshake failed
Feb  9 03:12:05 Prune ovpn-server[862]:  ***.***.***.***:60744 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb  9 03:12:45 Prune ovpn-server[862]:  ***.***.***.***:24788 TLS: Initial packet from [AF_INET] ***.***.***.***:24788, sid=$
Feb  9 03:12:45 Prune ovpn-server[862]:  ***.***.***.***:24788 TLS Error: reading acknowledgement record from packet
Feb  9 03:13:15 Prune ovpn-server[862]: message repeated 4 times: [  ***.***.***.***:24788 TLS Error: reading acknowledgeme$
Feb  9 03:13:45 Prune ovpn-server[862]:  ***.***.***.***:24788 TLS Error: TLS key negotiation failed to occur within 60 sec$
Feb  9 03:13:45 Prune ovpn-server[862]:  ***.***.***.***:24788 TLS Error: TLS handshake failed
Feb  9 03:13:45 Prune ovpn-server[862]:  ***.***.***.***:24788 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb  9 03:13:59 Prune kernel: [674329.698868] [UFW BLOCK] IN=enp1s0f0 OUT= MAC= $
Feb  9 03:14:42 Prune kernel: [674373.030616] [UFW BLOCK] IN=enp1s0f0 OUT= MAC= $
Feb  9 03:15:05 Prune ovpn-server[862]:  ***.***.***.***:39303 TLS: Initial packet from [AF_INET] ***.***.***.***:39303, sid=$
Feb  9 03:15:05 Prune ovpn-server[862]:  ***.***.***.***:39303 TLS Error: reading acknowledgement record from packet
Feb  9 03:15:33 Prune kernel: [674424.072810] [UFW BLOCK] IN=enp1s0f0 OUT= MAC= $
Feb  9 03:15:19 Prune ovpn-server[862]: message repeated 3 times: [  ***.***.***.***:39303 TLS Error: reading acknowledgeme$
Feb  9 03:16:05 Prune ovpn-server[862]:  ***.***.***.***:39303 TLS Error: TLS key negotiation failed to occur within 60 sec$
Feb  9 03:16:05 Prune ovpn-server[862]:  ***.***.***.***:39303 TLS Error: TLS handshake failed
Feb  9 03:16:05 Prune ovpn-server[862]:  ***.***.***.***:39303 SIGUSR1[soft,tls-error] received, client-instance restarting

If I have missed anything out, please let me know.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS Error: Cannot Locate HMAC

Post by TinCanTech » Fri Feb 09, 2018 2:26 pm

You have done something wrong with --tls-auth

Pruney
OpenVpn Newbie
Posts: 3
Joined: Fri Feb 09, 2018 11:00 am

Re: TLS Error: Cannot Locate HMAC

Post by Pruney » Mon Feb 12, 2018 1:18 pm

I'll try to rerun the key generation section on the guide (if I should even be following that).

Anything specific?

Pruney
OpenVpn Newbie
Posts: 3
Joined: Fri Feb 09, 2018 11:00 am

Re: TLS Error: Cannot Locate HMAC

Post by Pruney » Wed Feb 14, 2018 11:56 am

The issue has been resolved. I ran through generating the keys again, had an issue with OpenVPN not being able to find the CA, so I uncommented the ca.crt and server.crt and server.key in server.conf and it came to life!
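
An added example, not written by anyone in this thread and not OpenVPN project code: a small Python check that parses a server and a client config and reports the control-channel mismatches discussed above (tls-auth active on only one end, key-direction, auth digest, missing ca/cert/key on the server). The sample configs are constructed; the commented-out server lines and the client's inline `<tls-auth>` block are assumptions, and `parse_ovpn`, `direction` and `check_pair` are hypothetical helper names.

```python
import re

# Constructed samples modelled on this thread. The commented-out server lines and
# the client's inline <tls-auth> block are assumptions; the key body is a placeholder.
SERVER_CONF = """\
;ca ca.crt
;cert server.crt
;key server.key
;tls-auth ta.key 0
key-direction 0
auth SHA256
"""
CLIENT_CONF = """\
auth SHA256
key-direction 1
<tls-auth>
PLACEHOLDER-STATIC-KEY
</tls-auth>
"""
INLINE = re.compile(r"^<([\w-]+)>$.*?^</\1>$", re.M | re.S)

def parse_ovpn(text):
    """Return {directive: [args]}; inline <name>...</name> blocks map to ['[inline]']."""
    opts = {m.group(1): ["[inline]"] for m in INLINE.finditer(text)}
    for line in INLINE.sub("", text).splitlines():
        line = re.sub(r"(^|\s)[#;].*", "", line).strip()  # drop comments (quoting not handled)
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts

def direction(opts):  # from 'tls-auth <file> <n>' or a separate key-direction line
    return (opts.get("tls-auth", [])[1:2] or opts.get("key-direction", [None]))[0]

def check_pair(server_text, client_text):
    """Compare control-channel settings of both ends; return a list of findings."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    findings = []
    if ("tls-auth" in s) != ("tls-auth" in c):
        side = "server" if "tls-auth" in c else "client"
        findings.append(f"tls-auth not active on {side}; peer cannot locate HMAC")
    elif "tls-auth" in s and {direction(s), direction(c)} not in ({"0", "1"}, {None}):
        findings.append("key-direction must be 0 on one end and 1 on the other")
    if s.get("auth", ["SHA1"]) != c.get("auth", ["SHA1"]):  # SHA1 is the 2.4 default
        findings.append("auth digest differs between server and client")
    missing = [d for d in ("ca", "cert", "key") if d not in s]
    if missing:
        findings.append("server has no active " + "/".join(missing) + " directive")
    return findings
```

Calling `check_pair(SERVER_CONF, CLIENT_CONF)` on the constructed samples returns two findings; with the four commented server lines enabled it returns an empty list.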

DAB62
OpenVpn Newbie
Posts: 1
Joined: Mon Nov 22, 2021 9:46 am

Re: TLS Error: Cannot Locate HMAC

Post by DAB62 » Mon Nov 22, 2021 10:02 am

I had this error in Nov 2021 and wasted about half a day trying to fix it (yes, it is somewhat embarrassing). This was after about 3 years of OpenVPN server working perfectly, without interruption! My OpenVPN server is behind another router which is exposed to the Internet. The Internet router forwards the UDP port to the second router, and the second router forwards the UDP traffic to another port number on the OpenVPN server. The problem was that I changed the second router and lost the configuration, and it no longer forwarded the traffic to the OpenVPN server. So, the port on the Internet router *seemed* to be open to the OpenVPN client, but it didn't go anywhere and there was no reply. Once I set up the port forwarding correctly on the internal router, things started working again perfectly. The solution was to test my connection directly to the internal server, without going via the Internet, then I understood that it was a router problem.
