[Solved] HMAC authentication failed while trying to connect

bznelson
OpenVpn Newbie
Posts: 6
Joined: Mon Mar 19, 2018 1:13 am

Post by bznelson » Mon Apr 09, 2018 10:52 pm

Client can't connect. Used PiVPN to install and generate keys/config files. Error in the server log is:

Apr  9 22:02:46 raspberrypi ovpn-server[12210]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Apr  9 22:02:46 raspberrypi ovpn-server[12210]: TLS Error: incoming packet authentication failed from [AF_INET]174.206.22.22:7533

Server:
Linux raspberrypi 4.9.35+ #1014 Fri Jun 30 14:34:49 BST 2017 armv6l GNU/Linux

Client:
Android Oreo Pixel 2 OpenVPN client

server

dev tun
proto udp
port 1169
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_CqXZt2pzIwXhf5hu.crt
key /etc/openvpn/easy-rsa/pki/private/server_CqXZt2pzIwXhf5hu.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 10.8.0.1"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 10 120
remote-cert-tls client
mode server
tls-server
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 4

Apr  9 22:01:37 raspberrypi ovpn-server[457]: event_wait : Interrupted system call (code=4)
Apr  9 22:01:37 raspberrypi ovpn-server[457]: Closing TUN/TAP interface
Apr  9 22:01:37 raspberrypi ovpn-server[457]: /sbin/ip addr del dev tun0 10.8.0.1/24
Apr  9 22:01:37 raspberrypi ovpn-server[457]: Linux ip addr del failed: external program exited with error status: 2
Apr  9 22:01:37 raspberrypi ovpn-server[457]: SIGTERM[hard,] received, process exiting
Apr  9 22:01:47 raspberrypi ovpn-server[12196]: Current Parameter Settings:
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   config = '/etc/openvpn/server.conf'
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   mode = 1
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   persist_config = DISABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   persist_mode = 1
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   show_ciphers = DISABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   show_digests = DISABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   show_engines = DISABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   genkey = DISABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   key_pass_file = '[UNDEF]'
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   show_tls_ciphers = DISABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]: Connection profiles [default]:
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   proto = udp
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   local = '[UNDEF]'
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   local_port = 1169
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   remote = '[UNDEF]'
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   remote_port = 1169
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   remote_float = DISABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   bind_defined = DISABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   bind_local = ENABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   connect_retry_seconds = 5
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   connect_timeout = 10
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   connect_retry_max = 0
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   socks_proxy_server = '[UNDEF]'
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   socks_proxy_port = 0
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   socks_proxy_retry = DISABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   tun_mtu = 1500
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   tun_mtu_defined = ENABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   link_mtu = 1500
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   link_mtu_defined = DISABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   tun_mtu_extra = 0
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   tun_mtu_extra_defined = DISABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   mtu_discover_type = -1
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   fragment = 0
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   mssfix = 1450
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   explicit_exit_notification = 0
Apr  9 22:01:47 raspberrypi ovpn-server[12196]: Connection profiles END
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   remote_random = DISABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   ipchange = '[UNDEF]'
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   dev = 'tun'
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   dev_type = '[UNDEF]'
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   dev_node = '[UNDEF]'
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   lladdr = '[UNDEF]'
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   topology = 3
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   tun_ipv6 = DISABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   ifconfig_local = '10.8.0.1'
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   ifconfig_remote_netmask = '255.255.255.0'
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   ifconfig_noexec = DISABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   ifconfig_nowarn = DISABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   ifconfig_ipv6_local = '[UNDEF]'
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   ifconfig_ipv6_netbits = 0
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   ifconfig_ipv6_remote = '[UNDEF]'
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   shaper = 0
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   mtu_test = 0
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   mlock = DISABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   keepalive_ping = 10
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   keepalive_timeout = 120
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   inactivity_timeout = 0
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   ping_send_timeout = 10
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   ping_rec_timeout = 240
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   ping_rec_timeout_action = 2
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   ping_timer_remote = DISABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   remap_sigusr1 = 0
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   persist_tun = ENABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   persist_local_ip = DISABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   persist_remote_ip = DISABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   persist_key = ENABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   passtos = DISABLED
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   resolve_retry_seconds = 1000000000
Apr  9 22:01:47 raspberrypi ovpn-server[12196]:   username = 'nobody'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   groupname = 'nogroup'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   chroot_dir = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   cd_dir = '/etc/openvpn'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   writepid = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   up_script = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   down_script = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   down_pre = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   up_restart = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   up_delay = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   daemon = ENABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   inetd = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   log = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   suppress_timestamps = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   nice = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   verbosity = 4
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   mute = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   gremlin = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   status_file = '/var/log/openvpn-status.log'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   status_file_version = 3
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   status_file_update_freq = 20
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   occ = ENABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   rcvbuf = 65536
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   sndbuf = 65536
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   mark = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   sockflags = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   fast_io = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   lzo = 7
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   route_script = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   route_default_gateway = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   route_default_metric = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   route_noexec = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   route_delay = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   route_delay_window = 30
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   route_delay_defined = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   route_nopull = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   route_gateway_via_dhcp = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   max_routes = 100
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   allow_pull_fqdn = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   management_addr = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   management_port = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   management_user_pass = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   management_log_history_cache = 250
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   management_echo_buffer_size = 100
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   management_write_peer_info_file = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   management_client_user = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   management_client_group = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   management_flags = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   shared_secret_file = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   key_direction = 1
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   ciphername_defined = ENABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   ciphername = 'AES-256-CBC'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   authname_defined = ENABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   authname = 'SHA256'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   prng_hash = 'SHA1'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   prng_nonce_secret_len = 16
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   keysize = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   engine = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   replay = ENABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   mute_replay_warnings = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   replay_window = 64
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   replay_time = 15
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   packet_id_file = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   use_iv = ENABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   test_crypto = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   tls_server = ENABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   tls_client = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   key_method = 2
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   ca_file = '/etc/openvpn/easy-rsa/pki/ca.crt'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   ca_path = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   dh_file = '/etc/openvpn/easy-rsa/pki/dh2048.pem'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   cert_file = '/etc/openvpn/easy-rsa/pki/issued/server_CqXZt2pzIwXhf5hu.crt'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   priv_key_file = '/etc/openvpn/easy-rsa/pki/private/server_CqXZt2pzIwXhf5hu.key'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs12_file = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   cipher_list = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   tls_verify = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   tls_export_cert = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   verify_x509_type = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   verify_x509_name = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   crl_file = '/etc/openvpn/crl.pem'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   ns_cert_type = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   remote_cert_ku[i] = 128
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   remote_cert_ku[i] = 8
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   remote_cert_ku[i] = 136
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   remote_cert_ku[i] = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   remote_cert_ku[i] = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   remote_cert_ku[i] = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   remote_cert_ku[i] = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   remote_cert_ku[i] = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   remote_cert_ku[i] = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   remote_cert_ku[i] = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   remote_cert_ku[i] = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   remote_cert_ku[i] = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   remote_cert_ku[i] = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   remote_cert_ku[i] = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   remote_cert_ku[i] = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   remote_cert_ku[i] = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   remote_cert_eku = 'TLS Web Client Authentication'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   ssl_flags = 192
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   tls_timeout = 2
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   renegotiate_bytes = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   renegotiate_packets = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   renegotiate_seconds = 3600
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   handshake_window = 60
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   transition_window = 3600
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   single_session = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   push_peer_info = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   tls_exit = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   tls_auth_file = '/etc/openvpn/easy-rsa/pki/ta.key'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_protected_authentication = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_protected_authentication = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_protected_authentication = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_protected_authentication = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_protected_authentication = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_protected_authentication = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_protected_authentication = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_protected_authentication = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_protected_authentication = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_protected_authentication = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_protected_authentication = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_protected_authentication = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_protected_authentication = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_protected_authentication = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_protected_authentication = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_protected_authentication = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_private_mode = 00000000
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_private_mode = 00000000
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_private_mode = 00000000
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_private_mode = 00000000
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_private_mode = 00000000
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_private_mode = 00000000
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_private_mode = 00000000
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_private_mode = 00000000
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_private_mode = 00000000
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_private_mode = 00000000
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_private_mode = 00000000
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_private_mode = 00000000
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_private_mode = 00000000
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_private_mode = 00000000
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_private_mode = 00000000
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_private_mode = 00000000
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_cert_private = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_cert_private = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_cert_private = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_cert_private = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_cert_private = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_cert_private = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_cert_private = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_cert_private = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_cert_private = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_cert_private = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_cert_private = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_cert_private = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_cert_private = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_cert_private = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_cert_private = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_cert_private = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_pin_cache_period = -1
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_id = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pkcs11_id_management = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   server_network = 10.8.0.0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   server_netmask = 255.255.255.0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   server_network_ipv6 = ::
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   server_netbits_ipv6 = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   server_bridge_ip = 0.0.0.0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   server_bridge_netmask = 0.0.0.0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   server_bridge_pool_start = 0.0.0.0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   server_bridge_pool_end = 0.0.0.0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   push_entry = 'dhcp-option DNS 10.8.0.1'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   push_entry = 'redirect-gateway def1'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   push_entry = 'route-gateway 10.8.0.1'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   push_entry = 'topology subnet'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   push_entry = 'ping 10'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   push_entry = 'ping-restart 120'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   ifconfig_pool_defined = ENABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   ifconfig_pool_start = 10.8.0.2
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   ifconfig_pool_end = 10.8.0.253
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   ifconfig_pool_netmask = 255.255.255.0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   ifconfig_pool_persist_filename = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   ifconfig_pool_persist_refresh_freq = 600
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   ifconfig_ipv6_pool_defined = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   ifconfig_ipv6_pool_base = ::
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   ifconfig_ipv6_pool_netbits = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   n_bcast_buf = 256
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   tcp_queue_limit = 64
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   real_hash_size = 256
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   virtual_hash_size = 256
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   client_connect_script = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   learn_address_script = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   client_disconnect_script = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   client_config_dir = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   ccd_exclusive = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   tmp_dir = '/tmp'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   push_ifconfig_defined = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   push_ifconfig_local = 0.0.0.0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   push_ifconfig_remote_netmask = 0.0.0.0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   push_ifconfig_ipv6_defined = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   push_ifconfig_ipv6_local = ::/0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   push_ifconfig_ipv6_remote = ::
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   enable_c2c = ENABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   duplicate_cn = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   cf_max = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   cf_per = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   max_clients = 1024
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   max_routes_per_client = 256
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   auth_user_pass_verify_script = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   auth_user_pass_verify_script_via_file = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   port_share_host = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   port_share_port = 0
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   client = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   pull = DISABLED
Apr  9 22:01:48 raspberrypi ovpn-server[12196]:   auth_user_pass_file = '[UNDEF]'
Apr  9 22:01:48 raspberrypi ovpn-server[12196]: OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017
Apr  9 22:01:48 raspberrypi ovpn-server[12196]: library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Apr  9 22:01:48 raspberrypi ovpn-server[12196]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Apr  9 22:01:48 raspberrypi ovpn-server[12196]: Diffie-Hellman initialized with 2048 bit key
Apr  9 22:01:48 raspberrypi ovpn-server[12196]: Control Channel Authentication: using '/etc/openvpn/easy-rsa/pki/ta.key' as a OpenVPN static key file
Apr  9 22:01:49 raspberrypi ovpn-server[12196]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr  9 22:01:49 raspberrypi ovpn-server[12196]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr  9 22:01:49 raspberrypi ovpn-server[12196]: TLS-Auth MTU parms [ L:1570 D:178 EF:78 EB:0 ET:0 EL:0 ]
Apr  9 22:01:49 raspberrypi ovpn-server[12196]: Socket Buffers: R=[163840->131072] S=[163840->131072]
Apr  9 22:01:49 raspberrypi ovpn-server[12196]: TUN/TAP device tun0 opened
Apr  9 22:01:49 raspberrypi ovpn-server[12196]: TUN/TAP TX queue length set to 100
Apr  9 22:01:49 raspberrypi ovpn-server[12196]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Apr  9 22:01:49 raspberrypi ovpn-server[12196]: /sbin/ip link set dev tun0 up mtu 1500
Apr  9 22:01:49 raspberrypi ovpn-server[12196]: /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Apr  9 22:01:49 raspberrypi ovpn-server[12196]: Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:135 ET:0 EL:0 AF:3/1 ]
Apr  9 22:01:49 raspberrypi ovpn-server[12210]: GID set to nogroup
Apr  9 22:01:49 raspberrypi ovpn-server[12210]: UID set to nobody
Apr  9 22:01:49 raspberrypi ovpn-server[12210]: UDPv4 link local (bound): [undef]
Apr  9 22:01:49 raspberrypi ovpn-server[12210]: UDPv4 link remote: [undef]
Apr  9 22:01:49 raspberrypi ovpn-server[12210]: MULTI: multi_init called, r=256 v=256
Apr  9 22:01:49 raspberrypi ovpn-server[12210]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Apr  9 22:01:49 raspberrypi ovpn-server[12210]: Initialization Sequence Completed
Apr  9 22:02:46 raspberrypi ovpn-server[12210]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Apr  9 22:02:46 raspberrypi ovpn-server[12210]: TLS Error: incoming packet authentication failed from [AF_INET]174.206.22.22:7533
Apr  9 22:02:47 raspberrypi ovpn-server[12210]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Apr  9 22:02:47 raspberrypi ovpn-server[12210]: TLS Error: incoming packet authentication failed from [AF_INET]174.206.22.22:7533
Apr  9 22:02:48 raspberrypi ovpn-server[12210]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Apr  9 22:02:48 raspberrypi ovpn-server[12210]: TLS Error: incoming packet authentication failed from [AF_INET]174.206.22.22:7533
Apr  9 22:02:49 raspberrypi ovpn-server[12210]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Apr  9 22:02:49 raspberrypi ovpn-server[12210]: TLS Error: incoming packet authentication failed from [AF_INET]174.206.22.22:7533

client

client
dev tun
proto udp
remote my.ip.addr.ess myport
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
tls-client
tls-version-min 1.2
verify-x509-name server_CqXZt2pzIwXhf5hu name
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 4
<ca>
-----BEGIN CERTIFICATE-----
MIIDKzCCAhOgAwIBAgIJAKz6z0Dsg1+OMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
...
p6qHSlf+LfWBCRCdVwXijFNo5Oaa1QDjuf+uwf8zR49cMFMxVF+21YDCWBRTObc=
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIDTjCCAjagAwIBAgIQVo8CQgi4k3WnDcX1berdRTANBgkqhkiG9w0BAQsFADAT
...
IDp76MrxIaRcftaMfef2dttHSyhnB98GqfhoW61mvMxubg==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,79FE993D8B53C922

rWdKn1mTqF/v+0FFDwjh2x14Lya/0Rhr+GyfzQhIbkeDZdZkJj0KrCY7dpun+PDV
...
gXgS+L7yKiSygvuLaP4+3dtL6Q33XaDVBUckz8qbxx7XvXNXmRpqYVWCBYF1Js5K
-----END RSA PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
0ed14a0c3ac769ba1c06d2d7eab07644
...
a7be8892e7cbf07c5a2284f95ec2ea35
-----END OpenVPN Static key V1-----
</tls-crypt>

17:17:45.337 -- ----- OpenVPN Start -----
17:17:45.337 -- EVENT: CORE_THREAD_ACTIVE
17:17:45.339 -- Frame=512/2048/512 mssfix-ctrl=1250
17:17:45.344 -- UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
10 [tls-client] 
12 [verify-x509-name] [server_CqXZt2pzIwXhf5hu] [name] 
16 [verb] [4] 
17:17:45.345 -- EVENT: RESOLVE
17:17:45.347 -- Contacting my.ip.addr.ess:myport via UDP
17:17:45.347 -- EVENT: WAIT
17:17:45.348 -- Connecting to [my.ip.addr.ess]:myport (my.ip.addr.ess) via UDPv4
17:17:55.334 -- EVENT: CONNECTION_TIMEOUT
17:17:55.336 -- EVENT: DISCONNECTED
17:17:55.338 -- EVENT: CORE_THREAD_INACTIVE
17:17:55.338 -- Tunnel bytes per CPU second: 0
17:17:55.339 -- ----- OpenVPN Stop -----

Thanks for any help!

Brad
Last edited by bznelson on Tue Apr 10, 2018 12:34 pm, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 5119
Joined: Fri Jun 03, 2016 1:17 pm

Re: HMAC authentication failed while trying to connect

Post by TinCanTech » Tue Apr 10, 2018 10:54 am

You have a PKI defined in your server but no client CA/cert/key/tlsauth .. is that intentional ?

Post by bznelson » Tue Apr 10, 2018 12:44 pm

If you're talking about the client keys/certs, I had omitted them in my original post. I've put them in but redacted/truncated (and I see that the oconf tag does some of that as well). The server side's keys/certs match appropriately, as far as I can see:

ca matches /etc/openvpn/easy-rsa/ca.crt
cert matches one of the certs in /etc/openvpn/easy-rsa/issued
key matches the appropriate key in /etc/openvpn/easy-rsa/private
tls-crypt matches /etc/openvpn/easy-rsa/ta.key

Brad
Last edited by bznelson on Wed Apr 11, 2018 4:16 am, edited 1 time in total.

Post by TinCanTech » Tue Apr 10, 2018 1:32 pm

Try without --user/group in your server config ..

Post by bznelson » Tue Apr 10, 2018 9:58 pm

TinCanTech wrote:
Tue Apr 10, 2018 1:32 pm
Try without --user/group in your server config ..
Same error with this change.

Brad

Post by TinCanTech » Wed Apr 11, 2018 1:02 am

bznelson wrote:
Tue Apr 10, 2018 12:44 pm
cert matches one of the certs in /etc/openvpn/easy-rsa/certs_by_serial
You mean "matches /etc/openvpn/easy-rsa/issued" .. right ?

Post by bznelson » Wed Apr 11, 2018 4:16 am

TinCanTech wrote:
Wed Apr 11, 2018 1:02 am
bznelson wrote:
Tue Apr 10, 2018 12:44 pm
cert matches one of the certs in /etc/openvpn/easy-rsa/certs_by_serial
You mean "matches /etc/openvpn/easy-rsa/issued" .. right ?
That, too, yes. :)

Brad

Post by bznelson » Wed Apr 11, 2018 12:39 pm

Any other ideas? I've tried regenerating the client ovpn profile, and I've tried doing another profile and connecting with the Windows client from a Windows 10 laptop, same error.

Brad

Post by TinCanTech » Wed Apr 11, 2018 1:11 pm

bznelson wrote:
Mon Apr 09, 2018 10:52 pm
Apr 9 22:02:46 raspberrypi ovpn-server[12210]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Apr 9 22:02:46 raspberrypi ovpn-server[12210]: TLS Error: incoming packet authentication failed from [AF_INET]174.206.22.22:7533
This usually means you have the wrong ta.key installed somewhere.

Post by TinCanTech » Wed Apr 11, 2018 1:41 pm

bznelson wrote:
Mon Apr 09, 2018 10:52 pm
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
bznelson wrote:
Mon Apr 09, 2018 10:52 pm
<tls-crypt>
:mrgreen:

Post by bznelson » Wed Apr 11, 2018 9:13 pm

Ah yes, the tls-auth/tls-crypt, that's it! Thank you so much! I was running a 2.3 server, but I had initially installed 2.4 and I guess there was some cross pollination.

Thanks again!

Brad
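
The mismatch that resolved this thread (server `tls-auth`, client profile `<tls-crypt>`) can be caught by comparing the control-channel settings of both configs before a profile is handed out. The script below is an added example, not part of the original posts and not PiVPN or OpenVPN code; the function names and the static key bytes are constructed for illustration, and only the directives quoted in the thread are taken from it.

```python
import hashlib
import re

WRAP = ("tls-auth", "tls-crypt")  # directives that key the control channel
KEY_RE = re.compile(
    r"-----BEGIN OpenVPN Static key V1-----(.*?)-----END OpenVPN Static key V1-----",
    re.S,
)


def parse_profile(text):
    """Split config text into directives and inline <tag>...</tag> blocks."""
    options, inline, tag, body = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if tag is not None:  # inside an inline block
            if line == f"</{tag}>":
                inline[tag], tag, body = "\n".join(body), None, []
            else:
                body.append(line)
            continue
        opened = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if opened:
            tag = opened.group(1)
        elif line and line[0] not in "#;":
            parts = line.split()
            options.setdefault(parts[0], []).append(parts[1:])
    return options, inline


def key_fingerprint(key_text):
    """Short SHA-256 fingerprint of a static key, so the key itself is never printed."""
    found = KEY_RE.search(key_text or "")
    if not found:
        return None
    return hashlib.sha256(bytes.fromhex("".join(found.group(1).split()))).hexdigest()[:16]


def control_channel(options, inline, files=None):
    """Summarise how one side wraps the control channel."""
    files = files or {}
    used = [d for d in WRAP if d in options or d in inline]
    mode = used[0] if len(used) == 1 else ("both" if used else "none")
    key_text, direction = None, None
    if mode in inline:
        key_text = inline[mode]
    elif mode in options:
        args = options[mode][-1]
        key_text = files.get(args[0]) if args else None
        if mode == "tls-auth" and len(args) > 1:
            direction = args[1]
    if mode == "tls-auth" and direction is None and options.get("key-direction"):
        args = options["key-direction"][-1]
        direction = args[0] if args else None
    auth = options.get("auth", [["SHA1"]])[-1][0]  # OpenVPN default digest is SHA1
    return {"mode": mode, "direction": direction, "auth": auth,
            "key_fp": key_fingerprint(key_text)}


def compare(server_text, client_text, server_files=None):
    """Return a list of human-readable mismatches; empty means consistent."""
    s = control_channel(*parse_profile(server_text), files=server_files)
    c = control_channel(*parse_profile(client_text))
    findings = []
    if s["mode"] != c["mode"]:
        findings.append("control channel wrapping differs: "
                        f"server uses {s['mode']}, client uses {c['mode']}")
    elif s["mode"] == "tls-auth" and \
            {s["direction"], c["direction"]} not in ({"0", "1"}, {None}):
        findings.append("tls-auth key directions are not complementary: "
                        f"server {s['direction']}, client {c['direction']}")
    if s["auth"] != c["auth"]:
        findings.append(f"auth digest differs: server {s['auth']}, client {c['auth']}")
    if s["key_fp"] and c["key_fp"] and s["key_fp"] != c["key_fp"]:
        findings.append("static key differs: "
                        f"server {s['key_fp']}, client {c['key_fp']}")
    return findings


# Constructed sample data: the key bytes are made up and shorter than a real ta.key.
def _sample_key(first_line):
    return ("-----BEGIN OpenVPN Static key V1-----\n" + first_line +
            "\n101112131415161718191a1b1c1d1e1f\n-----END OpenVPN Static key V1-----")

SAMPLE_KEY = _sample_key("000102030405060708090a0b0c0d0e0f")
OTHER_KEY = _sample_key("ffeeddccbbaa99887766554433221100")
SERVER_CONF = ("proto udp\ntls-auth /etc/openvpn/easy-rsa/pki/ta.key 0\n"
               "cipher AES-256-CBC\nauth SHA256\n")
SERVER_FILES = {"/etc/openvpn/easy-rsa/pki/ta.key": SAMPLE_KEY}
CLIENT_TEMPLATE = ("client\nproto udp\nkey-direction 1\ncipher AES-256-CBC\n"
                   "auth SHA256\n<{tag}>\n{key}\n</{tag}>\n")
CLIENT_AS_POSTED = CLIENT_TEMPLATE.format(tag="tls-crypt", key=SAMPLE_KEY)
CLIENT_FIXED = CLIENT_TEMPLATE.format(tag="tls-auth", key=SAMPLE_KEY)
CLIENT_WRONG_KEY = CLIENT_TEMPLATE.format(tag="tls-auth", key=OTHER_KEY)

if __name__ == "__main__":
    for name, profile in [("as posted", CLIENT_AS_POSTED), ("fixed", CLIENT_FIXED),
                          ("wrong key", CLIENT_WRONG_KEY)]:
        print(name, "->", compare(SERVER_CONF, profile, SERVER_FILES) or "consistent")
```

On a real server, pass the actual file contents for the path named in the `tls-auth` line instead of `SERVER_FILES`; only fingerprints are reported, so the output can be pasted into a support thread without leaking the key.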
