Windows client not connecting (macOS/Android do work)

Post by keypulse » Sat Oct 22, 2022 4:19 pm

Hi

I run OpenVPN server on an Ubuntu VPS. Yesterday I had to rebuild the server and after this I discovered that my Windows client no longer connects, yet my macOS and Android clients still work perfectly.

I went from Ubuntu 20.4 LTS to 22.4 LTS, then after reinstalling the OpenVPN server I pulled down one .ovpn config file from it. I deleted the old profiles on each client and added the same new config file to each. Both Windows and Mac are using OpenVPN Connect v3.3.6 and the Android phone uses 3.3.0

Here is the client config (same for each device):

Code:

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
verb 3

Here is the server config:

Code:

local xxx.xxx.xxx.xxx
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
push "block-outside-dns"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify

These are the logs on the server when I attempt to connect from Windows:

Code:

Oct 22 15:33:56 localhost openvpn[12517]: tls-crypt unwrap error: packet authentication failed
Oct 22 15:33:56 localhost openvpn[12517]: TLS Error: tls-crypt unwrapping failed from [AF_INET]xxx.xxx.xxx.xxx:42263
Oct 22 15:33:57 localhost openvpn[12517]: tls-crypt unwrap error: packet authentication failed
Oct 22 15:33:57 localhost openvpn[12517]: TLS Error: tls-crypt unwrapping failed from [AF_INET]xxx.xxx.xxx.xxx:42263
Oct 22 15:33:58 localhost openvpn[12517]: tls-crypt unwrap error: packet authentication failed
Oct 22 15:33:58 localhost openvpn[12517]: TLS Error: tls-crypt unwrapping failed from [AF_INET]xxx.xxx.xxx.xxx:42263
Oct 22 15:33:59 localhost openvpn[12517]: tls-crypt unwrap error: packet authentication failed
Oct 22 15:33:59 localhost openvpn[12517]: TLS Error: tls-crypt unwrapping failed from [AF_INET]xxx.xxx.xxx.xxx:42263
Oct 22 15:34:00 localhost openvpn[12517]: tls-crypt unwrap error: packet authentication failed
Oct 22 15:34:00 localhost openvpn[12517]: TLS Error: tls-crypt unwrapping failed from [AF_INET]xxx.xxx.xxx.xxx:42263

Other than deleting the old profile and recreating one by adding the new .ovpn file, nothing changed on the Windows machine so I'm totally stumped. I can't remember tweaking anything on Windows to get it working the last time. Any ideas appreciated.

Post by Pippin » Sat Oct 22, 2022 5:43 pm

Hi,

Make sure to use the correct tc.key.
Check paths on Windows:

Code:

tls-crypt "C:\\path\\to\\the\\files"

I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp

Post by keypulse » Sat Oct 22, 2022 7:32 pm

Pippin wrote:
Sat Oct 22, 2022 5:43 pm
Hi,

Make sure to use the correct tc.key.
Check paths on Windows:

Code:

tls-crypt "C:\\path\\to\\the\\files"

Thank you so much, it works now. I took tc.key from the server, placed it in my Windows home directory and just added the line to the .ovpn file:

Code:

tls-crypt tc.key

Out of interest do you know why Windows needed this but the Mac and Android phone do not? I could not find tc.key anywhere on the Windows machine so it must have been working without it prior to rebuilding the server.

Post by Pippin » Sat Oct 22, 2022 9:05 pm

Hi,

Glad you got it working now.

I'm not a Windows user myself.
I somewhat regularly look in OpenVPN Wiki:
https://community.openvpn.net/openvpn/wiki/

Regarding,

Code:

tls-crypt unwrap error: packet authentication failed

There are three causes I can think of:
1. It's the wrong file.
2. The path to the file is wrong. (for Windows: https://community.openvpn.net/openvpn/w ... dows_Guide)
3. The file is not present at all.

Out of interest do you know why Windows needed this but the Mac and Android phone do not?

If your Windows machine needs it then Mac and Android need it also.

You set up OpenVPN on your server so you (should) know what you configured.
Or you used a script (which changed since last time) to do it for you....
Or...?
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp

Post by keypulse » Sun Oct 23, 2022 2:14 pm

Pippin wrote:
Sat Oct 22, 2022 9:05 pm
Hi,

Glad you got it working now.

I'm not a Windows user myself.
I somewhat regularly look in OpenVPN Wiki:
https://community.openvpn.net/openvpn/wiki/

Regarding,

Code:

tls-crypt unwrap error: packet authentication failed

There are three causes I can think of:
1. It's the wrong file.
2. The path to the file is wrong. (for Windows: https://community.openvpn.net/openvpn/w ... dows_Guide)
3. The file is not present at all.

Out of interest do you know why Windows needed this but the Mac and Android phone do not?

If your Windows machine needs it then Mac and Android need it also.

You set up OpenVPN on your server so you (should) know what you configured.
Or you used a script (which changed since last time) to do it for you....
Or...?

Hi

I did indeed use a script, both times I followed the instructions here but notice that page has been updated since the first time I used it, so things could have changed.

The tc.key file was not present on the Windows or Mac machines, the phone isn't rooted so I can't be sure if it's in there or not. There was no path to it in the .ovpn config file used for all three devices.

After your advice I generated a key file on the server (but one could have been there already) and copied it to the Windows machine with scp, then deleted the profile on the Windows client and edited the config file, used it to add the profile again and it just worked.

But I've searched everywhere on the Mac and the key file isn't there, despite the client connecting fine. And the path still isn't in the only .ovpn file in /Users/keypulse/Library/Application Support/OpenVPN Connect/profiles

Mac config:

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
verb 3


I'm very happy it's working on all three devices (thanks again!) but also curious when things work when they shouldn't, so I'm happy to do any testing and post logs to help to understand why.

Post by Pippin » Sun Oct 23, 2022 4:04 pm

Hi,

It's simple, if the server has --tls-crypt configured all clients need it also.
I assume you re-imported the configs on your clients.
They probably have inline files.

If you have questions about what the script did you can contact the one that wrote it.
Third party install scripts are basically out of scope on this forum.
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
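
The causes listed in this thread (wrong key, wrong path, key absent, or a key carried inline in the profile) can be told apart without printing the secret. The following is an added example, not part of the original thread: it finds where a client profile gets its tls-crypt key and compares SHA-256 fingerprints with the server's tc.key. Function names, the `vpn.example.test` host and the sample keys are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"

def key_fingerprint(key_text):
    """SHA-256 of the key bytes; comments and line breaks do not affect it."""
    if BEGIN not in key_text or END not in key_text:
        raise ValueError("not an OpenVPN static key")
    body = key_text.split(BEGIN, 1)[1].split(END, 1)[0]
    return hashlib.sha256(bytes.fromhex("".join(body.split()))).hexdigest()

def tls_crypt_source(profile_text):
    """Return ("inline", key_text), ("file", path) or ("missing", None)."""
    inline = re.search(r"<tls-crypt>(.*?)</tls-crypt>", profile_text, re.S)
    if inline:
        return "inline", inline.group(1)
    for line in profile_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "tls-crypt":
            # Quoted Windows paths use doubled backslashes in the config
            return "file", parts[1].strip().strip('"').replace("\\\\", "\\")
    return "missing", None

def check_profile(profile_text, server_key_text, read_file=lambda p: Path(p).read_text()):
    """Compare the profile's tls-crypt key with the server's, by fingerprint only."""
    kind, value = tls_crypt_source(profile_text)
    if kind == "missing":
        return "missing"
    try:
        client_key = read_file(value) if kind == "file" else value
        same = key_fingerprint(client_key) == key_fingerprint(server_key_text)
    except (OSError, ValueError):
        return kind + ": unreadable"
    return kind + (": match" if same else ": mismatch")

def sample_key(seed):
    """Constructed 2048-bit key for the demo, not a real secret."""
    h = hashlib.shake_256(seed).hexdigest(256)
    rows = [h[i:i + 32] for i in range(0, len(h), 32)]
    return "\n".join(["# constructed sample", BEGIN, *rows, END]) + "\n"

if __name__ == "__main__":
    base = "client\nremote vpn.example.test 1194\ncipher AES-256-CBC\n"  # constructed
    server = sample_key(b"server")
    print(check_profile(base, server))
    print(check_profile(base + "<tls-crypt>\n" + server + "</tls-crypt>\n", server))
    print(check_profile(base + "tls-crypt tc.key\n", server, {"tc.key": sample_key(b"old")}.get))
```

Run it against the profile file each client actually imported, since a profile with an inline `<tls-crypt>` block needs no separate tc.key on disk.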
