Server with ed25519 certs fails on LAN with TLS Error: local/remote TLS keys are out of sync

stvs · Post by **stvs** » Sun Nov 06, 2022 3:19 am

[oconf]

I've configured a server with ed25519 and two routes. The server works fine for clients off the LAN. However, on the LAN trying the connect throws the error "TLS Error: local/remote TLS keys are out of sync" (partial log below).

I am able to ping clients when connected from the WAN. I do not observe this issue with RSA or P384 keys.

server.ovpn:

Code: Select all

local 10.0.1.3
port 443
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
tls-crypt ta.key
dh none
ecdh-curve ed25519
server 10.8.0.0 255.255.255.0
route 10.0.1.0 255.255.255.0
route 10.8.0.0 255.255.255.0
topology subnet
push "route 10.0.1.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 10.0.1.3"
cipher AES-256-GCM
tls-version-min 1.3
persist-key
persist-tun
ifconfig-pool-persist "/usr/local/ipp.txt"
verb 3

client.ovpn:

Code: Select all

client
dev tun
proto udp
remote server.com 443
redirect-gateway def1
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
<ca>
…
</ca>
<cert>
…
</cert>
<key>
…
</key>
key-direction 1
<tls-crypt>
…
</tls-crypt>
cipher AES-256-GCM
tls-version-min 1.3
verb 3

Logs:

Code: Select all

2022-11-05 22:39:36.684724 10.0.1.29:60304 TLS: Initial packet from [AF_INET]10.0.1.29:60304, sid=19ec786c fb2cc2f9
2022-11-05 22:39:37.138273 TLS Error: local/remote TLS keys are out of sync: [AF_INET]10.0.1.29:60304 [0]
2022-11-05 22:39:37.672571 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1667702376) 2022-11-05 22:39:36 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
2022-11-05 22:39:37.672614 tls-crypt unwrap error: packet replay
2022-11-05 22:39:37.672635 TLS Error: tls-crypt unwrapping failed from [AF_INET]10.0.1.29:60304
2022-11-05 22:39:38.679025 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1667702376) 2022-11-05 22:39:36 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
2022-11-05 22:39:38.679061 tls-crypt unwrap error: packet replay
2022-11-05 22:39:38.679078 TLS Error: tls-crypt unwrapping failed from [AF_INET]10.0.1.29:60304
2022-11-05 22:39:39.558470 TLS Error: local/remote TLS keys are out of sync: [AF_INET]10.0.1.29:60304 [0]
2022-11-05 22:39:39.566405 TLS Error: local/remote TLS keys are out of sync: [AF_INET]10.0.1.29:60304 [0]
2022-11-05 22:39:39.637268 TLS Error: local/remote TLS keys are out of sync: [AF_INET]10.0.1.29:60304 [0]
2022-11-05 22:39:39.674872 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1667702376) 2022-11-05 22:39:36 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
2022-11-05 22:39:39.674914 tls-crypt unwrap error: packet replay
2022-11-05 22:39:39.674936 TLS Error: tls-crypt unwrapping failed from [AF_INET]10.0.1.29:60304

Post by **Pippin** » Mon Nov 07, 2022 10:11 pm

Hi,

Can you try

Code: Select all

push "redirect-gateway local"

OpenVPN Support Forum

Server with ed25519 certs fails on LAN with TLS Error: local/remote TLS keys are out of sync

Server with ed25519 certs fails on LAN with TLS Error: local/remote TLS keys are out of sync

Re: Server with ed25519 certs fails on LAN with TLS Error: local/remote TLS keys are out of sync