TLS errors that make no sense to me

scarville
OpenVpn Newbie
Posts: 2
Joined: Wed Jul 31, 2019 6:54 pm

Post by scarville » Tue Jul 11, 2023 7:26 am

I am having a heckuva time setting up openvpn between two servers. Eventually I intend to use the tunnel to reach a proxy but, right now, I am just trying to get a connection up. When I try, I get TLS errors that I can't figure out.

$  sudo openvpn --config client-rw.ovpn 

Tue Jul 11 00:05:10 2023 OpenVPN 2.4.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 25 2022
Tue Jul 11 00:05:10 2023 library versions: OpenSSL 1.1.1k  FIPS 25 Mar 2021, LZO 2.08
Tue Jul 11 00:05:10 2023 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Jul 11 00:05:10 2023 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Jul 11 00:05:10 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]10.222.75.25:1194
Tue Jul 11 00:05:10 2023 Socket Buffers: R=[131072->131072] S=[16384->16384]
Tue Jul 11 00:05:10 2023 Attempting to establish TCP connection with [AF_INET]10.222.75.25:1194 [nonblock]
Tue Jul 11 00:05:11 2023 TCP connection established with [AF_INET]10.222.75.25:1194
Tue Jul 11 00:05:11 2023 TCP_CLIENT link local: (not bound)
Tue Jul 11 00:05:11 2023 TCP_CLIENT link remote: [AF_INET]10.222.75.25:1194
Tue Jul 11 00:05:11 2023 Connection reset, restarting [0]
Tue Jul 11 00:05:11 2023 SIGUSR1[soft,connection-reset] received, process restarting
Tue Jul 11 00:05:11 2023 Restart pause, 5 second(s)
^CTue Jul 11 00:05:12 2023 SIGINT[hard,init_instance] received, process exiting
The corresponding server log tells me:

Jul 11 00:05:10 scaovpn01 openvpn[7258]: MULTI: multi_create_instance called
Jul 11 00:05:10 scaovpn01 openvpn[7258]: Re-using SSL/TLS context
Jul 11 00:05:10 scaovpn01 openvpn[7258]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jul 11 00:05:10 scaovpn01 openvpn[7258]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jul 11 00:05:10 scaovpn01 openvpn[7258]: Control Channel MTU parms [ L:1623 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Jul 11 00:05:10 scaovpn01 openvpn[7258]: Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Jul 11 00:05:10 scaovpn01 openvpn[7258]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
Jul 11 00:05:10 scaovpn01 openvpn[7258]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
Jul 11 00:05:10 scaovpn01 openvpn[7258]: TCP connection established with [AF_INET]10.222.75.104:37672
Jul 11 00:05:10 scaovpn01 openvpn[7258]: TCPv4_SERVER link local: (not bound)
Jul 11 00:05:10 scaovpn01 openvpn[7258]: TCPv4_SERVER link remote: [AF_INET]10.222.75.104:37672
Jul 11 00:05:11 scaovpn01 openvpn[7258]: 10.222.75.104:37672 TLS: Initial packet from [AF_INET]10.222.75.104:37672, sid=3aa65a05 84ee8977
Jul 11 00:05:11 scaovpn01 openvpn[7258]: 10.222.75.104:37672 Authenticate/Decrypt packet error: packet HMAC authentication failed
Jul 11 00:05:11 scaovpn01 openvpn[7258]: 10.222.75.104:37672 TLS Error: incoming packet authentication failed from [AF_INET]10.222.75.104:37672
Jul 11 00:05:11 scaovpn01 openvpn[7258]: 10.222.75.104:37672 Fatal TLS error (check_tls_errors_co), restarting
Jul 11 00:05:11 scaovpn01 openvpn[7258]: 10.222.75.104:37672 SIGUSR1[soft,tls-error] received, client-instance restarting
Jul 11 00:05:11 scaovpn01 openvpn[7258]: TCP/UDP: Closing socket
The above errors make no sense to me. I checked and double checked every cert and key. I even tore the whole thing down and started again from scratch, double checking every part of TLS along the way. The firewall on the server is configured to allow port 1194/tcp. I turned off both firewalls for a few tests but that didn't help either. I set selinux to permissive JIC but that didn't help. I am running out of things to try.

I've set up openvpn dozens of times in the past with no problems beyond an occasional typo. Those were with older versions so maybe that is the problem.

What am I overlooking?

---

Server Side

OS: Oracle Linux 9
OpenVPN 2.5.9

Server Config

mode server
dev tun
local 10.222.75.25
port 1194
proto tcp-server

# TLS parms
tls-server
cert /etc/pki/openvpn/certs/ovpn-scraper.crt
key /etc/pki/openvpn/private/ovpn-scraper.key
ca /etc/pki/openvpn/ca.crt
dh /etc/pki/openvpn/dh.pem
tls-auth /etc/pki/openvpn/ta.key

auth SHA512

# don't require client certs
# verify-client-cert none

# login with username and password
# plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login

# The server's virtual endpoints
ifconfig 10.8.0.1 10.8.0.2

# pool if /30 subnets to allocate to clients
ifconfig-pool 10.8.0.4 10.8.0.255

# Push route to client to bind it to our local virtual endpoint.
push "route 10.8.0.1 255.255.255.255"

push "dhcp-option DOMAIN lereta.net"
push "dhcp-option DNS 10.222.75.6"

keepalive 10 60
inactive 600

# Route the --ifconfig pool range into the OpenVPN server.
route 10.8.0.0 255.255.255.0

# drop privileges
user openvpn
group openvpn

# Keep TUN devices and keys open across restarts.
persist-tun
persist-key

verb 4

tun-mtu 1500


Client side

OS: Oracle Linux 8
OpenVPN 2.4.12

Client Config

#------------------------------------------------
# openvpn client configuration for ovpn-scraper.lereta.ent
# DTL047IO
#------------------------------------------------
client
dev tun
proto tcp-client

# authentication
# auth-user-pass
# setenv CLIENT_CERT 0

remote 10.222.75.25 1194

remote-random
resolv-retry infinite
nobind

# New clients automatically negotiate the optimal cipher.
cipher AES-256-GCM

auth SHA512
verb 3

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun

reneg-sec 0

remote-cert-tls server
pull

# Windows only
# block-outside-dns

<cert>
-----BEGIN CERTIFICATE-----
MIIDaDCCAlCgAwIBAgIQIhLCo+SgNuB0nH+rt+ZEiTANBgkqhkiG9w0BAQsFADAc
.
.
.
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDLp9gSBT3eT1Av
.
.
.
-----END PRIVATE KEY-----
</key>

<ca>
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIULY7hS5yiZy/79gKcWByOU2dEVCMwDQYJKoZIhvcNAQEL
.
.
.
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
2ac1c16b233228f51f2eab190fb7e990
.
.
.
-----END OpenVPN Static key V1-----
</tls-auth>

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: TLS errors that make no sense to me

Post by Pippin » Tue Jul 11, 2023 8:01 am

Hi,

Looks like you forgot --key-direction.
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
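The rule behind Pippin's answer: with tls-auth, either both sides omit the direction (bidirectional mode) or the server uses 0 and the client uses 1; any other pairing selects different HMAC keys from ta.key and the server logs "packet HMAC authentication failed" exactly as in the post. The checker below is an added example, not from the thread or the OpenVPN project; the function names are mine and the config excerpts are constructed from the configs posted above.

```python
"""Check that tls-auth key direction agrees between an OpenVPN server and client config."""


def tls_auth_direction(config_text):
    """Return the tls-auth key direction: 0, 1, None (bidirectional) or 'absent'.
    Handles 'tls-auth FILE [DIR]', 'key-direction DIR' and inline <tls-auth> blocks."""
    direction, present, inline = None, False, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':      # whole-line comments
            continue
        if line == '<tls-auth>':
            present, inline = True, True
            continue
        if line == '</tls-auth>':
            inline = False
            continue
        if inline:                            # key material, not directives
            continue
        parts = line.split()
        if parts[0] == 'tls-auth':
            present = True
            if len(parts) >= 3:               # optional trailing direction argument
                direction = int(parts[2])
        elif parts[0] == 'key-direction':
            direction = int(parts[1])
    return direction if present else 'absent'


def check_pair(server_cfg, client_cfg):
    """Return (ok, reason) for a server/client pair under OpenVPN's tls-auth rule."""
    s, c = tls_auth_direction(server_cfg), tls_auth_direction(client_cfg)
    if s == 'absent' or c == 'absent':
        return False, f'tls-auth configured on only one side (server={s}, client={c})'
    if s is None and c is None:
        return True, 'both sides bidirectional (no key-direction)'
    if s == 0 and c == 1:
        return True, 'server direction 0, client direction 1'
    return False, f'key-direction mismatch (server={s}, client={c}): HMAC keys differ'


# Constructed excerpts modelled on the posted configs (key material elided).
SERVER_AS_POSTED = "mode server\ntls-server\ntls-auth /etc/pki/openvpn/ta.key\nauth SHA512\n"
SERVER_FIXED = "mode server\ntls-server\ntls-auth /etc/pki/openvpn/ta.key 0\nauth SHA512\n"
CLIENT_AS_POSTED = ("client\nkey-direction 1\n<tls-auth>\n#\n# 2048 bit OpenVPN static key\n#\n"
                    "-----BEGIN OpenVPN Static key V1-----\n...\n"
                    "-----END OpenVPN Static key V1-----\n</tls-auth>\n")

if __name__ == '__main__':
    print(check_pair(SERVER_AS_POSTED, CLIENT_AS_POSTED))   # mismatch, as in the thread
    print(check_pair(SERVER_FIXED, CLIENT_AS_POSTED))       # ok after adding direction 0
```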

scarville
OpenVpn Newbie
Posts: 2
Joined: Wed Jul 31, 2019 6:54 pm

Re: TLS errors that make no sense to me

Post by scarville » Tue Jul 11, 2023 1:18 pm

Yeah, I did. Thank you. I can now connect Linux-to-Linux. Still won't import into the Windows client and the routing doesn't seem to work. ¯\_ (' ')_/¯

I don't remember openvpn being so damned contrary. Maybe I am getting too old for this work.
