Openvpn: tls-crypt unwrap error: packet too short

Post by Asher256 » Fri Apr 20, 2018 6:39 pm

Hi,

I configured OpenVPN server v2.4.5 and the Linux workstations were able to connect to the VPN successfully.

The only clients that did not work were Android phones (Android apps: "OpenVPN for Android" or "OpenVPN connect"). Each time I try to connect with an Android phone, I have the error below on the OpenVPN server side:

TLS: Initial packet from [AF_INET]208.74.193.21:47546, sid=dc5eafbc 22024732
tls-crypt unwrap error: packet too short
TLS Error: tls-crypt unwrapping failed from [AF_INET]208.74.193.21:47546
Fatal TLS error (check_tls_errors_co), restarting
SIGUSR1[soft,tls-error] received, client-instance restarting

This is the OpenVPN server side configuration:

# MANAGED BY ANSIBLE
port 1194
proto tcp
dev tun
auth SHA512
cipher AES-256-CBC
tls-crypt /etc/openvpn/easy-rsa/keys/ta.key
key-direction 0
user nobody
group nogroup
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
server 172.25.0.0 255.255.0.0
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3
client-config-dir /etc/openvpn/ccd
client-to-client

This is the Android client "*.ovpn" file:

client
dev tun
remote URL.DOMAIN.COM 1194
proto tcp
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
verb 1
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>

Do you have any idea how to solve this issue? (It is caused by tls-crypt/tls-auth according to my last test. Check the "PS:" below)

Thank you!

PS: I was able to connect my Android phones to the VPN server by removing tls-crypt from the server side and tls-auth from the Android side. It looks like the issue is related to the extra protection tls-crypt.

Re: Openvpn: tls-crypt unwrap error: packet too short

Post by TinCanTech » Fri Apr 20, 2018 7:20 pm

--tls-crypt is a superior replacement for --tls-auth .. use the same both ends.
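
An added example, not part of the thread and not OpenVPN's own code: a small Python check that reads a server and a client config and reports whether both enable the same control-channel wrapping directive, which is the mismatch visible in the two configs posted above (tls-crypt on the server, an inline <tls-auth> block on the client). The sample configs are abridged from the posts with placeholder key material, and CLIENT_MATCHING is an assumed corrected client.

```python
import re

# Directives that wrap the TLS control channel; both peers must use the same one.
WRAP = ("tls-auth", "tls-crypt")

def control_channel_wrap(config_text):
    """Return the tls-auth/tls-crypt directives a config enables (file or inline form)."""
    found, inline = set(), None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if inline:  # inside <name>...</name>: key/cert material, not directives
            if line == f"</{inline}>":
                inline = None
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            inline = name = m.group(1)
        else:
            name = line.split()[0].lstrip("-") if line else ""
        if name in WRAP:
            found.add(name)
    return found

def check_pair(server_text, client_text):
    """Return (ok, message) for one server/client config pair."""
    s, c = control_channel_wrap(server_text), control_channel_wrap(client_text)
    label = lambda d: " + ".join(sorted(d)) or "no wrapping"
    if len(s) > 1 or len(c) > 1:
        return False, "one config enables both tls-auth and tls-crypt"
    if s != c:
        return False, f"mismatch: server={label(s)}, client={label(c)}"
    return True, f"both ends use {label(s)}"

# Constructed samples, abridged from the thread's configs; key material is a placeholder.
SERVER = "proto tcp\ntls-crypt /etc/openvpn/easy-rsa/keys/ta.key\nkey-direction 0\n"
CLIENT_AS_POSTED = """client
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(placeholder)
-----END OpenVPN Static key V1-----
</tls-auth>
"""
# Assumption: the same client with the inline block renamed to match the server.
CLIENT_MATCHING = CLIENT_AS_POSTED.replace("tls-auth>", "tls-crypt>")

if __name__ == "__main__":
    print(check_pair(SERVER, CLIENT_AS_POSTED))
    print(check_pair(SERVER, CLIENT_MATCHING))
```

Running such a check over each generated client profile before distributing it catches the mismatch before it shows up as an unwrap error in the server log.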
