tls-crypt unwrap error: packet too short

[MrMoore]

Hello All,

I recently setup my openvpn server on my Pi, however after 2/3 weeks of it running with zero issues today I found I couldnt connect to it. I've ran pivpn debug and I see the following in the logs.

Code: Select all

::::      Snippet of the server log      ::::
Oct 31 21:10:52 raspberrypi ovpn-server[489]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Oct 31 21:10:52 raspberrypi ovpn-server[489]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 31 21:10:52 raspberrypi ovpn-server[489]: TUN/TAP device tun0 opened
Oct 31 21:10:52 raspberrypi ovpn-server[489]: TUN/TAP TX queue length set to 100
Oct 31 21:10:52 raspberrypi ovpn-server[489]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Oct 31 21:10:52 raspberrypi ovpn-server[489]: /sbin/ip link set dev tun0 up mtu 1500
Oct 31 21:10:52 raspberrypi ovpn-server[489]: /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Oct 31 21:10:52 raspberrypi ovpn-server[489]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Oct 31 21:10:52 raspberrypi ovpn-server[489]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Oct 31 21:10:52 raspberrypi ovpn-server[489]: UDPv4 link local (bound): [AF_INET][undef]:1194
Oct 31 21:10:52 raspberrypi ovpn-server[489]: UDPv4 link remote: [AF_UNSPEC]
Oct 31 21:10:52 raspberrypi ovpn-server[489]: GID set to nogroup
Oct 31 21:10:52 raspberrypi ovpn-server[489]: UID set to nobody
Oct 31 21:10:52 raspberrypi ovpn-server[489]: MULTI: multi_init called, r=256 v=256
Oct 31 21:10:52 raspberrypi ovpn-server[489]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Oct 31 21:10:52 raspberrypi ovpn-server[489]: Initialization Sequence Completed
Nov  1 03:08:43 raspberrypi ovpn-server[489]: tls-crypt unwrap error: packet too short
Nov  1 03:08:43 raspberrypi ovpn-server[489]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:33219
Nov  1 09:57:52 raspberrypi ovpn-server[489]: tls-crypt unwrap error: packet too short
Nov  1 09:57:52 raspberrypi ovpn-server[489]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:39842

Any advice would be highly appreciated as im very new to this so still learning the ropes.

Many Thanks,
Aaron

[Pippin]

Post your server config and client config.

[MrMoore]

Post your server config and client config.

Sounds stupid but I dont actually know the command to get these.

Hahahaha Im a noob

[TinCanTech]

Perhaps thistle help ..

Please see:
viewtopic.php?f=30&t=22603

[MrMoore]

Perhaps thistle help ..

Please see:
viewtopic.php?f=30&t=22603

I've had a read and still haven't found how to get the server clients...

[MrMoore]

SERVER:

View Originalfile

dev tun
proto udp
port 1194
ca
cert
key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io

[MrMoore]

CLIENT:

View Originalfile

client
dev tun
proto udp
remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name foo name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>

</ca>
<cert>

</cert>
<key>

</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-crypt>

[MrMoore]

any update on this would be appreciated as currently unable to securely VPN when away from home.

[Pippin]

Try following:
Copy ta.key from server to client.
Remove inline tls-crypt key from client config.
Add to client config:

Code: Select all

tls-crypt /path/to/ta.key

[MrMoore]

Try following:
Copy ta.key from server to client.
Remove inline tls-crypt key from client config.
Add to client config:

Code: Select all

tls-crypt /path/to/ta.key

Nope, still nothing... no luck I'm afraid

[TinCanTech]

Try removing these from the client:

Code: Select all

persist-key
persist-tun

[MrMoore]

Try removing these from the client:

Code: Select all

persist-key
persist-tun

Still nothing, I've now uninstalled this all together and reinstalled thinking it could have been something corrupt.

[Pippin]

What client is this?

[MrMoore]

What client is this?

I'm not quite sure what you mean? I've installed the pivpn, which uses openvpn.

[TinCanTech]

I use --tls-crypt with no such issue, so you have either corrupted the key file or used the wrong key.

Also, sorry but we do not support your script.

[TinCanTech]

Having double checked my settings, I am actually seeing the same .. will investigate further.

[TinCanTech]

Please post full details of your sanitized logs as per my link:
viewtopic.php?f=30&t=22603#p68963

[MrMoore]

Hello All,

I logged a ticket a few weeks back however still having issues. When trying to connect to my openvpn server i get the following error;

Debug Log

Code: Select all

Nov  6 21:19:58 raspberrypi ovpn-server[378]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:43249
Nov  7 08:47:13 raspberrypi ovpn-server[378]: tls-crypt unwrap error: packet too short
Nov  7 08:47:13 raspberrypi ovpn-server[378]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:38132
Nov  7 14:38:26 raspberrypi ovpn-server[378]: tls-crypt unwrap error: packet too short
Nov  7 14:38:26 raspberrypi ovpn-server[378]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:34135
Nov  7 14:56:10 raspberrypi ovpn-server[378]: tls-crypt unwrap error: packet too short
Nov  7 14:56:10 raspberrypi ovpn-server[378]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:26876
Nov  7 22:26:22 raspberrypi ovpn-server[378]: tls-crypt unwrap error: packet too short
Nov  7 22:26:22 raspberrypi ovpn-server[378]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:35169
Nov  8 10:05:12 raspberrypi ovpn-server[378]: tls-crypt unwrap error: packet too short
Nov  8 10:05:12 raspberrypi ovpn-server[378]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:43865
Nov  8 13:17:00 raspberrypi ovpn-server[378]: tls-crypt unwrap error: packet too short
Nov  8 13:17:00 raspberrypi ovpn-server[378]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:51915
Nov  8 21:24:34 raspberrypi ovpn-server[378]: tls-crypt unwrap error: packet too short
Nov  8 21:24:34 raspberrypi ovpn-server[378]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:52264

Please see below my client & server config files as requested by @TinCanTech.

Client Config

Code: Select all

client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name raspberrypi_e4d22d0b-cf8b-420d-a88d-da9585d8beb0 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----

-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-crypt>

Server Config

Code: Select all

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert .crt
key .key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device. 
#duplicate-cn
# Generated for use by PiVPN.io

any assistance to get this resolved would be greatly appreciated.

Many Thanks,

[TinCanTech]

Please post full details of your sanitized logs as per my link:
viewtopic.php?f=30&t=22603#p68963

[MrMoore]

Please post full details of your sanitized logs as per my link:
viewtopic.php?f=30&t=22603#p68963

Edited my above post as per the link you provided.

Any assistance would be highly appreciated as I'm getting more and more desperate.