Authenticate/Decrypt packet error: packet HMAC authentication failed

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
darior87
OpenVpn Newbie
Posts: 3
Joined: Thu Jun 25, 2020 1:04 pm

Authenticate/Decrypt packet error: packet HMAC authentication failed

Post by darior87 » Thu Jun 25, 2020 1:08 pm

I know there are a tons (even here in these forums) of discussions about this error, but none of the solution provided works in my case.

I had a server configuration that used to works, but now it isn't. I don't know why.

Here's my client ovpn file

Client config
client
proto udp
explicit-exit-notify
remote PUBLIC_IP 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_2CAzflUWmRFturMk name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
-----BEGIN CERTIFICATE-----
CERT
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
KEY
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
KEY
-----END OpenVPN Static key V1-----
</tls-crypt>


and this server.conf

Server config
port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_2CAzflUWmRFturMk.crt
key server_2CAzflUWmRFturMk.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
log /var/log/openvpn.log
verb 3
mode server


ufw firewall is disabled and have generated the openvpn client file through [this][1] script (but have tried many different).

here's the iptables

Code: Select all

sudo iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn
    AS0_ACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    AS0_ACCEPT  all  --  anywhere             anywhere            
    AS0_IN_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
    AS0_ACCEPT  tcp  --  anywhere             *.website.org  state NEW tcp dpt:915
    AS0_ACCEPT  tcp  --  anywhere             *.website.org  state NEW tcp dpt:914
    AS0_ACCEPT  udp  --  anywhere             *.website.org  state NEW udp dpt:917
    AS0_ACCEPT  udp  --  anywhere             *.website.org  state NEW udp dpt:916
    AS0_WEBACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    AS0_WEBACCEPT  tcp  --  anywhere             *.website.org  state NEW tcp dpt:943
    ufw-before-logging-input  all  --  anywhere             anywhere            
    ufw-before-input  all  --  anywhere             anywhere            
    ufw-after-input  all  --  anywhere             anywhere            
    ufw-after-logging-input  all  --  anywhere             anywhere            
    ufw-reject-input  all  --  anywhere             anywhere            
    ufw-track-input  all  --  anywhere             anywhere            
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     all  --  10.8.0.0/24          anywhere            
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     all  --  10.8.0.0/24          anywhere            
    AS0_ACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    AS0_IN_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
    AS0_OUT_S2C  all  --  anywhere             anywhere            
    ufw-before-logging-forward  all  --  anywhere             anywhere            
    ufw-before-forward  all  --  anywhere             anywhere            
    ufw-after-forward  all  --  anywhere             anywhere            
    ufw-after-logging-forward  all  --  anywhere             anywhere            
    ufw-reject-forward  all  --  anywhere             anywhere            
    ufw-track-forward  all  --  anywhere             anywhere            
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    AS0_OUT_LOCAL  all  --  anywhere             anywhere            
    ufw-before-logging-output  all  --  anywhere             anywhere            
    ufw-before-output  all  --  anywhere             anywhere            
    ufw-after-output  all  --  anywhere             anywhere            
    ufw-after-logging-output  all  --  anywhere             anywhere            
    ufw-reject-output  all  --  anywhere             anywhere            
    ufw-track-output  all  --  anywhere             anywhere            
    
    Chain AS0_ACCEPT (7 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    
    Chain AS0_IN (4 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             Mico2026WebAppIaaSLinux 
    AS0_IN_POST  all  --  anywhere             anywhere            
    
    Chain AS0_IN_NAT (0 references)
    target     prot opt source               destination         
    MARK       all  --  anywhere             anywhere             MARK or 0x8000000
    ACCEPT     all  --  anywhere             anywhere            
    
    Chain AS0_IN_POST (1 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             10.1.0.0/24         
    AS0_OUT    all  --  anywhere             anywhere            
    DROP       all  --  anywhere             anywhere            
    
    Chain AS0_IN_PRE (2 references)
    target     prot opt source               destination         
    AS0_IN     all  --  anywhere             link-local/16       
    AS0_IN     all  --  anywhere             192.168.0.0/16      
    AS0_IN     all  --  anywhere             172.16.0.0/12       
    AS0_IN     all  --  anywhere             10.0.0.0/8          
    ACCEPT     all  --  anywhere             anywhere            
    
    Chain AS0_IN_ROUTE (0 references)
    target     prot opt source               destination         
    MARK       all  --  anywhere             anywhere             MARK or 0x4000000
    ACCEPT     all  --  anywhere             anywhere            
    
    Chain AS0_OUT (2 references)
    target     prot opt source               destination         
    AS0_OUT_POST  all  --  anywhere             anywhere            
    
    Chain AS0_OUT_LOCAL (1 references)
    target     prot opt source               destination         
    DROP       icmp --  anywhere             anywhere             icmp redirect
    ACCEPT     all  --  anywhere             anywhere            
    
    Chain AS0_OUT_POST (1 references)
    target     prot opt source               destination         
    DROP       all  --  anywhere             anywhere            
    
    Chain AS0_OUT_S2C (1 references)
    target     prot opt source               destination         
    AS0_OUT    all  --  anywhere             anywhere            
    
    Chain AS0_WEBACCEPT (2 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    
    Chain ufw-after-forward (1 references)
    target     prot opt source               destination         
    
    Chain ufw-after-input (1 references)
    target     prot opt source               destination         
    
    Chain ufw-after-logging-forward (1 references)
    target     prot opt source               destination         
    
    Chain ufw-after-logging-input (1 references)
    target     prot opt source               destination         
    
    Chain ufw-after-logging-output (1 references)
    target     prot opt source               destination         
    
    Chain ufw-after-output (1 references)
    target     prot opt source               destination         
    
    Chain ufw-before-forward (1 references)
    target     prot opt source               destination         
    
    Chain ufw-before-input (1 references)
    target     prot opt source               destination         
    
    Chain ufw-before-logging-forward (1 references)
    target     prot opt source               destination         
    
    Chain ufw-before-logging-input (1 references)
    target     prot opt source               destination         
    
    Chain ufw-before-logging-output (1 references)
    target     prot opt source               destination         
    
    Chain ufw-before-output (1 references)
    target     prot opt source               destination         
    
    Chain ufw-reject-forward (1 references)
    target     prot opt source               destination         
    
    Chain ufw-reject-input (1 references)
    target     prot opt source               destination         
    
    Chain ufw-reject-output (1 references)
    target     prot opt source               destination         
    
    Chain ufw-track-forward (1 references)
    target     prot opt source               destination         
    
    Chain ufw-track-input (1 references)
    target     prot opt source               destination         
    
    Chain ufw-track-output (1 references)
    target     prot opt source               destination        


The client is hanging on "waiting for server response" and the server logs this:

openvpn.log

Code: Select all

    Thu Jun 25 11:50:29 2020 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
    Thu Jun 25 11:50:29 2020 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
    Thu Jun 25 11:50:29 2020 ECDH curve prime256v1 added
    Thu Jun 25 11:50:29 2020 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    Thu Jun 25 11:50:29 2020 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    Thu Jun 25 11:50:29 2020 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    Thu Jun 25 11:50:29 2020 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    Thu Jun 25 11:50:29 2020 TUN/TAP device tun0 opened
    Thu Jun 25 11:50:29 2020 TUN/TAP TX queue length set to 100
    Thu Jun 25 11:50:29 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Thu Jun 25 11:50:29 2020 /sbin/ip link set dev tun0 up mtu 1500
    Thu Jun 25 11:50:29 2020 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
    Thu Jun 25 11:50:29 2020 Could not determine IPv4/IPv6 protocol. Using AF_INET
    Thu Jun 25 11:50:29 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
    Thu Jun 25 11:50:29 2020 UDPv4 link local (bound): [AF_INET][undef]:1194
    Thu Jun 25 11:50:29 2020 UDPv4 link remote: [AF_UNSPEC]
    Thu Jun 25 11:50:29 2020 GID set to nogroup
    Thu Jun 25 11:50:29 2020 UID set to nobody
    Thu Jun 25 11:50:29 2020 MULTI: multi_init called, r=256 v=256
    Thu Jun 25 11:50:29 2020 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
    Thu Jun 25 11:50:29 2020 IFCONFIG POOL LIST
    Thu Jun 25 11:50:29 2020 Initialization Sequence Completed
and the other log (openvpnas.log)

Code: Select all

 2020-06-25 11:55:39+0000 [-] OVPN 2 OUT: 'Thu Jun 25 11:55:39 2020 Authenticate/Decrypt packet error: packet HMAC authentication failed'
    2020-06-25 11:55:39+0000 [-] OVPN 2 OUT: 'Thu Jun 25 11:55:39 2020 TLS Error: incoming packet authentication failed from [AF_INET]IP:55955'
and that's the client log

Code: Select all

 2020-06-25 13:56:33.282083 SIGUSR1[soft,tls-error] received, process restarting
    2020-06-25 13:56:33.282124 MANAGEMENT: >STATE:1593086193,RECONNECTING,tls-error,,,,,
    2020-06-25 13:56:35.328014 MANAGEMENT: CMD 'hold release'
    2020-06-25 13:56:35.328137 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    2020-06-25 13:56:35.328327 TCP/UDP: Preserving recently used remote address: [AF_INET]1194
    2020-06-25 13:56:35.328479 Socket Buffers: R=[786896->786896] S=[9216->9216]
    2020-06-25 13:56:35.328505 UDP link local: (not bound)
    2020-06-25 13:56:35.328531 UDP link remote: [AF_INET]SERVERIP:1194
    2020-06-25 13:56:35.328575 MANAGEMENT: >STATE:1593086195,WAIT,,,,,,
    2020-06-25 13:56:35.328919 MANAGEMENT: CMD 'hold release'
My vpn server used to works but I don't know what I did to break it.

I tried also to reinstall openvpn, but don't know how to fix it and let clients connect

[1]: https://github.com/angristan/openvpn-install
Last edited by Pippin on Thu Jun 25, 2020 1:34 pm, edited 1 time in total.
Reason: Formatting

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Authenticate/Decrypt packet error: packet HMAC authentication failed

Post by TinCanTech » Thu Jun 25, 2020 1:18 pm

darior87 wrote:
Thu Jun 25, 2020 1:08 pm
and the other log (openvpnas.log)
Does angristan support openvpn-AS ? :roll:

darior87
OpenVpn Newbie
Posts: 3
Joined: Thu Jun 25, 2020 1:04 pm

Re: Authenticate/Decrypt packet error: packet HMAC authentication failed

Post by darior87 » Thu Jun 25, 2020 1:28 pm

I created the client files using that script and when I try to connect, the log gets updated.

This problem is driving me crazy. 3 days on it. can't even reset openvp completely.

I have done something in configurations or routing stuff since it stopped to works that broke everything.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Authenticate/Decrypt packet error: packet HMAC authentication failed

Post by TinCanTech » Thu Jun 25, 2020 1:51 pm

darior87 wrote:
Thu Jun 25, 2020 1:28 pm
I created the client files using that script
So you are not even using the script correctly .... :facepalm:

http://xyproblem.info/

darior87
OpenVpn Newbie
Posts: 3
Joined: Thu Jun 25, 2020 1:04 pm

Re: Authenticate/Decrypt packet error: packet HMAC authentication failed

Post by darior87 » Thu Jun 25, 2020 2:52 pm

I'm new to openvpn server configuration.

I followed this
https://github.com/angristan/openvpn-install

what you mean "you are not even using the script correctly"?

the first time I used this everything worked. now it doesn't. don't know what happened. I wrote my config and logs in this topic.

what do I do to run the script correctly?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Authenticate/Decrypt packet error: packet HMAC authentication failed

Post by TinCanTech » Thu Jun 25, 2020 2:54 pm

darior87 wrote:
Thu Jun 25, 2020 2:52 pm
what you mean "you are not even using the script correctly"?
The script must be used correctly if you want it to work.

angristan provides support for his script at github.

Post Reply