OpenVPN Support Forum

Community Support Forum
https://forums.openvpn.net/

Assertion failed at crypto.c:179

https://forums.openvpn.net/viewtopic.php?t=20348

Page 1 of 1

Assertion failed at crypto.c:179

Posted: Tue Dec 01, 2015 2:55 am
by brs404
I am trying to setup a simple gateway and I keep getting assertion failed messages. I tried a couple different types of ciphers...

System authenticates client, client says it gets a private IP in the range I set, then the service dies. (VPN on an OpenVZ, TUN enabled via control panel)

iptables as follows:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Log:

Tue Dec 1 02:35:55 2015 us=387520 GET INST BY REAL: <MyIP>:49586 [succeeded]
Tue Dec 1 02:35:55 2015 us=387543 myclient/<MyIP>:49586 UDPv4 READ [90] from [AF_INET]<MyIP>:49586: P_DATA_V1 kid=0 DATA e72cd8c7 31c997a7 5322204f 9cb9ba23 5d7d6c85 00000027 565d0780 0000000[more...]
Tue Dec 1 02:35:55 2015 us=387551 myclient/<MyIP>:49586 TLS: tls_pre_decrypt, key_id=0, IP=[AF_INET]<MyIP>:49586
Tue Dec 1 02:35:55 2015 us=387570 myclient/<MyIP>:49586 DECRYPT IV: 00000027 565d0780 00000000 00000000
Tue Dec 1 02:35:55 2015 us=387586 myclient/<MyIP>:49586 DECRYPT TO: fa450000 3402ac40 00800614 f90a3201 064a7d8d 6af69f00 507c3bde 8400000[more...]
Tue Dec 1 02:35:55 2015 us=387593 myclient/<MyIP>:49586 PID TEST 1448937344:38 1448937344:39
Tue Dec 1 02:35:55 2015 us=387605 myclient/<MyIP>:49586 GET INST BY VIRT: 10.50.1.6 -> myclient/<MyIP>:49586 via 10.50.1.6
Tue Dec 1 02:35:55 2015 us=387619 PO_CTL rwflags=0x0000 ev=5 arg=0x7fe3a112b130
Tue Dec 1 02:35:55 2015 us=387625 PO_CTL rwflags=0x0002 ev=6 arg=0x7fe3a112b064
Tue Dec 1 02:35:55 2015 us=387633 I/O WAIT Tr|TW|Sr|Sw [1/189483]
Tue Dec 1 02:35:55 2015 us=387641 PO_WAIT[1,0] fd=6 rev=0x00000004 rwflags=0x0002 arg=0x7fe3a112b064
Tue Dec 1 02:35:55 2015 us=387647 event_wait returned 1
Tue Dec 1 02:35:55 2015 us=387652 I/O WAIT status=0x0008
Tue Dec 1 02:35:55 2015 us=387658 myclient/<MyIP>:49586 TUN WRITE [52]
Tue Dec 1 02:35:55 2015 us=387684 myclient/<MyIP>:49586 write to TUN/TAP returned 52
Tue Dec 1 02:35:55 2015 us=387692 PO_CTL rwflags=0x0001 ev=5 arg=0x7fe3a112b130
Tue Dec 1 02:35:55 2015 us=387698 PO_CTL rwflags=0x0001 ev=6 arg=0x7fe3a112b064
Tue Dec 1 02:35:55 2015 us=387704 I/O WAIT TR|Tw|SR|Sw [1/189483]
Tue Dec 1 02:35:56 2015 us=581648 event_wait returned 0
Tue Dec 1 02:35:56 2015 us=581694 I/O WAIT status=0x0020
Tue Dec 1 02:35:56 2015 us=581705 MULTI: REAP range 208 -> 224
Tue Dec 1 02:35:56 2015 us=581720 myclient/<MyIP>:49586 TLS: tls_pre_encrypt: key_id=0
Tue Dec 1 02:35:56 2015 us=581735 myclient/<MyIP>:49586 ENCRYPT IV: 00000001 565d078c 00000000 00000000
Tue Dec 1 02:35:56 2015 us=581747 myclient/<MyIP>:49586 ENCRYPT FROM: fa2a187b f3641eb4 cb07ed2d 0a981fc7 48
Tue Dec 1 02:35:56 2015 us=581766 myclient/<MyIP>:49586 Assertion failed at crypto.c:179
Tue Dec 1 02:35:56 2015 us=581775 myclient/<MyIP>:49586 Exiting
Tue Dec 1 02:35:56 2015 us=581802 myclient/<MyIP>:49586 /sbin/route del -net 10.50.1.0 netmask 255.255.255.0
Tue Dec 1 02:35:56 2015 us=582150 myclient/<MyIP>:49586 PKCS#11: __pkcs11h_forkFixup entry pid=20650, activate_slotevent=1
Tue Dec 1 02:35:56 2015 us=582199 myclient/<MyIP>:49586 PKCS#11: __pkcs11h_forkFixup return
SIOCDELRT: Operation not permitted
Tue Dec 1 02:35:56 2015 us=582875 myclient/<MyIP>:49586 ERROR: Linux route delete command failed: external program exited with error status: 7
Tue Dec 1 02:35:56 2015 us=582904 myclient/<MyIP>:49586 Closing TUN/TAP interface
Tue Dec 1 02:35:56 2015 us=582922 myclient/<MyIP>:49586 /sbin/ifconfig tun0 0.0.0.0
Tue Dec 1 02:35:56 2015 us=583133 myclient/<MyIP>:49586 PKCS#11: __pkcs11h_forkFixup entry pid=20651, activate_slotevent=1
Tue Dec 1 02:35:56 2015 us=583184 myclient/<MyIP>:49586 PKCS#11: __pkcs11h_forkFixup return
SIOCSIFADDR: Permission denied
SIOCSIFFLAGS: Permission denied
Tue Dec 1 02:35:56 2015 us=583863 myclient/<MyIP>:49586 Linux ip addr del failed: external program exited with error status: 255

-----

Assertion fails, daemon dies. Any advice on how to proceed?

Re: Assertion failed at crypto.c:179

Posted: Tue Dec 01, 2015 7:39 pm
by Traffic
Please post config files and full logs (incluing openvpn version).

Note:
brs404 wrote:VPN on an OpenVZ, TUN enabled via control panel)

iptables as follows:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables for a VZ:

Code: Select all

iptables -t nat -A POSTROUTING -s {range} -o eth0 -j SNAT --to-source {ip.address}
adjust to your setup ..

Re: Assertion failed at crypto.c:179

Posted: Tue Dec 01, 2015 11:25 pm
by brs404
Version: OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014

Entered:

iptables -t nat -A POSTROUTING -s 10.50.1.0/24 -o eth0 -j SNAT --to-source <MyServerIP>

Attempted reconnect and generated OpenVPN.log --> http://pastebin.com/kc548eUT

-------------

Server Config: MyVpn (OpenVZ)

Code: Select all

port 1194
proto udp
dev tun0
ca keys/mycertauthority/ca.crt
cert keys/mycertauthority/myserver.crt
key keys/mycertauthority/myserver.key
dh keys/mycertauthority/dh2048.pem
server 10.50.1.0 255.255.255.0
crl-verify keys/mycertauthority/crl.pem
ifconfig-pool-persist servers/MyVPN/logs/ipp.txt
cipher AES-256-CFB
user nobody
group nogroup
status servers/MyVPN/logs/openvpn-status.log
log-append servers/MyVPN/logs/openvpn.log
verb 5
mute 20
max-clients 100
keepalive 10 120
client-config-dir /etc/openvpn/servers/MyVPN/ccd
comp-lzo adaptive
persist-key
persist-tun
ccd-exclusive
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
Client: Windows

Code: Select all

client
proto udp
dev tun
ca ca.crt
dh dh2048.pem
cert myclient.crt
key myclient.key
remote <IPAddressOfServer> 1194
cipher AES-256-CFB
verb 2
mute 20
keepalive 10 120
comp-lzo
persist-key
persist-tun
float
resolv-retry infinite
nobind
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

Re: Assertion failed at crypto.c:179

Posted: Mon Dec 28, 2015 6:38 pm
by Traffic
Server log:
Tue Dec 1 23:07:49 2015 us=893071 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014
Probably need an update there ..

Re: Assertion failed at crypto.c:179

Posted: Wed Aug 31, 2016 12:32 pm
by noskies
Having the same issue here I learned that the problem appears to be your configured cipher:

>>> cipher AES-256-CFB
^^^^

openvpn's manual clearly states: "however CBC is recommended and CFB and OFB should be considered advanced modes"

Openvpn is not yet capable of handling those advanced modes.
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/