OpenWRT LEDE - TLS Error: tls-crypt unwrapping failed from

mrgenie
OpenVPN User
Posts: 22
Joined: Sun Jun 03, 2012 11:14 am

OpenWRT LEDE - TLS Error: tls-crypt unwrapping failed from

Post by mrgenie » Mon Jan 09, 2017 11:32 pm

Tue Jan 10 00:31:14 2017 tls-crypt unwrap error: packet too short
Tue Jan 10 00:31:14 2017 TLS Error: tls-crypt unwrapping failed from [AF_INET6]::ffff:93.245.255.104:55912

How to fix this error?

OpenVPN 2.4.0 windows (server)
and
OpenVPN 2.4.0 Linux (openWRT/DD-wrt/LEDE they all have the same message) as client


Windows server - Windows client: I don't see this error.
Linux server - Linux client: I don't see it either.

Windows server - Linux client = error message..

How to fix it?

mrgenie
OpenVPN User
Posts: 22
Joined: Sun Jun 03, 2012 11:14 am

Re: TLS Error: tls-crypt unwrapping failed from

Post by mrgenie » Mon Jan 09, 2017 11:38 pm

ehm.. I know reverting back to tls-auth solves this error message, but that's not what I'm asking really although it fixes the error..

I do want to use the tls-crypt but working LOL

mrgenie
OpenVPN User
Posts: 22
Joined: Sun Jun 03, 2012 11:14 am

Re: TLS Error: tls-crypt unwrapping failed from

Post by mrgenie » Mon Jan 09, 2017 11:58 pm

never mind.. although I ./scripts/feeds update -a
and ./scripts/feeds install -a

then I did make and it did show 2.4.0 in the GUI interface but in command openvpn shows version 2.3.13

so I guess I have to do make dirclean

or even make distclean which I hope to avoid so my menuconfig remains..

mrgenie
OpenVPN User
Posts: 22
Joined: Sun Jun 03, 2012 11:14 am

Re: TLS Error: tls-crypt unwrapping failed from

Post by mrgenie » Tue Jan 10, 2017 2:16 am

Well. I now have definitely 2.4.0 running and still the error.

tls-crypt with the ta.key under linux can't connect to a windows 2.4.0 with tls-crypt.

mrgenie
OpenVPN User
Posts: 22
Joined: Sun Jun 03, 2012 11:14 am

Re: TLS Error: tls-crypt unwrapping failed from

Post by mrgenie » Tue Jan 10, 2017 12:27 pm

Here's the server settings in WINDOWS:

port 1197
proto udp
dev tap
dev-node TAP_IPV6
tun-mtu 1500
tun-mtu-extra 32

ca ca.crt
cert server-ipv4.crt
key server-ipv4.key
dh dh2048.pem
tls-crypt ta.key
remote-cert-tls client

tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
auth SHA384

server-bridge 172.22.50.1 255.255.0.0 172.22.50.2 172.22.50.49
client-to-client

comp-lzo no
keepalive 10 60
persist-key
persist-tun

status status.txt
log log.txt

ifconfig-pool-persist ipp.txt

Here's the client settings in openWRT/LEDE:

config openvpn 'private'
        option client '1'
        option float '1'
        option remote 'domain.com'
        option port '1197'
        option proto 'udp'
        option dev 'tap0'
        option tun_mtu '1500'
        option tun_mtu_extra '32'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/client-ipv4.crt'
        option key '/etc/openvpn/client-ipv4.key'
        option tls_crypt '/etc/openvpn/ta.key'
        option remote_cert_tls 'server'
        option verify_x509_name 'SERVERNAME name'
        option tls_version_min '1.2'
        option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'
        option cipher 'AES-256-GCM'
        option auth 'SHA384'
        option comp_lzo 'no'
        option persist_tun '1'
        option persist_key '1'
        option nobind '1'
        option verb '5'
        option log '/etc/openvpn/log'
        option status '/etc/openvpn/status 5'
        option resolv_retry 'infinite'
        option enabled '1'

So once again, if I change

option tls_crypt '/etc/openvpn/ta.key'

to

option tls_auth '/etc/openvpn/ta.key 1'

and

tls-crypt ta.key

to

tls-auth ta.key 0

then everything is working out of the box and all verifications result in OK and no errors whatsoever!

So it's really the tls-crypt on the linux side as other windows clients with tls-crypt just work fine!

TinCanTech
Forum Team
Posts: 11003
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS Error: tls-crypt unwrapping failed from

Post by TinCanTech » Tue Jan 10, 2017 5:06 pm

mrgenie wrote: tls-crypt with the ta.key under linux can't connect to a windows 2.4.0 with tls-crypt
I have a W10 Server and a Linux client both running openvpn-2.4.0 with --tls-crypt enabled correctly and it works perfectly for me. You must restart your server & client if you change a configuration option.

Client log:

Tue Jan 10 16:52:00 2017 us=981569 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Jan 10 16:52:00 2017 us=981692 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jan 10 16:52:00 2017 us=983514 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Jan 10 16:52:00 2017 us=983577 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

Server log:

Tue Jan 10 16:40:03 2017 us=807425 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Jan 10 16:40:03 2017 us=807425 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jan 10 16:40:03 2017 us=807425 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Jan 10 16:40:03 2017 us=807425 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

mrgenie
OpenVPN User
Posts: 22
Joined: Sun Jun 03, 2012 11:14 am

Re: TLS Error: tls-crypt unwrapping failed from

Post by mrgenie » Wed Jan 11, 2017 9:09 pm

hi TinCanTech.

Thank you for your reply.
I did already restart the whole system. Shutdown. No power.
So I'm pretty sure it's not a restart issue.

If it works on your end, then I presume it's working and thus something
is wrong on my end.

I'll build the firmware from scratch. Maybe some old 2.3 objects still somewhere
in the firmware, although it says 2.4.0 when I openvpn --version.

But thank you anyway, now I know it's working for someone, it means it should be working
for me as well.

chuckler
OpenVpn Newbie
Posts: 2
Joined: Sun Jan 15, 2017 6:04 pm

Re: TLS Error: tls-crypt unwrapping failed from

Post by chuckler » Sun Jan 15, 2017 6:06 pm

Hi,

I'm having the same problem with a LEDE build in a router. I'm using OpenVPN 2.4.0 but still it looks like the

option tls_crypt '/etc/openvpn/ta.key'

is not applied to the LEDE code, because if you enable it you can still connect to the server if you disable the tls-auth option in the server config.

Maybe it's something to do with LEDE/OpenWRT, I'll open a new post in their forums.

chuckler
OpenVpn Newbie
Posts: 2
Joined: Sun Jan 15, 2017 6:04 pm

Re: TLS Error: tls-crypt unwrapping failed from

Post by chuckler » Sun Jan 15, 2017 6:13 pm

Hi,

this is the post on the LEDE forums.

https://forum.lede-project.org/t/openvp ... orking/995

Maybe we could help them.

Thanks.

TinCanTech
Forum Team
Posts: 11003
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS Error: tls-crypt unwrapping failed from

Post by TinCanTech » Sun Jan 15, 2017 8:25 pm

chuckler wrote: I'm having the same problem with a LEDE build in a router. I'm using OpenVPN 2.4.0 but
Complete logs at verb 4 please

mrgenie
OpenVPN User
Posts: 22
Joined: Sun Jun 03, 2012 11:14 am

Re: TLS Error: tls-crypt unwrapping failed from

Post by mrgenie » Tue Jan 24, 2017 8:46 pm

I found out the error comes from AES-256-GCM

or any other encryption method.


The only thing that tls-crypt is compatible with is AES-256-CTR

All other encryption options are now just useless if you want to use tls-crypt.

mrgenie
OpenVPN User
Posts: 22
Joined: Sun Jun 03, 2012 11:14 am

Re: TLS Error: tls-crypt unwrapping failed from

Post by mrgenie » Wed Jan 25, 2017 7:43 am

Ok, so it should work with AES-256-GCM as it applies CTR

Must be LEDE/OpenWRT specific then.

Back to LEDE forums

mrgenie
OpenVPN User
Posts: 22
Joined: Sun Jun 03, 2012 11:14 am

Re: TLS Error: tls-crypt unwrapping failed from

Post by mrgenie » Wed Jan 25, 2017 9:05 am

Solution to the problem I wrote in the last comment:

https://forum.lede-project.org/t/openvp ... king/995/5


will be applied to the standard git some time in future. Maybe even today, maybe next month.
But there's a manual fix for those who are interested.

TinCanTech
Forum Team
Posts: 11003
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenWRT LEDE - TLS Error: tls-crypt unwrapping failed from

Post by TinCanTech » Wed Jan 25, 2017 2:51 pm

What this essentially boils down to:
makro:forum.lede-project.org wrote: Apparently the updates to the OpenVPN init script got lost between the initial 2.4_rc1 patch [1] and the final 2.4.0 version, so LEDE doesn't apply any of the new options introduced
[1] https://patchwork.ozlabs.org/patch/704655/
Source: https://forum.lede-project.org/t/openvp ... king/995/2

Openvpn was not involved in that.

With regard to this:
mrgenie wrote: The only thing that tls-crypt is compatible with is AES-256-CTR
AES-256-CTR has been initially selected for use with --tls-crypt because it is "a nonce misuse-resistant authenticated encryption scheme".

See: https://www.mail-archive.com/openvpn-de ... 12970.html
mrgenie wrote: All other encryption options are now just useless if you want to use tls-crypt
--tls-crypt only affects the control channel, not the data channel. Ciphers available to the data channel are as they always have been and can be configured with --cipher and/or negotiated internally by openvpn with --ncp-ciphers, which is enabled by default in 2.4

It is complicated but well documented .. worth your time to read. :ugeek:
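To make the LEDE finding above concrete, here is an added example (not LEDE's init script and not code from anyone in this thread) that emulates an init script translating a UCI 'config openvpn' section into an OpenVPN config using an assumed, 2.3-era list of known options, and reports which requested options never reached openvpn. The KNOWN_2_3_OPTIONS set, the helper names and the sample section are constructed for illustration; the point is that a dropped tls_crypt leaves the client sending unwrapped control packets while the server expects wrapped ones.

```python
import re

# Assumed, illustrative set of UCI options a 2.3-era init script knows how to
# translate (not LEDE's real list): note that the 2.4-only tls_crypt is absent.
KNOWN_2_3_OPTIONS = {
    "client", "float", "remote", "port", "proto", "dev", "ca", "cert", "key",
    "tls_auth", "remote_cert_tls", "tls_version_min", "tls_cipher", "cipher",
    "auth", "comp_lzo", "persist_tun", "persist_key", "nobind", "verb",
}
FLAG_OPTIONS = {"client", "float", "persist_tun", "persist_key", "nobind"}
META_OPTIONS = {"enabled"}                     # consumed by the init script
SECURITY_CRITICAL = {"tls_crypt", "tls_auth"}  # losing these strips the control channel wrap
UCI_OPTION = re.compile(r"^\s*option\s+(\w+)\s+'([^']*)'\s*$")

def parse_uci_section(text):
    """Return (name, value) pairs from one UCI 'config openvpn' block."""
    matches = (UCI_OPTION.match(line) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def render_openvpn_config(opts, known=KNOWN_2_3_OPTIONS):
    """Emulate the init script: emit options it knows, collect those it drops."""
    lines, dropped = [], []
    for name, value in opts:
        if name in META_OPTIONS:
            continue
        if name not in known:
            dropped.append(name)               # silently lost, nothing logged
            continue
        flag = name.replace("_", "-")
        is_flag = name in FLAG_OPTIONS and value == "1"
        lines.append(flag if is_flag else f"{flag} {value}")
    return lines, dropped

def audit(text, known=KNOWN_2_3_OPTIONS):
    """Generated config plus the requested options that never reached openvpn."""
    rendered, dropped = render_openvpn_config(parse_uci_section(text), known)
    return {"rendered": rendered, "dropped": dropped,
            "critical": sorted(set(dropped) & SECURITY_CRITICAL)}

# Constructed sample, trimmed from the client config posted in the thread.
SAMPLE_UCI = """config openvpn 'private'
        option client '1'
        option remote 'domain.com'
        option port '1197'
        option tls_crypt '/etc/openvpn/ta.key'
        option cipher 'AES-256-GCM'
        option nobind '1'
        option enabled '1'
"""
```

With the 2.3-era list, audit(SAMPLE_UCI)["critical"] returns ['tls_crypt'] and the rendered config carries no tls-crypt line at all; adding "tls_crypt" to the known set makes the same audit return an empty dropped list.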

mrgenie
OpenVPN User
Posts: 22
Joined: Sun Jun 03, 2012 11:14 am

Re: OpenWRT LEDE - TLS Error: tls-crypt unwrapping failed from

Post by mrgenie » Fri Apr 07, 2017 7:52 pm

Hi TinCanTech, thank you for sharing your expertise! :)

xioxify
OpenVpn Newbie
Posts: 2
Joined: Sun Jan 21, 2018 7:34 am

Re: OpenWRT LEDE - TLS Error: tls-crypt unwrapping failed from

Post by xioxify » Sun Jan 21, 2018 7:47 am

Thanks mrgenie for sharing your experience.
I have this problem too.
You said "The only thing that tls-crypt is compatible with is AES-256-CTR", by this you mean I change GCM in the config line "cipher AES-256-GCM" to AES-256-CTR or change the GCM in this line: "tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384" ????

Another question:
you used the tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 and the "auth SHA384". They have to be the same SHA384 or can I use the "auth SHA512"??

TinCanTech
Forum Team
Posts: 11003
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenWRT LEDE - TLS Error: tls-crypt unwrapping failed from

Post by TinCanTech » Sun Jan 21, 2018 3:28 pm

xioxify wrote: You said "The only thing that tls-crypt is compatible with is AES-256-CTR", by this you mean I change GCM in the config line "cipher AES-256-GCM" to AES-256-CTR or change the GCM in this line: "tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384" ????
No .. --tls-crypt uses AES-256-CTR and it is not a configurable option.
xioxify wrote: you used the tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 and the "auth SHA384". They have to be the same SHA384 or can I use the "auth SHA512"??
This is simply wrong .. you are mixing up different options that are not linked.

:ugeek:
