-
cybermailer
- OpenVpn Newbie
- Posts: 13
- Joined: Sat Jul 08, 2017 8:31 pm
Post
by cybermailer » Sat Jul 08, 2017 8:37 pm
Hi,
I have a problem that I cannot solve.
So far:
- Client connection to the server is possible; the IP from the client is shown in the server logs...
-> BUT TLS error
SERVER LOG
root@OpenWrt:~# cat /tmp/openvpn.log
Sat Jul 8 21:14:29 2017 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 25 2015
Sat Jul 8 21:14:29 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Sat Jul 8 21:14:29 2017 Diffie-Hellman initialized with 2048 bit key
Sat Jul 8 21:14:29 2017 Control Channel Authentication: using '/etc/openvpn/tlsauth.key' as a OpenVPN static key file
Sat Jul 8 21:14:29 2017 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Jul 8 21:14:29 2017 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Jul 8 21:14:29 2017 Socket Buffers: R=[163840->131072] S=[163840->131072]
Sat Jul 8 21:14:29 2017 TUN/TAP device tun0 opened
Sat Jul 8 21:14:29 2017 TUN/TAP TX queue length set to 100
Sat Jul 8 21:14:29 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Jul 8 21:14:29 2017 /sbin/ifconfig tun0 10.20.30.1 pointopoint 10.20.30.2 mtu 1500
Sat Jul 8 21:14:29 2017 /sbin/route add -net 10.20.30.0 netmask 255.255.255.0 gw 10.20.30.2
Sat Jul 8 21:14:29 2017 UDPv4 link local (bound): [undef]
Sat Jul 8 21:14:29 2017 UDPv4 link remote: [undef]
Sat Jul 8 21:14:29 2017 MULTI: multi_init called, r=256 v=256
Sat Jul 8 21:14:29 2017 IFCONFIG POOL: base=10.20.30.4 size=62, ipv6=0
Sat Jul 8 21:14:29 2017 Initialization Sequence Completed
Sat Jul 8 21:59:12 2017 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.XXX.XXX:50567
Client error:
TLS Error: TLS key negotiation failed to occur within 60 seconds
Client config file *.ovpn
client
dev tun
proto udp
remote dyndns.xxx.at 1194 # Change to your router's External IP
resolv-retry infinite
nobind
ca ca.crt
cert xxx.crt
key xxx.key
dh dh2048.pem
tls-auth tlsauth.key 1
cipher AES-256-CBC
persist-tun
persist-key
verb 3
Server config file
config openvpn 'myvpn'
option enabled '1'
option dev 'tun'
option proto 'udp'
option log '/tmp/openvpn.log'
option verb '3'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/server.crt'
option key '/etc/openvpn/server.key'
option dh '/etc/openvpn/dh2048.pem'
option server '10.20.30.0 255.255.255.0'
option cipher 'AES-256-CBC'
option auth 'SHA256'
option tls_auth '/etc/openvpn/tlsauth.key 0'
option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TL
option port '1194'
option keepalive '10 120'
option tls_server '1'
option tls_version_min '1.2'
list push 'redirect-gateway def1'
list push 'route 192.168.1.0 255.255.255.0'
list push 'dhcp-option DNS XXX'
list push 'dhcp-option DNS XXX'
list push 'block-outside-dns'
Any ideas?
thx
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Post
by TinCanTech » Sat Jul 08, 2017 9:00 pm
cybermailer wrote: TLS Error: cannot locate HMAC in incoming packet
Did you google that?
It means, most likely, you have the wrong --tls-auth file direction
-
cybermailer
- OpenVpn Newbie
- Posts: 13
- Joined: Sat Jul 08, 2017 8:31 pm
Post
by cybermailer » Sun Jul 09, 2017 7:54 am
You mean the file position or the file itself is wrong?
All files are in the same folder:

-
TinCanTech
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Post
by TinCanTech » Sun Jul 09, 2017 11:13 am
Try removing this from your server config:
cybermailer wrote: option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TL
-
Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Post
by Pippin » Sun Jul 09, 2017 11:25 am
I would think tls-auth takes place before anything else...?
option auth 'SHA256' in server, where is it in client config?
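The two diagnoses above (wrong tls-auth key direction, and an auth digest set on the server but not on the client) both end in the same "cannot locate HMAC" server log line. The following added example, which is not from the thread or from OpenVPN itself, is a simplified Python model of the tls-auth control-channel check: the 2048-bit static key is split into two 128-byte halves (64 bytes cipher key, 64 bytes HMAC key each), direction 0 sends with half 0 and receives with half 1, direction 1 swaps them, and the HMAC key is the first digest-size bytes of the HMAC portion. The static key and packet bytes are constructed; real OpenVPN packets carry the HMAC after the opcode and session id, which is skipped here.

```python
import hashlib
import hmac

# Constructed stand-in for tlsauth.key (256 bytes); not the poster's key.
STATIC_KEY = bytes(range(256))


def direction_keys(static_key: bytes, direction: int):
    """Return (send_hmac_key, recv_hmac_key) for a given --tls-auth direction."""
    assert len(static_key) == 256
    halves = [static_key[i:i + 128] for i in (0, 128)]
    send, recv = (halves[0], halves[1]) if direction == 0 else (halves[1], halves[0])
    # Each half is cipher[0:64] + hmac[64:128]; tls-auth only uses the HMAC part.
    return send[64:], recv[64:]


def tag(hmac_key: bytes, digest: str, packet: bytes) -> bytes:
    size = hashlib.new(digest).digest_size
    # Key length is truncated to the digest size (simplified model of --auth).
    return hmac.new(hmac_key[:size], packet, digest).digest()


def wrap(packet: bytes, direction: int, digest: str) -> bytes:
    send_key, _ = direction_keys(STATIC_KEY, direction)
    return tag(send_key, digest, packet) + packet


def unwrap(data: bytes, direction: int, digest: str):
    _, recv_key = direction_keys(STATIC_KEY, direction)
    size = hashlib.new(digest).digest_size
    received, packet = data[:size], data[size:]
    if not hmac.compare_digest(received, tag(recv_key, digest, packet)):
        # This is the point where the server logs
        # "TLS Error: cannot locate HMAC in incoming packet".
        return None
    return packet


def handshake_ok(client_dir: int, client_auth: str,
                 server_dir: int, server_auth: str) -> bool:
    """Does the server accept the client's first control packet?"""
    pkt = b"P_CONTROL_HARD_RESET_CLIENT_V2 (constructed)"
    return unwrap(wrap(pkt, client_dir, client_auth), server_dir, server_auth) == pkt
```

In the thread the client used direction 1 and the server direction 0, so the direction was right; the client omitted `auth SHA256` and therefore defaulted to SHA1, which is the mismatch the model reproduces.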
-
Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Post
by Pippin » Sun Jul 09, 2017 11:34 am
Also,
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:..............TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
is not supported on
OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 25 2015
-
cybermailer
- OpenVpn Newbie
- Posts: 13
- Joined: Sat Jul 08, 2017 8:31 pm
Post
by cybermailer » Sun Jul 09, 2017 4:31 pm
Yes -> I removed all TLS lines and now the connection is possible. I don't know if some kind of TLS is possible, but for now I removed it... thx for support
Question: I have configured routes:
VPN -> LAN
LAN -> VPN
VPN -> WAN
I'm getting IP 10.8.0.5 on my client; my server has 10.8.0.1/192.168.1.1
How can I now connect from a 192.168.1.x device to 10.8.0.x and the reverse?
Sorry for that question, but it's my second day with VPNs....
-
cybermailer
- OpenVpn Newbie
- Posts: 13
- Joined: Sat Jul 08, 2017 8:31 pm
Post
by cybermailer » Sun Jul 09, 2017 6:29 pm
I can connect from 192.x to 10.x but not the reverse.
The post before was wrong; it mentioned my firewall settings:
uci set firewall.vpn_forwarding_lan_in=forwarding
uci set firewall.vpn_forwarding_lan_in.src=vpn
uci set firewall.vpn_forwarding_lan_in.dest=lan
uci set firewall.vpn_forwarding_lan_out=forwarding
uci set firewall.vpn_forwarding_lan_out.src=lan
uci set firewall.vpn_forwarding_lan_out.dest=vpn
uci set firewall.vpn_forwarding_wan=forwarding
uci set firewall.vpn_forwarding_wan.src=vpn
uci set firewall.vpn_forwarding_wan.dest=wan
My new (working) server config:
config openvpn 'myvpn'
option enabled '1'
option verb '3'
option port '1194'
option proto 'udp'
option dev 'tun'
option server '10.8.0.0 255.255.255.0'
option keepalive '10 120'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/my-server.crt'
option key '/etc/openvpn/my-server.key'
option dh '/etc/openvpn/dh2048.pem'
list push 'redirect-gateway def1'
list push 'route 192.168.1.0 255.255.255.0'
list push 'dhcp-option DNS 208.67.220.220'
list push 'dhcp-option DNS 208.67.222.222'
list push 'block-outside-dns'
So the only thing that makes problems is the reverse communication from 10.x to 192.x
-
cybermailer
- OpenVpn Newbie
- Posts: 13
- Joined: Sat Jul 08, 2017 8:31 pm
Post
by cybermailer » Sun Jul 09, 2017 6:48 pm
Restarted all my machines, now it works. Some kind of magic here...
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Post
by TinCanTech » Sun Jul 09, 2017 7:50 pm
That is why the tech support mantra .. did you reboot it?
Thanks for letting us know
