OpenVPN 2.4.4 "TLS Error: tls-crypt unwrapping failed from"

Post by colombiunpride » Wed Nov 08, 2017 12:22 am

I'm still seeing the same issue. Running OpenVPN Server 2.4.4 on RASPBIAN STRETCH LITE.

OpenVPN Client is the latest 2.4.4 on Windows.

When I use tls-auth the VPN connection works fine. So I can verify that OpenVPN works fine when using tls-auth.


When I switch over to tls-crypt I get the following error:

Wed Nov 8 00:11:50 2017 TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.50.1:59056
Wed Nov 8 00:11:55 2017 tls-crypt unwrap error: packet authentication failed

server.conf snippet:

Code:

remote-cert-tls client
tls-version-min 1.2
#tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256

client .ovpn config snippet: I've tried using tls-auth and tls-crypt tags and still receive the same "tls-crypt unwrapping failed" error.

Code:

<tls-auth>
[KEY REMOVED]
</tls-auth>

Code:

<tls-crypt>
[KEY REMOVED]
</tls-crypt>

OpenVPN Log:

Code:

Wed Nov  8 00:09:36 2017 OpenVPN 2.4.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 25 2017
Wed Nov  8 00:09:36 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Wed Nov  8 00:09:36 2017 TUN/TAP device tun0 opened
Wed Nov  8 00:09:36 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Nov  8 00:09:36 2017 /sbin/ip link set dev tun0 up mtu 1500
Wed Nov  8 00:09:36 2017 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Wed Nov  8 00:09:36 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Nov  8 00:09:36 2017 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Nov  8 00:09:36 2017 UDPv4 link remote: [AF_UNSPEC]
Wed Nov  8 00:09:36 2017 GID set to nogroup
Wed Nov  8 00:09:36 2017 UID set to nobody
Wed Nov  8 00:09:36 2017 Initialization Sequence Completed
Wed Nov  8 00:11:49 2017 tls-crypt unwrap error: packet authentication failed
Wed Nov  8 00:11:49 2017 TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.50.1:59056
Wed Nov  8 00:11:50 2017 tls-crypt unwrap error: packet authentication failed
Wed Nov  8 00:11:50 2017 TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.50.1:59056
Wed Nov  8 00:11:55 2017 tls-crypt unwrap error: packet authentication failed
Wed Nov  8 00:11:55 2017 TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.50.1:59056

OpenVPN Client log on Windows 10:

Code:

Tue Nov 07 19:11:47 2017 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Tue Nov 07 19:11:47 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Nov 07 19:11:47 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Tue Nov 07 19:11:50 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Nov 07 19:11:50 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]24.189.83.110:1194
Tue Nov 07 19:11:50 2017 UDP link local: (not bound)
Tue Nov 07 19:11:50 2017 UDP link remote: [AF_INET]24.189.83.110:1194
Tue Nov 07 19:12:50 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Nov 07 19:12:50 2017 TLS Error: TLS handshake failed


Has anyone gotten a valid tls-crypt set up to work? Am I right in using <tls-crypt> tags around my static key within the .ovpn config for the client?

Thanks ahead of time for the help!
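
An added example, not part of the original post and not OpenVPN's own code: the server logs "packet authentication failed" when the HMAC on an incoming control packet does not verify under its tls-crypt key, so one check to run is whether the key inlined in the client profile is byte-for-byte the server's ta.key. The function names are hypothetical and the sample key is constructed by `make_static_key`.

```python
import hashlib
import hmac
import re

KEY_RE = re.compile(r"-----BEGIN OpenVPN Static key V1-----(.*?)"
                    r"-----END OpenVPN Static key V1-----", re.S)
BLOCK_RE = re.compile(r"<(tls-crypt|tls-auth)>(.*?)</\1>", re.S)

def static_key_bytes(text):
    """Return the 256 raw bytes of an OpenVPN static key, or None if malformed."""
    m = KEY_RE.search(text)
    if not m:
        return None
    try:
        key = bytes.fromhex("".join(m.group(1).split()))
    except ValueError:
        return None
    return key if len(key) == 256 else None

def fingerprint(key):
    """Truncated SHA-256, so keys can be compared in a ticket without pasting them."""
    return hashlib.sha256(key).hexdigest()[:16]

def check_profile(server_key_text, client_profile):
    """List mismatches between the server's tls-crypt key and a client profile."""
    server_key = static_key_bytes(server_key_text)
    if server_key is None:
        return ["server key file is not a valid 2048-bit static key"]
    blocks = dict(BLOCK_RE.findall(client_profile))
    findings = []
    if "tls-auth" in blocks:
        findings.append("client still has a <tls-auth> block")
    if "tls-crypt" not in blocks:
        return findings + ["client has no <tls-crypt> block"]
    client_key = static_key_bytes(blocks["tls-crypt"])
    if client_key is None:
        findings.append("client <tls-crypt> key is malformed")
    elif not hmac.compare_digest(server_key, client_key):
        findings.append("key mismatch: server %s, client %s"
                        % (fingerprint(server_key), fingerprint(client_key)))
    return findings

def make_static_key(seed):
    """Constructed sample key (not a real one), laid out like a ta.key file."""
    raw = hashlib.shake_256(seed).digest(256).hex()
    rows = [raw[i:i + 32] for i in range(0, len(raw), 32)]
    return "\n".join(["# constructed sample",
                      "-----BEGIN OpenVPN Static key V1-----", *rows,
                      "-----END OpenVPN Static key V1-----"]) + "\n"
```

An empty list from `check_profile` means the inline key matches the server's file, which rules out key material as the cause and points the search at the rest of the client profile.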

Post by TinCanTech » Wed Nov 08, 2017 12:21 pm

colombiunpride wrote (Wed Nov 08, 2017 12:22 am):
Has anyone gotten a valid tls-crypt set up to work?

Yes ..

colombiunpride wrote (Wed Nov 08, 2017 12:22 am):
Am I right in using <tls-crypt> tags around my static key within the .ovpn config for the client?

Yes ..

Please see:
HOWTO: Request Help ! {2}
