
OpenVPN Connect 3.0.2 (894) fails to connect. TLS error

Posted: Tue Oct 23, 2018 8:34 pm
by cavallad
I am using an OpenVPN server on an Asus RT-68U router that connects fine from a MacBook Pro via a TunnelBlick client, but fails to connect with an OpenVPN Connect client ver 3.0.2 (894) on an iPhone running iOS 12.0.1.

In other words, with the *same* .ovpn file, the iPhone fails to connect but the MacBook Pro works well. The difference is the client software.

The server log is as follows (scroll to end for the final error message):

Oct 23 20:30:25 ovpn-server1[4388]: MULTI: multi_create_instance called
Oct 23 20:30:25 ovpn-server1[4388]: 192.168.250.120 Re-using SSL/TLS context
Oct 23 20:30:25 ovpn-server1[4388]: 192.168.250.120 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Oct 23 20:30:25 ovpn-server1[4388]: 192.168.250.120 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Oct 23 20:30:25 ovpn-server1[4388]: 192.168.250.120 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Oct 23 20:30:25 ovpn-server1[4388]: 192.168.250.120 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Oct 23 20:30:25 ovpn-server1[4388]: 192.168.250.120 TLS: Initial packet from [AF_INET6]::ffff:192.168.250.120:54923, sid=4ddfffe4 b431df1c
Oct 23 20:30:26 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326625) Tue Oct 23 20:30:25 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:26 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:54923
Oct 23 20:30:27 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326625) Tue Oct 23 20:30:25 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:27 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:54923
Oct 23 20:30:28 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326625) Tue Oct 23 20:30:25 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:28 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:54923
Oct 23 20:30:29 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326625) Tue Oct 23 20:30:25 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:29 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:54923
Oct 23 20:30:30 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326625) Tue Oct 23 20:30:25 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:30 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:54923
Oct 23 20:30:31 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326625) Tue Oct 23 20:30:25 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:31 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:54923
Oct 23 20:30:32 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326625) Tue Oct 23 20:30:25 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:32 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:54923
Oct 23 20:30:33 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326625) Tue Oct 23 20:30:25 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:33 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:54923
Oct 23 20:30:34 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326625) Tue Oct 23 20:30:25 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:34 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:54923
Oct 23 20:30:35 ovpn-server1[4388]: MULTI: multi_create_instance called
Oct 23 20:30:35 ovpn-server1[4388]: 192.168.250.120 Re-using SSL/TLS context
Oct 23 20:30:35 ovpn-server1[4388]: 192.168.250.120 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Oct 23 20:30:35 ovpn-server1[4388]: 192.168.250.120 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Oct 23 20:30:35 ovpn-server1[4388]: 192.168.250.120 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Oct 23 20:30:35 ovpn-server1[4388]: 192.168.250.120 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Oct 23 20:30:35 ovpn-server1[4388]: 192.168.250.120 TLS: Initial packet from [AF_INET6]::ffff:192.168.250.120:50940, sid=63f5d151 1c5cb8f7
Oct 23 20:30:36 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326635) Tue Oct 23 20:30:35 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:36 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:50940
Oct 23 20:30:37 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326635) Tue Oct 23 20:30:35 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:37 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:50940
Oct 23 20:30:38 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326635) Tue Oct 23 20:30:35 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:38 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:50940
Oct 23 20:30:39 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326635) Tue Oct 23 20:30:35 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:39 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:50940
Oct 23 20:30:40 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326635) Tue Oct 23 20:30:35 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:40 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:50940
Oct 23 20:30:41 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326635) Tue Oct 23 20:30:35 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:41 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:50940
Oct 23 20:30:42 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326635) Tue Oct 23 20:30:35 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:42 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:50940
Oct 23 20:30:43 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326635) Tue Oct 23 20:30:35 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:43 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:50940
Oct 23 20:30:44 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326635) Tue Oct 23 20:30:35 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:44 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:50940
Oct 23 20:30:45 ovpn-server1[4388]: MULTI: multi_create_instance called
Oct 23 20:30:45 ovpn-server1[4388]: 192.168.250.120 Re-using SSL/TLS context
Oct 23 20:30:45 ovpn-server1[4388]: 192.168.250.120 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Oct 23 20:30:45 ovpn-server1[4388]: 192.168.250.120 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Oct 23 20:30:45 ovpn-server1[4388]: 192.168.250.120 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Oct 23 20:30:45 ovpn-server1[4388]: 192.168.250.120 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Oct 23 20:30:45 ovpn-server1[4388]: 192.168.250.120 TLS: Initial packet from [AF_INET6]::ffff:192.168.250.120:58626, sid=a4ea8fd6 a819eb2b
Oct 23 20:30:46 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326645) Tue Oct 23 20:30:45 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:46 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:58626
Oct 23 20:30:47 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326645) Tue Oct 23 20:30:45 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:47 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:58626
Oct 23 20:30:48 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326645) Tue Oct 23 20:30:45 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:48 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:58626
Oct 23 20:30:49 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326645) Tue Oct 23 20:30:45 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:49 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:58626
Oct 23 20:30:50 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326645) Tue Oct 23 20:30:45 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:50 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:58626
Oct 23 20:30:51 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326645) Tue Oct 23 20:30:45 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:51 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:58626
Oct 23 20:30:52 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326645) Tue Oct 23 20:30:45 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:52 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:58626
Oct 23 20:30:54 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326645) Tue Oct 23 20:30:45 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:54 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:58626
Oct 23 20:30:55 ovpn-server1[4388]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540326645) Tue Oct 23 20:30:45 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 20:30:55 ovpn-server1[4388]: 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:58626
Oct 23 20:31:25 ovpn-server1[4388]: 192.168.250.120 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct 23 20:31:25 ovpn-server1[4388]: 192.168.250.120 TLS Error: TLS handshake failed
Oct 23 20:31:25 ovpn-server1[4388]: 192.168.250.120 SIGUSR1[soft,tls-error] received, client-instance restarting
Oct 23 20:31:35 ovpn-server1[4388]: 192.168.250.120 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct 23 20:31:35 ovpn-server1[4388]: 192.168.250.120 TLS Error: TLS handshake failed
Oct 23 20:31:35 ovpn-server1[4388]: 192.168.250.120 SIGUSR1[soft,tls-error] received, client-instance restarting
Oct 23 20:31:45 ovpn-server1[4388]: 192.168.250.120 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct 23 20:31:45 ovpn-server1[4388]: 192.168.250.120 TLS Error: TLS handshake failed
Oct 23 20:31:45 ovpn-server1[4388]: 192.168.250.120 SIGUSR1[soft,tls-error] received, client-instance restarting

Any help gratefully received.

Re: OpenVPN Connect 3.0.2 (894) fails to connect. TLS error

Posted: Wed Oct 24, 2018 12:15 pm
by ordex
This seems to be a problem with your tls-auth or tls-crypt settings.
How is it configured on the client?

Re: OpenVPN Connect 3.0.2 (894) fails to connect. TLS error

Posted: Wed Oct 24, 2018 12:31 pm
by cavallad
Thanks, the client conf is:

client
dev tun
proto udp
remote xxxx 1194
float
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
cipher AES-256-CBC
auth SHA256
keepalive 15 60
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
/
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
/
-----END OpenVPN Static key V1-----
</tls-auth>
resolv-retry infinite
nobind

Re: OpenVPN Connect 3.0.2 (894) fails to connect. TLS error

Posted: Wed Oct 24, 2018 1:14 pm
by TinCanTech
cavallad wrote (Wed Oct 24, 2018 12:31 pm):
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
/
-----END OpenVPN Static key V1-----
</tls-auth>

This requires --key-direction

See https://community.openvpn.net/openvpn/w ... nPage#lbAJ
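
An added example, not part of the original thread: a small checker that reads the server's "Expected Remote Options String" log line and reports which tls-auth related directives in a client profile differ from it. The function names are hypothetical, the log line and profile are constructed from the snippets posted above with key material elided, and a reported difference is only a lead to check, not a diagnosis.

```python
import re

# Constructed sample: one server log line in the format posted in the thread.
SERVER_LOG_LINE = (
    "Oct 23 20:30:25 ovpn-server1[4388]: 192.168.250.120 "
    "Expected Remote Options String (VER=V4): "
    "'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,"
    "cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'"
)

# Constructed sample: the first client profile from the thread, reduced to the
# directives that matter here; inline key material is elided.
CLIENT_PROFILE = """\
client
dev tun
proto udp
remote xxxx 1194
cipher AES-256-CBC
auth SHA256
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(elided)
-----END OpenVPN Static key V1-----
</tls-auth>
nobind
"""

OPTS_RE = re.compile(r"Expected Remote Options String \(VER=V\d+\): '([^']*)'")


def parse_expected_remote(log_text):
    """Return the options the server expects from the peer as a dict."""
    m = OPTS_RE.search(log_text)
    if m is None:
        raise ValueError("no Expected Remote Options String in log")
    opts = {}
    for item in m.group(1).split(","):
        key, _, value = item.strip().partition(" ")
        opts[key] = value or True          # bare flags such as 'tls-auth'
    return opts


def parse_client_profile(text):
    """Parse a .ovpn profile into {directive: value}, skipping inline blocks."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                          # inside <tag> ... </tag>
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":     # blank line or comment
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            inline = m.group(1)
            opts[inline] = True             # e.g. inline <tls-auth> key present
            continue
        key, _, value = line.partition(" ")
        opts[key] = value.strip() or True
    return opts


def client_view(profile):
    """Map client directives onto the names used in the options string."""
    keydir = profile.get("key-direction")
    tls_auth = profile.get("tls-auth")
    if keydir is None and isinstance(tls_auth, str):
        # File form: 'tls-auth <file> <direction>'
        parts = tls_auth.split()
        if len(parts) == 2 and parts[1] in ("0", "1"):
            keydir = parts[1]
    return {
        "tls-auth": True if tls_auth else None,
        "keydir": keydir,
        "cipher": profile.get("cipher"),
        "auth": profile.get("auth"),
    }


def compare(expected, profile):
    """Return {option: (server_expects, client_profile_sets)} for differences.

    None on the client side means the profile does not set the directive,
    so the client's built-in default applies.
    """
    view = client_view(profile)
    findings = {}
    for opt in ("tls-auth", "keydir", "cipher", "auth"):
        want, have = expected.get(opt), view[opt]
        if want != have:
            findings[opt] = (want, have)
    return findings


if __name__ == "__main__":
    diff = compare(parse_expected_remote(SERVER_LOG_LINE),
                   parse_client_profile(CLIENT_PROFILE))
    for opt, (want, have) in diff.items():
        print(f"{opt}: server expects {want!r}, profile sets {have!r}")
```
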

Re: OpenVPN Connect 3.0.2 (894) fails to connect. TLS error

Posted: Wed Oct 24, 2018 2:03 pm
by cavallad
Thanks for the suggestion.

I have the same problem with 'key-direction 1' included.

The client.ovpn is:

client
dev tun
proto udp
key-direction 1
resolv-retry infinite
nobind
remote xxx 1194
float
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
keepalive 15 60
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
[...]
-----END OpenVPN Static key V1-----
</tls-auth>

...and the error is:

Oct 24 13:55:31 ovpn-server1[3368]: MULTI: multi_create_instance called
Oct 24 13:55:31 ovpn-server1[3368]: 192.168.250.120 Re-using SSL/TLS context
Oct 24 13:55:31 ovpn-server1[3368]: 192.168.250.120 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Oct 24 13:55:31 ovpn-server1[3368]: 192.168.250.120 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Oct 24 13:55:31 ovpn-server1[3368]: 192.168.250.120 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Oct 24 13:55:31 ovpn-server1[3368]: 192.168.250.120 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Oct 24 13:55:31 ovpn-server1[3368]: 192.168.250.120 TLS: Initial packet from [AF_INET6]::ffff:192.168.250.120:58281, sid=b1f5f4dd 37e97b89
Oct 24 13:55:32 ovpn-server1[3368]: 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540389331) Wed Oct 24 13:55:31 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

...etc etc

Re: OpenVPN Connect 3.0.2 (894) fails to connect. TLS error

Posted: Wed Oct 24, 2018 2:33 pm
by TinCanTech
We also need to see your server log at verb 4 when the client is trying to connect.

Your server config will probably help as well.

Re: OpenVPN Connect 3.0.2 (894) fails to connect. TLS error

Posted: Wed Oct 24, 2018 3:08 pm
by cavallad
Server log:
Wed Oct 24 15:01:00 2018 OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 21 2018
Wed Oct 24 15:01:00 2018 library versions: OpenSSL 1.0.2p 14 Aug 2018, LZO 2.08
Wed Oct 24 15:01:00 2018 PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Wed Oct 24 15:01:00 2018 Diffie-Hellman initialized with 2048 bit key
Wed Oct 24 15:01:00 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Oct 24 15:01:00 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Oct 24 15:01:00 2018 TUN/TAP device tun21 opened
Wed Oct 24 15:01:00 2018 TUN/TAP TX queue length set to 100
Wed Oct 24 15:01:00 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Oct 24 15:01:00 2018 /usr/sbin/ip link set dev tun21 up mtu 1500
Wed Oct 24 15:01:00 2018 /usr/sbin/ip addr add dev tun21 10.8.0.1/24 broadcast 10.8.0.255
Wed Oct 24 15:01:00 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET6
Wed Oct 24 15:01:00 2018 Socket Buffers: R=[122880->122880] S=[122880->122880]
Wed Oct 24 15:01:00 2018 setsockopt(IPV6_V6ONLY=0)
Wed Oct 24 15:01:00 2018 UDPv6 link local (bound): [AF_INET6][undef]:1194
Wed Oct 24 15:01:00 2018 UDPv6 link remote: [AF_UNSPEC]
Wed Oct 24 15:01:00 2018 MULTI: multi_init called, r=256 v=256
Wed Oct 24 15:01:00 2018 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Wed Oct 24 15:01:00 2018 Initialization Sequence Completed
Wed Oct 24 15:01:20 2018 192.168.250.120 TLS: Initial packet from [AF_INET6]::ffff:192.168.250.120:57825, sid=e5e1a3b3 515c4e6f
Wed Oct 24 15:01:21 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393280) Wed Oct 24 15:01:20 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:21 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:57825
Wed Oct 24 15:01:22 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393280) Wed Oct 24 15:01:20 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:22 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:57825
Wed Oct 24 15:01:23 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393280) Wed Oct 24 15:01:20 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:23 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:57825
Wed Oct 24 15:01:24 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393280) Wed Oct 24 15:01:20 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:24 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:57825
Wed Oct 24 15:01:25 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393280) Wed Oct 24 15:01:20 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:25 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:57825
Wed Oct 24 15:01:26 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393280) Wed Oct 24 15:01:20 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:26 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:57825
Wed Oct 24 15:01:27 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393280) Wed Oct 24 15:01:20 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:27 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:57825
Wed Oct 24 15:01:28 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393280) Wed Oct 24 15:01:20 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:28 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:57825
Wed Oct 24 15:01:29 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393280) Wed Oct 24 15:01:20 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:29 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:57825
Wed Oct 24 15:01:30 2018 192.168.250.120 TLS: Initial packet from [AF_INET6]::ffff:192.168.250.120:56908, sid=d5f00dc2 dbc4398b
Wed Oct 24 15:01:31 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393290) Wed Oct 24 15:01:30 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:31 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:56908
Wed Oct 24 15:01:32 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393290) Wed Oct 24 15:01:30 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:32 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:56908
Wed Oct 24 15:01:33 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393290) Wed Oct 24 15:01:30 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:33 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:56908
Wed Oct 24 15:01:34 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393290) Wed Oct 24 15:01:30 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:34 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:56908
Wed Oct 24 15:01:35 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393290) Wed Oct 24 15:01:30 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:35 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:56908
Wed Oct 24 15:01:36 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393290) Wed Oct 24 15:01:30 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:36 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:56908
Wed Oct 24 15:01:37 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393290) Wed Oct 24 15:01:30 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:37 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:56908
Wed Oct 24 15:01:38 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393290) Wed Oct 24 15:01:30 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:38 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:56908
Wed Oct 24 15:01:39 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393290) Wed Oct 24 15:01:30 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:39 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:56908
Wed Oct 24 15:01:40 2018 192.168.250.120 TLS: Initial packet from [AF_INET6]::ffff:192.168.250.120:63960, sid=3b926274 df3f1886
Wed Oct 24 15:01:41 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393300) Wed Oct 24 15:01:40 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:41 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:63960
Wed Oct 24 15:01:43 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393300) Wed Oct 24 15:01:40 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:43 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:63960
Wed Oct 24 15:01:44 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393300) Wed Oct 24 15:01:40 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:44 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:63960
Wed Oct 24 15:01:45 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393300) Wed Oct 24 15:01:40 2018 ] -- see the man page entry for --no-replay and --repl
Wed Oct 24 15:01:45 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:63960
Wed Oct 24 15:02:21 2018 192.168.250.120 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Oct 24 15:02:21 2018 192.168.250.120 TLS Error: TLS handshake failed
Wed Oct 24 15:02:21 2018 192.168.250.120 SIGUSR1[soft,tls-error] received, client-instance restarting
Wed Oct 24 15:02:30 2018 192.168.250.120 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Oct 24 15:02:30 2018 192.168.250.120 TLS Error: TLS handshake failed
Wed Oct 24 15:02:30 2018 192.168.250.120 SIGUSR1[soft,tls-error] received, client-instance restarting
Wed Oct 24 15:02:40 2018 192.168.250.120 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Oct 24 15:02:40 2018 192.168.250.120 TLS Error: TLS handshake failed
Wed Oct 24 15:02:40 2018 192.168.250.120 SIGUSR1[soft,tls-error] received, client-instance restarting

------------------

Server config:
# Automatically generated configuration
daemon ovpn-server1
topology subnet
server 10.8.0.0 255.255.255.0
proto udp
port 1194
dev tun21
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
keepalive 15 60
verb 4
duplicate-cn
push "redirect-gateway def1"
tls-auth static.key 0
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
verify-client-cert none
username-as-common-name
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status 5

Thanks again!

Re: OpenVPN Connect 3.0.2 (894) fails to connect. TLS error

Posted: Wed Oct 24, 2018 3:13 pm
by cavallad
Apologies, here is the server log at verb 4:

Wed Oct 24 15:09:56 2018 us=141337 Current Parameter Settings:
Wed Oct 24 15:09:56 2018 us=141562 config = 'config.ovpn'
Wed Oct 24 15:09:56 2018 us=141620 mode = 1
Wed Oct 24 15:09:56 2018 us=141666 persist_config = DISABLED
Wed Oct 24 15:09:56 2018 us=141712 persist_mode = 1
Wed Oct 24 15:09:56 2018 us=141756 show_ciphers = DISABLED
Wed Oct 24 15:09:56 2018 us=141800 show_digests = DISABLED
Wed Oct 24 15:09:56 2018 us=141843 show_engines = DISABLED
Wed Oct 24 15:09:56 2018 us=141886 genkey = DISABLED
Wed Oct 24 15:09:56 2018 us=141929 key_pass_file = '[UNDEF]'
Wed Oct 24 15:09:56 2018 us=141972 show_tls_ciphers = DISABLED
Wed Oct 24 15:09:56 2018 us=142016 connect_retry_max = 0
Wed Oct 24 15:09:56 2018 us=142060 Connection profiles [0]:
Wed Oct 24 15:09:56 2018 us=142117 proto = udp
Wed Oct 24 15:09:56 2018 us=142167 local = '[UNDEF]'
Wed Oct 24 15:09:56 2018 us=142212 local_port = '1194'
Wed Oct 24 15:09:56 2018 us=142257 remote = '[UNDEF]'
Wed Oct 24 15:09:56 2018 us=142300 remote_port = '1194'
Wed Oct 24 15:09:56 2018 us=142344 remote_float = DISABLED
Wed Oct 24 15:09:56 2018 us=142387 bind_defined = DISABLED
Wed Oct 24 15:09:56 2018 us=142430 bind_local = ENABLED
Wed Oct 24 15:09:56 2018 us=142474 bind_ipv6_only = DISABLED
Wed Oct 24 15:09:56 2018 us=142518 connect_retry_seconds = 5
Wed Oct 24 15:09:56 2018 us=142561 connect_timeout = 120
Wed Oct 24 15:09:56 2018 us=142627 socks_proxy_server = '[UNDEF]'
Wed Oct 24 15:09:56 2018 us=142676 socks_proxy_port = '[UNDEF]'
Wed Oct 24 15:09:56 2018 us=142722 tun_mtu = 1500
Wed Oct 24 15:09:56 2018 us=142766 tun_mtu_defined = ENABLED
Wed Oct 24 15:09:56 2018 us=142810 link_mtu = 1500
Wed Oct 24 15:09:56 2018 us=142853 link_mtu_defined = DISABLED
Wed Oct 24 15:09:56 2018 us=142898 tun_mtu_extra = 0
Wed Oct 24 15:09:56 2018 us=142942 tun_mtu_extra_defined = DISABLED
Wed Oct 24 15:09:56 2018 us=142985 mtu_discover_type = -1
Wed Oct 24 15:09:56 2018 us=143029 fragment = 0
Wed Oct 24 15:09:56 2018 us=143073 mssfix = 1450
Wed Oct 24 15:09:56 2018 us=143117 explicit_exit_notification = 0
Wed Oct 24 15:09:56 2018 us=143158 Connection profiles END
Wed Oct 24 15:09:56 2018 us=143201 remote_random = DISABLED
Wed Oct 24 15:09:56 2018 us=143244 ipchange = '[UNDEF]'
Wed Oct 24 15:09:56 2018 us=143287 dev = 'tun21'
Wed Oct 24 15:09:56 2018 us=143368 dev_type = '[UNDEF]'
Wed Oct 24 15:09:56 2018 us=143416 dev_node = '[UNDEF]'
Wed Oct 24 15:09:56 2018 us=143460 lladdr = '[UNDEF]'
Wed Oct 24 15:09:56 2018 us=143504 topology = 3
Wed Oct 24 15:09:56 2018 us=143547 ifconfig_local = '10.8.0.1'
Wed Oct 24 15:09:56 2018 us=143591 ifconfig_remote_netmask = '255.255.255.0'
Wed Oct 24 15:09:56 2018 us=143635 ifconfig_noexec = DISABLED
Wed Oct 24 15:09:56 2018 us=143703 ifconfig_nowarn = DISABLED
Wed Oct 24 15:09:56 2018 us=143753 ifconfig_ipv6_local = '[UNDEF]'
Wed Oct 24 15:09:56 2018 us=143799 ifconfig_ipv6_netbits = 0
Wed Oct 24 15:09:56 2018 us=143842 ifconfig_ipv6_remote = '[UNDEF]'
Wed Oct 24 15:09:56 2018 us=143885 shaper = 0
Wed Oct 24 15:09:56 2018 us=143929 mtu_test = 0
Wed Oct 24 15:09:56 2018 us=143973 mlock = DISABLED
Wed Oct 24 15:09:56 2018 us=144017 keepalive_ping = 15
Wed Oct 24 15:09:56 2018 us=144061 keepalive_timeout = 60
Wed Oct 24 15:09:56 2018 us=144104 inactivity_timeout = 0
Wed Oct 24 15:09:56 2018 us=144148 ping_send_timeout = 15
Wed Oct 24 15:09:56 2018 us=144191 ping_rec_timeout = 120
Wed Oct 24 15:09:56 2018 us=144234 ping_rec_timeout_action = 2
Wed Oct 24 15:09:56 2018 us=144277 ping_timer_remote = DISABLED
Wed Oct 24 15:09:56 2018 us=144320 remap_sigusr1 = 0
Wed Oct 24 15:09:56 2018 us=144364 persist_tun = DISABLED
Wed Oct 24 15:09:56 2018 us=144407 persist_local_ip = DISABLED
Wed Oct 24 15:09:56 2018 us=144449 persist_remote_ip = DISABLED
Wed Oct 24 15:09:56 2018 us=144492 persist_key = DISABLED
Wed Oct 24 15:09:56 2018 us=144535 passtos = DISABLED
Wed Oct 24 15:09:56 2018 us=144581 resolve_retry_seconds = 1000000000
Wed Oct 24 15:09:56 2018 us=144624 resolve_in_advance = DISABLED
Wed Oct 24 15:09:56 2018 us=144684 username = '[UNDEF]'
Wed Oct 24 15:09:56 2018 us=144731 groupname = '[UNDEF]'
Wed Oct 24 15:09:56 2018 us=144803 chroot_dir = '[UNDEF]'
Wed Oct 24 15:09:56 2018 us=144849 cd_dir = '/etc/openvpn/server1'
Wed Oct 24 15:09:56 2018 us=144893 writepid = '[UNDEF]'
Wed Oct 24 15:09:56 2018 us=144965 up_script = '[UNDEF]'
Wed Oct 24 15:09:56 2018 us=145015 down_script = '[UNDEF]'
Wed Oct 24 15:09:56 2018 us=145060 down_pre = DISABLED
Wed Oct 24 15:09:56 2018 us=145105 up_restart = DISABLED
Wed Oct 24 15:09:56 2018 us=145148 up_delay = DISABLED
Wed Oct 24 15:09:56 2018 us=145191 daemon = ENABLED
Wed Oct 24 15:09:56 2018 us=145235 inetd = 0

Re: OpenVPN Connect 3.0.2 (894) fails to connect. TLS error

Posted: Wed Oct 24, 2018 4:25 pm
by TinCanTech
cavallad wrote:
Wed Oct 24, 2018 3:08 pm
Wed Oct 24 15:01:21 2018 192.168.250.120 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1540393280) Wed Oct 24 15:01:20 2018 ] -- see the man page entry for --no-replay and --repl

You can ignore this for now.

cavallad wrote:
Wed Oct 24, 2018 3:08 pm
Wed Oct 24 15:01:21 2018 192.168.250.120 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:192.168.250.120:57825

This suggests you are using the wrong --tls-auth key file.

Re: OpenVPN Connect 3.0.2 (894) fails to connect. TLS error

Posted: Wed Oct 24, 2018 8:09 pm
by ordex
Yeah, I agree with the post above.
And if on the server you have "key-direction 0" (the second argument on the tls-auth line), you *must* keep "key-direction 1" on the client.
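
The two tls-auth checks raised in the replies above (same static key on both sides, complementary key direction), as an added example that is not code from the thread or from OpenVPN. The helper names, the in-memory `key_files` mapping and the filler keys are assumptions constructed for illustration; only the `tls-auth static.key 0` line comes from the posted server config.

```python
import hashlib
import re

def parse_tls_auth(config_text, key_files):
    """Return (direction, key_fingerprint) from a server config or .ovpn profile."""
    direction, key_text = None, None
    inline = re.search(r"<tls-auth>(.*?)</tls-auth>", config_text, re.S)
    if inline:
        key_text = inline.group(1)                           # key embedded in the profile
    for line in config_text.splitlines():
        words = line.split("#")[0].split()
        if len(words) >= 2 and words[0] == "tls-auth":
            key_text = key_text or key_files.get(words[1])   # key kept in a file
            if len(words) >= 3:
                direction = int(words[2])                    # second argument
        elif len(words) >= 2 and words[0] == "key-direction":
            direction = int(words[1])
    if key_text is None:
        return direction, None
    # Fingerprint only the hex payload, so comments and line endings do not matter.
    lines = (l.strip() for l in key_text.splitlines())
    payload = "".join(l for l in lines if re.fullmatch(r"[0-9a-fA-F]+", l)).lower()
    return direction, hashlib.sha256(payload.encode()).hexdigest()

def check_tls_auth(server_cfg, client_cfg, key_files):
    """List the tls-auth mismatches between a server config and a client profile."""
    s_dir, s_fp = parse_tls_auth(server_cfg, key_files)
    c_dir, c_fp = parse_tls_auth(client_cfg, key_files)
    problems = []
    if None in (s_fp, c_fp):
        problems.append("tls-auth key missing on one side")
    elif s_fp != c_fp:
        problems.append("static key differs between server and client")
    # Valid pairs: 0 and 1 on opposite sides, or no direction on either side.
    if (s_dir, c_dir) not in {(0, 1), (1, 0), (None, None)}:
        problems.append(f"key direction server={s_dir} client={c_dir} is not complementary")
    return problems

def fake_key(hex_digit):
    """Constructed filler in the static-key file layout; not a real key."""
    body = "\n".join([hex_digit * 32] * 16)
    return f"-----BEGIN OpenVPN Static key V1-----\n{body}\n-----END OpenVPN Static key V1-----\n"

def client(key, direction_line="key-direction 1"):  # constructed client profile
    return f"client\nproto udp\n{direction_line}\n<tls-auth>\n{key}</tls-auth>\n"

SERVER = "proto udp\nport 1194\ntls-auth static.key 0\n"  # excerpt of the posted config
FILES = {"static.key": fake_key("a")}                      # stand-in for the key on disk
print(check_tls_auth(SERVER, client(fake_key("b"), ""), FILES))
```

An empty list means the profile and the server agree on both points, so an authentication failure has to be explained some other way.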

Re: OpenVPN Connect 3.0.2 (894) fails to connect. TLS error

Posted: Thu Oct 25, 2018 10:26 am
by cavallad
Thanks for all your help, I really appreciate it. I tried all of the above options, but none of them worked.

The only thing that DID work was switching to TCP rather than UDP.

The strange thing is that connections via TunnelBlick from a MacBook Pro work fine over UDP, but those via OpenVPN Connect for iOS from an iPhone running iOS v12.0.1 require, in this instance, TCP.

Re: OpenVPN Connect 3.0.2 (894) fails to connect. TLS error

Posted: Thu Oct 25, 2018 5:36 pm
by ordex
If that's the case then maybe something is mangling the UDP packets, thus resulting in the server rejecting them as they can't be authenticated... Interesting, so far nobody else has seen this behaviour on iOS 12.