[Solved] tls-crypt unwrap error: packet too short

KokosBot
OpenVpn Newbie
Posts: 2
Joined: Mon Aug 31, 2020 8:22 pm

[Solved] tls-crypt unwrap error: packet too short

Post by KokosBot » Mon Aug 31, 2020 9:34 pm

Hello openvpn forum,

I am trying to create a VPN, currently with a server and a client.
My problem is, I have an Arch Linux server for the OpenVPN server and
a Debian server for the OpenVPN client.

Packages used:
Arch Linux: openvpn (2.4.9-2)
Debian: openvpn (2.4.7-1)

I used the Arch Linux tutorial for the openVPN server side.
https://wiki.archlinux.org/index.php/Op ... ation_file
https://wiki.archlinux.org/index.php/Easy-RSA
=> Elliptic curve cryptography.

For the client side of OpenVPN I used the Debian tutorial.
https://wiki.debian.org/OpenVPN

To test my setup I started the server side and then, on another machine, my client.

Server output:

Mon Aug 31 21:15:07 2020 Initialization Sequence Completed
Mon Aug 31 21:31:00 2020 tls-crypt unwrap error: packet too short
Mon Aug 31 21:31:00 2020 TLS Error: tls-crypt unwrapping failed from [AF_INET]XXXXX:33577
Mon Aug 31 21:31:02 2020 tls-crypt unwrap error: packet too short
Mon Aug 31 21:31:02 2020 TLS Error: tls-crypt unwrapping failed from [AF_INET]XXXXX:33577
Mon Aug 31 21:31:06 2020 tls-crypt unwrap error: packet too short
Mon Aug 31 21:31:06 2020 TLS Error: tls-crypt unwrapping failed from [AF_INET]XXXXX:33577

Client output:

Mon Aug 31 19:31:00 2020 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Mon Aug 31 19:31:00 2020 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Mon Aug 31 19:31:00 2020 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Aug 31 19:31:00 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]YYYYY:1194
Mon Aug 31 19:31:00 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Aug 31 19:31:00 2020 UDP link local: (not bound)
Mon Aug 31 19:31:00 2020 UDP link remote: [AF_INET]YYYYY:1194
Mon Aug 31 19:32:01 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Aug 31 19:32:01 2020 TLS Error: TLS handshake failed
Mon Aug 31 19:32:01 2020 SIGUSR1[soft,tls-error] received, process restarting
Mon Aug 31 19:32:01 2020 Restart pause, 5 second(s)

Server config:

port 1194
proto udp
dev tun

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/openVPN_srv.crt
key /etc/openvpn/server/openVPN_srv.key  # This file should be kept secret
tls-crypt /etc/openvpn/server/ta.key
cipher AES-256-CBC

dh none
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
cipher AES-256-GCM

cipher AES-256-GCM
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

Client config:

client
port 1194
proto udp

remote mydomain.de 1194             # VPN server IP : PORT
nobind

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/openVPN_client_build.crt
key /etc/openvpn/easy-rsa/keys/openVPN_client_build.key

dev tun
#comp-lzo
#persist-key
#persist-tun
verb 3

How do I fix this problem, or set up my configs correctly?
Greetings, KokosBot.
Last edited by KokosBot on Tue Sep 01, 2020 1:01 am, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 11138
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt unwrap error: packet too short

Post by TinCanTech » Mon Aug 31, 2020 10:09 pm

Your client also needs the --tls-crypt key-file
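
Added example, not part of the original post: a small check that compares a server and a client config for the mismatch behind this error (`tls-crypt` on one side only) and for the missing server-certificate verification the client log warns about. The function names and the trimmed sample configs are assumptions made for illustration.

```python
import shlex

WRAP = ("tls-auth", "tls-crypt", "tls-crypt-v2")      # control-channel wrapping options
VERIFY = ("remote-cert-tls", "remote-cert-eku", "remote-cert-ku",
          "verify-x509-name", "ns-cert-type")         # server-cert checks on the client

# Constructed samples, trimmed from the two configs posted in this thread.
SERVER_CONF = """
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
tls-crypt /etc/openvpn/server/ta.key
cipher AES-256-GCM
"""
CLIENT_CONF = """
client
proto udp
remote mydomain.de 1194             # VPN server IP : PORT
nobind
ca /etc/openvpn/easy-rsa/keys/ca.crt
dev tun
#comp-lzo
verb 3
"""

def parse_conf(text):
    """Map directive -> list of argument lists; comments and inline key bodies skipped."""
    opts, inline = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if inline:                                    # inside <tag> ... </tag>
            if line == f"</{inline}>":
                inline = None
        elif line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            opts.setdefault(inline, []).append(["[inline]"])
        elif not line.startswith(";"):
            tokens = shlex.split(line, comments=True)
            if tokens:
                opts.setdefault(tokens[0].lstrip("-"), []).append(tokens[1:])
    return opts

def compare(server_text, client_text):
    """Return findings for wrapping mismatch and missing server verification."""
    srv, cli = parse_conf(server_text), parse_conf(client_text)
    findings = []
    s, c = [w for w in WRAP if w in srv], [w for w in WRAP if w in cli]
    if s != c:
        findings.append(f"control-channel wrapping differs: server={s or 'none'} client={c or 'none'}")
    if not any(v in cli for v in VERIFY):
        findings.append("client does not verify the server certificate (e.g. remote-cert-tls server)")
    return findings
```

The check only compares which directives are present; it does not confirm that both sides hold the same key file, which still has to be copied from the server over a trusted channel.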

KokosBot
OpenVpn Newbie
Posts: 2
Joined: Mon Aug 31, 2020 8:22 pm

Re: tls-crypt unwrap error: packet too short

Post by KokosBot » Tue Sep 01, 2020 12:59 am

Thank you for your help and time. It is working now.

postcd
OpenVPN User
Posts: 26
Joined: Sun Jan 24, 2016 9:22 pm

Re: [Solved] tls-crypt unwrap error: packet too short

Post by postcd » Fri Aug 26, 2022 12:59 pm

What is meant by --tls-crypt key-file, where does this file come from, and where does it belong? I am using NetworkManager to import the .ovpn file.

TinCanTech
OpenVPN Protagonist
Posts: 11138
Joined: Fri Jun 03, 2016 1:17 pm

Re: [Solved] tls-crypt unwrap error: packet too short

Post by TinCanTech » Fri Aug 26, 2022 1:11 pm

You need to ask your server administrator for a key.

msaad100
OpenVpn Newbie
Posts: 1
Joined: Fri Aug 02, 2024 6:47 pm

Re: [Solved] tls-crypt unwrap error: packet too short

Post by msaad100 » Fri Aug 02, 2024 6:49 pm

I also added the details of --tls-crypt key-file on the client, but the connection is still not established.
