Server with ed25519 certs fails on LAN with TLS Error: local/remote TLS keys are out of sync
Posted: Sun Nov 06, 2022 3:19 am
[oconf]
I've configured a server with ed25519 and two routes. The server works fine for clients off the LAN. However, on the LAN trying the connect throws the error "TLS Error: local/remote TLS keys are out of sync" (partial log below).
I am able to ping clients when connected from the WAN. I do not observe this issue with RSA or P384 keys.
server.ovpn:
client.ovpn:
Logs:
I've configured a server with ed25519 and two routes. The server works fine for clients off the LAN. However, on the LAN trying the connect throws the error "TLS Error: local/remote TLS keys are out of sync" (partial log below).
I am able to ping clients when connected from the WAN. I do not observe this issue with RSA or P384 keys.
server.ovpn:
Code: Select all
local 10.0.1.3
port 443
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
tls-crypt ta.key
dh none
ecdh-curve ed25519
server 10.8.0.0 255.255.255.0
route 10.0.1.0 255.255.255.0
route 10.8.0.0 255.255.255.0
topology subnet
push "route 10.0.1.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 10.0.1.3"
cipher AES-256-GCM
tls-version-min 1.3
persist-key
persist-tun
ifconfig-pool-persist "/usr/local/ipp.txt"
verb 3
Code: Select all
client
dev tun
proto udp
remote server.com 443
redirect-gateway def1
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
<ca>
…
</ca>
<cert>
…
</cert>
<key>
…
</key>
key-direction 1
<tls-crypt>
…
</tls-crypt>
cipher AES-256-GCM
tls-version-min 1.3
verb 3
Code: Select all
2022-11-05 22:39:36.684724 10.0.1.29:60304 TLS: Initial packet from [AF_INET]10.0.1.29:60304, sid=19ec786c fb2cc2f9
2022-11-05 22:39:37.138273 TLS Error: local/remote TLS keys are out of sync: [AF_INET]10.0.1.29:60304 [0]
2022-11-05 22:39:37.672571 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1667702376) 2022-11-05 22:39:36 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
2022-11-05 22:39:37.672614 tls-crypt unwrap error: packet replay
2022-11-05 22:39:37.672635 TLS Error: tls-crypt unwrapping failed from [AF_INET]10.0.1.29:60304
2022-11-05 22:39:38.679025 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1667702376) 2022-11-05 22:39:36 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
2022-11-05 22:39:38.679061 tls-crypt unwrap error: packet replay
2022-11-05 22:39:38.679078 TLS Error: tls-crypt unwrapping failed from [AF_INET]10.0.1.29:60304
2022-11-05 22:39:39.558470 TLS Error: local/remote TLS keys are out of sync: [AF_INET]10.0.1.29:60304 [0]
2022-11-05 22:39:39.566405 TLS Error: local/remote TLS keys are out of sync: [AF_INET]10.0.1.29:60304 [0]
2022-11-05 22:39:39.637268 TLS Error: local/remote TLS keys are out of sync: [AF_INET]10.0.1.29:60304 [0]
2022-11-05 22:39:39.674872 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1667702376) 2022-11-05 22:39:36 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
2022-11-05 22:39:39.674914 tls-crypt unwrap error: packet replay
2022-11-05 22:39:39.674936 TLS Error: tls-crypt unwrapping failed from [AF_INET]10.0.1.29:60304