TLS config problem
Posted: Sat Jul 22, 2023 12:53 pm
Hello,
Could anybody please help me with a tls problem? (see logs below)
Tunnelblick says it's an OpenVPN problem. Which tls config lines should I change?
Regards, Harald
Tunnelblick developer:
Yes, that looks like a TLS problem, perhaps caused by a problem with the files in /tmp as I wrote earlier.
This is a problem with OpenVPN, not a problem with Tunnelblick. You should ask for help from dd-wrt experts or OpenVPN experts (see our Support page).
On Saturday, July 22, 2023 at 12:45:55 AM UTC-4 Harald Vogt wrote:
Hi,
Getting the following log (a problem with tls config?):
Regards, Harald
20230722 06:40:21 I TCP connection established with [AF_INET]109.38.158.134:1396
20230722 06:40:21 109.38.158.134:1396 TLS: Initial packet from [AF_INET]109.38.158.134:1396 sid=2fed45a2 f62e8ddd
20230722 06:40:21 N 109.38.158.134:1396 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.38.158.134:1396
20230722 06:40:21 N 109.38.158.134:1396 Fatal TLS error (check_tls_errors_co) restarting
20230722 06:40:21 109.38.158.134:1396 SIGUSR1[soft tls-error] received client-instance restarting
20230722 06:40:21 I TCP connection established with [AF_INET]109.38.158.134:1397
20230722 06:40:21 109.38.158.134:1397 TLS: Initial packet from [AF_INET]109.38.158.134:1397 sid=e7c9166c b9ace5a7
20230722 06:40:21 N 109.38.158.134:1397 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.38.158.134:1397
20230722 06:40:21 N 109.38.158.134:1397 Fatal TLS error (check_tls_errors_co) restarting
20230722 06:40:21 109.38.158.134:1397 SIGUSR1[soft tls-error] received client-instance restarting
20230722 06:40:21 I TCP connection established with [AF_INET]109.38.158.134:1398
20230722 06:40:21 109.38.158.134:1398 TLS: Initial packet from [AF_INET]109.38.158.134:1398 sid=fb080c40 8844a53e
20230722 06:40:21 N 109.38.158.134:1398 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.38.158.134:1398
20230722 06:40:21 N 109.38.158.134:1398 Fatal TLS error (check_tls_errors_co) restarting
20230722 06:40:21 109.38.158.134:1398 SIGUSR1[soft tls-error] received client-instance restarting
20230722 06:40:21 I TCP connection established with [AF_INET]109.38.158.134:1399
20230722 06:40:21 109.38.158.134:1399 TLS: Initial packet from [AF_INET]109.38.158.134:1399 sid=69c1e28f 1a2a5d59
20230722 06:40:21 N 109.38.158.134:1399 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.38.158.134:1399
20230722 06:40:21 N 109.38.158.134:1399 Fatal TLS error (check_tls_errors_co) restarting
20230722 06:40:21 109.38.158.134:1399 SIGUSR1[soft tls-error] received client-instance restarting
20230722 06:40:22 I TCP connection established with [AF_INET]109.38.158.134:1400
20230722 06:40:22 109.38.158.134:1400 TLS: Initial packet from [AF_INET]109.38.158.134:1400 sid=0e028053 3fe4248c
20230722 06:40:22 N 109.38.158.134:1400 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.38.158.134:1400
20230722 06:40:22 N 109.38.158.134:1400 Fatal TLS error (check_tls_errors_co) restarting
20230722 06:40:22 109.38.158.134:1400 SIGUSR1[soft tls-error] received client-instance restarting
20230722 06:40:22 I TCP connection established with [AF_INET]109.38.158.134:1401
20230722 06:40:22 109.38.158.134:1401 TLS: Initial packet from [AF_INET]109.38.158.134:1401 sid=0080675d c5ebe03f
20230722 06:40:22 N 109.38.158.134:1401 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.38.158.134:1401
20230722 06:40:22 N 109.38.158.134:1401 Fatal TLS error (check_tls_errors_co) restarting
20230722 06:40:22 109.38.158.134:1401 SIGUSR1[soft tls-error] received client-instance restarting
20230722 06:40:22 I TCP connection established with [AF_INET]109.38.158.134:1402
20230722 06:40:22 109.38.158.134:1402 TLS: Initial packet from [AF_INET]109.38.158.134:1402 sid=e82c4223 fc2864ee
20230722 06:40:22 N 109.38.158.134:1402 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.38.158.134:1402
20230722 06:40:22 N 109.38.158.134:1402 Fatal TLS error (check_tls_errors_co) restarting
20230722 06:40:22 109.38.158.134:1402 SIGUSR1[soft tls-error] received client-instance restarting
20230722 06:40:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230722 06:40:43 D MANAGEMENT: CMD 'state'
20230722 06:40:43 MANAGEMENT: Client disconnected
20230722 06:40:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230722 06:40:43 D MANAGEMENT: CMD 'state'
20230722 06:40:43 MANAGEMENT: Client disconnected
20230722 06:40:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230722 06:40:43 D MANAGEMENT: CMD 'state'
20230722 06:40:43 MANAGEMENT: Client disconnected
20230722 06:40:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230722 06:40:43 MANAGEMENT: Client disconnected
20230722 06:40:43 NOTE: --mute triggered...
20230722 06:40:43 1 variation(s) on previous 3 message(s) suppressed by --mute
20230722 06:40:43 D MANAGEMENT: CMD 'status 2'
20230722 06:40:43 MANAGEMENT: Client disconnected
20230722 06:40:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230722 06:40:43 D MANAGEMENT: CMD 'status 2'
20230722 06:40:43 MANAGEMENT: Client disconnected
20230722 06:40:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230722 06:40:43 D MANAGEMENT: CMD 'log 500'
On Friday, July 21, 2023 at 22:11:14 UTC+2 Tunnelblick developer wrote:
I'm not an expert on dd-wrt, but the configuration file looks OK to me.
However, in the "Additional config" section, putting the dh, ca, cert and key files in /tmp seems like a mistake to me. As I understand it, /tmp may be cleared on reboot, and you'd lose those keys. These are all generated once and then reused until they expire. Or does dd-wrt generate new ones each time it is booted? (That would be odd because the dh key takes many seconds to generate, maybe even minutes on a slow machine.)
Maybe those files have been deleted because of a reboot and that's why the problem is happening? I would think the server log would show that.
On Friday, July 21, 2023 at 4:01:44 PM UTC-4 Harald Vogt wrote:
Hello,
Below my server configuration.
OpenVPN Server/Daemon
OpenVPN Enable
Config as Server
Server mode Router (TUN)
Network 10.1.1.0
Netmask 255.255.255.0
Port 443
Tunnel Protocol TCP
Encryption Cipher AES-256 CBC
Hash Algorithm SHA256
Advanced Options Enable
TLS Cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
LZO Compression Adaptive
Redirect default Gateway Disable
Allow Client to Client Enable
Allow duplicate cn Disable
Tunnel MTU setting 1500
Tunnel UDP Fragment (Default: Disable)
Tunnel UDP MSS-FiX Disable
CCD-Dir DEFAULT file
empty
Client connect script
empty
Static Key
empty
PKCS12 Key
empty
Public Server Cert
...
CA Cert
...
Private Server Key
....
DH PEM
...
Additional config
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
server 10.1.1.0 255.255.255.0
dev tun0
keepalive 10 120
comp-lzo
tls-server
remote-cert-tls client
tls-version-min 1.2
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key 0
port-share 192.168.1.53 8443
TLS Auth Key
...
Certificate Revoke List
empty
Regards, Harald
On Friday, July 21, 2023 at 13:37:36 UTC+2 Tunnelblick developer wrote:
Please post your server configuration.
On Friday, July 21, 2023 at 4:32:06 AM UTC-4 Harald Vogt wrote:
Hello,
I forgot to mention that I am connecting with the newest 3. Tunnelblick version:
2023-07-15 06:06:47.510542 *Tunnelblick: macOS 10.15.7 (19H2026); Tunnelblick 3.8.8b (build 5777); prior version 3.8.8a (build 5776)
Furthermore, my router is running dd-wrt (and not the other one, sorry) and shows the following logs.
Anybody any clues?
Regards, Harald
Log Serverlog:
20230721 08:20:44 N 64.62.197.143:31577 Non-OpenVPN client protocol detected
20230721 08:20:44 64.62.197.143:31577 SIGTERM[soft port-share-redirect] received client-instance exiting
20230721 08:20:46 I TCP connection established with [AF_INET]64.62.197.151:5637
20230721 08:20:46 N 64.62.197.151:5637 Non-OpenVPN client protocol detected
20230721 08:20:46 64.62.197.151:5637 SIGTERM[soft port-share-redirect] received client-instance exiting
20230721 08:20:47 I TCP connection established with [AF_INET]64.62.197.143:44991
20230721 08:20:47 N 64.62.197.143:44991 Non-OpenVPN client protocol detected
20230721 08:20:47 64.62.197.143:44991 SIGTERM[soft port-share-redirect] received client-instance exiting
20230721 08:22:14 I TCP connection established with [AF_INET]64.62.197.137:51309
20230721 08:22:14 N 64.62.197.137:51309 Non-OpenVPN client protocol detected
20230721 08:22:14 64.62.197.137:51309 SIGTERM[soft port-share-redirect] received client-instance exiting
20230721 08:23:16 I TCP connection established with [AF_INET]64.62.197.141:64847
20230721 08:23:16 N 64.62.197.141:64847 Non-OpenVPN client protocol detected
On Saturday, July 15, 2023 at 13:03:10 UTC+2 Harald Vogt wrote:
Hi,
Tried to connect to home server (openwrt 2.x) but am getting the following over and over.
2023-07-15 06:07:06.869031 MANAGEMENT: >STATE:1689394026,TCP_CONNECT,,,,,,
2023-07-15 06:07:06.891096 TCP connection established with [AF_INET]84.107.223.202:443
2023-07-15 06:07:06.891224 TCP_CLIENT link local: (not bound)
2023-07-15 06:07:06.891297 TCP_CLIENT link remote: [AF_INET]84.107.223.202:443
2023-07-15 06:07:06.891392 MANAGEMENT: >STATE:1689394026,WAIT,,,,,,
2023-07-15 06:07:06.895367 MANAGEMENT: CMD 'hold release'
2023-07-15 06:07:06.917453 Connection reset, restarting [0]
2023-07-15 06:07:06.917685 SIGUSR1[soft,connection-reset] received, process restarting
2023-07-15 06:07:06.917742 MANAGEMENT: >STATE:1689394026,RECONNECTING,connection-
client.ovpn
client
dev tun
proto tcp
remote xxx.duckdns.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
route-delay 5
verb 5
remote-cert-tls server
cipher 'AES-256-CBC'
comp-lzo no
Any ideas?
Best regards,
H
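As an added example (not from the thread, Tunnelblick or dd-wrt), a small Python check that compares the two configurations posted above and counts the server-side HMAC failures per peer: the server's Additional config enables tls-auth with direction 0 while the posted client.ovpn has no tls-auth line, and a missing or mismatched tls-auth key on one side is the documented cause of OpenVPN's "cannot locate HMAC in incoming packet" error. The config and log snippets are copied from the thread; the ta.key filename and key-direction lines used in the checks are assumptions.

```python
import re
from collections import Counter

# Constructed from the thread: the server's "Additional config" block and the
# posted client.ovpn, trimmed to the lines relevant to the control channel.
SERVER_CONF = """
server 10.1.1.0 255.255.255.0
dev tun0
tls-server
remote-cert-tls client
tls-version-min 1.2
tls-auth /tmp/openvpn/ta.key 0
port-share 192.168.1.53 8443
"""
CLIENT_CONF = """
client
dev tun
proto tcp
remote xxx.duckdns.org 443
remote-cert-tls server
cipher 'AES-256-CBC'
comp-lzo no
"""
# Constructed sample: three lines copied from the server log in the thread.
SERVER_LOG = """
20230722 06:40:21 109.38.158.134:1396 TLS: Initial packet from [AF_INET]109.38.158.134:1396 sid=2fed45a2 f62e8ddd
20230722 06:40:21 N 109.38.158.134:1396 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.38.158.134:1396
20230722 06:40:21 N 109.38.158.134:1397 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]109.38.158.134:1397
"""

def parse_conf(text):
    """Map each OpenVPN option name to the list of argument lists it appears with."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            words = line.split()
            opts.setdefault(words[0], []).append(words[1:])
    return opts

def control_channel_mode(opts):
    """Return (mode, direction): mode is 'tls-crypt', 'tls-auth' or None."""
    if "tls-crypt" in opts:
        return "tls-crypt", None
    if "tls-auth" not in opts:
        return None, None
    args = opts["tls-auth"][0]
    direction = args[1] if len(args) > 1 else None
    if direction is None and "key-direction" in opts:  # inline-key style
        direction = opts["key-direction"][0][0]
    return "tls-auth", direction

def check_control_channel(server, client):
    """List reasons the client's control packets would fail the server's HMAC check."""
    s_mode, s_dir = control_channel_mode(server)
    c_mode, c_dir = control_channel_mode(client)
    if s_mode != c_mode:
        return [f"server uses {s_mode or 'none'}, client uses {c_mode or 'none'}"]
    # tls-auth needs directions 0/1 on opposite ends, or omitted on both (bidirectional).
    if s_mode == "tls-auth" and (s_dir, c_dir) not in [("0", "1"), ("1", "0"), (None, None)]:
        return [f"tls-auth key direction mismatch: server={s_dir}, client={c_dir}"]
    return []

HMAC_ERR = re.compile(r"cannot locate HMAC in incoming packet from \[AF_INET\]([\d.]+):\d+")

def hmac_failures_by_source(log_text):
    """Count 'cannot locate HMAC' errors per peer address, for log triage."""
    return dict(Counter(m.group(1) for m in map(HMAC_ERR.search, log_text.splitlines()) if m))
```

Adding `tls-auth ta.key 1` to the client config (with the same ta.key the server uses) makes `check_control_channel` return an empty list.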