What's new

OpenVPN TLS Error: tls-crypt unwrapping failed

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

brzvlg

New Around Here
Hello!
I can't connect my OpenVPN client on RT-AC68U router (Asuswrt-Merlin version 386.11) to OpenVPN 2.5.5 (linux) server.
I couldn't connect even after I changed the default port and protocol to 55777/TCP.

But:

I tried to connect from a smartphone with the configuration file as below (Internet provider was also not changed) - this connection work.
I tried to connect from my router with stock firmware - this connection works.

If anyone has come across the same situation or similar or have any thoughts on this situation - please tell me))

client.ovpn
client
dev tun
proto tcp-server
remote <IP> 55777
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
key-direction 1
tls-client
verb 3
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>

server.conf
port 55777
proto tcp-server
dev tun
ca ca.crt
cert <server>.crt
key <server>.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 6

openvpn.log
MULTI: multi_create_instance called
Re-using SSL/TLS context
Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Control Channel MTU parms [ L:1623 D:1154 EF:96 EB:0 ET:0 EL:3 ]
Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
TCP connection established with [AF_INET]IP:port
TCPv4_SERVER link local: (not bound)
TCPv4_SERVER link remote: [AF_INET]IP:port
IP
:port TCPv4_SERVER READ [54] from [AF_INET]IP:port: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 1454576213 2901697534 1650249908 1401841773 446090794 3405874145 562729282 3043350528 356 2070450688 0 ]
IP:port TLS: Initial packet from [AF_INET]IP:port, sid=68820f60 277402ee
IP:port tls-crypt unwrap error: packet authentication failed
IP:port TLS Error: tls-crypt unwrapping failed from [AF_INET]IP:port
IP
:port Fatal TLS error (check_tls_errors_co), restarting
IP:port SIGUSR1[soft,tls-error] received, client-instance restarting
TCP/UDP: Closing socket

router log
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Re-using SSL/TLS context
Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
TCP/UDP: Preserving recently used remote address: [AF_INET]public IP:55777
Socket Buffers: R=[87380->87380] S=[16384->16384]
Attempting to establish TCP connection with [AF_INET]public IP:55777
TCP connection established with [AF_INET]public IP:55777
TCPv4_CLIENT link local: (not bound)
TCPv4_CLIENT link remote: [AF_INET]public IP:55777
TCPv4_CLIENT WRITE [54] to [AF_INET]public IP:55777: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 1720593455 198464590 1222502404 1119666410 3836811855 2859902725 130295184 3021454336 356 2070527488 0 ]
Connection reset, restarting [0]
TCP/UDP: Closing socket
SIGUSR1[soft,connection-reset] received, process restarting
Restart pause, 300 second(s)
 

Attachments

  • settings.png
    settings.png
    89 KB · Views: 115
  • keys.png
    keys.png
    139.6 KB · Views: 114
I solved my problem. I removed the "key-direction 1" directive and did as in the screenshot.

server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert vpnserv.crt
key vpnserv.key # This file should be kept secret
dh none
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
push "redirect-gateway def1"
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
auth SHA512
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 4
 

Attachments

  • 2023-08-29 20_29_32-Window.png
    2023-08-29 20_29_32-Window.png
    13 KB · Views: 115

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top