Openvpn configuration not connecting to server

Question

I have an openvpn connection that I'm creating on a linux host to another linux host. I believe that there may be a config error or misunderstanding here. I have my client keys and server keys generated, and the CA in place, but I can't seem to connect at all to the server. the server logs are this:

Mon Jun 29 15:38:28 2020 tls-crypt unwrap error: packet authentication failed

Mon Jun 29 15:38:28 2020 TLS Error: tls-crypt unwrapping failed from [AF_INET]70.15.128.216:55352

On the client, this is what I see:

Mon Jun 29 11:40:18 2020 TLS Error: TLS handshake failed
Mon Jun 29 11:40:18 2020 SIGUSR1[soft,tls-error] received, process restarting
Mon Jun 29 11:40:18 2020 Restart pause, 5 second(s)
Mon Jun 29 11:40:23 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]*.*.*.*:1194
Mon Jun 29 11:40:23 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Jun 29 11:40:23 2020 UDP link local: (not bound)
Mon Jun 29 11:40:23 2020 UDP link remote: [AF_INET]*.*.*.*:1194
Mon Jun 29 11:41:23 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jun 29 11:41:23 2020 TLS Error: TLS handshake failed
Mon Jun 29 11:41:23 2020 SIGUSR1[soft,tls-error] received, process restarting
Mon Jun 29 11:41:23 2020 Restart pause, 5 second(s)
Mon Jun 29 11:41:28 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]*.*.*.*:1194
Mon Jun 29 11:41:28 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Jun 29 11:41:28 2020 UDP link local: (not bound)
Mon Jun 29 11:41:28 2020 UDP link remote: [AF_INET]*.*.*.*:1194

Here is my client config file:

client
proto udp
remote *.*.*.* 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
dhcp-option DNS 8.8.8.8
verb 3

and my server config:

local *.*.*.*
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt ta.key 0
topology subnet
server 10.1.0.0  255.255.255.0
ifconfig-pool-persist ipp.txt
push "route *.*.*.* 255.255.255.255" #api
push "route *.*.*.* 255.255.255.255" #rabbitMQ
push "route *.*.*.* 255.255.255.255" #ui
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify
client-config-dir ccd
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log

I just want to confirm that the server is running and is accepting connections. I'm pretty sure my connection request is just malformed. The question is, what is malformed? just an FYI, I've used this tutorial to get me going thus far: Install OpenVPN on Debian 10

I've also ensured that the client.key file is 400 for permissions.

score 5 · Accepted Answer · answered Jun 30 '20 at 15:31

5

Need to update the client and server to use either tls-crypt or tls-auth exclusively, and in both places.

answered Jun 30 '20 at 15:31

Chris Rutherford

1,592
3
22
58

Thank you this is obvious, but I could not see it. Solved my issue – Kwaadpepper Jul 05 '21 at 20:56
Omg, had similar issue in my config and I didn't realise there are two similarly named options. Thanks! – TeoTN Mar 06 '22 at 15:57
Late to the party, but why is this needed...? `tls-crypt` and `tls-auth` are both aliases for `secret`, according to the manpage. – Per Lundberg Feb 17 '23 at 11:39
the issue was I was using one on one side, and the other on the other. – Chris Rutherford Mar 16 '23 at 14:25

Openvpn configuration not connecting to server

1 Answers1