Peer-to-peer authentication fails—why?
-
I am wondering, whether there is a way to find out more specifically, why my peer-to-peer client authentication fails. This is from the OpenVPN server log file:
May 6 22:34:59 openvpn 45982 TLS Error: incoming packet authentication failed from [AF_INET]<clientIP>:59914
May 6 22:35:03 openvpn 45982 Authenticate/Decrypt packet error: packet HMAC authentication failed
In the client log file it looks like this (I know the time stamps don’t coincide—at 22:34 I was not at the site of the client, while I had been at 21:29):
May 6 21:29:50 openvpn 70917 TCP/UDP: Preserving recently used remote address: [AF_INET]yyy.yyy.yyy.yyy:1194
May 6 21:29:50 openvpn 70917 UDPv4 link local (bound): [AF_INET]<clientIP:0
May 6 21:29:50 openvpn 70917 UDPv4 link remote: [AF_INET]<serverIP>:1194
May 6 21:30:50 openvpn 70917 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 6 21:30:50 openvpn 70917 TLS Error: TLS handshake failed
May 6 21:30:50 openvpn 70917 SIGUSR1[soft,tls-error] received, process restarting
This is part of my collection of problems setting up a reliable peer-to-peer network. I have also originated these posts:
- Can’t reach remote host in peer-to-peer network
- What’s wrong with this peer to peer routing table?
- Is this a problem: “Bad encapsulated packet length from peer…”?
I am most grateful for @viragomann’s help, so far.
-
@DominikHoffmann
Has this worked previously, or are you starting new?
-
@The-Party-of-Hell-No: It has recently worked (albeit intermittently), until I pasted a new TLS key.
-
@DominikHoffmann
So you correctly pasted the TLS key? As in no spaces before or at the end or missed characters? Did you update the other end of the peer-to-peer with the new TLS Key?
-
@DominikHoffmann: I am going to have to go back to the other location and check, whether the TLS key is the one coming from the Peer Certificate Authority currently imported. There may be a mismatch there.
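One way to do the check described above without carrying the key between sites: parse the pasted OpenVPN static key (the tls-auth/tls-crypt block), reject a paste with missed characters, and compare a short fingerprint read out from each pfSense instance. This is an added example, not code from the thread, pfSense or OpenVPN; the sample key is constructed, not a real key.

```python
import hashlib
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256  # OpenVPN static keys are 2048 bits (256 bytes) written as hex

def parse_static_key(text: str) -> bytes:
    """Extract the raw key bytes from a pasted OpenVPN static key block.
    Tolerates leading/trailing whitespace, indentation and '#' comment lines;
    raises ValueError if the markers are damaged or the hex body is not
    exactly 256 bytes (a dropped or extra character shows up here)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing or damaged BEGIN/END markers")
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[0-9a-fA-F]*", body):
        raise ValueError("non-hex characters in key body")
    if len(body) != KEY_BYTES * 2:
        raise ValueError(f"key body is {len(body)} hex chars, expected {KEY_BYTES * 2}")
    return bytes.fromhex(body)

def key_fingerprint(text: str) -> str:
    """SHA-256 of the raw key bytes, shortened so it can be compared by eye."""
    return hashlib.sha256(parse_static_key(text)).hexdigest()[:16]

def keys_match(site_a: str, site_b: str) -> bool:
    """True when both sites hold byte-identical keys, whatever the paste looked like."""
    return parse_static_key(site_a) == parse_static_key(site_b)

# Constructed sample key (NOT a real key): bytes 0x00..0xff as 16 lines of 32 hex chars.
_hex = bytes(range(KEY_BYTES)).hex()
SAMPLE_KEY = "\n".join([
    "# 2048 bit OpenVPN static key",
    BEGIN,
    *[_hex[i:i + 32] for i in range(0, len(_hex), 32)],
    END,
])
# The same key pasted with blank lines and indentation, as copy/paste often produces.
SAMPLE_KEY_SLOPPY = "\n\n  " + SAMPLE_KEY.replace("\n", "\n   ") + "\n\n"
# One character dropped from the last line: the "missed characters" case.
SAMPLE_KEY_TRUNCATED = SAMPLE_KEY.replace(_hex[-32:], _hex[-32:-1])

if __name__ == "__main__":
    print("fingerprint:", key_fingerprint(SAMPLE_KEY))
    print("sloppy paste still matches:", keys_match(SAMPLE_KEY, SAMPLE_KEY_SLOPPY))
    try:
        parse_static_key(SAMPLE_KEY_TRUNCATED)
    except ValueError as err:
        print("truncated key rejected:", err)
```

Run it against the key block from each site's OpenVPN settings; if the fingerprints differ, the HMAC failures in the server log are explained by the mismatch rather than by network connectivity.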
-
@DominikHoffmann
Are you doing an openvpn road warrior connection? Or are you openVPNing into another office?
-
@The-Party-of-Hell-No: I have a second site running pfSense behind CGNAT, and the only way I can access it remotely is to establish a peer-to-peer connection.
-
I have made progress on the authentication front. Here is what I did.
- Change the peer-to-peer server to remote access mode.
- Use the OpenVPN Client Export module (an installable package) to export the desired client user’s configuration.
- Change the peer-to-peer server back to peer-to-peer mode.
- On the remote pfSense instance use the Import Client module (also an installable package) to import the configuration file from Step 2.
- A successfully authenticated connection is made almost immediately.
It still does not work the way I would like it to, maybe even not as it is supposed to. So, there is more work to be done on this.
-
Please see https://forum.netgate.com/post/1181349 for the final puzzle piece that got it to work.