    Errors with my OpenVPN

      DamienD

      Hello,

      I have had my OpenVPN set up for more than one year, and recently it started to give me errors like:

      Sat Jun 09 15:23:55 2012 OpenVPN 2.3-alpha1 Win32-MSVC++ [SSL (OpenSSL)] [LZO2] [PF_INET6] [IPv6 payload 20110522-1 (2.2.0)] built on Feb 21 2012
      Enter Management Password:
      Sat Jun 09 15:24:04 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
      Sat Jun 09 15:24:04 2012 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
      Sat Jun 09 15:24:04 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
      Sat Jun 09 15:24:04 2012 Control Channel Authentication: using 'grenwall-udp-1194-tls.key' as a OpenVPN static key file
      Sat Jun 09 15:24:04 2012 UDPv4 link local (bound): [undef]
      Sat Jun 09 15:24:04 2012 UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
      Sat Jun 09 15:24:05 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
      Sat Jun 09 15:24:05 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sat Jun 09 15:24:05 2012 TLS Error: incoming packet authentication failed from [AF_INET]XXX.XXX.XXX.XXX:1194
      Sat Jun 09 15:24:05 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sat Jun 09 15:24:05 2012 TLS Error: incoming packet authentication failed from [AF_INET]XXX.XXX.XXX.XXX:1194
      Sat Jun 09 15:24:05 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sat Jun 09 15:24:05 2012 TLS Error: incoming packet authentication failed from [AF_INET]XXX.XXX.XXX.XXX:1194
      Sat Jun 09 15:24:13 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sat Jun 09 15:24:13 2012 TLS Error: incoming packet authentication failed from [AF_INET]XXX.XXX.XXX.XXX:1194
      Sat Jun 09 15:24:17 2012 TLS Error: unknown opcode received from [AF_INET]XXX.XXX.XXX.XXX:1194 op=12
      Sat Jun 09 15:24:23 2012 [Road Warrior Server Certificate] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
      Sat Jun 09 15:24:25 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sat Jun 09 15:24:25 2012 TLS Error: incoming packet authentication failed from [AF_INET]XXX.XXX.XXX.XXX:1194
      Sat Jun 09 15:24:28 2012 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
      Sat Jun 09 15:24:28 2012 open_tun, tt->ipv6=0
      Sat Jun 09 15:24:28 2012 TAP-WIN32 device [Connexion au réseau local 2] opened: \\.\Global\{6415A5F7-F1C9-480C-B99B-477592EC39AC}.tap
      Sat Jun 09 15:24:28 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.200.6/255.255.255.252 on interface {6415A5F7-F1C9-480C-B99B-477592EC39AC} [DHCP-serv: 192.168.200.5, lease-time: 31536000]
      Sat Jun 09 15:24:28 2012 Successful ARP Flush on interface [15] {6415A5F7-F1C9-480C-B99B-477592EC39AC}
      Sat Jun 09 15:24:33 2012 Initialization Sequence Completed
      Sat Jun 09 15:24:40 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sat Jun 09 15:25:04 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sat Jun 09 15:25:04 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sat Jun 09 15:25:04 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sat Jun 09 15:25:07 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sat Jun 09 15:25:09 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sat Jun 09 15:25:13 2012 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #259 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
      Sat Jun 09 15:25:17 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
      

      pfSense 2.0.1-RELEASE (i386) on an ALIX
      Windows 7 client

      Any idea?

      Thank you for your time!

        Nachtfalke

        Did you check the OpenVPN man page?

        http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
        Take a look at:
        --no-replay
        --replay-window n [t]

        They wrote to set OpenVPN verbosity to 4 and check if the replay-window is OK.

          DamienD

          Hello, thank you for your time. Apologies, I haven't been able to look at it yet.

          I'll come back to you as soon as I find time!

            jimp Rebel Alliance Developer Netgate

            Those errors usually indicate a couple things:

            1. cipher mismatch between server and client
            2. clock is way off on one or the other

            It could also be some other general mismatch of settings, but to say for sure we'd need to see the server and client config both.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

              DamienD

              Hello,

              1. It worked flawlessly for about one year, so I don't understand what could be wrong.
              2. It is not the case

              I also used the client export plugin…

              What files do you need to see?

                jimp Rebel Alliance Developer Netgate

                The client config file, and /var/etc/openvpn/server(whatever).conf

                Could also be a TLS key mismatch, something would have to have changed for it to do this though. Unless it's something in between corrupting the traffic.

                  DamienD

                  @/var/etc/openvpn/server2.conf:

                  dev ovpns2
                  dev-type tun
                  dev-node /dev/tun2
                  writepid /var/run/openvpn_server2.pid
                  #user nobody
                  #group nobody
                  script-security 3
                  daemon
                  keepalive 10 60
                  ping-timer-rem
                  persist-tun
                  persist-key
                  proto udp
                  cipher BF-CBC
                  up /usr/local/sbin/ovpn-linkup
                  down /usr/local/sbin/ovpn-linkdown
                  local 178.198.100.136
                  tls-server
                  server 192.168.200.0 255.255.255.0
                  client-config-dir /var/etc/openvpn-csc
                  username-as-common-name
                  auth-user-pass-verify /var/etc/openvpn/server2.php via-env
                  tls-verify /var/etc/openvpn/server2.tls-verify.php
                  lport 1194
                  management /var/etc/openvpn/server2.sock unix
                  max-clients 4
                  push "route 192.168.1.0 255.255.255.0"
                  client-to-client
                  ca /var/etc/openvpn/server2.ca
                  cert /var/etc/openvpn/server2.cert
                  key /var/etc/openvpn/server2.key
                  dh /etc/dh-parameters.1024
                  tls-auth /var/etc/openvpn/server2.tls-auth 0
                  comp-lzo
                  persist-remote-ip
                  float

                  @openvpn.ovpn:

                  dev tun
                  persist-tun
                  persist-key
                  proto udp
                  cipher BF-CBC
                  tls-client
                  client
                  resolv-retry infinite
                  remote MYADRESS 1194
                  tls-remote Road Warrior Server Certificate
                  auth-user-pass
                  pkcs12 grenwall-udp-1194.p12
                  tls-auth grenwall-udp-1194-tls.key 1
                  comp-lzo

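An added example, not part of any post in this thread: one way to check the "cipher mismatch" and "general mismatch of settings" causes mentioned above is to compare the directives that both peers must agree on. The function names, the `BROKEN_CLIENT` sample and the defaults table (OpenVPN 2.x-era values for absent directives) are assumptions of this sketch.

```python
import re
# Assumed OpenVPN 2.x-era defaults used when a directive is absent.
DEFAULTS = {"proto": "udp", "cipher": "BF-CBC", "auth": "SHA1", "comp-lzo": "absent"}
# Relevant lines excerpted from the two configs posted in the thread.
SERVER_CONF = """dev ovpns2
dev-type tun
#user nobody
proto udp
cipher BF-CBC
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo"""
CLIENT_CONF = """dev tun
proto udp
cipher BF-CBC
tls-auth grenwall-udp-1194-tls.key 1
comp-lzo"""
# Constructed client config with deliberate mismatches (not from the thread).
BROKEN_CLIENT = """dev tun
proto udp
cipher AES-128-CBC
tls-auth grenwall-udp-1194-tls.key 0"""

def parse(text):
    """Return {directive: [args]}, skipping blank lines and # or ; comments."""
    rows = (l.split() for l in text.splitlines() if l.strip() and l.strip()[0] not in "#;")
    return {name: args for name, *args in rows}

def effective(conf):
    """Reduce a config to the values that both peers must agree on."""
    eff = {k: (" ".join(conf[k]) or "enabled") if k in conf else d for k, d in DEFAULTS.items()}
    eff["proto"] = re.sub(r"-(server|client)$", "", eff["proto"])  # tcp-server pairs with tcp-client
    eff["dev-type"] = (conf.get("dev-type") or [conf.get("dev", ["?"])[0][:3]])[0]
    tls = conf.get("tls-auth")  # None if unused, else key direction ("both" if omitted)
    eff["tls-auth"] = None if tls is None else (tls[1] if len(tls) > 1 else "both")
    return eff

def compare(server_text, client_text):
    """List the settings on which the two configs would disagree on the wire."""
    s, c = effective(parse(server_text)), effective(parse(client_text))
    ds, dc = s.pop("tls-auth"), c.pop("tls-auth")
    out = [f"{k}: server={s[k]} client={c[k]}" for k in s if s[k] != c[k]]
    if (ds is None) != (dc is None):
        out.append("tls-auth: enabled on one side only")
    elif ds is not None and sorted([ds, dc]) not in (["0", "1"], ["both", "both"]):
        out.append(f"tls-auth: key directions server={ds} client={dc} do not pair up")
    return out

if __name__ == "__main__":
    print(compare(SERVER_CONF, CLIENT_CONF), compare(SERVER_CONF, BROKEN_CLIENT), sep="\n")
```

Against the two files posted above it reports nothing, so these directives agree. It does not read the tls-auth key files themselves, so differing key contents would have to be checked by comparing the files.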
                    DamienD

                    Did I put the wrong files??
