OpenVPN errors



  • Hi guys, I've almost set up my VPN, and can connect a test client OK.

    but I got the following errors showing up in the OpenVPN log:

    lots of:
    *TLS Error: incoming packet authentication failed from [AF_INET]
    *Authenticate/Decrypt packet error: packet HMAC authentication failed
    *WARNING: No server certificate verification method has been enabled

    I get the errors even though no VPN clients are connected

    secondly, only 2 of 5 clients show in the "export client" list.

    I've tried restarting all CA, OpenVPN services etc, but nothing worked.

    Sep 11 08:48:48 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:43843
    Sep 11 08:48:48 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:48:46 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:43843
    Sep 11 08:48:46 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:48:46 	openvpn 	42188 	UDPv4 link remote: [AF_INET]#WAN_IP#:1194
    Sep 11 08:48:46 	openvpn 	42188 	UDPv4 link local (bound): [AF_INET]#WAN_IP#:0
    Sep 11 08:48:46 	openvpn 	42188 	TCP/UDP: Preserving recently used remote address: [AF_INET]#WAN_IP#:1194
    Sep 11 08:48:46 	openvpn 	42188 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sep 11 08:48:46 	openvpn 	42188 	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Sep 11 08:48:39 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:54912
    Sep 11 08:48:39 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:48:36 	openvpn 	42188 	SIGUSR1[soft,ping-restart] received, process restarting
    Sep 11 08:48:36 	openvpn 	42188 	[UNDEF] Inactivity timeout (--ping-restart), restarting
    Sep 11 08:48:35 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:59224
    Sep 11 08:48:35 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:48:31 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:54912
    Sep 11 08:48:31 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:48:27 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:20656
    Sep 11 08:48:27 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:48:27 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:54912
    Sep 11 08:48:27 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:48:27 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:59224
    Sep 11 08:48:27 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:48:26 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:42747
    Sep 11 08:48:26 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:48:25 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:54912
    Sep 11 08:48:25 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:48:25 	openvpn 	93499 	UDPv4 link remote: [AF_INET]#WAN_IP#:1194
    Sep 11 08:48:25 	openvpn 	93499 	UDPv4 link local (bound): [AF_INET]#WAN_IP#:0
    Sep 11 08:48:25 	openvpn 	93499 	TCP/UDP: Preserving recently used remote address: [AF_INET]#WAN_IP#:1194
    Sep 11 08:48:25 	openvpn 	93499 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sep 11 08:48:25 	openvpn 	93499 	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Sep 11 08:48:23 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:59224
    Sep 11 08:48:23 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:48:21 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:59224
    Sep 11 08:48:21 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:48:21 	openvpn 	61446 	UDPv4 link remote: [AF_INET]#WAN_IP#:1194
    Sep 11 08:48:21 	openvpn 	61446 	UDPv4 link local (bound): [AF_INET]#WAN_IP#:0
    Sep 11 08:48:21 	openvpn 	61446 	TCP/UDP: Preserving recently used remote address: [AF_INET]#WAN_IP#:1194
    Sep 11 08:48:21 	openvpn 	61446 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sep 11 08:48:21 	openvpn 	61446 	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Sep 11 08:48:15 	openvpn 	93499 	SIGUSR1[soft,ping-restart] received, process restarting
    Sep 11 08:48:15 	openvpn 	93499 	[UNDEF] Inactivity timeout (--ping-restart), restarting
    Sep 11 08:48:11 	openvpn 	61446 	SIGUSR1[soft,ping-restart] received, process restarting
    Sep 11 08:48:11 	openvpn 	61446 	[UNDEF] Inactivity timeout (--ping-restart), restarting
    Sep 11 08:48:11 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:20656
    Sep 11 08:48:11 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:48:10 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:42747
    Sep 11 08:48:10 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:48:07 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:22109
    Sep 11 08:48:07 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:48:03 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:20656
    Sep 11 08:48:03 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:48:02 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:42747
    Sep 11 08:48:02 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:47:58 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:42747
    Sep 11 08:47:58 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:47:58 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:20656
    Sep 11 08:47:58 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:47:56 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:42747
    Sep 11 08:47:56 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:47:56 	openvpn 	9149 	UDPv4 link remote: [AF_INET]#WAN_IP#:1194
    Sep 11 08:47:56 	openvpn 	9149 	UDPv4 link local (bound): [AF_INET]#WAN_IP#:0
    Sep 11 08:47:56 	openvpn 	9149 	TCP/UDP: Preserving recently used remote address: [AF_INET]#WAN_IP#:1194
    Sep 11 08:47:56 	openvpn 	9149 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sep 11 08:47:56 	openvpn 	9149 	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Sep 11 08:47:55 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:20656
    Sep 11 08:47:55 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 11 08:47:55 	openvpn 	4266 	UDPv4 link remote: [AF_INET]#WAN_IP#:1194
    Sep 11 08:47:55 	openvpn 	4266 	UDPv4 link local (bound): [AF_INET]#WAN_IP#:0
    Sep 11 08:47:55 	openvpn 	4266 	TCP/UDP: Preserving recently used remote address: [AF_INET]#WAN_IP#:1194
    Sep 11 08:47:55 	openvpn 	4266 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sep 11 08:47:55 	openvpn 	4266 	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 
    


  • screenshot of openvpn server setting below. Has its own OpenVPN CA
    OpenVPN Servers settings.png

    screenshot of setting below. I have 5 clients with same settings. each has their own User_CA
    OpenVPN Clients settings.png


  • Global Moderator

    What is pfSense version on hosts?

    secondly, only 2 of 5 clients show in the "export client" list.

    It seems these clients don't have a client certificate; check System / User Manager / Users / Edit - User Certificates



  • OK, just figured it out.
    so I didn't have "System / User Manager / Users" added for the new VPNclients. doh!
    I've sorted all of that out.

    as for

    TLS Error: incoming packet authentication failed from [AF_INET]
    

    this was due to the VPNclients not having the same key as VPNserver.
    so all TLS keys match. all certs are correctly linked

    now where I am confused.
    the VPNClient services stop working after TLS key was made the same between VPNclient/server settings. But clients can connect, and Certificate Revocation works....

    what's the reason for the VPNclients service? I was under the impression that needed to be running for the client to connect?

    on the below pic, the U1 client is connected, but doesn't show a C after ip address. and the client service isn't running.
    or is the Client instance only for P2P connections and exporting settings to openvpn exe/config etc.

    openvpn services.png
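
Added example (not part of the thread, and not pfSense or OpenVPN code): a small triage of a log in the layout posted above, separating `TLS Error: incoming packet authentication failed` rejections sent by the firewall's own client instances from those with other sources. The function name `triage`, the suspect heuristic and the sample lines (203.0.113.10 standing in for `#WAN_IP#`) are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the posted log (time, daemon, PID, message,
# tab-separated). 203.0.113.10 stands in for the redacted #WAN_IP#.
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("Sep 11 08:48:11", "openvpn", "61446", "SIGUSR1[soft,ping-restart] received, process restarting"),
    ("Sep 11 08:48:21", "openvpn", "61446", "WARNING: No server certificate verification method has been enabled."),
    ("Sep 11 08:48:21", "openvpn", "61446", "UDPv4 link local (bound): [AF_INET]203.0.113.10:0"),
    ("Sep 11 08:48:21", "openvpn", "61446", "UDPv4 link remote: [AF_INET]203.0.113.10:1194"),
    ("Sep 11 08:48:21", "openvpn", "29667", "TLS Error: incoming packet authentication failed from [AF_INET]203.0.113.10:59224"),
    ("Sep 11 08:48:21", "openvpn", "29667", "Authenticate/Decrypt packet error: packet HMAC authentication failed"),
    ("Sep 11 08:48:23", "openvpn", "29667", "TLS Error: incoming packet authentication failed from [AF_INET]203.0.113.10:59224"),
    ("Sep 11 08:48:25", "openvpn", "29667", "TLS Error: incoming packet authentication failed from [AF_INET]198.51.100.7:40000"),
])

LINE = re.compile(r"^\s*\w{3}\s+\d+\s+[\d:]{8}\s+openvpn\s+(\d+)\s+(.*)$")
PEER = re.compile(r"\[AF_INET\]([0-9.]+):(\d+)")

def triage(log_text):
    """Group TLS-key (HMAC) rejections by source and tie them to local client instances."""
    failures = Counter()  # source IP -> rejected control packets
    bound, restarts, unverified = {}, Counter(), set()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = m.groups()
        peer = PEER.search(msg)
        if msg.startswith("TLS Error: incoming packet authentication failed") and peer:
            failures[peer.group(1)] += 1
        elif msg.startswith("UDPv4 link local (bound):") and peer:
            bound[pid] = peer.group(1)
        elif msg.startswith("SIGUSR1[soft,ping-restart]"):
            restarts[pid] += 1
        elif "No server certificate verification method" in msg:
            unverified.add(pid)
    # Heuristic (assumption): a local client that ping-restarts and sends from a rejected IP.
    suspects = sorted(p for p, ip in bound.items() if failures[ip] and restarts[p])
    local_ips = {bound[p] for p in suspects}
    return {
        "failures_by_source": dict(failures),
        "suspect_local_clients": suspects,
        "external_sources": sorted(ip for ip in failures if ip not in local_ips),
        "no_server_cert_check": sorted(unverified),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Sources left under `external_sources` are not explained by a local client instance and need to be looked at separately.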


  • Global Moderator

    I made a copy of your configuration in VM and it works OK.

    Copy TLS keys from server to clients again and check.
    And put here OpenVPN log from server and clients.



  • seems to be all working.

    think I got confused on what the "OpenVPN clients" are.
    kept seeing the services being stopped, so thought it was an error.

    am I correct in saying it's...

    • for either connecting to another vpn server elsewhere (aka p2p router connection)

    • and generally for exporting the config files for win/linux clients, instead of doing it manually.

    the client instance doesn't actually get used for incoming openvpn connections from say a windows client

