Netgate Discussion Forum

    OpenVPN errors

    • S
      Solway
      last edited by

      Hi guys, I've almost set up my VPN, and can connect a test client OK.

      But I got the following errors showing up in the OpenVPN log:

      lots of:
      *TLS Error: incoming packet authentication failed from [AF_INET]
      *Authenticate/Decrypt packet error: packet HMAC authentication failed
      *WARNING: No server certificate verification method has been enabled

      I get the errors even though no VPN clients are connected.

      Secondly, only 2 of 5 clients show in the "export client" list.

      I've tried restarting all CA, OpenVPN services etc., but nothing worked.

      Sep 11 08:48:48 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:43843
      Sep 11 08:48:48 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:48:46 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:43843
      Sep 11 08:48:46 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:48:46 	openvpn 	42188 	UDPv4 link remote: [AF_INET]#WAN_IP#:1194
      Sep 11 08:48:46 	openvpn 	42188 	UDPv4 link local (bound): [AF_INET]#WAN_IP#:0
      Sep 11 08:48:46 	openvpn 	42188 	TCP/UDP: Preserving recently used remote address: [AF_INET]#WAN_IP#:1194
      Sep 11 08:48:46 	openvpn 	42188 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Sep 11 08:48:46 	openvpn 	42188 	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Sep 11 08:48:39 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:54912
      Sep 11 08:48:39 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:48:36 	openvpn 	42188 	SIGUSR1[soft,ping-restart] received, process restarting
      Sep 11 08:48:36 	openvpn 	42188 	[UNDEF] Inactivity timeout (--ping-restart), restarting
      Sep 11 08:48:35 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:59224
      Sep 11 08:48:35 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:48:31 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:54912
      Sep 11 08:48:31 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:48:27 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:20656
      Sep 11 08:48:27 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:48:27 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:54912
      Sep 11 08:48:27 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:48:27 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:59224
      Sep 11 08:48:27 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:48:26 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:42747
      Sep 11 08:48:26 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:48:25 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:54912
      Sep 11 08:48:25 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:48:25 	openvpn 	93499 	UDPv4 link remote: [AF_INET]#WAN_IP#:1194
      Sep 11 08:48:25 	openvpn 	93499 	UDPv4 link local (bound): [AF_INET]#WAN_IP#:0
      Sep 11 08:48:25 	openvpn 	93499 	TCP/UDP: Preserving recently used remote address: [AF_INET]#WAN_IP#:1194
      Sep 11 08:48:25 	openvpn 	93499 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Sep 11 08:48:25 	openvpn 	93499 	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Sep 11 08:48:23 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:59224
      Sep 11 08:48:23 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:48:21 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:59224
      Sep 11 08:48:21 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:48:21 	openvpn 	61446 	UDPv4 link remote: [AF_INET]#WAN_IP#:1194
      Sep 11 08:48:21 	openvpn 	61446 	UDPv4 link local (bound): [AF_INET]#WAN_IP#:0
      Sep 11 08:48:21 	openvpn 	61446 	TCP/UDP: Preserving recently used remote address: [AF_INET]#WAN_IP#:1194
      Sep 11 08:48:21 	openvpn 	61446 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Sep 11 08:48:21 	openvpn 	61446 	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Sep 11 08:48:15 	openvpn 	93499 	SIGUSR1[soft,ping-restart] received, process restarting
      Sep 11 08:48:15 	openvpn 	93499 	[UNDEF] Inactivity timeout (--ping-restart), restarting
      Sep 11 08:48:11 	openvpn 	61446 	SIGUSR1[soft,ping-restart] received, process restarting
      Sep 11 08:48:11 	openvpn 	61446 	[UNDEF] Inactivity timeout (--ping-restart), restarting
      Sep 11 08:48:11 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:20656
      Sep 11 08:48:11 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:48:10 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:42747
      Sep 11 08:48:10 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:48:07 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:22109
      Sep 11 08:48:07 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:48:03 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:20656
      Sep 11 08:48:03 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:48:02 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:42747
      Sep 11 08:48:02 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:47:58 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:42747
      Sep 11 08:47:58 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:47:58 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:20656
      Sep 11 08:47:58 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:47:56 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:42747
      Sep 11 08:47:56 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:47:56 	openvpn 	9149 	UDPv4 link remote: [AF_INET]#WAN_IP#:1194
      Sep 11 08:47:56 	openvpn 	9149 	UDPv4 link local (bound): [AF_INET]#WAN_IP#:0
      Sep 11 08:47:56 	openvpn 	9149 	TCP/UDP: Preserving recently used remote address: [AF_INET]#WAN_IP#:1194
      Sep 11 08:47:56 	openvpn 	9149 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Sep 11 08:47:56 	openvpn 	9149 	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      Sep 11 08:47:55 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:20656
      Sep 11 08:47:55 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 11 08:47:55 	openvpn 	4266 	UDPv4 link remote: [AF_INET]#WAN_IP#:1194
      Sep 11 08:47:55 	openvpn 	4266 	UDPv4 link local (bound): [AF_INET]#WAN_IP#:0
      Sep 11 08:47:55 	openvpn 	4266 	TCP/UDP: Preserving recently used remote address: [AF_INET]#WAN_IP#:1194
      Sep 11 08:47:55 	openvpn 	4266 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Sep 11 08:47:55 	openvpn 	4266 	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 
      
      • S
        Solway
        last edited by Solway

        Screenshot of OpenVPN server setting below. Has its own OpenVPN CA.
        OpenVPN Servers settings.png

        Screenshot of setting below. I have 5 clients with the same settings. Each has their own User_CA.
        OpenVPN Clients settings.png

        • viktor_gV
          viktor_g Netgate
          last edited by viktor_g

          What is the pfSense version on the hosts?

          secondly, only 2 of 5 clients show in the "export client" list.

          It seems these clients don't have a client certificate; check System / User Manager / Users / Edit - User Certificates.

          • S
            Solway
            last edited by

            OK, just figured it out.
            So I didn't have "System / User Manager / Users" added for the new VPNclients. Doh!
            I've sorted all of that out.

            as for

            TLS Error: incoming packet authentication failed from [AF_INET]
            

            This was due to the VPNclients not having the same key as the VPNserver.
            So all TLS keys match. All certs are correctly linked.

            Now where I am confused.
            The VPNClient services stop working after the TLS key was made the same between VPNclient/server settings. But clients can connect, and Certificate Revocation works....

            What's the reason for the VPNclients service? I was under the impression that needed to be running for the client to connect?

            On the below pic, the U1 client is connected, but doesn't show a C after the IP address, and the client service isn't running.
            Or is the Client instance only for P2P connections and exporting settings to openvpn exe/config etc.?

            openvpn services.png

            • viktor_gV
              viktor_g Netgate
              last edited by

              I made a copy of your configuration in VM and it works OK.

              Copy TLS keys from server to clients again and check.
              And post the OpenVPN logs from the server and clients here.

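The check suggested in the reply above (confirming that every client carries the same TLS key as the server) can be done by fingerprint instead of by eye. This is an added example, not part of the original thread and not pfSense code. It assumes the key is stored in the standard "OpenVPN Static key V1" block, either in its own file or inline; the sample keys are constructed and the client names U2 and U3 are hypothetical.

```python
import hashlib
import re

# An OpenVPN static key block, in its own file or inline in <tls-auth>...</tls-auth>.
KEY_BLOCK = re.compile(
    r"-----BEGIN OpenVPN Static key V1-----(.*?)-----END OpenVPN Static key V1-----",
    re.DOTALL,
)

def tls_key_fingerprint(text):
    """Short SHA-256 fingerprint of the static key in `text`, or None if absent."""
    match = KEY_BLOCK.search(text)
    if match is None:
        return None
    # Ignore whitespace and CRLF/LF differences introduced by copy and paste.
    key = bytes.fromhex("".join(match.group(1).split()))  # ValueError if corrupted
    if len(key) != 256:  # a V1 static key is 2048 bits
        raise ValueError(f"expected 256 key bytes, got {len(key)}")
    return hashlib.sha256(key).hexdigest()[:16]

def compare_tls_keys(server_text, clients):
    """Map client name -> 'ok', 'mismatch' or 'missing' relative to the server key."""
    server_fp = tls_key_fingerprint(server_text)
    if server_fp is None:
        raise ValueError("server config has no static key block")
    status = {}
    for name, text in clients.items():
        fp = tls_key_fingerprint(text)
        status[name] = "missing" if fp is None else "ok" if fp == server_fp else "mismatch"
    return status

def constructed_key_block(seed, newline="\n"):
    """Build a throwaway key block for the demo; not a real key."""
    raw = b"".join(hashlib.sha256(f"{seed}-{i}".encode()).digest() for i in range(8))
    hexed = raw.hex()
    lines = [hexed[i:i + 32] for i in range(0, len(hexed), 32)]
    return newline.join(["-----BEGIN OpenVPN Static key V1-----", *lines,
                         "-----END OpenVPN Static key V1-----"])

# Constructed sample configs: U1 has the server key with CRLF line endings,
# U2 has a stale key, U3 has no key block at all.
SERVER = "# 2048 bit OpenVPN static key\n" + constructed_key_block("server")
CLIENTS = {
    "U1": "<tls-auth>\r\n" + constructed_key_block("server", "\r\n") + "\r\n</tls-auth>",
    "U2": "<tls-auth>\n" + constructed_key_block("stale") + "\n</tls-auth>",
    "U3": "client\ndev tun\nproto udp\n",
}

if __name__ == "__main__":
    for name, state in compare_tls_keys(SERVER, CLIENTS).items():
        print(name, state)
```

Comparing fingerprints keeps the key material out of terminals and tickets; a "mismatch" or "missing" client is one that would produce the "packet HMAC authentication failed" lines on the server.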
              • S
                Solway
                last edited by Solway

                Seems to be all working.

                Think I got confused on what the "OpenVPN clients" are.
                Kept seeing the services being stopped, so thought it was an error.

                Am I correct in saying it's...

                • for either connecting to another VPN server elsewhere (aka P2P router connection)

                • and generally for exporting the config files for Win/Linux clients, instead of doing it manually.

                The client instance doesn't actually get used for incoming OpenVPN connections from, say, a Windows client.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.