OpenVPN errors

Solway

Hi guys, ive almost setup my VPN, and can connect a test client ok.

but i got the following errors showing up in the OpenVPN log:

lots of:
*TLS Error: incoming packet authentication failed from [AF_INET]
*Authenticate/Decrypt packet error: packet HMAC authentication failed
*WARNING: No server certificate verification method has been enabled

i get the errors even though no vpn clients are connected

secondly, only 2 of 5 clients show in the "export client" list.

ive tried restarting all CA, OpenVPN services etc, but nothing worked.

Sep 11 08:48:48 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:43843
Sep 11 08:48:48 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:48:46 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:43843
Sep 11 08:48:46 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:48:46 	openvpn 	42188 	UDPv4 link remote: [AF_INET]#WAN_IP#:1194
Sep 11 08:48:46 	openvpn 	42188 	UDPv4 link local (bound): [AF_INET]#WAN_IP#:0
Sep 11 08:48:46 	openvpn 	42188 	TCP/UDP: Preserving recently used remote address: [AF_INET]#WAN_IP#:1194
Sep 11 08:48:46 	openvpn 	42188 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 11 08:48:46 	openvpn 	42188 	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sep 11 08:48:39 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:54912
Sep 11 08:48:39 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:48:36 	openvpn 	42188 	SIGUSR1[soft,ping-restart] received, process restarting
Sep 11 08:48:36 	openvpn 	42188 	[UNDEF] Inactivity timeout (--ping-restart), restarting
Sep 11 08:48:35 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:59224
Sep 11 08:48:35 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:48:31 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:54912
Sep 11 08:48:31 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:48:27 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:20656
Sep 11 08:48:27 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:48:27 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:54912
Sep 11 08:48:27 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:48:27 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:59224
Sep 11 08:48:27 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:48:26 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:42747
Sep 11 08:48:26 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:48:25 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:54912
Sep 11 08:48:25 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:48:25 	openvpn 	93499 	UDPv4 link remote: [AF_INET]#WAN_IP#:1194
Sep 11 08:48:25 	openvpn 	93499 	UDPv4 link local (bound): [AF_INET]#WAN_IP#:0
Sep 11 08:48:25 	openvpn 	93499 	TCP/UDP: Preserving recently used remote address: [AF_INET]#WAN_IP#:1194
Sep 11 08:48:25 	openvpn 	93499 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 11 08:48:25 	openvpn 	93499 	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sep 11 08:48:23 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:59224
Sep 11 08:48:23 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:48:21 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:59224
Sep 11 08:48:21 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:48:21 	openvpn 	61446 	UDPv4 link remote: [AF_INET]#WAN_IP#:1194
Sep 11 08:48:21 	openvpn 	61446 	UDPv4 link local (bound): [AF_INET]#WAN_IP#:0
Sep 11 08:48:21 	openvpn 	61446 	TCP/UDP: Preserving recently used remote address: [AF_INET]#WAN_IP#:1194
Sep 11 08:48:21 	openvpn 	61446 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 11 08:48:21 	openvpn 	61446 	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sep 11 08:48:15 	openvpn 	93499 	SIGUSR1[soft,ping-restart] received, process restarting
Sep 11 08:48:15 	openvpn 	93499 	[UNDEF] Inactivity timeout (--ping-restart), restarting
Sep 11 08:48:11 	openvpn 	61446 	SIGUSR1[soft,ping-restart] received, process restarting
Sep 11 08:48:11 	openvpn 	61446 	[UNDEF] Inactivity timeout (--ping-restart), restarting
Sep 11 08:48:11 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:20656
Sep 11 08:48:11 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:48:10 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:42747
Sep 11 08:48:10 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:48:07 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:22109
Sep 11 08:48:07 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:48:03 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:20656
Sep 11 08:48:03 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:48:02 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:42747
Sep 11 08:48:02 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:47:58 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:42747
Sep 11 08:47:58 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:47:58 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:20656
Sep 11 08:47:58 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:47:56 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:42747
Sep 11 08:47:56 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:47:56 	openvpn 	9149 	UDPv4 link remote: [AF_INET]#WAN_IP#:1194
Sep 11 08:47:56 	openvpn 	9149 	UDPv4 link local (bound): [AF_INET]#WAN_IP#:0
Sep 11 08:47:56 	openvpn 	9149 	TCP/UDP: Preserving recently used remote address: [AF_INET]#WAN_IP#:1194
Sep 11 08:47:56 	openvpn 	9149 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 11 08:47:56 	openvpn 	9149 	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sep 11 08:47:55 	openvpn 	29667 	TLS Error: incoming packet authentication failed from [AF_INET]#WAN_IP#:20656
Sep 11 08:47:55 	openvpn 	29667 	Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 08:47:55 	openvpn 	4266 	UDPv4 link remote: [AF_INET]#WAN_IP#:1194
Sep 11 08:47:55 	openvpn 	4266 	UDPv4 link local (bound): [AF_INET]#WAN_IP#:0
Sep 11 08:47:55 	openvpn 	4266 	TCP/UDP: Preserving recently used remote address: [AF_INET]#WAN_IP#:1194
Sep 11 08:47:55 	openvpn 	4266 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 11 08:47:55 	openvpn 	4266 	WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 

Solway

screenshot of openvpn server setting below. Has its own OpenVPN CA

screenshot of setting below. i have 5 clients with same settings. each has their own User_CA

viktor_g

What is pfSense version on hosts?

secondly, only 2 of 5 clients show in the "export client" list.

it seems these clients don't client certificate, check System / User Manager / Users / Edit - User Certificates

Solway

ok just figured out .
so i didnt have "System / User Manager / Users" added for the new VPNclients. doh!
ive sorted all of that out.

as for

TLS Error: incoming packet authentication failed from [AF_INET]

this was due to the VPNclients not having the same key as VPNserver.
so all TLS keys match. all certs are correctly linked

now where i am confused.
the VPNClient services stop working after TLS key was made the same between VPNclient/server settings. But clients can connect, and Certificate Revocation works....

whats the reason for the VPNclients service? i was under the impression that needed to be running for the client to connect?

on the below pic, the U1 client is connected, but doesnt show a C after ip address. and the client service isnt running.
or is the Client instance only for P2P connections and exporting settings to openvpn exe/config etc.

viktor_g

I made a copy of your configuration in VM and it works OK.

Copy TLS keys from server to clients again and check.
And put here OpenVPN log from server and clients.

Solway

seems to be all working.

think i got confused on what the "OpenVPN clients" are.
kept seeing the services being stopped, so thought it was a error.

am i correct in saying its...

• for either connecting to another vpn server elsewhere (aka p2p router connection)

• and generally for exporting the config files for win/linux clients, instead of doing it manually.

the client isntance doesnt actually get used for imcoming openvpn conenctions from say a windows client