Netgate Discussion Forum
    TLS Error in OpenVPN log

    OpenVPN

    • bennyc

      Since upgrading to 2.5.0, I started seeing these entries in my OpenVPN log:

      Mar 25 21:48:11 openvpn 30065 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.47:37364
      Mar 25 20:22:18 openvpn 30065 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]74.120.14.20:26278
      Mar 25 11:40:09 openvpn 30065 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]167.248.133.17:34560

      This is without an active client connection. Wondering... why do they show in my log? I've seen this in multiple installations...

      4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
      1x PC Engines APU2C4, 1x PC Engines APU1C4

      • divsys

        Looks to me like a connect attempt with invalid certificate/TLS info. Those IP addresses should correspond to the device(s) making the attempt.

        The issues I've seen similar to this under 2.5.0 revolve around some changes in the internal handling of certificate verifications. One of the simplest workarounds seems to be to set "Certificate Depth" to "Do Not Check" on the Server and then restart the server process.

        This has helped a few of my TLS/SSL S2S links that were fine under 2.4.5 but failed under 2.5.0. If that doesn't help you'll probably have to turn up the logging verbosity on at least the server to get more info on what's going on.

        -jfp

        • bennyc @divsys

          @divsys
          Looks like that. But what is strange: since my post here I've set logging on my WAN rule to see incoming traffic to the OpenVPN port, yet for the 2 entries in the OpenVPN log I only see one matched entry in the firewall log. I would expect them both in the firewall log.

          4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
          1x PC Engines APU2C4, 1x PC Engines APU1C4
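
The two questions in this thread (where the "cannot locate HMAC" sources come from, and why an OpenVPN error line may have no matching firewall log entry) are both things a defender would check by parsing the logs rather than reading them by hand. OpenVPN emits "TLS Error: cannot locate HMAC in incoming packet" when tls-auth or tls-crypt is enabled and a packet arrives without a valid HMAC, so each line names a sender that never held the shared TLS key. The script below is an added example, not code from the thread or from Netgate: it extracts and counts the source addresses from OpenVPN lines of the shape quoted above, then reports which of those (ip, port) pairs have no corresponding inbound UDP entry in the firewall log. The firewall lines are constructed for this example in the general shape of a pfSense filterlog CSV record; the field positions used to pick out protocol, source IP and ports are an assumption of this example, as is the destination address 203.0.113.10 and the extra line for port 34561.

```python
import re
from collections import Counter

# Constructed sample OpenVPN log lines, in the same shape as the entries quoted
# in the thread (the fourth line is added to show repeated probes from one host).
OPENVPN_LOG = """\
Mar 25 21:48:11 openvpn 30065 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.47:37364
Mar 25 20:22:18 openvpn 30065 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]74.120.14.20:26278
Mar 25 11:40:09 openvpn 30065 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]167.248.133.17:34560
Mar 25 11:40:12 openvpn 30065 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]167.248.133.17:34561
"""

# Constructed firewall log lines in the general shape of pfSense filterlog CSV
# records (field positions are an assumption of this example). Only two of the
# four OpenVPN events have a matching entry, mirroring the mismatch in the thread.
FIREWALL_LOG = """\
Mar 25 21:48:11 filterlog: 5,,,1000000103,igb0,match,pass,in,4,0x0,,54,12345,0,DF,17,udp,42,185.200.118.47,203.0.113.10,37364,1194,22
Mar 25 11:40:09 filterlog: 5,,,1000000103,igb0,match,pass,in,4,0x0,,51,23456,0,DF,17,udp,42,167.248.133.17,203.0.113.10,34560,1194,22
"""

# OpenVPN prints the peer as [AF_INET]<ipv4>:<port> in this message; IPv4 only here.
HMAC_RE = re.compile(
    r"TLS Error: cannot locate HMAC in incoming packet from "
    r"\[AF_INET\](?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)


def parse_hmac_errors(log_text):
    """Return (timestamp, ip, port) for every 'cannot locate HMAC' line."""
    events = []
    for line in log_text.splitlines():
        m = HMAC_RE.search(line)
        if m:
            # syslog-style timestamp occupies the first 15 characters
            events.append((line[:15], m.group("ip"), int(m.group("port"))))
    return events


def count_sources(log_text):
    """Count HMAC-failure events per source IP (repeat offenders stand out)."""
    return Counter(ip for _, ip, _ in parse_hmac_errors(log_text))


def parse_firewall_flows(log_text, dst_port=1194):
    """Return the set of (src_ip, src_port) for inbound IPv4 UDP entries to dst_port.

    Field positions follow the assumed filterlog layout used in FIREWALL_LOG:
    index 8 = IP version, 16 = protocol text, 18 = source IP, 20/21 = ports.
    """
    flows = set()
    for line in log_text.splitlines():
        if "filterlog: " not in line:
            continue
        fields = line.split("filterlog: ", 1)[1].split(",")
        if len(fields) < 22 or fields[8] != "4" or fields[16] != "udp":
            continue
        src_ip, src_port, dport = fields[18], int(fields[20]), int(fields[21])
        if dport == dst_port:
            flows.add((src_ip, src_port))
    return flows


def unmatched_hmac_errors(ovpn_text, fw_text, dst_port=1194):
    """OpenVPN HMAC failures with no matching inbound firewall log entry."""
    flows = parse_firewall_flows(fw_text, dst_port)
    return [(ip, port) for _, ip, port in parse_hmac_errors(ovpn_text)
            if (ip, port) not in flows]


if __name__ == "__main__":
    for ip, n in count_sources(OPENVPN_LOG).most_common():
        print(f"{ip:16} {n} HMAC failure(s)")
    for ip, port in unmatched_hmac_errors(OPENVPN_LOG, FIREWALL_LOG):
        print(f"no firewall entry for {ip}:{port}")
```

On the sample data the counter shows 167.248.133.17 twice, and the correlation reports 74.120.14.20:26278 and 167.248.133.17:34561 as OpenVPN events with no firewall entry. One reason such a gap can appear even with logging enabled on the WAN rule is that pf logs a packet when the rule creates a state; later packets of the same UDP flow match the existing state rather than the rule and are not logged again, so a burst of probes from one source and port can produce several OpenVPN lines but a single firewall line.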

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.