TLS Error in OpenVPN log
-
Since upgrading to 2.5.0, I started seeing these entries in my OpenVPN log:
Mar 25 21:48:11 openvpn 30065 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.47:37364
Mar 25 20:22:18 openvpn 30065 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]74.120.14.20:26278
Mar 25 11:40:09 openvpn 30065 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]167.248.133.17:34560
This is without an active client connection. Wondering... Why do they show in my log? I've seen this in multiple installations...
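The lines above are what OpenVPN logs when tls-auth/tls-crypt is enabled and an inbound packet fails the HMAC check, so the packet is discarded before any TLS handshake begins. The following is an added example, not from the original post or from OpenVPN/pfSense, that parses such lines and counts them per source address so they can be reviewed as unauthenticated probing rather than as client failures; the sample log is constructed from the three lines in the post plus one repeat and one unrelated line.

```python
import re
from collections import Counter

# Regex for the rejection line exactly as it appears in the log above:
# syslog timestamp, process name, PID, message, [AF_INET]addr:port.
HMAC_REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"openvpn (?P<pid>\d+) "
    r"TLS Error: cannot locate HMAC in incoming packet from "
    r"\[(?P<family>AF_INET6?)\](?P<src>[0-9A-Fa-f.:]+):(?P<port>\d+)$"
)

# Constructed sample: the three lines from the post, one more hit from the
# first source, and an unrelated OpenVPN line that must be ignored.
SAMPLE_LOG = [
    "Mar 25 21:48:11 openvpn 30065 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.47:37364",
    "Mar 25 20:22:18 openvpn 30065 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]74.120.14.20:26278",
    "Mar 25 11:40:09 openvpn 30065 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]167.248.133.17:34560",
    "Mar 25 22:01:02 openvpn 30065 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.118.47:37401",
    "Mar 25 22:05:00 openvpn 30065 Initialization Sequence Completed",
]


def parse_line(line):
    """Return the fields of one HMAC-rejection line, or None for any other line."""
    m = HMAC_REJECT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["port"] = int(rec["port"])
    return rec


def summarize(lines, repeat_threshold=2):
    """Count rejected packets per source address and list sources seen at
    least repeat_threshold times.  Each packet counted here was dropped by
    the tls-auth/tls-crypt HMAC check before a TLS handshake started, so the
    totals measure unauthenticated traffic hitting the port, not failed
    logins by configured clients."""
    per_source = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_source[rec["src"]] += 1
    repeat = sorted(src for src, n in per_source.items() if n >= repeat_threshold)
    return {
        "total_rejected": sum(per_source.values()),
        "per_source": dict(per_source),
        "repeat_sources": repeat,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

To run it against a real firewall, replace SAMPLE_LOG with the lines of the OpenVPN log file (the path depends on the pfSense version). Because the HMAC check rejects these packets before any certificate is examined, the per-source counts are what to compare against the WAN firewall log when looking for the discrepancy the thread goes on to discuss.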
-
Looks to me like a connect attempt with invalid certificate/TLS info. Those IP addresses should correspond to the device(s) making the attempt.
The issues I've seen similar to this under 2.5.0 revolve around some changes in the internal handling of certificate verifications. One of the simplest workarounds seems to be to set "Certificate Depth" to "Do Not Check" on the Server and then restart the server process.
This has helped a few of my TLS/SSL S2S links that were fine under 2.4.5 but failed under 2.5.0. If that doesn't help you'll probably have to turn up the logging verbosity on at least the server to get more info on what's going on.
-
@divsys
Looks like that. But what is strange, since my post here I've set logging to my WAN rule to see incoming traffic to the OpenVPN port, yet for the 2 entries in the OpenVPN log I only see one matched entry in the firewall log. I would expect them both in the firewall log.