Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Authenticate/Decrypt packet error: packet HMAC authentication failed

    Scheduled Pinned Locked Moved OpenVPN
    17 Posts 3 Posters 8.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      swixo @hispeed
      last edited by

      @hispeed Hey - as I learned recently, you have to take the Tunnel Network Address (10.0.5.0/24) out of the client config - When using an override.

      I'm assuming your TLS keys match and your certs are in order. Try the tunnel network and report back.

      H 1 Reply Last reply Reply Quote 0
      • H
        hispeed @swixo
        last edited by

        @swixo
        No luck still the same error.

        CA:
        5dd8ab85-12ad-47b1-9d2b-7b5b26a0f6ab-image.png

        Server Certificate:
        85218f2a-856c-46c3-b902-5dcff2a6b53e-image.png

        Client Certificate:
        af8bbe12-8c56-4f22-b8d6-49f656d4fde6-image.png

        Is this fine like that?

        S 1 Reply Last reply Reply Quote 0
        • S
          swixo @hispeed
          last edited by

          @hispeed also - have the process widget on your dashboard - restart the openvpn server and client services manually after making changes like this. For some reason - mine requires that.

          S 1 Reply Last reply Reply Quote 0
          • S
            swixo @swixo
            last edited by

            @swixo Oh here is a problem - you have TLS Auth+Encryption on the Server and TLS Auth only on client.

            Those need to match.

            H 1 Reply Last reply Reply Quote 0
            • H
              hispeed @swixo
              last edited by

              @swixo

              I restarted the client and server, doesn't help. I also changed the TLS Auth on both side to TLS Auth only.

              Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
              Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
              Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 SIGUSR1[soft,tls-error] received, client-instance restarting
              Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 TLS Error: TLS handshake failed
              Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 TLS Error: TLS object -> incoming plaintext read error
              Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 TLS_ERROR: BIO read tls_read_plaintext error
              Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
              Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=CUCKOXXXXXX, C=CH, serial=4

              S 1 Reply Last reply Reply Quote 0
              • S
                swixo @hispeed
                last edited by

                @hispeed Can you show your client override?

                1 Reply Last reply Reply Quote 0
                • V
                  viragomann
                  last edited by

                  @hispeed
                  The client and server certificates are issued by different CAs.

                  Both have to be from the CA you've selected in the server settings and copied to the client.

                  H 1 Reply Last reply Reply Quote 1
                  • H
                    hispeed @viragomann
                    last edited by

                    @swixo

                    yes of course i can:

                    86400e46-46f6-48ea-a7e2-e94fb8cde242-image.png

                    IPv4 Remote Network = Client Network

                    S 1 Reply Last reply Reply Quote 0
                    • S
                      swixo @hispeed
                      last edited by

                      @hispeed
                      Is the CN from the Client? And these are both coming from the same CA / Copied from the Server to the client?

                      S 1 Reply Last reply Reply Quote 0
                      • S
                        swixo @swixo
                        last edited by swixo

                        @swixo Since its tough to see the certs because of redaction,
                        the general process I would follow:

                        On Server:
                        Create CA. From the CA->Generate the Server Cert and the Client Cert. Make sure server bit set (on the server cert).

                        Export the CA Cert (no key) to a file - and Import that to the client.

                        Export the Client .P12 file on the server, and import it to the Client.

                        Assign the certs in the server and client config. Pay attention to the CN in the override.

                        H 1 Reply Last reply Reply Quote 1
                        • H
                          hispeed @swixo
                          last edited by

                          @swixo and @viragomann

                          It works finally. Thank you for this hint viragomann and also swixo. Boah i was so close to give up. My fault I took the wrong CA for the client certificate.

                          Stupid error i have spent several hours and recreated several times the certificates.....

                          Thank you and have a good weekend.

                          S 1 Reply Last reply Reply Quote 0
                          • S
                            swixo @hispeed
                            last edited by

                            @hispeed Great! Another triumph!

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.