• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Authenticate/Decrypt packet error: packet HMAC authentication failed

Scheduled Pinned Locked Moved OpenVPN
17 Posts 3 Posters 8.2k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • S
    swixo @hispeed
    last edited by Aug 6, 2022, 1:59 PM

    @hispeed Hey - as I learned recently, you have to take the Tunnel Network Address (10.0.5.0/24) out of the client config - When using an override.

    I'm assuming your TLS keys match and your certs are in order. Try the tunnel network and report back.

    H 1 Reply Last reply Aug 6, 2022, 2:25 PM Reply Quote 0
    • H
      hispeed @swixo
      last edited by Aug 6, 2022, 2:25 PM

      @swixo
      No luck still the same error.

      CA:
      5dd8ab85-12ad-47b1-9d2b-7b5b26a0f6ab-image.png

      Server Certificate:
      85218f2a-856c-46c3-b902-5dcff2a6b53e-image.png

      Client Certificate:
      af8bbe12-8c56-4f22-b8d6-49f656d4fde6-image.png

      Is this fine like that?

      S 1 Reply Last reply Aug 6, 2022, 2:35 PM Reply Quote 0
      • S
        swixo @hispeed
        last edited by Aug 6, 2022, 2:35 PM

        @hispeed also - have the process widget on your dashboard - restart the openvpn server and client services manually after making changes like this. For some reason - mine requires that.

        S 1 Reply Last reply Aug 6, 2022, 2:37 PM Reply Quote 0
        • S
          swixo @swixo
          last edited by Aug 6, 2022, 2:37 PM

          @swixo Oh here is a problem - you have TLS Auth+Encryption on the Server and TLS Auth only on client.

          Those need to match.

          H 1 Reply Last reply Aug 6, 2022, 2:54 PM Reply Quote 0
          • H
            hispeed @swixo
            last edited by Aug 6, 2022, 2:54 PM

            @swixo

            I restarted the client and server, doesn't help. I also changed the TLS Auth on both side to TLS Auth only.

            Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
            Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
            Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 SIGUSR1[soft,tls-error] received, client-instance restarting
            Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 TLS Error: TLS handshake failed
            Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 TLS Error: TLS object -> incoming plaintext read error
            Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 TLS_ERROR: BIO read tls_read_plaintext error
            Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
            Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=CUCKOXXXXXX, C=CH, serial=4

            S 1 Reply Last reply Aug 6, 2022, 3:04 PM Reply Quote 0
            • S
              swixo @hispeed
              last edited by Aug 6, 2022, 3:04 PM

              @hispeed Can you show your client override?

              1 Reply Last reply Reply Quote 0
              • V
                viragomann
                last edited by Aug 6, 2022, 3:26 PM

                @hispeed
                The client and server certificates are issued by different CAs.

                Both have to be from the CA you've selected in the server settings and copied to the client.

                H 1 Reply Last reply Aug 6, 2022, 3:28 PM Reply Quote 1
                • H
                  hispeed @viragomann
                  last edited by Aug 6, 2022, 3:28 PM

                  @swixo

                  yes of course i can:

                  86400e46-46f6-48ea-a7e2-e94fb8cde242-image.png

                  IPv4 Remote Network = Client Network

                  S 1 Reply Last reply Aug 6, 2022, 3:29 PM Reply Quote 0
                  • S
                    swixo @hispeed
                    last edited by Aug 6, 2022, 3:29 PM

                    @hispeed
                    Is the CN from the Client? And these are both coming from the same CA / Copied from the Server to the client?

                    S 1 Reply Last reply Aug 6, 2022, 3:35 PM Reply Quote 0
                    • S
                      swixo @swixo
                      last edited by swixo Aug 6, 2022, 3:37 PM Aug 6, 2022, 3:35 PM

                      @swixo Since its tough to see the certs because of redaction,
                      the general process I would follow:

                      On Server:
                      Create CA. From the CA->Generate the Server Cert and the Client Cert. Make sure server bit set (on the server cert).

                      Export the CA Cert (no key) to a file - and Import that to the client.

                      Export the Client .P12 file on the server, and import it to the Client.

                      Assign the certs in the server and client config. Pay attention to the CN in the override.

                      H 1 Reply Last reply Aug 6, 2022, 3:38 PM Reply Quote 1
                      • H
                        hispeed @swixo
                        last edited by Aug 6, 2022, 3:38 PM

                        @swixo and @viragomann

                        It works finally. Thank you for this hint viragomann and also swixo. Boah i was so close to give up. My fault I took the wrong CA for the client certificate.

                        Stupid error i have spent several hours and recreated several times the certificates.....

                        Thank you and have a good weekend.

                        S 1 Reply Last reply Aug 6, 2022, 3:39 PM Reply Quote 0
                        • S
                          swixo @hispeed
                          last edited by Aug 6, 2022, 3:39 PM

                          @hispeed Great! Another triumph!

                          1 Reply Last reply Reply Quote 0
                          17 out of 17
                          • First post
                            17/17
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                            This community forum collects and processes your personal information.
                            consent.not_received