• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Authenticate/Decrypt packet error: packet HMAC authentication failed

Scheduled Pinned Locked Moved OpenVPN
17 Posts 3 Posters 7.9k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • S
    swixo @hispeed
    last edited by Aug 6, 2022, 2:35 PM

    @hispeed also - have the process widget on your dashboard - restart the openvpn server and client services manually after making changes like this. For some reason - mine requires that.

    S 1 Reply Last reply Aug 6, 2022, 2:37 PM Reply Quote 0
    • S
      swixo @swixo
      last edited by Aug 6, 2022, 2:37 PM

      @swixo Oh here is a problem - you have TLS Auth+Encryption on the Server and TLS Auth only on client.

      Those need to match.

      H 1 Reply Last reply Aug 6, 2022, 2:54 PM Reply Quote 0
      • H
        hispeed @swixo
        last edited by Aug 6, 2022, 2:54 PM

        @swixo

        I restarted the client and server, doesn't help. I also changed the TLS Auth on both side to TLS Auth only.

        Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
        Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
        Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 SIGUSR1[soft,tls-error] received, client-instance restarting
        Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 TLS Error: TLS handshake failed
        Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 TLS Error: TLS object -> incoming plaintext read error
        Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 TLS_ERROR: BIO read tls_read_plaintext error
        Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
        Aug 6 16:48:03 openvpn 71708 XX.XXX.179.XXX:19708 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=CUCKOXXXXXX, C=CH, serial=4

        S 1 Reply Last reply Aug 6, 2022, 3:04 PM Reply Quote 0
        • S
          swixo @hispeed
          last edited by Aug 6, 2022, 3:04 PM

          @hispeed Can you show your client override?

          1 Reply Last reply Reply Quote 0
          • V
            viragomann
            last edited by Aug 6, 2022, 3:26 PM

            @hispeed
            The client and server certificates are issued by different CAs.

            Both have to be from the CA you've selected in the server settings and copied to the client.

            H 1 Reply Last reply Aug 6, 2022, 3:28 PM Reply Quote 1
            • H
              hispeed @viragomann
              last edited by Aug 6, 2022, 3:28 PM

              @swixo

              yes of course i can:

              86400e46-46f6-48ea-a7e2-e94fb8cde242-image.png

              IPv4 Remote Network = Client Network

              S 1 Reply Last reply Aug 6, 2022, 3:29 PM Reply Quote 0
              • S
                swixo @hispeed
                last edited by Aug 6, 2022, 3:29 PM

                @hispeed
                Is the CN from the Client? And these are both coming from the same CA / Copied from the Server to the client?

                S 1 Reply Last reply Aug 6, 2022, 3:35 PM Reply Quote 0
                • S
                  swixo @swixo
                  last edited by swixo Aug 6, 2022, 3:37 PM Aug 6, 2022, 3:35 PM

                  @swixo Since its tough to see the certs because of redaction,
                  the general process I would follow:

                  On Server:
                  Create CA. From the CA->Generate the Server Cert and the Client Cert. Make sure server bit set (on the server cert).

                  Export the CA Cert (no key) to a file - and Import that to the client.

                  Export the Client .P12 file on the server, and import it to the Client.

                  Assign the certs in the server and client config. Pay attention to the CN in the override.

                  H 1 Reply Last reply Aug 6, 2022, 3:38 PM Reply Quote 1
                  • H
                    hispeed @swixo
                    last edited by Aug 6, 2022, 3:38 PM

                    @swixo and @viragomann

                    It works finally. Thank you for this hint viragomann and also swixo. Boah i was so close to give up. My fault I took the wrong CA for the client certificate.

                    Stupid error i have spent several hours and recreated several times the certificates.....

                    Thank you and have a good weekend.

                    S 1 Reply Last reply Aug 6, 2022, 3:39 PM Reply Quote 0
                    • S
                      swixo @hispeed
                      last edited by Aug 6, 2022, 3:39 PM

                      @hispeed Great! Another triumph!

                      1 Reply Last reply Reply Quote 0
                      17 out of 17
                      • First post
                        17/17
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                        This community forum collects and processes your personal information.
                        consent.not_received