Peer-to-peer authentication fails—why?

DominikHoffmann · May 7, 2024, 2:51 AM

I am wondering, whether there is a way to find out more specifically, why my peer-to-peer client authentication fails. This is from the OpenVPN server log file:

May 6 22:34:59	openvpn	45982	TLS Error: incoming packet authentication failed from [AF_INET]<clientIP>:59914
May 6 22:35:03	openvpn	45982	Authenticate/Decrypt packet error: packet HMAC authentication failed

in the client log file it looks like this (I know the time stamps don’t coincide—at 22:34 I was not at the site of the client, while I had been at 21:29):

May 6 21:29:50	openvpn	70917	TCP/UDP: Preserving recently used remote address: [AF_INET]yyy.yyy.yyy.yyy:1194
May 6 21:29:50	openvpn	70917	UDPv4 link local (bound): [AF_INET]<clientIP:0
May 6 21:29:50	openvpn	70917	UDPv4 link remote: [AF_INET]<serverIP>:1194
May 6 21:30:50	openvpn	70917	TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 6 21:30:50	openvpn	70917	TLS Error: TLS handshake failed
May 6 21:30:50	openvpn	70917	SIGUSR1[soft,tls-error] received, process restarting

This is part of my collection of problems setting up a reliable peer-to-peer network. I have also originated these posts:

I am most grateful for @viragomann’s help, so far.

The Party of Hell No · May 7, 2024, 3:08 AM

@DominikHoffmann
Has this worked previously, or are you starting new?

DominikHoffmann · May 7, 2024, 3:11 AM

@The-Party-of-Hell-No: It has recently worked (albeit intermittently), until I pasted a new TLS key.

The Party of Hell No · May 7, 2024, 3:19 AM

@DominikHoffmann
So you correctly pasted the TLS key? As in no spaces before or at the end or missed characters?

Did you update the other end of the peer-to-peer with the new TLS Key?

DominikHoffmann · May 7, 2024, 3:32 AM

@DominikHoffmann: I am going to have to go back to the other location and check, whether the TLS key is the one coming from the Peer Certificate Authority currently imported. There may be a mismatch there.

The Party of Hell No · May 7, 2024, 3:41 AM

@DominikHoffmann
Are you doing an openvpn road warrior connection? Or are you openVPNing into another office?

DominikHoffmann · Aug 20, 2024, 1:22 PM

@The-Party-of-Hell-No: I have a second site running pfSense behind CGNAT, and the only way I can access it remotely is to establish a peer-to-peer connection.

DominikHoffmann · Aug 20, 2024, 1:32 PM

I have made progress on the authentication front. Here is what I did.

Change the peer-to-peer server to remote access mode.
Use the OpenVPN Client Export module (an installable package) to export the desired client user’s configuration.
Change the peer-to-peer server back to peer-to-peer mode.
On the remote pfSense instance use the Import Client module (also an installable package) to import the configuration file from Step 2.
A successfully authenticated connection is made almost immediately.

It still does not work the way I would like it to, maybe even not as it is supposed to. So, there is more work to be done on this.

DominikHoffmann · Aug 21, 2024, 3:32 PM

Please see https://forum.netgate.com/post/1181349 for the final puzzle piece that got it to work.