Netgate Discussion Forum

Peer-to-peer authentication fails—why?

OpenVPN · 9 Posts · 2 Posters · 809 Views
  • DominikHoffmann, May 7, 2024, 2:51 AM

    I am wondering whether there is a way to find out more specifically why my peer-to-peer client authentication fails. This is from the OpenVPN server log file:

    May 6 22:34:59	openvpn	45982	TLS Error: incoming packet authentication failed from [AF_INET]<clientIP>:59914
    May 6 22:35:03	openvpn	45982	Authenticate/Decrypt packet error: packet HMAC authentication failed
    

    In the client log file it looks like this (I know the time stamps don’t coincide—at 22:34 I was not at the site of the client, while I had been at 21:29):

    May 6 21:29:50	openvpn	70917	TCP/UDP: Preserving recently used remote address: [AF_INET]yyy.yyy.yyy.yyy:1194
    May 6 21:29:50	openvpn	70917	UDPv4 link local (bound): [AF_INET]<clientIP>:0
    May 6 21:29:50	openvpn	70917	UDPv4 link remote: [AF_INET]<serverIP>:1194
    May 6 21:30:50	openvpn	70917	TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    May 6 21:30:50	openvpn	70917	TLS Error: TLS handshake failed
    May 6 21:30:50	openvpn	70917	SIGUSR1[soft,tls-error] received, process restarting
    

    This is part of my collection of problems setting up a reliable peer-to-peer network. I have also originated these posts:

    • Can’t reach remote host in peer-to-peer network
    • What’s wrong with this peer to peer routing table?
    • Is this a problem: “Bad encapsulated packet length from peer…”?

    I am most grateful for @viragomann’s help, so far.

    • The Party of Hell No @DominikHoffmann, May 7, 2024, 3:08 AM

      @DominikHoffmann
      Has this worked previously, or are you starting new?

      • DominikHoffmann @The Party of Hell No, May 7, 2024, 3:11 AM

        @The-Party-of-Hell-No: It has recently worked (albeit intermittently), until I pasted a new TLS key.

        • The Party of Hell No @DominikHoffmann, May 7, 2024, 3:19 AM

          @DominikHoffmann
          So you correctly pasted the TLS key? As in no spaces before or at the end or missed characters?

          Did you update the other end of the peer-to-peer with the new TLS Key?

          • DominikHoffmann @DominikHoffmann, May 7, 2024, 3:32 AM
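An added check for the "pasted correctly, same key on both ends" question above; this is example code, not part of the thread or of pfSense. It parses a pasted OpenVPN static key block (the file format of tls-auth/tls-crypt keys), reports truncation or a missed character, and fingerprints the key so the paste on each peer can be compared. The sample keys are constructed.

```python
import hashlib
import re

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256  # a V1 static key is 2048 bits, written as 16 lines of 32 hex chars


def parse_static_key(text: str) -> bytes:
    """Return the raw key from a pasted static-key block, or raise ValueError
    naming the defect (truncated paste, stray character, wrong length)."""
    lines = [ln.strip() for ln in text.splitlines()]                # tolerate spaces around lines
    lines = [ln for ln in lines if ln and not ln.startswith("#")]   # drop comments and blank lines
    if HEADER not in lines or FOOTER not in lines:
        raise ValueError("BEGIN/END marker missing: the paste is truncated")
    hexstr = "".join(lines[lines.index(HEADER) + 1:lines.index(FOOTER)])
    if not re.fullmatch(r"[0-9a-fA-F]*", hexstr):
        raise ValueError("non-hex character inside the key body")
    if len(hexstr) != 2 * KEY_BYTES:
        raise ValueError(f"key body is {len(hexstr)} hex chars, expected {2 * KEY_BYTES}")
    return bytes.fromhex(hexstr)


def diagnose(text: str) -> str:
    """'ok <fingerprint>' when the block parses. Compare the fingerprint on both
    peers: a different key on either side is one cause of 'packet HMAC authentication failed'."""
    try:
        fp = hashlib.sha256(parse_static_key(text)).hexdigest()[:16]
    except ValueError as exc:
        return f"error: {exc}"
    return f"ok {fp}"


def keys_match(a: str, b: str) -> bool:
    """True only when both pastes parse and carry the same key bytes."""
    da, db = diagnose(a), diagnose(b)
    return da.startswith("ok") and da == db


# Constructed sample key (made-up bytes, real layout) and two damaged copies of it.
_BODY = "\n".join("".join("%02x" % ((i * 16 + j) * 37 % 256) for j in range(16)) for i in range(16))
GOOD_KEY = f"#\n# 2048 bit OpenVPN static key\n#\n{HEADER}\n{_BODY}\n{FOOTER}\n"
RETYPED_KEY = GOOD_KEY.replace("\n", "   \n")                      # same key, trailing spaces on every line
TRUNCATED_KEY = GOOD_KEY[:-80]                                     # last line and END marker lost
DROPPED_CHAR_KEY = GOOD_KEY.replace(_BODY[:32], _BODY[:31], 1)     # one character missed while copying

if __name__ == "__main__":
    for name, key in [("good", GOOD_KEY), ("retyped", RETYPED_KEY),
                      ("truncated", TRUNCATED_KEY), ("dropped char", DROPPED_CHAR_KEY)]:
        print(f"{name:13s} {diagnose(key)}")
    print("both ends match:", keys_match(GOOD_KEY, RETYPED_KEY))
```

A matching key can still fail HMAC checks with tls-auth when both ends are given the same key direction; that setting is separate from the key text and is worth checking alongside it.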

            @DominikHoffmann: I am going to have to go back to the other location and check whether the TLS key is the one coming from the Peer Certificate Authority currently imported. There may be a mismatch there.

            • The Party of Hell No @DominikHoffmann, May 7, 2024, 3:41 AM

              @DominikHoffmann
              Are you doing an openvpn road warrior connection? Or are you openVPNing into another office?

              • DominikHoffmann @The Party of Hell No, Aug 20, 2024, 1:22 PM

                @The-Party-of-Hell-No: I have a second site running pfSense behind CGNAT, and the only way I can access it remotely is to establish a peer-to-peer connection.

                • DominikHoffmann, Aug 20, 2024, 1:32 PM

                  I have made progress on the authentication front. Here is what I did.

                  1. Change the peer-to-peer server to remote access mode.
                  2. Use the OpenVPN Client Export module (an installable package) to export the desired client user’s configuration.
                  3. Change the peer-to-peer server back to peer-to-peer mode.
                  4. On the remote pfSense instance use the Import Client module (also an installable package) to import the configuration file from Step 2.
                  5. A successfully authenticated connection is made almost immediately.

                  It still does not work the way I would like it to, maybe even not as it is supposed to. So, there is more work to be done on this.

                  • DominikHoffmann, Aug 21, 2024, 3:32 PM

                    Please see https://forum.netgate.com/post/1181349 for the final puzzle piece that got it to work.
