    Cannot Authenticate OpenVPN with Active Directory/RADIUS

    • N
      nwt_admin last edited by

      We have properly configured Active Directory/RADIUS to authenticate OpenVPN users (on Windows 7 64-bit), but each time we try to connect (regardless of whether we run the program as admin or not) we receive the error message:

      TLS Error: incoming packet authentication failed from [AF_INET]

      Our configuration previously worked, and the only thing that has changed with pfSense is that the sync went haywire when I changed the admin password some time ago.  The sync issues have all been resolved, but still the VPN connection fails every time.

      Here's a brief copy of what the logs look like:

      openvpn[96169]: Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 26 10:13:00 openvpn[96169]: TLS Error: incoming packet authentication failed from [AF_INET]192.168.0.16:1194
      Sep 26 10:13:15 openvpn[96169]: Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 26 10:13:15 openvpn[96169]: TLS Error: incoming packet authentication failed from [AF_INET]192.168.0.16:1194
      Sep 26 10:13:48 openvpn[96169]: Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 26 10:13:48 openvpn[96169]: TLS Error: incoming packet authentication failed from [AF_INET]192.168.0.16:1194
      Sep 26 10:13:50 openvpn[96169]: Authenticate/Decrypt packet error: packet HMAC authentication failed
      Sep 26 10:13:50 openvpn[96169]: TLS Error: incoming packet authentication failed from [AF_INET]192.168.0.16:1194

      When I go to test the authentication via pfSense and RADIUS (Diagnostics > Authentication > RADIUS server and AD credentials), it comes back successful.  But still, no luck with the connection.

      All certificates have been created according to the cookbooks for using AD/RADIUS and pfSense for OpenVPN, so I don't believe it's the actual certificates that are failing.

      If it helps, the OpenVPN client works on non-domain accounts using our other OpenVPN server (we have two on the same box, one for non-domain accounts, the other for AD accounts).  So I don't think it's a pfSense issue.

      Any suggestions?  If you need any more information please let me know.

      • jimp
        jimp Rebel Alliance Developer Netgate last edited by

        Those are not AD/RADIUS auth errors, those are packet-level authentication errors.

        The top suspects there are:
        1. Inaccurate Clocks
        2. A mismatched TLS key
        3. You are connecting to your own WAN IP from inside your LAN or other internal segment, rather than connecting from the outside/disconnected network.

        • N
          nwt_admin last edited by

          Hi jimp,

          I have tried this VPN connection on both internal and external networks and receive the same error message.  We have multiple WAN lines, each with a different WAN IP address, as well as some hotspots that are completely unrelated to our infrastructure.

          1. I changed the clocks on my boxes to reflect accurate times.
          2. How do I verify that I have a mismatched key or not?  I'm almost positive I created the keys properly through the cert manager and downloading the corresponding Client Export.
          3. See first part of my response.

          Thanks for your assistance.

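One way to check the "mismatched TLS key" suspect raised above, as an added example that is not part of the original thread: compare a fingerprint of the server's static TLS key with the key embedded in the client's exported config, and check that the key directions are complementary. It assumes the server uses tls-auth with an OpenVPN static key and that the client config carries the key in an inline <tls-auth> block; the function names, the file path and all sample contents are constructed for illustration.

```python
import hashlib
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"

def fingerprint(text):
    """SHA-256 of the static key found in a key file or an inline <tls-auth> block."""
    start, end = text.find(BEGIN), text.find(END)
    if start == -1 or end < start:
        raise ValueError("no OpenVPN static key block found")
    hex_digits = "".join(text[start + len(BEGIN):end].split()).lower()
    if len(hex_digits) != 512 or not re.fullmatch(r"[0-9a-f]+", hex_digits):
        raise ValueError("expected 2048 bits of hex key material")
    return hashlib.sha256(bytes.fromhex(hex_digits)).hexdigest()

def key_direction(config):
    """Direction from 'key-direction N' or 'tls-auth <file> N'; None if unset."""
    m = re.search(r"^\s*(?:key-direction|tls-auth\s+\S+)\s+([01])\s*$", config, re.M)
    return int(m.group(1)) if m else None

def check_tls_auth(server_cfg, server_key, client_cfg):
    """Return the problems that would cause packet HMAC failures; empty if none."""
    problems = []
    # Compare fingerprints so the key material itself is never displayed.
    if fingerprint(server_key) != fingerprint(client_cfg):
        problems.append("TLS key differs between server and client")
    # Both sides must omit the direction, or use opposite values (0 and 1).
    dirs = (key_direction(server_cfg), key_direction(client_cfg))
    if dirs not in ((None, None), (0, 1), (1, 0)):
        problems.append(f"key directions not complementary: {dirs}")
    return problems

def sample_block(hexchars):
    """Build a constructed sample key block (not real key material)."""
    rows = [hexchars[i:i + 32] for i in range(0, 512, 32)]
    return "\n".join([BEGIN, *rows, END])

# Constructed sample inputs; the path below is a placeholder.
SERVER_KEY = sample_block("0123456789abcdef" * 32)
SERVER_CFG = "dev tun\nproto udp\ntls-auth /path/to/server.tls-auth 0\n"
CLIENT_GOOD = f"client\nkey-direction 1\n<tls-auth>\n{SERVER_KEY}\n</tls-auth>\n"
CLIENT_STALE = ("client\nkey-direction 1\n<tls-auth>\n"
                + sample_block("fedcba9876543210" * 32) + "\n</tls-auth>\n")

if __name__ == "__main__":
    print(check_tls_auth(SERVER_CFG, SERVER_KEY, CLIENT_GOOD))
    print(check_tls_auth(SERVER_CFG, SERVER_KEY, CLIENT_STALE))
```

A client config exported before the server's TLS key was regenerated would show up here as a key mismatch, even though certificates and RADIUS credentials are still valid.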