Cannot Authenticate OpenVPN with Active Directory/RADIUS



  • We have properly configured the Active Directory/RADIUS to authenticate OpenVPN users (on Windows 7 64-bit) with, but each time we try to connect (regardless of whether we run the program as admin) we are receiving the error message:

    TLS Error: incoming packet authentication failed from [AF_INET]

    Our configuration previously worked, and the only thing that has changed with pfSense is that the sync went haywire when I changed the admin password some time ago.  The sync issues have all been resolved, but still the VPN connection fails every time.

    Here's a brief copy of what the logs look like:

    openvpn[96169]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 26 10:13:00 openvpn[96169]: TLS Error: incoming packet authentication failed from [AF_INET]192.168.0.16:1194
    Sep 26 10:13:15 openvpn[96169]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 26 10:13:15 openvpn[96169]: TLS Error: incoming packet authentication failed from [AF_INET]192.168.0.16:1194
    Sep 26 10:13:48 openvpn[96169]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 26 10:13:48 openvpn[96169]: TLS Error: incoming packet authentication failed from [AF_INET]192.168.0.16:1194
    Sep 26 10:13:50 openvpn[96169]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sep 26 10:13:50 openvpn[96169]: TLS Error: incoming packet authentication failed from [AF_INET]192.168.0.16:1194

    When I go to test the authentication via pfSense and RADIUS (Diagnostics > Authentication > RADIUS server and AD credentials), it comes back successful.  But still, no luck with the connection.

    All certificates have been created according to the cookbooks for using AD/RADIUS and pfSense for OpenVPN, so I don't believe it's the actual certificates that are failing.

    If it helps, the OpenVPN client works on non-domain accounts using our other OpenVPN server (we have two on the same box, one for non-domain accounts, the other for AD accounts).  So I don't think it's a pfSense issue.

    Any suggestions?  If you need any more information please let me know.


  • Rebel Alliance Developer Netgate

    Those are not AD/RADIUS auth errors, those are packet-level authentication errors.

    The top suspects there are:
    1. Inaccurate Clocks
    2. A mismatched TLS key
    3. You are connecting to your own WAN IP from inside your LAN or other internal segment, rather than connecting from the outside/disconnected network.
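    One way to check suspect 2 from the list above, as an added example that is not part of this thread and not pfSense or OpenVPN code: a small Python script that compares the tls-auth/tls-crypt static key and the key-direction of the server config against an exported client profile, reporting only key fingerprints rather than the key itself. The two config texts, the remote name and the key bytes below are constructed for the demonstration; point the functions at your real server config and the downloaded Client Export instead.

```python
"""Compare the OpenVPN tls-auth/tls-crypt static key and key-direction of
a server config against an exported client profile.

Added example for this thread, not pfSense or OpenVPN code.  The config
texts, the remote host name and the key bytes are constructed here.
"""
import hashlib
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
INLINE_RE = re.compile(r"<(tls-auth|tls-crypt)>(.*?)</\1>", re.S)


def key_bytes(block):
    """Decode the hex body of an 'OpenVPN Static key V1' block (256 bytes)."""
    hex_lines, inside = [], False
    for line in block.splitlines():
        line = line.strip()
        if line == BEGIN:
            inside = True
        elif line == END:
            break
        elif inside and line:
            hex_lines.append(line)
    return bytes.fromhex("".join(hex_lines)) if hex_lines else None


def parse_config(text):
    """Pull out the static key mode, key material and key direction.

    Handles the inline form (<tls-auth> ... </tls-auth> plus 'key-direction N',
    which is what the pfSense Client Export writes) and the file form
    ('tls-auth ta.key N').  Comment lines start with '#' or ';'.
    """
    info = {"mode": None, "key": None, "direction": None, "key_file": None}
    m = INLINE_RE.search(text)
    if m:
        info["mode"], info["key"] = m.group(1), key_bytes(m.group(2))
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split(";", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] in ("tls-auth", "tls-crypt"):
            info["mode"] = tokens[0]
            info["key_file"] = tokens[1] if len(tokens) > 1 else None
            if tokens[0] == "tls-auth" and len(tokens) > 2:
                info["direction"] = tokens[2]
        elif tokens[0] == "key-direction" and len(tokens) > 1:
            info["direction"] = tokens[1]
    return info


def fingerprint(key):
    """Short SHA-256 fingerprint so keys can be compared without printing them."""
    return hashlib.sha256(key).hexdigest()[:16]


def check(server_text, client_text):
    """Return the mismatches that produce 'packet HMAC authentication failed'
    on the server; an empty list means this layer is consistent."""
    s, c = parse_config(server_text), parse_config(client_text)
    findings = []
    if s["mode"] != c["mode"]:
        findings.append(f"control-channel protection differs: server={s['mode']} client={c['mode']}")
        return findings
    if s["key"] and c["key"] and s["key"] != c["key"]:
        findings.append(f"static key differs: server={fingerprint(s['key'])} client={fingerprint(c['key'])}")
    elif (s["key"] is None) != (c["key"] is None):
        findings.append("static key is inline on one side only; compare the referenced key file by hand")
    if s["mode"] == "tls-auth":
        pair = (s["direction"], c["direction"])
        # tls-auth keys are directional: server 0 / client 1, or omitted on both sides.
        if pair != ("0", "1") and pair != (None, None):
            findings.append(f"key-direction mismatch: server={pair[0]} client={pair[1]} (expect 0 on server, 1 on client)")
    return findings


def make_block(hexstr):
    """Lay a hex string out as OpenVPN does: 16 lines of 32 hex characters."""
    return "\n".join([BEGIN] + [hexstr[i:i + 32] for i in range(0, len(hexstr), 32)] + [END])


# Constructed 2048-bit keys (a real ta.key is random); only their difference matters here.
KEY_A = make_block("".join(f"{i:02x}" for i in range(256)))
KEY_B = make_block("".join(f"{255 - i:02x}" for i in range(256)))

SERVER_CONF = f"dev tun\nproto udp\nport 1194\n<tls-auth>\n{KEY_A}\n</tls-auth>\nkey-direction 0\n"
CLIENT_OK = f"client\nremote vpn.example.net 1194 udp\n<tls-auth>\n{KEY_A}\n</tls-auth>\nkey-direction 1\n"
CLIENT_WRONG_KEY = CLIENT_OK.replace(KEY_A, KEY_B)  # e.g. an export taken from the other server instance
CLIENT_WRONG_DIR = CLIENT_OK.replace("key-direction 1", "key-direction 0")

if __name__ == "__main__":
    for name, cfg in [("good export", CLIENT_OK), ("wrong key", CLIENT_WRONG_KEY), ("wrong direction", CLIENT_WRONG_DIR)]:
        print(name, "->", check(SERVER_CONF, cfg) or ["no mismatch at the tls-auth layer"])
```

    With two OpenVPN servers on the same box, as in this thread, the most common way to end up with a wrong key is exporting the client from the other server instance, which this check catches by fingerprint. If the script reports nothing, the static-key layer is not the culprit and the remaining suspects are the clocks and the internal-versus-external path to the WAN address.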



  • Hi jimp,

    I have tried this VPN connection on both internal and external networks and receive the same error message.  We have multiple WAN lines, each with a different WAN IP address, as well as some hotspots that are completely unrelated to our infrastructure.

    1. I changed the clocks on my boxes to reflect accurate times.
    2. How do I verify whether I have a mismatched key or not?  I'm almost positive I created the keys properly through the cert manager and downloaded the corresponding Client Export.
    3. See first part of my response.

    Thanks for your assistance.

