18

I am having an issue with my openvpn server, running Debian Wheezy x64, and my client, running Ubuntu 14.10 x64. It seems no matter what configurations I try, I get this error, over and over, a couple times per minute at least:

Mon Mar  9 22:14:10 2015 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Mar  9 22:14:10 2015 TLS Error: incoming packet authentication failed from [AF_INET] x.x.x.(clientip)

I am using this configuration on the server:

local x.x.x.x
port xxxx
proto udp
dev tun
ca /etc/openvpn/.certs/ca.crt
cert /etc/openvpn/.certs/$up3rR@nD0mCN.crt
key /etc/openvpn/.certs/$up3rR@nD0mCN.key
dh /etc/openvpn/.certs/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir clients
client-to-client
keepalive 7 80
tls-auth /etc/openvpn/.certs/ta.key 0
cipher AES-128-CBC
comp-lzo
max-clients 3
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
tun-mtu 1500
auth SHA256

And on the client, the configuration is managed by network-manager, but I have the key direction correct, the correct tls certificate, a matching mtu, the auth SHA256 directive, and it's set to verify the DN, etc... Is there something I am missing?

I tried different auth ciphers, regenerating the tls key (with --gen-key --secret ta.key), and the error persists. The VPN works okay, although my speeds are slightly lower than they ought to be. Any help would be appreciated.

Braiam
Chev_603

2 Answers

17

Actually, the solution in my case was to add these directives to the server.conf:

mode server
tls-server

And then to the client config:

tls-client

And if you use an embedded tls key via <tls-auth>, add

key-direction 1

If using Network Manager, make sure the 'expect tls authentication' option is checked.

Chev_603
  • I followed your post but nothing happened : ( – t q Nov 05 '17 at 11:15
  • Ran into the same issue today. This seems correct, make sure your key direction is set accordingly. Using the above config, if your client has key-direction 1 then set your server to have key-direction 0. This solved my issue – Kevin Nov 09 '18 at 15:20
  • Another source of error might be specifying cipher explicitly and setting it to the wrong value. – arrowd Jan 10 '20 at 09:39

3

Adding auth and cipher lines to the client's .conf file, matching the ones in the server.conf file, should be sufficient. Or, if you are using Network Manager for the client, click on Cipher and HMAC Authentication and add the settings from the cipher and auth lines in the server.conf. It should work.
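
The agreement both answers and the comments ask for (complementary key direction, identical auth and cipher) can be checked mechanically. This Python script is an added example, not part of either answer or of OpenVPN; the function names and the client config are constructed for illustration, and an absent directive is reported as a mismatch rather than resolved to an OpenVPN default.

```python
import shlex

MUST_MATCH = ("auth", "cipher")  # values that have to be identical on both peers

def parse(text):
    """Map directive -> argument list; inline <tag> blocks are recorded, not read."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                       # inside <tag>...</tag>: skip key material
            inline = None if line == f"</{inline}>" else inline
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            opts[inline] = ["[inline]"]
            continue
        words = [] if line.startswith(";") else shlex.split(line, comments=True)
        if words:
            opts[words[0]] = words[1:]
    return opts

def key_direction(opts):
    """None if tls-auth is unused, else '0', '1' or 'bidirectional'."""
    ta = opts.get("tls-auth")
    if ta is None:
        return None
    if len(ta) >= 2:                     # tls-auth <file> <direction>
        return ta[1]
    return opts.get("key-direction", ["bidirectional"])[0]

def compare(server_text, client_text):
    """List disagreements in the settings the answers say must agree."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    for name in MUST_MATCH:
        sv = " ".join(s.get(name, ["(unset)"])).upper()
        cv = " ".join(c.get(name, ["(unset)"])).upper()
        if sv != cv:
            problems.append(f"{name}: server={sv} client={cv}")
    sd, cd = key_direction(s), key_direction(c)
    if (sd is None) != (cd is None):
        problems.append("tls-auth: enabled on one side only")
    elif sd is not None and {sd, cd} not in ({"0", "1"}, {"bidirectional"}):
        problems.append(f"key direction: server={sd} client={cd}")
    return problems

# Constructed samples: server lines are from the question, the client is invented.
SERVER = "tls-auth /etc/openvpn/.certs/ta.key 0\ncipher AES-128-CBC\nauth SHA256\n"
CLIENT_BAD = "tls-client\ncipher AES-128-CBC\n<tls-auth>\n(key omitted)\n</tls-auth>\n"
CLIENT_OK = CLIENT_BAD + "auth SHA256\nkey-direction 1\n"

if __name__ == "__main__":
    print(compare(SERVER, CLIENT_BAD))   # two mismatches
    print(compare(SERVER, CLIENT_OK))    # []
```

For a Network Manager client, export the connection to a .ovpn file first and pass its text as `client_text`.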