#1 2018-03-29 15:20:17

Asher256
Member
Registered: 2006-11-13
Posts: 7

Openvpn: tls-crypt unwrap error: packet too short

Hi,

I configured an OpenVPN server (v2.4.5) and the Linux workstations were able to connect to the VPN successfully.

The only clients that did not work were Android phones (Android apps: "OpenVPN for Android" or "OpenVPN connect"). Each time I try to connect with an Android phone, I have the error below on the OpenVPN server side:

TLS: Initial packet from [AF_INET]208.74.193.21:47546, sid=dc5eafbc 22024732
tls-crypt unwrap error: packet too short
TLS Error: tls-crypt unwrapping failed from [AF_INET]208.74.193.21:47546
Fatal TLS error (check_tls_errors_co), restarting
SIGUSR1[soft,tls-error] received, client-instance restarting

This is the OpenVPN server side configuration:

# MANAGED BY ANSIBLE
port 1194
proto tcp
dev tun
auth SHA512
cipher AES-256-CBC
tls-crypt /etc/openvpn/easy-rsa/keys/ta.key
key-direction 0
user nobody
group nogroup
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
server 172.25.0.0 255.255.0.0
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3
client-config-dir /etc/openvpn/ccd
client-to-client

This is the Android client "*.ovpn" file:

client
dev tun
remote URL.DOMAIN.COM 1194
proto tcp
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
verb 1
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>

Do you have any idea how to solve this issue? (It is caused by tls-crypt/tls-auth according to my last test. Check the "PS:" below)

Thank you!

PS: I was able to connect my Android phones to the VPN server by removing tls-crypt from the server side and tls-auth from the Android side. It looks like the issue is related to the extra protection tls-crypt.

Last edited by Asher256 (2018-03-29 15:22:46)
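OpenVPN requires both ends to use the same control-channel protection: a server configured with `tls-crypt` cannot interoperate with a client that supplies the static key as `<tls-auth>`, which is the combination shown in the post. The following checker is an added example (not code from the thread or from OpenVPN); it parses the two configs, including inline `<tag>...</tag>` blocks, and reports whether the two sides agree. The config excerpts are constructed from the post with the key material replaced by `...`.

```python
"""Check that an OpenVPN server and client agree on control-channel protection."""
import re

# Constructed excerpts of the server config and the Android .ovpn from the post.
SERVER_CONF = """\
port 1194
proto tcp
tls-crypt /etc/openvpn/easy-rsa/keys/ta.key
key-direction 0
cipher AES-256-CBC
"""

CLIENT_OVPN = """\
client
remote URL.DOMAIN.COM 1194
proto tcp
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
"""

INLINE_OPEN = re.compile(r"^<(\w[\w-]*)>$")  # inline block opener, e.g. <tls-auth>


def parse_openvpn(text):
    """Return {option: value}; '#' comments are dropped and an inline block
    such as <tls-auth>...</tls-auth> is recorded as that option being set."""
    opts, block = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if block:                      # skip the body of an inline block
            if line == f"</{block}>":
                block = None
            continue
        m = INLINE_OPEN.match(line)
        if m:
            block = m.group(1)
            opts[block] = "<inline>"
        elif line:
            name, _, value = line.partition(" ")
            opts[name] = value.strip()
    return opts


def control_channel_mode(opts):
    """'tls-crypt', 'tls-auth' or 'none'; both ends must report the same mode."""
    return next((m for m in ("tls-crypt", "tls-auth") if m in opts), "none")


def check_pair(server_text, client_text):
    """Return (ok, message) saying whether server and client can interoperate."""
    s = control_channel_mode(parse_openvpn(server_text))
    c = control_channel_mode(parse_openvpn(client_text))
    if s == c:
        return True, f"both ends use {s}"
    return False, f"server uses {s} but client uses {c}: change the client to {s}"
```

For the post's pair the checker flags the mismatch; renaming the client's `<tls-auth>` block to `<tls-crypt>` (same key file, which is what the server already loads as `ta.key`) makes the two sides agree.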


Powered by FluxBB