Openvpn tls-crypt unwrap error

Hello everybody,

After some attempts to set up OpenVPN I cannot continue.

My goal: I would like to connect to the home network from a Windows notebook.

This is already working:

  1. DynDNS
  2. The certificates on the client are found

Error message in Windows client:

Fri Oct 05 15:59:06 2018 TLS Error: TLS key negotiation failed within 60 seconds (check your network connectivity)
Fri Oct 05 15:59:06 2018 TLS Error: TLS handshake failed

I created the certs like this:

wget --no-check-certificate -O /tmp/create-certs.sh "https://openwrt.org/_export/code/docs/guide-user/services/vpn/openvpn/basic?codeblock=2"
sh -e -v -x /tmp/create-certs.sh

On the client it looks like this:

dev do
proto udp
log openvpn.log
verb 3
ca [Path]\\ca.crt
cert [Path]\\my-client.crt
key [Path]\\my-client.key
client
remote-cert-tls server
remote [dyn-dns-IP] 1194

I copied the files ca.crt, my-client.crt, my-client.key from /etc/openvpn/ssl to the client.

ls /etc/config/openvpn*
/etc/config/openvpn
/etc/config/openvpn_recipes
/etc/config/openvpn_opkg

The log on the server says:

Fri Oct  5 16:22:35 2018 daemon.err openvpn(vpnserver)[10446]: tls-crypt unwrap error: packet too short
Fri Oct  5 16:22:35 2018 daemon.err openvpn(vpnserver)[10446]: TLS Error: tls-crypt unwrapping failed from [AF_INET][clientIP1]:1194

I wonder:

  1. What are openvpn_recipes and openvpn_opkg, shall I delete them?
  2. Do I need another certificate?

Best regards

Please perform the steps listed under the troubleshooting section of the wiki, specifically the step in bold red.

uci show openvpn
    openvpn.vpnserver=openvpn
    openvpn.vpnserver.enabled='1'
    openvpn.vpnserver.verb='3'
    openvpn.vpnserver.dev='tun0'
    openvpn.vpnserver.topology='subnet'
    openvpn.vpnserver.proto='udp'
    openvpn.vpnserver.port='1194'
    openvpn.vpnserver.server='192.168.200.0 255.255.255.0'
    openvpn.vpnserver.client_to_client='1'
    openvpn.vpnserver.compress='lzo'
    openvpn.vpnserver.keepalive='10 120'
    openvpn.vpnserver.persist_tun='1'
    openvpn.vpnserver.persist_key='1'
    openvpn.vpnserver.tls_crypt='/etc/openvpn/tc.psk'
    openvpn.vpnserver.dh='/etc/openvpn/dh.pem'
    openvpn.vpnserver.ca='/etc/openvpn/ca.crt'
    openvpn.vpnserver.cert='/etc/openvpn/my-server.crt'
    openvpn.vpnserver.key='/etc/openvpn/my-server.key'
    openvpn.vpnserver.push='redirect-gateway def1' 'route [IP of the LAN]' 'dhcp-option DNS [IP different to the real DNS in LAN]' 'compress lzo' 'persist-tun' 'persist-key' 'dhcp-option DOMAIN [name of the local domain]'
uci show firewall
    firewall.@rule[11]=rule
    firewall.@rule[11].name='Allow-OpenVPN-Inbound'
    firewall.@rule[11].target='ACCEPT'
    firewall.@rule[11].src='*'
    firewall.@rule[11].proto='udp'
    firewall.@rule[11].dest_port='1194'
    firewall.@rule[12]=rule
    firewall.@rule[12].name='Allow-OpenVPN'
    firewall.@rule[12].src='wan'
    firewall.@rule[12].proto='tcp udp'
    firewall.@rule[12].dest_port='1194'
    firewall.@rule[12].target='ACCEPT'
    firewall.@zone[7]=zone
    firewall.@zone[7].name='vpnserver'
    firewall.@zone[7].network='vpnserver'
    firewall.@zone[7].input='ACCEPT'
    firewall.@zone[7].output='ACCEPT'
    firewall.@zone[7].forward='REJECT'
    firewall.@forwarding[5]=forwarding
    firewall.@forwarding[5].src='vpnserver'
    firewall.@forwarding[5].dest='wan'
    firewall.@forwarding[6]=forwarding
    firewall.@forwarding[6].src='vpnserver'
    firewall.@forwarding[6].dest='lan'
uci show network
    network.vpnserver=interface
    network.vpnserver.proto='none'
    network.vpnserver.ifname='tun0'
logread -l 250 -e openvpn
    Sat Oct  6 10:53:34 2018 daemon.err openvpn(vpnserver)[10446]: tls-crypt unwrap error: packet too short
    Sat Oct  6 10:53:34 2018 daemon.err openvpn(vpnserver)[10446]: TLS Error: tls-crypt unwrapping failed from [AF_INET][IP of the Client]:1194
    Sat Oct  6 10:53:49 2018 daemon.err openvpn(vpnserver)[10446]: tls-crypt unwrap error: packet too short
    Sat Oct  6 10:53:49 2018 daemon.err openvpn(vpnserver)[10446]: TLS Error: tls-crypt unwrapping failed from [AF_INET][IP of the Client]:1194

Log on the client:

Sat Oct 06 10:52:15 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Sat Oct 06 10:52:15 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Sat Oct 06 10:52:15 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Sat Oct 06 10:52:15 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25347
Sat Oct 06 10:52:15 2018 Need hold release from management interface, waiting...
Sat Oct 06 10:52:16 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25347
Sat Oct 06 10:52:16 2018 MANAGEMENT: CMD 'state on'
Sat Oct 06 10:52:16 2018 MANAGEMENT: CMD 'log all on'
Sat Oct 06 10:52:16 2018 MANAGEMENT: CMD 'echo all on'
Sat Oct 06 10:52:16 2018 MANAGEMENT: CMD 'hold off'
Sat Oct 06 10:52:16 2018 MANAGEMENT: CMD 'hold release'
Sat Oct 06 10:52:16 2018 MANAGEMENT: >STATE:1538815936,RESOLVE,,,,,,
Sat Oct 06 10:52:16 2018 TCP/UDP: Preserving recently used remote address: [AF_INET][IP of the server]:1194
Sat Oct 06 10:52:16 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Oct 06 10:52:16 2018 UDP link local (bound): [AF_INET][undef]:1194
Sat Oct 06 10:52:16 2018 UDP link remote: [AF_INET][IP of the server]:1194
Sat Oct 06 10:52:16 2018 MANAGEMENT: >STATE:1538815936,WAIT,,,,,,
Sat Oct 06 10:53:16 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 06 10:53:16 2018 TLS Error: TLS handshake failed
Sat Oct 06 10:53:16 2018 SIGUSR1[soft,tls-error] received, process restarting
Sat Oct 06 10:53:16 2018 MANAGEMENT: >STATE:1538815996,RECONNECTING,tls-error,,,,,
Sat Oct 06 10:53:16 2018 Restart pause, 5 second(s)
Sat Oct 06 10:53:21 2018 MANAGEMENT: >STATE:1538816001,RESOLVE,,,,,,

You are missing the tls-crypt option.


Also, when you perform such modifications, it can lead to unexpected results, because the device type is derived from the device name:
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

@AZNBCDDW Please post your full client config.

Please disregard the prior text, as I missed the "Security Considerations" section under --tls-crypt on the man page.

What should I specifically enter where?
I already tried
tls-crypt [path]\my-client.key (in the client config)
and got this error:
Key file ('[path]\my-client.key') can be a maximum of 2048 bytes

Use the third script of the guide to generate a correct client config:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic#client_config
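What that script has to get right, shown here as an added example that is neither the wiki's create-ovpn.sh nor anything posted in this thread: the client must carry the server's tls-crypt pre-shared key, inline between <tls-crypt> tags, and that key is the 2048-bit OpenVPN static key the server references as tc.psk, not the client's TLS private key (hence the "maximum of 2048 bytes" refusal above). A client without tls-crypt sends an unwrapped control packet, which is exactly what the server logs as "tls-crypt unwrap error: packet too short". The POSIX sh below (busybox-compatible, so it can run on the router) assembles the .ovpn and refuses any tls-crypt file that is not a static key. The host name vpn.example.net, the port and all file names are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the OpenWrt wiki's create-ovpn.sh: build a client .ovpn
# with the server's tls-crypt key inline, refusing anything that is not an
# OpenVPN static key.  All paths and the host name are assumed placeholders.
#
#   build_ovpn HOST PORT TC_PSK CA_CRT CLIENT_CRT CLIENT_KEY OUT_OVPN

TC_BEGIN='-----BEGIN OpenVPN Static key V1-----'
TC_END='-----END OpenVPN Static key V1-----'

# Returns 0 if FILE is what --tls-crypt expects: the V1 header followed by
# 512 hex digits (256 bytes = 2048 bits), as written by "openvpn --genkey
# --secret".  A PEM private key (the mistake in the thread) fails this check.
is_tls_crypt_key() {
    [ -f "$1" ] || return 1
    grep -q "^$TC_BEGIN\$" "$1" && grep -q "^$TC_END\$" "$1" || return 1
    hex=$(sed -n "/^$TC_BEGIN\$/,/^$TC_END\$/p" "$1" | grep -v '^-----' | tr -d ' \r\n')
    [ "${#hex}" -eq 512 ] || return 1
    case "$hex" in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# Emit FILE between <TAG> and </TAG>, the inline form OpenVPN accepts for
# ca, cert, key and tls-crypt, so the profile is a single file.
inline_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

build_ovpn() {
    host="$1"; port="$2"; tc="$3"; ca="$4"; crt="$5"; key="$6"; out="$7"
    if ! is_tls_crypt_key "$tc"; then
        echo "error: $tc is not an OpenVPN static key" >&2
        echo "       use the file named in the server's tls_crypt option; create one with" >&2
        echo "       openvpn --genkey --secret /etc/openvpn/tc.psk   (OpenVPN 2.4 syntax)" >&2
        return 1
    fi
    for f in "$ca" "$crt" "$key"; do
        [ -f "$f" ] || { echo "error: missing $f" >&2; return 1; }
    done
    {
        # Matches the server posted in the thread (udp/1194, tun; subnet
        # topology and routes are pushed).  auth-nocache addresses the
        # "may cache passwords in memory" warning raised later in the thread.
        cat <<EOF
client
dev tun
proto udp
remote $host $port
nobind
remote-cert-tls server
auth-nocache
persist-key
persist-tun
verb 3
EOF
        inline_block ca "$ca"
        inline_block cert "$crt"
        inline_block key "$key"
        inline_block tls-crypt "$tc"
    } > "$out"
}

# Stand-alone use:
#   sh build_ovpn.sh vpn.example.net 1194 tc.psk ca.crt my-client.crt my-client.key client.ovpn
if [ "$#" -eq 7 ]; then build_ovpn "$@"; fi
```

The server side needs no change: `openvpn.vpnserver.tls_crypt='/etc/openvpn/tc.psk'` is already set in the uci output above, so the same tc.psk goes into the client profile. Treat tc.psk like a private key when copying it off the router: whoever holds it gets past the tls-crypt layer, even though the TLS handshake behind it still demands a certificate signed by your CA.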

First: I get a connection now! In that respect the problem is solved. Many thanks!

But there are still some questions left:

  1. At the client I get the following message:
    WARNING: this configuration may cache passwords in memory - use the auth-nocache option to prevent this

  2. I need several TUN and several TAP connections. How can I do that best?

  3. I would like to be asked for a password on the mobile device (client) when connecting, in addition to the files. Can that be configured? The target is that not all the data needed to build the VPN is stored on the mobile device.

For info to the developers:

The script does not work with "sh -e -v -x /tmp/create-ovpn.sh". No ovpn file was generated and a large amount of garbage appeared on the screen.

This is how it worked:
cd /tmp
chmod +x create-ovpn.sh
./create-ovpn.sh

The current IP, not a DDNS name, was entered in the ovpn file (note: I have multiple DDNS names).

Now I tried to add a second VPN in LuCI.

No matter whether I click add or save, no new VPN is created.

Is that a mistake in LuCI or am I doing something wrong?

That's not garbage, but information for debugging/troubleshooting.
I've updated the script in the guide, it should be more fault-tolerant now.

I've added auth-nocache to the script to fix the warning message.

It depends on differences in firewall zone policies and on whether you need to run those VPN connections simultaneously or not.
In the general case you need to change every vpnserver to vpnserverN at least, and run the scripts again.

Package luci-app-openvpn is temporarily bugged:
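What "vpnserver to vpnserverN" amounts to in practice, as an added example (not from the thread or the wiki) laid out alongside the uci output posted earlier: a second instance needs its own tun device, its own UDP port and a tunnel subnet that does not overlap the first one, plus its own network interface, firewall zone and forwarding. The port 1195, tun1, 192.168.201.0/24, the 192.168.1.0/24 LAN and the file names are all assumptions; the inbound rule is scoped to wan like rule[12] above rather than src='*' like rule[11].

```uci
# /etc/config/openvpn : second instance beside the existing 'vpnserver'.
# Added example; port, device, subnets and file names are assumptions.
config openvpn 'vpnserver2'
	option enabled '1'
	option verb '3'
	option dev 'tun1'                              # tun0 belongs to vpnserver
	option topology 'subnet'
	option proto 'udp'
	option port '1195'                             # 1194 belongs to vpnserver
	option server '192.168.201.0 255.255.255.0'    # must not overlap 192.168.200.0/24
	option keepalive '10 120'
	option persist_tun '1'
	option persist_key '1'
	option tls_crypt '/etc/openvpn/tc2.psk'        # openvpn --genkey --secret /etc/openvpn/tc2.psk
	option dh '/etc/openvpn/dh.pem'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/my-server.crt'
	option key '/etc/openvpn/my-server.key'
	list push 'route 192.168.1.0 255.255.255.0'    # assumed LAN; no redirect-gateway on this instance

# /etc/config/network : interface the firewall zone refers to
config interface 'vpnserver2'
	option proto 'none'
	option ifname 'tun1'

# /etc/config/firewall : inbound rule scoped to wan, own zone, forwarding to lan only
config rule
	option name 'Allow-OpenVPN2-Inbound'
	option src 'wan'
	option proto 'udp'
	option dest_port '1195'
	option target 'ACCEPT'

config zone
	option name 'vpnserver2'
	option network 'vpnserver2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'vpnserver2'
	option dest 'lan'
```

Apply with `service openvpn restart` and `service firewall restart`, then build that instance's client profile with `remote <host> 1195` and tc2.psk inline. The CA and server certificate can be shared between instances; the tls-crypt key could be shared as well, but a separate one means a leaked client profile for one instance does not also get past the other instance's tls-crypt layer.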

Since I have little experience with OpenWrt: how can I get this update without breaking my OpenWrt?

How long do I have to wait until the update arrives via "opkg update"?

You'd better ask @dibdot.

Generally speaking, it's better to manage and configure OpenVPN via SSH, and not through LuCI, as the OpenVPN LuCI app is ridiculously convoluted and extremely inefficient to utilize. I always recommend installing it, but only utilizing it for a status check from LuCI.

  • luci-app-openvpn has been in need of a rewrite for years, as it really should either just have the most common options as check boxes, with a code box for any additional options, or just a code box with a link to the OpenVPN man page.

You'll encrypt the client key. If using an Android device, the client key must always be encrypted, as Android has a non-customizable 771 permission structure for its internal storage due to exFAT.


Thanks a lot for all the answers. Unfortunately, I have now lost a bit of the overview and will come back later to the other questions.

There is still a very fundamental problem. Although it is possible to set up the VPN and I can ping the router of the destination network, it is not possible to ping a client in the destination network.

Before the connection is established, ipconfig on the Windows client shows IP 192.168.8.189/24, GW 192.168.8.1; after the connection is established it shows IP 192.168.200.2/24, but no further gateway is added.

My idea was that the password is stored on the server. This would mean that you can not build the VPN with the files on the client alone. Is that possible?

The not so good alternative I'm using so far is to encrypt the files on the client.

Okay, I see that luci-app-openvpn is not the way to set it up. Too bad, it looked very simple.

  1. Please make the following changes:
    • Server
      • proto tcp
      • verb 5
    • Client
      • proto tcp
      • verb 7

  2. Restart the OpenVPN server: service openvpn restart
  3. Disconnect, then connect, client
    • Disconnect must be utilized in lieu of the Reconnect button, as Reconnect will not load any changes made to the config since the initial connection.

  4. Attempt to ping device in the destination network, and once the ping fails, please post:
    • Server Log: logread -l 50 -e openvpn
    • Client Log: Right click on OpenVPN tray icon → View Log

    • Ensure you remove your WAN IP, DDNS, and port number

OpenVPN can be configured to accept a user name and password for login, however I'm not entirely sure of how to configure OpenVPN to do so, and even with a username/password login, the client key should still be encrypted.

The only private portion of the client files is the client key; however, the Basic wiki is using -nodes for the client key, which prevents the key from being encrypted. To encrypt a key that was created without encryption:

  • openssl rsa -aes256 -in my-client.key -out my-client.key
    • Once the new key is encrypted, open the key in a text editor (Notepad, Atom, etc.), copy the contents, then paste them into the client ovpn between <key> and </key>
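The same step with a check on the result, as an added example that is not part of the post above: `openssl rsa` only produces a passphrase-protected key when given a cipher such as -aes256, so it is worth confirming the output before pasting it into the .ovpn. OpenVPN accepts both encrypted forms OpenSSL can emit, the PKCS#8 "ENCRYPTED PRIVATE KEY" block and the traditional PEM block with a "Proc-Type: 4,ENCRYPTED" header, and the Windows GUI then prompts for the passphrase at connect time; with auth-nocache it is not kept in memory afterwards. The file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: encrypt an existing client key with
# AES-256 and verify the result before embedding it in the .ovpn.
# File names are assumptions.

# Returns 0 if FILE is a passphrase-protected private key in either form
# OpenVPN understands: PKCS#8 "ENCRYPTED PRIVATE KEY", or traditional PEM
# carrying a "Proc-Type: 4,ENCRYPTED" header.
key_is_encrypted() {
    [ -f "$1" ] || return 1
    grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----$' "$1" && return 0
    grep -q '^Proc-Type: 4,ENCRYPTED$' "$1" && return 0
    return 1
}

# Encrypts IN into OUT (defaults to IN, rewriting in place) and confirms the
# output is actually protected.  Refuses a key that is already encrypted so a
# second run cannot wrap it twice.  openssl prompts for the passphrase.
encrypt_key() {
    in="$1"; out="${2:-$1}"
    if key_is_encrypted "$in"; then
        echo "error: $in is already encrypted" >&2
        return 1
    fi
    # -aes256 is what makes the output encrypted; a plain
    # "openssl rsa -in X -out X" only rewrites the key in the clear.
    openssl rsa -aes256 -in "$in" -out "$out" || return 1
    if ! key_is_encrypted "$out"; then
        echo "error: $out is still unencrypted; refusing to use it" >&2
        return 1
    fi
}

# Stand-alone use:  sh encrypt_key.sh my-client.key
if [ "$#" -ge 1 ]; then encrypt_key "$@"; fi
```

After this, the contents of my-client.key go between <key> and </key> in the client profile as described above, and the unencrypted original should be deleted from the client machine.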

That looks like a routing/firewall problem.

Earlier in this topic, I posted the configuration. Can someone recognize a problem?

It requires additional client-side diagnostics at least.

@windows-client:

ipconfig /all & route print