Tls-crypt-v2 in OpenVPN 2.6.14 not working?

moffet · November 9, 2025, 7:56am

I'm strugling to setup tls-crypt-v2 mechanism in OpenVPN.

Every time a client tries to connect I get the following errors in logs:

Sun Nov  9 08:28:17 2025 daemon.notice openvpn(Dom_server)[16082]: Connection Attempt Control Channel: using tls-crypt-v2 key
Sun Nov  9 08:28:17 2025 daemon.err openvpn(Dom_server)[16082]: Connection Attempt tls_crypt_v2_unwrap_client_key: client key authentication error
Sun Nov  9 08:28:17 2025 daemon.err openvpn(Dom_server)[16082]: Connection Attempt Can not unwrap tls-crypt-v2 client key
Sun Nov  9 08:28:17 2025 daemon.err openvpn(Dom_server)[16082]: Connection Attempt TLS Error: can not extract tls-crypt-v2 client key from [AF_INET]192.168.203.108:42131
Sun Nov  9 08:28:17 2025 daemon.err openvpn(Dom_server)[16082]: Connection Attempt TLS Error: could not determine wrapping from [AF_INET]192.168.203.108:42131

I'm using the latest avilable OpenVPN server which is 2.6.14-r2 and I have tested 2 clients: Windows OpenVPN 2.6.15 and the latest OpenVPN for Android by Arne Schwabe.
The same server configuration under OpenVPN 2.6.15 in Windows works fine.
I'm sure I've properly generated both tls-crypt-v2 keys and not mixed them up.
Can somone confirm this is broken right now?

brada4 · November 9, 2025, 8:10am

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
opkg list-installed | grep -e openvpn -e dco

moffet · November 9, 2025, 8:19am

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.106",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Netgear R6220",
        "board_name": "netgear,r6220",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10-SNAPSHOT",
                "revision": "r28881-406b980d97",
                "target": "ramips/mt7621",
                "description": "OpenWrt 24.10-SNAPSHOT r28881-406b980d97",
                "builddate": "1758833715"
        }
}

root@OpenWrt:~# opkg list-installed | grep -e openvpn -e dco
kmod-ovpn-dco-v2 - 6.6.106.0.2.20240320-r1
luci-app-openvpn - 25.311.74441~90493e0
luci-i18n-openvpn-pl - 25.311.74441~90493e0
openvpn-easy-rsa - 3.1.3-r1
openvpn-openssl - 2.6.14-r2

brada4 · November 9, 2025, 9:21am

Is your key generation correct?

github.com/OpenVPN/openvpn

2.6.4: ERROR: failed to read OpenVPN tls-crypt-v2 server key file (keys/myserver.tls-crypt-v2.key) ERROR: invalid tls-crypt-v2 server key format

opened 05:32PM - 16 Jul 23 UTC

mmokrejs

Hi, I am trying to setup tls-crypt-v2 but the server complain about the key b…eing wrong, somehow. I used easy-rsa3 and easy-tls to generate one but they look same even under `od -c`, where `=` and `\n` chars are in same positions. Also the header lines are exactly same. I haven't found which cipher is used to generate them. Could it be the cipher got removed in recen openssl libs? It should be specified in the description line of the key, IMO. I tried both approaches: ``` openvpn --genkey tls-crypt-v2-server myserver.tls-crypt-v2.key easytls build-tls-crypt-v2-server myserver.domainname ``` ``` Jul 16 18:51:46 myserver openvpn[20021]: OpenVPN 2.6.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] Jul 16 18:51:46 myserver openvpn[20021]: library versions: OpenSSL 1.1.1q 5 Jul 2022, LZO 2.10 Jul 16 18:51:46 myserver openvpn[20024]: WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail Jul 16 18:51:46 myserver openvpn[20024]: WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail Jul 16 18:51:46 myserver openvpn[20024]: Diffie-Hellman initialized with 4096 bit key Jul 16 18:51:46 myserver openvpn[20024]: tls-crypt-v2 server key: Cipher 'AES-256-CTR' initialized with 256 bit key Jul 16 18:51:46 myserver openvpn[20024]: tls-crypt-v2 server key: Using 256 bit message hash 'SHA256' for HMAC authentication Jul 16 18:51:46 myserver openvpn[20024]: TLS-Auth MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ] ... Jul 16 18:54:40 myserver openvpn[20024]: Control Channel: using tls-crypt-v2 key Jul 16 18:54:40 myserver openvpn[20024]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Jul 16 18:54:40 myserver openvpn[20024]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Jul 16 18:54:40 myserver openvpn[20024]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Jul 16 18:54:40 myserver openvpn[20024]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Jul 16 18:54:40 myserver openvpn[20024]: Connection Attempt Control Channel: using tls-crypt-v2 key Jul 16 18:54:40 myserver openvpn[20024]: Connection Attempt Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Jul 16 18:54:40 myserver openvpn[20024]: Connection Attempt Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Jul 16 18:54:40 myserver openvpn[20024]: Connection Attempt Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Jul 16 18:54:40 myserver openvpn[20024]: Connection Attempt Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Jul 16 18:54:40 myserver openvpn[20024]: Connection Attempt MULTI: multi_create_instance called Jul 16 18:54:40 myserver openvpn[20024]: xx.xx.xx.xx:58184 Re-using SSL/TLS context Jul 16 18:54:40 myserver openvpn[20024]: xx.xx.xx.xx:58184 ERROR: failed to read OpenVPN tls-crypt-v2 server key file (keys/myserver.domainname-tls-crypt-v2.key) Jul 16 18:54:40 myserver openvpn[20024]: xx.xx.xx.xx:58184 ERROR: invalid tls-crypt-v2 server key format Jul 16 18:54:40 myserver openvpn[20024]: xx.xx.xx.xx:58184 Exiting due to fatal error ``` Client receives only: ``` ... read UDPv4 [ECONNREFUSED]: Connection refused (fd=4,code=111) ``` Initially I thought that `openvpn` does not follow symlinks to the keys but even when full path is specified, the error is same. At least the error should appear immediately upon startup and not only after a client connects.

moffet · November 9, 2025, 10:34am

I'm using openvpn to generate the keys.

openvpn --genkey tls-crypt-v2-server certs/v2crypt-server.key

openvpn --tls-crypt-v2 certs/v2crypt-server.key --genkey tls-crypt-v2-client certs/v2crypt-phone.key
openvpn --tls-crypt-v2 certs/v2crypt-server.key --genkey tls-crypt-v2-client certs/v2crypt-laptop.key

And as I stated, they work when I use the same server configuration in Windows OpenVPN working as a server.

brada4 · November 9, 2025, 1:27pm

Server logs built in features, like dco , tc and so on. Not sure which pertains which key exchange but worth rebuilding adding options found in other vpn server platform.

moffet · November 9, 2025, 1:28pm

I just reinstalled the whole OpenWRT without keeping the settings.
Now it works. Weird.
Previously I was using images from eko.one.pl and now I used the official image.

brada4 · November 9, 2025, 1:43pm

Totally not OpenWrt problem in this case.

system · November 19, 2025, 1:44pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.