kylemanna / docker-openvpn

🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA
https://hub.docker.com/r/kylemanna/openvpn/
MIT License

Authenticate/Decrypt packet error: packet HMAC authentication failed #714

Closed jonathan-gatard closed 2 years ago

jonathan-gatard commented 2 years ago

Hello,

I created a docker-compose for OpenVPN on my Raspberry Pi:

openvpn:
  image: nubacuk/docker-openvpn:aarch64   # aarch64 image used instead of kylemanna/openvpn
  container_name: openvpn
  restart: unless-stopped
  ports:
    - "1194:1194/udp"        # OpenVPN is published on UDP only
  cap_add:
    - NET_ADMIN              # required to create the tun device and set routes
  volumes:
    - openvpn:/etc/openvpn   # named volume holding the PKI and server config
  sysctls:
    net.ipv6.conf.all.disable_ipv6: 0
    net.ipv6.conf.default.forwarding: 1
    net.ipv6.conf.all.forwarding: 1

I didn't get any errors during the process. I generated my .ovpn config perfectly!

client
nobind
dev tun
remote-cert-tls server
key-direction 1
redirect-gateway def1
cipher AES-256-GCM
#data-ciphers AES-256-GCM
remote HIDDEN 1194 udp
<key>
-----BEGIN PRIVATE KEY-----
HIDDEN
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
HIDDEN
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
HIDDEN
-----END CERTIFICATE-----
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
HIDDEN
-----END OpenVPN Static key V1-----
</tls-auth>

I'm connected successfully with my Android + OpenVPN:

2022-09-27 20:40:31 xxx.xxx.xxx.xxx:55434 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-09-27 20:40:31 xxx.xxx.xxx.xxx:55434 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-09-27 20:40:31 xxx.xxx.xxx.xxx:55434 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:55434, sid=b3845b77 f513fd32
2022-09-27 20:40:32 xxx.xxx.xxx.xxx:55434 VERIFY OK: depth=1, CN=Neptune
2022-09-27 20:40:32 xxx.xxx.xxx.xxx:55434 VERIFY OK: depth=0, CN=jonathan
2022-09-27 20:40:32 xxx.xxx.xxx.xxx:55434 peer info: IV_VER=3.git::d3f8b18b:Release
2022-09-27 20:40:32 xxx.xxx.xxx.xxx:55434 peer info: IV_PLAT=android
2022-09-27 20:40:32 xxx.xxx.xxx.xxx:55434 peer info: IV_NCP=2
2022-09-27 20:40:32 xxx.xxx.xxx.xxx:55434 peer info: IV_TCPNL=1
2022-09-27 20:40:32 xxx.xxx.xxx.xxx:55434 peer info: IV_PROTO=30
2022-09-27 20:40:32 xxx.xxx.xxx.xxx:55434 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
2022-09-27 20:40:32 xxx.xxx.xxx.xxx:55434 peer info: IV_AUTO_SESS=1
2022-09-27 20:40:32 xxx.xxx.xxx.xxx:55434 peer info: IV_GUI_VER=net.openvpn.connect.android_3.3.0-8367
2022-09-27 20:40:32 xxx.xxx.xxx.xxx:55434 peer info: IV_SSO=webauth,openurl
2022-09-27 20:40:32 xxx.xxx.xxx.xxx:55434 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1521'
2022-09-27 20:40:32 xxx.xxx.xxx.xxx:55434 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
2022-09-27 20:40:32 xxx.xxx.xxx.xxx:55434 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-09-27 20:40:32 xxx.xxx.xxx.xxx:55434 [jonathan] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:55434
2022-09-27 20:40:32 jonathan/xxx.xxx.xxx.xxx:55434 MULTI_sva: pool returned IPv4=192.168.255.6, IPv6=(Not enabled)
2022-09-27 20:40:32 jonathan/xxx.xxx.xxx.xxx:55434 MULTI: Learn: 192.168.255.6 -> jonathan/xxx.xxx.xxx.xxx:55434
2022-09-27 20:40:32 jonathan/xxx.xxx.xxx.xxx:55434 MULTI: primary virtual IP for jonathan/xxx.xxx.xxx.xxx:55434: 192.168.255.6
2022-09-27 20:40:32 jonathan/xxx.xxx.xxx.xxx:55434 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-09-27 20:40:32 jonathan/xxx.xxx.xxx.xxx:55434 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-09-27 20:40:32 jonathan/xxx.xxx.xxx.xxx:55434 SENT CONTROL [jonathan]: 'PUSH_REPLY,block-outside-dns,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,dhcp-option DNS 8.8.8.8,comp-lzo no,route 192.168.255.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.255.6 192.168.255.5,peer-id 0,cipher AES-256-GCM' (status=1)
2022-09-27 20:40:32 jonathan/xxx.xxx.xxx.xxx:55434 PUSH: Received control message: 'PUSH_REQUEST'
2022-09-27 20:42:02 jonathan/xxx.xxx.xxx.xxx:55434 SIGTERM[soft,remote-exit] received, client-instance exiting

I'm 100% sure it works on Android because when I go to "172.18.0.1" I get my nginx webpage.

[screenshot]

But when I try on my computer, I have:

2022-09-27 20:38:01 Authenticate/Decrypt packet error: packet HMAC authentication failed
2022-09-27 20:38:01 TLS Error: incoming packet authentication failed from [AF_INET]xxx.xxx.xxx.xxx:55542

More information:

  1. xxx.xxx.xxx.xxx is the same IP on Android and on the computer -> I'm on the same network

  2. nmap:

[root@neptune:/srv]# nmap -p1194 localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-27 22:54 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00018s latency).
Other addresses for localhost (not scanned): ::1

PORT     STATE  SERVICE
1194/tcp closed openvpn

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

  3. ss:
[root@neptune:/srv]# ss -tolnp
State                  Recv-Q                 Send-Q                                 Local Address:Port                                   Peer Address:Port                 Process
LISTEN                 0                      511                                          0.0.0.0:80                                          0.0.0.0:*                     users:(("nginx",pid=9687,fd=7),("nginx",pid=9686,fd=7),("nginx",pid=9685,fd=7),("nginx",pid=9684,fd=7),("nginx",pid=9634,fd=7))
LISTEN                 0                      511                                          0.0.0.0:8080                                        0.0.0.0:*                     users:(("node",pid=7194,fd=22))
LISTEN                 0                      128                                          0.0.0.0:22                                          0.0.0.0:*                     users:(("sshd",pid=515,fd=3))
LISTEN                 0                      511                                          0.0.0.0:1880                                        0.0.0.0:*                     users:(("node-red",pid=1471,fd=19))
LISTEN                 0                      128                                          0.0.0.0:8123                                        0.0.0.0:*                     users:(("python3",pid=10654,fd=11))
LISTEN                 0                      100                                        127.0.0.1:1883                                        0.0.0.0:*                     users:(("mosquitto",pid=1086,fd=4))
LISTEN                 0                      50                                           0.0.0.0:445                                         0.0.0.0:*                     users:(("smbd",pid=1347,fd=42))
LISTEN                 0                      128                                          0.0.0.0:6052                                        0.0.0.0:*                     users:(("esphome",pid=9628,fd=3))
LISTEN                 0                      50                                           0.0.0.0:139                                         0.0.0.0:*                     users:(("smbd",pid=1347,fd=43))
LISTEN                 0                      4096                                               *:8086                                              *:*                     users:(("influxd",pid=9144,fd=248))
LISTEN                 0                      128                                             [::]:22                                             [::]:*                     users:(("sshd",pid=515,fd=4))
LISTEN                 0                      4096                                               *:3000                                              *:*                     users:(("grafana-server",pid=1263019,fd=10))
LISTEN                 0                      128                                             [::]:8123                                           [::]:*                     users:(("python3",pid=10654,fd=12))
LISTEN                 0                      100                                            [::1]:1883                                           [::]:*                     users:(("mosquitto",pid=1086,fd=5))
LISTEN                 0                      50                                              [::]:445                                            [::]:*                     users:(("smbd",pid=1347,fd=40))
LISTEN                 0                      4096                                               *:8000                                              *:*                     users:(("portainer",pid=9146,fd=7))
LISTEN                 0                      4096                                               *:9443                                              *:*                     users:(("portainer",pid=9146,fd=9))
LISTEN                 0                      4096                                               *:9000                                              *:*                     users:(("portainer",pid=9146,fd=10))
LISTEN                 0                      50                                              [::]:139                                            [::]:*                     users:(("smbd",pid=1347,fd=41))

Don't hesitate if you need something

Thank you in advance

jonathan-gatard commented 2 years ago

Resolved

What I shared with you wasn't up to date. I just had to put "key-direction" at the top and not at the bottom... Strange bug...

https://github.com/kylemanna/docker-openvpn/issues/268
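As an added example (not code from this issue or from docker-openvpn), the following Python linter checks a client profile for the tls-auth pitfalls this thread turns on: it parses the .ovpn directives and inline `<x>...</x>` blocks and flags a `key-direction` that is missing, duplicated, not 0/1, set to the server's direction, or placed after the `<tls-auth>` block (the ordering the resolution comment describes). The two sample profiles, the hostname `vpn.example.invalid` and the key material are constructed placeholders.

```python
"""Lint an OpenVPN client profile (.ovpn) for inline tls-auth / key-direction problems.

Added example, not part of kylemanna/docker-openvpn. The profiles at the bottom
are constructed for the demo with placeholder key material.
"""
import re

BLOCK_OPEN = re.compile(r"^<([a-z][a-z-]*)>$")
STATIC_KEY_BEGIN = "-----BEGIN OpenVPN Static key V1-----"
STATIC_KEY_END = "-----END OpenVPN Static key V1-----"


def parse_ovpn(text):
    """Return (directives, blocks).

    directives: list of (line_no, name, [args]) in file order
    blocks:     {name: (line_no of the opening tag, [body lines])} for inline <x>...</x>
    """
    directives, blocks = [], {}
    current, body, start = None, [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if current is not None:            # inside an inline block
            if line == f"</{current}>":
                blocks[current] = (start, body)
                current, body = None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        m = BLOCK_OPEN.match(line)
        if m:
            current, start = m.group(1), no
            continue
        name, *args = line.split()
        directives.append((no, name, args))
    if current is not None:
        raise ValueError(f"unterminated <{current}> block opened at line {start}")
    return directives, blocks


def lint_tls_auth(directives, blocks):
    """Return a list of human-readable findings about <tls-auth> and key-direction."""
    findings = []
    if "tls-auth" not in blocks:
        return findings                    # no inline static key: nothing to check
    ta_line, ta_body = blocks["tls-auth"]

    # The body must be a static key, not e.g. a PEM certificate pasted by mistake.
    key_lines = [l for l in ta_body if l and not l.startswith("#")]
    if not key_lines or key_lines[0] != STATIC_KEY_BEGIN or key_lines[-1] != STATIC_KEY_END:
        findings.append(f"line {ta_line}: <tls-auth> body is not an 'OpenVPN Static key V1' block")

    kd = [(no, args) for no, name, args in directives if name == "key-direction"]
    if not kd:
        # Without a direction the static key is used bidirectionally, which does
        # not match a server running with direction 0: every packet fails HMAC.
        findings.append(f"line {ta_line}: inline <tls-auth> has no key-direction (server 0 / client 1 expected)")
        return findings
    if len(kd) > 1:
        findings.append(f"line {kd[1][0]}: key-direction given more than once")
    no, args = kd[0]
    if args not in (["0"], ["1"]):
        findings.append(f"line {no}: key-direction must be 0 or 1, got {' '.join(args) or '(nothing)'}")
    elif args == ["0"]:
        findings.append(f"line {no}: key-direction 0 is the server's direction in the usual server 0 / client 1 split")
    if no > ta_line:
        # The ordering this thread was about: a key-direction placed after the
        # inline block was reported not to take effect on the affected client.
        findings.append(f"line {no}: key-direction comes after <tls-auth> (line {ta_line}); move it above the block")
    return findings


def lint_profile(text):
    return lint_tls_auth(*parse_ovpn(text))


# Constructed sample profiles (placeholder key material, no real secrets).
_STATIC_KEY = "\n".join([
    "<tls-auth>", "#", "# 2048 bit OpenVPN static key", "#",
    STATIC_KEY_BEGIN, "00" * 16, STATIC_KEY_END, "</tls-auth>",
])
_COMMON = "\n".join([
    "client", "nobind", "dev tun", "remote-cert-tls server",
    "cipher AES-256-GCM", "remote vpn.example.invalid 1194 udp",
    "<ca>", "-----BEGIN CERTIFICATE-----", "PLACEHOLDER", "-----END CERTIFICATE-----", "</ca>",
])
PROFILE_FIXED = "\n".join([_COMMON, "key-direction 1", _STATIC_KEY])   # key-direction above the block
PROFILE_BROKEN = "\n".join([_COMMON, _STATIC_KEY, "key-direction 1"])  # key-direction below the block

if __name__ == "__main__":
    for label, text in (("fixed", PROFILE_FIXED), ("broken", PROFILE_BROKEN)):
        print(label, lint_profile(text) or "ok")
```

Run it against the generated .ovpn before loading it into a client; the fixed profile produces no findings, the broken one reports the misplaced `key-direction`. One further check worth making when diagnosing a failure like this: `nmap -p1194` probes TCP by default, and the container only publishes 1194/udp, so a "closed" TCP result says nothing about the UDP listener (`nmap -sU -p1194` or `ss -ulnp` shows it).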