liquidat / nagios-icinga-openvpn

Nagios/Icinga check for OpenVPN availability monitoring
MIT License
51 stars, 27 forks

tls-crypt unwrap error: packet too short #21

Closed Engineer-of-Stuff closed 4 years ago

Engineer-of-Stuff commented 5 years ago

I have tls-auth enabled on my ovpn server. I supply the required file (the TLS key from the server, which the script accepts and sends) but the command fails saying CRIT: Not responding.

Checking the ovpn logs, I see that it was having trouble reading the TLS key.

Tue Dec 18 21:23:01 2018 TCP connection established with [AF_INET]myip
Tue Dec 18 21:23:01 2018 myip TLS: Initial packet from [AF_INET]myip, sid=removed
Tue Dec 18 21:23:01 2018 myip tls-crypt unwrap error: packet too short
Tue Dec 18 21:23:01 2018 myip TLS Error: tls-crypt unwrapping failed from [AF_INET]myip
Tue Dec 18 21:23:01 2018 myip Fatal TLS error (check_tls_errors_co), restarting
Tue Dec 18 21:23:01 2018 myip SIGUSR1[soft,tls-error] received, client-instance restarting

Here is the command being run:

'/usr/lib/nagios/plugins/check_openvpn' '--tls-auth' '/usr/lib/nagios/plugins/ta.key' '-p' '1194' 'myip'
Engineer-of-Stuff commented 5 years ago

Can I get some help?

liquidat commented 5 years ago

Can you verify that the very same tls key file works with other clients?

Engineer-of-Stuff commented 5 years ago

Yes, I can connect with it.

liquidat commented 5 years ago

@andiwand Any idea?

andiwand commented 5 years ago

@Engineer-of-Stuff Can you post your OpenVPN server config and the version of the server binary, please?

daniel-rajcan commented 5 years ago

@andiwand @Engineer-of-Stuff ,

Hello guys, I am confirming that tls-crypt does not work at all.

I am getting the following error: Sat Feb 9 14:07:47 2019 tls-crypt unwrap error: packet authentication failed

Here is my server.conf:

mode server
tls-server
tls-crypt /etc/openvpn/certs/tlscrypt.key 0
proto udp
dev tun0
port 1194
topology subnet
group openvpn
user openvpn
auth SHA512
cipher AES-256-GCM
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
duplicate-cn
reneg-sec 0
persist-key
compress lz4-v2
fast-io
tun-mtu 1200
verb 3
max-clients 250
auth-retry interact
ping-restart 15
ping 5
inactive 1800
management 127.0.0.1 5555
status /var/log/openvpn/status.log
log-append /var/log/openvpn/access.log
tmp-dir /etc/openvpn/tmp
plugin /etc/openvpn/plugins/openvpn-plugin-auth-script.so /etc/openvpn/scripts/authenticate.sh

Version of openvpn server binary: openvpn-2.4.6-1.el7.x86_64

Can you help me please ?

Thank you very much.

andiwand commented 5 years ago

@Engineer-of-Stuff I see "Tue Dec 18 21:23:01 2018 TCP connection established with [AF_INET]myip", but for the check script you use UDP. @drajcan I just tested it for my setup and it works. Maybe "tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384" is the problem here.

# openvpn --version
OpenVPN 2.4.3 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Engineer-of-Stuff commented 5 years ago

How do I specify TCP in the monitor? Also, do you still want my server config?

andiwand commented 5 years ago

You find it in the usage: "-t, --tcp use tcp instead of udp".

connorpower commented 4 years ago

Note: tls-auth and tls-crypt are different. This tool doesn't yet have a command-line option for --tls-crypt (see separate issue https://github.com/liquidat/nagios-icinga-openvpn/issues/22).
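
To make the difference concrete, here is an added example (not code from nagios-icinga-openvpn or from anyone in this thread) of what a tls-auth-style availability probe puts on the wire: a P_CONTROL_HARD_RESET_CLIENT_V2 packet authenticated with the HMAC half of a static key, a server-side verifier for the same packet, and a probe that sends it over UDP or, with OpenVPN's 2-byte length prefix, over TCP. The 42-byte tls-auth reset is shorter than the 49-byte minimum a tls-crypt server needs (opcode, session id, packet id, 32-byte tag) before any ciphertext, which is consistent with the "packet too short" line in the first log above. The key material is constructed for the demo; the key-half offsets, HMAC coverage and packet layout follow the OpenVPN 2.4 static-key and control-channel format, and the `--auth` digest (SHA1 by default) is what selects the tls-auth HMAC. No live server is contacted by `demo()`.

```python
"""Build, verify and send an OpenVPN tls-auth P_CONTROL_HARD_RESET_CLIENT_V2 probe.

Added example for this thread; not the nagios-icinga-openvpn plugin's code.
Key bytes below are constructed for the demo.
"""
import hashlib
import hmac
import os
import socket
import struct
import time

P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8
OPCODE_SHIFT = 3
TLS_CRYPT_TAG_LEN = 32                                   # tls-crypt tag is HMAC-SHA256
TLS_CRYPT_MIN_LEN = 1 + 8 + 4 + 4 + TLS_CRYPT_TAG_LEN    # opcode, sid, pktid, time, tag = 49

# Constructed demo key: real ta.key files hold 256 random bytes in this same format.
DEMO_TA_KEY = "-----BEGIN OpenVPN Static key V1-----\n" + "\n".join(
    bytes(range(i, i + 16)).hex() for i in range(0, 256, 16)
) + "\n-----END OpenVPN Static key V1-----\n"


def parse_static_key(text: str) -> bytes:
    """Parse an 'OpenVPN Static key V1' file into its 256 raw bytes."""
    hexlines = [l.strip() for l in text.splitlines()
                if l.strip() and not l.strip().startswith(("-----", "#"))]
    key = bytes.fromhex("".join(hexlines))
    if len(key) != 256:
        raise ValueError("static key must be 256 bytes, got %d" % len(key))
    return key


def hmac_key(key: bytes, key_index: int, digest: str) -> bytes:
    """The static key is two 128-byte halves, each 64 cipher + 64 HMAC bytes.
    OpenVPN uses the first digest_size bytes of the HMAC slot as the HMAC key."""
    dlen = hashlib.new(digest).digest_size
    off = key_index * 128 + 64
    return key[off:off + dlen]


def out_key_index(direction):
    """Key direction (second tls-auth argument): 0 sends with half 0,
    1 sends with half 1, None (bidirectional) uses half 0 both ways."""
    return 1 if direction == 1 else 0


def in_key_index(direction):
    if direction is None:
        return 0
    return 0 if direction == 1 else 1


def build_hard_reset(key, direction, digest="sha1", session_id=None,
                     packet_id=1, timestamp=None):
    """Layout on the wire: opcode|sid|tag|pktid|time|ack_len|msg_pktid."""
    sid = session_id if session_id is not None else os.urandom(8)
    ts = int(time.time()) if timestamp is None else timestamp
    opcode = bytes([(P_CONTROL_HARD_RESET_CLIENT_V2 << OPCODE_SHIFT) | 0])  # key_id 0
    body = b"\x00" + struct.pack("!I", 0)          # empty ack array, message packet id 0
    pid = struct.pack("!II", packet_id, ts)         # long-form replay id: id + time
    k = hmac_key(key, out_key_index(direction), digest)
    # tls-auth HMACs pktid|time|opcode|sid|body; the tag is then moved after sid
    tag = hmac.new(k, pid + opcode + sid + body, digest).digest()
    return opcode + sid + tag + pid + body


def verify_control(pkt, key, recv_key_index, digest="sha1"):
    """Receiver-side check of any tls-auth control packet with the receive half."""
    dlen = hashlib.new(digest).digest_size
    if len(pkt) < 1 + 8 + dlen + 8:
        return False
    opcode, sid, tag = pkt[:1], pkt[1:9], pkt[9:9 + dlen]
    pid, body = pkt[9 + dlen:17 + dlen], pkt[17 + dlen:]
    k = hmac_key(key, recv_key_index, digest)
    expect = hmac.new(k, pid + opcode + sid + body, digest).digest()
    return hmac.compare_digest(tag, expect)


def probe(host, port, key, direction=1, digest="sha1", tcp=False, timeout=3.0):
    """Send one reset; True only if an authenticated HARD_RESET_SERVER_V2 comes back.
    OpenVPN's TCP transport prefixes every packet with a 2-byte big-endian length."""
    pkt = build_hard_reset(key, direction, digest)
    with socket.socket(socket.AF_INET,
                       socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.sendall(struct.pack("!H", len(pkt)) + pkt if tcp else pkt)
        try:
            data = s.recv(4096)
        except socket.timeout:
            return False
    if tcp:
        data = data[2:]
    return (len(data) > 9 and (data[0] >> OPCODE_SHIFT) == P_CONTROL_HARD_RESET_SERVER_V2
            and verify_control(data, key, in_key_index(direction), digest))


def demo():
    """Offline walk-through with the constructed key; server uses direction 0."""
    key = parse_static_key(DEMO_TA_KEY)
    pkt = build_hard_reset(key, direction=1, session_id=bytes(8), timestamp=0)
    return {
        "len": len(pkt),
        "tls_auth_server_accepts": verify_control(pkt, key, in_key_index(0)),
        "tls_crypt_too_short": len(pkt) < TLS_CRYPT_MIN_LEN,
        "wrong_direction_rejected": not verify_control(pkt, key, in_key_index(1)),
    }


if __name__ == "__main__":
    print(demo())
```

`probe(host, 1194, parse_static_key(open("ta.key").read()), tcp=True)` is the shape of check the thread is after for a TCP server with `tls-auth ta.key 0`; against a tls-crypt server every such packet is discarded before the HMAC is even looked at, so no reply ever comes back and the check reports it as not responding.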

andiwand commented 4 years ago

@connorpower I see, thank you for pointing this out!

liquidat commented 4 years ago

As discussed, we currently do not support tls-crypt. Closing the issue for now.