rajannpatel / Pi-Hole-PiVPN-on-Google-Compute-Engine-Free-Tier-with-Full-Tunnel-and-Split-Tunnel-OpenVPN-Configs

Run your own privacy-first ad blocking service in the cloud for free on Google Cloud Services.
MIT License

After a fresh re-install on a Google Cloud VM Instance I get a tls-crypt error #55

Closed begrey1 closed 5 years ago

begrey1 commented 5 years ago

After a fresh re-install on a Google Cloud VM Instance I get a tls-crypt error server side after I try to connect to it from my OpenVPN Client:

```
root@pi-hole:~# sudo systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2019-10-05 20:24:07 UTC; 27min ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 611 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─611 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid
```

```
Oct 05 20:50:41 pi-hole ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct 05 20:50:41 pi-hole ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]174.3.116.67:51576
Oct 05 20:50:43 pi-hole ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct 05 20:50:43 pi-hole ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]174.3.116.67:51576
Oct 05 20:50:47 pi-hole ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct 05 20:50:47 pi-hole ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]174.3.116.67:51576
Oct 05 20:50:55 pi-hole ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct 05 20:50:55 pi-hole ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]174.3.116.67:51576
Oct 05 20:51:11 pi-hole ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct 05 20:51:11 pi-hole ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]174.3.116.67:51576
```

```
Linux pi-hole 4.9.0-11-amd64 #1 SMP Debian 4.9.189-3+deb9u1 (2019-09-20) x86_64
```

pivpn -d is as follows:

```
::: Generating Debug Output
:::: PiVPN debug ::::
=============================================
:::: Latest commit ::::
commit d0c10db6ec391961b7201fb564055c1176ca73e3
Author: 4s3ti <cfcolaco@colacoweb.net>
Date:   Tue Sep 3 10:09:48 2019 +0200

    install.sh: apt-get with , uninstall.sh: added var PKG_MANAGER and replaced apt-get with

=============================================
:::: Installation settings ::::
/etc/pivpn/DET_PLATFORM -> Debian
/etc/pivpn/FORWARD_CHAIN_EDITED -> 0
/etc/pivpn/HELP_SHOWN ->
/etc/pivpn/INPUT_CHAIN_EDITED -> 0
/etc/pivpn/INSTALL_PORT -> 1194
/etc/pivpn/INSTALL_PROTO -> udp
/etc/pivpn/INSTALL_USER -> bgrey
/etc/pivpn/NO_UFW -> 1
/etc/pivpn/pivpnINTERFACE -> eth0
/etc/pivpn/TWO_POINT_FOUR ->
=============================================
:::: setupVars file shown below ::::
INSTALL_USER=bgrey
UNATTUPG=unattended-upgrades
pivpnInterface=eth0
IPv4dns=
IPv4addr=10.138.0.4
IPv4gw=10.138.0.1
pivpnProto=udp
PORT=1194
ENCRYPT=256
APPLY_TWO_POINT_FOUR=true
DOWNLOAD_DH_PARAM=false
PUBLICDNS=
OVPNDNS1=10.8.0.1
OVPNDNS2=
=============================================
:::: Server configuration shown below ::::
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/pi-hole_a912429c-0978-4b4f-8910-f3ac71673841.crt
key /etc/openvpn/easy-rsa/pki/private/pi-hole_a912429c-0978-4b4f-8910-f3ac71673841.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
#keepalive 1800 3600
keepalive 10 60
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
#cipher AES-256-CBC
cipher AES-128-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
# performance stuff
fast-io
compress lz4-v2
push "compress lz4-v2"
=============================================
:::: Client template file shown below ::::
client
dev tun
proto udp
remote REMOTE 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name pi-hole_a912429c-0978-4b4f-8910-f3ac71673841 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
=============================================
:::: Recursive list of files in ::::
::: /etc/openvpn/easy-rsa/pki shows below :::
/etc/openvpn/easy-rsa/pki/:
ca.crt  crl.pem  Default.txt  ecparams  extensions.temp  index.txt  index.txt.attr  index.txt.old  issued  openssl-easyrsa.cnf  private  renewed  revoked  safessl-easyrsa.cnf  serial  serial.old  ta.key

/etc/openvpn/easy-rsa/pki/ecparams:
prime256v1.pem

/etc/openvpn/easy-rsa/pki/issued:
pi-hole_a912429c-0978-4b4f-8910-f3ac71673841.crt

/etc/openvpn/easy-rsa/pki/private:
ca.key  pi-hole_a912429c-0978-4b4f-8910-f3ac71673841.key

/etc/openvpn/easy-rsa/pki/renewed:
private_by_serial  reqs_by_serial

/etc/openvpn/easy-rsa/pki/renewed/private_by_serial:

/etc/openvpn/easy-rsa/pki/renewed/reqs_by_serial:

/etc/openvpn/easy-rsa/pki/revoked:
private_by_serial  reqs_by_serial

/etc/openvpn/easy-rsa/pki/revoked/private_by_serial:

/etc/openvpn/easy-rsa/pki/revoked/reqs_by_serial:
=============================================
:::: Self check ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] OpenVPN is running
:: [OK] OpenVPN is enabled (it will automatically start on reboot)
:: [OK] OpenVPN is listening on port 1194/udp
=============================================
:::: Snippet of the server log ::::
Oct  5 20:24:07 localhost ovpn-server[611]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Oct  5 20:24:07 localhost ovpn-server[611]: Initialization Sequence Completed
Oct  5 20:44:55 localhost ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct  5 20:44:55 localhost ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:51236
Oct  5 20:44:58 localhost ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct  5 20:44:58 localhost ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:51236
Oct  5 20:45:03 localhost ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct  5 20:45:03 localhost ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:51236
Oct  5 20:45:11 localhost ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct  5 20:45:11 localhost ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:51236
Oct  5 20:50:41 localhost ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct  5 20:50:41 localhost ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:51576
Oct  5 20:50:43 localhost ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct  5 20:50:43 localhost ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:51576
Oct  5 20:50:47 localhost ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct  5 20:50:47 localhost ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:51576
Oct  5 20:50:55 localhost ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct  5 20:50:55 localhost ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:51576
Oct  5 20:51:11 localhost ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct  5 20:51:11 localhost ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:51576
=============================================
:::: Debug complete ::::
:::
::: Debug output completed above.
::: Copy saved to /tmp/debug.txt
:::
```
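Editor's note on the log lines in this report: `tls-crypt unwrap error: packet authentication failed` is raised when the server cannot verify the HMAC on an incoming control packet with its own tls-crypt key, so the key embedded in the client's profile is not the one the server now has in `/etc/openvpn/easy-rsa/pki/ta.key`. The most common way to get there is to keep using a client `.ovpn` that was generated before a reinstall, which regenerates `ta.key`. The script below is an added diagnostic, not part of this issue or of PiVPN: it pulls the `<tls-crypt>` block out of a client profile and compares its fingerprint with the server key, ignoring comment lines. The key material and both profiles it creates are constructed dummy values; on a real host you would point `tls_crypt_key_matches` at the client's `.ovpn` and the server's `ta.key` path from the config above.

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the issue or from PiVPN): does the tls-crypt key
# embedded in a client .ovpn match the server's ta.key?
set -eu

# Print the lines between <tls-crypt> and </tls-crypt>; if the profile has no
# inline block, treat the whole file as the key (e.g. a bare ta.key copy).
extract_tls_crypt_key() {
    local profile="$1"
    if grep -q '<tls-crypt>' "$profile"; then
        sed -n '/<tls-crypt>/,/<\/tls-crypt>/p' "$profile" | sed '1d;$d'
    else
        cat "$profile"
    fi
}

# sha256 of stdin, portable across coreutils and BSD userlands.
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi
}

# Fingerprint a key read from stdin, dropping '#' comments and blank lines so
# that two copies differing only in their header comments compare equal.
key_fingerprint() {
    grep -v '^#' | grep -v '^[[:space:]]*$' | sha256_stdin | cut -d' ' -f1
}

# Exit status 0 when the profile's key matches the server key, 1 otherwise.
tls_crypt_key_matches() {
    local profile="$1" server_key="$2"
    local a b
    a=$(extract_tls_crypt_key "$profile" | key_fingerprint)
    b=$(key_fingerprint < "$server_key")
    [ "$a" = "$b" ]
}

# Build a scratch directory with a CONSTRUCTED dummy server key, one profile
# that embeds it (generated after the reinstall) and one that embeds a stale
# key (generated before the reinstall). Prints the directory path.
make_fixtures() {
    local dir
    dir=$(mktemp -d)
    cat > "$dir/ta.key" <<'EOF'
#
# 2048 bit OpenVPN static key (CONSTRUCTED DUMMY VALUE, not a real key)
#
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
ffeeddccbbaa99887766554433221100
-----END OpenVPN Static key V1-----
EOF
    {
        printf 'client\ndev tun\nproto udp\nremote REMOTE 1194\n<tls-crypt>\n'
        cat "$dir/ta.key"
        printf '</tls-crypt>\n'
    } > "$dir/fresh.ovpn"
    {
        printf 'client\ndev tun\nproto udp\nremote REMOTE 1194\n<tls-crypt>\n'
        sed 's/00112233/deadbeef/' "$dir/ta.key"   # stale key differs in one line
        printf '</tls-crypt>\n'
    } > "$dir/stale.ovpn"
    printf '%s\n' "$dir"
}

# Demo over the constructed fixtures. On a live server the second argument
# would be /etc/openvpn/easy-rsa/pki/ta.key (the tls-crypt path in the config).
demo_dir=$(make_fixtures)
for p in fresh stale; do
    if tls_crypt_key_matches "$demo_dir/$p.ovpn" "$demo_dir/ta.key"; then
        echo "$p.ovpn: tls-crypt key matches the server ta.key"
    else
        echo "$p.ovpn: tls-crypt key MISMATCH; regenerate this client profile"
    fi
done
rm -rf "$demo_dir"
```

A mismatch reported here reproduces exactly the server-side symptom in the log above, and the fix is to regenerate the client profile from the current server (`pivpn add`) rather than to touch the server config. If every profile matches and the errors persist, the traffic is coming from a client that was never issued a profile, which is tls-crypt doing its job of dropping unauthenticated control packets.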

rajannpatel commented 5 years ago

There have been some updates to OpenVPN and TLS related errors are appearing across several applications that support OpenVPN under the hood. I encountered similar TLS related issues when my Untangle device updated itself.

This is a potentially relevant discussion happening in the PiVPN github area: https://github.com/pivpn/pivpn/issues/801

I think you may find better support for this particular issue there at the moment, because I am somewhat strapped for time. I will leave this open and mark it with "needs help", and hopefully somebody from the community is able to chime in with something a bit more helpful.

Some things I would want to clarify:

  1. when spinning up a fresh server, are you performing an apt-get update && apt-get upgrade -y before starting everything? this ensures all the packages are fully up to date before you begin.
  2. what version of openvpn are you running on the server, and what version of the openvpn client are you running on your mobile device?
  3. are you able to ensure your mobile device is using the latest version of the openvpn client?
  4. if this was an older installation, and you're generating new certificates now - is it possible for you to spin up a brand new instance and start the installation from the beginning?

begrey1 commented 5 years ago

Everything was updated before beginning.

begrey1 commented 5 years ago

Today I redid your guide on a new VM Instance and it worked out fine. I may have missed a step? I'll leave it at your discretion whether or not you wanna close the issue.

rajannpatel commented 5 years ago

Did you spin up your original server a while ago, and then create your client certificate more recently? That is one potential reason it may have not worked before, and is working now. If your OpenVPN server installation predates certain updates which the clients now expect, we could encounter TLS certificate issues. I'll close this issue for now, since you got it resolved. I'm glad it worked out :-)