I am attempting to deploy an OpenVPN instance with hardened security by enabling tls-auth. I have merged the TLS authentication key into a single `.ovpn` client file, following the official documentation (OpenVPN TLS Crypt documentation).
However, the connection fails. The server logs report the following error:
```
TLS Error: cannot locate HMAC in incoming packet from [AF_INET]xxx.xxx.xx.xx:xxxx
```
The connection works perfectly when the tls-auth directive is removed. I have ensured that key-direction 1 is set in the client configuration.
Environment:
Server: OpenVPN 2.6.14 (x86_64-pc-linux-gnu)
Client: OpenVPN 2.5.11 (x86_64-pc-linux-gnu)
Server Configuration:
```
port 1194
proto udp
dev tun
ca ca.crt
cert server_infovpn.crt
key server_infovpn.key
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-config-dir /etc/openvpn/ccd
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
log-append /var/log/openvpn/openvpn.log
auth SHA256
cipher AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
proto udp4
```
Client Configuration:
```
client
dev tun
proto udp
remote xxx.xxx.xx.xx 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
verb 3
-----BEGIN CERTIFICATE-----
---
-----END CERTIFICATE-----
---
-----BEGIN PRIVATE KEY-----
---
-----END PRIVATE KEY-----
# Easy-RSA TLS-CRYPT Key
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
---
-----END OpenVPN Static key V1-----
key-direction 1
```
Question:
Has anyone encountered this specific HMAC error when combining tls-auth with a unified configuration file? I suspect the key-direction directive might be misconfigured or missing on the server side, but I am not sure. Any insights on why the HMAC validation is failing despite the key-direction 1 setting would be greatly appreciated.
Thank you in advance.
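
A consistency check for the settings this post is about, added here as an example and not part of the original post: it reads a server and a client config and reports when the peers disagree on the control-channel key directive (`tls-auth`, `tls-crypt`, `tls-crypt-v2`) or, for `tls-auth`, when their key directions are not opposite. The function names and the sample configs are constructed for illustration.

```python
import re

WRAP = ("tls-auth", "tls-crypt", "tls-crypt-v2")  # control-channel key directives

def wrap_settings(text):
    """Return (directive, key_direction) found in one OpenVPN config."""
    directive = direction = block = None
    for line in (l.strip() for l in text.splitlines()):
        if block:                          # skip inline key/cert material
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if tag:
            block = tag.group(1)
            if block in WRAP:
                directive = block
            continue
        parts = line.split()
        if parts[0] in WRAP:
            directive = parts[0]
            if parts[0] == "tls-auth" and len(parts) > 2:
                direction = parts[2]       # "tls-auth ta.key 0" form
        elif parts[0] == "key-direction" and len(parts) > 1:
            direction = parts[1]
    return directive, direction

def compare(server, client):
    """List mismatches between the two peers' control-channel key settings."""
    (s_dir, s_kd), (c_dir, c_kd) = wrap_settings(server), wrap_settings(client)
    if s_dir != c_dir:
        return [f"wrapping mismatch: server={s_dir} client={c_dir}"]
    if s_dir == "tls-auth" and (s_kd, c_kd) != (None, None) and {s_kd, c_kd} != {"0", "1"}:
        return [f"key-direction not complementary: server={s_kd} client={c_kd}"]
    return []

# Constructed sample configs (not the poster's files)
SERVER_AUTH = "port 1194\nproto udp\ntls-auth ta.key 0\n"
SERVER_NONE = "port 1194\nproto udp\n"
CLIENT_AUTH = ("client\nproto udp\n<tls-auth>\n-----BEGIN OpenVPN Static key V1-----\n"
               "(key)\n-----END OpenVPN Static key V1-----\n</tls-auth>\nkey-direction 1\n")
CLIENT_CRYPT = CLIENT_AUTH.replace("tls-auth", "tls-crypt")

if __name__ == "__main__":
    for name, srv, cli in [("auth/auth", SERVER_AUTH, CLIENT_AUTH),
                           ("none/auth", SERVER_NONE, CLIENT_AUTH),
                           ("auth/crypt", SERVER_AUTH, CLIENT_CRYPT)]:
        print(name, compare(srv, cli) or "consistent")
```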