OpenVPN: packet HMAC authentication failed

aragats


After upgrading my box from 11.0-STABLE to 11.1-RELEASE my OpenVPN client fails with:
Code:
....
Aug 17 13:35:31 eldorado openvpn[60724]: Initialization Sequence Completed
Aug 17 13:35:42 eldorado openvpn[60724]: Authenticate/Decrypt packet error: packet HMAC authentication failed
I don't have much experience with OpenVPN and may have missed something, but it worked for several months before. The configuration file is below:
Code:
client
dev tun
proto udp

remote <my server IP address> 1194
resolv-retry infinite

user <my user name>
group nogroup

persist-tun

ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/sm-pcsf.crt
key /usr/local/etc/openvpn/keys/private/sm-pcsf.key

remote-cert-tls server
tls-auth /usr/local/etc/openvpn/keys/private/ta.key 1
cipher AES-256-CBC

comp-lzo no
verb 3
Thanks for any advice or directions!
 

ShelLuser


Are you using security/heimdal (edit: or security/krb I guess) and/or security/openssl? And if not: did you rebuild any ports?

If you upgraded your base system you also changed plenty of libraries, and some ports (specifically those which use encryption) are often built against those libraries. So if you change the libraries you should definitely rebuild those ports so that they use the new libraries.

This is one of the reasons why I rely on the port versions of OpenSSL and Kerberos (/GSSAPI).
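
The check implied by the post above, as an added example that is not part of the original thread: it classifies the crypto libraries in ldd(1) output as coming from the base system, from ports, or as unresolved, so you can see whether a port binary is tied to libraries that a base upgrade replaced. The binary path, library versions and load addresses in the samples are constructed assumptions.

```shell
#!/bin/sh
# Classify the crypto libraries named in ldd(1) output read from stdin:
#   base    - /lib or /usr/lib (replaced by a base-system upgrade)
#   ports   - /usr/local/lib (installed by a port or package)
#   missing - the runtime linker could not resolve the library
classify_crypto_libs() {
    awk '
        $1 ~ /^lib(ssl|crypto|krb5|gssapi)[._]/ && $2 == "=>" {
            if ($3 == "not")                      origin = "missing"
            else if ($3 ~ /^\/usr\/local\/lib\//) origin = "ports"
            else if ($3 ~ /^(\/usr)?\/lib\//)     origin = "base"
            else                                  origin = "other"
            print $1, origin
        }'
}

# Exit 0 when the binary depends on base-system crypto libraries (or on ones
# that no longer resolve), i.e. it should be rebuilt after a base upgrade.
affected_by_base_upgrade() {
    classify_crypto_libs | grep -Eq ' (base|missing)$'
}

# Constructed sample: a port binary linked against base OpenSSL.
sample_base='/usr/local/sbin/openvpn:
    liblzo2.so.2 => /usr/local/lib/liblzo2.so.2 (0x8008a1000)
    libssl.so.8 => /usr/lib/libssl.so.8 (0x800abd000)
    libcrypto.so.8 => /lib/libcrypto.so.8 (0x800d30000)
    libc.so.7 => /lib/libc.so.7 (0x8011a4000)'

# Constructed sample: the same binary linked against the ports OpenSSL.
sample_ports='/usr/local/sbin/openvpn:
    liblzo2.so.2 => /usr/local/lib/liblzo2.so.2 (0x8008a1000)
    libssl.so.9 => /usr/local/lib/libssl.so.9 (0x800abd000)
    libcrypto.so.9 => /usr/local/lib/libcrypto.so.9 (0x800d30000)
    libc.so.7 => /lib/libc.so.7 (0x8011a4000)'

# With a path argument, inspect that binary; otherwise show the samples.
if [ -n "${1:-}" ]; then
    ldd "$1" | classify_crypto_libs
else
    printf '%s\n' "$sample_base" | classify_crypto_libs
    printf '%s\n' "$sample_ports" | classify_crypto_libs
fi
```

Run it with the path of the installed binary as its only argument; any line reported as `base` or `missing` marks a dependency that changed with the base system.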
 

ShelLuser


Initially I installed OpenVPN with pkg(8), and after upgrading the system it was telling me that all packages are up to date. That wasn't true, of course.
Then I have no idea. If you recently upgraded to a newer version then I suppose it is possible that you're using options which somehow got changed or updated over time. I'd start looking into that first.

I've just rebuilt both security/openssl and security/openvpn, but it didn't help...
Be careful with mixing binary packages and ports together, that could easily result in a huge mess.
 