TLS Errors and AEAD Decrypt errors
Posted: Fri Dec 18, 2020 11:14 pm
When I upgraded my computer with a new motherboard (Asus ROG Z490) and the new Intel I225 chip, I started to get strange errors from Viscosity; sometimes the VPN tunnel works and sometimes it does not. Sometimes I cannot start the tunnel at all. If I run Hypervisor with an Ubuntu going through the same Ethernet controller, it works like a charm.
The errors from the log are:
==================
dec 18 12:44:18 : AEAD Decrypt error: cipher final failed
dec 18 12:44:18 : TLS Error: Unroutable control packet received from [AF_INET]xx.xx.xx.xx:1194 (si=3 op=P_ACK_V1)
dec 18 12:44:21 : AEAD Decrypt error: cipher final failed
dec 18 12:44:21 : TLS Error: client->client or server->server connection attempted from [AF_INET]xx.xx.xx.xx:1194
dec 18 12:44:22 : AEAD Decrypt error: cipher final failed
dec 18 12:44:22 : TLS Error: local/remote TLS keys are out of sync: [AF_INET]xx.xx.xx.xx:1194 [3]
dec 18 12:53:49 : TLS Error: Unroutable control packet received from [AF_INET]xx.xx.xx.xx:1194 (si=3 op=P_CONTROL_SOFT_RESET_V1)
Client config:
=========
client
dev tun
proto udp
remote server 1194
remote server 1194
remote server 1194
cipher AES-256-CBC
auth SHA256
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 5
key-direction 1
tls-client
<ca>
-----BEGIN CERTIFICATE-----
-----END PRIVATE KEY-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
Server Config
==========
proto udp
port 1194
dev tun
topology subnet
server xx.xx.xx.xx 255.255.0.0
ifconfig-pool-persist ipp.txt
route xx.xx.xx.xx 255.255.0.0
route xx.xx.xx.xx 255.255.0.0
# Push routes for all clients
push "route xx.xx.xx.xx 255.255.255.0 xx.xx.xx.xx"
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/server.crt
key /etc/openvpn/pki/private/server.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0
crl-verify /etc/openvpn/pki/crl.pem
cipher AES-256-CBC
auth SHA256
verb 3
client-config-dir /etc/openvpn/server/clients
persist-key
persist-tun
keepalive 10 60
user openvpn
group openvpn
daemon
log-append /var/log/openvpn.log
syslog
explicit-exit-notify 1
management localhost 7504
script-security 2
Client Config on Server:
========================
push "route 172.18.0.0 255.255.0.0"
push "route xx.xx.xx.xx 255.255.255.255"
push "dhcp-option DNS 10.211.1.94"
push "dhcp-option DNS 10.211.1.244"
push "dhcp-option DOMAIN dns-domain-1"
push "dhcp-option DOMAIN dns-domain-2"
push "dhcp-option DOMAIN dns-domain-3"
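A common first triage step for decrypt and TLS errors like those in the log above is to rule out a settings mismatch between the two peers. The following is an added example, not part of the original post and not Viscosity or OpenVPN code: it compares the directives both ends must agree on, using excerpts of the two posted configs. The directive list and all function names are assumptions of this example.

```python
import re

MUST_MATCH = ("proto", "dev", "cipher", "auth")  # assumed list of settings to compare

def directives(text):
    """Parse config text into {directive: args}; inline <block> bodies are skipped."""
    out, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                                # inside <ca>, <key>, <tls-auth>, ...
            if line == f"</{inline}>":
                inline = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            inline = m.group(1)
            out.setdefault(inline, ["[inline]"])
            continue
        words = re.split(r"[#;]", line, maxsplit=1)[0].split()
        if words:
            out.setdefault(words[0], words[1:])   # keep the first occurrence
    return out

def key_direction(cfg):
    """Direction from 'key-direction N' or the second argument of 'tls-auth file N'."""
    if "key-direction" in cfg:
        return cfg["key-direction"][0]
    args = cfg.get("tls-auth", [])
    return args[1] if len(args) > 1 else None

def mismatches(client_text, server_text):
    c, s = directives(client_text), directives(server_text)
    found = [f"{d}: client={c.get(d)} server={s.get(d)}"
             for d in MUST_MATCH if c.get(d) != s.get(d)]
    pair = (key_direction(c), key_direction(s))
    if ("tls-auth" in c) != ("tls-auth" in s):
        found.append("tls-auth configured on one side only")
    elif "tls-auth" in c and pair not in {("0", "1"), ("1", "0"), (None, None)}:
        found.append(f"tls-auth directions client={pair[0]} server={pair[1]}")
    return found

# Excerpts of the two configs posted above (key material omitted).
CLIENT = "\n".join(["dev tun", "proto udp", "cipher AES-256-CBC", "auth SHA256",
                    "key-direction 1", "<tls-auth>", "# static key omitted", "</tls-auth>"])
SERVER = "\n".join(["proto udp", "dev tun", "tls-auth /etc/openvpn/keys/ta.key 0",
                    "cipher AES-256-CBC", "auth SHA256"])

if __name__ == "__main__":
    print(mismatches(CLIENT, SERVER) or "no mismatch in compared directives")
```

On the posted excerpts the check reports no mismatch in the compared directives.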