OpenVPN Roadwarrior server issue

Since upgrading IPFire to 2.29 and Core 200, our OpenVPN has decided to enter a loop any time someone attempts to connect with it:

[ Thu Mar 5 08:29:37 2026 SENT CONTROL [hostname]: ‘PUSH_REQUEST’ (status=1) ]

Eventually it will time out, but we are not sure what can be done to fix this as of yet. If anyone has any ideas on what we can do, it would be greatly appreciated. More details available upon request.

Which version of the OpenVPN client?
Which operating system?

Which version of IPFire has been updated to CU200?

OpenVPN client is 11.61.0.0/2.7.0
OS is Windows 11 Pro Fully up to date
IPFire V2.29 with CU 200

Which version was before the update?

We are also noticing this error (IPs are not accurate):

11:52:57 openvpnserver[3230]: Authenticate/Decrypt packet error: packet HMAC authentication failed
11:52:57 openvpnserver[3230]: TLS Error: incoming packet authentication failed from [AF_INET]111.222.333.444:65426 (via [AF_INET]999.888.777.666%green0)

IPFire v2.29 with CU 199

Are you sure that incoming connections come from your client?

Yes, this is the only client setup currently.

I just tested my OpenVPN connection to CU200 from OpenVPN for Android which has openvpn-2.7 in the client.

The connection is using the default HMAC setting for the TLS Channel Protection.

It connected without any issues at all.

This was also something I tested several times during the CU200 Testing phase and at all times my mobile and my laptop were able to connect.

I can’t duplicate your specific setup as I have no Windows systems at all, only Linux and Android (which is based on Linux).


I ran a test. I replaced tls-auth in the configuration file. Below is the server log.

14:11:35 openvpnserver[18662]: TLS Error: incoming packet authentication failed from [AF_INET]111.222.333.444:55217 (via [AF_INET]555.666.777.888%red0)
14:11:35 openvpnserver[18662]: Authenticate/Decrypt packet error: packet HMAC authentication failed

Why is your client trying to connect via green0?


I suggest creating a new client configuration after deleting the current one.


Mistake on my part: I hadn’t switched back to the external network before doing that test, but even when I am using the external I am getting the same error in the server log.

10:58:59 openvpnserver[3230]: Authenticate/Decrypt packet error: packet HMAC authentication failed
10:58:59 openvpnserver[3230]: TLS Error: incoming packet authentication failed from [AF_INET]51.52.19.44:56618 (via [AF_INET]92.207.232.102%red0)

Which version of HMAC hash do you have on your IPFire server - SHA2 (512 bit)?

It would be worth testing out creating a new connection (different connection name) and install that onto your client and see if it then connects.

Then re-install the original connection onto your client.


So from my end I get
openvpnserver[3230]
and from Iptom they get
openvpnserver[18662]
Is the number the destination port or a log code?


You can compare the TLS-Authentication-Key for the client and server.

Open the client configuration. Go to the <tls-auth> </tls-auth> section.

Go to WUI-->Services-->OpenVPN-->Certificate Authorities and Keys-->TLS-Authentication-Key.
Click on the icon with the letter i

The client must have the same string as the server.
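
The comparison described above can be done without copying key material around by hand. This added example (not part of the thread and not IPFire code) fingerprints the `<tls-auth>` block of a client profile and the server's static key, and also compares the `auth` digest used for the HMAC; the sample key and profiles are constructed, and passing the server's digest as a parameter is an assumption.

```python
import hashlib
import re

KEY_RE = re.compile(r"-----BEGIN OpenVPN Static key V1-----(.*?)"
                    r"-----END OpenVPN Static key V1-----", re.S)
INLINE_RE = re.compile(r"<tls-auth>(.*?)</tls-auth>", re.S)

def key_fingerprint(text):
    """SHA-256 of the key's hex body, ignoring line breaks and case."""
    m = KEY_RE.search(text or "")
    body = "".join(m.group(1).split()).lower() if m else ""
    if not re.fullmatch(r"[0-9a-f]+", body):
        return None  # missing or damaged key block
    return hashlib.sha256(body.encode()).hexdigest()

def directive(conf, name):
    """Argument of the first uncommented `name` directive, or None."""
    m = re.search(rf"^[ \t]*{re.escape(name)}[ \t]+(\S+)", conf, re.M)
    return m.group(1) if m else None

def compare(client_ovpn, server_key, server_auth):
    """List mismatches that can make the server reject the packet HMAC."""
    problems = []
    inline = INLINE_RE.search(client_ovpn)
    client_fp = key_fingerprint(inline.group(1) if inline else "")
    server_fp = key_fingerprint(server_key)
    if client_fp is None or server_fp is None:
        problems.append("static key block missing or unreadable")
    elif client_fp != server_fp:
        problems.append("tls-auth key differs (client %s, server %s)"
                        % (client_fp[:12], server_fp[:12]))
    # OpenVPN falls back to SHA1 when the profile has no auth line.
    client_auth = (directive(client_ovpn, "auth") or "SHA1").upper()
    if client_auth != server_auth.upper():
        problems.append("auth digest differs (client %s, server %s)"
                        % (client_auth, server_auth.upper()))
    return problems

# Constructed sample data (shortened; a real key has 16 hex lines).
SERVER_KEY = """-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
ffeeddccbbaa99887766554433221100
-----END OpenVPN Static key V1-----"""
CLIENT_OK = ("auth SHA512\r\nauth-nocache\r\n<tls-auth>\r\n"
             + SERVER_KEY.replace("\n", "\r\n") + "\r\n</tls-auth>\r\n")
CLIENT_BAD = "<tls-auth>\n" + SERVER_KEY.replace("ff", "fe", 1) + "\n</tls-auth>\n"

if __name__ == "__main__":
    print(compare(CLIENT_BAD, SERVER_KEY, "SHA512"))
```

Only the first 12 hex characters of each fingerprint are reported, so the output can be shared in a support thread without exposing the key itself.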

Neither. It is the pid for the daemon process that is running.

I would suggest just creating a new connection with a different name so that both can exist and they can each be individually installed and tested as well as comparing the tls contents for the two sets of clients compared to the server as you have suggested.


With the new client, the TLS Auth key is the same as the server, yet it is still returning:
2026-03-05 14:33:54 TCP/UDP: Preserving recently used remote address: [AF_INET]92.207.232.102:1194
2026-03-05 14:33:54 UDP link local: (not bound)
2026-03-05 14:33:54 UDP link remote: [AF_INET]92.207.232.102:1194
2026-03-05 14:34:54 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2026-03-05 14:34:54 TLS Error: TLS handshake failed
2026-03-05 14:34:54 SIGUSR1[soft,tls-error] received, process restarting

That is a different TLS error. That is not related to the HMAC hash but to just connecting between the two systems.

In your server setup have you specified an FQDN with a Dynamic DNS or did you specify a specific IP?

Has the IP on your internet connection changed?

The FQDN is a particular IP and the Dynamic client subnet is a set range which we have specified. I should also re-note we had no issues until the update to IPFire.

The question I have is what is different between your setup and my 5 connections as all of them work for me with CU200 and if the issue is related to the CU then there has to be some additional differences that are causing your system to not work.

However with your new connection configuration the error message

means that your client was unable to make any connection to your IPFire server. It timed out.

Here is the info from the OpenVPN site on what can cause that message

https://community.openvpn.net/FAQ/253-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity

As long as the OpenVPN server is enabled and running on your IPFire system, then the first three suggestions will not apply as the required firewall rules are automatically created by the IPFire code when the OpenVPN server is enabled and running.

This needs to be solved before looking further at your original TLS HMAC authentication failure.