TLS Error: reading acknowledgement record from packet

Greetings,
I am trying to set up an OpenVPN server (on an IPFire mini appliance) with an iPhone client. Everything is updated to the latest level. The iPhone is on the mobile network, not Wifi. I used the instructions on the wiki, plus the script to create an ovpn file for iOS with all certificates and keys.

In /var/syslog/messages I see

Sep  6 16:53:38 ipfire openvpnserver[14150]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Sep  6 16:53:38 ipfire openvpnserver[14150]: TCP connection established with [AF_INET]146.0.216.52:49409
Sep  6 16:53:38 ipfire openvpnserver[14150]: 146.0.216.52:49409 TLS: Initial packet from [AF_INET]146.0.216.52:49409, sid=867e549e 4b0561ac
Sep  6 16:53:38 ipfire openvpnserver[14150]: 146.0.216.52:49409 TLS Error: reading acknowledgement record from packet
Sep  6 16:53:38 ipfire openvpnserver[14150]: 146.0.216.52:49409 Fatal TLS error (check_tls_errors_co), restarting
Sep  6 16:53:38 ipfire openvpnserver[14150]: 146.0.216.52:49409 SIGUSR1[soft,tls-error] received, client-instance restarting

and on the iOS OpenVPN client

EVENT: RECONNECTING
EVENT: RESOLVE
Contacting x.y.z.t:8081/TCP via TCPv4
EVENT: WAIT
Connecting to [servername]:8081 (x.y.z.t) via TCPv4
TCP RECV EOF
Transport Error: Transport error on 'servername: NETWORK_EOF_ERROR
EVENT: Transport Error: Transport error on 'servername: NETWORK_EOF_ERROR
Client terminated, restarting in 5000ms---
EVENT: CONNECTION_TIMEOUT [ERR]

Any clues?

Hi,
this error appears if one side has the tls-auth option active and the other side lacks it. Maybe you can check the configuration files on server and client to see whether the directives are active or inactive; in both cases the directive needs to be set equally.

Best,

Erik

The client conf says

#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto tcp
tun-mtu 1400
remote v.domain.eu 8081
#pkcs12 puiphone.p12
cipher AES-256-CBC
auth SHA512
verb 3
remote-cert-tls server
verify-x509-name v.domain.eu name
key-direction bidirectional
[...]

and the server (from /var/ipfire/ovpn/server.conf):

#OpenVPN Server conf

daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare OpenVPN for listening on blue and orange
;local v.domain.eu
dev tun
proto tcp
port 8081
script-security 3
ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600
client-config-dir /var/ipfire/ovpn/ccd
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem
server 10.2.95.0 255.255.255.0
tun-mtu 1400
keepalive 10 60
status-version 1
status /var/run/ovpnserver.log 30
ncp-disable
cipher AES-256-CBC
auth SHA512
max-clients 100
tls-verify /usr/lib/openvpn/verify
crl-verify /var/ipfire/ovpn/crls/cacrl.pem
user nobody
group nobody
persist-key
persist-tun
verb 3
# Log clients connecting/disconnecting
client-connect "/usr/sbin/openvpn-metrics client-connect"
client-disconnect "/usr/sbin/openvpn-metrics client-disconnect"

Does this look contradictory?

Yes, the '--key-direction' directive in client.ovpn is an alternative way of specifying the direction parameter for --tls-auth (see https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage), whereas the server.conf lacks this directive as far as I can see.

Erik, you are perfectly right, adding

tls-auth /var/ipfire/ovpn/certs/ta.key
in
server.conf

does the trick. Now I know what sections of the documentation to go through :wink:

Since I did this manually, do I risk having IPFire overwrite this directive at any time? Is it possible to add this option in the WUI somehow so that it won't?

Yes, this is possible: you can activate this option in the global section, which is named "TLS Channel Protection" (see https://wiki.ipfire.org/configuration/services/openvpn/config/glob_set).

Best,

Erik


Yes excellent, that works like a charm.
Thank you so much!