Hello, I have a rather sporadic problem on an OpenVPN setup between different embedded devices, and would like to ask if anybody of you has an idea on what I could do wrong. I was debugging and searching around for quite some time on this now, and ran out of explanations.
I connected several devices to an OpenVPN server, using the following options (excerpt of client config file without certificates and keys), OpenVPN version is 2.6.14:

##########################
# config:
tls-version-min 1.2
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
tls-cipher ECDHE+AESGCM:ECDHE+AESCCM:DHE+AESGCM:DHE+AESCCM:!AESCCM8
tls-groups X25519:brainpoolP256r1:secp256r1:X448:brainpoolP384r1:secp384r1:brainpoolP512r1:secp521r1
data-ciphers CHACHA20-POLY1305:AES-256-GCM
data-ciphers-fallback AES-256-GCM
auth sha512
verb 3
explicit-exit-notify 1
# reneg-sec is set on both server and client to 3600s:
reneg-sec 3600
ping 30
ping-restart 60
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
remote-cert-tls server
key-direction 1
client
lport 2196
remote XXX.XX.XXX.XX
remote-cert-tls server
##########################

The connection between these devices mostly works fine for a few hours (typ. 24h - 300h, or less, happens sporadically), including re-keying. After the error shows up once, the connection gets interrupted by TLS crypt errors and re-established every hour during the key exchange phase, depending on the setting of "reneg-sec" parameter. For example, if I set the "reneg-sec" parameter to 24h, it seems to happen fewer times than before, but then again every ~24 hours, once the error occurred. After a few OpenVPN reconnect attempts, the connection continues for another 1 hour without problems.

I've debugged the network traffic on both client and server during key renegotiation phase, no packet loss, packet source and dest IPs seem ok. In case this error happens, I need to completely tear down and restart the OpenVPN client, and after that it works fine for a few hours again.

OpenVPN logs on client side look like the following every hour after the error occurred once:

##########################
...
2025-11-27 09:28:36.453 [openvpn1][NOTICE] Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
2025-11-27 09:29:06.156 [openvpn1][ERR] AEAD Decrypt error: cipher final failed
2025-11-27 09:29:11.727 [openvpn1][ERR] AEAD Decrypt error: cipher final failed
<<< KEY EXCHANGE (soft reset, initiated by server)
2025-11-27 10:25:00.271 [openvpn1][ERR] tls-crypt unwrap error: packet authentication failed
2025-11-27 10:25:00.272 [openvpn1][ERR] TLS Error: tls-crypt unwrapping failed from [AF_INET]XXX.XX.XXX.XX:2196
2025-11-27 10:25:02.494 [openvpn1][ERR] tls-crypt unwrap error: packet authentication failed
2025-11-27 10:25:02.494 [openvpn1][ERR] TLS Error: tls-crypt unwrapping failed from [AF_INET]XXX.XX.XXX.XX:2196
2025-11-27 10:25:06.281 [openvpn1][ERR] tls-crypt unwrap error: packet authentication failed
2025-11-27 10:25:06.282 [openvpn1][ERR] TLS Error: tls-crypt unwrapping failed from [AF_INET]XXX.XX.XXX.XX:2196
2025-11-27 10:25:14.391 [openvpn1][ERR] tls-crypt unwrap error: packet authentication failed
2025-11-27 10:25:14.391 [openvpn1][ERR] TLS Error: tls-crypt unwrapping failed from [AF_INET]XXX.XX.XXX.XX:2196
2025-11-27 10:25:29.563 [openvpn1][ERR] tls-crypt unwrap error: packet authentication failed
2025-11-27 10:25:29.563 [openvpn1][ERR] TLS Error: tls-crypt unwrapping failed from [AF_INET]XXX.XX.XXX.XX:2196
2025-11-27 10:26:00.533 [openvpn1][NOTICE] TLS: Initial packet from [AF_INET]XXX.XX.XXX.XX:2196, sid=eb6abf41 43fb8ec7
2025-11-27 10:26:01.378 [openvpn1][NOTICE] SIGTERM received, sending exit notification to peer
2025-11-27 10:26:01.378 [openvpn1][NOTICE] SENT CONTROL [serverAussen]: 'EXIT' (status=1)
2025-11-27 10:26:01.769 [openvpn1][NOTICE] VERIFY OK: -----
2025-11-27 10:26:01.776 [openvpn1][NOTICE] VERIFY KU OK
2025-11-27 10:26:01.777 [openvpn1][NOTICE] Validating certificate extended key usage
2025-11-27 10:26:01.777 [openvpn1][NOTICE] ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2025-11-27 10:26:01.778 [openvpn1][NOTICE] VERIFY EKU OK
2025-11-27 10:26:01.778 [openvpn1][NOTICE] VERIFY OK: XXX
2025-11-27 10:26:12.462 [openvpn1][NOTICE] OpenVPN 2.6.14 armv7a-hardfloat-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD]
2025-11-27 10:26:12.462 [openvpn1][NOTICE] library versions: OpenSSL 3.5.0 8 Apr 2025, LZO 2.10
2025-11-27 10:26:12.478 [openvpn1][NOTICE] TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XX.XXX.XX:2196
2025-11-27 10:26:12.479 [openvpn1][NOTICE] Socket Buffers: R=[196608->196608] S=[196608->196608]
2025-11-27 10:26:12.480 [openvpn1][NOTICE] UDPv4 link local (bound): [AF_INET][undef]:2196
2025-11-27 10:26:12.480 [openvpn1][NOTICE] UDPv4 link remote: [AF_INET]XXX.XX.XXX.XX:2196
2025-11-27 10:26:12.483 [openvpn1][ERR] TLS Error: Unroutable control packet received from [AF_INET]XXX.XX.XXX.XX:2196 (si=3 op=P_ACK_V1)
2025-11-27 10:26:14.446 [openvpn1][ERR] TLS Error: Unroutable control packet received from [AF_INET]XXX.XX.XXX.XX:2196 (si=3 op=P_ACK_V1)
2025-11-27 10:26:16.333 [openvpn1][ERR] TLS Error: Unroutable control packet received from [AF_INET]XXX.XX.XXX.XX:2196 (si=3 op=P_CONTROL_V1)
2025-11-27 10:26:18.456 [openvpn1][ERR] TLS Error: Unroutable control packet received from [AF_INET]XXX.XX.XXX.XX:2196 (si=3 op=P_ACK_V1)
2025-11-27 10:26:26.072 [openvpn1][ERR] TLS Error: Unroutable control packet received from [AF_INET]XXX.XX.XXX.XX:2196 (si=3 op=P_ACK_V1)
2025-11-27 10:26:32.536 [openvpn1][ERR] TLS Error: Unroutable control packet received from [AF_INET]XXX.XX.XXX.XX:2196 (si=3 op=P_CONTROL_V1)
2025-11-27 10:26:42.751 [openvpn1][ERR] TLS Error: Unroutable control packet received from [AF_INET]XXX.XX.XXX.XX:2196 (si=3 op=P_ACK_V1)
2025-11-27 10:27:12.769 [openvpn1][NOTICE] [UNDEF] Inactivity timeout (--ping-restart), restarting
2025-11-27 10:27:12.769 [openvpn1][NOTICE] SIGUSR1[soft,ping-restart] received, process restarting
2025-11-27 10:27:12.770 [openvpn1][NOTICE] Restart pause, 1 second(s)
2025-11-27 10:27:13.310 [openvpn1][NOTICE] TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XX.XXX.XX:2196
2025-11-27 10:27:13.311 [openvpn1][NOTICE] Socket Buffers: R=[196608->196608] S=[196608->196608]
2025-11-27 10:27:13.312 [openvpn1][NOTICE] UDPv4 link local (bound): [AF_INET][undef]:2196
2025-11-27 10:27:13.312 [openvpn1][NOTICE] UDPv4 link remote: [AF_INET]XXX.XX.XXX.XX:2196
2025-11-27 10:27:13.316 [openvpn1][NOTICE] SIGTERM received, sending exit notification to peer
2025-11-27 10:27:24.024 [openvpn1][NOTICE] OpenVPN 2.6.14 armv7a-hardfloat-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD]
2025-11-27 10:27:24.024 [openvpn1][NOTICE] library versions: OpenSSL 3.5.0 8 Apr 2025, LZO 2.10
2025-11-27 10:27:24.040 [openvpn1][NOTICE] TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XX.XXX.XX:2196
2025-11-27 10:27:24.041 [openvpn1][NOTICE] Socket Buffers: R=[196608->196608] S=[196608->196608]
2025-11-27 10:27:24.042 [openvpn1][NOTICE] UDPv4 link local (bound): [AF_INET][undef]:2196
2025-11-27 10:27:24.042 [openvpn1][NOTICE] UDPv4 link remote: [AF_INET]XXX.XX.XXX.XX:2196
2025-11-27 10:27:24.045 [openvpn1][ERR] TLS Error: Unroutable control packet received from [AF_INET]XXX.XX.XXX.XX:2196 (si=3 op=P_ACK_V1)
...
##########################

Could anybody please give me a hint what potential root causes of these TLS errors could be, especially "AEAD Decrypt error" and "tls-crypt unwrap error", together with "unroutable control packet received"? Could this be a routing issue, e.g. control packets are routed to wrong clients, and therefore the packet authentication fails?

I'm sorry that I cannot give information on how to reproduce the error, all I currently know is to wait until it shows up sometimes.

Thank you very much in advance!

Stefan
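To check a client log against the observation in the post that failures recur at reneg-sec intervals, the following added example (not part of the original message and not OpenVPN code) groups the three quoted error classes into bursts and tests whether the spacing between bursts falls near a multiple of reneg-sec. The function names, the 120 s burst gap, the 300 s tolerance and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Layout used in the post: "<date> <time.ms> [instance][LEVEL] message"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \[[^\]]+\]\[(\w+)\] (.*)$")
# Error strings quoted in the post; the labels are names chosen for this example.
CLASSES = {"aead_decrypt": "AEAD Decrypt error",
           "tls_crypt_unwrap": "tls-crypt unwrap error",
           "unroutable_ctrl": "Unroutable control packet"}

def parse(lines):
    """Return sorted (timestamp, label) pairs for ERR lines of a known class."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group(2) == "ERR":
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            events += [(ts, lab) for lab, s in CLASSES.items() if s in m.group(3)]
    return sorted(events)

def bursts(events, gap=120):
    """Group events; a new burst starts after more than `gap` quiet seconds."""
    out = []
    for ts, label in events:
        if not out or (ts - out[-1]["end"]).total_seconds() > gap:
            out.append({"start": ts, "end": ts, "counts": {}})
        out[-1]["end"] = ts
        out[-1]["counts"][label] = out[-1]["counts"].get(label, 0) + 1
    return out

def reneg_aligned(burst_list, reneg_sec=3600, tolerance=300):
    """Per consecutive burst pair: (spacing in s, near a multiple of reneg_sec?)."""
    result = []
    for a, b in zip(burst_list, burst_list[1:]):
        delta = (b["start"] - a["start"]).total_seconds()
        k = round(delta / reneg_sec)
        result.append((delta, k >= 1 and abs(delta - k * reneg_sec) <= tolerance))
    return result

# Constructed sample in the post's log format (192.0.2.10 is a documentation address).
SAMPLE = """\
2025-01-01 08:25:00.100 [openvpn1][ERR] tls-crypt unwrap error: packet authentication failed
2025-01-01 08:26:12.400 [openvpn1][ERR] TLS Error: Unroutable control packet received from [AF_INET]192.0.2.10:2196 (si=3 op=P_ACK_V1)
2025-01-01 08:40:00.000 [openvpn1][NOTICE] Initialization Sequence Completed
2025-01-01 09:25:01.000 [openvpn1][ERR] tls-crypt unwrap error: packet authentication failed
2025-01-01 09:47:30.000 [openvpn1][ERR] AEAD Decrypt error: cipher final failed
""".splitlines()
if __name__ == "__main__":
    print(reneg_aligned(bursts(parse(SAMPLE))))
```

Running the same functions over the server log for the same period shows whether both ends see the bursts at the same times.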
