#1011372 openvpn 2.6 fails to communicate due to auth errors

Package:
openvpn
Source:
openvpn
Description:
virtual private network daemon
Submitter:
Antti Kultanen
Date:
2022-05-30 14:39:05 UTC
Severity:
important
#1011372#5
Date:
2022-05-21 07:49:14 UTC
From:
To:
Upgrading to openvpn 2.6 breaks communication in a tunnel I'm using.
Downgrading back to openvpn 2.5 fixes the problem.

Openvpn brings up the tunnel interface but cannot receive data. Syslog
reports auth algo inconsistency when initializing and auth errors when
receiving traffic.

I do not host the openvpn server so no logs from the server side.

Looks like a problem with the authentication algorithm. The auth
parameter in my client config is set to "SHA256" yet the syslog
reports it as "SHA2-256".

Syslog when starting openvpn:
May 21 10:44:07 hanuri ovpn-tunnel[40673]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
May 21 10:44:07 hanuri ovpn-tunnel[40673]: Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
May 21 10:44:07 hanuri ovpn-tunnel[40673]: OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on May 20 2022
May 21 10:44:07 hanuri ovpn-tunnel[40673]: library versions: OpenSSL 3.0.3 3 May 2022, LZO 2.10
May 21 10:44:07 hanuri ovpn-tunnel[40674]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 21 10:44:07 hanuri ovpn-tunnel[40674]: TUN/TAP device tun0 opened
May 21 10:44:07 hanuri ovpn-tunnel[40674]: /opt/script/tunnel_postconfig.sh tun0 1500 0   init
May 21 10:44:07 hanuri ovpn-tunnel[40674]: TCP/UDP: Preserving recently used remote address: [AF_INET]nn.nn.nn.nn:1194
May 21 10:44:07 hanuri ovpn-tunnel[40674]: Note: enable extended error passing on TCP/UDP socket failed (IPV6_RECVERR): Protocol not available (errno=92)
May 21 10:44:07 hanuri ovpn-tunnel[40674]: UDPv4 link local: (not bound)
May 21 10:44:07 hanuri ovpn-tunnel[40674]: UDPv4 link remote: [AF_INET]nn.nn.nn.nn:1194
May 21 10:44:07 hanuri ovpn-tunnel[40674]: WARNING: 'auth' is used inconsistently, local='auth SHA2-256', remote='auth SHA256'
May 21 10:44:07 hanuri ovpn-tunnel[40674]: [openvpn] Peer Connection Initiated with [AF_INET]nn.nn.nn.nn:1194
May 21 10:44:08 hanuri ovpn-tunnel[40674]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 21 10:44:08 hanuri ovpn-tunnel[40674]: Initialization Sequence Completed
May 21 10:44:27 hanuri ovpn-tunnel[40674]: Authenticate/Decrypt packet error: packet HMAC authentication failed
May 21 10:44:33 hanuri last message repeated 5 times

tunnel.conf:
-8<-
tls-client
dev tun
proto udp4
remote nn.nn.nn.nn 1194
cipher AES-256-CBC
auth SHA256
resolv-retry 60
nobind
persist-key
persist-tun
ca keys/tunnel-ca.crt
cert keys/tunnel.crt
key keys/tunnel.key
remote-cert-tls server
tls-auth keys/tunnel-ta.key 1
comp-lzo
verb 1
route-nopull
tun-ipv6
script-security 2
up /opt/script/tunnel_postconfig.sh
-8<-

#1011372#10
Date:
2022-05-22 19:24:24 UTC
From:
To:
Hi Antti,

 > Upgrading to openvpn 2.6 breaks communication in a tunnel I'm using.
 > Downgrading back to openvpn 2.5 fixes the problem.
 >
 > Openvpn brings up the tunnel interface but cannot receive data. Syslog
 > reports auth algo inconsistency when initializing and auth errors when
 > receiving traffic.

could you please check the changelog at
https://github.com/OpenVPN/openvpn/blob/dco/Changes.rst whether some of
the options described there make any sense to you?

I'm especially thinking of

Compatibility mode (--compat-mode)
    The modernisation of defaults can impact the compatibility of
    OpenVPN 2.6.0 with older peers. The option --compat-mode allows UIs to
    provide users with an easy way to still connect to older servers.

Could you set

verb 2

I'm hoping to find some clue in the data pushed by the remote side.

Best Regards,
Bernhard

#1011372#15
Date:
2022-05-23 07:24:49 UTC
From:
To:
Hi Bernhard,
"--cipher argument is no longer appended to --data-ciphers"

Adding "data-ciphers AES-256-CBC" to my client config makes it work on
openvpn 2.6.

Thank you for your help! Turns out it was a user error after all. :(
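The root cause Antti found (OpenVPN 2.6 no longer appends the --cipher value to --data-ciphers, so a client that only sets "cipher AES-256-CBC" stops offering that cipher) can be caught by a config check before upgrading. The script below is an added example, not code from this bug report or from the OpenVPN project. It assumes the 2.6 default data-ciphers list is AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305 and treats SHA256 and SHA2-256 as two spellings of the same digest, which is what the "'auth' is used inconsistently" warning in the syslog above reflects (2.6 built against OpenSSL 3 reports the OpenSSL 3 canonical name); the sample config embedded in it is constructed from the one posted in the report.

```python
"""
Pre-upgrade check for the OpenVPN 2.6 data-ciphers change.

In 2.6 the --cipher argument is no longer appended to --data-ciphers, so a
client that relied on "cipher AES-256-CBC" alone no longer offers that cipher
and may fail against an older server.  This script flags that situation and
proposes the explicit data-ciphers line that restores the old behaviour.
"""

# Constructed sample: the tunnel.conf from the report, minus key/cert paths.
SAMPLE_CONFIG = """\
tls-client
dev tun
proto udp4
remote nn.nn.nn.nn 1194
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 1
"""

# Assumed 2.6 default when no data-ciphers option is present.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]

# Assumed alias table: OpenSSL 3 canonical digest names vs the older spellings.
DIGEST_ALIASES = {
    "SHA224": "SHA2-224",
    "SHA256": "SHA2-256",
    "SHA384": "SHA2-384",
    "SHA512": "SHA2-512",
}


def parse_config(text):
    """Map each option name to its argument list; a later line overrides an earlier one."""
    opts = {}
    for raw in text.splitlines():
        # OpenVPN config comments start with '#' or ';'.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def data_ciphers(opts):
    """Effective data-ciphers list under 2.6 semantics (cipher is NOT appended)."""
    for key in ("data-ciphers", "ncp-ciphers"):  # ncp-ciphers is the older name
        if opts.get(key):
            return opts[key][0].split(":")
    return list(DEFAULT_DATA_CIPHERS)


def check_cipher_migration(text):
    """Return findings as (severity, message, suggested config line) tuples."""
    opts = parse_config(text)
    findings = []
    cipher = (opts.get("cipher") or [None])[0]
    effective = data_ciphers(opts)
    if cipher and cipher.upper() not in (c.upper() for c in effective):
        findings.append((
            "error",
            f"'cipher {cipher}' is set but absent from data-ciphers "
            f"{':'.join(effective)}; OpenVPN 2.6 will not add it automatically",
            f"data-ciphers {':'.join(effective + [cipher])}",
        ))
    return findings


def fixed_config(text):
    """Return the config with every suggested line appended (idempotent)."""
    extra = [f[2] for f in check_cipher_migration(text)]
    if not extra:
        return text
    return text.rstrip("\n") + "\n" + "\n".join(extra) + "\n"


def canonical_digest(name):
    """Normalise a digest name so 'SHA256' and 'SHA2-256' compare equal."""
    upper = name.upper()
    return DIGEST_ALIASES.get(upper, upper)


def digests_match(local, remote):
    """True when the two names denote the same digest (name difference only)."""
    return canonical_digest(local) == canonical_digest(remote)


if __name__ == "__main__":
    for severity, message, suggestion in check_cipher_migration(SAMPLE_CONFIG):
        print(f"[{severity}] {message}\n    suggested: {suggestion}")
    # The warning from the syslog above is a naming difference, not a mismatch.
    print("auth SHA2-256 vs auth SHA256 equivalent:", digests_match("SHA2-256", "SHA256"))
```

Run against the posted config it reports the missing cipher and proposes "data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC", which keeps the modern defaults first and still lets the client fall back to the server's CBC cipher; Antti's shorter "data-ciphers AES-256-CBC" also satisfies the check.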

#1011372#20
Date:
2022-05-30 14:36:28 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1011372@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated openvpn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 30 May 2022 15:44:41 +0200
Source: openvpn
Architecture: source
Version: 2.6.0~git20220518+dco-2
Distribution: unstable
Urgency: medium
Maintainer: Bernhard Schmidt <berni@debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Closes: 1011372
Changes:
 openvpn (2.6.0~git20220518+dco-2) unstable; urgency=medium
 .
   * Add d/NEWS entry about the release notes and DCO (Closes: #1011372)
Checksums-Sha1:
 0b335bdd49bdc15aebb5824adeb434b0897f40c7 2289 openvpn_2.6.0~git20220518+dco-2.dsc
 4fc06128c3b0193dd841fa80d9441400fddd5cfd 59356 openvpn_2.6.0~git20220518+dco-2.debian.tar.xz
 a28c4c3f1ad41934824307fdcc7920b9be384996 7862 openvpn_2.6.0~git20220518+dco-2_amd64.buildinfo
Checksums-Sha256:
 5ac84304c1ca44301c676fe00389dbeccd79d2cb22241b9c2eb3545a48b26d2f 2289 openvpn_2.6.0~git20220518+dco-2.dsc
 b27c3813f448738a62d9a14702d572feb8caf50ba3f21dd2508d9654711a6873 59356 openvpn_2.6.0~git20220518+dco-2.debian.tar.xz
 62bdb437479997b3ea700126687f9d3473e0ce328a319b8e407aea363ae64c9e 7862 openvpn_2.6.0~git20220518+dco-2_amd64.buildinfo
Files:
 9c5952aab835e4e6e5f79d7feef8efbf 2289 net optional openvpn_2.6.0~git20220518+dco-2.dsc
 8a4e3be2ed2d29a43c15cd1fa70af2d2 59356 net optional openvpn_2.6.0~git20220518+dco-2.debian.tar.xz
 e7565c18fa58847acf3652b5c67e69ae 7862 net optional openvpn_2.6.0~git20220518+dco-2_amd64.buildinfo