openvpn tls-crypt not working

Bug #1749562 reported by Tuxist on 2018-02-14
This bug affects 4 people
Affects: network-manager (Ubuntu)
Importance: Low
Assigned to: Unassigned

Bug Description

Hi,

If I try to connect to my OpenVPN 2.4 server, I get this error on the server side:

Feb 14 18:42:22 fenrir openvpn[58665]: tls-crypt unwrap error: packet too short
Feb 14 18:42:22 fenrir openvpn[58665]: TLS Error: tls-crypt unwrapping failed from [AF_INET6]::ffff:91.33.41.15:51754 (via ::ffff:192.168.2.2%igb0)

My server conf:
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
multihome
engine cryptodev
tls-server
server 10.4.0.0 255.255.0.0
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user ZmVucmly false server1 1194" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'domain.local' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
tls-crypt /var/etc/openvpn/server1.tls-crypt
ncp-ciphers AES-256-CBC
persist-remote-ip
float
topology subnet

My client config:

dev tun
persist-tun
persist-key
cipher AES-256-CBC
ncp-ciphers AES-256-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote tuxist.ddns.net 1194 udp
verify-x509-name "domain.local" name
auth-user-pass
remote-cert-tls server

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: network-manager 1.8.4-1ubuntu4
ProcVersionSignature: Ubuntu 4.13.0-32.35-generic 4.13.13
Uname: Linux 4.13.0-32-generic x86_64
NonfreeKernelModules: nvidia_uvm nvidia
ApportVersion: 2.20.8-0ubuntu8
Architecture: amd64
CurrentDesktop: KDE
Date: Wed Feb 14 18:46:29 2018
IfupdownConfig:
 # interfaces(5) file used by ifup(8) and ifdown(8)
 auto lo
 iface lo inet loopback
InstallationDate: Installed on 2016-08-13 (550 days ago)
InstallationMedia: Kubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
IpRoute:
 default via 10.3.0.1 dev wlp3s0 proto static metric 600
 10.3.0.0/16 dev wlp3s0 proto kernel scope link src 10.3.141.174 metric 600
 169.254.0.0/16 dev wlp3s0 scope link metric 1000
NetworkManager.state:
 [main]
 NetworkingEnabled=true
 WirelessEnabled=true
 WWANEnabled=false
SourcePackage: network-manager
UpgradeStatus: Upgraded to bionic on 2018-02-12 (1 days ago)
nmcli-dev:
 DEVICE TYPE STATE DBUS-PATH CONNECTION CON-UUID CON-PATH
 wlp3s0 wifi connected /org/freedesktop/NetworkManager/Devices/3 gameofgods 404f7dfd-a05c-4271-9a7f-6e18bc31e0cf /org/freedesktop/NetworkManager/ActiveConnection/2
 eno1 ethernet unavailable /org/freedesktop/NetworkManager/Devices/2 -- -- --
 lo loopback unmanaged /org/freedesktop/NetworkManager/Devices/1 -- -- --
nmcli-nm:
 RUNNING VERSION STATE STARTUP CONNECTIVITY NETWORKING WIFI-HW WIFI WWAN-HW WWAN
 running 1.8.4 connected started full enabled enabled enabled enabled disabled
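
The server log above is what OpenVPN prints when a client's control-channel packets arrive without the tls-crypt wrapping the server expects; the posted client profile carries no tls-crypt directive at all. The following shell script is an added example, not part of this bug report and not code from OpenVPN or NetworkManager: it reads a server config and a client profile, works out which tls-crypt mode each one declares (none, tls-crypt, or the OpenVPN 2.5+ tls-crypt-v2) and flags a mismatch before the profile is handed to users. The sample files it writes are constructed for the demo; the host name and the key block in them are placeholders.

```shell
#!/bin/sh
# Added example: detect a tls-crypt mismatch between an OpenVPN server config
# and a client profile. tls-crypt wraps every control-channel packet with a
# pre-shared key, so a client without the key (or with the wrong variant)
# sends packets the server cannot unwrap.

# tls_crypt_mode FILE -> prints "v2", "v1" or "none"
# Matches both the file-path directive and the inline <tls-crypt> block form.
tls_crypt_mode() {
    if grep -Eq '^[[:space:]]*(tls-crypt-v2[[:space:]]|<tls-crypt-v2>)' "$1"; then
        echo v2
    elif grep -Eq '^[[:space:]]*(tls-crypt[[:space:]]|<tls-crypt>)' "$1"; then
        echo v1
    else
        echo none
    fi
}

# check_tls_crypt_pair SERVER_CONF CLIENT_CONF
# returns 0 when both sides declare the same tls-crypt mode, 1 otherwise
check_tls_crypt_pair() {
    server="$1"; client="$2"
    s=$(tls_crypt_mode "$server")
    c=$(tls_crypt_mode "$client")
    if [ "$s" = "$c" ]; then
        printf 'ok: server and client both use tls-crypt mode "%s"\n' "$s"
        return 0
    fi
    printf 'mismatch: server uses "%s" but client profile uses "%s"\n' "$s" "$c" >&2
    return 1
}

# write_samples DIR: constructed sample configs (placeholder host and key)
write_samples() {
    dir="$1"
    # Server side, mirroring the tls-crypt line from the reported server config
    cat > "$dir/server.conf" <<'EOF'
proto udp
tls-server
tls-crypt /var/etc/openvpn/server1.tls-crypt
EOF
    # Client profile as reported: no tls-crypt key at all
    cat > "$dir/client-bad.ovpn" <<'EOF'
client
dev tun
remote vpn.example.test 1194 udp
EOF
    # Client profile with an inline key block (placeholder key material)
    cat > "$dir/client-good.ovpn" <<'EOF'
client
dev tun
remote vpn.example.test 1194 udp
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER KEY MATERIAL
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
}

# Stand-alone demo: always exits 0 so it can be sourced safely.
main() {
    d=$(mktemp -d)
    write_samples "$d"
    check_tls_crypt_pair "$d/server.conf" "$d/client-good.ovpn"
    check_tls_crypt_pair "$d/server.conf" "$d/client-bad.ovpn" || true
    rm -rf "$d"
    return 0
}
main
```

Run it against real files with `check_tls_crypt_pair /etc/openvpn/server.conf client.ovpn` after sourcing the script; a non-zero exit means the profile would produce exactly the "tls-crypt unwrapping failed" line seen above rather than a working tunnel.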

Tuxist (jan-koester) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager (Ubuntu):
status: New → Confirmed
roland aus köln (devzero-c) wrote :

http://www.pivpn.io/ is using tls-crypt by default, so Ubuntu is not even capable of connecting to this popular and easy-to-set-up VPN solution.

Could you please fix Network Manager?

Sebastien Bacher (seb128) wrote :

The commit referenced in the previous comment is included in https://launchpad.net/ubuntu/+source/network-manager-openvpn/1.2.10-0ubuntu1, which was updated before 18.04, so that's not likely the fix/problem here.

Changed in network-manager (Ubuntu):
importance: Undecided → Low