openVPN HMAC errors PrivateInternetAccess vpn

I use openVPN to access https://www.privateinternetaccess.com/. It seems to be working (their site shows me being protected), but if I check my journal using:

# journalctl -p err -b

there are many errors with the following:

Sep 11 11:09:33 chygra openvpn[15948]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 11:17:14 chygra openvpn[15948]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 11:18:18 chygra openvpn[15948]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 11:19:59 chygra openvpn[15948]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 11:41:12 chygra openvpn[15948]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 12:48:26 chygra openvpn[15948]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 12:48:40 chygra openvpn[15948]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 11 12:58:22 chygra openvpn[15948]: Authenticate/Decrypt packet error: packet HMAC authentication failed

Can anyone point me to what I should be looking for to fix this?

My config file for PrivateInternetAccess

cat /etc/openvpn/myconfig.conf
client
dev tun
proto udp
remote privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/essential
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ

So, out of 84 viewers, there’s not one person who has not even an inkling what the problem might be? Is it because I incorrectly worded my problem? Could it be that I haven’t added the correct info (which could be rectified if someone actually asked me for it)? Come on guys. Surely someone can help!

It is unclear what your problem is other than some error message, then you say you are connected???

The question (which I erringly thought was clear) was/is: “Why are there those errors?” And subsequently, “How to fix it?”

I looked around some more here in this forum, and elsewhere, and came up with nothing directly addressing this.
And in a lightbulb moment, I thought about using forwarding on the router.
It seems that that may be a cause (as I haven’t had those errors in about two hours). I’ll keep my eyes on it and update my posts here.

You probably first have to say whether your VPN tunnel works to know if this is a critical or non-critical error.

Generally just about any authentication error should be at least evaluated.

So, start off with what is HMAC (Hash based message authentication code)?
https://en.wikipedia.org/wiki/Hash-based_message_authentication_code

So,
If it prevents the initial setup of your authentication, then it’s a critical issue.
If it’s “merely” verifying the integrity of the VPN traffic, then the cause might be some kind of attempted intrusion or faulty code. This might be hard to evaluate because of course a commercial VPN provider is an easy target for attacks from just about anyone you can imagine, but it is something you should raise with your provider so that they might investigate whether an MIM attack is happening. A Provider can test whether their code is bug free in an isolated environment since they own both VPN endpoints which you can’t do.

Who knows? Maybe your investigation might start something that could reveal an attempted intrusion that can’t be hidden completely… And might require a patch to address.

TSU
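
Added example (not part of any post in this thread): a shell function that separates the two cases described above by counting, per OpenVPN process, the HMAC failures logged before and after "Initialization Sequence Completed". The log lines are constructed in the journal format shown in the thread; the function names, host name and address are assumptions.

```shell
#!/bin/sh
# Constructed sample lines (not real logs), in the journal format from the thread.
sample_log() {
cat <<'EOF'
Sep 18 05:16:56 host openvpn[1728]: Peer Connection Initiated with [AF_INET]192.0.2.10:1197
Sep 18 05:16:59 host openvpn[1728]: Initialization Sequence Completed
Sep 18 05:40:12 host openvpn[1728]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 18 06:02:45 host openvpn[1728]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 18 07:00:01 host openvpn[2001]: Authenticate/Decrypt packet error: packet HMAC authentication failed
EOF
}

# Reads journal lines on stdin and prints one line per openvpn PID:
#   <pid> <failures before init> <failures after init> <verdict>
# "tunnel-up" means the process logged a completed initialization, so its
# HMAC failures are dropped packets on a working tunnel. "no-init-seen"
# means the failures may be blocking session setup and need attention first.
triage_hmac() {
  awk '
    match($0, /openvpn\[[0-9]+\]/) {
      # "openvpn[" is 8 characters; strip it and the closing bracket.
      pid = substr($0, RSTART + 8, RLENGTH - 9)
      seen[pid] = 1
      if (index($0, "Initialization Sequence Completed")) {
        up[pid] = 1
      } else if (index($0, "packet HMAC authentication failed")) {
        if (up[pid]) after[pid]++; else before[pid]++
      }
    }
    END {
      for (pid in seen) {
        verdict = up[pid] ? "tunnel-up" : "no-init-seen"
        printf "%s %d %d %s\n", pid, before[pid], after[pid], verdict
      }
    }' | sort -n
}

sample_log | triage_hmac
```

On a live system, feed it the output of `journalctl -b -u openvpn@myconfig` rather than the `-p err` output, because the initialization line is logged below error priority and the filter would hide it.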

On the first page of google search (granted, it may be region specific): https://openvpn.net/archive/openvpn-users/2004-01/msg00175.html

And you still did not answer the main question - is your connection established or not.

I assume the connection is made because:

  1. the vpn site has a verifier script that shows if one is connected to their vpn or not.

# systemctl status openvpn@myconfig
openvpn@myconfig.service - OpenVPN tunneling daemon instance using /etc/openvpn/myconfig.conf
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled)
   Active: active (running) since Sun 2016-09-18 05:16:56 EDT; 6s ago
  Process: 1727 ExecStart=/usr/sbin/openvpn --daemon --suppress-timestamps --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=0/SUCCESS)
 Main PID: 1728 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/openvpn@myconfig.service
           └─1728 /usr/sbin/openvpn --daemon --suppress-timestamps --writepid /var/run/openvpn/myconfig.pid --cd /etc/openvpn/ --config myconfig.conf


Sep 18 05:16:56 chygra systemd[1]: Started OpenVPN tunneling daemon instance using /etc/openvpn/myconfig.conf.
Sep 18 05:16:56 chygra openvpn[1728]: UDPv4 link local: [undef]
Sep 18 05:16:56 chygra openvpn[1728]: UDPv4 link remote: [AF_INET]*.*.*.*:1197
Sep 18 05:16:56 chygra openvpn[1728]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sep 18 05:16:56 chygra openvpn[1728]: [dbacd7b38d135021a698ed95e8fec612] Peer Connection Initiated with [AF_INET]*.*.*.*:1197
Sep 18 05:16:59 chygra openvpn[1728]: TUN/TAP device tun0 opened
Sep 18 05:16:59 chygra openvpn[1728]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sep 18 05:16:59 chygra openvpn[1728]: /bin/ip link set dev tun0 up mtu 1500
Sep 18 05:16:59 chygra openvpn[1728]: /bin/ip addr add dev tun0 local *.*.*.* peer *.*.*.*
Sep 18 05:16:59 chygra openvpn[1728]: Initialization Sequence Completed
#

@arvidjaar That link was what I was looking for. Exactly.

The link describes some specific causes for failed integrity checks, but as I described there’s likely nothing you can do as a commercial VPN customer, you need to have control of both ends to identify why the integrity check is failing (if that is indeed what is happening).

TSU

Yeah, I came to that conclusion after reading that link. Thanks all for the help. For me, this post is closed.