Seems I keep running into trouble with OpenVPN configs. This is a different server from my last post and the tunnel is TCP on this one.
Mikrotik logs contain nothing useful, just disconnected, terminating… - peer disconnected
Server logs show more info, but I don’t know why this doesn’t work:
2025-07-02 10:22:44 TCP connection established with [AF_INET]40.155.66.90:55312
2025-07-02 10:22:44 40.133.69.90:55312 tls-crypt unwrap error: packet too short
2025-07-02 10:22:44 40.133.69.90:55312 TLS Error: tls-crypt unwrapping failed from [AF_INET]40.155.66.90:55312
2025-07-02 10:22:44 40.133.69.90:55312 Fatal TLS error (check_tls_errors_co), restarting
2025-07-02 10:22:44 40.133.69.90:55312 SIGUSR1[soft,tls-error] received, client-instance restarting
If I take the same OpenVPN client config file and drop it in OpenWRT it works just fine. Edit: it works in a Ubiquiti EdgeRouter too.
These OpenVPN config files are hand-assembled, so there might be something I’m doing wrong. I’ve already had to change two things:
- Mikrotik will not accept “proto tcp4-client” or “proto tcp-client”; I had to use “proto tcp”. Note that OpenWRT is happy with any of those.
- I had to add “auth SHA1”. It was previously missing; the OpenVPN docs appear to state that’s the default, and OpenWRT and Ubiquiti deal with that, but on import to Mikrotik, if it is not present it will change to null.
Despite having worked past these two problems, I’ve got one additional issue I don’t know what to do with:
config 'ovpn-import1751465884' import completed with warnings, please see system log
unsupported configuration parameter 'remote-cert-eku'
Example of my current OpenVPN config:
client4san.ovpn.txt (1.6 KB)
MyConfig.rsc (4.2 KB)
This is the log from the OpenWRT router that is working with this same OpenVPN client config; maybe it contains something useful:
Wed Jul 2 15:51:01 2025 daemon.notice openvpn(wci44client4)[2111]: TCP/UDP: Preserving recently used remote address: [AF_INET]155.130.177.240:1194
Wed Jul 2 15:51:01 2025 daemon.notice openvpn(wci44client4)[2111]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Wed Jul 2 15:51:01 2025 daemon.notice openvpn(wci44client4)[2111]: Attempting to establish TCP connection with [AF_INET]155.130.177.240:1194
Wed Jul 2 15:51:01 2025 daemon.notice openvpn(wci44client4)[2111]: TCP connection established with [AF_INET]155.130.177.240:1194
Wed Jul 2 15:51:01 2025 daemon.notice openvpn(wci44client4)[2111]: TCPv4_CLIENT link local: (not bound)
Wed Jul 2 15:51:01 2025 daemon.notice openvpn(wci44client4)[2111]: TCPv4_CLIENT link remote: [AF_INET]155.130.177.240:1194
Wed Jul 2 15:51:01 2025 daemon.notice openvpn(wci44client4)[2111]: TLS: Initial packet from [AF_INET]155.130.177.240:1194, sid=f8e11f4b 5093ac15
Wed Jul 2 15:51:01 2025 daemon.notice openvpn(wci44client4)[2111]: VERIFY OK: depth=1, CN=wci44
Wed Jul 2 15:51:01 2025 daemon.notice openvpn(wci44client4)[2111]: Validating certificate extended key usage
Wed Jul 2 15:51:01 2025 daemon.notice openvpn(wci44client4)[2111]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jul 2 15:51:01 2025 daemon.notice openvpn(wci44client4)[2111]: VERIFY EKU OK
Wed Jul 2 15:51:01 2025 daemon.notice openvpn(wci44client4)[2111]: VERIFY OK: depth=0, CN=server
Wed Jul 2 15:51:02 2025 user.notice firewall: Reloading firewall due to ifup of wan (eth0.2)
Wed Jul 2 15:51:02 2025 daemon.notice openvpn(wci44client4)[2111]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
Wed Jul 2 15:51:02 2025 daemon.notice openvpn(wci44client4)[2111]: [server] Peer Connection Initiated with [AF_INET]155.130.177.240:1194
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route 10.0.1.0 255.255.255.0,route 10.144.102.0 255.255.255.0,route 10.144.103.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.14 255.255.255.0,peer-id 3,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: OPTIONS IMPORT: --ifconfig/up options modified
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: OPTIONS IMPORT: route options modified
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: OPTIONS IMPORT: route-related options modified
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: OPTIONS IMPORT: tun-mtu set to 1500
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: net_route_v4_best_gw query: dst 0.0.0.0
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: net_route_v4_best_gw result: via 192.168.100.254 dev eth0.2
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: TUN/TAP device tun0 opened
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: net_iface_mtu_set: mtu 1500 for tun0
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: net_iface_up: set tun0 up
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: net_addr_v4_add: 10.8.0.14/24 dev tun0
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: /usr/libexec/openvpn-hotplug up wci44client4 tun0 1500 0 10.8.0.14 255.255.255.0 init
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: net_route_v4_add: 10.0.1.0/24 via 10.8.0.1 dev [NULL] table 0 metric -1
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: net_route_v4_add: 10.144.102.0/24 via 10.8.0.1 dev [NULL] table 0 metric -1
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: net_route_v4_add: 10.144.103.0/24 via 10.8.0.1 dev [NULL] table 0 metric -1
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: Initialization Sequence Completed
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: Data Channel: cipher 'AES-256-GCM', peer-id: 3
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: Timers: ping 10, ping-restart 120
Wed Jul 2 15:51:03 2025 daemon.notice openvpn(wci44client4)[2111]: Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
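As an added example (not the poster's file and not MikroTik's importer), here is a small pre-import check that applies the three adjustments the post reports for a hand-assembled .ovpn: it rewrites the rejected proto values, appends the default auth when the directive is absent, and flags remote-cert-eku so the loss of the server-certificate EKU check is visible rather than silent. The sample config, hostname and key block are constructed placeholders, and the three rules are assumed to be the complete list.

```python
import re

# Constructed sample client config (placeholder hostname and key block).
SAMPLE_OVPN = """client
dev tun
proto tcp4-client
remote vpn.example.invalid 1194
remote-cert-eku "TLS Web Server Authentication"
cipher AES-256-GCM
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
0000placeholder0000
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

# The three import issues reported in the post (assumed to be the complete list).
PROTO_REWRITE = {"tcp4-client": "tcp", "tcp-client": "tcp"}
UNSUPPORTED = {"remote-cert-eku"}


def prepare_for_mikrotik(config: str):
    """Return (rewritten config, list of findings) for a hand-assembled .ovpn file."""
    out, findings, seen_auth, in_inline = [], [], False, False
    for line in config.splitlines():
        s = line.strip()
        # Inline blocks (<ca>, <tls-crypt>, ...) are copied verbatim, never parsed.
        if re.fullmatch(r"<\w+>", s):
            in_inline = True
        elif re.fullmatch(r"</\w+>", s):
            in_inline = False
        if in_inline or not s or s[0] in "#;":
            out.append(line)
            continue
        parts = s.split()
        key = parts[0].lower()
        if key == "proto" and len(parts) > 1 and parts[1].lower() in PROTO_REWRITE:
            out.append(f"proto {PROTO_REWRITE[parts[1].lower()]}")
            findings.append(f"rewrote 'proto {parts[1]}' to 'proto tcp'")
            continue
        if key == "auth":
            seen_auth = True
        if key in UNSUPPORTED:
            # Left in the file, but the importer warns and drops it, so the
            # server-certificate EKU check is not enforced on the router.
            findings.append(f"'{key}' is ignored on import; EKU check will not be enforced")
        out.append(line)
    if not seen_auth:
        # A missing 'auth' becomes null on import; state OpenVPN's default explicitly.
        out.append("auth SHA1")
        findings.append("no 'auth' directive; appended 'auth SHA1'")
    return "\n".join(out) + "\n", findings
```

Because the EKU directive is dropped, the router only checks that the server certificate chains to the configured CA, so that CA should issue server-type certificates to servers only.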