OpenVPN Security Advisory: Dec 14, 2018
Action needed: Important update for OpenVPN Access Server

My profile that worked fine in 1.0.0 stopped working in 1.0.1 or higher, causing “TLS Error: incoming packet authentication failed from [….]” errors on the server. How to fix?


In 1.0.1, the default value for the key-direction directive was changed to "bidirectional" for compatibility with the OpenVPN 2.x branch (in 1.0.0, the default was "1"). In general, profiles imported before upgrading should continue to work, because the previous default is retained for such profiles, however if you are importing a new profile in unified format, be sure to follow the updated FAQ entry above for setting the key-direction directive.

Also note that for iOS VPN-on-Demand profiles, it is necessary to specify the key-direction as a key-value setting, if it is "0" or "1". This could potentially cause breakage in VPN-on-Demand profiles previously imported with 1.0.0 if they don't declare a key-direction key/value pair on the assumption that it defaults to "1". The solution is to explicitly declare key-direction in VPN-on-Demand profiles if the OpenVPN configuration file they are derived from declares it as well.