OpenVPN HMAC Authentication Failure No Matter What I do?

I am having an issue with my openvpn server, running Debian Wheezy x64, and my client, running Ubuntu 14.10 x64. It seems no matter what configurations I try, I get this error, over and over, a couple times per minute at least:

Mon Mar  9 22:14:10 2015 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Mar  9 22:14:10 2015 TLS Error: incoming packet authentication failed from [AF_INET] x.x.x.(clientip)

I am using this configuration on the server:

local x.x.x.x
port xxxx
proto udp
dev tun
ca /etc/openvpn/.certs/ca.crt
cert /etc/openvpn/.certs/[email protected]
key /etc/openvpn/.certs/[email protected]
dh /etc/openvpn/.certs/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir clients
client-to-client
keepalive 7 80
tls-auth /etc/openvpn/.certs/ta.key 0
cipher AES-128-CBC
comp-lzo
max-clients 3
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
tun-mtu 1500
auth SHA256

And on the client, the configuration is managed by network-manager, but I have the key direction correct, the correct tls certificate, a matching mtu, the auth SHA256 directive, and it's set to verify the DN, etc... Is there something I am missing?

I tried different auth ciphers, regenerating the tls key (with --gen-key --secret ta.key), and the error persists. The VPN works okay, although my speeds are slightly lower than they ought to be. Any help would be appreciated.


Solution 1:

Actually, the solution in my case was to add these directives to the server.conf:

mode server
tls-server

And then to the client config:

tls-client

And if you use an embedded tls key via <tls-auth>, add

key-direction 1

If using network manager, make sure the 'expect tls authentication' is checked.

Solution 2:

Adding auth and cipher lines matching the ones in the server.conf file to the client's .conf file should be sufficient. Or, if you are using Network Manager for the client, click on Cipher and HMAC Authentication, and add the settings from the cipher and auth lines in the server.conf. It should work.
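The checks both solutions describe (tls-auth key direction, auth and cipher agreeing on both ends) can be automated. The following is an added example, not part of either answer or of OpenVPN itself; the sample configs are constructed, the function names are hypothetical, and it assumes the client settings are available as a plain .conf/.ovpn file rather than inside Network Manager.

```python
import re

# Constructed sample configs (not the poster's files); the client is a plain .ovpn file.
SERVER_CONF = "proto udp\ntls-auth /etc/openvpn/.certs/ta.key 0\ncipher AES-128-CBC\nauth SHA256\n"
CLIENT_CONF = ("proto udp\n<tls-auth>\n(constructed placeholder key)\n</tls-auth>\n"
               "cipher AES-128-CBC\n")

def parse(text):
    """Return {directive: [args]}; inline <name>...</name> blocks are recorded, not read."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if inline:
            if line == f"</{inline}>":
                inline = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            inline = m.group(1)
            opts[inline] = ["[inline]"]
        elif line and not line.startswith(";"):
            name, *args = line.split()
            opts[name] = args
    return opts

def key_direction(opts):
    """Direction from 'key-direction N', else from the 'tls-auth file N' argument."""
    if opts.get("key-direction"):
        return opts["key-direction"][0]
    ta = opts.get("tls-auth", [])
    return ta[1] if len(ta) > 1 else None

def compare(server_text, client_text):
    """List the mismatches between two configs that affect packet HMAC checks."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    if ("tls-auth" in s) != ("tls-auth" in c):
        problems.append("tls-auth is enabled on only one side")
    elif "tls-auth" in s:
        ds, dc = key_direction(s), key_direction(c)
        if {ds, dc} not in ({"0", "1"}, {None}):
            problems.append(f"key direction server={ds} client={dc}")
    # Assumption: an unset directive counts as a mismatch against an explicit one,
    # because the built-in defaults depend on the OpenVPN version.
    for name in ("auth", "cipher"):
        vs, vc = (s.get(name) or ["(unset)"])[0], (c.get(name) or ["(unset)"])[0]
        if vs.upper() != vc.upper():
            problems.append(f"{name} server={vs} client={vc}")
    return problems

if __name__ == "__main__":
    for problem in compare(SERVER_CONF, CLIENT_CONF):
        print("MISMATCH:", problem)
```

On the constructed pair it reports the missing client key direction for the embedded key and the missing client auth line; an empty result means these three settings agree.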