diff --git a/src/local.c b/src/local.c
index 127d3cd5..7fa4bca4 100644
--- a/src/local.c
+++ b/src/local.c
@@ -473,8 +473,6 @@ static void server_recv_cb(EV_P_ ev_io *w, int revents)
                 if (!remote->direct) {
                     if (auth) {
                         ss_addr_to_send[0] |= ONETIMEAUTH_FLAG;
-                        ss_onetimeauth(ss_addr_to_send + addr_len, ss_addr_to_send, addr_len);
-                        addr_len += ONETIMEAUTH_BYTES;
                     }
 
                     memcpy(remote->buf, ss_addr_to_send, addr_len);
@@ -482,6 +480,12 @@ static void server_recv_cb(EV_P_ ev_io *w, int revents)
                         memcpy(remote->buf + addr_len, buf, r);
                     }
                     r += addr_len;
+
+                    if (auth) {
+                        ss_onetimeauth(remote->buf + r, remote->buf, r);
+                        r += ONETIMEAUTH_BYTES;
+                    }
+
                 } else {
                     if (r > 0) {
                         memcpy(remote->buf, buf, r);
diff --git a/src/server.c b/src/server.c
index 900bf655..6c5276ec 100644
--- a/src/server.c
+++ b/src/server.c
@@ -641,13 +641,13 @@ static void server_recv_cb(EV_P_ ev_io *w, int revents)
         offset += 2;
 
         if (auth || (atyp & ONETIMEAUTH_MASK)) {
-            if (ss_onetimeauth_verify(server->buf + offset, server->buf, offset)) {
+            r -= ONETIMEAUTH_BYTES;
+            if (ss_onetimeauth_verify(server->buf + r, server->buf, r)) {
                 LOGE("authentication error %d", atyp);
                 report_addr(server->fd);
                 close_and_free_server(EV_A_ server);
                 return;
             };
-            offset += ONETIMEAUTH_BYTES;
         }
 
         if (verbose) {