We encountered a really strange behaviour with OpenVPN 2.3.6 on CentOS 5. A device of ours that is behind a SAT link is having trouble getting through the build-up phase.
For some strange reason it does not send the packets in the right order.
Sometimes it works. But it's pure chance, and the chance varies over the day.
We can rule out firewall or connection issues, as this wrong packet order (from client to server) (...15, 17, 16, 17...) is already present in the logs on the client side.
If we switch to a fiber connection everything is fine.
So it seems to us that some strange circumstance with the SAT link connection triggers a bug in OpenVPN and it sends one packet early.

So two questions:

1) Why does the client send packet 17 twice, and the first time too early?

2) Why does the server not wait for the missing packet and instead fail instantly with: "Authenticate/Decrypt packet error: packet HMAC authentication failed"?

Client side: note the PID series: 14, 15, 17, 16, 17, 18

...
Apr 10 17:39:08 client openvpn[1300]: TCPv4_CLIENT WRITE [154] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #41 ] [ 39 ] pid=2 DATA len=100
Apr 10 17:39:08 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #42 ] [ ] pid=3 DATA len=100
Apr 10 17:39:08 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #43 ] [ ] pid=4 DATA len=100
Apr 10 17:39:08 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #44 ] [ ] pid=5 DATA len=100
Apr 10 17:39:09 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #45 ] [ ] pid=6 DATA len=100
Apr 10 17:39:10 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #46 ] [ ] pid=7 DATA len=100
Apr 10 17:39:10 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #47 ] [ ] pid=8 DATA len=100
Apr 10 17:39:10 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #48 ] [ ] pid=9 DATA len=100
Apr 10 17:39:10 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #49 ] [ ] pid=10 DATA len=100
Apr 10 17:39:11 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #50 ] [ ] pid=11 DATA len=100
Apr 10 17:39:11 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #51 ] [ ] pid=12 DATA len=100
Apr 10 17:39:11 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #52 ] [ ] pid=13 DATA len=100
Apr 10 17:39:12 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #53 ] [ ] pid=14 DATA len=100
Apr 10 17:39:12 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #54 ] [ ] pid=15 DATA len=100
Apr 10 17:39:13 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #55 ] [ ] pid=17 DATA len=100
Apr 10 17:39:13 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #56 ] [ ] pid=16 DATA len=100
Apr 10 17:39:13 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #57 ] [ ] pid=17 DATA len=100
Apr 10 17:39:13 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #58 ] [ ] pid=18 DATA len=100
Apr 10 17:39:14 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #59 ] [ ] pid=19 DATA len=100
Apr 10 17:39:20 client openvpn[1300]: TCPv4_CLIENT WRITE [42] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Apr 10 17:39:20 client openvpn[1300]: TCPv4_CLIENT READ [54] from xxx.xxx.xxx.xxx:yyyy: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0


Server side: cancels on the jump from PID=15 to 17

...
Apr 10 19:39:09 server openvpn[32482]: 192.168.19.253:48396 TCPv4_SERVER READ [154] from 192.168.19.253:48396: P_CONTROL_V1 kid=0 pid=[ #41 ] [ 39 ] pid=2 DATA len=100
Apr 10 19:39:09 server openvpn[32482]: 192.168.19.253:48396 TCPv4_SERVER READ [142] from 192.168.19.253:48396: P_CONTROL_V1 kid=0 pid=[ #42 ] [ ] pid=3 DATA len=100
Apr 10 19:39:09 server openvpn[32482]: 192.168.19.253:48396 TCPv4_SERVER READ [142] from 192.168.19.253:48396: P_CONTROL_V1 kid=0 pid=[ #43 ] [ ] pid=4 DATA len=100
Apr 10 19:39:09 server openvpn[32482]: 192.168.19.253:48396 TCPv4_SERVER READ [142] from 192.168.19.253:48396: P_CONTROL_V1 kid=0 pid=[ #44 ] [ ] pid=5 DATA len=100
Apr 10 19:39:10 server openvpn[32482]: 192.168.19.253:48396 TCPv4_SERVER READ [142] from 192.168.19.253:48396: P_CONTROL_V1 kid=0 pid=[ #45 ] [ ] pid=6 DATA len=100
Apr 10 19:39:10 server openvpn[32482]: 192.168.19.253:48396 TCPv4_SERVER READ [142] from 192.168.19.253:48396: P_CONTROL_V1 kid=0 pid=[ #46 ] [ ] pid=7 DATA len=100
Apr 10 19:39:11 server openvpn[32482]: 192.168.19.253:48396 TCPv4_SERVER READ [142] from 192.168.19.253:48396: P_CONTROL_V1 kid=0 pid=[ #47 ] [ ] pid=8 DATA len=100
Apr 10 19:39:11 server openvpn[32482]: 192.168.19.253:48396 TCPv4_SERVER READ [142] from 192.168.19.253:48396: P_CONTROL_V1 kid=0 pid=[ #48 ] [ ] pid=9 DATA len=100
Apr 10 19:39:11 server openvpn[32482]: 192.168.19.253:48396 TCPv4_SERVER READ [142] from 192.168.19.253:48396: P_CONTROL_V1 kid=0 pid=[ #49 ] [ ] pid=10 DATA len=100
Apr 10 19:39:12 server openvpn[32482]: 192.168.19.253:48396 TCPv4_SERVER READ [142] from 192.168.19.253:48396: P_CONTROL_V1 kid=0 pid=[ #50 ] [ ] pid=11 DATA len=100
Apr 10 19:39:12 server openvpn[32482]: 192.168.19.253:48396 TCPv4_SERVER READ [142] from 192.168.19.253:48396: P_CONTROL_V1 kid=0 pid=[ #51 ] [ ] pid=12 DATA len=100
Apr 10 19:39:12 server openvpn[32482]: 192.168.19.253:48396 TCPv4_SERVER READ [142] from 192.168.19.253:48396: P_CONTROL_V1 kid=0 pid=[ #52 ] [ ] pid=13 DATA len=100
Apr 10 19:39:13 server openvpn[32482]: 192.168.19.253:48396 TCPv4_SERVER READ [142] from 192.168.19.253:48396: P_CONTROL_V1 kid=0 pid=[ #53 ] [ ] pid=14 DATA len=100
Apr 10 19:39:13 server openvpn[32482]: 192.168.19.253:48396 TCPv4_SERVER READ [142] from 192.168.19.253:48396: P_CONTROL_V1 kid=0 pid=[ #54 ] [ ] pid=15 DATA len=100
Apr 10 19:39:14 server openvpn[32482]: 192.168.19.253:48396 TCPv4_SERVER READ [142] from 192.168.19.253:48396: P_CONTROL_V1 kid=0 pid=[ #55 ] [ ] pid=17 DATA len=100
Apr 10 19:39:14 server openvpn[32482]: 192.168.19.253:48396 Authenticate/Decrypt packet error: packet HMAC authentication failed


Server conf:

port yyyy
proto tcp
dev tun
ca ca.crt
tls-auth ta.key 0
cert ______________.com.crt
key ______________.com.key
dh dh2048.pem
server 172.20.0.0 255.255.0.0
client-config-dir clients
ifconfig-pool-persist ipp_server.txt
push "route 172.18.0.0 255.255.0.0"
keepalive 10 60
cipher AES-256-CBC
comp-lzo
max-clients 5000
user nobody
group nobody
persist-key
persist-tun
status status.log
verb 1


Client conf:

client
dev tun0
proto tcp
remote xxx.xxx.xxx.xxx yyyy
resolv-retry infinite
persist-key
persist-tun
ca ca.crt
cert _________.crt
key _________.key
tls-auth ta.key 1
cipher AES-256-CBC
ns-cert-type server
verb 8
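As a way of checking a sequence like the one above by script rather than by eye, here is an added example that is not part of the original post and not OpenVPN's own code: a small Python parser for the control-channel lines quoted above that flags gaps, out-of-order message-ids, retransmits, a non-increasing replay counter, session resets and the HMAC failure. The embedded log lines are copied from the post (trimmed to the region around message-ids 14 to 19). The meaning attached to the three numbers on each line (the "#55" as the tls-auth replay counter, "[ 39 ]" as the ack list, the trailing "pid=17" as the reliability-layer message-id) is my reading of the log format and an assumption, as are the function and field names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Parser for the control-channel lines OpenVPN prints at high "verb" levels.
# The field names are an assumption about that format: "pid=[ #55 ]" is read
# as the per-packet tls-auth replay counter, "[ 39 ]" as the ack list, and the
# trailing "pid=17" as the reliability-layer message-id that must stay in order.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?"
    r"(?P<dir>READ|WRITE) \[\d+\] (?:to|from) \S+: "
    r"(?P<op>P_\w+) kid=(?P<kid>\d+) pid=\[ #(?P<rpid>\d+) \] "
    r"\[ (?P<acks>[^\]]*)\] (?:pid=(?P<mid>\d+) )?DATA len=\d+$"
)

# Sample input: the client-side lines from the post, trimmed to msg-ids 14..19
# and the hard reset that follows.
CLIENT_LOG = """\
Apr 10 17:39:12 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #53 ] [ ] pid=14 DATA len=100
Apr 10 17:39:12 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #54 ] [ ] pid=15 DATA len=100
Apr 10 17:39:13 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #55 ] [ ] pid=17 DATA len=100
Apr 10 17:39:13 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #56 ] [ ] pid=16 DATA len=100
Apr 10 17:39:13 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #57 ] [ ] pid=17 DATA len=100
Apr 10 17:39:13 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #58 ] [ ] pid=18 DATA len=100
Apr 10 17:39:14 client openvpn[1300]: TCPv4_CLIENT WRITE [142] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_V1 kid=0 pid=[ #59 ] [ ] pid=19 DATA len=100
Apr 10 17:39:20 client openvpn[1300]: TCPv4_CLIENT WRITE [42] to xxx.xxx.xxx.xxx:yyyy: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
"""

# Sample input: the matching tail of the server-side log from the post.
SERVER_LOG = """\
Apr 10 19:39:13 server openvpn[32482]: 192.168.19.253:48396 TCPv4_SERVER READ [142] from 192.168.19.253:48396: P_CONTROL_V1 kid=0 pid=[ #53 ] [ ] pid=14 DATA len=100
Apr 10 19:39:13 server openvpn[32482]: 192.168.19.253:48396 TCPv4_SERVER READ [142] from 192.168.19.253:48396: P_CONTROL_V1 kid=0 pid=[ #54 ] [ ] pid=15 DATA len=100
Apr 10 19:39:14 server openvpn[32482]: 192.168.19.253:48396 TCPv4_SERVER READ [142] from 192.168.19.253:48396: P_CONTROL_V1 kid=0 pid=[ #55 ] [ ] pid=17 DATA len=100
Apr 10 19:39:14 server openvpn[32482]: 192.168.19.253:48396 Authenticate/Decrypt packet error: packet HMAC authentication failed
"""


@dataclass
class ControlPacket:
    ts: str
    direction: str          # READ or WRITE
    opcode: str             # P_CONTROL_V1, P_CONTROL_HARD_RESET_CLIENT_V2, ...
    key_id: int
    replay_id: int          # the "#55" in pid=[ #55 ]
    acks: List[int]         # message-ids acknowledged by this packet
    msg_id: Optional[int]   # the trailing pid=17; None when absent


def parse_line(line: str) -> Optional[ControlPacket]:
    """Return a ControlPacket for a READ/WRITE control-channel line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return ControlPacket(
        ts=m["ts"], direction=m["dir"], opcode=m["op"], key_id=int(m["kid"]),
        replay_id=int(m["rpid"]), acks=[int(a) for a in m["acks"].split()],
        msg_id=int(m["mid"]) if m["mid"] is not None else None,
    )


def find_anomalies(log_text: str) -> List[str]:
    """Walk one side's log and describe each break in the control sequence:
    a message-id that jumps ahead (gap), one arriving after a higher id (out of
    order), a repeat (retransmit), a replay counter that does not increase,
    an HMAC failure, and a hard reset (which starts a new session)."""
    findings: List[str] = []
    expected: Optional[int] = None      # next message-id we expect to see
    seen: set = set()                   # message-ids seen in this session
    last_replay: Optional[int] = None
    for n, raw in enumerate(log_text.splitlines(), 1):
        if "Authenticate/Decrypt packet error" in raw:
            findings.append(f"line {n}: tls-auth HMAC check failed on this side")
            continue
        pkt = parse_line(raw)
        if pkt is None:
            continue
        if "HARD_RESET" in pkt.opcode:
            findings.append(f"line {n}: {pkt.opcode}: new session, counters reset")
            expected, seen, last_replay = None, set(), None
            continue
        if last_replay is not None and pkt.replay_id <= last_replay:
            findings.append(f"line {n}: replay id #{pkt.replay_id} not above #{last_replay}")
        last_replay = pkt.replay_id
        if pkt.opcode != "P_CONTROL_V1" or pkt.msg_id is None:
            continue
        mid = pkt.msg_id
        if mid in seen:
            findings.append(f"line {n}: msg-id {mid} repeated (retransmit)")
        elif expected is not None and mid > expected:
            findings.append(f"line {n}: msg-id {mid} before {expected} (gap of {mid - expected})")
        elif expected is not None and mid < expected:
            findings.append(f"line {n}: msg-id {mid} after higher ids (out of order)")
        seen.add(mid)
        if expected is None or mid >= expected:
            expected = mid + 1
    return findings


if __name__ == "__main__":
    for name, log in (("client", CLIENT_LOG), ("server", SERVER_LOG)):
        print(f"== {name}")
        for finding in find_anomalies(log):
            print(finding)
```

Run against the client sample it reports the gap at msg-id 17, the late 16, the repeated 17 and the hard reset; against the server sample it reports the same gap followed by the HMAC failure, which is the point at which the server log ends. Feeding it both full logs (or a later capture) is a quick way to see whether the jump always precedes the failure.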