Trying to clear "replay" log spam, getting caught down a deep hole...

andrewsi
OpenVpn Newbie
Posts: 1
Joined: Sun Dec 03, 2017 12:26 am

Post by andrewsi » Sun Dec 03, 2017 12:29 am

I have an OpenVPN-AS appliance set up successfully on Azure, with a single site-to-site client connection being opened by a Linux-based router. It connects via UDP and mostly follows the defaults created by the Azure appliance.

My problems began when I saw lots of this in the router logs:

Dec  1 21:59:54 openvpn[27911]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #81361 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

After googling potential causes, my best guess as to the cause is that I use Microsoft Remote Desktop through the tunnel with the UDP flavor of that service enabled, and that I was perhaps encountering MTU issues.

This led me to try using the options mentioned in the OpenVPN manual:

tun-mtu 1500
fragment 1300
mssfix

At first I was unsuccessful with this because, as soon as I added this to the client side config, the client would fail to connect with authentication errors. I then saw a post that suggested that fragment also needed to be added to the server side config. However, doing that causes the server to fail to restart with an error that "fragment" is only valid for UDP connections; it turns out that the default server setup's multi-daemon mode causes this issue because of the running TCP listener. By turning off multi-daemon in favor of a single UDP connection, I was able to get the server to start up again. However, the client still fails to connect; now, rather than an immediate authentication failure, it simply times out during the connection process with:

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed

At this point I am unsure what to try next to get the session authentication to complete successfully and still be able to try fragmentation options to see if I can solve the original problem, namely the log spam regarding packet IDs and potential replay attacks.

The connection between my router and Azure's US West datacenter is via Comcast, if that helps anything.
The relevant security settings, as I mentioned, are the OpenVPN AS defaults, self-signed certificates with TLS1.2, OpenSSL 1.2 for the OpenVPN server, and TLS1.1 as the minimum TLS for the Web Server. The client router connection is set up for autologin via the generated certificates.

Any help would be greatly appreciated!

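The two failure modes in the post (fragment set on the client only, then fragment added to a server that still had a TCP listener) are both config-consistency problems that can be caught before restarting either end. The following Python is an added example, not code from the post or from OpenVPN itself: it parses the relevant directives out of a server and a client configuration and reports the mismatches. The sample configurations, the hostname vpn.example.invalid and the placeholder certificate block are constructed for illustration.

```python
"""Consistency check for OpenVPN fragment/MTU settings on both ends of a tunnel.

Added example, not code from the forum post or from OpenVPN. It reads two
OpenVPN configuration texts (server and client), extracts the directives that
matter for UDP fragmentation, and reports the mismatches the post ran into:
`fragment` present on only one side, `fragment` combined with a TCP `proto`,
and `fragment` larger than `tun-mtu`.
"""
from typing import Dict, List, Optional


def parse_config(text: str) -> Dict[str, List[str]]:
    """Parse OpenVPN-style 'directive arg ...' lines into {directive: args}.

    Comment lines (# or ;) are skipped, as is everything inside inline
    <ca>...</ca> style blocks; the first token of a line is the directive name.
    """
    directives: Dict[str, List[str]] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):        # end of an inline block
            in_block = False
            continue
        if line.startswith("<"):         # start of an inline block
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split()
        directives[parts[0]] = parts[1:]
    return directives


def _int_arg(cfg: Dict[str, List[str]], key: str) -> Optional[int]:
    """First argument of a directive as an int, or None if absent/non-numeric."""
    args = cfg.get(key)
    if not args:
        return None
    try:
        return int(args[0])
    except ValueError:
        return None


def check_fragment_settings(server_cfg: str, client_cfg: str) -> List[str]:
    """Return a list of problems; an empty list means the two ends agree."""
    server = parse_config(server_cfg)
    client = parse_config(client_cfg)
    problems: List[str] = []

    for name, cfg in (("server", server), ("client", client)):
        # OpenVPN defaults to UDP when proto is not given.
        proto = (cfg.get("proto") or ["udp"])[0].lower()
        if "fragment" in cfg and proto.startswith("tcp"):
            problems.append(f"{name}: 'fragment' is only valid with proto udp, but proto is {proto}")
        frag, mtu = _int_arg(cfg, "fragment"), _int_arg(cfg, "tun-mtu")
        if frag is not None and mtu is not None and frag > mtu:
            problems.append(f"{name}: fragment {frag} exceeds tun-mtu {mtu}")

    # fragment must be set on both ends, with the same size.
    s_frag, c_frag = _int_arg(server, "fragment"), _int_arg(client, "fragment")
    if (s_frag is None) != (c_frag is None):
        side = "client" if s_frag is None else "server"
        problems.append(f"'fragment' is set on the {side} only; it must be set on both ends")
    elif s_frag is not None and s_frag != c_frag:
        problems.append(f"fragment size differs: server {s_frag}, client {c_frag}")

    s_mtu, c_mtu = _int_arg(server, "tun-mtu"), _int_arg(client, "tun-mtu")
    if s_mtu is not None and c_mtu is not None and s_mtu != c_mtu:
        problems.append(f"tun-mtu differs: server {s_mtu}, client {c_mtu}")
    return problems


# Constructed sample configs (not from the post). The client carries the
# tun-mtu/fragment/mssfix lines quoted in the post; the "broken" server has a
# TCP listener plus fragment, the "fixed" server is UDP-only and matches.
CLIENT_CFG = """
client
dev tun
proto udp
remote vpn.example.invalid 1194
tun-mtu 1500
fragment 1300
mssfix
<ca>
-----BEGIN CERTIFICATE-----
(placeholder, constructed)
-----END CERTIFICATE-----
</ca>
"""

SERVER_CFG_BROKEN = """
port 443
proto tcp-server
dev tun
fragment 1300
server 10.8.0.0 255.255.255.0
"""

SERVER_CFG_FIXED = """
port 1194
proto udp
dev tun
tun-mtu 1500
fragment 1300
mssfix
server 10.8.0.0 255.255.255.0
"""

if __name__ == "__main__":
    for label, srv in (("broken", SERVER_CFG_BROKEN), ("fixed", SERVER_CFG_FIXED)):
        issues = check_fragment_settings(srv, CLIENT_CFG)
        print(f"{label}: {'OK' if not issues else 'problems found'}")
        for problem in issues:
            print("  -", problem)
```

Run it against the real server.conf and client .ovpn files with `check_fragment_settings(open(server).read(), open(client).read())`; an empty list means both ends agree on proto, fragment and tun-mtu, which is the precondition for the fragment/mssfix experiment in the post to get past the TLS handshake at all.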