Authenticate/Decrypt packet error

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Authenticate/Decrypt packet error

Post by Tom7320 » Wed May 09, 2018 7:25 am

OK. I will set up a VM with Ubuntu server and OpenVPN 2.4.x to test things. It might take a couple of days, so please be patient.... ;-)

In my eyes the most important thing is to fix the log viewing crash issue since I am kind of blind without the log file... :-(

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Authenticate/Decrypt packet error

Post by Tom7320 » Thu May 10, 2018 10:53 am

TinCanTech wrote:
Mon May 07, 2018 3:35 pm
Can you give full details of your device ? iOS Versions, device name/version etc .. as much detail as you can find. I do not know enough about iOS to identify what you are using but it is possible some incompatibility or even bug has got into openvpn .. This is why we need as much detail as you can give :geek:
Here are the infos of one of the iOS devices:

Code:

Operating System:
- system: iOS 11.3.1
- system build: 15E302
- multitasking support: Yes
- kernel: Darwin 17.5.0

Device Information:
- device: iPad Air 2 
- device ID: iPad5,4 
- model: J82AP 
- name: iPad 
- hostname: iPad 

CPU Information:
- CPU model: Apple A8X 
- GPU model: PowerVR G6850 
- motion coprocessor: M8 
- core number: 3 
- CPU architecture: 64-bit 
- CPU frequency: 1500 MHz 
- TB frequency: 24 MHz 
- L1 cache size: 64 KB 
- L1D cache size: 64 KB 
- L2 cache size: 2048 KB 
- byteorder: 1234 
- cacheline: 64 

Hardware Features:
- display resolution: 2048 x 1536 
- pixel density: 264 ppi 
- battery voltage: 3.75 V 
- battery capacity: 7340 mAh 
- rear camera: 8 MP 
- front camera: 1.2 MP 
- touchscreen: Yes 
- microphone: Yes 
- speaker: Yes 
- wi-fi: Yes 
- bluetooth: Yes 
- nfc: No 
- accelerometer: Yes 
- gyroscopic sensor: Yes 
- ambient light sensor: Yes 
- proximity sensor: No 
- fingerprint sensor: Yes 
- magnetometer: Yes 
- barometer: Yes 
- phone: No 
- GPS: Yes
TinCanTech wrote:
Mon May 07, 2018 3:35 pm
Also, please try a --proto tcp tunnel, the result of that can give some very useful indicators ..
Unfortunately I can't do that at the moment since I have to ask the network admin to configure the network's firewall to allow tcp traffic for OpenVPN.
TinCanTech wrote:
Mon May 07, 2018 3:35 pm
Edit: Also, just an idea .. can you try running the server on a Linux PC .. not your ARM Raspberry Pi.
(alternatively, I could give you a temporary account on my system)
I spent half the day trying out a few things:
  • I set up an Ubuntu 18.04 LTS (Bionic Beaver) server on a local VM in my LAN (VirtualBox, OpenVPN version 2.4.4)
  • I cloned the Raspberry server's SSD to set up an exact clone in my own LAN
In both cases the only things I changed were the IP addresses of the machines, and I commented out the push "route...." and route statements in the server's config:

Code:

proto udp
port 1194
dev tun
server 10.205.76.0 255.255.255.0
topology subnet
persist-key
persist-tun
keepalive 10 60
#duplicate-cn
#ccd-exclusive
user nobody
group nogroup
daemon
verb 4
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
remote-cert-tls client
management 127.0.0.1 5555

client-config-dir /etc/openvpn/ccd
tls-auth          /etc/openvpn/keys/ta.key 0
dh                /etc/openvpn/keys/dh2048.pem
pkcs12            /etc/openvpn/keys/OpenVPN_PAW_Server.p12
crl-verify        /etc/openvpn/keys/OpenVPN_PAW_CRL.pem

#push "route 192.168.193.0 255.255.255.0"
#route 192.168.0.0 255.255.255.0

#client-connect    /etc/openvpn/statuschange.sh
#client-disconnect /etc/openvpn/statuschange.sh
#script-security 2
In both cases I had NO errors at all when connecting with the iOS devices. I also never had any problems when connecting with a Windows Notebook (WLAN, 4G).

Thus my conclusions are (unfortunately contradictory):
  • There must be a problem "in between", e.g. concerning the routers on the way. Since the problem exists no matter what connection I use (4G, WLAN), it could be a problem on the server side. Is it possible that a router causes the problem? QoS? Firewall? I don't know...
  • The problem does not occur on a Windows Notebook (WLAN and 4G). Thus I still think it is a problem concerning the iOS App?!
As I said: the main problem is the crashing app since I cannot see the log files!

Here is a complete log of a session with the local Raspberry server and one of the iOS devices:

Code:

May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: MULTI: multi_create_instance called
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 Re-using SSL/TLS context
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 Control Channel MTU parms [ L:1621 D:1172 EF:78 EB:0 ET:0 EL:3 ]
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto
UDPv4,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1
500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 TLS: Initial packet from [AF_INET]192.168.0.143:52227, sid=f30ac251 100c2e74
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 VERIFY OK: depth=1, C=DE, ST=RLP, L=Sprendlingen, O=Praxis am Wißberg, OU=IT, CN=
OpenVPN_PAW_CA, emailAddress=paw@fenta.org
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 Validating certificate key usage
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 ++ Certificate has key usage  0080, expects 0080
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 VERIFY KU OK
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 Validating certificate extended key usage
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Clien
t Authentication
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 VERIFY EKU OK
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 VERIFY OK: depth=0, C=DE, ST=RLP, L=Sprendlingen, O=Praxis am Wißberg, OU=IT, CN=
OpenVPN_PAW_ts, emailAddress=paw@fenta.org
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.2.9-0
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 peer info: IV_VER=3.2
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 peer info: IV_PLAT=ios
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 peer info: IV_NCP=2
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 peer info: IV_TCPNL=1
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 peer info: IV_PROTO=2
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 peer info: IV_AUTO_SESS=1
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bi
t RSA
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 [OpenVPN_PAW_ts] Peer Connection Initiated with [AF_INET]192.168.0.143:52227
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/192.168.0.143:52227 MULTI_sva: pool returned IPv4=10.205.76.2, IPv6=(Not enabled)
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/192.168.0.143:52227 MULTI: Learn: 10.205.76.2 -> OpenVPN_PAW_ts/192.168.0.143:52227
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/192.168.0.143:52227 MULTI: primary virtual IP for OpenVPN_PAW_ts/192.168.0.143:52227:
10.205.76.2
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/192.168.0.143:52227 PUSH: Received control message: 'PUSH_REQUEST'
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/192.168.0.143:52227 SENT CONTROL [OpenVPN_PAW_ts]: 'PUSH_REPLY,route-gateway 10.205.76
.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.205.76.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/192.168.0.143:52227 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/192.168.0.143:52227 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bi
t key
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/192.168.0.143:52227 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bi
t key
May 10 12:50:27 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/192.168.0.143:52227 SIGTERM[soft,remote-exit] received, client-instance exiting
Is there anything else I can do to help to find the problem?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Authenticate/Decrypt packet error

Post by TinCanTech » Thu May 10, 2018 11:57 am

Tom7320 wrote:
Thu May 10, 2018 10:53 am
Here are the infos of one of the iOS devices:

Code:

Operating System:
- system: iOS 11.3.1
- system build: 15E302
- multitasking support: Yes
- kernel: Darwin 17.5.0

Device Information:
- device: iPad Air 2 
- device ID: iPad5,4 
- model: J82AP 
- name: iPad 
- hostname: iPad 

CPU Information:
- CPU model: Apple A8X 
- GPU model: PowerVR G6850 
- motion coprocessor: M8 
- core number: 3 
- CPU architecture: 64-bit 
- CPU frequency: 1500 MHz 
- TB frequency: 24 MHz 
- L1 cache size: 64 KB 
- L1D cache size: 64 KB 
- L2 cache size: 2048 KB 
- byteorder: 1234 
- cacheline: 64 

Hardware Features:
- display resolution: 2048 x 1536 
- pixel density: 264 ppi 
- battery voltage: 3.75 V 
- battery capacity: 7340 mAh 
- rear camera: 8 MP 
- front camera: 1.2 MP 
- touchscreen: Yes 
- microphone: Yes 
- speaker: Yes 
- wi-fi: Yes 
- bluetooth: Yes 
- nfc: No 
- accelerometer: Yes 
- gyroscopic sensor: Yes 
- ambient light sensor: Yes 
- proximity sensor: No 
- fingerprint sensor: Yes 
- magnetometer: Yes 
- barometer: Yes 
- phone: No 
- GPS: Yes
Thanks for this.
Tom7320 wrote:
Thu May 10, 2018 10:53 am
TinCanTech wrote:
Mon May 07, 2018 3:35 pm
Also, please try a --proto tcp tunnel, the result of that can give some very useful indicators ..
Unfortunately I can't do that at the moment since I have to ask the network admin to configure the network's firewall to allow tcp traffic for OpenVPN.
This is also the person you should be asking for help.
Tom7320 wrote:
Thu May 10, 2018 10:53 am
I spent half the day trying out a few things:
  • I set up an Ubuntu 18.04 LTS (Bionic Beaver) server on a local VM in my LAN (VirtualBox, OpenVPN version 2.4.4)
  • I cloned the Raspberry server's SSD to set up an exact clone in my own LAN
In both cases the only things I changed were the IP addresses of the machines, and I commented out the push "route...." and route statements in the server's config:

<snip>

In both cases I had NO errors at all when connecting with the iOS devices. I also never had any problems when connecting with a Windows Notebook (WLAN, 4G).

Thus my conclusions are (unfortunately contradictory):
  • There must be a problem "in between", e.g. concerning the routers on the way. Since the problem exists no matter what connection I use (4G, WLAN), it could be a problem on the server side. Is it possible that a router causes the problem? QoS? Firewall? I don't know...
  • The problem does not occur on a Windows Notebook (WLAN and 4G). Thus I still think it is a problem concerning the iOS App?!
Networks are very complex things and it is entirely possible there is a fault between your client and server.

This is the problem as I see it:
  • Packet errors:
    There is very likely some network problem between your client and server, I cannot help with that, ask your network administrator for advice. This problem does not appear to be fatal as your VPN still essentially works, so if you cannot find a solution you may just have to live with it ..
  • App crashing when viewing log:
    I have no idea what this problem is caused by and neither do the two developers that have been following this thread. It appears to be localized to your devices alone because nobody else has ever reported this problem.
I have been informed that there will be a new iOS App soon, so that may help.

There is one other thing you can try: connect the iOS device to the Mac to grab the console output during the crash. You may also be able to pull the log from the device this way.

Other than that, these problems are beyond the scope of this forum .. you may have to enlist some local expertise. Or just live with it ..
Last edited by TinCanTech on Thu May 10, 2018 11:58 am, edited 1 time in total.

bbuckm
OpenVPN User
Posts: 39
Joined: Thu Apr 26, 2018 2:45 pm

Re: Authenticate/Decrypt packet error

Post by bbuckm » Thu May 10, 2018 11:57 am

It is possible that OpenVPN server 2.4 forces settings that conflict with your client ovpn and/or are not supported on iOS, but are supported by Windows. See my note in the other thread observing:

Code:

SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Authenticate/Decrypt packet error

Post by TinCanTech » Thu May 10, 2018 11:59 am

bbuckm wrote:
Thu May 10, 2018 11:57 am
It is possible that OpenVPN server 2.4 forces settings that conflict with your client ovpn and/or are not supported on iOS, but are supported by Windows
The VPN essentially works, so this is probably not relevant.

The problems here are very complex so reading the entire thread carefully and even trying to replicate the setup may be of use.

But for me, it is beyond my scope ..

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Authenticate/Decrypt packet error

Post by Tom7320 » Thu May 10, 2018 12:27 pm

TinCanTech wrote:
Thu May 10, 2018 11:57 am
This is the problem as I see it:
  • Packet errors:
    There is very likely some network problem between your client and server, I cannot help with that, ask your network administrator for advice. This problem does not appear to be fatal as your VPN still essentially works, so if you cannot find a solution you may just have to live with it ..
  • App crashing when viewing log:
    I have no idea what this problem is caused by and neither do the two developers that have been following this thread. It appears to be localized to your devices alone because nobody else has ever reported this problem.
I have been informed that there will be a new iOS App soon, so that may help.

There is one other thing you can try: connect the iOS device to the Mac to grab the console output during the crash. You may also be able to pull the log from the device this way.

Other than that, these problems are beyond the scope of this forum .. you may have to enlist some local expertise. Or just live with it ..
THX again for your very comprehensive answer!! I asked the network admin but he has no idea what's going wrong concerning VPNs. Basically he installed the router as part of the telephone system, which is VoIP based. Is it conceivable that a router (QoS? Firewall?) is causing this kind of problem?

The VPN essentially works so I can definitely live with it! At some point I was just a little curious about finding out what's going on... :geek:

The app crashing issue is really annoying and I really hope that the new iOS app will solve this problem! I just can't believe that I am the only one who is affected by this problem??? I mean here we are talking about the very simple task of displaying a text log file....

Anyway thanks for reading and answering my questions!! I really appreciate that!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Authenticate/Decrypt packet error

Post by TinCanTech » Thu May 10, 2018 12:54 pm

Re: Packet errors:
Tom7320 wrote:
Thu May 10, 2018 12:27 pm
Is it conceivable that a router (QoS? Firewall?) is causing this kind of problems?
It could be practically any device between you and your server.

Try a TCP connection, you should get NO errors or else something is very wrong ..
Somebody trying to hack your data in flight or a broken device.
Tom7320 wrote:
Thu May 10, 2018 12:27 pm
The VPN essentially works so I can definitely live with it! At some point I was just a little curious about finding out what's going on
You can also try adjusting --replay-window as I said above.

I strongly urge you not to use --no-replay in production. But you could try for testing purposes ..

As for the App .. it's a mystery
Other than the advice above, you could lower --verb to 0 zero, which will only log fatal errors (and a few other odd bits of log). Perhaps there is too much data at --verb 4 .. You could also try configuring a specific app to open the log file, I don't know how that works on iOS but I presume it is possible.

Let us know if any of that helps.
Tom7320 wrote:
Thu May 10, 2018 12:27 pm
thanks for reading and answering my questions!! I really appreciate that!
You're welcome.

bbuckm
OpenVPN User
Posts: 39
Joined: Thu Apr 26, 2018 2:45 pm

Re: Authenticate/Decrypt packet error

Post by bbuckm » Thu May 10, 2018 6:12 pm

TinCanTech wrote:
Thu May 10, 2018 11:59 am
trying to replicate the setup may be of use.
Yes, I did indeed set up a similar client and server, but with a different configuration, and my configuration worked. That's why I think it would be interesting to see if changing the encryption parameters fixes the problem. You can see in the log that OpenVPN 2.4 selects TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384. Yet the config files contain:

Code:

cipher AES-256-CBC
auth SHA256
Does it have any effect to change this on both server and client to:

Code:

cipher AES-256-GCM
auth SHA384

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Authenticate/Decrypt packet error

Post by TinCanTech » Thu May 10, 2018 6:50 pm

bbuckm wrote:
Thu May 10, 2018 6:12 pm
You can see in the log that OpenVPN 2.4 selects TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384. Yet the config files contain:

Code:

cipher AES-256-CBC
auth SHA256
You are confusing --cipher with --tls-cipher ..

Also, neither of these affect the problem of:
TinCanTech wrote:
Mon May 07, 2018 1:59 pm
Authenticate/Decrypt packet error: bad packet ID (may be a replay)
In this case, the VPN is established and data is being passed over it .. the bad packet ID indicates that the packet ID is incorrect. Which often indicates a network problem ..
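The "bad packet ID (may be a replay)" rejection described above, and the --replay-window adjustment suggested earlier in the thread, both come from the data channel's replay window. The following Python model is an added example, not OpenVPN's packet_id code: it keeps the highest packet ID seen plus a bitmap of the IDs below it, accepts mild reordering, rejects duplicates, and rejects a packet that arrives after more newer packets than the window can remember, which is exactly what a heavily reordering path produces when the window is small. It models sequence numbers only (OpenVPN's long-form IDs also carry a timestamp); the 64-packet default is the 2.4 manual's --replay-window default, and the packet-ID streams are constructed.

```python
"""Sliding replay window of the kind OpenVPN's data channel uses to reject
duplicated or badly out-of-order packet IDs.  Added example, not OpenVPN's
packet_id code: it models sequence numbers only, without the time-stamp half
of OpenVPN's long-form packet IDs."""

ACCEPT = "accepted"
REPLAY = "bad packet ID (may be a replay): duplicate"
TOO_OLD = "bad packet ID (may be a replay): older than the window"


class ReplayWindow:
    """Highest packet ID seen so far plus a bitmap of the `size` IDs below it."""

    def __init__(self, size=64):   # 64 packets is the --replay-window default in 2.4
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        self.highest = 0           # OpenVPN packet IDs start at 1, so 0 = nothing seen
        self.bitmap = 0            # bit i set <=> ID (highest - i) has been accepted

    def check(self, pkt_id):
        """Return ACCEPT, REPLAY or TOO_OLD for one incoming packet ID."""
        if pkt_id < 1:
            raise ValueError("packet IDs start at 1")
        if pkt_id > self.highest:
            # Newer than anything seen: slide the window forward and mark it.
            shift = pkt_id - self.highest
            if shift >= self.size:
                self.bitmap = 1                       # everything older falls out
            else:
                self.bitmap = (self.bitmap << shift) | 1
            self.bitmap &= (1 << self.size) - 1       # keep only `size` bits
            self.highest = pkt_id
            return ACCEPT
        offset = self.highest - pkt_id
        if offset >= self.size:
            return TOO_OLD        # arrived after more than `size` newer packets
        bit = 1 << offset
        if self.bitmap & bit:
            return REPLAY         # this exact ID was already accepted
        self.bitmap |= bit        # late but inside the window: accept it once
        return ACCEPT


def run_stream(pkt_ids, size=64):
    """Feed a packet-ID stream through one window; return (id, verdict) pairs."""
    win = ReplayWindow(size)
    return [(pid, win.check(pid)) for pid in pkt_ids]


def rejected(pkt_ids, size=64):
    """IDs the window would log as 'bad packet ID' for this stream and size."""
    return [pid for pid, verdict in run_stream(pkt_ids, size) if verdict != ACCEPT]


if __name__ == "__main__":
    # Constructed streams: mild reordering, a duplicate, and one packet that
    # arrives after 65 newer ones (more than the default window remembers).
    delayed = [i for i in range(1, 71) if i != 5] + [5]
    print("reordered 5/4:", rejected([1, 2, 3, 5, 4, 6]))
    print("duplicate 3:  ", rejected([1, 2, 3, 3]))
    print("delayed, 64:  ", rejected(delayed, 64))
    print("delayed, 128: ", rejected(delayed, 128))
```

The last two streams are the practical point: the same delayed packet is rejected with the default window and accepted with a larger one, so a steady trickle of these warnings on a path that reorders UDP (a QoS-shaping router, for instance) is usually a window-size symptom, while a burst of duplicates is a different signal. Widening --replay-window keeps replay protection; --no-replay removes it, which is why it is only acceptable for a short test.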

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Authenticate/Decrypt packet error

Post by Pippin » Thu May 10, 2018 7:06 pm

^^^ Indeed ^^^
Was just about to write :)

The --cipher and --auth directives are used for the data channel.
--auth is also used for tls-auth control channel packets.

Code:

Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
If both sides support NCP, AES-256-GCM will be negotiated, unless --ncp-disable is specified.
See manual 2.4:
https://community.openvpn.net/openvpn/w ... n24ManPage
and:
https://github.com/OpenVPN/openvpn/blob ... hanges.rst
You can see in the log that OpenVPN 2.4 selects TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Afaik, ^^^ that ^^^ is used for the initial TLS handshake and depends on the properties of the certificates.
*
Edit: I read I get/word ^^^ this ^^^ wrong, please read --tls-cipher in manual.
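As an added example (not code from the thread or from the OpenVPN project), this Python script reads a verb 4 server log and keeps apart the three things that were being mixed up above: the --cipher/--auth the server was started with (visible in the Local Options String), the TLS suite the control channel negotiated, and the data channel cipher that NCP pushed; it also counts replay-window rejections per client. The log lines are constructed to follow the format quoted in this thread; the client names "ipad" and "laptop" and the 192.168.0.77 session are made up.

```python
"""Per-client summary of an OpenVPN 2.4 server log (verb 4): the --cipher/--auth
the server was started with, the TLS suite the control channel negotiated, the
data channel cipher NCP pushed, and the number of replay-window rejections.
Added example; not code from the thread or the OpenVPN project."""
import re
from collections import defaultdict

# Constructed sample lines in the format of the server log quoted in the thread.
# Client names "ipad"/"laptop" and the 192.168.0.77 session are made up.
SAMPLE_LOG = """\
May 10 12:50:04 openvpn ovpn-server[355]: MULTI: multi_create_instance called
May 10 12:50:04 openvpn ovpn-server[355]: 192.168.0.143:52227 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
May 10 12:50:04 openvpn ovpn-server[355]: 192.168.0.143:52227 peer info: IV_NCP=2
May 10 12:50:04 openvpn ovpn-server[355]: 192.168.0.143:52227 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
May 10 12:50:04 openvpn ovpn-server[355]: ipad/192.168.0.143:52227 SENT CONTROL [ipad]: 'PUSH_REPLY,route-gateway 10.205.76.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.205.76.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
May 10 12:50:04 openvpn ovpn-server[355]: ipad/192.168.0.143:52227 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
May 10 12:50:09 openvpn ovpn-server[355]: ipad/192.168.0.143:52227 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #17 ]
May 10 12:50:11 openvpn ovpn-server[355]: ipad/192.168.0.143:52227 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #21 ]
May 10 12:51:30 openvpn ovpn-server[355]: 192.168.0.77:40111 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
May 10 12:51:30 openvpn ovpn-server[355]: 192.168.0.77:40111 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
May 10 12:51:30 openvpn ovpn-server[355]: laptop/192.168.0.77:40111 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
May 10 12:51:30 openvpn ovpn-server[355]: laptop/192.168.0.77:40111 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
"""

# syslog prefix, then "[common_name/]ip:port message"; server-wide lines do not match
LINE_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ \S+\[\d+\]: "
    r"(?:(?P<cn>[^/\s]+)/)?(?P<addr>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<msg>.*)$")
OPTIONS_RE = re.compile(r"Local Options String .*?cipher ([^,']+),auth ([^,']+)")
NCP_RE = re.compile(r"peer info: IV_NCP=(\d+)")
CONTROL_RE = re.compile(r"Control Channel: (.+)$")          # not the "MTU parms" line
PUSH_RE = re.compile(r"PUSH_REPLY,.*?\bcipher ([^,']+)")
DATA_CIPHER_RE = re.compile(r"Data Channel(?: Encrypt| Decrypt)?: Cipher '([^']+)'")
DATA_AUTH_RE = re.compile(r"Data Channel(?: Encrypt| Decrypt)?: Using \d+ bit message hash '([^']+)'")
REPLAY_RE = re.compile(r"Authenticate/Decrypt packet error: bad packet ID")


def new_session():
    return {"cn": None, "configured_cipher": None, "configured_auth": None,
            "ncp": None, "control_channel": None, "pushed_cipher": None,
            "data_cipher": None, "data_auth": None, "replay_errors": 0}


def parse_line(line):
    """(addr, common_name_or_None, message) for a per-client line, else None."""
    m = LINE_RE.match(line)
    return (m.group("addr"), m.group("cn"), m.group("msg")) if m else None


def analyze(log_text):
    """Map 'ip:port' -> session facts gathered from the log lines."""
    sessions = defaultdict(new_session)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                      # e.g. "MULTI: ..." lines carry no client
        addr, cn, msg = parsed
        s = sessions[addr]
        if cn:
            s["cn"] = cn
        m = OPTIONS_RE.search(msg)
        if m:
            s["configured_cipher"], s["configured_auth"] = m.groups()
            continue
        for key, rx in (("ncp", NCP_RE), ("control_channel", CONTROL_RE),
                        ("pushed_cipher", PUSH_RE), ("data_cipher", DATA_CIPHER_RE),
                        ("data_auth", DATA_AUTH_RE)):
            m = rx.search(msg)
            if m:
                s[key] = m.group(1)
                break
        else:                             # none of the above matched
            if REPLAY_RE.search(msg):
                s["replay_errors"] += 1
    return dict(sessions)


def findings(s):
    """Readable notes that keep control channel, data channel and NCP apart."""
    notes = []
    if s["control_channel"]:
        notes.append("control channel (TLS handshake) used %s; selected via --tls-cipher, "
                     "not --cipher" % s["control_channel"])
    if s["data_cipher"] and s["configured_cipher"] and s["data_cipher"] != s["configured_cipher"]:
        notes.append("NCP negotiated %s for the data channel, overriding --cipher %s"
                     % (s["data_cipher"], s["configured_cipher"]))
    elif s["data_cipher"]:
        notes.append("data channel used the configured --cipher %s with --auth %s"
                     % (s["data_cipher"], s["data_auth"] or s["configured_auth"]))
    if s["replay_errors"]:
        notes.append("%d packet(s) rejected by the replay window (bad packet ID)" % s["replay_errors"])
    return notes


if __name__ == "__main__":
    for addr, s in analyze(SAMPLE_LOG).items():
        print("%s (%s)" % (addr, s["cn"]))
        for note in findings(s):
            print("  -", note)
```

Run it against a real server log (`analyze(open("/var/log/syslog").read())`, path assumed) to see, per client, that the data channel cipher reported after PUSH_REPLY is the NCP result for clients that send IV_NCP=2, that it equals the configured --cipher for clients that do not, and that the TLS suite on the Control Channel line is unrelated to either.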

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Authenticate/Decrypt packet error

Post by Tom7320 » Mon May 21, 2018 5:07 pm

Is it safe to just omit the --cipher and --auth statements and let OpenVPN decide by itself?

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Authenticate/Decrypt packet error

Post by Tom7320 » Mon May 21, 2018 5:42 pm

PS: This is a session with --cipher and --auth commented out:

Code:

May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: MULTI: multi_create_instance called
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 Re-using SSL/TLS context
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto
 UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu
1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 TLS: Initial packet from [AF_INET]93.221.143.162:59084, sid=a6f2298b a614bd18
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 VERIFY OK: depth=1, C=DE, ST=RLP, L=Sprendlingen, O=Praxis am Wißberg, OU=IT, CN
=OpenVPN_PAW_CA, emailAddress=paw@fenta.org
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 Validating certificate key usage
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 ++ Certificate has key usage  0080, expects 0080
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 VERIFY KU OK
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 Validating certificate extended key usage
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Clie
nt Authentication
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 VERIFY EKU OK
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 VERIFY OK: depth=0, C=DE, ST=RLP, L=Sprendlingen, O=Praxis am Wißberg, OU=IT, CN
=OpenVPN_PAW_ts, emailAddress=paw@fenta.org
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.2.9-0
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 peer info: IV_VER=3.2
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 peer info: IV_PLAT=ios
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 peer info: IV_NCP=2
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 peer info: IV_TCPNL=1
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 peer info: IV_PROTO=2
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 peer info: IV_AUTO_SESS=1
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 peer info: IV_BS64DL=1
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 b
it RSA
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 [OpenVPN_PAW_ts] Peer Connection Initiated with [AF_INET]93.221.143.162:59084
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/93.221.143.162:59084 MULTI_sva: pool returned IPv4=10.205.76.3, IPv6=(Not enabled)
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/93.221.143.162:59084 MULTI: Learn: 10.205.76.3 -> OpenVPN_PAW_ts/93.221.143.162:59084
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/93.221.143.162:59084 MULTI: primary virtual IP for OpenVPN_PAW_ts/93.221.143.162:59084
: 10.205.76.3
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/93.221.143.162:59084 PUSH: Received control message: 'PUSH_REQUEST'
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/93.221.143.162:59084 SENT CONTROL [OpenVPN_PAW_ts]: 'PUSH_REPLY,route 192.168.193.0 25
5.255.255.0,route-gateway 10.205.76.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.205.76.3 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/93.221.143.162:59084 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/93.221.143.162:59084 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 b
it key
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/93.221.143.162:59084 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 b
it key
May 21 19:41:14 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/93.221.143.162:59084 SIGTERM[soft,remote-exit] received, client-instance exiting

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Authenticate/Decrypt packet error

Post by Tom7320 » Mon May 21, 2018 6:48 pm

Eureka! I found it!!! We are on a totally wrong track! The problem is this at the end of my config:

Code:

client-connect    /etc/openvpn/statuschange.sh
client-disconnect /etc/openvpn/statuschange.sh
script-security 2
statuschange.sh:

Code:

#!/bin/bash
# Run by OpenVPN as --client-connect / --client-disconnect; script_type,
# common_name, untrusted_ip, proto_1, time_duration and time_ascii come
# from the environment OpenVPN sets for these hooks.

pref="<b>paw-openvpn:</b>"
now=$(date)

if [ "$script_type" = "client-connect" ]; then
    telegram-send -g --format html "$pref $now $script_type $common_name @ $untrusted_ip via $proto_1"

elif [ "$script_type" = "client-disconnect" ]; then
    # time_duration is the session length in seconds; render it as "N day(s) hh:mm:ss"
    dur=$(echo "$time_duration" | awk '{printf("%d day(s) %02d:%02d:%02d hh:mm:ss\n",($1/60/60/24),($1/60/60%24),($1/60%60),($1%60))}')
    telegram-send -g --format html "$pref $now $script_type $common_name @ $untrusted_ip via $proto_1 (connected since $time_ascii [$dur])"

else
    telegram-send -g --format html "$pref $now $script_type"

fi

exit 0
As soon as I comment out the client-connect|disconnect scripts it works as expected! As soon as I allow script execution I have the mentioned errors in the log!

Now the question is: why?!?!?!?

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Authenticate/Decrypt packet error

Post by ordex » Fri Jun 22, 2018 9:03 am

Would you try using

Code:

cipher AES-256-GCM
in your iOS device config file and remove entirely the "auth" directive, please?
Maybe something is bogus with NCP on the Connect App (NCP was introduced with 2.4.x)
