Authenticate/Decrypt packet error

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Authenticate/Decrypt packet error

Post by Tom7320 » Thu Apr 26, 2018 8:30 am

Hi!

Recently I have two problems with the iOS app:

First there are a lot of "Authenticate/Decrypt packet error: bad packet ID (may be a replay)" and following "TLS Error: incoming packet authentication failed from [AF_INET]" errors in the server log. Here is a (reduced) log of a session:

Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 TLS: Initial packet from [AF_INET]93.221.134.138:49512, sid=90625056 80ee0ef3
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 VERIFY OK: depth=1, C=DE, ST=RLP, L=Sprendlingen, O=Praxis am Wißberg, OU=IT, CN=OpenVPN_PAW_CA, emailAddress=paw@fenta.org
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 Validating certificate key usage
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 ++ Certificate has key usage  0080, expects 0080
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 VERIFY KU OK
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 Validating certificate extended key usage
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 VERIFY EKU OK
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 VERIFY OK: depth=0, C=DE, ST=RLP, L=Sprendlingen, O=Praxis am Wißberg, OU=IT, CN=OpenVPN_PAW_ts, emailAddress=paw@fenta.org
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.2.9-0
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 peer info: IV_VER=3.2
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 peer info: IV_PLAT=ios
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 peer info: IV_NCP=2
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 peer info: IV_TCPNL=1
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 peer info: IV_PROTO=2
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 peer info: IV_AUTO_SESS=1
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 [OpenVPN_PAW_ts] Peer Connection Initiated with [AF_INET]93.221.134.138:49512
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 MULTI_sva: pool returned IPv4=10.205.76.3, IPv6=(Not enabled)
Apr 26 10:16:38 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_f9a82f3430d0ccff686693203517f495.tmp
Apr 26 10:16:38 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 MULTI: Learn: 10.205.76.3 -> OpenVPN_PAW_ts/93.221.134.138:49512
Apr 26 10:16:38 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 MULTI: primary virtual IP for OpenVPN_PAW_ts/93.221.134.138:49512: 10.205.76.3
Apr 26 10:16:38 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 PUSH: Received control message: 'PUSH_REQUEST'
Apr 26 10:16:38 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 SENT CONTROL [OpenVPN_PAW_ts]: 'PUSH_REPLY,route 192.168.193.0 255.255.255.0,route-gateway 10.205.76.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.205.76.3 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
Apr 26 10:16:38 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 26 10:16:38 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 26 10:16:38 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #9 / time = (1524730596) Thu Apr 26 10:16:36 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Apr 26 10:16:38 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 TLS Error: incoming packet authentication failed from [AF_INET]93.221.134.138:49512
Apr 26 10:16:38 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 PUSH: Received control message: 'PUSH_REQUEST'
Apr 26 10:16:39 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #9 / time = (1524730596) Thu Apr 26 10:16:36 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Apr 26 10:16:39 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 TLS Error: incoming packet authentication failed from [AF_INET]93.221.134.138:49512
Apr 26 10:16:39 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #10 / time = (1524730596) Thu Apr 26 10:16:36 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Apr 26 10:16:39 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 TLS Error: incoming packet authentication failed from [AF_INET]93.221.134.138:49512
Apr 26 10:16:46 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 SIGTERM[soft,remote-exit] received, client-instance exiting

The exact same config file on a client Windows notebook _does not_ produce any Auth/Decrypt packet errors?!

Thus I wanted to see what's going on and tried to have a look at the log on the iOS device. But unfortunately the app crashes reproducibly as soon as I open the log viewer within the app.

Here is the server config (2.4.0 on raspbian):

server

proto udp
port 1194
dev tun
server 10.205.76.0 255.255.255.0
topology subnet
persist-key
persist-tun
keepalive 10 60
#duplicate-cn
#ccd-exclusive
user nobody
group nogroup
daemon
verb 3
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
remote-cert-tls client
management 127.0.0.1 5555

client-config-dir /etc/openvpn/ccd
tls-auth /etc/openvpn/keys/ta.key 0
dh /etc/openvpn/keys/dh2048.pem
pkcs12 /etc/openvpn/keys/OpenVPN_PAW_Server.p12
crl-verify /etc/openvpn/keys/OpenVPN_PAW_CRL.pem

push "route 192.168.193.0 255.255.255.0"
route 192.168.0.0 255.255.255.0

client-connect /etc/openvpn/statuschange.sh
client-disconnect /etc/openvpn/statuschange.sh
script-security 2


The client's config:

client

proto udp
port 1194
dev tun
client
remote remote.site.com
nobind
key-direction 1
verb 3
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
remote-cert-tls server

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
...
</key>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>


Are these known problems? Is there a solution available?

THX a lot!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Authenticate/Decrypt packet error

Post by TinCanTech » Thu Apr 26, 2018 2:07 pm

Try adding to the server config --ncp-disable

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Authenticate/Decrypt packet error

Post by Tom7320 » Thu Apr 26, 2018 2:15 pm

Thx for answering but unfortunately no effect.
BTW exact same config works without errors with 2.3.10 server version.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Authenticate/Decrypt packet error

Post by TinCanTech » Thu Apr 26, 2018 2:19 pm

Is it an old iOS device ?

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Authenticate/Decrypt packet error

Post by Tom7320 » Thu Apr 26, 2018 3:47 pm

I tested with iPad Air 2 and iPhone 6s. Both with recent iOS 11.3.1. Same behavior.
It's ok with openvpn server 2.3.10, but not with 2.4.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Authenticate/Decrypt packet error

Post by TinCanTech » Thu Apr 26, 2018 5:18 pm

Please post a client log from a device that does not work.

Also this sounds similar to this:
viewtopic.php?f=36&t=26208

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Authenticate/Decrypt packet error

Post by Tom7320 » Thu Apr 26, 2018 6:18 pm

Well, as I said, unfortunately I cannot see the log since the app always crashes as soon as I try to show the log. Is there another way to see the log files?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Authenticate/Decrypt packet error

Post by TinCanTech » Thu Apr 26, 2018 6:26 pm

Tom7320 wrote:
Thu Apr 26, 2018 3:47 pm
I tested with iPad Air 2 and iPhone 6s. Both with recent iOS 11.3.1. Same behavior.
Any log ..

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Authenticate/Decrypt packet error

Post by Tom7320 » Thu Apr 26, 2018 7:29 pm

This is a connection from a Windows client to the 2.4.0 server:

Thu Apr 26 21:27:34 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Thu Apr 26 21:27:34 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Apr 26 21:27:34 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Enter Management Password:
Thu Apr 26 21:27:34 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Apr 26 21:27:34 2018 Need hold release from management interface, waiting...
Thu Apr 26 21:27:34 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Apr 26 21:27:35 2018 MANAGEMENT: CMD 'state on'
Thu Apr 26 21:27:35 2018 MANAGEMENT: CMD 'log all on'
Thu Apr 26 21:27:35 2018 MANAGEMENT: CMD 'echo all on'
Thu Apr 26 21:27:35 2018 MANAGEMENT: CMD 'hold off'
Thu Apr 26 21:27:35 2018 MANAGEMENT: CMD 'hold release'
Thu Apr 26 21:27:35 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Apr 26 21:27:35 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Apr 26 21:27:35 2018 MANAGEMENT: >STATE:1524770855,RESOLVE,,,,,,
Thu Apr 26 21:27:35 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]93.221.134.162:1194
Thu Apr 26 21:27:35 2018 Socket Buffers: R=[65536->65536] S=[64512->64512]
Thu Apr 26 21:27:35 2018 UDP link local: (not bound)
Thu Apr 26 21:27:35 2018 UDP link remote: [AF_INET]93.221.134.162:1194
Thu Apr 26 21:27:35 2018 MANAGEMENT: >STATE:1524770855,WAIT,,,,,,
Thu Apr 26 21:27:35 2018 MANAGEMENT: >STATE:1524770855,AUTH,,,,,,
Thu Apr 26 21:27:35 2018 TLS: Initial packet from [AF_INET]93.221.134.162:1194, sid=edd58e78 1632ae62
Thu Apr 26 21:27:35 2018 VERIFY OK: depth=1, C=DE, ST=RLP, L=Sprendlingen, O=Praxis am Wißberg, OU=IT, CN=OpenVPN_PAW_CA, emailAddress=paw@fenta.org
Thu Apr 26 21:27:35 2018 VERIFY KU OK
Thu Apr 26 21:27:35 2018 Validating certificate extended key usage
Thu Apr 26 21:27:35 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Apr 26 21:27:35 2018 VERIFY EKU OK
Thu Apr 26 21:27:35 2018 VERIFY OK: depth=0, C=DE, ST=RLP, L=Sprendlingen, O=Praxis am Wißberg, OU=IT, CN=OpenVPN_PAW_Server, emailAddress=paw@fenta.org
Thu Apr 26 21:27:35 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Apr 26 21:27:35 2018 [OpenVPN_PAW_Server] Peer Connection Initiated with [AF_INET]93.221.134.162:1194
Thu Apr 26 21:27:36 2018 MANAGEMENT: >STATE:1524770856,GET_CONFIG,,,,,,
Thu Apr 26 21:27:36 2018 SENT CONTROL [OpenVPN_PAW_Server]: 'PUSH_REQUEST' (status=1)
Thu Apr 26 21:27:37 2018 PUSH: Received control message: 'PUSH_REPLY,route 192.168.193.0 255.255.255.0,route-gateway 10.205.76.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.205.76.3 255.255.255.0,peer-id 1,cipher AES-256-GCM'
Thu Apr 26 21:27:37 2018 OPTIONS IMPORT: timers and/or timeouts modified
Thu Apr 26 21:27:37 2018 OPTIONS IMPORT: --ifconfig/up options modified
Thu Apr 26 21:27:37 2018 OPTIONS IMPORT: route options modified
Thu Apr 26 21:27:37 2018 OPTIONS IMPORT: route-related options modified
Thu Apr 26 21:27:37 2018 OPTIONS IMPORT: peer-id set
Thu Apr 26 21:27:37 2018 OPTIONS IMPORT: adjusting link_mtu to 1624
Thu Apr 26 21:27:37 2018 OPTIONS IMPORT: data channel crypto options modified
Thu Apr 26 21:27:37 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Apr 26 21:27:37 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Apr 26 21:27:37 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Apr 26 21:27:37 2018 interactive service msg_channel=660
Thu Apr 26 21:27:37 2018 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 I=8 HWADDR=00:22:4d:aa:94:21
Thu Apr 26 21:27:37 2018 open_tun
Thu Apr 26 21:27:37 2018 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{B202F078-0016-4AAB-867F-670016FE15A8}.tap
Thu Apr 26 21:27:37 2018 TAP-Windows Driver Version 9.21 
Thu Apr 26 21:27:37 2018 Set TAP-Windows TUN subnet mode network/local/netmask = 10.205.76.0/10.205.76.3/255.255.255.0 [SUCCEEDED]
Thu Apr 26 21:27:37 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.205.76.3/255.255.255.0 on interface {B202F078-0016-4AAB-867F-670016FE15A8} [DHCP-serv: 10.205.76.254, lease-time: 31536000]
Thu Apr 26 21:27:37 2018 Successful ARP Flush on interface [7] {B202F078-0016-4AAB-867F-670016FE15A8}
Thu Apr 26 21:27:37 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Apr 26 21:27:37 2018 MANAGEMENT: >STATE:1524770857,ASSIGN_IP,,10.205.76.3,,,,
Thu Apr 26 21:27:42 2018 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Thu Apr 26 21:27:42 2018 MANAGEMENT: >STATE:1524770862,ADD_ROUTES,,,,,,
Thu Apr 26 21:27:42 2018 C:\WINDOWS\system32\route.exe ADD 192.168.193.0 MASK 255.255.255.0 10.205.76.1
Thu Apr 26 21:27:42 2018 Route addition via service succeeded
Thu Apr 26 21:27:42 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Apr 26 21:27:42 2018 Initialization Sequence Completed
Thu Apr 26 21:27:42 2018 MANAGEMENT: >STATE:1524770862,CONNECTED,SUCCESS,10.205.76.3,93.221.134.162,1194,,
Thu Apr 26 21:27:49 2018 C:\WINDOWS\system32\route.exe DELETE 192.168.193.0 MASK 255.255.255.0 10.205.76.1
Thu Apr 26 21:27:49 2018 Route deletion via service succeeded
Thu Apr 26 21:27:49 2018 Closing TUN/TAP interface
Thu Apr 26 21:27:49 2018 TAP: DHCP address released
Thu Apr 26 21:27:49 2018 SIGTERM[hard,] received, process exiting
Thu Apr 26 21:27:49 2018 MANAGEMENT: >STATE:1524770869,EXITING,SIGTERM,,,,,

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Authenticate/Decrypt packet error

Post by Tom7320 » Fri Apr 27, 2018 7:17 am

Addendum:
In my opinion the app must have at least a bug regarding the crash while showing the log! This used to work in earlier versions of the app! Is there another way to show the log files?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Authenticate/Decrypt packet error

Post by TinCanTech » Fri Apr 27, 2018 11:38 am

Tom7320 wrote:
Fri Apr 27, 2018 7:17 am
the app must have at least a bug regarding the crash while showing the log!
You are the only person to report this problem ..
Tom7320 wrote:
Fri Apr 27, 2018 7:17 am
Is there another way to show the log files?
Use one of the logs from one of these:
Tom7320 wrote:
Thu Apr 26, 2018 3:47 pm
I tested with iPad Air 2 and iPhone 6s. Both with recent iOS 11.3.1. Same behavior.
Not the Windows client which obviously connects .....

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Authenticate/Decrypt packet error

Post by Tom7320 » Fri Apr 27, 2018 3:58 pm

Well the app crashes reproducibly on _four_ tested iOS devices as soon as I want to show the log file!! If you don't believe me here is a very short video:

https://nextcloud.steinbrenner-lahn.de/ ... eYQQLrt76n

The app connects. In the server log I find the mentioned errors.

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Authenticate/Decrypt packet error

Post by Tom7320 » Wed May 02, 2018 4:57 am

Is there a place where I can submit a ticket concerning the two issues I have with the iOS app?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Authenticate/Decrypt packet error

Post by TinCanTech » Sun May 06, 2018 6:27 pm

TinCanTech wrote:
Thu Apr 26, 2018 2:07 pm
Try adding to the server config --ncp-disable
Also, restart the server after making the change.
Tom7320 wrote:
Thu Apr 26, 2018 2:15 pm
Thx for answering but unfortunately no effect.
BTW exact same config works without errors with 2.3.10 server version.
But you did not post any log ..

And then:
Tom7320 wrote:
Thu Apr 26, 2018 7:29 pm
This is a connection from a Windows client to the 2.4.0 server:

Thu Apr 26 21:27:34 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Thu Apr 26 21:27:34 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Apr 26 21:27:34 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10

Thu Apr 26 21:27:37 2018 PUSH: Received control message: 'PUSH_REPLY,route 192.168.193.0 255.255.255.0,route-gateway 10.205.76.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.205.76.3 255.255.255.0,peer-id 1,cipher AES-256-GCM'

Thu Apr 26 21:27:37 2018 OPTIONS IMPORT: data channel crypto options modified
Thu Apr 26 21:27:37 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Apr 26 21:27:37 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Apr 26 21:27:37 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

** Negotiated Cipher Protocol is still in use **

In order to rule out an NCP error:
  • Please disable Negotiated Cipher Protocol by using --ncp-disable in your server config.
    And post the server log @ verb 4 of a connection attempt from one of your afflicted devices ..

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Authenticate/Decrypt packet error

Post by Tom7320 » Mon May 07, 2018 6:59 am

OK. I added ncp-disable and verb 4 and restarted the server. Here is a connection log:

May  7 08:57:21 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: MULTI: multi_create_instance called
May  7 08:57:21 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 Re-using SSL/TLS context
May  7 08:57:21 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 Control Channel MTU parms [ L:1621 D:1172 EF:78 EB:0 ET:0 EL:3 ]
May  7 08:57:21 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
May  7 08:57:21 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
May  7 08:57:21 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
May  7 08:57:21 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 TLS: Initial packet from [AF_INET]93.221.143.162:55604, sid=f887bbe3 2f7b6fb5
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 VERIFY OK: depth=1, C=DE, ST=RLP, L=Sprendlingen, O=Praxis am Wißberg, OU=IT, CN=OpenVPN_PAW_CA, emailAddress=paw@fenta.org
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 Validating certificate key usage
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 ++ Certificate has key usage  0080, expects 0080
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 VERIFY KU OK
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 Validating certificate extended key usage
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 VERIFY EKU OK
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 VERIFY OK: depth=0, C=DE, ST=RLP, L=Sprendlingen, O=Praxis am Wißberg, OU=IT, CN=OpenVPN_PAW_ts, emailAddress=paw@fenta.org
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.2.9-0
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 peer info: IV_VER=3.2
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 peer info: IV_PLAT=ios
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 peer info: IV_NCP=2
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 peer info: IV_TCPNL=1
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 peer info: IV_PROTO=2
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 peer info: IV_AUTO_SESS=1
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: 93.221.143.162:55604 [OpenVPN_PAW_ts] Peer Connection Initiated with [AF_INET]93.221.143.162:55604
May  7 08:57:22 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: OpenVPN_PAW_ts/93.221.143.162:55604 MULTI_sva: pool returned IPv4=10.205.76.3, IPv6=(Not enabled)
May  7 08:57:24 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: OpenVPN_PAW_ts/93.221.143.162:55604 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_f8ce32f1eb327d5649a5f9daca5d7458.tmp
May  7 08:57:24 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: OpenVPN_PAW_ts/93.221.143.162:55604 MULTI: Learn: 10.205.76.3 -> OpenVPN_PAW_ts/93.221.143.162:55604
May  7 08:57:24 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: OpenVPN_PAW_ts/93.221.143.162:55604 MULTI: primary virtual IP for OpenVPN_PAW_ts/93.221.143.162:55604: 10.205.76.3
May  7 08:57:24 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: OpenVPN_PAW_ts/93.221.143.162:55604 PUSH: Received control message: 'PUSH_REQUEST'
May  7 08:57:24 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: OpenVPN_PAW_ts/93.221.143.162:55604 SENT CONTROL [OpenVPN_PAW_ts]: 'PUSH_REPLY,route 192.168.193.0 255.255.255.0,route-gateway 10.205.76.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.205.76.3 255.255.255.0,peer-id 1' (status=1)
May  7 08:57:24 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: OpenVPN_PAW_ts/93.221.143.162:55604 PID_ERR replay [0] [TLS_WRAP-0] [022222233] 1525676241:9 1525676241:9 t=1525676244[0] r=[-3,64,15,0,1] sl=[55,9,64,272]
May  7 08:57:24 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: OpenVPN_PAW_ts/93.221.143.162:55604 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #9 / time = (1525676241) Mon May  7 08:57:21 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
May  7 08:57:24 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: OpenVPN_PAW_ts/93.221.143.162:55604 TLS Error: incoming packet authentication failed from [AF_INET]93.221.143.162:55604
May  7 08:57:24 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: OpenVPN_PAW_ts/93.221.143.162:55604 PUSH: Received control message: 'PUSH_REQUEST'
May  7 08:57:24 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: OpenVPN_PAW_ts/93.221.143.162:55604 PID_ERR replay-window backtrack occurred [1] [TLS_WRAP-0] [0022222233] 1525676241:10 1525676241:9 t=1525676244[0] r=[-3,64,15,1,1] sl=[54,10,64,272]
May  7 08:57:24 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: OpenVPN_PAW_ts/93.221.143.162:55604 PID_ERR replay [1] [TLS_WRAP-0] [0022222233] 1525676241:10 1525676241:9 t=1525676244[0] r=[-3,64,15,1,1] sl=[54,10,64,272]
May  7 08:57:24 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: OpenVPN_PAW_ts/93.221.143.162:55604 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #9 / time = (1525676241) Mon May  7 08:57:21 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
May  7 08:57:24 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: OpenVPN_PAW_ts/93.221.143.162:55604 TLS Error: incoming packet authentication failed from [AF_INET]93.221.143.162:55604
May  7 08:57:24 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: OpenVPN_PAW_ts/93.221.143.162:55604 PID_ERR replay [0] [TLS_WRAP-0] [0022222233] 1525676241:10 1525676241:10 t=1525676244[0] r=[-3,64,15,1,1] sl=[54,10,64,272]
May  7 08:57:24 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: OpenVPN_PAW_ts/93.221.143.162:55604 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #10 / time = (1525676241) Mon May  7 08:57:21 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
May  7 08:57:24 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: OpenVPN_PAW_ts/93.221.143.162:55604 TLS Error: incoming packet authentication failed from [AF_INET]93.221.143.162:55604
May  7 08:57:39 openvpn ovpn-OpenVPN_PAW_Server_udp[354]: OpenVPN_PAW_ts/93.221.143.162:55604 SIGTERM[soft,remote-exit] received, client-instance exiting

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Authenticate/Decrypt packet error

Post by TinCanTech » Mon May 07, 2018 11:52 am

Once you make that connection above can you ping the server ? It should be possible ..

Personally, I believe you have a virus, or something like that, on all your iOS devices ..

Or it could be that your network link, I presume WIFI, is a very poor quality ..
Can you try any other network ?

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Authenticate/Decrypt packet error

Post by Tom7320 » Mon May 07, 2018 1:12 pm

Yes fortunately I can ping the server!
Well it might be possible to have some malicious software on one of the tested devices but I think it is unlikely to have it on all tested devices!
I tested with WIFI on different locations and very fast 4G links. Same problem...

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Authenticate/Decrypt packet error

Post by TinCanTech » Mon May 07, 2018 1:59 pm

TinCanTech wrote:
Mon May 07, 2018 11:52 am
Once you make that connection above can you ping the server ? It should be possible ..
Tom7320 wrote:
Mon May 07, 2018 1:12 pm
Yes fortunately I can ping the server!
OK ..
Tom7320 wrote:
Mon May 07, 2018 6:59 am
PID_ERR replay [0] [TLS_WRAP-0] [022222233] 1525676241:9 1525676241:9 t=1525676244[0] r=[-3,64,15,0,1] sl=[55,9,64,272]

Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #9 / time = (1525676241) Mon May 7 08:57:21 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

TLS Error: incoming packet authentication failed from [AF_INET]93.221.143.162:55604
You can read about this under --replay-window in the manual, you could try adjusting that (make the values larger) but I would not use --no-replay

Also,
The Manual wrote:OpenVPN also adds TCP transport as an option (not offered by IPSec) in which case OpenVPN can adopt a very strict attitude towards message deletion and reordering: Don't allow it. Since TCP guarantees reliability, any packet loss or reordering event can be assumed to be an attack.
Try using TCP.
TinCanTech wrote:
Mon May 07, 2018 11:52 am
Personally, I believe you have a virus, or something like that, on all your iOS devices ..
Tom7320 wrote:
Mon May 07, 2018 1:12 pm
Well it might be possible to have some malicious software on one of the tested devices but I think it is unlikely to have it on all tested devices!
Tom7320 wrote:
Fri Apr 27, 2018 3:58 pm
Well the app crashes reproducibly on _four_ tested iOS devices as soon as I want to show the log file!!
It seems reasonable to me that all four of your devices have the same problem, what ever that is ..

Nobody else has ever reported this problem and even two openvpn developers are sceptical about it.

Where did you download the App from ?

Also, what country are you in ? Perhaps there are restrictions on you ..
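
The PID_ERR lines quoted in the post above carry the numbers that separate a duplicate packet ID from one that fell outside the replay window, which is what decides whether a different --replay-window value can change the outcome. The following Python script is an added example, not part of the thread or of OpenVPN; the field order it assumes (receiver's highest ID, then incoming ID, then the sequence window as the second value of r=[...]) is a reading of the log lines posted here, and the sample input is trimmed from that log.

```python
import re
from collections import Counter

# Sample input: PUSH / PID_ERR lines from the verb 4 server log in this thread,
# with the syslog host/daemon prefix trimmed and wrapped lines rejoined.
_P = "May  7 08:57:24 OpenVPN_PAW_ts/93.221.143.162:55604 "
SAMPLE_LOG = "\n".join(_P + s for s in [
    "PUSH: Received control message: 'PUSH_REQUEST'",
    "PID_ERR replay [0] [TLS_WRAP-0] [022222233] 1525676241:9 1525676241:9 "
    "t=1525676244[0] r=[-3,64,15,0,1] sl=[55,9,64,272]",
    "PUSH: Received control message: 'PUSH_REQUEST'",
    "PID_ERR replay-window backtrack occurred [1] [TLS_WRAP-0] [0022222233] "
    "1525676241:10 1525676241:9 t=1525676244[0] r=[-3,64,15,1,1] sl=[54,10,64,272]",
    "PID_ERR replay [1] [TLS_WRAP-0] [0022222233] 1525676241:10 1525676241:9 "
    "t=1525676244[0] r=[-3,64,15,1,1] sl=[54,10,64,272]",
    "PID_ERR replay [0] [TLS_WRAP-0] [0022222233] 1525676241:10 1525676241:10 "
    "t=1525676244[0] r=[-3,64,15,1,1] sl=[54,10,64,272]",
])

# Assumed layout of a PID_ERR line (inferred from the lines above):
#   <client> PID_ERR <message> [<value>] [<context>-<unit>] [<history>]
#   <highest time>:<highest id> <incoming time>:<incoming id> t=... r=[...] sl=[...]
PID_ERR = re.compile(
    r"(?P<client>\S+) PID_ERR (?P<msg>.+?) \[(?P<val>-?\d+)\] "
    r"\[(?P<ctx>[A-Za-z_ ]+?)-(?P<unit>\d+)\] \[(?P<hist>[^\]]*)\] "
    r"(?P<hi_t>\d+):(?P<hi_id>\d+) (?P<in_t>\d+):(?P<in_id>\d+)"
    r".*?r=\[(?P<r>[-\d,]+)\]"
)


def window_verdict(highest, incoming, seq_window):
    """Place an incoming packet ID relative to the sequence replay window.

    Simplified model: seq_window is the configured window size (the first
    value of --replay-window, 64 in this log).
    """
    behind = highest - incoming
    if behind < 0:
        return "ahead"            # newer than anything seen so far
    if behind >= seq_window:
        return "outside-window"   # too old to check; window size matters here
    return "inside-window"        # checkable, so a rejection means "seen before"


def parse_pid_err(log_text):
    """Return one dict per PID_ERR line found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = PID_ERR.search(line)
        if not m:
            continue
        highest, incoming = int(m["hi_id"]), int(m["in_id"])
        seq_window = int(m["r"].split(",")[1])  # assumed: r=[_, seq, time, _, _]
        events.append({
            "client": m["client"],
            "msg": m["msg"],
            "context": m["ctx"],   # TLS_WRAP: read here as the tls-auth wrapper
            "incoming": incoming,
            "behind": highest - incoming,
            "verdict": window_verdict(highest, incoming, seq_window),
        })
    return events


def summarize(log_text):
    """Summarize rejected packet IDs: how many, in which context, how far back."""
    rejected = [e for e in parse_pid_err(log_text) if e["msg"] == "replay"]
    return {
        "rejected": len(rejected),
        "rejected_ids": [e["incoming"] for e in rejected],
        "by_context": dict(Counter(e["context"] for e in rejected)),
        "verdicts": dict(Counter(e["verdict"] for e in rejected)),
        "max_behind": max((e["behind"] for e in rejected), default=0),
        "push_requests": log_text.count("'PUSH_REQUEST'"),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the lines from this thread, every rejection is in the TLS_WRAP context and at most one ID behind the highest seen, well inside the 64-packet window shown in r=[...].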

Tom7320
OpenVPN User
Posts: 38
Joined: Thu Jan 28, 2016 7:44 pm

Re: Authenticate/Decrypt packet error

Post by Tom7320 » Mon May 07, 2018 3:19 pm

Well I just did a factory reset of my iPad. After that I installed the iOS OpenVPN Connect app as the only app. Same thing. The app crashes as soon as I want to show the log. I don't even have to be connected to an OpenVPN server!!! I downloaded the app from the official Apple app store. No "hacks". Country is Germany, thus the language of the iPad is German. It used to work with an older version of the app! I also did not have the bad package ID errors with 2.3.x server. It started with 2.4 server version. Strange things....

Anyway THX for trying to help me!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Authenticate/Decrypt packet error

Post by TinCanTech » Mon May 07, 2018 3:35 pm

Tom7320 wrote:
Mon May 07, 2018 3:19 pm
Well I just did a factory reset of my iPad. After that I installed the iOS OpenVPN Connect app as the only app. Same thing. The app crashes as soon as I want to show the log.
Can you give full details of your device ? iOS Versions, device name/version etc .. as much detail as you can find. I do not know enough about iOS to identify what you are using but it is possible some incompatibility or even bug has got into openvpn .. This is why we need as much detail as you can give :geek:

Also, please try a --proto tcp tunnel, the result of that can give some very useful indicators ..

Edit: Also, just an idea .. can you try running the server on a Linux PC .. not your ARM Raspberry Pi.
(alternatively, I could give you a temporary account on my system)
