Recently I have had two problems with the iOS app:
First, there are a lot of "Authenticate/Decrypt packet error: bad packet ID (may be a replay)" errors, followed by "TLS Error: incoming packet authentication failed from [AF_INET]" errors, in the server log. Here is a (reduced) log of a session:
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 TLS: Initial packet from [AF_INET]93.221.134.138:49512, sid=90625056 80ee0ef3
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 VERIFY OK: depth=1, C=DE, ST=RLP, L=Sprendlingen, O=Praxis am Wißberg, OU=IT, CN=OpenVPN_PAW_CA, emailAddress=paw@fenta.org
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 Validating certificate key usage
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 ++ Certificate has key usage 0080, expects 0080
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 VERIFY KU OK
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 Validating certificate extended key usage
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 VERIFY EKU OK
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 VERIFY OK: depth=0, C=DE, ST=RLP, L=Sprendlingen, O=Praxis am Wißberg, OU=IT, CN=OpenVPN_PAW_ts, emailAddress=paw@fenta.org
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.2.9-0
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 peer info: IV_VER=3.2
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 peer info: IV_PLAT=ios
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 peer info: IV_NCP=2
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 peer info: IV_TCPNL=1
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 peer info: IV_PROTO=2
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 peer info: IV_AUTO_SESS=1
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: 93.221.134.138:49512 [OpenVPN_PAW_ts] Peer Connection Initiated with [AF_INET]93.221.134.138:49512
Apr 26 10:16:36 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 MULTI_sva: pool returned IPv4=10.205.76.3, IPv6=(Not enabled)
Apr 26 10:16:38 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_f9a82f3430d0ccff686693203517f495.tmp
Apr 26 10:16:38 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 MULTI: Learn: 10.205.76.3 -> OpenVPN_PAW_ts/93.221.134.138:49512
Apr 26 10:16:38 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 MULTI: primary virtual IP for OpenVPN_PAW_ts/93.221.134.138:49512: 10.205.76.3
Apr 26 10:16:38 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 PUSH: Received control message: 'PUSH_REQUEST'
Apr 26 10:16:38 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 SENT CONTROL [OpenVPN_PAW_ts]: 'PUSH_REPLY,route 192.168.193.0 255.255.255.0,route-gateway 10.205.76.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.205.76.3 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
Apr 26 10:16:38 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 26 10:16:38 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 26 10:16:38 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #9 / time = (1524730596) Thu Apr 26 10:16:36 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Apr 26 10:16:38 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 TLS Error: incoming packet authentication failed from [AF_INET]93.221.134.138:49512
Apr 26 10:16:38 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 PUSH: Received control message: 'PUSH_REQUEST'
Apr 26 10:16:39 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #9 / time = (1524730596) Thu Apr 26 10:16:36 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Apr 26 10:16:39 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 TLS Error: incoming packet authentication failed from [AF_INET]93.221.134.138:49512
Apr 26 10:16:39 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #10 / time = (1524730596) Thu Apr 26 10:16:36 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Apr 26 10:16:39 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 TLS Error: incoming packet authentication failed from [AF_INET]93.221.134.138:49512
Apr 26 10:16:46 openvpn ovpn-OpenVPN_PAW_Server_udp[317]: OpenVPN_PAW_ts/93.221.134.138:49512 SIGTERM[soft,remote-exit] received, client-instance exiting
Thus I wanted to see what's going on and tried to have a look at the log on the iOS device. But unfortunately the app crashes reproducibly as soon as I open the log viewer within the app.
Here is the server config (2.4.0 on Raspbian):
proto udp
port 1194
dev tun
server 10.205.76.0 255.255.255.0
topology subnet
persist-key
persist-tun
keepalive 10 60
#duplicate-cn
#ccd-exclusive
user nobody
group nogroup
daemon
verb 3
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
remote-cert-tls client
management 127.0.0.1 5555
client-config-dir /etc/openvpn/ccd
tls-auth /etc/openvpn/keys/ta.key 0
dh /etc/openvpn/keys/dh2048.pem
pkcs12 /etc/openvpn/keys/OpenVPN_PAW_Server.p12
crl-verify /etc/openvpn/keys/OpenVPN_PAW_CRL.pem
push "route 192.168.193.0 255.255.255.0"
route 192.168.0.0 255.255.255.0
client-connect /etc/openvpn/statuschange.sh
client-disconnect /etc/openvpn/statuschange.sh
script-security 2
The client's config:
proto udp
port 1194
dev tun
client
remote remote.site.com
nobind
key-direction 1
verb 3
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
Are these known problems? Is there a solution available?
THX a lot!
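For anyone triaging the same "bad packet ID (may be a replay)" messages, here is a small parser that extracts them from the server log and summarises them per client, distinguishing a packet ID rejected repeatedly (like #9 above, which points at a duplicated or retransmitted datagram) from a run of distinct stale IDs. This is an added example, not code from the original post or from OpenVPN; the sample log lines are constructed from the message format quoted above, with the hostname and program fields shortened.

```python
"""Parse OpenVPN server log lines for replay-protection warnings (added example)."""
import re
from collections import Counter, defaultdict

# Pattern built from the warning format quoted in the post:
# "<client> Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #N / time = (EPOCH) ..."
REPLAY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: "
    r"(?P<client>\S+) Authenticate/Decrypt packet error: bad packet ID "
    r"\(may be a replay\): \[ #(?P<pid>\d+) / time = \((?P<epoch>\d+)\)"
)

# Constructed sample log, modelled on the session in the post (program name shortened).
SAMPLE_LOG = """\
Apr 26 10:16:38 openvpn ovpn-srv[317]: ts/93.221.134.138:49512 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 26 10:16:38 openvpn ovpn-srv[317]: ts/93.221.134.138:49512 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #9 / time = (1524730596) Thu Apr 26 10:16:36 2018 ] -- see the man page
Apr 26 10:16:38 openvpn ovpn-srv[317]: ts/93.221.134.138:49512 TLS Error: incoming packet authentication failed from [AF_INET]93.221.134.138:49512
Apr 26 10:16:39 openvpn ovpn-srv[317]: ts/93.221.134.138:49512 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #9 / time = (1524730596) Thu Apr 26 10:16:36 2018 ] -- see the man page
Apr 26 10:16:39 openvpn ovpn-srv[317]: ts/93.221.134.138:49512 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #10 / time = (1524730596) Thu Apr 26 10:16:36 2018 ] -- see the man page
Apr 26 10:16:46 openvpn ovpn-srv[317]: ts/93.221.134.138:49512 SIGTERM[soft,remote-exit] received, client-instance exiting
"""


def parse_replay_warnings(log_text):
    """Return a list of (client, packet_id, epoch) tuples, one per replay warning."""
    events = []
    for line in log_text.splitlines():
        m = REPLAY_RE.match(line)
        if m:
            events.append((m["client"], int(m["pid"]), int(m["epoch"])))
    return events


def summarize(events):
    """Per client: total warnings, number of distinct packet IDs, and IDs rejected more than once.

    A repeated ID means the very same datagram arrived again (duplicate delivery or
    retransmission); many distinct IDs with old timestamps point at reordering or a
    client whose packets arrive too late for the replay window.
    """
    per_client = defaultdict(list)
    for client, pid, _epoch in events:
        per_client[client].append(pid)
    summary = {}
    for client, pids in per_client.items():
        counts = Counter(pids)
        summary[client] = {
            "warnings": len(pids),
            "distinct_ids": len(counts),
            "repeated_ids": sorted(pid for pid, n in counts.items() if n > 1),
        }
    return summary


if __name__ == "__main__":
    for client, stats in summarize(parse_replay_warnings(SAMPLE_LOG)).items():
        print(client, stats)
```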