Authenticate/Decrypt packet error
-
- OpenVPN User
- Posts: 38
- Joined: Thu Jan 28, 2016 7:44 pm
Re: Authenticate/Decrypt packet error
OK. I will setup a VM with Ubuntu server and OpenVPN 2.4.x to test things. It might take a couple days, so please be patient....
In my eyes the most important thing is to fix the log viewing crash issue since I am kind of blind without the log file...
-
- OpenVPN User
- Posts: 38
- Joined: Thu Jan 28, 2016 7:44 pm
Re: Authenticate/Decrypt packet error
TinCanTech wrote: ↑Mon May 07, 2018 3:35 pm
Can you give full details of your device ? iOS Versions, device name/version etc .. as much detail as you can find. I do not know enough about iOS to identify what you are using but it is possible some incompatibility or even bug has got into openvpn .. This is why we need as much detail as you can give
Here are the infos of one of the iOS devices:
Code:
Operating System:
- system: iOS 11.3.1
- system build: 15E302
- multitasking support: Yes
- kernel: Darwin 17.5.0
Device Information:
- device: iPad Air 2
- device ID: iPad5,4
- model: J82AP
- name: iPad
- hostname: iPad
CPU Information:
- CPU model: Apple A8X
- GPU model: PowerVR G6850
- motion coprocessor: M8
- core number: 3
- CPU architecture: 64-bit
- CPU frequency: 1500 MHz
- TB frequency: 24 MHz
- L1 cache size: 64 KB
- L1D cache size: 64 KB
- L2 cache size: 2048 KB
- byteorder: 1234
- cacheline: 64
Hardware Features:
- display resolution: 2048 x 1536
- pixel density: 264 ppi
- battery voltage: 3.75 V
- battery capacity: 7340 mAh
- rear camera: 8 MP
- front camera: 1.2 MP
- touchscreen: Yes
- microphone: Yes
- speaker: Yes
- wi-fi: Yes
- bluetooth: Yes
- nfc: No
- accelerometer: Yes
- gyroscopic sensor: Yes
- ambient light sensor: Yes
- proximity sensor: No
- fingerprint sensor: Yes
- magnetometer: Yes
- barometer: Yes
- phone: No
- GPS: Yes
TinCanTech wrote: ↑Mon May 07, 2018 3:35 pm
Also, please try a --proto tcp tunnel, the result of that can give some very useful indicators ..
Unfortunately I can't do that at the moment since I have to ask the network admin to configure the network's firewall to allow tcp traffic for OpenVPN.
TinCanTech wrote: ↑Mon May 07, 2018 3:35 pm
Edit: Also, just an idea .. can you try running the server on a Linux PC .. not your ARM Raspberry Pi.
(alternatively, I could give you a temporary account on my system)
I spent half of the day to try out a few things:
- I set up an Ubuntu 18.04 LTS (Bionic Beaver) server on a local VM in my LAN (Virtual Box, OpenVPN version 2.4.4)
- I cloned the Raspberry server's SSD to setup an exact clone in my own LAN
In both cases the only things I changed was the IP addresses of the machines and I commented out the push "route...." and route statements in the server's config:
Code:
proto udp
port 1194
dev tun
server 10.205.76.0 255.255.255.0
topology subnet
persist-key
persist-tun
keepalive 10 60
#duplicate-cn
#ccd-exclusive
user nobody
group nogroup
daemon
verb 4
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
remote-cert-tls client
management 127.0.0.1 5555
client-config-dir /etc/openvpn/ccd
tls-auth /etc/openvpn/keys/ta.key 0
dh /etc/openvpn/keys/dh2048.pem
pkcs12 /etc/openvpn/keys/OpenVPN_PAW_Server.p12
crl-verify /etc/openvpn/keys/OpenVPN_PAW_CRL.pem
#push "route 192.168.193.0 255.255.255.0"
#route 192.168.0.0 255.255.255.0
#client-connect /etc/openvpn/statuschange.sh
#client-disconnect /etc/openvpn/statuschange.sh
#script-security 2
In both cases I had NO errors at all when connecting with the iOS devices. I also never had any problems when connecting with a Windows Notebook (WLAN, 4G).
Thus my conclusions are (unfortunately contradictory):
- There must be a problem "in between", e.g. concerning the routers on the way. Since the problem exists no matter what connection I use (4G, WLAN), it could be a problem on the server side. Is it possible that a router causes the problem? QoS? Firewall? I don't know...
- The problem does not occur on a Windows Notebook (WLAN and 4G). Thus I still think it is a problem concerning the iOS App?!
Here is a complete log of a session with the local Raspberry server and one of the iOS devices:
Code:
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: MULTI: multi_create_instance called
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 Re-using SSL/TLS context
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 Control Channel MTU parms [ L:1621 D:1172 EF:78 EB:0 ET:0 EL:3 ]
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 TLS: Initial packet from [AF_INET]192.168.0.143:52227, sid=f30ac251 100c2e74
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 VERIFY OK: depth=1, C=DE, ST=RLP, L=Sprendlingen, O=Praxis am Wißberg, OU=IT, CN=OpenVPN_PAW_CA, emailAddress=paw@fenta.org
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 Validating certificate key usage
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 ++ Certificate has key usage 0080, expects 0080
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 VERIFY KU OK
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 Validating certificate extended key usage
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 VERIFY EKU OK
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 VERIFY OK: depth=0, C=DE, ST=RLP, L=Sprendlingen, O=Praxis am Wißberg, OU=IT, CN=OpenVPN_PAW_ts, emailAddress=paw@fenta.org
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.2.9-0
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 peer info: IV_VER=3.2
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 peer info: IV_PLAT=ios
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 peer info: IV_NCP=2
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 peer info: IV_TCPNL=1
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 peer info: IV_PROTO=2
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 peer info: IV_AUTO_SESS=1
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 192.168.0.143:52227 [OpenVPN_PAW_ts] Peer Connection Initiated with [AF_INET]192.168.0.143:52227
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/192.168.0.143:52227 MULTI_sva: pool returned IPv4=10.205.76.2, IPv6=(Not enabled)
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/192.168.0.143:52227 MULTI: Learn: 10.205.76.2 -> OpenVPN_PAW_ts/192.168.0.143:52227
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/192.168.0.143:52227 MULTI: primary virtual IP for OpenVPN_PAW_ts/192.168.0.143:52227: 10.205.76.2
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/192.168.0.143:52227 PUSH: Received control message: 'PUSH_REQUEST'
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/192.168.0.143:52227 SENT CONTROL [OpenVPN_PAW_ts]: 'PUSH_REPLY,route-gateway 10.205.76.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.205.76.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/192.168.0.143:52227 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/192.168.0.143:52227 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
May 10 12:50:04 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/192.168.0.143:52227 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
May 10 12:50:27 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/192.168.0.143:52227 SIGTERM[soft,remote-exit] received, client-instance exiting
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Authenticate/Decrypt packet error
Tom7320 wrote: ↑Thu May 10, 2018 10:53 am
Here are the infos of one of the iOS devices:
<snip>
Thanks for this.
Tom7320 wrote: ↑Thu May 10, 2018 10:53 am
TinCanTech wrote: ↑Mon May 07, 2018 3:35 pm
Also, please try a --proto tcp tunnel, the result of that can give some very useful indicators ..
Unfortunately I can't do that at the moment since I have to ask the network admin to configure the network's firewall to allow tcp traffic for OpenVPN.
This is also the person you should be asking for help.
Tom7320 wrote: ↑Thu May 10, 2018 10:53 am
I spend half of the day to try out a few things:
- I set up an Ubuntu 18.04 LTS (Bionic Beaver) server on a local VM in my LAN (Virtual Box, OpenVPN version 2.4.4)
- I cloned the Raspberry server's SSD to setup an exact clone in my own LAN
In both cases the only things I changed was the IP addresses of the machines and I commented out the push "route...." and route statements in the server's config:
<snip>
In both cases I had NO errors at all when connecting with the iOS devices. I also never had any problems when connecting with a Windows Notebook (WLAN, 4G).
Thus my conclusions are (unfortunately contradictory):
- There must be a problem "in between", eg. concerning the routers on the way. Since the problem exists no matter what connection I use (4G, WLAN), it could be a problem on the server side. Is it possible that a router causes the problem? QoS? Firewall? I don't know...
- The problem does not occur on a Windows Notebook (WLAN and 4G). Thus I still think it is a problem concerning the iOS App?!
Networks are very complex things and it is entirely possible there is a fault between your client and server.
This is the problem as I see it:
- Packet errors:
There is very likely some network problem between your client and server, I cannot help with that, ask your network administrator for advice. This problem does not appear to be fatal as your VPN still essentially works, so if you cannot find a solution you may just have to live with it ..
- App crashing when viewing log:
I have no idea what this problem is caused by and neither do the two developers that have been following this thread. It appears to be localized to your devices alone because nobody else has ever reported this problem.
There is one other thing you can try: connect the iOS device to the Mac to grab the console output during the crash. You may also be able to pull the log from the device this way.
Other than that, these problems are beyond the scope of this forum .. you may have to enlist some local expertise. Or just live with it ..
Last edited by TinCanTech on Thu May 10, 2018 11:58 am, edited 1 time in total.
-
- OpenVPN User
- Posts: 39
- Joined: Thu Apr 26, 2018 2:45 pm
Re: Authenticate/Decrypt packet error
It is possible that OpenVPN server 2.4 forces settings that conflict with your client ovpn and/or are not supported on iOS, but are supported by Windows. See my note in the other thread observing:
Code:
SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Authenticate/Decrypt packet error
The VPN essentially works, so this is probably not relevant.
The problems here are very complex so reading the entire thread carefully and even trying to replicate the setup may be of use.
But for me, it is beyond my scope ..
-
- OpenVPN User
- Posts: 38
- Joined: Thu Jan 28, 2016 7:44 pm
Re: Authenticate/Decrypt packet error
TinCanTech wrote: ↑Thu May 10, 2018 11:57 am
This is the problem as I see it:
- Packet errors: <snip>
- App crashing when viewing log: <snip>
THX again for your very comprehensive answer!! I asked the network admin but he has no idea what's going wrong concerning VPNs. Basically he installed the router as part of the telephone system which is VoIP based. Is it conceivable that a router (QoS? Firewall?) is causing this kind of problems?
I have been informed that there will be a new iOS App soon, so that may help.
The VPN essentially works so I can definitely live with it! At some point I was just a little curious about finding out what's going on...
The App crashing issue is really annoying and I really hope that the new iOS App will solve this problem! I just can't believe that I am the only one who is affected by this problem??? I mean here we are talking about the very simple task of displaying a text log file....
Anyway thanks for reading and answering my questions!! I really appreciate that!
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Authenticate/Decrypt packet error
Re: Packet errors:
It could be practically any device between you and your server.
Try a TCP connection, you should get NO errors or else something is very wrong ..
Somebody trying to hack your data in flight or a broken device.
You can also try adjusting --replay-window as I said above.
I strongly urge you not to use --no-replay in production. But you could try for testing purposes ..
As for the App .. it's a mystery
Other than the advice above, you could lower --verb to 0 zero, which will only log fatal errors (and a few other odd bits of log). Perhaps there is too much data at --verb 4 .. You could also try configuring a specific app to open the log file, I don't know how that works on iOS but I presume it is possible.
Let us know if any of that helps.
You're welcome.
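The --replay-window and --no-replay advice above rests on OpenVPN's packet-ID replay check, which is what logs "bad packet ID (may be a replay)". The following Python is an added example, not OpenVPN's code or anything from this thread: a simplified sliding-window model of that check, assuming the 64-packet default, packet IDs starting at 1 and no time-based component, fed with constructed packet sequences.

```python
"""Model of OpenVPN's packet-ID replay window (--replay-window, --no-replay).

Added example, not OpenVPN's code: a simplified sliding window over the
packet-ID counter, to show why a UDP packet reordered further than the window
is logged as "bad packet ID (may be a replay)". Assumptions: the 64-packet
default, IDs starting at 1, and the time-based part of the real check omitted.
"""


class ReplayWindow:
    def __init__(self, size=64, enabled=True):
        self.size = size          # --replay-window n
        self.enabled = enabled    # False models --no-replay
        self.highest = 0          # highest packet ID accepted so far
        self.seen = 0             # bit k set => ID (highest - k) already accepted

    def accept(self, pid):
        """True if pid is fresh and inside the window; False for replays and stale IDs."""
        if not self.enabled:
            return True           # --no-replay: duplicates sail through too
        if pid <= 0:
            return False
        if pid > self.highest:    # newest packet: slide the window forward
            shift = pid - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.highest = pid
            return True
        behind = self.highest - pid
        if behind >= self.size:   # reordered past the window: "bad packet ID"
            return False
        if (self.seen >> behind) & 1:
            return False          # already accepted once: a genuine replay
        self.seen |= 1 << behind  # late but legitimate packet
        return True


def replay_report(packet_ids, size=64, enabled=True):
    """Run a packet-ID sequence through one window; return (accepted, rejected) lists."""
    window = ReplayWindow(size, enabled)
    accepted, rejected = [], []
    for pid in packet_ids:
        (accepted if window.accept(pid) else rejected).append(pid)
    return accepted, rejected


# Constructed traffic: packet 3 is delayed by a reordering network path and
# arrives after 67 later packets, which is past the 64-packet default window.
LATE_PACKET = [1, 2] + list(range(4, 71)) + [3]

if __name__ == "__main__":
    print("default window rejects:", replay_report(LATE_PACKET)[1])
    print("window 128 rejects:", replay_report(LATE_PACKET, size=128)[1])
    print("--no-replay rejects:", replay_report([1, 2, 2], enabled=False)[1])
```

A widened window accepts the delayed packet; --no-replay also accepts the duplicate 2, which is why it is a test-only setting.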
-
- OpenVPN User
- Posts: 39
- Joined: Thu Apr 26, 2018 2:45 pm
Re: Authenticate/Decrypt packet error
Yes, I did indeed set up a similar client and server, but with a different configuration, and my configuration worked. That's why I think it would be interesting to see if changing the encryption parameters fixes the problem. You can see in the log that OpenVPN 2.4 selects TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384. Yet the config files contain:
Code:
cipher AES-256-CBC
auth SHA256
Code:
cipher AES-256-GCM
auth SHA384
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Authenticate/Decrypt packet error
bbuckm wrote: ↑Thu May 10, 2018 6:12 pm
You can see in the log that OpenVPN 2.4 selects TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384. Yet the config files contain:
Code:
cipher AES-256-CBC
auth SHA256
You are confusing --cipher with --tls-cipher ..
Also, neither of these affect the problem of:
TinCanTech wrote: ↑Mon May 07, 2018 1:59 pm
Authenticate/Decrypt packet error: bad packet ID (may be a replay)
In this case, the VPN is established and data is being passed over it .. the bad packet ID indicates that the packet ID is incorrect. Which often indicates a network problem ..
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: Authenticate/Decrypt packet error
^^^ Indeed ^^^
Was just about to write
The --cipher and --auth directives are used for the data channel.
--auth is also used for tls-auth control channel packets.
Code:
Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
If both sides support NCP, AES-256-GCM will be negotiated, unless --ncp-disable is specified.
See manual 2.4:
https://community.openvpn.net/openvpn/w ... n24ManPage
and:
https://github.com/OpenVPN/openvpn/blob ... hanges.rst
bbuckm wrote:
You can see in the log that OpenVPN 2.4 selects TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Afaik, ^^^ that ^^^ is used for the initial TLS handshake and depends on the properties of the certificates.
*
Edit: I read I get/word ^^^ this ^^^ wrong, please read --tls-cipher in manual.
-
- OpenVPN User
- Posts: 38
- Joined: Thu Jan 28, 2016 7:44 pm
Re: Authenticate/Decrypt packet error
Is it safe to just omit --cipher and --auth statements and let OpenVPN decide by itself?
-
- OpenVPN User
- Posts: 38
- Joined: Thu Jan 28, 2016 7:44 pm
Re: Authenticate/Decrypt packet error
PS: This is a session with --cipher and --auth commented out:
Code:
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: MULTI: multi_create_instance called
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 Re-using SSL/TLS context
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 TLS: Initial packet from [AF_INET]93.221.143.162:59084, sid=a6f2298b a614bd18
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 VERIFY OK: depth=1, C=DE, ST=RLP, L=Sprendlingen, O=Praxis am Wißberg, OU=IT, CN=OpenVPN_PAW_CA, emailAddress=paw@fenta.org
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 Validating certificate key usage
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 ++ Certificate has key usage 0080, expects 0080
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 VERIFY KU OK
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 Validating certificate extended key usage
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 VERIFY EKU OK
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 VERIFY OK: depth=0, C=DE, ST=RLP, L=Sprendlingen, O=Praxis am Wißberg, OU=IT, CN=OpenVPN_PAW_ts, emailAddress=paw@fenta.org
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.2.9-0
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 peer info: IV_VER=3.2
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 peer info: IV_PLAT=ios
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 peer info: IV_NCP=2
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 peer info: IV_TCPNL=1
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 peer info: IV_PROTO=2
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 peer info: IV_AUTO_SESS=1
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 peer info: IV_BS64DL=1
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: 93.221.143.162:59084 [OpenVPN_PAW_ts] Peer Connection Initiated with [AF_INET]93.221.143.162:59084
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/93.221.143.162:59084 MULTI_sva: pool returned IPv4=10.205.76.3, IPv6=(Not enabled)
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/93.221.143.162:59084 MULTI: Learn: 10.205.76.3 -> OpenVPN_PAW_ts/93.221.143.162:59084
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/93.221.143.162:59084 MULTI: primary virtual IP for OpenVPN_PAW_ts/93.221.143.162:59084: 10.205.76.3
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/93.221.143.162:59084 PUSH: Received control message: 'PUSH_REQUEST'
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/93.221.143.162:59084 SENT CONTROL [OpenVPN_PAW_ts]: 'PUSH_REPLY,route 192.168.193.0 255.255.255.0,route-gateway 10.205.76.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.205.76.3 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/93.221.143.162:59084 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/93.221.143.162:59084 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
May 21 19:40:42 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/93.221.143.162:59084 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
May 21 19:41:14 openvpn ovpn-OpenVPN_PAW_Server_udp[355]: OpenVPN_PAW_ts/93.221.143.162:59084 SIGTERM[soft,remote-exit] received, client-instance exiting
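Pippin's point (--cipher/--auth govern the data channel, NCP overrides --cipher, the TLS suite in the log belongs to --tls-cipher) and the question of omitting --cipher can both be checked against these server logs. The following Python is an added example, not code from the thread or from the OpenVPN project: it condenses the relevant log lines from the two sessions above into constructed samples and reports what each channel actually uses; the weak-cipher list is my own and the session with --cipher omitted shows the BF-CBC/SHA1 defaults in its Options String.

```python
"""Sort out which cipher governs which OpenVPN channel, from server log lines.

Added example, not from the thread or the OpenVPN project. Separates the
--cipher/--auth fallback in the Options String, the data-channel cipher NCP
pushes in PUSH_REPLY, and the control channel's TLS suite (--tls-cipher).
"""
import re

# Constructed samples: the relevant lines condensed from the two server logs
# in this thread, first with 'cipher AES-256-CBC' set, then with --cipher and
# --auth commented out (the log then shows the BF-CBC/SHA1 defaults).
LOG_CIPHER_SET = """\
ovpn[355]: 192.168.0.143:52227 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
ovpn[355]: 192.168.0.143:52227 peer info: IV_NCP=2
ovpn[355]: 192.168.0.143:52227 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
ovpn[355]: OpenVPN_PAW_ts/192.168.0.143:52227 SENT CONTROL [OpenVPN_PAW_ts]: 'PUSH_REPLY,route-gateway 10.205.76.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.205.76.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
ovpn[355]: OpenVPN_PAW_ts/192.168.0.143:52227 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
"""
LOG_CIPHER_OMITTED = """\
ovpn[355]: 93.221.143.162:59084 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
ovpn[355]: 93.221.143.162:59084 peer info: IV_NCP=2
ovpn[355]: 93.221.143.162:59084 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
ovpn[355]: OpenVPN_PAW_ts/93.221.143.162:59084 SENT CONTROL [OpenVPN_PAW_ts]: 'PUSH_REPLY,route 192.168.193.0 255.255.255.0,route-gateway 10.205.76.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.205.76.3 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
ovpn[355]: OpenVPN_PAW_ts/93.221.143.162:59084 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
"""

OPTS_RE = re.compile(r"Local Options String \(VER=V\d\): '([^']*)'")
PUSH_RE = re.compile(r"'PUSH_REPLY,([^']*)'")
CTRL_RE = re.compile(r"Control Channel: (TLSv[\d.]+), cipher \S+ ([^,\s]+),")
DATA_RE = re.compile(r"Data Channel Encrypt: Cipher '([^']+)'")
NCP_RE = re.compile(r"peer info: IV_NCP=(\d+)")

# 64-bit block ciphers: a client without NCP falls back to whatever --cipher says.
WEAK_DATA_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}


def parse_kv(option_string):
    """'cipher BF-CBC,tls-auth' -> {'cipher': 'BF-CBC', 'tls-auth': None}."""
    out = {}
    for item in option_string.split(","):
        key, _, value = item.strip().partition(" ")
        out[key] = value or None
    return out


def analyze(log_text):
    """Return what each channel actually uses, plus human-readable findings."""
    r = {"fallback_cipher": None, "fallback_auth": None, "tls_version": None,
         "tls_cipher": None, "client_ncp": False, "negotiated_cipher": None,
         "data_cipher": None}
    for line in log_text.splitlines():
        if m := OPTS_RE.search(line):       # what --cipher/--auth (or defaults) advertise
            opts = parse_kv(m.group(1))
            r["fallback_cipher"], r["fallback_auth"] = opts.get("cipher"), opts.get("auth")
        elif m := PUSH_RE.search(line):     # what NCP actually pushed for the data channel
            r["negotiated_cipher"] = parse_kv(m.group(1)).get("cipher")
        elif m := CTRL_RE.search(line):     # TLS suite of the control channel (--tls-cipher)
            r["tls_version"], r["tls_cipher"] = m.group(1), m.group(2)
        elif m := DATA_RE.search(line):
            r["data_cipher"] = m.group(1)
        elif m := NCP_RE.search(line):
            r["client_ncp"] = int(m.group(1)) >= 2
    r["weak_fallback"] = r["fallback_cipher"] in WEAK_DATA_CIPHERS
    r["findings"] = findings(r)
    return r


def findings(r):
    notes = []
    if r["tls_cipher"]:
        notes.append(f"control channel: {r['tls_version']} {r['tls_cipher']} (a --tls-cipher matter, not --cipher)")
    if r["negotiated_cipher"] and r["negotiated_cipher"] != r["fallback_cipher"]:
        notes.append(f"data channel: NCP pushed {r['negotiated_cipher']} over the configured fallback {r['fallback_cipher']}")
    if r["weak_fallback"]:
        notes.append(f"fallback {r['fallback_cipher']} is a 64-bit block cipher; set --cipher explicitly so non-NCP clients never get it")
    return notes


if __name__ == "__main__":
    for name, text in (("cipher set", LOG_CIPHER_SET), ("cipher omitted", LOG_CIPHER_OMITTED)):
        print(name, *analyze(text)["findings"], sep="\n  ")
```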
-
- OpenVPN User
- Posts: 38
- Joined: Thu Jan 28, 2016 7:44 pm
Re: Authenticate/Decrypt packet error
Heureka! I found it!!! We are on a totally wrong track! The problem is this at the end of my config:
Code:
client-connect /etc/openvpn/statuschange.sh
client-disconnect /etc/openvpn/statuschange.sh
script-security 2
statuschange.sh:
Code:
#!/bin/bash
# Run by OpenVPN on client-connect and client-disconnect (needs script-security 2).
# OpenVPN exports script_type, common_name, untrusted_ip, proto_1,
# time_duration (seconds) and time_ascii into the script's environment.
pref="<b>paw-openvpn:</b>"
now=$(date)
if [ "$script_type" == "client-connect" ]; then
    telegram-send -g --format html "$pref $now $script_type $common_name @ $untrusted_ip via $proto_1"
elif [ "$script_type" == "client-disconnect" ]; then
    # render the session length as day(s) hh:mm:ss
    dur=$(echo "$time_duration" | awk '{printf("%d day(s) %02d:%02d:%02d hh:mm:ss\n",($1/60/60/24),($1/60/60%24),($1/60%60),($1%60))}')
    telegram-send -g --format html "$pref $now $script_type $common_name @ $untrusted_ip via $proto_1 (connected since $time_ascii [$dur])"
else
    telegram-send -g --format html "$pref $now $script_type"
fi
exit 0
As soon as I comment out the client-connect|disconnect scripts it works as expected! As soon as I allow script execution I have the mentioned errors in the log!
Now the question is: why?!?!?!?
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: Authenticate/Decrypt packet error
Would you try using
Code:
cipher AES-256-GCM
in your iOS device config file and remove entirely the "auth" directive, please?
Maybe something is bogus with NCP on the Connect App (NCP was introduced with 2.4.x)