Random crashes of 2.5.1 server

richard52
OpenVpn Newbie
Posts: 4
Joined: Fri Apr 02, 2021 9:59 am

Random crashes of 2.5.1 server

Post by richard52 » Fri Apr 02, 2021 10:26 am

Hi all,

I'm getting random crashes of openvpn server 2.5.1; usually it crashes with "exited on signal 11" after "WARNING: Bad encapsulated packet length from peer (18245)".
Maybe these things are not related, but after this warning I'm getting "TCP: accept(10) failed: Software caused connection abort (errno=53)" in the log and the daemon crashes.
Can anybody help me investigate this problem?


My server config and logs below:

/var/log/openvpn.log
2021-04-02 04:58:10 us=734354 MULTI: multi_create_instance called
2021-04-02 04:58:10 us=734404 Re-using SSL/TLS context
2021-04-02 04:58:10 us=734523 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-02 04:58:10 us=734541 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-02 04:58:10 us=734635 Control Channel MTU parms [ L:1624 D:1170 EF:80 EB:0 ET:0 EL:3 ]
2021-04-02 04:58:10 us=734659 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2021-04-02 04:58:10 us=734716 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
2021-04-02 04:58:10 us=734730 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
2021-04-02 04:58:10 us=734755 TCP connection established with [AF_INET]209.141.56.59:45822
2021-04-02 04:58:10 us=734770 TCPv4_SERVER link local: (not bound)
2021-04-02 04:58:10 us=734784 TCPv4_SERVER link remote: [AF_INET]209.141.56.59:45822
2021-04-02 04:58:10 us=734872 209.141.56.59:45822 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
2021-04-02 04:58:10 us=734889 209.141.56.59:45822 Connection reset, restarting [0]
2021-04-02 04:58:10 us=734901 209.141.56.59:45822 SIGUSR1[soft,connection-reset] received, client-instance restarting
2021-04-02 04:58:10 us=734951 TCP/UDP: Closing socket
2021-04-02 04:58:11 us=93278 MULTI: multi_create_instance called
2021-04-02 04:58:11 us=93316 Re-using SSL/TLS context
2021-04-02 04:58:11 us=93421 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-02 04:58:11 us=93438 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-02 04:58:11 us=93492 Control Channel MTU parms [ L:1624 D:1170 EF:80 EB:0 ET:0 EL:3 ]
2021-04-02 04:58:11 us=93512 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2021-04-02 04:58:11 us=93560 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
2021-04-02 04:58:11 us=93573 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
2021-04-02 04:58:11 us=93635 TCP: accept(10) failed: Software caused connection abort (errno=53)

/var/log/messages
Apr 2 04:58:11 vpn-ext kernel: [15774] pid 46022 (openvpn), jid 0, uid 65534: exited on signal 11

openvpn --version
OpenVPN 2.5.1 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Feb 26 2021
library versions: OpenSSL 1.1.1h-freebsd 22 Sep 2020, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

Server config

management 127.0.0.1 5281
plugin /usr/local/lib/openvpn-auth-ldap.so "/usr/local/etc/openvpn/openvpn-auth-ldap.conf"
port 81
proto tcp4
hand-window 240
dev tun5
topology subnet
verify-client-cert none
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh2048.pem
server 172.16.1.0 255.255.255.0
push "route 192.168.91.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
username-as-common-name
client-config-dir /usr/local/etc/openvpn/rtkct
tls-auth /usr/local/etc/openvpn/keys/ta.key 0
auth SHA256
cipher AES-256-CBC
tcp-queue-limit 4096
bcast-buffers 4096
reneg-sec 36000
reneg-bytes 0
keepalive 10 120
allow-compression no
compress
comp-lzo no
push "comp-lzo no"
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
status-version 3
log-append /var/log/openvpn.log
verb 4
script-security 3
sndbuf 512000
rcvbuf 512000
push "sndbuf 512000"
push "rcvbuf 512000"



verb 7 log

2021-04-02 14:13:54 us=168300 TCP connection established with [AF_INET]209.141.58.91:36152
2021-04-02 14:13:54 us=168317 TCPv4_SERVER link local: (not bound)
2021-04-02 14:13:54 us=168330 TCPv4_SERVER link remote: [AF_INET]209.141.58.91:36152
2021-04-02 14:13:54 us=168353 209.141.58.91:36152 SENT PING
2021-04-02 14:13:54 us=168409 209.141.58.91:36152 MULTI TCP: instance added: 209.141.58.91:36152
2021-04-02 14:13:54 us=168425 209.141.58.91:36152 MULTI TCP: multi_tcp_action a=TA_INITIAL p=0
2021-04-02 14:13:54 us=168436 209.141.58.91:36152 MULTI TCP: multi_tcp_dispatch a=TA_INITIAL mi=0x801601000
2021-04-02 14:13:54 us=168455 209.141.58.91:36152 MULTI TCP: multi_tcp_post TA_INITIAL -> TA_UNDEF
2021-04-02 14:13:54 us=168477 209.141.58.91:36152 MULTI TCP: multi_tcp_action a=TA_SOCKET_READ p=0
2021-04-02 14:13:54 us=168489 209.141.58.91:36152 MULTI TCP: multi_tcp_dispatch a=TA_SOCKET_READ mi=0x801601000
2021-04-02 14:13:54 us=168507 209.141.58.91:36152 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
2021-04-02 14:13:54 us=168524 209.141.58.91:36152 Connection reset, restarting [0]
2021-04-02 14:13:54 us=168536 209.141.58.91:36152 SIGUSR1[soft,connection-reset] received, client-instance restarting
2021-04-02 14:13:54 us=168547 MULTI: multi_close_instance called
2021-04-02 14:13:54 us=168562 PID packet_id_free
2021-04-02 14:13:54 us=168595 PID packet_id_free
2021-04-02 14:13:54 us=168608 PID packet_id_free
2021-04-02 14:13:54 us=168618 PID packet_id_free
2021-04-02 14:13:54 us=168638 PID packet_id_free
2021-04-02 14:13:54 us=168650 PID packet_id_free
2021-04-02 14:13:54 us=168661 PID packet_id_free
2021-04-02 14:13:54 us=168671 PID packet_id_free
2021-04-02 14:13:54 us=168686 TCP/UDP: Closing socket
2021-04-02 14:13:54 us=168719 PID packet_id_free
2021-04-02 14:13:54 us=168739 MULTI TCP: multi_tcp_post TA_SOCKET_READ -> TA_UNDEF
2021-04-02 14:13:54 us=365785 MULTI TCP: multi_tcp_action a=TA_TIMEOUT p=0
2021-04-02 14:13:54 us=365806 MULTI TCP: multi_tcp_dispatch a=TA_TIMEOUT mi=0x00000000
2021-04-02 14:13:54 us=365822 MULTI TCP: multi_tcp_post TA_TIMEOUT -> TA_UNDEF
2021-04-02 14:13:54 us=492710 MULTI TCP: multi_tcp_action a=TA_SOCKET_READ p=0
2021-04-02 14:13:54 us=492730 MULTI TCP: multi_tcp_dispatch a=TA_SOCKET_READ mi=0x8013c9400
2021-04-02 14:13:54 us=492754 av_andreev/37.145.211.176:25906 TCPv4_SERVER READ [77] from [AF_INET]37.145.211.176:25906: P_DATA_V2 kid=1 DATA len=76
2021-04-02 14:13:54 us=492769 av_andreev/37.145.211.176:25906 TLS: tls_pre_decrypt, key_id=1, IP=[AF_INET]37.145.211.176:25906
2021-04-02 14:13:54 us=492807 av_andreev/37.145.211.176:25906 PID_TEST [0] [SSL-1] [369>>>EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE] 0:3231 0:3232 t=1617362034[0] r=[-3,64,15,0,1] sl=[33,64,64,528]
2021-04-02 14:13:54 us=492828 av_andreev/37.145.211.176:25906 GET INST BY VIRT: 172.16.1.4 -> test_username/37.145.211.176:25906 via 172.16.1.4
2021-04-02 14:13:54 us=492842 MULTI TCP: multi_tcp_post TA_SOCKET_READ -> TA_TUN_WRITE
2021-04-02 14:13:54 us=492853 MULTI TCP: multi_tcp_action a=TA_TUN_WRITE p=1
2021-04-02 14:13:54 us=492864 MULTI TCP: multi_tcp_wait_lite a=TA_TUN_WRITE mi=0x8013c9400
2021-04-02 14:13:54 us=492880 MULTI TCP: multi_tcp_dispatch a=TA_TUN_WRITE mi=0x8013c9400
2021-04-02 14:13:54 us=492892 av_andreev/37.145.211.176:25906 TUN WRITE [52]
2021-04-02 14:13:54 us=492919 MULTI TCP: multi_tcp_post TA_TUN_WRITE -> TA_UNDEF
2021-04-02 14:13:54 us=536581 MULTI: multi_create_instance called
2021-04-02 14:13:54 us=536617 Re-using SSL/TLS context
2021-04-02 14:13:54 us=536722 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-02 14:13:54 us=536745 Outgoing Control Channel Authentication: HMAC KEY: d500140d c19a3615 e47d1de9 cba9620f 67661d23 e664754f 83dd742f b5fd7793
2021-04-02 14:13:54 us=536757 Outgoing Control Channel Authentication: HMAC size=32 block_size=32
2021-04-02 14:13:54 us=536772 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-02 14:13:54 us=536794 Incoming Control Channel Authentication: HMAC KEY: 2f846a76 7f8ef2b5 a5791ea5 1fbf687c 741b78d9 8fd03dc2 7a681db3 8b9650e9
2021-04-02 14:13:54 us=536805 Incoming Control Channel Authentication: HMAC size=32 block_size=32
2021-04-02 14:13:54 us=536820 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
2021-04-02 14:13:54 us=536836 PID packet_id_init seq_backtrack=64 time_backtrack=15
2021-04-02 14:13:54 us=536867 PID packet_id_init seq_backtrack=64 time_backtrack=15
2021-04-02 14:13:54 us=536883 PID packet_id_init seq_backtrack=64 time_backtrack=15
2021-04-02 14:13:54 us=536908 PID packet_id_init seq_backtrack=64 time_backtrack=15
2021-04-02 14:13:54 us=536924 Control Channel MTU parms [ L:1624 D:1170 EF:80 EB:0 ET:0 EL:3 ]
2021-04-02 14:13:54 us=536939 MTU DYNAMIC mtu=1450, flags=2, 1624 -> 1450
2021-04-02 14:13:54 us=536953 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2021-04-02 14:13:54 us=536974 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
2021-04-02 14:13:54 us=536985 calc_options_string_link_mtu: link-mtu 1624 -> 1572
2021-04-02 14:13:54 us=537017 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
2021-04-02 14:13:54 us=537029 calc_options_string_link_mtu: link-mtu 1624 -> 1572
2021-04-02 14:13:54 us=537053 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
2021-04-02 14:13:54 us=537066 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
2021-04-02 14:13:54 us=537110 TCP: accept(7) failed: Software caused connection abort (errno=53)

TinCanTech
OpenVPN Protagonist
Posts: 8866
Joined: Fri Jun 03, 2016 1:17 pm

Re: Random crashes of 2.5.1 server

Post by TinCanTech » Fri Apr 02, 2021 12:35 pm

This is likely to be related to recent development concerning compression.

A new release 2.5.2 is scheduled for next week or so, so you can wait for that.

However, you must actually ensure that your client config file specifies --comp-lzo no as well ..
because pushing it only is simply not enough, currently.

richard52
OpenVpn Newbie
Posts: 4
Joined: Fri Apr 02, 2021 9:59 am

Re: Random crashes of 2.5.1 server

Post by richard52 » Mon Apr 05, 2021 11:22 am

Thank you for the answer.
Does this problem exist on version 2.4.10?
I cannot remove comp-lzo from all clients, I have too many clients.

TinCanTech
OpenVPN Protagonist
Posts: 8866
Joined: Fri Jun 03, 2016 1:17 pm

Re: Random crashes of 2.5.1 server

Post by TinCanTech » Mon Apr 05, 2021 2:44 pm

Please post the client config files as well.

TinCanTech
OpenVPN Protagonist
Posts: 8866
Joined: Fri Jun 03, 2016 1:17 pm

Re: Random crashes of 2.5.1 server

Post by TinCanTech » Mon Apr 05, 2021 9:19 pm

For help with your server crashing, please post a log at --verb 4 when the server crashes.

richard52
OpenVpn Newbie
Posts: 4
Joined: Fri Apr 02, 2021 9:59 am

Re: Random crashes of 2.5.1 server

Post by richard52 » Tue Apr 06, 2021 8:10 am

client
topology subnet
auth-user-pass
dev tun
proto tcp
remote vpn.somedomain.external
port 81
client
nobind
resolv-retry infinite
auth SHA256
cipher AES-256-CBC
remote-cert-tls server
comp-lzo
persist-key
persist-tun
verb 3
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>



Verb 4 log

2021-04-02 04:58:10 us=734354 MULTI: multi_create_instance called
2021-04-02 04:58:10 us=734404 Re-using SSL/TLS context
2021-04-02 04:58:10 us=734523 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-02 04:58:10 us=734541 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-02 04:58:10 us=734635 Control Channel MTU parms [ L:1624 D:1170 EF:80 EB:0 ET:0 EL:3 ]
2021-04-02 04:58:10 us=734659 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2021-04-02 04:58:10 us=734716 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
2021-04-02 04:58:10 us=734730 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
2021-04-02 04:58:10 us=734755 TCP connection established with [AF_INET]209.141.56.59:45822
2021-04-02 04:58:10 us=734770 TCPv4_SERVER link local: (not bound)
2021-04-02 04:58:10 us=734784 TCPv4_SERVER link remote: [AF_INET]209.141.56.59:45822
2021-04-02 04:58:10 us=734872 209.141.56.59:45822 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
2021-04-02 04:58:10 us=734889 209.141.56.59:45822 Connection reset, restarting [0]
2021-04-02 04:58:10 us=734901 209.141.56.59:45822 SIGUSR1[soft,connection-reset] received, client-instance restarting
2021-04-02 04:58:10 us=734951 TCP/UDP: Closing socket
2021-04-02 04:58:11 us=93278 MULTI: multi_create_instance called
2021-04-02 04:58:11 us=93316 Re-using SSL/TLS context
2021-04-02 04:58:11 us=93421 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-02 04:58:11 us=93438 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-02 04:58:11 us=93492 Control Channel MTU parms [ L:1624 D:1170 EF:80 EB:0 ET:0 EL:3 ]
2021-04-02 04:58:11 us=93512 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2021-04-02 04:58:11 us=93560 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
2021-04-02 04:58:11 us=93573 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
2021-04-02 04:58:11 us=93635 TCP: accept(10) failed: Software caused connection abort (errno=53)

TinCanTech
OpenVPN Protagonist
Posts: 8866
Joined: Fri Jun 03, 2016 1:17 pm

Re: Random crashes of 2.5.1 server

Post by TinCanTech » Tue Apr 06, 2021 1:31 pm

Because you have only posted a snippet of your log it is hard to say.
But that does not look like your server crashed, it simply dropped the connection.

richard52
OpenVpn Newbie
Posts: 4
Joined: Fri Apr 02, 2021 9:59 am

Re: Random crashes of 2.5.1 server

Post by richard52 » Wed Apr 07, 2021 12:59 pm

TinCanTech wrote:
Tue Apr 06, 2021 1:31 pm
Because you have only posted a snippet of your log it is hard to say.
But that does not look like your server crashed, it simply dropped the connection.

No, that's not a snippet, that's the end of the log. At the same time I got this log message in /var/log/messages:

Apr  7 15:08:16 vpn-ext kernel: [484379] pid 55980 (openvpn), jid 0, uid 65534: exited on signal 11
Apr  7 15:08:16 vpn-ext kernel: [484379] tun5: link state changed to DOWN

And this openvpn verb 4 log:

2021-04-07 15:08:15 us=880177 MULTI: multi_create_instance called
2021-04-07 15:08:15 us=880227 Re-using SSL/TLS context
2021-04-07 15:08:15 us=880336 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-07 15:08:15 us=880355 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-07 15:08:15 us=880417 Control Channel MTU parms [ L:1624 D:1170 EF:80 EB:0 ET:0 EL:3 ]
2021-04-07 15:08:15 us=880439 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2021-04-07 15:08:15 us=880490 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
2021-04-07 15:08:15 us=880504 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
2021-04-07 15:08:15 us=880534 TCP connection established with [AF_INET]209.141.58.91:50552
2021-04-07 15:08:15 us=880557 TCPv4_SERVER link local: (not bound)
2021-04-07 15:08:15 us=880572 TCPv4_SERVER link remote: [AF_INET]209.141.58.91:50552
2021-04-07 15:08:15 us=880659 209.141.58.91:50552 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
2021-04-07 15:08:15 us=880677 209.141.58.91:50552 Connection reset, restarting [0]
2021-04-07 15:08:15 us=880690 209.141.58.91:50552 SIGUSR1[soft,connection-reset] received, client-instance restarting
2021-04-07 15:08:15 us=880736 TCP/UDP: Closing socket
2021-04-07 15:08:16 us=238761 MULTI: multi_create_instance called
2021-04-07 15:08:16 us=238804 Re-using SSL/TLS context
2021-04-07 15:08:16 us=238910 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-07 15:08:16 us=238927 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-07 15:08:16 us=238980 Control Channel MTU parms [ L:1624 D:1170 EF:80 EB:0 ET:0 EL:3 ]
2021-04-07 15:08:16 us=239001 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2021-04-07 15:08:16 us=239051 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
2021-04-07 15:08:16 us=239065 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
2021-04-07 15:08:16 us=239119 TCP: accept(7) failed: Software caused connection abort (errno=53)

TinCanTech
OpenVPN Protagonist
Posts: 8866
Joined: Fri Jun 03, 2016 1:17 pm

Re: Random crashes of 2.5.1 server

Post by TinCanTech » Wed Apr 07, 2021 1:25 pm

richard52 wrote:
Fri Apr 02, 2021 10:26 am
OpenVPN 2.5.1 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Feb 26 2021
library versions: OpenSSL 1.1.1h-freebsd 22 Sep 2020, LZO 2.10

Is this an official version for FreeBSD12.2 or did you build it yourself?

Also, please post your client log at --verb 4 at the time the server crashes.

cron2
Developer
Posts: 19
Joined: Tue Jan 12, 2010 8:08 pm

Re: Random crashes of 2.5.1 server

Post by cron2 » Wed Apr 07, 2021 4:09 pm

I do not think this is related to compression at all.

This looks like a timing issue with TCP connections being reset at an "untimely moment", as in "we're halfway through the TLS handshake, then the session is reset, and at cleanup, we try to clean up something that is not properly initialized yet" - or possibly something with "bad data is injected in the TCP stream", but OpenVPN is normally very careful about handling of network data.

If this can be reproduced more easily, it would be great to run openvpn in a debugger, as in

# gdb /usr/local/sbin/openvpn
(gdb) run --config /path/to/config.ovpn

and when it crashes, it will return to the GDB prompt. Then run

(gdb) where

and post the result.

Alternatively, if you can describe how to reproduce this at will, we can try to reproduce this on our FreeBSD systems.

(And no, there is nothing in 2.5.2 which would fix a SIGSEGV crash)
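
Added example, not part of any post in this thread and not OpenVPN project code: on a TCP link OpenVPN frames every packet with a 16-bit big-endian length, so the value rejected in "Bad encapsulated packet length" is simply the first two bytes the peer sent. The triage script below decodes that value (18245 is 0x4745, ASCII "GE", as in an HTTP GET) and flags warnings that are followed within a second by the accept() failure seen before each crash; the prefix table, the function names and the abridged sample lines are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines taken from the logs in this thread, warning text abridged.
SAMPLE_LOG = """\
2021-04-02 04:58:10 us=734755 TCP connection established with [AF_INET]209.141.56.59:45822
2021-04-02 04:58:10 us=734872 209.141.56.59:45822 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627
2021-04-02 04:58:10 us=734951 TCP/UDP: Closing socket
2021-04-02 04:58:11 us=93278 MULTI: multi_create_instance called
2021-04-02 04:58:11 us=93635 TCP: accept(10) failed: Software caused connection abort (errno=53)
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) us=(\d+) (.*)$")
BAD_LEN = re.compile(r"(\S+) WARNING: Bad encapsulated packet length from peer \((\d+)\)")
ACCEPT_FAIL = re.compile(r"TCP: accept\(\d+\) failed: .*\(errno=\d+\)")

# Assumed, non-exhaustive table: first two bytes of common non-OpenVPN traffic.
PREFIXES = {
    b"GE": "HTTP GET",
    b"PO": "HTTP POST",
    b"HE": "HTTP HEAD",
    b"OP": "HTTP OPTIONS",
    b"CO": "HTTP CONNECT",
    b"SS": "SSH banner",
    b"\x16\x03": "TLS record",
}


def decode_length(n):
    """Return the two wire bytes that OpenVPN read as the packet length."""
    if not 0 <= n <= 0xFFFF:
        raise ValueError("length field is 16 bits")
    return n.to_bytes(2, "big")


def classify(n):
    """Guess what kind of traffic starts with these two bytes."""
    return PREFIXES.get(decode_length(n), "unknown")


def analyze(log_text, window=1.0):
    """List bad-length warnings; mark those followed by an accept() failure within `window` s."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ts += timedelta(microseconds=int(m.group(2)))  # us= is not zero-padded
        bad = BAD_LEN.search(m.group(3))
        if bad:
            n = int(bad.group(2))
            findings.append({"time": ts, "peer": bad.group(1), "length": n,
                             "bytes": decode_length(n), "guess": classify(n),
                             "accept_failed_after": False})
        elif ACCEPT_FAIL.search(m.group(3)):
            for f in findings:
                if 0 <= (ts - f["time"]).total_seconds() <= window:
                    f["accept_failed_after"] = True
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["time"], f["peer"], f["length"], f["bytes"], f["guess"],
              "accept() failed right after" if f["accept_failed_after"] else "")
```

Run against the full /var/log/openvpn.log, the output shows which peers send non-OpenVPN traffic to the port and how often such a connection is followed by the accept() failure.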

TinCanTech
OpenVPN Protagonist
Posts: 8866
Joined: Fri Jun 03, 2016 1:17 pm

Re: Random crashes of 2.5.1 server

Post by TinCanTech » Wed Apr 07, 2021 6:38 pm

I notice from your three server logs that there are only two unique client IP addresses.
Do you know which client causes the crash or is it also random clients ?

TinCanTech
OpenVPN Protagonist
Posts: 8866
Joined: Fri Jun 03, 2016 1:17 pm

Re: Random crashes of 2.5.1 server

Post by TinCanTech » Thu Apr 08, 2021 2:49 pm

You have this version:
  • OpenVPN 2.5.1 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Feb 26 2021
    library versions: OpenSSL 1.1.1h-freebsd 22 Sep 2020, LZO 2.10
I get this version from ports:
  • OpenVPN 2.5.1 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 28 2021
    library versions: OpenSSL 1.1.1h-freebsd 22 Sep 2020, LZO 2.10
Try updating and let us know if the problem persists.
