Large packets stop working when transferring big data

Need help configuring your VPN? Just post here and you'll get that help.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
michael.uray
OpenVPN User
Posts: 16
Joined: Wed Jan 11, 2017 3:06 pm

Large packets stop working when transferring big data

Post by michael.uray » Wed Jan 11, 2017 3:54 pm

Hi guys,

maybe you can help me out with my issue here.

At first I had a MTU problem that larger packages did not go through, but I was able to fix this with "mssfix".

Now in general larger packets go through the connection (ping test size 1600), but as soon as I start transferring a bigger amount of data over this connection (e.g. VNC remote control via TCP) the maximum size of the possible packets drops down to 1406 bytes (or down to 1326 bytes on another connection).

After about one minute past the big data transfer the large packets start working again.

My connection way looks like this:
Client1 -> Server (iptables, no client-to-client) -> Client2

Server, Debian, OpenVPN 2.2.1
Server
port 1194
proto udp
dev tun
ca certs/SRV01_-_CA.crt
cert certs/SRV01_VPN1_VPN_Server.crt
key certs/SRV01_VPN1_VPN_Server.key
dh dh1024.pem
server 10.101.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
duplicate-cn
keepalive 10 60
tls-auth ta.key 0 # This file is secret
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
float
status openvpn-status.log 1
status-version 3
log-append /var/log/openvpn/server.log
verb 3
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
username-as-common-name
script-security 2
client-connect /etc/openvpn/scripts/client_connect.sh
client-disconnect /etc/openvpn/scripts/client_disconnect.sh
route 10.1.0.0 255.255.0.0
route 10.100.0.0 255.255.0.0
management 127.0.0.1 2222
mssfix
Client, Windows, OpenVPN 2.3.4
Client
client
dev tun
proto udp
remote secret.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
float
ca SRV01_-_CA.crt
cert SRV01_VPN1_VPN_Client.crt
key SRV01_VPN1_VPN_Client.key
tls-auth SRV01_VPN1_VPN_ta.key 1
ns-cert-type server
verb 3
auth-user-pass SRV01_VPN1_VPN_Auth.txt
comp-lzo
mssfix
explicit-exit-notify 3
route 0.0.0.0 0.0.0.0
route-metric 512
Large packets stop working (timeout):
Image

Large packets start working again:
Image

Have you guys any idea, where this problem could come from?

Best wishes
Michael

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 3006
Joined: Fri Jun 03, 2016 1:17 pm

Re: Large packets stop working when transferring big data

Post by TinCanTech » Wed Jan 11, 2017 4:40 pm

michael.uray wrote:Server, Debian, OpenVPN 2.2.1
Built on 08-May-2013 ... is your Debian box likewise as out-of-date as openvpn ?

https://community.openvpn.net/openvpn/w ... twareRepos

michael.uray
OpenVPN User
Posts: 16
Joined: Wed Jan 11, 2017 3:06 pm

Re: Large packets stop working when transferring big data

Post by michael.uray » Wed Jan 11, 2017 6:59 pm

TinCanTech wrote:Built on 08-May-2013 ... is your Debian box likewise as out-of-date as openvpn ?
Thanks for the hint.

Debian is V 7 (Wheezy) and it is up to date.

I did update the VPN server as well as the two clients to the current OpenVPN version 2.4, but unfortunately is the problem still present.

Maybe any other ideas?

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 3006
Joined: Fri Jun 03, 2016 1:17 pm

Re: Large packets stop working when transferring big data

Post by TinCanTech » Wed Jan 11, 2017 8:12 pm

Unless you know details about all of the intermediate networks over which your VPN traverses, I would go back to the default values. ie: Do not mess about with MTU. See how that works.

michael.uray
OpenVPN User
Posts: 16
Joined: Wed Jan 11, 2017 3:06 pm

Re: Large packets stop working when transferring big data

Post by michael.uray » Wed Jan 11, 2017 9:41 pm

TinCanTech wrote:Unless you know details about all of the intermediate networks over which your VPN traverses, I would go back to the default values. ie: Do not mess about with MTU. See how that works.
The connections between the client and the server goes through the Internet so I actually know nothing about it.

What do you mean with "back to the default"?

The only thing what I added regarding the MTU problem was the option "mssfix".
Before that a ping with a length of 1600 was not possible at all.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 3006
Joined: Fri Jun 03, 2016 1:17 pm

Re: Large packets stop working when transferring big data

Post by TinCanTech » Wed Jan 11, 2017 11:22 pm

michael.uray wrote:Before that a ping with a length of 1600 was not possible at all.
Good .. probably because you have standard MTU of 1500 .. I have no idea how you managed to force that up to 1600 ..

anybody else :?:

TiTex
OpenVPN Expert
Posts: 231
Joined: Tue Apr 12, 2011 6:22 am

Re: Large packets stop working when transferring big data

Post by TiTex » Thu Jan 12, 2017 8:36 am

No idea , i never had to mess around with mssfix,sndbuf,rcvbuf,etc

michael.uray
OpenVPN User
Posts: 16
Joined: Wed Jan 11, 2017 3:06 pm

Re: Large packets stop working when transferring big data

Post by michael.uray » Thu Jan 12, 2017 9:45 am

TinCanTech wrote:Good .. probably because you have standard MTU of 1500 .. I have no idea how you managed to force that up to 1600 ..
Just to prevent any misunderstandings:
The max. MTU size for the VPN packets and in consequence for the packets in the tunnel varies depending on the site where the client is installed.
When I am writing about a ping of 1600 bytes which is possible / not possible, then I mean that fragmenting is working or not.

Without the mssfix option a ping with a length of 1600 is not possible at all.
With the mssfix option the ping with a length of 1600 works, but it stops working for about one minute when more data gets transferred via the tunnel at the same time. - It is also not a bandwidth problem, because one byte more or less doesn't work or does work in this situation.

When a ping with 1600 goes through the tunnel then it gets fragmented for sure and I actually want to test with it if the fragmentation works properly.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 3006
Joined: Fri Jun 03, 2016 1:17 pm

Re: Large packets stop working when transferring big data

Post by TinCanTech » Thu Jan 12, 2017 12:03 pm

Please post your client and server logs at --verb 4 .. leave the vpn running for a few minutes and do your pings then post the logs.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 3006
Joined: Fri Jun 03, 2016 1:17 pm

Re: Large packets stop working when transferring big data

Post by TinCanTech » Thu Jan 12, 2017 12:06 pm

michael.uray wrote:client
..
route 0.0.0.0 0.0.0.0
Try using --redirect-gateway option .. which is designed to do this properly.

michael.uray
OpenVPN User
Posts: 16
Joined: Wed Jan 11, 2017 3:06 pm

Re: Large packets stop working when transferring big data

Post by michael.uray » Thu Jan 12, 2017 1:31 pm

TinCanTech wrote:
michael.uray wrote:client
..
route 0.0.0.0 0.0.0.0
Try using --redirect-gateway option .. which is designed to do this properly.
I actually do not want to use this connection as default gateway, but it is required to have a default gateway on this connection that the Windows firewall can assign it to a firewall zone. This is also the reason why the metric is set to 512.
It should not related to this problem.

FYI, this is something what is described more in the detail on the following page:
http://asktheoracle.com/blog/how-to-mak ... -firewall/
TinCanTech wrote:Please post your client and server logs at --verb 4 .. leave the vpn running for a few minutes and do your pings then post the logs.
I did a ping test (size 1600) from client1 -> server (via iptables, no client-to-client) -> client2 and opened then a VNC connection from client1 to client2 which caused the interruptions of the ping for about 1 minute.

I did it 5 times and I only got two times the message "PID_ERR replay-window backtrack occurred" on the client1.
No messages on the server and on client2, the verbose level was on 5.

When the ping with larger packages stops working on the client1, then the ping with larger packages to the client2 on the server stops at the same time.

michael.uray
OpenVPN User
Posts: 16
Joined: Wed Jan 11, 2017 3:06 pm

Re: Large packets stop working when transferring big data

Post by michael.uray » Mon Jan 16, 2017 10:50 am

Am actually using the VPN connection on the following way, where the problem with the large packets occurs:
"Client1 (Windows) -> Server (Debian, iptables, no client-to-client) -> Client2 (OpenWRT) -> Host x"

It is also possible for me to connect directly "Client1 (Windows) -> Client2 (OpenWRT) -> Host x" without the server in the middle which acts as VPN concentrator.
Client2 is in this case actually a "server".
On this way the problem does not occur and so I am wondering what could be wrong with the server in the middle (Debian 8 / Jessie, OpenVPN 2.4.0, iptables v1.4.21) or what is different with its configuration compared to the direct client1 -> client2 connection.

The following configuration is used for my "Client1 -> Client2" direct connection:
Client1 Config
client
dev tun
proto udp
remote secret.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
float
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
verb 3
Client2 Config - which is actually server
server 10.100.54.0 255.255.255.0
proto udp
dev tun
ca CA.crt
cert Server.crt
key Server.key
dh dh1024.pem
ifconfig-pool-persist /tmp/ipp.txt
keepalive 25 60
status /var/log/openvpn-status.log
push route 10.1.54.0 255.255.255.0
duplicate-cn
verb 3
Have you guys some more ideas what could be the reason for this issue?

michael.uray
OpenVPN User
Posts: 16
Joined: Wed Jan 11, 2017 3:06 pm

Re: Large packets stop working when transferring big data

Post by michael.uray » Wed Mar 15, 2017 11:36 am

I am actually still having this issue.

When I try to run the server with the "client-to-client" option then the problem is also present, means it is probably not related to iptables.
I also tried to run both Windows clients to another OpenVPN server on an OpenWRT system with almost the same client configuration and it does not happen there.

This is the comparison between both server configs:
Image

I also did run the OpenWRT server with the comp-lzo option, but it did not cause any problems.

Some more ideas what I could test to locate the problem?

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 3006
Joined: Fri Jun 03, 2016 1:17 pm

Re: Large packets stop working when transferring big data

Post by TinCanTech » Wed Mar 15, 2017 5:43 pm

TinCanTech wrote:
michael.uray wrote:Before that a ping with a length of 1600 was not possible at all.
Good .. probably because you have standard MTU of 1500 .. I have no idea how you managed to force that up to 1600
You cannot force an MTU of 1600 unless you control every single network between your server and client.

300000
OpenVPN User
Posts: 22
Joined: Tue May 01, 2012 9:30 pm

Re: Large packets stop working when transferring big data

Post by 300000 » Thu Mar 16, 2017 5:47 pm

you shoul try run on tcp than udp . tcp will hanle tranfer data better than udp . dont need to change anything . just try tcp first .

because tcp have the way to correct data when it tranfer so it is best way to use . udp somehow only good if server and client very close location and very good data link to work if not it is sure will mess up with corrup data

michael.uray
OpenVPN User
Posts: 16
Joined: Wed Jan 11, 2017 3:06 pm

Re: Large packets stop working when transferring big data

Post by michael.uray » Thu Apr 13, 2017 10:52 am

300000 wrote:you shoul try run on tcp than udp . tcp will hanle tranfer data better than udp . dont need to change anything . just try tcp first .
I have read on a couple sites that UDP is actually the recommended protocol for OpenVPN.
There are about 100 clients connected to this server so its unfortunately not possible to change that easily.
TinCanTech wrote:
TinCanTech wrote:
michael.uray wrote:Before that a ping with a length of 1600 was not possible at all.
Good .. probably because you have standard MTU of 1500 .. I have no idea how you managed to force that up to 1600
You cannot force an MTU of 1600 unless you control every single network between your server and client.
I understand that the package gets fragmented to the highest possible size within the tunnel.
It basically works on this way, because I am able to send larger ping packages which get fragemented. It just stops working then for some reason if I start transferring more data.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 3006
Joined: Fri Jun 03, 2016 1:17 pm

Re: Large packets stop working when transferring big data

Post by TinCanTech » Thu Apr 13, 2017 11:23 am

Complete logs at --verb 4 while the errors occur.

michael.uray
OpenVPN User
Posts: 16
Joined: Wed Jan 11, 2017 3:06 pm

Re: Large packets stop working when transferring big data

Post by michael.uray » Thu Apr 13, 2017 3:14 pm

Server,
Debian Linux,
OpenVPN 2.4.1 i586-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2017

Code: Select all

Thu Apr 13 16:23:12 2017 us=393221 Current Parameter Settings:
Thu Apr 13 16:23:12 2017 us=393230   config = '/etc/openvpn/server2.conf'
Thu Apr 13 16:23:12 2017 us=393238   mode = 1
Thu Apr 13 16:23:12 2017 us=393244   persist_config = DISABLED
Thu Apr 13 16:23:12 2017 us=393251   persist_mode = 1
Thu Apr 13 16:23:12 2017 us=393257   show_ciphers = DISABLED
Thu Apr 13 16:23:12 2017 us=393264   show_digests = DISABLED
Thu Apr 13 16:23:12 2017 us=393270   show_engines = DISABLED
Thu Apr 13 16:23:12 2017 us=393277   genkey = DISABLED
Thu Apr 13 16:23:12 2017 us=393283   key_pass_file = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393289   show_tls_ciphers = DISABLED
Thu Apr 13 16:23:12 2017 us=393296   connect_retry_max = 0
Thu Apr 13 16:23:12 2017 us=393302 Connection profiles [0]:
Thu Apr 13 16:23:12 2017 us=393309   proto = udp
Thu Apr 13 16:23:12 2017 us=393316   local = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393322   local_port = '1111'
Thu Apr 13 16:23:12 2017 us=393329   remote = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393335   remote_port = '1111'
Thu Apr 13 16:23:12 2017 us=393342   remote_float = ENABLED
Thu Apr 13 16:23:12 2017 us=393348   bind_defined = DISABLED
Thu Apr 13 16:23:12 2017 us=393354   bind_local = ENABLED
Thu Apr 13 16:23:12 2017 us=393361   bind_ipv6_only = DISABLED
Thu Apr 13 16:23:12 2017 us=393367   connect_retry_seconds = 5
Thu Apr 13 16:23:12 2017 us=393373   connect_timeout = 120
Thu Apr 13 16:23:12 2017 us=393380   socks_proxy_server = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393386   socks_proxy_port = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393393   tun_mtu = 1500
Thu Apr 13 16:23:12 2017 us=393399   tun_mtu_defined = ENABLED
Thu Apr 13 16:23:12 2017 us=393405   link_mtu = 1500
Thu Apr 13 16:23:12 2017 us=393412   link_mtu_defined = DISABLED
Thu Apr 13 16:23:12 2017 us=393418   tun_mtu_extra = 0
Thu Apr 13 16:23:12 2017 us=393425   tun_mtu_extra_defined = DISABLED
Thu Apr 13 16:23:12 2017 us=393431   mtu_discover_type = -1
Thu Apr 13 16:23:12 2017 us=393437   fragment = 0
Thu Apr 13 16:23:12 2017 us=393443   mssfix = 1450
Thu Apr 13 16:23:12 2017 us=393450   explicit_exit_notification = 0
Thu Apr 13 16:23:12 2017 us=393456 Connection profiles END
Thu Apr 13 16:23:12 2017 us=393463   remote_random = DISABLED
Thu Apr 13 16:23:12 2017 us=393469   ipchange = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393475   dev = 'tun'
Thu Apr 13 16:23:12 2017 us=393482   dev_type = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393488   dev_node = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393494   lladdr = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393501   topology = 1
Thu Apr 13 16:23:12 2017 us=393507   ifconfig_local = '10.102.0.1'
Thu Apr 13 16:23:12 2017 us=393513   ifconfig_remote_netmask = '10.102.0.2'
Thu Apr 13 16:23:12 2017 us=393520   ifconfig_noexec = DISABLED
Thu Apr 13 16:23:12 2017 us=393526   ifconfig_nowarn = DISABLED
Thu Apr 13 16:23:12 2017 us=393532   ifconfig_ipv6_local = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393539   ifconfig_ipv6_netbits = 0
Thu Apr 13 16:23:12 2017 us=393545   ifconfig_ipv6_remote = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393552   shaper = 0
Thu Apr 13 16:23:12 2017 us=393558   mtu_test = 0
Thu Apr 13 16:23:12 2017 us=393564   mlock = DISABLED
Thu Apr 13 16:23:12 2017 us=393571   keepalive_ping = 10
Thu Apr 13 16:23:12 2017 us=393577   keepalive_timeout = 60
Thu Apr 13 16:23:12 2017 us=393583   inactivity_timeout = 0
Thu Apr 13 16:23:12 2017 us=393589   ping_send_timeout = 10
Thu Apr 13 16:23:12 2017 us=393596   ping_rec_timeout = 120
Thu Apr 13 16:23:12 2017 us=393602   ping_rec_timeout_action = 2
Thu Apr 13 16:23:12 2017 us=393608   ping_timer_remote = DISABLED
Thu Apr 13 16:23:12 2017 us=393615   remap_sigusr1 = 0
Thu Apr 13 16:23:12 2017 us=393621   persist_tun = ENABLED
Thu Apr 13 16:23:12 2017 us=393627   persist_local_ip = DISABLED
Thu Apr 13 16:23:12 2017 us=393633   persist_remote_ip = DISABLED
Thu Apr 13 16:23:12 2017 us=393640   persist_key = ENABLED
Thu Apr 13 16:23:12 2017 us=393646   passtos = DISABLED
Thu Apr 13 16:23:12 2017 us=393658   resolve_retry_seconds = 1000000000
Thu Apr 13 16:23:12 2017 us=393665   resolve_in_advance = DISABLED
Thu Apr 13 16:23:12 2017 us=393672   username = 'nobody'
Thu Apr 13 16:23:12 2017 us=393678   groupname = 'nogroup'
Thu Apr 13 16:23:12 2017 us=393685   chroot_dir = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393691   cd_dir = '/etc/openvpn'
Thu Apr 13 16:23:12 2017 us=393697   writepid = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393704   up_script = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393710   down_script = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393716   down_pre = DISABLED
Thu Apr 13 16:23:12 2017 us=393722   up_restart = DISABLED
Thu Apr 13 16:23:12 2017 us=393728   up_delay = DISABLED
Thu Apr 13 16:23:12 2017 us=393735   daemon = ENABLED
Thu Apr 13 16:23:12 2017 us=393741   inetd = 0
Thu Apr 13 16:23:12 2017 us=393747   log = ENABLED
Thu Apr 13 16:23:12 2017 us=393754   suppress_timestamps = DISABLED
Thu Apr 13 16:23:12 2017 us=393760   machine_readable_output = DISABLED
Thu Apr 13 16:23:12 2017 us=393766   nice = 0
Thu Apr 13 16:23:12 2017 us=393773   verbosity = 4
Thu Apr 13 16:23:12 2017 us=393779   mute = 0
Thu Apr 13 16:23:12 2017 us=393785   gremlin = 0
Thu Apr 13 16:23:12 2017 us=393792   status_file = 'openvpn2-status.log'
Thu Apr 13 16:23:12 2017 us=393798   status_file_version = 3
Thu Apr 13 16:23:12 2017 us=393804   status_file_update_freq = 1
Thu Apr 13 16:23:12 2017 us=393811   occ = ENABLED
Thu Apr 13 16:23:12 2017 us=393817   rcvbuf = 0
Thu Apr 13 16:23:12 2017 us=393823   sndbuf = 0
Thu Apr 13 16:23:12 2017 us=393829   mark = 0
Thu Apr 13 16:23:12 2017 us=393835   sockflags = 0
Thu Apr 13 16:23:12 2017 us=393842   fast_io = DISABLED
Thu Apr 13 16:23:12 2017 us=393848   comp.alg = 2
Thu Apr 13 16:23:12 2017 us=393854   comp.flags = 1
Thu Apr 13 16:23:12 2017 us=393861   route_script = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393867   route_default_gateway = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393874   route_default_metric = 0
Thu Apr 13 16:23:12 2017 us=393880   route_noexec = DISABLED
Thu Apr 13 16:23:12 2017 us=393887   route_delay = 0
Thu Apr 13 16:23:12 2017 us=393893   route_delay_window = 30
Thu Apr 13 16:23:12 2017 us=393899   route_delay_defined = DISABLED
Thu Apr 13 16:23:12 2017 us=393905   route_nopull = DISABLED
Thu Apr 13 16:23:12 2017 us=393912   route_gateway_via_dhcp = DISABLED
Thu Apr 13 16:23:12 2017 us=393918   allow_pull_fqdn = DISABLED
Thu Apr 13 16:23:12 2017 us=393926   route 10.102.0.0/255.255.0.0/default (not set)/default (not set)
Thu Apr 13 16:23:12 2017 us=393933   management_addr = '127.0.0.1'
Thu Apr 13 16:23:12 2017 us=393939   management_port = '2221'
Thu Apr 13 16:23:12 2017 us=393946   management_user_pass = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393952   management_log_history_cache = 250
Thu Apr 13 16:23:12 2017 us=393959   management_echo_buffer_size = 100
Thu Apr 13 16:23:12 2017 us=393965   management_write_peer_info_file = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393972   management_client_user = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393978   management_client_group = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=393984   management_flags = 0
Thu Apr 13 16:23:12 2017 us=393993   plugin[0] /usr/lib/openvpn/openvpn-auth-ldap.so '[/usr/lib/openvpn/openvpn-auth-ldap.so] [/etc/openvpn/auth/auth-ldap.conf]'
Thu Apr 13 16:23:12 2017 us=394000   shared_secret_file = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=394006   key_direction = 1
Thu Apr 13 16:23:12 2017 us=394013   ciphername = 'BF-CBC'
Thu Apr 13 16:23:12 2017 us=394019   ncp_enabled = ENABLED
Thu Apr 13 16:23:12 2017 us=394025   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Thu Apr 13 16:23:12 2017 us=394032   authname = 'SHA1'
Thu Apr 13 16:23:12 2017 us=394038   prng_hash = 'SHA1'
Thu Apr 13 16:23:12 2017 us=394044   prng_nonce_secret_len = 16
Thu Apr 13 16:23:12 2017 us=394051   keysize = 0
Thu Apr 13 16:23:12 2017 us=394057   engine = DISABLED
Thu Apr 13 16:23:12 2017 us=394063   replay = ENABLED
Thu Apr 13 16:23:12 2017 us=394070   mute_replay_warnings = DISABLED
Thu Apr 13 16:23:12 2017 us=394076   replay_window = 64
Thu Apr 13 16:23:12 2017 us=394092   replay_time = 15
Thu Apr 13 16:23:12 2017 us=394099   packet_id_file = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=394105   use_iv = ENABLED
Thu Apr 13 16:23:12 2017 us=394111   test_crypto = DISABLED
Thu Apr 13 16:23:12 2017 us=394118   tls_server = ENABLED
Thu Apr 13 16:23:12 2017 us=394124   tls_client = DISABLED
Thu Apr 13 16:23:12 2017 us=394130   key_method = 2
Thu Apr 13 16:23:12 2017 us=394137   ca_file = 'certs/CTB_Automation_GmbH_-_CA.crt'
Thu Apr 13 16:23:12 2017 us=394143   ca_path = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=394150   dh_file = 'dh1024.pem'
Thu Apr 13 16:23:12 2017 us=394156   cert_file = 'certs/CTB_Automation_GmbH_VPN1_VPN_Server.crt'
Thu Apr 13 16:23:12 2017 us=394163   extra_certs_file = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=394169   priv_key_file = 'certs/CTB_Automation_GmbH_VPN1_VPN_Server.key'
Thu Apr 13 16:23:12 2017 us=394176   pkcs12_file = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=394182   cipher_list = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=394189   tls_verify = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=394195   tls_export_cert = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=394201   verify_x509_type = 0
Thu Apr 13 16:23:12 2017 us=394208   verify_x509_name = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=394214   crl_file = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=394221   ns_cert_type = 0
Thu Apr 13 16:23:12 2017 us=394227   remote_cert_ku[i] = 0
...
Thu Apr 13 16:23:12 2017 us=394318   remote_cert_ku[i] = 0
Thu Apr 13 16:23:12 2017 us=394325   remote_cert_eku = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=394331   ssl_flags = 4
Thu Apr 13 16:23:12 2017 us=394338   tls_timeout = 2
Thu Apr 13 16:23:12 2017 us=394344   renegotiate_bytes = -1
Thu Apr 13 16:23:12 2017 us=394350   renegotiate_packets = 0
Thu Apr 13 16:23:12 2017 us=394356   renegotiate_seconds = 3600
Thu Apr 13 16:23:12 2017 us=394363   handshake_window = 60
Thu Apr 13 16:23:12 2017 us=394369   transition_window = 3600
Thu Apr 13 16:23:12 2017 us=394375   single_session = DISABLED
Thu Apr 13 16:23:12 2017 us=394382   push_peer_info = DISABLED
Thu Apr 13 16:23:12 2017 us=394388   tls_exit = DISABLED
Thu Apr 13 16:23:12 2017 us=394394   tls_auth_file = 'ta.key'
Thu Apr 13 16:23:12 2017 us=394400   tls_crypt_file = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=394407   pkcs11_protected_authentication = DISABLED
...
Thu Apr 13 16:23:12 2017 us=394507   pkcs11_protected_authentication = DISABLED
Thu Apr 13 16:23:12 2017 us=394513   pkcs11_private_mode = 00000000
...
Thu Apr 13 16:23:12 2017 us=394609   pkcs11_private_mode = 00000000
Thu Apr 13 16:23:12 2017 us=394615   pkcs11_cert_private = DISABLED
...
Thu Apr 13 16:23:12 2017 us=394710   pkcs11_cert_private = DISABLED
Thu Apr 13 16:23:12 2017 us=394716   pkcs11_pin_cache_period = -1
Thu Apr 13 16:23:12 2017 us=394723   pkcs11_id = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=394729   pkcs11_id_management = DISABLED
Thu Apr 13 16:23:12 2017 us=394737   server_network = 10.102.0.0
Thu Apr 13 16:23:12 2017 us=394745   server_netmask = 255.255.0.0
Thu Apr 13 16:23:12 2017 us=394753   server_network_ipv6 = ::
Thu Apr 13 16:23:12 2017 us=394760   server_netbits_ipv6 = 0
Thu Apr 13 16:23:12 2017 us=394767   server_bridge_ip = 0.0.0.0
Thu Apr 13 16:23:12 2017 us=394774   server_bridge_netmask = 0.0.0.0
Thu Apr 13 16:23:12 2017 us=394781   server_bridge_pool_start = 0.0.0.0
Thu Apr 13 16:23:12 2017 us=394802   server_bridge_pool_end = 0.0.0.0
Thu Apr 13 16:23:12 2017 us=394809   push_entry = 'route 10.102.0.1'
Thu Apr 13 16:23:12 2017 us=394816   push_entry = 'topology net30'
Thu Apr 13 16:23:12 2017 us=394822   push_entry = 'ping 10'
Thu Apr 13 16:23:12 2017 us=394829   push_entry = 'ping-restart 60'
Thu Apr 13 16:23:12 2017 us=394835   ifconfig_pool_defined = ENABLED
Thu Apr 13 16:23:12 2017 us=394843   ifconfig_pool_start = 10.102.0.4
Thu Apr 13 16:23:12 2017 us=394851   ifconfig_pool_end = 10.102.255.251
Thu Apr 13 16:23:12 2017 us=394858   ifconfig_pool_netmask = 0.0.0.0
Thu Apr 13 16:23:12 2017 us=394865   ifconfig_pool_persist_filename = 'ipp.txt'
Thu Apr 13 16:23:12 2017 us=394871   ifconfig_pool_persist_refresh_freq = 600
Thu Apr 13 16:23:12 2017 us=394878   ifconfig_ipv6_pool_defined = DISABLED
Thu Apr 13 16:23:12 2017 us=394885   ifconfig_ipv6_pool_base = ::
Thu Apr 13 16:23:12 2017 us=394892   ifconfig_ipv6_pool_netbits = 0
Thu Apr 13 16:23:12 2017 us=394903   n_bcast_buf = 256
Thu Apr 13 16:23:12 2017 us=394911   tcp_queue_limit = 64
Thu Apr 13 16:23:12 2017 us=394917   real_hash_size = 256
Thu Apr 13 16:23:12 2017 us=394924   virtual_hash_size = 256
Thu Apr 13 16:23:12 2017 us=394930   client_connect_script = '/etc/openvpn/scripts/client_connect.sh'
Thu Apr 13 16:23:12 2017 us=394937   learn_address_script = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=394943   client_disconnect_script = '/etc/openvpn/scripts/client_disconnect.sh'
Thu Apr 13 16:23:12 2017 us=394950   client_config_dir = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=394956   ccd_exclusive = DISABLED
Thu Apr 13 16:23:12 2017 us=394963   tmp_dir = '/tmp'
Thu Apr 13 16:23:12 2017 us=394969   push_ifconfig_defined = DISABLED
Thu Apr 13 16:23:12 2017 us=394977   push_ifconfig_local = 0.0.0.0
Thu Apr 13 16:23:12 2017 us=394984   push_ifconfig_remote_netmask = 0.0.0.0
Thu Apr 13 16:23:12 2017 us=394991   push_ifconfig_ipv6_defined = DISABLED
Thu Apr 13 16:23:12 2017 us=394998   push_ifconfig_ipv6_local = ::/0
Thu Apr 13 16:23:12 2017 us=395005   push_ifconfig_ipv6_remote = ::
Thu Apr 13 16:23:12 2017 us=395011   enable_c2c = DISABLED
Thu Apr 13 16:23:12 2017 us=395018   duplicate_cn = ENABLED
Thu Apr 13 16:23:12 2017 us=395024   cf_max = 0
Thu Apr 13 16:23:12 2017 us=395031   cf_per = 0
Thu Apr 13 16:23:12 2017 us=395037   max_clients = 1024
Thu Apr 13 16:23:12 2017 us=395043   max_routes_per_client = 256
Thu Apr 13 16:23:12 2017 us=395050   auth_user_pass_verify_script = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=395056   auth_user_pass_verify_script_via_file = DISABLED
Thu Apr 13 16:23:12 2017 us=395063   auth_token_generate = DISABLED
Thu Apr 13 16:23:12 2017 us=395069   auth_token_lifetime = 0
Thu Apr 13 16:23:12 2017 us=395076   port_share_host = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=395082   port_share_port = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=395088   client = DISABLED
Thu Apr 13 16:23:12 2017 us=395095   pull = DISABLED
Thu Apr 13 16:23:12 2017 us=395101   auth_user_pass_file = '[UNDEF]'
Thu Apr 13 16:23:12 2017 us=395109 OpenVPN 2.4.1 i586-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2017
Thu Apr 13 16:23:12 2017 us=395121 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Thu Apr 13 16:23:12 2017 us=396953 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:2221
Thu Apr 13 16:23:12 2017 us=397154 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Thu Apr 13 16:23:12 2017 us=397250 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Apr 13 16:23:12 2017 us=404908 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-auth-ldap.so '[/usr/lib/openvpn/openvpn-auth-ldap.so] [/etc/openvpn/auth/auth-ldap.conf]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT 
Thu Apr 13 16:23:12 2017 us=405351 Diffie-Hellman initialized with 1024 bit key
Thu Apr 13 16:23:12 2017 us=406379 Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
Thu Apr 13 16:23:12 2017 us=406409 ECDH curve secp384r1 added
Thu Apr 13 16:23:12 2017 us=406580 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 13 16:23:12 2017 us=406605 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 13 16:23:12 2017 us=406631 TLS-Auth MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Thu Apr 13 16:23:12 2017 us=409794 ROUTE_GATEWAY 151.236.8.1/255.255.255.0 IFACE=eth0 HWADDR=52:54:00:5d:0c:10
Thu Apr 13 16:23:12 2017 us=410372 TUN/TAP device tun1 opened
Thu Apr 13 16:23:12 2017 us=410394 TUN/TAP TX queue length set to 100
Thu Apr 13 16:23:12 2017 us=410410 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Apr 13 16:23:12 2017 us=410432 /sbin/ip link set dev tun1 up mtu 1500
Thu Apr 13 16:23:12 2017 us=411963 /sbin/ip addr add dev tun1 local 10.102.0.1 peer 10.102.0.2
Thu Apr 13 16:23:12 2017 us=413763 /sbin/ip route add 10.102.0.0/16 via 10.102.0.2
Thu Apr 13 16:23:12 2017 us=416567 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Apr 13 16:23:12 2017 us=416968 Could not determine IPv4/IPv6 protocol. Using AF_INET
Thu Apr 13 16:23:12 2017 us=417000 Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Apr 13 16:23:12 2017 us=417021 UDPv4 link local (bound): [AF_INET][undef]:1111
Thu Apr 13 16:23:12 2017 us=417032 UDPv4 link remote: [AF_UNSPEC]
Thu Apr 13 16:23:12 2017 us=417044 GID set to nogroup
Thu Apr 13 16:23:12 2017 us=417056 UID set to nobody
Thu Apr 13 16:23:12 2017 us=417071 MULTI: multi_init called, r=256 v=256
Thu Apr 13 16:23:12 2017 us=417239 IFCONFIG POOL: base=10.102.0.4 size=16382, ipv6=0
Thu Apr 13 16:23:12 2017 us=417259 IFCONFIG POOL LIST
Thu Apr 13 16:23:12 2017 us=417323 Initialization Sequence Completed
Thu Apr 13 16:23:36 2017 us=591345 MULTI: multi_create_instance called
Thu Apr 13 16:23:36 2017 us=591407 83.65.96.213:64840 Re-using SSL/TLS context
Thu Apr 13 16:23:36 2017 us=591431 83.65.96.213:64840 LZO compression initializing
Thu Apr 13 16:23:36 2017 us=591588 83.65.96.213:64840 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Thu Apr 13 16:23:36 2017 us=591605 83.65.96.213:64840 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Apr 13 16:23:36 2017 us=591651 83.65.96.213:64840 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Thu Apr 13 16:23:36 2017 us=591662 83.65.96.213:64840 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Thu Apr 13 16:23:36 2017 us=591705 83.65.96.213:64840 TLS: Initial packet from [AF_INET]83.65.96.213:64840, sid=7a1519cf 9a3dc1db
Thu Apr 13 16:23:36 2017 us=646232 83.65.96.213:64840 VERIFY OK: depth=3, C=AT, ST=Styria, L=Lebring, O=CTB Automation GmbH, OU=Administration, CN=CTB Automation GmbH - CA, emailAddress=nix@nix.com
Thu Apr 13 16:23:36 2017 us=646609 83.65.96.213:64840 VERIFY OK: depth=2, C=AT, ST=Styria, L=Lebring, O=CTB Automation GmbH, OU=Administration, CN=CTB Automation GmbH - VPN CA, emailAddress=nix@nix.com
Thu Apr 13 16:23:36 2017 us=646910 83.65.96.213:64840 VERIFY OK: depth=1, C=AT, ST=Styria, L=Lebring, O=CTB Automation GmbH, OU=Administration, CN=CTB Automation GmbH - VPN1 VPN CA, emailAddress=nix@nix.com
Thu Apr 13 16:23:36 2017 us=647319 83.65.96.213:64840 VERIFY OK: depth=0, C=AT, ST=Styria, L=Lebring, O=CTB Automatisierungstechnik GmbH, OU=Network Administration, CN=CTB Automation GmbH VPN1 VPN Client, emailAddress=nix@nix.com
Thu Apr 13 16:23:36 2017 us=667608 83.65.96.213:64840 peer info: IV_VER=2.4.0
Thu Apr 13 16:23:36 2017 us=667661 83.65.96.213:64840 peer info: IV_PLAT=win
Thu Apr 13 16:23:36 2017 us=667673 83.65.96.213:64840 peer info: IV_PROTO=2
Thu Apr 13 16:23:36 2017 us=667684 83.65.96.213:64840 peer info: IV_NCP=2
Thu Apr 13 16:23:36 2017 us=667694 83.65.96.213:64840 peer info: IV_LZ4=1
Thu Apr 13 16:23:36 2017 us=667704 83.65.96.213:64840 peer info: IV_LZ4v2=1
Thu Apr 13 16:23:36 2017 us=667714 83.65.96.213:64840 peer info: IV_LZO=1
Thu Apr 13 16:23:36 2017 us=667724 83.65.96.213:64840 peer info: IV_COMP_STUB=1
Thu Apr 13 16:23:36 2017 us=667735 83.65.96.213:64840 peer info: IV_COMP_STUBv2=1
Thu Apr 13 16:23:36 2017 us=667745 83.65.96.213:64840 peer info: IV_TCPNL=1
Thu Apr 13 16:23:36 2017 us=667755 83.65.96.213:64840 peer info: IV_GUI_VER=OpenVPN_GUI_11
Thu Apr 13 16:23:36 2017 us=670651 83.65.96.213:64840 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Thu Apr 13 16:23:36 2017 us=670825 83.65.96.213:64840 TLS: Username/Password authentication succeeded for username 'michael.uray' [CN SET]
Thu Apr 13 16:23:36 2017 us=682898 83.65.96.213:64840 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Thu Apr 13 16:23:36 2017 us=683095 83.65.96.213:64840 [michael.uray] Peer Connection Initiated with [AF_INET]83.65.96.213:64840
Thu Apr 13 16:23:36 2017 us=683221 michael.uray/83.65.96.213:64840 MULTI_sva: pool returned IPv4=10.102.0.6, IPv6=(Not enabled)
Thu Apr 13 16:23:36 2017 us=686408 michael.uray/83.65.96.213:64840 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=0
Thu Apr 13 16:23:36 2017 us=686517 michael.uray/83.65.96.213:64840 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_c3993f4030269d9a89f09b1ac781f483.tmp
Thu Apr 13 16:23:37 2017 us=95964 michael.uray/83.65.96.213:64840 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_996cd716bcc53716ab14ff274e3ce75b.tmp
Thu Apr 13 16:23:37 2017 us=96176 michael.uray/83.65.96.213:64840 MULTI: Learn: 10.102.0.6 -> michael.uray/83.65.96.213:64840
Thu Apr 13 16:23:37 2017 us=96197 michael.uray/83.65.96.213:64840 MULTI: primary virtual IP for michael.uray/83.65.96.213:64840: 10.102.0.6
Thu Apr 13 16:23:37 2017 us=893821 michael.uray/83.65.96.213:64840 PUSH: Received control message: 'PUSH_REQUEST'
Thu Apr 13 16:23:37 2017 us=893913 michael.uray/83.65.96.213:64840 SENT CONTROL [michael.uray]: 'PUSH_REPLY,route 10.102.0.1,topology net30,ping 10,ping-restart 60,route 10.1.0.0 255.255.0.0,route 10.100.0.0 255.255.0.0,route 10.101.0.0 255.255.0.0,route 10.0.0.0 255.0.0.0,explicit-exit-notify 3,ifconfig 10.102.0.6 10.102.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Thu Apr 13 16:23:37 2017 us=893959 michael.uray/83.65.96.213:64840 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Thu Apr 13 16:23:37 2017 us=894123 michael.uray/83.65.96.213:64840 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Apr 13 16:23:37 2017 us=894144 michael.uray/83.65.96.213:64840 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Apr 13 16:23:38 2017 us=145143 michael.uray/83.65.96.213:64840 MULTI: bad source address from client [::], packet dropped
Thu Apr 13 16:23:58 2017 us=802111 MULTI: multi_create_instance called
Thu Apr 13 16:23:58 2017 us=802228 83.65.96.213:56845 Re-using SSL/TLS context
Thu Apr 13 16:23:58 2017 us=802246 83.65.96.213:56845 LZO compression initializing
Thu Apr 13 16:23:58 2017 us=802406 83.65.96.213:56845 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Thu Apr 13 16:23:58 2017 us=802423 83.65.96.213:56845 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Apr 13 16:23:58 2017 us=802468 83.65.96.213:56845 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Thu Apr 13 16:23:58 2017 us=802479 83.65.96.213:56845 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Thu Apr 13 16:23:58 2017 us=802520 83.65.96.213:56845 TLS: Initial packet from [AF_INET]83.65.96.213:56845, sid=08399884 713d91a3
Thu Apr 13 16:23:58 2017 us=900047 83.65.96.213:56845 VERIFY OK: depth=3, C=AT, ST=Styria, L=Lebring, O=CTB Automation GmbH, OU=Administration, CN=CTB Automation GmbH - CA, emailAddress=nix@nix.com
Thu Apr 13 16:23:58 2017 us=900282 83.65.96.213:56845 VERIFY OK: depth=2, C=AT, ST=Styria, L=Lebring, O=CTB Automation GmbH, OU=Administration, CN=CTB Automation GmbH - VPN CA, emailAddress=nix@nix.com
Thu Apr 13 16:23:58 2017 us=900468 83.65.96.213:56845 VERIFY OK: depth=1, C=AT, ST=Styria, L=Lebring, O=CTB Automation GmbH, OU=Administration, CN=CTB Automation GmbH - VPN1 VPN CA, emailAddress=nix@nix.com
Thu Apr 13 16:23:58 2017 us=900966 83.65.96.213:56845 VERIFY OK: depth=0, C=AT, ST=Styria, L=Lebring, O=CTB Automatisierungstechnik GmbH, OU=Network Administration, CN=CTB Automation GmbH VPN1 VPN Client, emailAddress=nix@nix.com
Thu Apr 13 16:23:58 2017 us=916514 83.65.96.213:56845 peer info: IV_VER=2.4.0
Thu Apr 13 16:23:58 2017 us=916734 83.65.96.213:56845 peer info: IV_PLAT=win
Thu Apr 13 16:23:58 2017 us=916847 83.65.96.213:56845 peer info: IV_PROTO=2
Thu Apr 13 16:23:58 2017 us=916931 83.65.96.213:56845 peer info: IV_NCP=2
Thu Apr 13 16:23:58 2017 us=917012 83.65.96.213:56845 peer info: IV_LZ4=1
Thu Apr 13 16:23:58 2017 us=917092 83.65.96.213:56845 peer info: IV_LZ4v2=1
Thu Apr 13 16:23:58 2017 us=917172 83.65.96.213:56845 peer info: IV_LZO=1
Thu Apr 13 16:23:58 2017 us=917253 83.65.96.213:56845 peer info: IV_COMP_STUB=1
Thu Apr 13 16:23:58 2017 us=917333 83.65.96.213:56845 peer info: IV_COMP_STUBv2=1
Thu Apr 13 16:23:58 2017 us=917419 83.65.96.213:56845 peer info: IV_TCPNL=1
Thu Apr 13 16:23:58 2017 us=917480 83.65.96.213:56845 peer info: IV_GUI_VER=OpenVPN_GUI_11
Thu Apr 13 16:23:58 2017 us=919955 83.65.96.213:56845 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Thu Apr 13 16:23:58 2017 us=920097 83.65.96.213:56845 TLS: Username/Password authentication succeeded for username 'michael.uray' [CN SET]
Thu Apr 13 16:23:58 2017 us=929664 83.65.96.213:56845 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Thu Apr 13 16:23:58 2017 us=930081 83.65.96.213:56845 [michael.uray] Peer Connection Initiated with [AF_INET]83.65.96.213:56845
Thu Apr 13 16:23:58 2017 us=930209 michael.uray/83.65.96.213:56845 MULTI_sva: pool returned IPv4=10.102.0.10, IPv6=(Not enabled)
Thu Apr 13 16:23:58 2017 us=933665 michael.uray/83.65.96.213:56845 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=0
Thu Apr 13 16:23:58 2017 us=933828 michael.uray/83.65.96.213:56845 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_895db1b8bf5c35781f2368f79012d2d0.tmp
Thu Apr 13 16:23:59 2017 us=320014 michael.uray/83.65.96.213:56845 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_ba677e37e807c1734e1a989f14680b25.tmp
Thu Apr 13 16:23:59 2017 us=320283 michael.uray/83.65.96.213:56845 MULTI: Learn: 10.102.0.10 -> michael.uray/83.65.96.213:56845
Thu Apr 13 16:23:59 2017 us=320304 michael.uray/83.65.96.213:56845 MULTI: primary virtual IP for michael.uray/83.65.96.213:56845: 10.102.0.10
Thu Apr 13 16:24:00 2017 us=133073 michael.uray/83.65.96.213:56845 PUSH: Received control message: 'PUSH_REQUEST'
Thu Apr 13 16:24:00 2017 us=133153 michael.uray/83.65.96.213:56845 SENT CONTROL [michael.uray]: 'PUSH_REPLY,route 10.102.0.1,topology net30,ping 10,ping-restart 60,route 10.1.0.0 255.255.0.0,route 10.100.0.0 255.255.0.0,route 10.101.0.0 255.255.0.0,route 10.0.0.0 255.0.0.0,explicit-exit-notify 3,ifconfig 10.102.0.10 10.102.0.9,peer-id 1,cipher AES-256-GCM' (status=1)
Thu Apr 13 16:24:00 2017 us=133186 michael.uray/83.65.96.213:56845 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Thu Apr 13 16:24:00 2017 us=133301 michael.uray/83.65.96.213:56845 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Apr 13 16:24:00 2017 us=133317 michael.uray/83.65.96.213:56845 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Apr 13 16:25:06 2017 us=58712 michael.uray/83.65.96.213:56845 PID_ERR replay-window backtrack occurred [1] [SSL-0] [0_01111111111111111111111111111111111111111111111111111111122222] 0:306 0:305 t=1492093506[0] r=[-3,64,15,1,1] sl=[14,64,64,272]
Thu Apr 13 16:25:06 2017 us=824656 michael.uray/83.65.96.213:56845 PID_ERR replay-window backtrack occurred [2] [SSL-0] [0__0000000000000000000000000000111111111111111111111111111111111] 0:334 0:332 t=1492093506[0] r=[-3,64,15,2,1] sl=[50,64,64,272]
Thu Apr 13 16:25:12 2017 us=568250 michael.uray/83.65.96.213:56845 PID_ERR replay-window backtrack occurred [3] [SSL-0] [0___00000000000000000000_000111111122222222222222222222222333333] 0:512 0:509 t=1492093512[0] r=[-4,64,15,3,1] sl=[0,64,64,272]
Thu Apr 13 16:28:14 2017 us=407250 michael.uray/83.65.96.213:56845 PID_ERR replay-window backtrack occurred [5] [SSL-0] [00____0000000000000000000000000000000000001111111122222233333344] 0:1470 0:1465 t=1492093694[0] r=[-1,64,15,5,1] sl=[2,64,64,272]
Thu Apr 13 16:28:27 2017 us=143259 michael.uray/83.65.96.213:56845 PID_ERR replay-window backtrack occurred [11] [SSL-0] [0______0____0001111111111122222222233333333334444444444444444445] 0:2072 0:2061 t=1492093707[0] r=[-4,64,15,11,1] sl=[40,64,64,272]
Thu Apr 13 16:28:27 2017 us=151544 michael.uray/83.65.96.213:56845 PID_ERR replay-window backtrack occurred [20] [SSL-0] [0______0______0______0000000011111111111222222222333333333344444] 0:2086 0:2066 t=1492093707[0] r=[-4,64,15,20,1] sl=[26,64,64,272]
Thu Apr 13 16:28:36 2017 us=621208 michael.uray/83.65.96.213:56845 PID_ERR replay-window backtrack occurred [22] [SSL-0] [0______0______0______0_00000000000000000000000000000000000000000] 0:2599 0:2577 t=1492093716[0] r=[-3,64,15,22,1] sl=[25,64,64,272]
Thu Apr 13 16:28:41 2017 us=427621 michael.uray/83.65.96.213:56845 PID_ERR replay-window backtrack occurred [23] [SSL-0] [0______0______0______0__0000000000011111111222222222233333333333] 0:2719 0:2696 t=1492093721[0] r=[-3,64,15,23,1] sl=[33,64,64,272]
Thu Apr 13 16:28:43 2017 us=586464 michael.uray/83.65.96.213:56845 PID_ERR replay-window backtrack occurred [24] [SSL-0] [0______0______0______0___000000000000000000001111111111111111111] 0:2846 0:2822 t=1492093723[0] r=[0,64,15,24,1] sl=[34,64,64,272]
Thu Apr 13 16:30:52 2017 us=455020 michael.uray/83.65.96.213:64840 SIGTERM[soft,remote-exit] received, client-instance exiting
Thu Apr 13 16:30:52 2017 us=457111 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_CLIENT_DISCONNECT status=0
Client 1
Windows 7, 64-bit
OpenVPN 2.4.0.0

Code: Select all

Thu Apr 13 16:23:35 2017 us=805005 Current Parameter Settings:
Thu Apr 13 16:23:35 2017 us=805005   config = 'CTB_Automation_GmbH_VPN1.ovpn'
Thu Apr 13 16:23:35 2017 us=805005   mode = 0
Thu Apr 13 16:23:35 2017 us=805005   show_ciphers = DISABLED
Thu Apr 13 16:23:35 2017 us=805005   show_digests = DISABLED
Thu Apr 13 16:23:35 2017 us=805005   show_engines = DISABLED
Thu Apr 13 16:23:35 2017 us=805005   genkey = DISABLED
Thu Apr 13 16:23:35 2017 us=805005   key_pass_file = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=805005   show_tls_ciphers = DISABLED
Thu Apr 13 16:23:35 2017 us=805005   connect_retry_max = 0
Thu Apr 13 16:23:35 2017 us=805005 Connection profiles [0]:
Thu Apr 13 16:23:35 2017 us=805005   proto = udp
Thu Apr 13 16:23:35 2017 us=805005   local = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=805005   local_port = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=805005   remote = 'at.vpn.ctb.co.at'
Thu Apr 13 16:23:35 2017 us=805005   remote_port = '1111'
Thu Apr 13 16:23:35 2017 us=805005   remote_float = ENABLED
Thu Apr 13 16:23:35 2017 us=805005   bind_defined = DISABLED
Thu Apr 13 16:23:35 2017 us=805005   bind_local = DISABLED
Thu Apr 13 16:23:35 2017 us=805005   bind_ipv6_only = DISABLED
Thu Apr 13 16:23:35 2017 us=805005   connect_retry_seconds = 5
Thu Apr 13 16:23:35 2017 us=805005   connect_timeout = 120
Thu Apr 13 16:23:35 2017 us=805005   socks_proxy_server = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=805005   socks_proxy_port = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=805005   tun_mtu = 1500
Thu Apr 13 16:23:35 2017 us=805005   tun_mtu_defined = ENABLED
Thu Apr 13 16:23:35 2017 us=805005   link_mtu = 1500
Thu Apr 13 16:23:35 2017 us=805005   link_mtu_defined = DISABLED
Thu Apr 13 16:23:35 2017 us=805005   tun_mtu_extra = 0
Thu Apr 13 16:23:35 2017 us=805005   tun_mtu_extra_defined = DISABLED
Thu Apr 13 16:23:35 2017 us=805005   mtu_discover_type = -1
Thu Apr 13 16:23:35 2017 us=805005   fragment = 0
Thu Apr 13 16:23:35 2017 us=805005   mssfix = 1450
Thu Apr 13 16:23:35 2017 us=805005   explicit_exit_notification = 3
Thu Apr 13 16:23:35 2017 us=805005 Connection profiles END
Thu Apr 13 16:23:35 2017 us=805005   remote_random = ENABLED
Thu Apr 13 16:23:35 2017 us=805005   ipchange = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=805005   dev = 'tun'
Thu Apr 13 16:23:35 2017 us=805005   dev_type = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=805005   dev_node = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=805005   lladdr = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=805005   topology = 1
Thu Apr 13 16:23:35 2017 us=805005   ifconfig_local = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=805005   ifconfig_remote_netmask = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=805005   ifconfig_noexec = DISABLED
Thu Apr 13 16:23:35 2017 us=805005   ifconfig_nowarn = DISABLED
Thu Apr 13 16:23:35 2017 us=806005   ifconfig_ipv6_local = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=806005   ifconfig_ipv6_netbits = 0
Thu Apr 13 16:23:35 2017 us=806005   ifconfig_ipv6_remote = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=806005   shaper = 0
Thu Apr 13 16:23:35 2017 us=806005   mtu_test = 0
Thu Apr 13 16:23:35 2017 us=806005   mlock = DISABLED
Thu Apr 13 16:23:35 2017 us=806005   keepalive_ping = 0
Thu Apr 13 16:23:35 2017 us=806005   keepalive_timeout = 0
Thu Apr 13 16:23:35 2017 us=806005   inactivity_timeout = 0
Thu Apr 13 16:23:35 2017 us=806005   ping_send_timeout = 0
Thu Apr 13 16:23:35 2017 us=806005   ping_rec_timeout = 0
Thu Apr 13 16:23:35 2017 us=806005   ping_rec_timeout_action = 0
Thu Apr 13 16:23:35 2017 us=806005   ping_timer_remote = DISABLED
Thu Apr 13 16:23:35 2017 us=806005   remap_sigusr1 = 0
Thu Apr 13 16:23:35 2017 us=806005   persist_tun = ENABLED
Thu Apr 13 16:23:35 2017 us=806005   persist_local_ip = DISABLED
Thu Apr 13 16:23:35 2017 us=806005   persist_remote_ip = DISABLED
Thu Apr 13 16:23:35 2017 us=806005   persist_key = ENABLED
Thu Apr 13 16:23:35 2017 us=806005   passtos = DISABLED
Thu Apr 13 16:23:35 2017 us=806005   resolve_retry_seconds = 1000000000
Thu Apr 13 16:23:35 2017 us=806005   resolve_in_advance = DISABLED
Thu Apr 13 16:23:35 2017 us=806005   username = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=806005   groupname = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=806005   chroot_dir = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=806005   cd_dir = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=806005   writepid = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=806005   up_script = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=806005   down_script = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=806005   down_pre = DISABLED
Thu Apr 13 16:23:35 2017 us=806005   up_restart = DISABLED
Thu Apr 13 16:23:35 2017 us=806005   up_delay = DISABLED
Thu Apr 13 16:23:35 2017 us=806005   daemon = DISABLED
Thu Apr 13 16:23:35 2017 us=806005   inetd = 0
Thu Apr 13 16:23:35 2017 us=806005   log = ENABLED
Thu Apr 13 16:23:35 2017 us=806005   suppress_timestamps = DISABLED
Thu Apr 13 16:23:35 2017 us=806005   machine_readable_output = DISABLED
Thu Apr 13 16:23:35 2017 us=806005   nice = 0
Thu Apr 13 16:23:35 2017 us=806005   verbosity = 4
Thu Apr 13 16:23:35 2017 us=806005   mute = 0
Thu Apr 13 16:23:35 2017 us=806005   gremlin = 0
Thu Apr 13 16:23:35 2017 us=806005   status_file = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=806005   status_file_version = 1
Thu Apr 13 16:23:35 2017 us=806005   status_file_update_freq = 60
Thu Apr 13 16:23:35 2017 us=806005   occ = ENABLED
Thu Apr 13 16:23:35 2017 us=806005   rcvbuf = 0
Thu Apr 13 16:23:35 2017 us=806005   sndbuf = 0
Thu Apr 13 16:23:35 2017 us=806005   sockflags = 0
Thu Apr 13 16:23:35 2017 us=806005   fast_io = DISABLED
Thu Apr 13 16:23:35 2017 us=806005   comp.alg = 2
Thu Apr 13 16:23:35 2017 us=806005   comp.flags = 1
Thu Apr 13 16:23:35 2017 us=806005   route_script = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=806005   route_default_gateway = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=806005   route_default_metric = 512
Thu Apr 13 16:23:35 2017 us=806005   route_noexec = DISABLED
Thu Apr 13 16:23:35 2017 us=806005   route_delay = 5
Thu Apr 13 16:23:35 2017 us=806005   route_delay_window = 30
Thu Apr 13 16:23:35 2017 us=806005   route_delay_defined = ENABLED
Thu Apr 13 16:23:35 2017 us=806005   route_nopull = DISABLED
Thu Apr 13 16:23:35 2017 us=806005   route_gateway_via_dhcp = DISABLED
Thu Apr 13 16:23:35 2017 us=806005   allow_pull_fqdn = DISABLED
Thu Apr 13 16:23:35 2017 us=806005   route 0.0.0.0/0.0.0.0/default (not set)/default (not set)
Thu Apr 13 16:23:35 2017 us=806005   management_addr = '127.0.0.1'
Thu Apr 13 16:23:35 2017 us=806005   management_port = '25344'
Thu Apr 13 16:23:35 2017 us=806005   management_user_pass = 'stdin'
Thu Apr 13 16:23:35 2017 us=806005   management_log_history_cache = 250
Thu Apr 13 16:23:35 2017 us=806005   management_echo_buffer_size = 100
Thu Apr 13 16:23:35 2017 us=806005   management_write_peer_info_file = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=806005   management_client_user = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=806005   management_client_group = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=806005   management_flags = 6
Thu Apr 13 16:23:35 2017 us=806005   shared_secret_file = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=806005   key_direction = 2
Thu Apr 13 16:23:35 2017 us=806005   ciphername = 'BF-CBC'
Thu Apr 13 16:23:35 2017 us=806005   ncp_enabled = ENABLED
Thu Apr 13 16:23:35 2017 us=806005   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Thu Apr 13 16:23:35 2017 us=806005   authname = 'SHA1'
Thu Apr 13 16:23:35 2017 us=806005   prng_hash = 'SHA1'
Thu Apr 13 16:23:35 2017 us=806005   prng_nonce_secret_len = 16
Thu Apr 13 16:23:35 2017 us=806005   keysize = 0
Thu Apr 13 16:23:35 2017 us=806005   engine = DISABLED
Thu Apr 13 16:23:35 2017 us=806005   replay = ENABLED
Thu Apr 13 16:23:35 2017 us=806005   mute_replay_warnings = DISABLED
Thu Apr 13 16:23:35 2017 us=806005   replay_window = 64
Thu Apr 13 16:23:35 2017 us=806005   replay_time = 15
Thu Apr 13 16:23:35 2017 us=806005   packet_id_file = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=807005   use_iv = ENABLED
Thu Apr 13 16:23:35 2017 us=807005   test_crypto = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   tls_server = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   tls_client = ENABLED
Thu Apr 13 16:23:35 2017 us=807005   key_method = 2
Thu Apr 13 16:23:35 2017 us=807005   ca_file = 'CTB_Automation_GmbH_-_CA.crt'
Thu Apr 13 16:23:35 2017 us=807005   ca_path = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=807005   dh_file = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=807005   cert_file = 'CTB_Automation_GmbH_VPN1_VPN_Client.crt'
Thu Apr 13 16:23:35 2017 us=807005   extra_certs_file = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=807005   priv_key_file = 'CTB_Automation_GmbH_VPN1_VPN_Client.key'
Thu Apr 13 16:23:35 2017 us=807005   pkcs12_file = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=807005   cryptoapi_cert = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=807005   cipher_list = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=807005   tls_verify = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=807005   tls_export_cert = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=807005   verify_x509_type = 0
Thu Apr 13 16:23:35 2017 us=807005   verify_x509_name = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=807005   crl_file = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=807005   ns_cert_type = 1
Thu Apr 13 16:23:35 2017 us=807005   remote_cert_ku[i] = 0
Thu Apr 13 16:23:35 2017 us=807005   remote_cert_ku[i] = 0
Thu Apr 13 16:23:35 2017 us=807005   remote_cert_ku[i] = 0
Thu Apr 13 16:23:35 2017 us=807005   remote_cert_ku[i] = 0
Thu Apr 13 16:23:35 2017 us=807005   remote_cert_ku[i] = 0
Thu Apr 13 16:23:35 2017 us=807005   remote_cert_ku[i] = 0
Thu Apr 13 16:23:35 2017 us=807005   remote_cert_ku[i] = 0
Thu Apr 13 16:23:35 2017 us=807005   remote_cert_ku[i] = 0
Thu Apr 13 16:23:35 2017 us=807005   remote_cert_ku[i] = 0
Thu Apr 13 16:23:35 2017 us=807005   remote_cert_ku[i] = 0
Thu Apr 13 16:23:35 2017 us=807005   remote_cert_ku[i] = 0
Thu Apr 13 16:23:35 2017 us=807005   remote_cert_ku[i] = 0
Thu Apr 13 16:23:35 2017 us=807005   remote_cert_ku[i] = 0
Thu Apr 13 16:23:35 2017 us=807005   remote_cert_ku[i] = 0
Thu Apr 13 16:23:35 2017 us=807005   remote_cert_ku[i] = 0
Thu Apr 13 16:23:35 2017 us=807005   remote_cert_ku[i] = 0
Thu Apr 13 16:23:35 2017 us=807005   remote_cert_eku = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=807005   ssl_flags = 0
Thu Apr 13 16:23:35 2017 us=807005   tls_timeout = 2
Thu Apr 13 16:23:35 2017 us=807005   renegotiate_bytes = -1
Thu Apr 13 16:23:35 2017 us=807005   renegotiate_packets = 0
Thu Apr 13 16:23:35 2017 us=807005   renegotiate_seconds = 3600
Thu Apr 13 16:23:35 2017 us=807005   handshake_window = 60
Thu Apr 13 16:23:35 2017 us=807005   transition_window = 3600
Thu Apr 13 16:23:35 2017 us=807005   single_session = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   push_peer_info = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   tls_exit = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   tls_auth_file = 'CTB_Automation_GmbH_VPN1_VPN_ta.key'
Thu Apr 13 16:23:35 2017 us=807005   tls_crypt_file = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_protected_authentication = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_protected_authentication = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_protected_authentication = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_protected_authentication = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_protected_authentication = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_protected_authentication = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_protected_authentication = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_protected_authentication = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_protected_authentication = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_protected_authentication = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_protected_authentication = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_protected_authentication = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_protected_authentication = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_protected_authentication = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_protected_authentication = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_protected_authentication = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_private_mode = 00000000
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_private_mode = 00000000
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_private_mode = 00000000
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_private_mode = 00000000
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_private_mode = 00000000
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_private_mode = 00000000
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_private_mode = 00000000
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_private_mode = 00000000
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_private_mode = 00000000
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_private_mode = 00000000
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_private_mode = 00000000
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_private_mode = 00000000
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_private_mode = 00000000
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_private_mode = 00000000
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_private_mode = 00000000
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_private_mode = 00000000
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_cert_private = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_cert_private = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_cert_private = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_cert_private = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_cert_private = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_cert_private = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_cert_private = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_cert_private = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_cert_private = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_cert_private = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_cert_private = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_cert_private = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_cert_private = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_cert_private = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_cert_private = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_cert_private = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_pin_cache_period = -1
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_id = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=807005   pkcs11_id_management = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   server_network = 0.0.0.0
Thu Apr 13 16:23:35 2017 us=807005   server_netmask = 0.0.0.0
Thu Apr 13 16:23:35 2017 us=807005   server_network_ipv6 = ::
Thu Apr 13 16:23:35 2017 us=807005   server_netbits_ipv6 = 0
Thu Apr 13 16:23:35 2017 us=807005   server_bridge_ip = 0.0.0.0
Thu Apr 13 16:23:35 2017 us=807005   server_bridge_netmask = 0.0.0.0
Thu Apr 13 16:23:35 2017 us=807005   server_bridge_pool_start = 0.0.0.0
Thu Apr 13 16:23:35 2017 us=807005   server_bridge_pool_end = 0.0.0.0
Thu Apr 13 16:23:35 2017 us=807005   ifconfig_pool_defined = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   ifconfig_pool_start = 0.0.0.0
Thu Apr 13 16:23:35 2017 us=807005   ifconfig_pool_end = 0.0.0.0
Thu Apr 13 16:23:35 2017 us=807005   ifconfig_pool_netmask = 0.0.0.0
Thu Apr 13 16:23:35 2017 us=807005   ifconfig_pool_persist_filename = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=807005   ifconfig_pool_persist_refresh_freq = 600
Thu Apr 13 16:23:35 2017 us=807005   ifconfig_ipv6_pool_defined = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   ifconfig_ipv6_pool_base = ::
Thu Apr 13 16:23:35 2017 us=807005   ifconfig_ipv6_pool_netbits = 0
Thu Apr 13 16:23:35 2017 us=807005   n_bcast_buf = 256
Thu Apr 13 16:23:35 2017 us=807005   tcp_queue_limit = 64
Thu Apr 13 16:23:35 2017 us=807005   real_hash_size = 256
Thu Apr 13 16:23:35 2017 us=807005   virtual_hash_size = 256
Thu Apr 13 16:23:35 2017 us=807005   client_connect_script = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=807005   learn_address_script = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=807005   client_disconnect_script = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=807005   client_config_dir = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=807005   ccd_exclusive = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   tmp_dir = 'C:\Users\MICHAE~1.URA\AppData\Local\Temp\'
Thu Apr 13 16:23:35 2017 us=807005   push_ifconfig_defined = DISABLED
Thu Apr 13 16:23:35 2017 us=807005   push_ifconfig_local = 0.0.0.0
Thu Apr 13 16:23:35 2017 us=808005   push_ifconfig_remote_netmask = 0.0.0.0
Thu Apr 13 16:23:35 2017 us=808005   push_ifconfig_ipv6_defined = DISABLED
Thu Apr 13 16:23:35 2017 us=808005   push_ifconfig_ipv6_local = ::/0
Thu Apr 13 16:23:35 2017 us=808005   push_ifconfig_ipv6_remote = ::
Thu Apr 13 16:23:35 2017 us=808005   enable_c2c = DISABLED
Thu Apr 13 16:23:35 2017 us=808005   duplicate_cn = DISABLED
Thu Apr 13 16:23:35 2017 us=808005   cf_max = 0
Thu Apr 13 16:23:35 2017 us=808005   cf_per = 0
Thu Apr 13 16:23:35 2017 us=808005   max_clients = 1024
Thu Apr 13 16:23:35 2017 us=808005   max_routes_per_client = 256
Thu Apr 13 16:23:35 2017 us=808005   auth_user_pass_verify_script = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=808005   auth_user_pass_verify_script_via_file = DISABLED
Thu Apr 13 16:23:35 2017 us=808005   auth_token_generate = DISABLED
Thu Apr 13 16:23:35 2017 us=808005   auth_token_lifetime = 0
Thu Apr 13 16:23:35 2017 us=808005   client = ENABLED
Thu Apr 13 16:23:35 2017 us=808005   pull = ENABLED
Thu Apr 13 16:23:35 2017 us=808005   auth_user_pass_file = 'CTB_Automation_GmbH_VPN1_VPN_Auth.txt'
Thu Apr 13 16:23:35 2017 us=808005   show_net_up = DISABLED
Thu Apr 13 16:23:35 2017 us=808005   route_method = 3
Thu Apr 13 16:23:35 2017 us=808005   block_outside_dns = DISABLED
Thu Apr 13 16:23:35 2017 us=808005   ip_win32_defined = DISABLED
Thu Apr 13 16:23:35 2017 us=808005   ip_win32_type = 3
Thu Apr 13 16:23:35 2017 us=808005   dhcp_masq_offset = 0
Thu Apr 13 16:23:35 2017 us=808005   dhcp_lease_time = 31536000
Thu Apr 13 16:23:35 2017 us=808005   tap_sleep = 0
Thu Apr 13 16:23:35 2017 us=808005   dhcp_options = DISABLED
Thu Apr 13 16:23:35 2017 us=808005   dhcp_renew = DISABLED
Thu Apr 13 16:23:35 2017 us=808005   dhcp_pre_release = DISABLED
Thu Apr 13 16:23:35 2017 us=808005   dhcp_release = DISABLED
Thu Apr 13 16:23:35 2017 us=808005   domain = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=808005   netbios_scope = '[UNDEF]'
Thu Apr 13 16:23:35 2017 us=808005   netbios_node_type = 0
Thu Apr 13 16:23:35 2017 us=808005   disable_nbt = DISABLED
Thu Apr 13 16:23:35 2017 us=808005 OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 27 2016
Thu Apr 13 16:23:35 2017 us=808005 Windows version 6.1 (Windows 7) 64bit
Thu Apr 13 16:23:35 2017 us=808005 library versions: OpenSSL 1.0.2i  22 Sep 2016, LZO 2.09
Enter Management Password:
Thu Apr 13 16:23:35 2017 us=809005 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25344
Thu Apr 13 16:23:35 2017 us=809005 Need hold release from management interface, waiting...
Thu Apr 13 16:23:36 2017 us=295956 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25344
Thu Apr 13 16:23:36 2017 us=395946 MANAGEMENT: CMD 'state on'
Thu Apr 13 16:23:36 2017 us=395946 MANAGEMENT: CMD 'log all on'
Thu Apr 13 16:23:36 2017 us=439941 MANAGEMENT: CMD 'hold off'
Thu Apr 13 16:23:36 2017 us=440941 MANAGEMENT: CMD 'hold release'
Thu Apr 13 16:23:36 2017 us=570928 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 13 16:23:36 2017 us=570928 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 13 16:23:36 2017 us=570928 LZO compression initializing
Thu Apr 13 16:23:36 2017 us=570928 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Thu Apr 13 16:23:36 2017 us=570928 MANAGEMENT: >STATE:1492093416,RESOLVE,,,,,,
Thu Apr 13 16:23:36 2017 us=576928 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Apr 13 16:23:36 2017 us=576928 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Thu Apr 13 16:23:36 2017 us=576928 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Thu Apr 13 16:23:36 2017 us=576928 TCP/UDP: Preserving recently used remote address: [AF_INET]151.236.8.117:1111
Thu Apr 13 16:23:36 2017 us=576928 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Apr 13 16:23:36 2017 us=576928 UDP link local: (not bound)
Thu Apr 13 16:23:36 2017 us=576928 UDP link remote: [AF_INET]151.236.8.117:1111
Thu Apr 13 16:23:36 2017 us=576928 MANAGEMENT: >STATE:1492093416,WAIT,,,,,,
Thu Apr 13 16:23:36 2017 us=591926 MANAGEMENT: >STATE:1492093416,AUTH,,,,,,
Thu Apr 13 16:23:36 2017 us=591926 TLS: Initial packet from [AF_INET]151.236.8.117:1111, sid=50e592ca ff4c5224
Thu Apr 13 16:23:36 2017 us=591926 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Apr 13 16:23:36 2017 us=618924 VERIFY OK: depth=3, C=AT, ST=Styria, L=Lebring, O=CTB Automation GmbH, OU=Administration, CN=CTB Automation GmbH - CA, emailAddress=nix@nix.com
Thu Apr 13 16:23:36 2017 us=618924 VERIFY OK: depth=2, C=AT, ST=Styria, L=Lebring, O=CTB Automation GmbH, OU=Administration, CN=CTB Automation GmbH - VPN CA, emailAddress=nix@nix.com
Thu Apr 13 16:23:36 2017 us=618924 VERIFY OK: depth=1, C=AT, ST=Styria, L=Lebring, O=CTB Automation GmbH, OU=Administration, CN=CTB Automation GmbH - VPN1 VPN CA, emailAddress=nix@nix.com
Thu Apr 13 16:23:36 2017 us=618924 VERIFY OK: nsCertType=SERVER
Thu Apr 13 16:23:36 2017 us=618924 VERIFY OK: depth=0, C=AT, ST=Styria, L=Lebring, O=CTB Automation GmbH, OU=Administration, CN=CTB Automation GmbH VPN1 VPN Server, emailAddress=nix@nix.com
Thu Apr 13 16:23:36 2017 us=668919 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Thu Apr 13 16:23:36 2017 us=668919 [CTB Automation GmbH VPN1 VPN Server] Peer Connection Initiated with [AF_INET]151.236.8.117:1111
Thu Apr 13 16:23:37 2017 us=878798 MANAGEMENT: >STATE:1492093417,GET_CONFIG,,,,,,
Thu Apr 13 16:23:37 2017 us=878798 SENT CONTROL [CTB Automation GmbH VPN1 VPN Server]: 'PUSH_REQUEST' (status=1)
Thu Apr 13 16:23:37 2017 us=888797 PUSH: Received control message: 'PUSH_REPLY,route 10.102.0.1,topology net30,ping 10,ping-restart 60,route 10.1.0.0 255.255.0.0,route 10.100.0.0 255.255.0.0,route 10.101.0.0 255.255.0.0,route 10.0.0.0 255.0.0.0,explicit-exit-notify 3,ifconfig 10.102.0.6 10.102.0.5,peer-id 0,cipher AES-256-GCM'
Thu Apr 13 16:23:37 2017 us=888797 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:9 is ignored by previous <connection> blocks 
Thu Apr 13 16:23:37 2017 us=888797 OPTIONS IMPORT: timers and/or timeouts modified
Thu Apr 13 16:23:37 2017 us=888797 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Apr 13 16:23:37 2017 us=888797 OPTIONS IMPORT: --ifconfig/up options modified
Thu Apr 13 16:23:37 2017 us=888797 OPTIONS IMPORT: route options modified
Thu Apr 13 16:23:37 2017 us=888797 OPTIONS IMPORT: peer-id set
Thu Apr 13 16:23:37 2017 us=888797 OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Apr 13 16:23:37 2017 us=888797 OPTIONS IMPORT: data channel crypto options modified
Thu Apr 13 16:23:37 2017 us=888797 Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
Thu Apr 13 16:23:37 2017 us=888797 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Apr 13 16:23:37 2017 us=888797 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Apr 13 16:23:37 2017 us=888797 interactive service msg_channel=412
Thu Apr 13 16:23:37 2017 us=890796 ROUTE_GATEWAY 192.168.0.254/255.255.252.0 I=11 HWADDR=9c:b6:54:f7:71:3d
Thu Apr 13 16:23:37 2017 us=890796 open_tun
Thu Apr 13 16:23:37 2017 us=891796 TAP-WIN32 device [OpenVPN 1] opened: \\.\Global\{6E451786-AC15-4FEE-9ED3-B1836B3AEA50}.tap
Thu Apr 13 16:23:37 2017 us=891796 TAP-Windows Driver Version 9.21 
Thu Apr 13 16:23:37 2017 us=891796 TAP-Windows MTU=1500
Thu Apr 13 16:23:37 2017 us=891796 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.102.0.6/255.255.255.252 on interface {6E451786-AC15-4FEE-9ED3-B1836B3AEA50} [DHCP-serv: 10.102.0.5, lease-time: 31536000]
Thu Apr 13 16:23:37 2017 us=892796 Successful ARP Flush on interface [12] {6E451786-AC15-4FEE-9ED3-B1836B3AEA50}
Thu Apr 13 16:23:37 2017 us=896796 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Apr 13 16:23:37 2017 us=896796 MANAGEMENT: >STATE:1492093417,ASSIGN_IP,,10.102.0.6,,,,
Thu Apr 13 16:23:42 2017 us=131912 TEST ROUTES: 6/6 succeeded len=6 ret=1 a=0 u/d=up
Thu Apr 13 16:23:42 2017 us=131912 MANAGEMENT: >STATE:1492093422,ADD_ROUTES,,,,,,
Thu Apr 13 16:23:42 2017 us=131912 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 10.102.0.5 METRIC 512
Thu Apr 13 16:23:42 2017 us=132912 Route addition via service succeeded
Thu Apr 13 16:23:42 2017 us=132912 C:\Windows\system32\route.exe ADD 10.102.0.1 MASK 255.255.255.255 10.102.0.5 METRIC 512
Thu Apr 13 16:23:42 2017 us=133912 Route addition via service succeeded
Thu Apr 13 16:23:42 2017 us=133912 C:\Windows\system32\route.exe ADD 10.1.0.0 MASK 255.255.0.0 10.102.0.5 METRIC 512
Thu Apr 13 16:23:42 2017 us=135912 Route addition via service succeeded
Thu Apr 13 16:23:42 2017 us=135912 C:\Windows\system32\route.exe ADD 10.100.0.0 MASK 255.255.0.0 10.102.0.5 METRIC 512
Thu Apr 13 16:23:42 2017 us=136913 Route addition via service succeeded
Thu Apr 13 16:23:42 2017 us=136913 C:\Windows\system32\route.exe ADD 10.101.0.0 MASK 255.255.0.0 10.102.0.5 METRIC 512
Thu Apr 13 16:23:42 2017 us=137913 Route addition via service succeeded
Thu Apr 13 16:23:42 2017 us=137913 C:\Windows\system32\route.exe ADD 10.0.0.0 MASK 255.0.0.0 10.102.0.5 METRIC 512
Thu Apr 13 16:23:42 2017 us=138913 Route addition via service succeeded
Thu Apr 13 16:23:42 2017 us=138913 Initialization Sequence Completed
Thu Apr 13 16:23:42 2017 us=138913 MANAGEMENT: >STATE:1492093422,CONNECTED,SUCCESS,10.102.0.6,151.236.8.117,1111,,
Thu Apr 13 16:28:37 2017 us=335429 PID_ERR replay-window backtrack occurred [2] [SSL-0] [00_0000000000000111111111111111111111111111111111111111111111111] 0:2823 0:2821 t=1492093717[0] r=[-4,64,15,2,1] sl=[57,64,64,528]
Thu Apr 13 16:28:45 2017 us=356231 PID_ERR replay-window backtrack occurred [3] [SSL-0] [000_000000000000000000000000000000000111111111111111111111111111] 0:3157 0:3154 t=1492093725[0] r=[-2,64,15,3,1] sl=[43,64,64,528]
Thu Apr 13 16:30:52 2017 us=450940 SIGTERM received, sending exit notification to peer
Client 2
Windows 7, 64-bit
OpenVPN 2.4.0.0

Code: Select all

max. size of this post exceeded, nothing was shown after the connection process.
Two ping tests from client1 to client2, both connected to (via) the server.
One with 30 byte packets and another one with 1600 bytes.
Both ping tests where working without problems.

Then I opened up an UltraVNC connection from client1 to client2 and at the same moment the 1600 byte ping stopped working for about one minute.
The 30 byte ping nor the UltraVNC connection was affected by this problem, just the 1600 byte ping, what means to me that there is suddenly a problem with the fragmentation.

The "replay-window backtrack occurred" message occurred exactly when the ping with 1600 bytes stopped working.
This time I had also a 1600 bytes ping running from the server to client2, which also stopped at the same time for about 1 minute.
There on the server was the following message shown once from the ping command: "From 10.102.0.10 icmp_seq=29 Frag reassembly time exceeded"

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 3006
Joined: Fri Jun 03, 2016 1:17 pm

Re: Large packets stop working when transferring big data

Post by TinCanTech » Thu Apr 13, 2017 3:48 pm

michael.uray wrote:There are about 100 clients connected to this server so its unfortunately not possible to change that easily
I suggest you schedule some down time in order to investigate your problem client.

MTU problems are network problems not openvpn problems. It is possible to customise openvpn to work around these issues but the problem is still present in the underlying network and that is the area to focus on (That is assuming you do in fact have an MTU problem, it could just be that your server is over worked or some other device is dodgy, like a router or even a cable connection).
michael.uray wrote:The only thing what I added regarding the MTU problem was the option "mssfix". Before that a ping with a length of 1600 was not possible at all
What you actually added makes absolutely no difference because --mssfix default value is 1450 and you have not specified any value in your configs.

You could use --mtu-test and see the results.

michael.uray
OpenVPN User
Posts: 16
Joined: Wed Jan 11, 2017 3:06 pm

Re: Large packets stop working when transferring big data

Post by michael.uray » Thu Apr 13, 2017 4:32 pm

TinCanTech wrote:
michael.uray wrote:There are about 100 clients connected to this server so its unfortunately not possible to change that easily
I suggest you schedule some down time in order to investigate your problem client.

MTU problems are network problems not openvpn problems. It is possible to customise openvpn to work around these issues but the problem is still present in the underlying network and that is the area to focus on (That is assuming you do in fact have an MTU problem, it could just be that your server is over worked or some other device is dodgy, like a router or even a cable connection).
michael.uray wrote:The only thing what I added regarding the MTU problem was the option "mssfix". Before that a ping with a length of 1600 was not possible at all
What you actually added makes absolutely no difference because --mssfix default value is 1450 and you have not specified any value in your configs.

You could use --mtu-test and see the results.
For my last test I did start an additional server process with a separate config and log file on the same server. So no other clients had influence to it.
I did run the two clients on our company network so both are connected via the same Internet line to the server.
A ping to our server via the Internet over this line is possible up to 1472 bytes. Higher packets get not fragmented, it just stops working.
This means to me that larger packages through must get fragmented somewhere in or before the tunnel and I think there must be somewhere the problem when it stop working.

On this last test the mssfix option was not set, but larger pings where still possible.
Maybe mssfix has an effect when the MTU size on the Internet connection is below a certain level what may have been on my test before?

I did test it in the meanwhile the tunnel also with TCP and the problem does not occur there, means it is related to UDP.

Post Reply