Lost connection after login

[vicn1222]

Hi

My OpenVPN version is 2.4.11 under CentOS 8.

I am having trouble to finger out the error.

I myself can login and use the server without any error. I don't lose my connection.

However, my oversea brother can login, but after just a few while, his connection is lost with error. He didn't have this problem before.

I restart the OpenVPN, reboot the server. It doesn't fix the error. My brother also uninstall OpenVPN Connect from his iPhone and reinstall it, re-import client.ovpn. The error continues.

Because it is iPhone, update-resolv.sh probably never runs because it only allows importing client.ovpn, even though it is in the client.ovpn.

It used to work nicely for both of us.

Please help.

Many thanks.

Below is my server.conf

View OriginalServer Config

## GENERAL ##

# TCP or UDP, port 1194, tunneling
mode server
proto udp
port 1194
dev tun

## KEY, CERTS AND NETWORK CONFIGURATION ##
# Identity
ca ca.crt
# Public key
cert server.crt
# Private key
key server.key
# Symmetric encryption
dh dh.pem
# Improve security (DDOS, port flooding...)
# 0 for the server, 1 for the client
tls-auth ta.key 0
# Encryption protocol
cipher AES-256-CBC

# Network
# Subnetwork, the server will be the 10.8.0.1 and clients will take the other ips
server 10.8.0.0 255.255.255.0

# Redirect all IP network traffic originating on client machines to pass through the OpenVPN server
push "redirect-gateway def1"

# Alternatives DNS (FDN)
push "dhcp-option DNS 80.67.169.12"
push "dhcp-option DNS 80.67.169.40"

# (OpenDNS)
# push "dhcp-option DNS 208.67.222.222"
# push "dhcp-option DNS 208.67.220.220"

# (Google)
# push "dhcp-option DNS 8.8.8.8"
# push "dhcp-option DNS 8.8.4.4"

# Ping every 10 seconds and if after 120 seconds the client doesn't respond we disconnect
keepalive 10 120
# Regenerate key each 5 hours (disconnect the client)
reneg-sec 18000

## SECURITY ##

# Downgrade privileges of the daemon
user nobody
group nobody

# Persist keys (because we are nobody, so we couldn't read them again)
persist-key
# Don't close and re open TUN/TAP device
persist-tun
# Enable compression
comp-lzo

## LOG ##

# Verbosity
# 3/4 for a normal utilisation
verb 3
# Max 20 messages of the same category
mute 20
# Log gile where we put the clients status
status openvpn-status.log
# Log file
log-append /var/log/openvpn.log
# Configuration directory of the clients
client-config-dir ccd

## PASS ##

# Allow running external scripts with password in ENV variables
script-security 3

# Use the authenticated username as the common name, rather than the common name from the client cert
username-as-common-name
# Client certificate is not required
verify-client-cert none
# Use the connection script when a user wants to login
# auth-user-pass-verify scripts/login.sh via-env
auth-user-pass-verify "/usr/bin/php /home/www/domains/l3vpn3/openvpn/scripts/login.php" via-env
# Maximum of clients
max-clients 50
# Run this scripts when the client connects/disconnects
# client-connect scripts/connect.sh
# client-disconnect scripts/disconnect.sh

client-connect "/usr/bin/php /home/www/domains/l3vpn3/openvpn/scripts/connect.php"
client-disconnect "/usr/bin/php /home/www/domains/l3vpn3/openvpn/scripts/disconnect.php"

# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1

Below is my client.ovpn

View OriginalClient Config

client
dev tun
proto udp
remote xxx.xxx.xxx.xx 1194
resolv-retry infinite
cipher AES-256-CBC
redirect-gateway

# Keys
# Identity
key-direction 1
remote-cert-tls server
auth-user-pass
auth-nocache

# Security
nobind
persist-key
persist-tun
comp-lzo
verb 3

# DNS
script-security 2
up ./update-resolv.sh
down ./update-resolv.sh

# Proxy ?
# http-proxy cache.univ.fr 3128
<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</ca>

<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END OpenVPN Static key V1-----
</tls-auth>

Below is the log output

Code: Select all

59.61.122.206:52784 TLS: Username/Password authentication succeeded for username 'roger' [CN SET]
59.61.122.206:52784 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
59.61.122.206:52784 [roger] Peer Connection Initiated with [AF_INET]59.61.122.206:52784
roger/59.61.122.206:52784 MULTI_sva: pool returned IPv4=10.8.0.10, IPv6=(Not enabled)
roger/59.61.122.206:52784 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_cae5c04d9f0bf82ff76e72233ec44a.tmp
roger/59.61.122.206:52784 MULTI: Learn: 10.8.0.10 -> roger/59.61.122.206:52784
roger/59.61.122.206:52784 MULTI: primary virtual IP for roger/59.61.122.206:52784: 10.8.0.10
roger/59.61.122.206:52784 PUSH: Received control message: 'PUSH_REQUEST'
roger/59.61.122.206:52784 SENT CONTROL [roger]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 80.67.169.12,dhcp-option DNS 80.67.169.40,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9,peer-id 3,cipher AES-256-GCM' (status=1)
roger/59.61.122.206:52784 Data Channel: using negotiated cipher 'AES-256-GCM'
roger/59.61.122.206:52784 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
roger/59.61.122.206:52784 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
roger/59.61.122.206:52784 SIGTERM[soft,remote-exit] received, client-instance exiting
59.61.122.206:56200 TLS: Initial packet from [AF_INET]59.61.122.206:56200, sid=02a86c5e 17e80491
59.61.122.206:56200 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1626149586) Mon Jul 12 23:13:06 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
59.61.122.206:56200 TLS Error: incoming packet authentication failed from [AF_INET]59.61.122.206:56200
59.61.122.206:56200 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1626149586) Mon Jul 12 23:13:06 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
59.61.122.206:56200 TLS Error: incoming packet authentication failed from [AF_INET]59.61.122.206:56200
59.61.122.206:56200 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1626149586) Mon Jul 12 23:13:06 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
59.61.122.206:56200 TLS Error: incoming packet authentication failed from [AF_INET]59.61.122.206:56200
59.61.122.206:56200 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1626149586) Mon Jul 12 23:13:06 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
59.61.122.206:56200 TLS Error: incoming packet authentication failed from [AF_INET]59.61.122.206:56200
59.61.122.206:56200 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1626149586) Mon Jul 12 23:13:06 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
59.61.122.206:56200 TLS Error: incoming packet authentication failed from [AF_INET]59.61.122.206:56200
59.61.122.206:56200 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1626149586) Mon Jul 12 23:13:06 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
59.61.122.206:56200 TLS Error: incoming packet authentication failed from [AF_INET]59.61.122.206:56200
59.61.122.206:49501 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
59.61.122.206:49501 TLS Error: TLS handshake failed

[TinCanTech]

How did you setup your VPN Server ?

Did you use a script (Like this: https://github.com/angristan/openvpn-install) or did you set it up yourself ?

[vicn1222]

How did you setup your VPN Server ?

Did you use a script (Like this: https://github.com/angristan/openvpn-install) or did you set it up yourself ?

I set up using https://github.com/Chocobozzz/OpenVPN-Admin

It has been working.

I noticed script-security is different between client and server config (2 & 3).

But I just can't understand why I have no problem, my brother keeps losing his connection...

I notice his session crashes before losing connection

Code: Select all

roger/59.61.122.206:52784 SIGTERM[soft,remote-exit] received, client-instance exiting

[TinCanTech]

I noticed script-security is different between client and server config (2 & 3).

That is correct, leave it as it is.

You could try adding this to your server config:

Code: Select all

push "explicit-exit-notify 2"

Or maybe change from --tls-auth to --tls-crypt ..

There are no time-stamps in your server log, so how long can your brother connect for ?

Is it minutes or only seconds ?

[vicn1222]

I noticed script-security is different between client and server config (2 & 3).

That is correct, leave it as it is.

You could try adding this to your server config:

Code: Select all

push "explicit-exit-notify 2"

Or maybe change from --tls-auth to --tls-crypt ..

There are no time-stamps in your server log, so how long can your brother connect for ?

Is it minutes or only seconds ?

I will do those changes as suggested and will report back how it goes.

Thank you!

[vicn1222]

Same error. I can connect. He can't. Can it be DNS problem?

Below is log when he attempts to connect

Code: Select all

Tue Jul 13 20:10:29 2021 59.61.122.194:61254 TLS: Initial packet from [AF_INET]59.61.122.194:61254, sid=869d4e34 fc6deb11
Tue Jul 13 20:10:30 2021 59.61.122.194:61254 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1626225029) Tue Jul 13 20:10:29 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Jul 13 20:10:30 2021 59.61.122.194:61254 TLS Error: incoming packet authentication failed from [AF_INET]59.61.122.194:61254
Tue Jul 13 20:10:31 2021 59.61.122.194:61254 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1626225029) Tue Jul 13 20:10:29 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Jul 13 20:10:31 2021 59.61.122.194:61254 TLS Error: incoming packet authentication failed from [AF_INET]59.61.122.194:61254
Tue Jul 13 20:10:32 2021 59.61.122.194:61254 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1626225029) Tue Jul 13 20:10:29 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Jul 13 20:10:32 2021 59.61.122.194:61254 TLS Error: incoming packet authentication failed from [AF_INET]59.61.122.194:61254
Tue Jul 13 20:10:33 2021 59.61.122.194:61254 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1626225029) Tue Jul 13 20:10:29 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Jul 13 20:10:33 2021 59.61.122.194:61254 TLS Error: incoming packet authentication failed from [AF_INET]59.61.122.194:61254
Tue Jul 13 20:10:34 2021 59.61.122.194:61254 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1626225029) Tue Jul 13 20:10:29 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Jul 13 20:10:34 2021 59.61.122.194:61254 TLS Error: incoming packet authentication failed from [AF_INET]59.61.122.194:61254
Tue Jul 13 20:10:36 2021 59.61.122.194:61254 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1626225029) Tue Jul 13 20:10:29 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Jul 13 20:10:36 2021 59.61.122.194:61254 TLS Error: incoming packet authentication failed from [AF_INET]59.61.122.194:61254
Tue Jul 13 20:10:37 2021 59.61.122.194:61254 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1626225029) Tue Jul 13 20:10:29 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Jul 13 20:10:37 2021 59.61.122.194:61254 TLS Error: incoming packet authentication failed from [AF_INET]59.61.122.194:61254
Tue Jul 13 20:10:38 2021 59.61.122.194:61254 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1626225029) Tue Jul 13 20:10:29 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Jul 13 20:10:38 2021 59.61.122.194:61254 TLS Error: incoming packet authentication failed from [AF_INET]59.61.122.194:61254
Tue Jul 13 20:10:39 2021 59.61.122.194:61254 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1626225029) Tue Jul 13 20:10:29 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Jul 13 20:10:39 2021 59.61.122.194:61254 TLS Error: incoming packet authentication failed from [AF_INET]59.61.122.194:61254
Tue Jul 13 20:10:40 2021 59.61.122.194:51240 TLS: Initial packet from [AF_INET]59.61.122.194:51240, sid=77a82e23 91f6ea7b
Tue Jul 13 20:10:41 2021 59.61.122.194:51240 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1626225040) Tue Jul 13 20:10:40 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Jul 13 20:10:41 2021 59.61.122.194:51240 TLS Error: incoming packet authentication failed from [AF_INET]59.61.122.194:51240
Tue Jul 13 20:10:42 2021 59.61.122.194:51240 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1626225040) Tue Jul 13 20:10:40 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Jul 13 20:10:42 2021 59.61.122.194:51240 TLS Error: incoming packet authentication failed from [AF_INET]59.61.122.194:51240
Tue Jul 13 20:10:43 2021 59.61.122.194:51240 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1626225040) Tue Jul 13 20:10:40 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Jul 13 20:10:43 2021 59.61.122.194:51240 TLS Error: incoming packet authentication failed from [AF_INET]59.61.122.194:51240
Tue Jul 13 20:10:44 2021 59.61.122.194:51240 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1626225040) Tue Jul 13 20:10:40 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
[/code[

[vicn1222]

Hi,

My server is CentOS 8, with openvpn-2.4.11-1.el8.x86_64 installed using https://github.com/angristan/openvpn-install

Under UDP mode, I can connect to the openvpn server, but my oversea brother can't. He tries in iPhone and Windows 10, none of the devices can connect.

I switch to TCP mode, we both can connect (all devices). But it is slow.

Relevant ports in my server are open:

Code: Select all

  services: http https openvpn ssh
  ports: 143/tcp 587/tcp 25/tcp 443/udp 1194/udp 1194/tcp

Below is server config:

View OriginalServer Config

port 1194
proto udp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 75.75.75.75"
push "dhcp-option DNS 75.75.75.76"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_IsebB3EgQgEDCAXW.crt
key server_IsebB3EgQgEDCAXW.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3

Below is client.ovpn

View OriginalClient Config

client
proto udp
explicit-exit-notify
remote xx.xxx.xxx.xxx 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_IsebB3EgQgEDCAXW name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
**************
</ca>
<cert>
**************
</cert>
<key>
**************
</key>
<tls-crypt>
**************
</tls-crypt>

Below is my server log when my brother try to connect under UDP mode. Please help. I want to use UDP for performance reason. Many thanks

Code: Select all

Wed Jul 14 06:17:07 2021 xx.xx.xxx.xxx:53436 TLS: Initial packet from [AF_INET6]::ffff:xx.xx.xxx.xxx:53436, sid=b3b35736 914651ee
Wed Jul 14 06:18:07 2021 xx.xx.xxx.xxx:53436 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jul 14 06:18:07 2021 xx.xx.xxx.xxx:53436 TLS Error: TLS handshake failed
Wed Jul 14 06:18:07 2021 xx.xx.xxx.xxx:53436 SIGUSR1[soft,tls-error] received, client-instance restarting
Wed Jul 14 06:18:12 2021 xx.xx.xxx.xxx:35973 TLS: Initial packet from [AF_INET6]::ffff:xx.xx.xxx.xxx:35973, sid=507910b8 c1e96640
Wed Jul 14 06:18:53 2021 xx.xx.xxx.xxx:49750 TLS: Initial packet from [AF_INET6]::ffff:xx.xx.xxx.xxx:49750, sid=34189c27 b652f30f
Wed Jul 14 06:19:12 2021 xx.xx.xxx.xxx:35973 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jul 14 06:19:12 2021 xx.xx.xxx.xxx:35973 TLS Error: TLS handshake failed
Wed Jul 14 06:19:12 2021 xx.xx.xxx.xxx:35973 SIGUSR1[soft,tls-error] received, client-instance restarting
Wed Jul 14 06:19:53 2021 xx.xx.xxx.xxx:49750 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jul 14 06:19:53 2021 xx.xx.xxx.xxx:49750 TLS Error: TLS handshake failed
Wed Jul 14 06:19:53 2021 xx.xx.xxx.xxx:49750 SIGUSR1[soft,tls-error] received, client-instance restarting
Wed Jul 14 06:19:58 2021 xx.xx.xxx.xxx:51860 TLS: Initial packet from [AF_INET6]::ffff:xx.xx.xxx.xxx:51860, sid=1bfdf8ab 166559f6
Wed Jul 14 06:20:58 2021 xx.xx.xxx.xxx:51860 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jul 14 06:20:58 2021 xx.xx.xxx.xxx:51860 TLS Error: TLS handshake failed
Wed Jul 14 06:20:58 2021 xx.xx.xxx.xxx:51860 SIGUSR1[soft,tls-error] received, client-instance restarting
Wed Jul 14 06:21:03 2021 xx.xx.xxx.xxx:36097 TLS: Initial packet from [AF_INET6]::ffff:xx.xx.xxx.xxx:36097, sid=9b2a7f23 95c7cc14
Wed Jul 14 06:22:03 2021 xx.xx.xxx.xxx:36097 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jul 14 06:22:03 2021 xx.xx.xxx.xxx:36097 TLS Error: TLS handshake failed
Wed Jul 14 06:22:03 2021 xx.xx.xxx.xxx:36097 SIGUSR1[soft,tls-error] received, client-instance restarting
Wed Jul 14 06:22:08 2021 xx.xx.xxx.xxx:36231 TLS: Initial packet from [AF_INET6]::ffff:xx.xx.xxx.xxx:36231, sid=7fc70525 c22333d5

I set up openvpn on another machine with udp, it gives different errors when he attempted to connect as below:

Code: Select all

Wed Jul 14 10:38:16 2021 xx.xx.xxx.xxx:64949 TLS: Initial packet from [AF_INET]xx.xx.xxx.xxx:64949, sid=b1ff25ad 937ab417
Wed Jul 14 10:38:17 2021 xx.xx.xxx.xxx:64949 VERIFY OK: depth=1, CN=cn_pbKOOtROLPDLxGQQ
Wed Jul 14 10:38:17 2021 xx.xx.xxx.xxx:64949 VERIFY OK: depth=0, CN=client
Wed Jul 14 10:38:17 2021 xx.xx.xxx.xxx:64949 peer info: IV_VER=3.git::58b92569
Wed Jul 14 10:38:17 2021 xx.xx.xxx.xxx:64949 peer info: IV_PLAT=ios
Wed Jul 14 10:38:17 2021 xx.xx.xxx.xxx:64949 peer info: IV_NCP=2
Wed Jul 14 10:38:17 2021 xx.xx.xxx.xxx:64949 peer info: IV_TCPNL=1
Wed Jul 14 10:38:17 2021 xx.xx.xxx.xxx:64949 peer info: IV_PROTO=2
Wed Jul 14 10:38:17 2021 xx.xx.xxx.xxx:64949 peer info: IV_IPv6=1
Wed Jul 14 10:38:17 2021 xx.xx.xxx.xxx:64949 peer info: IV_AUTO_SESS=1
Wed Jul 14 10:38:17 2021 xx.xx.xxx.xxx:64949 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
Wed Jul 14 10:38:17 2021 xx.xx.xxx.xxx:64949 peer info: IV_SSO=openurl
Wed Jul 14 10:38:17 2021 xx.xx.xxx.xxx:64949 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1521'
Wed Jul 14 10:38:18 2021 xx.xx.xxx.xxx:64949 tls-crypt unwrap error: bad packet ID (may be a replay): [ #5 / time = (1626277096) Wed Jul 14 10:38:16 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Jul 14 10:38:18 2021 xx.xx.xxx.xxx:64949 tls-crypt unwrap error: packet replay
Wed Jul 14 10:38:18 2021 xx.xx.xxx.xxx:64949 TLS Error: tls-crypt unwrapping failed from [AF_INET]xx.xx.xxx.xxx:64949
Wed Jul 14 10:38:19 2021 xx.xx.xxx.xxx:64949 tls-crypt unwrap error: bad packet ID (may be a replay): [ #5 / time = (1626277096) Wed Jul 14 10:38:16 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Jul 14 10:38:19 2021 xx.xx.xxx.xxx:64949 tls-crypt unwrap error: packet replay
Wed Jul 14 10:38:19 2021 xx.xx.xxx.xxx:64949 TLS Error: tls-crypt unwrapping failed from [AF_INET]xx.xx.xxx.xxx:64949
Wed Jul 14 10:38:19 2021 xx.xx.xxx.xxx:64949 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
Wed Jul 14 10:38:19 2021 xx.xx.xxx.xxx:64949 [client] Peer Connection Initiated with [AF_INET]xx.xx.xxx.xxx:64949
Wed Jul 14 10:38:19 2021 MULTI: new connection by client 'client' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Wed Jul 14 10:38:19 2021 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Wed Jul 14 10:38:19 2021 MULTI: Learn: 10.8.0.2 -> client/xx.xx.xxx.xxx:64949
Wed Jul 14 10:38:19 2021 MULTI: primary virtual IP for client/xx.xx.xxx.xxx:64949: 10.8.0.2
Wed Jul 14 10:38:20 2021 client/xx.xx.xxx.xxx:64949 tls-crypt unwrap error: bad packet ID (may be a replay): [ #5 / time = (1626277096) Wed Jul 14 10:38:16 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Jul 14 10:38:20 2021 client/xx.xx.xxx.xxx:64949 tls-crypt unwrap error: packet replay
Wed Jul 14 10:38:20 2021 client/xx.xx.xxx.xxx:64949 TLS Error: tls-crypt unwrapping failed from [AF_INET]xx.xx.xxx.xxx:64949
Wed Jul 14 10:38:21 2021 client/xx.xx.xxx.xxx:64949 tls-crypt unwrap error: bad packet ID (may be a replay): [ #5 / time = (1626277096) Wed Jul 14 10:38:16 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Jul 14 10:38:21 2021 client/xx.xx.xxx.xxx:64949 tls-crypt unwrap error: packet replay
Wed Jul 14 10:38:21 2021 client/xx.xx.xxx.xxx:64949 TLS Error: tls-crypt unwrapping failed from [AF_INET]xx.xx.xxx.xxx:64949
Wed Jul 14 10:38:22 2021 client/xx.xx.xxx.xxx:64949 tls-crypt unwrap error: bad packet ID (may be a replay): [ #5 / time = (1626277096) Wed Jul 14 10:38:16 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Jul 14 10:38:22 2021 client/xx.xx.xxx.xxx:64949 tls-crypt unwrap error: packet replay
Wed Jul 14 10:38:22 2021 client/xx.xx.xxx.xxx:64949 TLS Error: tls-crypt unwrapping failed from [AF_INET]xx.xx.xxx.xxx:64949
Wed Jul 14 10:38:23 2021 client/xx.xx.xxx.xxx:64949 tls-crypt unwrap error: bad packet ID (may be a replay): [ #5 / time = (1626277096) Wed Jul 14 10:38:16 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Jul 14 10:38:23 2021 client/xx.xx.xxx.xxx:64949 tls-crypt unwrap error: packet replay
Wed Jul 14 10:38:23 2021 client/xx.xx.xxx.xxx:64949 TLS Error: tls-crypt unwrapping failed from [AF_INET]xx.xx.xxx.xxx:64949
Wed Jul 14 10:38:24 2021 client/xx.xx.xxx.xxx:64949 tls-crypt unwrap error: bad packet ID (may be a replay): [ #5 / time = (1626277096) Wed Jul 14 10:38:16 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Jul 14 10:38:24 2021 client/xx.xx.xxx.xxx:64949 tls-crypt unwrap error: packet replay
Wed Jul 14 10:38:24 2021 client/xx.xx.xxx.xxx:64949 TLS Error: tls-crypt unwrapping failed from [AF_INET]xx.xx.xxx.xxx:64949
Wed Jul 14 10:38:25 2021 client/xx.xx.xxx.xxx:64949 tls-crypt unwrap error: bad packet ID (may be a replay): [ #5 / time = (1626277096) Wed Jul 14 10:38:16 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Jul 14 10:38:25 2021 client/xx.xx.xxx.xxx:64949 tls-crypt unwrap error: packet replay

[TinCanTech]

By the look of it, you are having vicious network problems which are caused by the network which your brother is connecting from or passing through to get to your server.

You may find that you cannot resolve these problems ..

However, at the cost of some security, you can try this in your server config:

Code: Select all

replay-window 128 30

You can also try it in your brother's Win10 PC but I doubt it will work in his iPhone.

Note: In future, please don't start a new thread for your already existing problem or it will be deleted as a duplicate.

* Moving this back to original thread *

[vicn1222]

By the look of it, you are having vicious network problems which are caused by the network which your brother is connecting from or passing through to get to your server.

You may find that you cannot resolve these problems ..

However, at the cost of some security, you can try this in your server config:

Code: Select all

replay-window 128 30

You can also try it in your brother's Win10 PC but I doubt it will work in his iPhone.

Thanks.

If his network is having problems, why TCP works for him, but UDP doesn't?

When setting up openvpn, it gives many options to choose DNS, Can changing DNS solve the problem. Thank you.

Sorry for starting a new thread.

[TinCanTech]

why TCP works for him, but UDP doesn't?

Because they are two different protocols.

Can changing DNS solve the problem

Not this problem.

What country is your brother connecting from ?

Sorry for starting a new thread

Sure

[vicn1222]

What country is your brother connecting from ?

China

[TinCanTech]

You cannot connect to a VPN from inside China to outside China without permission from the "Government" ..

So either get permission or give up.

May be try TOR network ..

[TinCanTech]

Your VPN Only Hope is to try using Easy-TLS to generate TLS-Crypt-V2 keys.

[vicn1222]

You cannot connect to a VPN from inside China to outside China without permission from the "Government" ..

So either get permission or give up.

May be try TOR network ..

People do use VPN there, as long as they don't make it public, or only a few friends use it.

He was able to connect in UDP mode with fast speed for past 6 months since I initially set it up, I made some changes two days ago, and screwed it. I reverted back the original settings, still not working.

The log clearly indicated his devices attempt to connect, just can't create hand-shake. Something must be mis-matched to fail the handshake...

Is there a way to print to a file what messages he send to me that cause the failed handshake?

I can do "ddd" to debug if there is a way... Thank you.

[TinCanTech]

People do use VPN there, as long as they don't make it public, or only a few friends use it.

Nobody knows what rules they use and so we cannot say why you have problems.

I made some changes two days ago, and screwed it. I reverted back the original settings, still not working.

This is another problem ..

The log clearly indicated his devices attempt to connect, just can't create hand-shake. Something must be mis-matched to fail the handshake...

That is probably the case .. but could also be some form of Man-In-The-Middle attack ..

The best thing you can try is to setup your VPN from scratch with your preferred script.

And then switch to TLS-Crypt-V2 keys using Easy-TLS

If you are competent then that should be fairly easy.

Steps:

• Run your script to setup Openvpn
• Install Easy-TLS into your Easy-RSA folder
• Use Easy-TLS to create TLS-Crypt-V2 keys and inline files and also a script for your server

[vicn1222]

• Run your script to setup Openvpn
• Install Easy-TLS into your Easy-RSA folder
• Use Easy-TLS to create TLS-Crypt-V2 keys and inline files and also a script for your server

Try to install the Easy-TLS, but can't follow the instruction. Is there a script for fool like me that I can run like openvpn-install.sh and all done automatically for me?
I have very little experience on generating certificate...

Many thanks

[TinCanTech]

Fools like you are not going to be able to beat the GFWoC .. try harder !

[vicn1222]

Now I am getting exactly same error as my brother.

I reinstall entire CentOS 8, then install openvpn using https://github.com/angristan/openvpn-install, all inputs are using the default values.

When I connect my iPhone under WIFI, I am getting tls-crypt error as below. However, when I turn off iPhone WIFI, using cellular data, it connects without error. Nothing was changed in my WIFI. I reboot my iPhone, reinstall OpenVPN Connect, same error. What could possibly causes this?

Here is server.conf

View OriginalServer Conf

port 1194
proto udp6
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 94.140.14.14"
push "dhcp-option DNS 94.140.15.15"
push "redirect-gateway def1 bypass-dhcp"
server-ipv6 fd42:42:42:42::/112
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_H7zBKFwNkR2wUiN7.crt
key server_H7zBKFwNkR2wUiN7.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3

tun-mtu 1500
script-security 3
log-append /var/log/openvpn.log

View OriginalClient Conf

client
proto udp
explicit-exit-notify
remote xx.xxx.xxx.xxx 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_H7zBKFwNkR2wUiN7 name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3

tun-mtu 1500

<ca>
********************
</ca>
<cert>
********************
</cert>
<key>
********************
</key>
<tls-crypt>
********************
</tls-crypt>

Code: Select all

10.1.10.132:53080 TLS: Initial packet from [AF_INET6]::ffff:10.1.10.132:53080, sid=7d817dc1 28eff8ea
10.1.10.132:53080 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1626411317) Thu Jul 15 23:55:17 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
10.1.10.132:53080 tls-crypt unwrap error: packet replay
10.1.10.132:53080 TLS Error: tls-crypt unwrapping failed from [AF_INET6]::ffff:10.1.10.132:53080
10.1.10.132:53080 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1626411317) Thu Jul 15 23:55:17 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
10.1.10.132:53080 tls-crypt unwrap error: packet replay
10.1.10.132:53080 TLS Error: tls-crypt unwrapping failed from [AF_INET6]::ffff:10.1.10.132:53080
10.1.10.132:53080 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1626411317) Thu Jul 15 23:55:17 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
10.1.10.132:53080 tls-crypt unwrap error: packet replay
10.1.10.132:53080 TLS Error: tls-crypt unwrapping failed from [AF_INET6]::ffff:10.1.10.132:53080
10.1.10.132:53080 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1626411317) Thu Jul 15 23:55:17 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
10.1.10.132:53080 tls-crypt unwrap error: packet replay

[TinCanTech]

Make sure your client uses the new client config from the script you just ran.

[divya]

facing similar issue
Sat Jul 24 04:57:09 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jul 24 04:57:09 2021 TLS Error: TLS handshake failed
Can someone help?