I'm getting random crashes of OpenVPN server 2.5.1; usually it crashes with "exited on signal 11" after "WARNING: Bad encapsulated packet length from peer (18245)".
Maybe these things are not related, but after this warning I'm getting "TCP: accept(10) failed: Software caused connection abort (errno=53)" in the log and the daemon crashes.
Maybe somebody can help me investigate this problem?
My server config and logs are below:
/var/log/openvpn.log and /var/log/messages:
2021-04-02 04:58:10 us=734354 MULTI: multi_create_instance called
2021-04-02 04:58:10 us=734404 Re-using SSL/TLS context
2021-04-02 04:58:10 us=734523 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-02 04:58:10 us=734541 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-02 04:58:10 us=734635 Control Channel MTU parms [ L:1624 D:1170 EF:80 EB:0 ET:0 EL:3 ]
2021-04-02 04:58:10 us=734659 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2021-04-02 04:58:10 us=734716 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
2021-04-02 04:58:10 us=734730 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
2021-04-02 04:58:10 us=734755 TCP connection established with [AF_INET]209.141.56.59:45822
2021-04-02 04:58:10 us=734770 TCPv4_SERVER link local: (not bound)
2021-04-02 04:58:10 us=734784 TCPv4_SERVER link remote: [AF_INET]209.141.56.59:45822
2021-04-02 04:58:10 us=734872 209.141.56.59:45822 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
2021-04-02 04:58:10 us=734889 209.141.56.59:45822 Connection reset, restarting [0]
2021-04-02 04:58:10 us=734901 209.141.56.59:45822 SIGUSR1[soft,connection-reset] received, client-instance restarting
2021-04-02 04:58:10 us=734951 TCP/UDP: Closing socket
2021-04-02 04:58:11 us=93278 MULTI: multi_create_instance called
2021-04-02 04:58:11 us=93316 Re-using SSL/TLS context
2021-04-02 04:58:11 us=93421 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-02 04:58:11 us=93438 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-02 04:58:11 us=93492 Control Channel MTU parms [ L:1624 D:1170 EF:80 EB:0 ET:0 EL:3 ]
2021-04-02 04:58:11 us=93512 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2021-04-02 04:58:11 us=93560 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
2021-04-02 04:58:11 us=93573 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
2021-04-02 04:58:11 us=93635 TCP: accept(10) failed: Software caused connection abort (errno=53)
Apr 2 04:58:11 vpn-ext kernel: [15774] pid 46022 (openvpn), jid 0, uid 65534: exited on signal 11
openvpn --version
OpenVPN 2.5.1 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Feb 26 2021
library versions: OpenSSL 1.1.1h-freebsd 22 Sep 2020, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
management 127.0.0.1 5281
plugin /usr/local/lib/openvpn-auth-ldap.so "/usr/local/etc/openvpn/openvpn-auth-ldap.conf"
port 81
proto tcp4
hand-window 240
dev tun5
topology subnet
verify-client-cert none
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh2048.pem
server 172.16.1.0 255.255.255.0
push "route 192.168.91.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
username-as-common-name
client-config-dir /usr/local/etc/openvpn/rtkct
tls-auth /usr/local/etc/openvpn/keys/ta.key 0
auth SHA256
cipher AES-256-CBC
tcp-queue-limit 4096
bcast-buffers 4096
reneg-sec 36000
reneg-bytes 0
keepalive 10 120
allow-compression no
compress
comp-lzo no
push "comp-lzo no"
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
status-version 3
log-append /var/log/openvpn.log
verb 4
script-security 3
sndbuf 512000
rcvbuf 512000
push "sndbuf 512000"
push "rcvbuf 512000"
verb 7 log
2021-04-02 14:13:54 us=168300 TCP connection established with [AF_INET]209.141.58.91:36152
2021-04-02 14:13:54 us=168317 TCPv4_SERVER link local: (not bound)
2021-04-02 14:13:54 us=168330 TCPv4_SERVER link remote: [AF_INET]209.141.58.91:36152
2021-04-02 14:13:54 us=168353 209.141.58.91:36152 SENT PING
2021-04-02 14:13:54 us=168409 209.141.58.91:36152 MULTI TCP: instance added: 209.141.58.91:36152
2021-04-02 14:13:54 us=168425 209.141.58.91:36152 MULTI TCP: multi_tcp_action a=TA_INITIAL p=0
2021-04-02 14:13:54 us=168436 209.141.58.91:36152 MULTI TCP: multi_tcp_dispatch a=TA_INITIAL mi=0x801601000
2021-04-02 14:13:54 us=168455 209.141.58.91:36152 MULTI TCP: multi_tcp_post TA_INITIAL -> TA_UNDEF
2021-04-02 14:13:54 us=168477 209.141.58.91:36152 MULTI TCP: multi_tcp_action a=TA_SOCKET_READ p=0
2021-04-02 14:13:54 us=168489 209.141.58.91:36152 MULTI TCP: multi_tcp_dispatch a=TA_SOCKET_READ mi=0x801601000
2021-04-02 14:13:54 us=168507 209.141.58.91:36152 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
2021-04-02 14:13:54 us=168524 209.141.58.91:36152 Connection reset, restarting [0]
2021-04-02 14:13:54 us=168536 209.141.58.91:36152 SIGUSR1[soft,connection-reset] received, client-instance restarting
2021-04-02 14:13:54 us=168547 MULTI: multi_close_instance called
2021-04-02 14:13:54 us=168562 PID packet_id_free
2021-04-02 14:13:54 us=168595 PID packet_id_free
2021-04-02 14:13:54 us=168608 PID packet_id_free
2021-04-02 14:13:54 us=168618 PID packet_id_free
2021-04-02 14:13:54 us=168638 PID packet_id_free
2021-04-02 14:13:54 us=168650 PID packet_id_free
2021-04-02 14:13:54 us=168661 PID packet_id_free
2021-04-02 14:13:54 us=168671 PID packet_id_free
2021-04-02 14:13:54 us=168686 TCP/UDP: Closing socket
2021-04-02 14:13:54 us=168719 PID packet_id_free
2021-04-02 14:13:54 us=168739 MULTI TCP: multi_tcp_post TA_SOCKET_READ -> TA_UNDEF
2021-04-02 14:13:54 us=365785 MULTI TCP: multi_tcp_action a=TA_TIMEOUT p=0
2021-04-02 14:13:54 us=365806 MULTI TCP: multi_tcp_dispatch a=TA_TIMEOUT mi=0x00000000
2021-04-02 14:13:54 us=365822 MULTI TCP: multi_tcp_post TA_TIMEOUT -> TA_UNDEF
2021-04-02 14:13:54 us=492710 MULTI TCP: multi_tcp_action a=TA_SOCKET_READ p=0
2021-04-02 14:13:54 us=492730 MULTI TCP: multi_tcp_dispatch a=TA_SOCKET_READ mi=0x8013c9400
2021-04-02 14:13:54 us=492754 av_andreev/37.145.211.176:25906 TCPv4_SERVER READ [77] from [AF_INET]37.145.211.176:25906: P_DATA_V2 kid=1 DATA len=76
2021-04-02 14:13:54 us=492769 av_andreev/37.145.211.176:25906 TLS: tls_pre_decrypt, key_id=1, IP=[AF_INET]37.145.211.176:25906
2021-04-02 14:13:54 us=492807 av_andreev/37.145.211.176:25906 PID_TEST [0] [SSL-1] [369>>>EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE] 0:3231 0:3232 t=1617362034[0] r=[-3,64,15,0,1] sl=[33,64,64,528]
2021-04-02 14:13:54 us=492828 av_andreev/37.145.211.176:25906 GET INST BY VIRT: 172.16.1.4 -> test_username/37.145.211.176:25906 via 172.16.1.4
2021-04-02 14:13:54 us=492842 MULTI TCP: multi_tcp_post TA_SOCKET_READ -> TA_TUN_WRITE
2021-04-02 14:13:54 us=492853 MULTI TCP: multi_tcp_action a=TA_TUN_WRITE p=1
2021-04-02 14:13:54 us=492864 MULTI TCP: multi_tcp_wait_lite a=TA_TUN_WRITE mi=0x8013c9400
2021-04-02 14:13:54 us=492880 MULTI TCP: multi_tcp_dispatch a=TA_TUN_WRITE mi=0x8013c9400
2021-04-02 14:13:54 us=492892 av_andreev/37.145.211.176:25906 TUN WRITE [52]
2021-04-02 14:13:54 us=492919 MULTI TCP: multi_tcp_post TA_TUN_WRITE -> TA_UNDEF
2021-04-02 14:13:54 us=536581 MULTI: multi_create_instance called
2021-04-02 14:13:54 us=536617 Re-using SSL/TLS context
2021-04-02 14:13:54 us=536722 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-02 14:13:54 us=536745 Outgoing Control Channel Authentication: HMAC KEY: d500140d c19a3615 e47d1de9 cba9620f 67661d23 e664754f 83dd742f b5fd7793
2021-04-02 14:13:54 us=536757 Outgoing Control Channel Authentication: HMAC size=32 block_size=32
2021-04-02 14:13:54 us=536772 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-04-02 14:13:54 us=536794 Incoming Control Channel Authentication: HMAC KEY: 2f846a76 7f8ef2b5 a5791ea5 1fbf687c 741b78d9 8fd03dc2 7a681db3 8b9650e9
2021-04-02 14:13:54 us=536805 Incoming Control Channel Authentication: HMAC size=32 block_size=32
2021-04-02 14:13:54 us=536820 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
2021-04-02 14:13:54 us=536836 PID packet_id_init seq_backtrack=64 time_backtrack=15
2021-04-02 14:13:54 us=536867 PID packet_id_init seq_backtrack=64 time_backtrack=15
2021-04-02 14:13:54 us=536883 PID packet_id_init seq_backtrack=64 time_backtrack=15
2021-04-02 14:13:54 us=536908 PID packet_id_init seq_backtrack=64 time_backtrack=15
2021-04-02 14:13:54 us=536924 Control Channel MTU parms [ L:1624 D:1170 EF:80 EB:0 ET:0 EL:3 ]
2021-04-02 14:13:54 us=536939 MTU DYNAMIC mtu=1450, flags=2, 1624 -> 1450
2021-04-02 14:13:54 us=536953 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2021-04-02 14:13:54 us=536974 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
2021-04-02 14:13:54 us=536985 calc_options_string_link_mtu: link-mtu 1624 -> 1572
2021-04-02 14:13:54 us=537017 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
2021-04-02 14:13:54 us=537029 calc_options_string_link_mtu: link-mtu 1624 -> 1572
2021-04-02 14:13:54 us=537053 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
2021-04-02 14:13:54 us=537066 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
2021-04-02 14:13:54 us=537110 TCP: accept(7) failed: Software caused connection abort (errno=53)
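Added example, not part of the original post: in TCP mode OpenVPN reads a 2-byte big-endian length in front of every packet, so the number in a "Bad encapsulated packet length" warning is simply the first two bytes the peer sent. The Python sketch below decodes that number from such log lines and matches it against a small table of protocol prefixes. The table and the second sample line are assumptions made for illustration, and the output is a triage hint about what connected to the port, not an explanation of the signal 11 crash.

```python
import re
import struct

# The warning reports the first two bytes the peer sent, read as a
# big-endian 16-bit packet length (OpenVPN's TCP framing).
BAD_LEN = re.compile(
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}):\d+ WARNING: "
    r"Bad encapsulated packet length from peer \((?P<length>\d+)\)"
)

# Assumption: hand-picked two-byte prefixes of common protocols.
KNOWN_PREFIXES = {
    b"GE": "HTTP GET",
    b"PO": "HTTP POST",
    b"HE": "HTTP HEAD",
    b"SS": "SSH banner",
    b"\x16\x03": "TLS handshake record",
}


def decode_length(length):
    """Return the two wire bytes that produced a reported length."""
    if not 0 <= length <= 0xFFFF:
        raise ValueError("length does not fit a 16-bit prefix")
    return struct.pack(">H", length)


def classify(log_text):
    """Return (peer, length, wire_bytes, guess) for each warning line."""
    results = []
    for m in BAD_LEN.finditer(log_text):
        length = int(m.group("length"))
        raw = decode_length(length)
        guess = KNOWN_PREFIXES.get(raw, "unknown")
        results.append((m.group("peer"), length, raw, guess))
    return results


# First line is taken (shortened) from the log above; second is constructed.
SAMPLE = """\
2021-04-02 04:58:10 us=734872 209.141.56.59:45822 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1627
2021-04-02 05:00:00 us=000001 192.0.2.10:40000 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627
"""

if __name__ == "__main__":
    for peer, length, raw, guess in classify(SAMPLE):
        print(f"{peer}: {length} = {raw!r} -> {guess}")
```

For the value in this log, 18245 is 0x4745, the ASCII bytes "GE", which is what a plain HTTP request sent to the listening TCP port would begin with.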