OpenVPN Support Forum

Hi @ all,

i have a very special use for my VPN connection, i want to use Steam In-Home Streaming via VPN. My first attempt to do such a config was successfull but has some problems, and i hope someone here is able to help. Im from germany so there are some comments in my config file that are in german, please ask if there is anything i should translate.

Server configuration:

# Zertifikate
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\VPNServer.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\VPNServer.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"

# Server und Netzwerk
local 192.168.178.28 #LAN-Adresse des Servers
port 1194
proto udp
dev tap
server 192.168.10.0 255.255.255.0 #Subnetz
ifconfig-pool-persist ipp.txt
comp-lzo
persist-key
persist-tun
keepalive 10 120
auth none
cipher none
no-replay

# Log
status "C:\\Program Files\\OpenVPN\\log\\openvpn-status.log"
log "C:\\Program Files\\OpenVPN\\log\\openvpn.log"
log-append "C:\\Program Files\\OpenVPN\\log\\openvpn.log"
verb 3


Client configuration:

# Zertifikate
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\VPNClient.crt"
key "C:\\Program Files\\OpenVPN\\config\\VPNClient.key"

# Client-Setup
client
dev tap
proto udp
remote XXXX.XXXX.XXXX (for security reasons i leave this blank in my post) 1194 #Hostname anpassen
resolv-retry infinite
nobind
persist-key
persist-tun
route-metric 512
route 0.0.0.0 0.0.0.0
comp-lzo
verb 3
auth none
cipher none
no-replay


Connection:

Serverside: 100 Mbit/s down, 42 Mbit/s up

Clientside: 150 Mbit/s down, 30 Mbit/s up


I need to maximize the Performance so i used "auth none" and "cipher none" next thing i wanted to use is "no-replay" without the "no-replay" option the streaming starts but freezes after a short time, respectivly when the traffic is going up. With the "no-replay" option i cant connect to my server at all, it stops then with the following error:

Client log:

Wed Jan 11 14:42:44 2017 OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 27 2016
Wed Jan 11 14:42:44 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Jan 11 14:42:44 2017 library versions: OpenSSL 1.0.2i 22 Sep 2016, LZO 2.09
Enter Management Password:
Wed Jan 11 14:42:44 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed Jan 11 14:42:44 2017 Need hold release from management interface, waiting...
Wed Jan 11 14:42:45 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed Jan 11 14:42:45 2017 MANAGEMENT: CMD 'state on'
Wed Jan 11 14:42:45 2017 MANAGEMENT: CMD 'log all on'
Wed Jan 11 14:42:45 2017 MANAGEMENT: CMD 'hold off'
Wed Jan 11 14:42:45 2017 MANAGEMENT: CMD 'hold release'
Wed Jan 11 14:42:45 2017 WARNING: You have disabled Replay Protection (--no-replay) which may make OpenVPN less secure
Wed Jan 11 14:42:45 2017 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Jan 11 14:42:45 2017 ******* WARNING *******: null cipher specified, no encryption will be used
Wed Jan 11 14:42:45 2017 ******* WARNING *******: null MAC specified, no authentication will be used
Wed Jan 11 14:42:45 2017 MANAGEMENT: >STATE:1484142165,RESOLVE,,,,,,
Wed Jan 11 14:42:45 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
Wed Jan 11 14:42:45 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Jan 11 14:42:45 2017 UDP link local: (not bound)
Wed Jan 11 14:42:45 2017 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Wed Jan 11 14:42:45 2017 MANAGEMENT: >STATE:1484142165,WAIT,,,,,,
Wed Jan 11 14:42:45 2017 MANAGEMENT: >STATE:1484142165,AUTH,,,,,,
Wed Jan 11 14:42:45 2017 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=84e93f31 5c804aca
Wed Jan 11 14:42:45 2017 VERIFY OK: depth=1, C=DE, ST=Hessen, L=Darmstadt, O=HomeOffice, OU=Office, CN=VPNServer, name=VPNServer, emailAddress=manueltheis1987@gmail.com
Wed Jan 11 14:42:45 2017 VERIFY OK: depth=0, C=DE, ST=Hessen, L=Darmstadt, O=HomeOffice, OU=Office, CN=VPNServer, name=VPNServer, emailAddress=manueltheis1987@gmail.com
Wed Jan 11 14:42:45 2017 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1534', remote='link-mtu 1538'
Wed Jan 11 14:42:45 2017 WARNING: 'no-replay' is present in local config but missing in remote config, local='no-replay'
Wed Jan 11 14:42:45 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Wed Jan 11 14:42:45 2017 [VPNServer] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
Wed Jan 11 14:42:46 2017 MANAGEMENT: >STATE:1484142166,GET_CONFIG,,,,,,
Wed Jan 11 14:42:46 2017 SENT CONTROL [VPNServer]: 'PUSH_REQUEST' (status=1)
Wed Jan 11 14:42:46 2017 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.10.1,ping 10,ping-restart 120,ifconfig 192.168.10.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Jan 11 14:42:46 2017 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jan 11 14:42:46 2017 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jan 11 14:42:46 2017 OPTIONS IMPORT: route-related options modified
Wed Jan 11 14:42:46 2017 OPTIONS IMPORT: peer-id set
Wed Jan 11 14:42:46 2017 OPTIONS IMPORT: adjusting link_mtu to 1657
Wed Jan 11 14:42:46 2017 OPTIONS IMPORT: data channel crypto options modified
Wed Jan 11 14:42:46 2017 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jan 11 14:42:46 2017 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jan 11 14:42:46 2017 interactive service msg_channel=764
Wed Jan 11 14:42:46 2017 ROUTE_GATEWAY 192.168.8.1/255.255.255.0 I=14 HWADDR=0c:5b:8f:27:9a:64
Wed Jan 11 14:42:46 2017 open_tun
Wed Jan 11 14:42:46 2017 TAP-WIN32 device [Ethernet 6] opened: \\.\Global\{B40318CE-CD86-4BB4-A3DB-AF319799D9AB}.tap
Wed Jan 11 14:42:46 2017 TAP-Windows Driver Version 9.21
Wed Jan 11 14:42:46 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.10.2/255.255.255.0 on interface {B40318CE-CD86-4BB4-A3DB-AF319799D9AB} [DHCP-serv: 192.168.10.0, lease-time: 31536000]
Wed Jan 11 14:42:46 2017 Successful ARP Flush on interface [20] {B40318CE-CD86-4BB4-A3DB-AF319799D9AB}
Wed Jan 11 14:42:46 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jan 11 14:42:46 2017 MANAGEMENT: >STATE:1484142166,ASSIGN_IP,,192.168.10.2,,,,
Wed Jan 11 14:42:46 2017 MANAGEMENT: Client disconnected
Wed Jan 11 14:42:46 2017 Assertion failed at crypto.c:81 (packet_id_initialized(&opt->packet_id))
Wed Jan 11 14:42:46 2017 Exiting due to fatal error
Wed Jan 11 14:42:46 2017 Closing TUN/TAP interface

If i leave the "no-replay" option out of my config i get the following error: "Wed Jan 11 14:45:37 2017 AEAD Decrypt error: bad packet ID (may be a replay): [ #3715 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings"

Maybe someone has a hint for me.

THX

mtheis1987 wrote:I need to maximize the Performance so i used "auth none" and "cipher none"

Now that you have updated to 2.4 you are using --ncp-ciphers by default, shown here:

mtheis1987 wrote:Wed Jan 11 14:42:46 2017 OPTIONS IMPORT: data channel crypto options modified
Wed Jan 11 14:42:46 2017 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jan 11 14:42:46 2017 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key

If security is not a concern for you then you can also disable that feature with --ncp-disable

See https://community.openvpn.net/openvpn/w ... n24ManPage for details.

Try that and feedback your results.

If i do that the connection works but my connection becomes public, and with that it wont be able to do streaming in any way. I even cant ping my server anymore with a public connection.

EDIT: It has to do something with the no-replay function, as soon as i enable that my Connection becomes public. Any suggestions?

mtheis1987 wrote:If i do that the connection works but my connection becomes public

Before you updated to 2.4 your connection was "public" .. So I do not understand your concern.

Initially you had disabled ALL security over the data channel with --cipher none

The problem you are having with replay warnings may be due to saturating your connection with the data you are streaming over a network that does not give you that much bandwidth (one which is out of your control)

Sry, i think i explained it wrong, what i meant was:

The state of my OpenVPN TAP device, if i dont use "no-replay" my connection in the Network and Sharing Center is marked as "private connection" if i enable The "no-replay" Option The state of the Ethernet Connection switches to "public" and that want allow me to even ping my Server.

I found out that this happens when you dont specify a default gateway.

But there is a default gateway specified in my config, correct me if im wrong.

mtheis1987 wrote:# Client-Setup
...
route-metric 512
route 0.0.0.0 0.0.0.0

Try removing this and using --redirect-gateway option .. which is designed specifically to this better.

Tried that but still no luck. Tried other suggestgions as well, like setting the network location via powershell or regedit, but still no luck. With "no-replay" my connections switches from private to public and i cant get streaming to work at all.

mtheis1987 wrote:my connections switches from private to public and i cant get streaming to work

Private vs Public are Windows Firewall Zones and different rules are automatically applied by windows. You need to check what your Windows Firewall is up to. The quickest way to verify that is to disable Windows Firewall.

Checked that, switched Firewall off and disabled Firewall service on both ends. Still dont work.

You are trying to run a completely unprotected VPN by using these options:
(Which must also be set on both sides; server and client)

• --cipher none
  --auth none
  --no-replay
  --ncp-cipher none

Therefore, as you have no protection, anything could happen ..

For testing purposes, setup a normal VPN and see what results you get.

If i set up a normal VPN Connection is fine, streaming starts, but freezes after a short time with the above mentioned failure:

"Wed Jan 11 14:45:37 2017 AEAD Decrypt error: bad packet ID (may be a replay): [ #3715 ] -- see the man page entry for --no-replay and --replay window for more info or silence this warning with --mute-replay-warnings"

In the meantime i tried to disable the comp-lzo option by addin "comp-lzo no", now my stream works and looks like it is stable. I will run more tests and write down my results here.

Anyway, thank you for your patience with this "unconventional" VPN setup. I know that this isnt the purpose a VPN is made for but until Steam allows streaming over the internet this is my only chance to get Steams "In-Home Streaming" to work over long distances.

Thanks for letting us know how you have apparently resolved the problem