TCP works, UDP fails with TLS Error: Unroutable control packet


Post by takigama » Fri Feb 09, 2024 10:36 am

Hi All,

Got an issue that I just can't seem to solve.

I was spinning up a simple test server (username/password based) on Alpine 3.19 (on Linode) and it all appeared to work. But after moving it to a new server (also Alpine 3.19) that was more locally hosted, I started getting this when my client was trying to connect (MikroTik RouterOS 7.13):

2024-02-09 05:41:49 xxxx:64390 TLS Error: Unroutable control packet received from [AF_INET]xxxx:64390 (si=3 op=P_CONTROL_V1)
2024-02-09 05:41:49 xxxx:64390 TLS Error: Unroutable control packet received from [AF_INET]xxxx:64390 (si=3 op=P_ACK_V1)
2024-02-09 05:41:50 xxxx:64390 TLS Error: Unroutable control packet received from [AF_INET]xxxx:64390 (si=3 op=P_CONTROL_V1)
2024-02-09 05:41:51 xxxx:64390 TLS Error: Unroutable control packet received from [AF_INET]xxxx:64390 (si=3 op=P_CONTROL_V1)


The server config is quite simple (though it's rather modified from its original):
server config


ca /etc/openvpn/ca.pem
cert /etc/openvpn/cert.pem
key /etc/openvpn/key.pem
dh /etc/openvpn/dhparam.pem


port 31194
#daemon
proto udp
#proto tcp-server
dev tun
server 10.255.255.0 255.255.255.0
keepalive 10 120
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA256
topology subnet
mode server
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
verify-client-cert none
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login
#tun-mtu 1500
verb 3


I've tried all the normal things one would try (time is in sync, I've re-generated the ca and cert a couple of times, changed ciphers, etc.) and spent quite a while trying to debug the issue, including going through every search result I can find.

After a while I decided to move it back to Linode to see if it was something specific to Linode that was making it work, and I still get the error.

Finally I switched from UDP to TCP and it comes up just fine, but I just can't seem to see why? Anyone have any suggestions? It wouldn't surprise me greatly that it comes back to a MikroTik problem, as they do modify their OpenVPN client a bit, but given it did work fine initially I'm currently assuming that's not the issue. From the MikroTik's side, it believes it's not getting a response to its initial handshake.


localhost:/etc/openvpn# openvpn server.conf 
2024-02-09 05:51:03 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2024-02-09 05:51:03 WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
2024-02-09 05:51:03 WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional may accept clients which do not present a certificate
2024-02-09 05:51:03 OpenVPN 2.6.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-02-09 05:51:03 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024-02-09 05:51:03 PLUGIN AUTH-PAM: BACKGROUND: initialization succeeded
2024-02-09 05:51:03 PLUGIN AUTH-PAM: initialization succeeded (fg)
2024-02-09 05:51:03 PLUGIN_INIT: POST /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY 
2024-02-09 05:51:03 Diffie-Hellman initialized with 1024 bit key
2024-02-09 05:51:03 ROUTE_GATEWAY xxxx/255.255.255.0 IFACE=eth0 HWADDR=xxxx
2024-02-09 05:51:03 TUN/TAP device tun0 opened
2024-02-09 05:51:03 /sbin/ip link set dev tun0 up mtu 1500
2024-02-09 05:51:03 /sbin/ip link set dev tun0 up
2024-02-09 05:51:03 /sbin/ip addr add dev tun0 local 10.255.255.1 peer 10.255.255.2
2024-02-09 05:51:03 /sbin/ip route add 10.255.255.0/24 via 10.255.255.2
2024-02-09 05:51:03 Could not determine IPv4/IPv6 protocol. Using AF_INET
2024-02-09 05:51:03 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-02-09 05:51:03 UDPv4 link local (bound): [AF_INET][undef]:31194
2024-02-09 05:51:03 UDPv4 link remote: [AF_UNSPEC]
2024-02-09 05:51:03 GID set to nogroup
2024-02-09 05:51:03 UID set to nobody
2024-02-09 05:51:03 MULTI: multi_init called, r=256 v=256
2024-02-09 05:51:03 IFCONFIG POOL IPv4: base=10.255.255.4 size=62
2024-02-09 05:51:03 Initialization Sequence Completed
2024-02-09 05:51:09 xxxx:6580 TLS Error: Unroutable control packet received from [AF_INET]xxxx:6580 (si=3 op=P_CONTROL_V1)
2024-02-09 05:51:09 xxxx:6580 TLS Error: Unroutable control packet received from [AF_INET]xxxx:6580 (si=3 op=P_ACK_V1)
2024-02-09 05:51:10 xxxx:6580 TLS Error: Unroutable control packet received from [AF_INET]xxxx:6580 (si=3 op=P_CONTROL_V1)
2024-02-09 05:51:11 xxxx:6580 TLS Error: Unroutable control packet received from [AF_INET]xxxx:6580 (si=3 op=P_CONTROL_V1)
2024-02-09 05:51:12 xxxx:6580 TLS Error: Unroutable control packet received from [AF_INET]xxxx:6580 (si=3 op=P_CONTROL_V1)
2024-02-09 05:51:13 xxxx:6580 TLS Error: Unroutable control packet received from [AF_INET]xxxx:6580 (si=3 op=P_CONTROL_V1)
^C
2024-02-09 05:51:14 event_wait : Interrupted system call (fd=-1,code=4)
2024-02-09 05:51:14 /sbin/ip route del 10.255.255.0/24
RTNETLINK answers: Operation not permitted
2024-02-09 05:51:14 ERROR: Linux route delete command failed: external program exited with error status: 2
2024-02-09 05:51:14 ERROR: Linux route delete command failed
2024-02-09 05:51:14 Closing TUN/TAP interface
2024-02-09 05:51:14 /sbin/ip addr del dev tun0 local 10.255.255.1 peer 10.255.255.2
RTNETLINK answers: Operation not permitted
2024-02-09 05:51:14 Linux ip addr del failed: external program exited with error status: 2
2024-02-09 05:51:14 PLUGIN_CLOSE: /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
2024-02-09 05:51:14 SIGINT[hard,] received, process exiting


localhost:/etc/openvpn# openvpn --version
OpenVPN 2.6.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push='no' enable_comp_stub='no' enable_crypto_ofb_cfb='yes' enable_dco='no' enable_dco_arg='auto' enable_debug='yes' enable_dlopen='unknown' enable_dlopen_self='unknown' enable_dlopen_self_static='unknown' enable_fast_install='needless' enable_fragment='yes' enable_iproute2='yes' enable_libtool_lock='yes' enable_lz4='yes' enable_lzo='yes' enable_management='yes' enable_pam_dlopen='no' enable_pedantic='no' enable_pkcs11='no' enable_plugin_auth_pam='yes' enable_plugin_down_root='yes' enable_plugins='yes' enable_port_share='yes' enable_selinux='no' enable_shared='yes' enable_shared_with_static_runtimes='no' enable_small='no' enable_static='yes' enable_strict='no' enable_strict_options='no' enable_systemd='no' enable_werror='no' enable_win32_dll='yes' enable_wolfssl_options_h='yes' enable_x509_alt_username='yes' with_aix_soname='aix' with_crypto_library='openssl' with_gnu_ld='yes' with_mem_check='no' with_openssl_engine='auto' with_sysroot='no'

