"tls-crypt unwrap error" by random

bjoern.anger
OpenVpn Newbie
Posts: 1
Joined: Thu Feb 22, 2024 12:57 pm


Post by bjoern.anger » Thu Feb 22, 2024 1:52 pm

Hi there,
I'm looking for help with a very unpleasant problem that results in a non-working tunnel.

First, we run OPNsense on a VMware host. The clients and servers involved are, as far as we know, all fully patched. This applies to the operating systems and hardware drivers as well as the software.
On the platform we have multiple instances and hundreds of users working from home every day.
However, there is a small group of about 10 users who cannot use OpenVPN. They keep getting the error: tls-crypt unwrap error: bad packet ID. And the tunnel doesn't come up.

What we have tried:
User A fails to connect on Notebook1, so he tries to connect on Notebook2 and it works. But it doesn't work on Notebook3 either.
User B has the same error on NB4. Deleting the user profile on this Windows notebook, rebooting and logging in again with the same user doesn't help. Therefore the problem might not be related to the user profile. After reinstalling the machine from scratch and logging in again with the same user, the error occurs again. So the problem is not related to the machine? But what else?
We've tried some values for "replay-window". That doesn't change anything.
The exact same configuration works for several hundred other users.

I would really appreciate some help as we don't know how to find the root cause and fix it.

client config
verb 4
dev tun
persist-tun
persist-key
client
resolv-retry infinite
reneg-sec 43200
remote %vpn-gateway% 10020 udp
lport 0
verify-x509-name "C=DE, ST=state, L=town, O=company, OU=IT, CN=%vpn-gateway%, emailAddress=info@company.com" subject
remote-cert-tls server
cryptoapicert "SUBJ:username@company.com"
auth-user-pass
auth-nocache
block-outside-dns
<ca>
>> C e r t s
</ca>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xXxXxX
-----END OpenVPN Static key V1-----
</tls-crypt>


This block shows up 5 times and then the client asks for the username/password again:


2024-02-22 13:35:51 us=718000 PID_ERR replay-window backtrack occurred [4] [TLS_WRAP-0] [000000] 1708605351:6 1708605351:2 t=1708605351[0] r=[0,16,15,4,1] sl=[10,6,16,144]
2024-02-22 13:35:51 us=718000 PID_ERR replay [4] [TLS_WRAP-0] [000000] 1708605351:6 1708605351:2 t=1708605351[0] r=[0,16,15,4,1] sl=[10,6,16,144]
2024-02-22 13:35:51 us=718000 tls-crypt unwrap error: bad packet ID (may be a replay): [ #2 / time = (1708605351) 2024-02-22 13:35:51 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
2024-02-22 13:35:51 us=718000 tls-crypt unwrap error: packet replay
2024-02-22 13:35:51 us=718000 TLS Error: tls-crypt unwrapping failed from [AF_INET]$server.ip:10020
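As an added illustration (not part of the original post and not OpenVPN's own source), the Python model below of a packet-id replay window shows why the two PID_ERR lines above differ: a late packet whose window bit is still clear is only a "backtrack" and is accepted, while an id whose bit is already set is a "replay" and is dropped no matter how large --replay-window is. The packet trace is constructed; the timestamp is the one from the log.

```python
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    NEW_TIME = "accepted: newer timestamp"
    NEWEST = "accepted: newest id so far"
    BACKTRACK = "accepted: out of order but inside the window"
    TOO_OLD = "rejected: outside the replay window"
    REPLAY = "rejected: packet replay (id already seen)"

@dataclass
class ReplayWindow:
    """Sliding window over (time, id) pairs, modelled on OpenVPN's packet-id check."""
    size: int = 64            # --replay-window default is 64 packets
    last_time: int = 0
    last_id: int = 0
    seen: int = 0             # bitmask: bit k set <=> id (last_id - k) already received

    def check(self, t, pid):
        """Return (verdict, backtrack); backtrack = last_id - pid for ids behind the newest."""
        if t > self.last_time:                      # new time epoch: reset the window
            self.last_time, self.last_id, self.seen = t, pid, 1
            return Verdict.NEW_TIME, 0
        if t < self.last_time:
            return Verdict.TOO_OLD, 0
        if pid > self.last_id:                      # newest id: slide the window forward
            shift = pid - self.last_id
            self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.last_id = pid
            return Verdict.NEWEST, 0
        backtrack = self.last_id - pid
        if backtrack >= self.size:
            return Verdict.TOO_OLD, backtrack
        if self.seen & (1 << backtrack):            # the log's "PID_ERR replay [n]" case
            return Verdict.REPLAY, backtrack
        self.seen |= 1 << backtrack                 # the log's "backtrack occurred [n]" case
        return Verdict.BACKTRACK, backtrack

T = 1708605351  # timestamp taken from the log lines above
# Constructed trace: ids 1,2,3,5,6 arrive, then 4 arrives late, then 2 arrives a second time.
CONSTRUCTED_TRACE = [(T, 1), (T, 2), (T, 3), (T, 5), (T, 6), (T, 4), (T, 2)]

def run_trace(trace, window_size=64):
    """Feed a trace through one window; returns (verdict name, backtrack) per packet."""
    w = ReplayWindow(size=window_size)
    return [(v.name, b) for v, b in (w.check(t, pid) for t, pid in trace)]

if __name__ == "__main__":
    for (t, pid), (verdict, backtrack) in zip(CONSTRUCTED_TRACE, run_trace(CONSTRUCTED_TRACE)):
        print(f"{t}:{pid:<3} {verdict:<10} backtrack={backtrack}")
```

The last packet of the trace is rejected as a replay with backtrack 4 exactly as in the log, and the same verdict comes back with a 1024-packet window, which is why tuning --replay-window does not help when the same packet really arrives twice.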
