Authenticate/Decrypt packet error: bad packet ID (may be a replay) in UDP mode
Posted: Tue Mar 05, 2024 2:42 pm
Dear All,
We have been using OpenVPN for several years with a growing number of clients. Right now, around 30-40 clients.
We want to move to the UDP protocol; we were only using TCP mode because our major vendor (Mikrotik) did not support UDP mode before.
I have configured a second OpenVPN server instance on a different port and a different subnet, and changed it to UDP mode. Clients can connect and traffic is basically working.
In the logs I can see a lot of warnings about bad packet ID:

Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3939 ]

This happens randomly on almost every client, but the traffic works.
However, every 1-2 hours one of the clients (not a specific one, but always one of all the clients, at random) starts to spam the same log message rapidly:

Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3939 ]

The counter is increasing rapidly. This goes on until the ping timer expires and the server disconnects the connection. During this time, the client is not reachable. I don't think it is about the quality of the connection, because it happens randomly, with clients that have a great connection.
Also, right now the TCP VPN client is configured on some clients as well (next to the UDP client, with different settings / subnet), and it still works even when the UDP client is not reachable.
Server config:
port 8194
proto udp
dev tun
ca ca.crt
cert vps-m02.crt
key vps-m02.key
dh dh.pem
topology subnet
server 172.16.8.0 255.255.248.0 nopool
management 0.0.0.0 7506
ifconfig-pool 172.16.15.1 172.16.15.254
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-config-dir ccd
route 10.0.0.0 255.255.0.0
route 10.1.0.0 255.255.255.252
push "route 10.0.0.0 255.255.0.0 172.16.8.1 10"
push "route 10.1.0.2 255.255.255.255 172.16.8.3"
keepalive 10 60
data-ciphers AES-256-CBC
auth SHA1
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn-udp.log
verb 1
explicit-exit-notify 0
crl-verify crl.pem
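Added illustration (editor's own toy code, not part of the original post and not OpenVPN's source): the warning quoted above comes from OpenVPN's data-channel anti-replay check, not from a cipher or HMAC failure. Every data packet carries an increasing packet ID and the receiver keeps a sliding bitmap of the most recent IDs (64 by default, the first argument of `--replay-window n [t]`). A packet is rejected, and this line logged, when its ID is zero, was already seen (a genuine replay or a duplicated datagram), or lags the newest accepted ID by the window size or more. The model below ignores the window's time-based component (`t`, 15 seconds by default) and 32-bit wraparound, and the packet-ID sequences it is fed are constructed for this example, not taken from the poster's logs.

```python
"""Toy model of OpenVPN-style data-channel replay protection (sliding window).

Illustrative reimplementation written for this thread; it is NOT OpenVPN's own
packet_id code. It shows why "bad packet ID (may be a replay)" is logged under
UDP: the receiver tracks the newest accepted packet ID plus a bitmap of the
previous (size - 1) IDs, and rejects IDs that are zero, already seen, or too old.
"""
from dataclasses import dataclass

REPLAY_WINDOW = 64  # OpenVPN's default window size (--replay-window n, n = 64)


@dataclass
class ReplayWindow:
    """Sliding bitmap over the most recent `size` packet IDs."""
    size: int = REPLAY_WINDOW
    highest: int = 0  # newest packet ID accepted so far; 0 means none yet
    seen: int = 0     # bit k set => packet ID (highest - k) was accepted

    def accept(self, pid: int) -> bool:
        """Return True if `pid` is fresh and inside the window, else False."""
        if pid <= 0:
            return False                      # ID 0 is reserved and never valid
        if pid > self.highest:                # new high-water mark: slide window
            shift = pid - self.highest
            mask = (1 << self.size) - 1
            self.seen = ((self.seen << shift) | 1) & mask
            self.highest = pid
            return True
        lag = self.highest - pid
        if lag >= self.size:
            return False                      # too old: fell out of the window
        if self.seen & (1 << lag):
            return False                      # duplicate: a true replay
        self.seen |= 1 << lag                 # late but unseen: reordering, fine
        return True


def rejected_ids(sequence, window_size=REPLAY_WINDOW):
    """Feed received packet IDs through one ReplayWindow and return the IDs
    that would be logged as 'bad packet ID (may be a replay)'."""
    win = ReplayWindow(size=window_size)
    return [pid for pid in sequence if not win.accept(pid)]


# Constructed packet-ID sequences for illustration (not from the poster's logs).
SCENARIOS = {
    # UDP reorders a few packets; all land inside the window, nothing is logged.
    "mild_reordering": [1, 2, 4, 3, 6, 5, 7],
    # The same datagram arrives twice: the second copy is a replay.
    "duplicate": [1, 2, 3, 3, 4],
    # 137 lags the newest ID (200) by 63 and is accepted; 136 lags by 64 and is not.
    "stale_packet": [200, 199, 137, 136],
    # Peer's counter is far behind the receiver's high-water mark (the two sides
    # out of sync): every packet is rejected, so the same warning floods the log
    # while no traffic gets through.
    "counter_behind": [5000] + list(range(1, 11)),
}


def run_scenarios():
    """Map scenario name -> list of rejected packet IDs."""
    return {name: rejected_ids(seq) for name, seq in SCENARIOS.items()}


if __name__ == "__main__":
    for name, bad in run_scenarios().items():
        print(f"{name:16s} rejected: {bad}")
```

The `counter_behind` scenario is the one worth keeping in mind when reading a flood of identical warnings: once a sender's IDs fall behind the receiver's window, nothing it sends is accepted until the session is torn down and re-established, which matches a client that stays unreachable until the ping timer fires. `--mute-replay-warnings` only silences the log line; it does not change which packets are dropped.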