Posted: Sun Aug 14, 2022 5:12 Post subject: [SOLVED] OpenVPN succeeds on Android fails on Win11
I am using the OpenVPN Connect app on both Android and Windows 11 with the same profile.
It works fine on Android but fails to connect on Windows.
On Android: OpenVPN Connect 3.3.0
On Win11: OpenVPN Connect 3.3.6
I don't think it's a firewall issue, since the problem persists even when Windows firewall is turned off.
The dd-wrt log shows:
Code:
Aug 14 00:25:30 myrouter daemon.notice openvpn[1225]: 192.168.1.2:57215 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Aug 14 00:25:30 myrouter daemon.notice openvpn[1225]: 192.168.1.2:57215 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Aug 14 00:25:30 myrouter daemon.notice openvpn[1225]: 192.168.1.2:57215 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Aug 14 00:25:30 myrouter daemon.notice openvpn[1225]: 192.168.1.2:57215 NOTE: --mute triggered...
Aug 14 00:25:30 myrouter daemon.notice openvpn[1225]: 192.168.1.2:57215 1 variation(s) on previous 3 message(s) suppressed by --mute
Aug 14 00:25:30 myrouter daemon.warn openvpn[1225]: 192.168.1.2:57215 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Aug 14 00:25:30 myrouter daemon.notice openvpn[1225]: 192.168.1.2:57215 TLS: Initial packet from [AF_INET]192.168.1.2:57215, sid=dec08bfe 356809ba
Aug 14 00:25:31 myrouter daemon.err openvpn[1225]: 192.168.1.2:57215 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1660451130) 2022-08-14 00:25:30 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warn
Aug 14 00:25:31 myrouter daemon.err openvpn[1225]: 192.168.1.2:57215 tls-crypt unwrap error: packet replay
Aug 14 00:25:31 myrouter daemon.err openvpn[1225]: 192.168.1.2:57215 TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.1.2:57215
Aug 14 00:25:32 myrouter daemon.err openvpn[1225]: 192.168.1.2:57215 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1660451130) 2022-08-14 00:25:30 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warn
Aug 14 00:25:32 myrouter daemon.err openvpn[1225]: 192.168.1.2:57215 tls-crypt unwrap error: packet replay
Aug 14 00:25:32 myrouter daemon.err openvpn[1225]: 192.168.1.2:57215 TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.1.2:57215
...
[Aug 14, 2022, 24:42:23] Connecting to [kosowsky.us]:1194 (146.115.145.129) via UDPv4
[Aug 14, 2022, 24:42:33] Server poll timeout, trying next remote entry...
If I remove the tls key from both client and server, I get the following error on the dd-wrt server:
Code:
20220814 01:00:02 192.168.1.170:41922 TLS: Initial packet from [AF_INET]192.168.1.170:41922 sid=790490bf 73125d5c
20220814 01:00:02 N 192.168.1.170:45054 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20220814 01:00:02 N 192.168.1.170:45054 TLS Error: TLS handshake failed
20220814 01:00:02 192.168.1.170:45054 SIGUSR1[soft tls-error] received client-instance restarting
20220814 01:00:02 W 192.168.1.2:61016 WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)
My profile is:
Code:
client
dev tun
proto udp4
remote mydomain.com 1194
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4 #Verbosity
float
tun-mtu 1400 #Lowered default can be commented to let OpenVPN decide
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC
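As an added example (not from the post, dd-wrt or OpenVPN), a small Python triage script for the server-side syslog lines quoted in the post: it groups OpenVPN messages per client instance, tells the tls-crypt "bad packet ID / packet replay" pattern apart from a plain handshake timeout, and notes whether the source is an RFC1918 address, i.e. a client on the LAN side. The sample log is constructed from the lines above; the 203.0.113.7 peer is invented to show the second failure mode.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the syslog format of the dd-wrt server log (203.0.113.7 is invented).
SAMPLE_LOG = """\
Aug 14 00:25:30 myrouter daemon.notice openvpn[1225]: 192.168.1.2:57215 TLS: Initial packet from [AF_INET]192.168.1.2:57215, sid=dec08bfe 356809ba
Aug 14 00:25:31 myrouter daemon.err openvpn[1225]: 192.168.1.2:57215 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1660451130) 2022-08-14 00:25:30 ]
Aug 14 00:25:31 myrouter daemon.err openvpn[1225]: 192.168.1.2:57215 tls-crypt unwrap error: packet replay
Aug 14 00:25:31 myrouter daemon.err openvpn[1225]: 192.168.1.2:57215 TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.1.2:57215
Aug 14 00:25:32 myrouter daemon.err openvpn[1225]: 192.168.1.2:57215 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1660451130) 2022-08-14 00:25:30 ]
Aug 14 00:26:40 myrouter daemon.err openvpn[1225]: 203.0.113.7:41922 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ daemon\.(?P<sev>\w+) openvpn\[\d+\]: "
    r"(?P<peer>[\d.]+:\d+) (?P<msg>.*)$"
)
REPLAY_RE = re.compile(r"bad packet ID \(may be a replay\): \[ #(?P<pid>\d+) /")
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_log(text):
    """Split syslog lines into (timestamp, severity, peer, message) tuples; skip the rest."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m["ts"], m["sev"], m["peer"], m["msg"]))
    return out

def triage(text):
    """Per client instance (ip:port): why the TLS handshake did not complete and where it came from."""
    state = defaultdict(lambda: {"replayed_ids": set(), "timeout": False})
    for _ts, _sev, peer, msg in parse_log(text):
        if m := REPLAY_RE.search(msg):
            state[peer]["replayed_ids"].add(int(m["pid"]))
        elif "TLS key negotiation failed to occur" in msg:
            state[peer]["timeout"] = True
    verdicts = {}
    for peer, st in state.items():
        if st["replayed_ids"]:
            # The same control-channel packet ID arrived again: tls-crypt's replay window
            # rejects the copy, so the handshake never gets past the duplicated packet.
            kind = "duplicate control packets"
        else:
            kind = "handshake timeout"
        # RFC1918 source: the client sat inside the LAN, the "testing from inside" case.
        ip = ipaddress.ip_address(peer.rsplit(":", 1)[0])
        from_lan = any(ip in net for net in LAN_NETS)
        verdicts[peer] = {"kind": kind, "replayed_ids": sorted(st["replayed_ids"]), "from_lan": from_lan}
    return verdicts
```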
VPN server/client is used from outside your WAN to reach your LAN.
_________________
Netgear R7800 PPPoE Main Router
Network IPV4 - Isolated Vlan's with IoT Devices. Unifi AC-Pro x 3 AP's, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Client's. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.
No one can build you the bridge on which you, and only you, must cross the river of life!
A lot of answers (also of your earlier postings) can be found in the guides,
I actually did read through 4 documents:
DDWRT OpenVPN Server Setup guide v24
DDWRT VPN troubleshooting guide v44
DDWRT OpenVPN Client setup guide v18
DDWRT VPN and DNS 1.2
Quote:
sometimes it helps reading them
And sometimes reading (and following) the documents *causes* the very problems in the post
Specifically, I followed the recommendation in the DDWRT OpenVPN Server Setup guide v24 (see circled below) and that ended up being WRONG and one of the cited possible CAUSES of the problem in my first posting. (And the second issue was due to the fact that it was highly not obvious that setting compression to disabled is NOT the same as setting it to None.) Of course, it all makes sense in retrospect, but not to a new user.
Quote:
First item in the troubleshooting guide see attachment
When you test from inside you have a routing problem: the control channel establishing the connection uses the WAN, but there is also an internal route directly to the server.
Yes. I know (and read) that "you cannot test from inside the network". But I was on the guest network which by design and by firewall rules is isolated from the server which sits on the primary LAN. So, that's why even AFTER reading the guides, I was surprised that I couldn't access the VPN running on my LAN from the isolated Guest Network which I would think was *OUTSIDE* my LAN.
So I still would like to know why the VPN doesn't see the guest network as a separate (i.e. OUTSIDE) network?
Guest network is still within your LAN.