Posted: Wed Oct 14, 2020 13:31 Post subject: VPN Dropping Connections
Hi
I am new to VPN and DD-WRT. I followed a string of URLs to this final one, which to my eye looks to be relevant to me; I just want to confirm that what I am doing is correct. Maybe this will help someone in the future.
So I have a VPN which has connection drop-outs every few minutes. This could be the broadband, but I never get problems streaming music or TV.
I use a Linksys WRT1900ACS. The VPN is fully operational as OpenVPN, but the connection drops, a lot. I have it set up with DigitalOcean privately. Log is below.
Code:
Clientlog:
19700101 01:00:37 I TCP/UDP: Preserving recently used remote address: [AF_INET]134.209.190.50:1194
19700101 01:00:37 Socket Buffers: R=[180224->180224] S=[180224->180224]
19700101 01:00:37 I UDPv4 link local: (not bound)
19700101 01:00:37 I UDPv4 link remote: [AF_INET]134.209.190.50:1194
19700101 01:00:37 TLS: Initial packet from [AF_INET]134.209.190.50:1194 sid=b05a41e4 a744564a
19700101 01:00:37 N VERIFY ERROR: depth=1 error=certificate is not yet valid: CN=vpn.gethosted.online
19700101 01:00:37 N OpenSSL: error:1416F086:lib(20):func(367):reason(134)
19700101 01:00:37 N TLS_ERROR: BIO read tls_read_plaintext error
19700101 01:00:37 NOTE: --mute triggered...
19700101 01:00:37 2 variation(s) on previous 3 message(s) suppressed by --mute
19700101 01:00:37 I SIGUSR1[soft tls-error] received process restarting
19700101 01:00:37 Restart pause 5 second(s)
20201012 16:51:07 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20201012 16:51:07 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20201012 16:51:07 I TCP/UDP: Preserving recently used remote address: [AF_INET]134.209.190.50:1194
20201012 16:51:07 Socket Buffers: R=[180224->180224] S=[180224->180224]
20201012 16:51:07 I UDPv4 link local: (not bound)
20201012 16:51:07 I UDPv4 link remote: [AF_INET]134.209.190.50:1194
20201012 16:51:07 TLS: Initial packet from [AF_INET]134.209.190.50:1194 sid=47c70992 462f5da3
20201012 16:51:07 VERIFY OK: depth=1 CN=vpn.gethosted.online
20201012 16:51:07 VERIFY OK: depth=0 CN=vpn.gethosted.online
20201012 16:51:07 NOTE: --mute triggered...
20201012 16:51:07 1 variation(s) on previous 3 message(s) suppressed by --mute
20201012 16:51:07 I [vpn.gethosted.online] Peer Connection Initiated with [AF_INET]134.209.190.50:1194
20201012 16:51:08 SENT CONTROL [vpn.gethosted.online]: 'PUSH_REQUEST' (status=1)
20201012 16:51:08 PUSH: Received control message: 'PUSH_REPLY route-gateway 10.8.0.1 topology subnet ping 10 ping-restart 120 ifconfig 10.8.0.4 255.255.255.0 peer-id 1 cipher AES-256-GCM'
20201012 16:51:08 OPTIONS IMPORT: timers and/or timeouts modified
20201012 16:51:08 NOTE: --mute triggered...
20201012 16:51:08 5 variation(s) on previous 3 message(s) suppressed by --mute
20201012 16:51:08 Data Channel: using negotiated cipher 'AES-256-GCM'
20201012 16:51:08 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20201012 16:51:08 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20201012 16:51:08 I TUN/TAP device tun1 opened
20201012 16:51:08 TUN/TAP TX queue length set to 100
20201012 16:51:08 I /sbin/ifconfig tun1 10.8.0.4 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
20201012 16:51:08 /sbin/route add -net 134.209.190.50 netmask 255.255.255.255 gw 192.168.2.1
20201012 16:51:08 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20201012 16:51:08 I Initialization Sequence Completed
20201012 17:51:06 VERIFY OK: depth=1 CN=vpn.gethosted.online
20201012 17:51:06 VERIFY OK: depth=0 CN=vpn.gethosted.online
20201012 17:51:07 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20201012 17:51:07 NOTE: --mute triggered...
20201012 20:12:03 13 variation(s) on previous 3 message(s) suppressed by --mute
20201012 20:12:03 N AEAD Decrypt error: bad packet ID (may be a replay): [ #443068 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201012 20:12:03 N AEAD Decrypt error: bad packet ID (may be a replay): [ #443069 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201012 20:12:03 N AEAD Decrypt error: bad packet ID (may be a replay): [ #443070 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201012 20:12:03 NOTE: --mute triggered...
20201012 20:51:06 3 variation(s) on previous 3 message(s) suppressed by --mute
20201012 20:51:06 TLS: tls_process: killed expiring key
20201012 20:51:06 VERIFY OK: depth=1 CN=vpn.gethosted.online
20201012 20:51:06 VERIFY OK: depth=0 CN=vpn.gethosted.online
20201012 20:51:07 NOTE: --mute triggered...
20201012 20:58:50 3 variation(s) on previous 3 message(s) suppressed by --mute
20201012 20:58:50 N AEAD Decrypt error: bad packet ID (may be a replay): [ #167006 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201012 21:51:06 TLS: tls_process: killed expiring key
20201012 21:51:06 VERIFY OK: depth=1 CN=vpn.gethosted.online
20201012 21:51:06 VERIFY OK: depth=0 CN=vpn.gethosted.online
20201012 21:51:07 NOTE: --mute triggered...
20201014 15:50:12 238 variation(s) on previous 3 message(s) suppressed by --mute
20201014 15:50:12 N AEAD Decrypt error: bad packet ID (may be a replay): [ #793544 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201014 15:50:12 N AEAD Decrypt error: bad packet ID (may be a replay): [ #793545 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201014 15:50:12 N AEAD Decrypt error: bad packet ID (may be a replay): [ #793546 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201014 15:50:12 NOTE: --mute triggered...
20201014 15:51:42 16 variation(s) on previous 3 message(s) suppressed by --mute
20201014 15:51:42 VERIFY OK: depth=1 CN=vpn.gethosted.online
20201014 15:51:42 VERIFY OK: depth=0 CN=vpn.gethosted.online
20201014 15:51:42 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20201014 15:51:42 NOTE: --mute triggered...
20201014 15:52:04 2 variation(s) on previous 3 message(s) suppressed by --mute
20201014 15:52:04 N AEAD Decrypt error: bad packet ID (may be a replay): [ #1176406 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201014 15:52:04 N AEAD Decrypt error: bad packet ID (may be a replay): [ #1176407 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201014 15:52:04 N AEAD Decrypt error: bad packet ID (may be a replay): [ #1176408 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201014 15:52:04 NOTE: --mute triggered...
20201014 16:51:42 1822 variation(s) on previous 3 message(s) suppressed by --mute
20201014 16:51:42 VERIFY OK: depth=1 CN=vpn.gethosted.online
20201014 16:51:42 VERIFY OK: depth=0 CN=vpn.gethosted.online
20201014 16:51:42 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20201014 16:51:42 NOTE: --mute triggered...
20201014 16:57:44 2 variation(s) on previous 3 message(s) suppressed by --mute
20201014 16:57:44 N AEAD Decrypt error: bad packet ID (may be a replay): [ #595735 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201014 16:57:44 N AEAD Decrypt error: bad packet ID (may be a replay): [ #595736 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201014 17:51:42 TLS: soft reset sec=0 bytes=3815823151/-1 pkts=4524914/0
20201014 17:51:42 VERIFY OK: depth=1 CN=vpn.gethosted.online
20201014 17:51:42 VERIFY OK: depth=0 CN=vpn.gethosted.online
20201014 17:51:42 NOTE: --mute triggered...
20201014 18:49:27 3 variation(s) on previous 3 message(s) suppressed by --mute
20201014 18:49:27 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201014 18:49:27 D MANAGEMENT: CMD 'state'
20201014 18:49:27 MANAGEMENT: Client disconnected
20201014 18:49:27 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201014 18:49:27 D MANAGEMENT: CMD 'state'
20201014 18:49:27 MANAGEMENT: Client disconnected
20201014 18:49:27 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201014 18:49:27 D MANAGEMENT: CMD 'state'
20201014 18:49:27 MANAGEMENT: Client disconnected
20201014 18:49:27 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201014 18:49:27 D MANAGEMENT: CMD 'status 2'
20201014 18:49:27 MANAGEMENT: Client disconnected
20201014 18:49:27 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201014 18:49:27 D MANAGEMENT: CMD 'log 500'
19700101 01:00:00
So I now have ddwrt-vpn-pbr-watchdog-05.sh running on my router, via "sh /tmp/root/watchdog.sh &", but connection drops are still occurring. Can anybody help?
So where do I start diagnosing? The watchdog script could have worked, but when I left the computer on overnight it disconnected, so not a good start. Hopefully there is some way to see more logs?
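A way to answer the "where do I start diagnosing" question from the log already posted. This is an added example, not code from the original post, DD-WRT or OpenVPN. SAMPLE_LOG is a trimmed copy of lines from the log above; the triage rules, the 100-error threshold, and the reading that the 1970-dated "certificate is not yet valid" rejections come from the client starting before the router clock was set are the editor's own assumptions.

```python
"""Triage of the OpenVPN client log posted above.

Added example, not code from the original post, DD-WRT or OpenVPN.
SAMPLE_LOG is a trimmed copy of lines from the post; the triage rules and the
advice strings are the editor's own reading of those lines.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
19700101 01:00:37 N VERIFY ERROR: depth=1 error=certificate is not yet valid: CN=vpn.gethosted.online
19700101 01:00:37 I SIGUSR1[soft tls-error] received process restarting
20201012 16:51:07 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20201012 16:51:08 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20201012 16:51:08 I Initialization Sequence Completed
20201012 20:51:06 TLS: tls_process: killed expiring key
20201012 21:51:06 TLS: tls_process: killed expiring key
20201014 15:52:04 N AEAD Decrypt error: bad packet ID (may be a replay): [ #1176406 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201014 15:52:04 N AEAD Decrypt error: bad packet ID (may be a replay): [ #1176407 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
20201014 15:52:04 NOTE: --mute triggered...
20201014 16:51:42 1822 variation(s) on previous 3 message(s) suppressed by --mute
"""

# "YYYYMMDD HH:MM:SS", an optional one-letter flag (I/N/W/D), then the message.
LINE_RE = re.compile(r"^(\d{8} \d{2}:\d{2}:\d{2}) (?:([A-Z]) )?(.*)$")
MUTE_RE = re.compile(r"^(\d+) variation\(s\) on previous \d+ message\(s\) suppressed by --mute")


def parse(log_text):
    """Yield (timestamp, flag, message); lines that do not fit the format are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield datetime.strptime(m.group(1), "%Y%m%d %H:%M:%S"), m.group(2), m.group(3)


def triage(log_text):
    """Count the events that matter for a dropping tunnel."""
    f = {
        "clock_unset_cert_rejects": 0,  # cert 'not yet valid' while the clock still read 1970
        "restarts": 0,                  # SIGUSR1 soft restarts
        "replay_errors_seen": 0,        # AEAD 'bad packet ID' lines actually printed
        "replay_errors_suppressed": 0,  # the same, hidden behind --mute (attributed to the last kind seen)
        "reneg_times": [],              # TLS key renegotiations
        "no_server_cert_check": False,  # the MITM warning from the log
        "password_cache_warning": False,
    }
    last_kind = None
    for ts, _flag, msg in parse(log_text):
        if "certificate is not yet valid" in msg:
            if ts.year < 2000:
                f["clock_unset_cert_rejects"] += 1
            last_kind = "cert"
        elif "AEAD Decrypt error: bad packet ID" in msg:
            f["replay_errors_seen"] += 1
            last_kind = "replay"
        elif "killed expiring key" in msg or msg.startswith("TLS: soft reset"):
            f["reneg_times"].append(ts)
            last_kind = "reneg"
        elif "No server certificate verification method" in msg:
            f["no_server_cert_check"] = True
        elif "may cache passwords in memory" in msg:
            f["password_cache_warning"] = True
        elif "process restarting" in msg:
            f["restarts"] += 1
        else:
            m = MUTE_RE.match(msg)
            if m and last_kind == "replay":
                f["replay_errors_suppressed"] += int(m.group(1))
    return f


def reneg_intervals(times):
    """Seconds between consecutive renegotiations (3600 = OpenVPN's default reneg-sec)."""
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def advise(f):
    """Turn the counts into the checks a practitioner would do next (editor's rules)."""
    out = []
    if f["clock_unset_cert_rejects"]:
        out.append("client started before the router clock was set (1970 timestamps): "
                   "certificate validity cannot be checked until NTP has synced")
    if f["no_server_cert_check"]:
        out.append("add 'remote-cert-tls server' so the client verifies it is talking to a server certificate")
    if f["password_cache_warning"]:
        out.append("add 'auth-nocache' as the log itself suggests")
    total = f["replay_errors_seen"] + f["replay_errors_suppressed"]
    if total > 100:  # assumed threshold for illustration
        out.append(f"{total} replay/bad-packet-ID errors: look for packet loss or an MTU problem before touching replay settings")
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result, reneg_intervals(result["reneg_times"]), sep="\n")
    for line in advise(result):
        print("-", line)
```

The point of counting the "suppressed by --mute" lines is that the three visible AEAD errors in the post stand in for thousands; the raw count is what tells you whether the replay warnings are an occasional UDP hiccup or a sustained packet-loss/MTU problem. The hourly spacing of the "killed expiring key" lines is the default one-hour renegotiation, which is worth knowing when you line the drops up against the clock.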
Joined: 18 Mar 2014 Posts: 12884 Location: Netherlands
Posted: Thu Oct 15, 2020 16:29 Post subject:
I saw two problems: an occasional AEAD decrypt error, which if not too many does not hurt, and a problem when renegotiating the session key.
Regarding the AEAD decrypt error (this is from the OpenVPN server troubleshooting guide):
Code:
When you receive this error it has to do with using the new GCM ciphers (AES-128-GCM is the one advised). Be sure that both client and server use the new ciphers (only available starting with OpenVPN 2.4). Depending on setup, add the following to the Additional Config or configuration file of the client:
ncp-disable
If your setup is OK and you still are seeing this error, then an occasional warning should not pose a problem; it happens when using UDP and packets are lost or mangled and resent under way.
Otherwise it could signify an MTU problem, so see the MTU size Problems section, or another network problem.
It happens only when using UDP so consider using TCP or use the old cipher: AES-256-CBC.
The renegotiating problem is strange, but it happens, and some providers want you to stop renegotiating (which is a bit of a security problem).
As a test you can add to the additional config:
Code:
reneg-sec 0
The default is 3600 (one hour).
If this is the problem, consider setting it to one day and rebooting the router in off hours (it will renegotiate after 24 hours).
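The reply above trades security for stability in two places (ncp-disable pinning an older cipher, and reneg-sec 0 switching key renegotiation off for the test). A small linter for a DD-WRT "Additional Config" makes those trade-offs visible before they are left in place. This is an added example, not code from the thread, DD-WRT or OpenVPN; the two config snippets are constructed for illustration, the option names are standard OpenVPN 2.4 options, and the severity levels are the editor's judgment.

```python
"""Lint an OpenVPN client "Additional Config" for the trade-offs discussed above.

Added example, not from the original thread, DD-WRT or OpenVPN. The two config
snippets are constructed; severities are the editor's own rules.
"""

# Constructed: the reply's quick test, with every stability knob turned at once.
TEST_CONFIG = """\
reneg-sec 0
ncp-disable
cipher AES-256-CBC
mute-replay-warnings
"""

# Constructed: keeps renegotiation (once a day, as the reply suggests) and adds
# the two options the client log was warning about.
SAFER_CONFIG = """\
reneg-sec 86400
remote-cert-tls server
auth-nocache
mute-replay-warnings
"""


def parse_options(text):
    """Map option name -> list of argument lists; '#' and ';' start comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        opts.setdefault(name, []).append(args)
    return opts


def lint(text):
    """Return (severity, message) findings, in the order the checks run."""
    opts = parse_options(text)
    findings = []
    for args in opts.get("reneg-sec", []):
        if args and args[0] == "0":
            findings.append(("high", "reneg-sec 0: the data-channel key is never rotated for the "
                                     "life of the tunnel; use a bounded value such as 86400"))
    if "no-replay" in opts:
        findings.append(("high", "no-replay: replay protection disabled; fix the loss/MTU cause "
                                 "or widen replay-window instead"))
    if "ncp-disable" in opts:
        cipher = opts.get("cipher", [[]])[0]
        name = cipher[0] if cipher else "(default)"
        findings.append(("medium", f"ncp-disable pins cipher {name}; a CBC cipher gives up the "
                                   "AEAD (GCM) data channel the server pushed"))
    if "remote-cert-tls" not in opts:
        findings.append(("medium", "no 'remote-cert-tls server': the client does not check that the "
                                   "peer certificate is a server certificate (the MITM warning)"))
    if "auth-nocache" not in opts:
        findings.append(("low", "no auth-nocache: credentials may stay cached in memory "
                                "(the 'may cache passwords' warning)"))
    return findings


def worst(findings):
    """Highest severity as a number: 3 high, 2 medium, 1 low, 0 clean."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((order[s] for s, _ in findings), default=0)


if __name__ == "__main__":
    for label, cfg in (("test", TEST_CONFIG), ("safer", SAFER_CONFIG)):
        print(label, worst(lint(cfg)))
        for sev, msg in lint(cfg):
            print(f"  [{sev}] {msg}")
```

Running it on the two snippets shows why "reneg-sec 0" should stay a diagnostic step: if the drops stop with renegotiation disabled, the fix is a longer bounded interval, not leaving a single session key in use indefinitely.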
This is the sort of thing that could be the problem. Anyway, in the meantime I need my VPN working; after trying to flash the router I have been unable to connect.
I am getting:
Code:
20201016 00:02:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201016 00:02:24 D MANAGEMENT: CMD 'state'
20201016 00:02:24 MANAGEMENT: Client disconnected
20201016 00:02:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201016 00:02:24 D MANAGEMENT: CMD 'state'
20201016 00:02:24 MANAGEMENT: Client disconnected
20201016 00:02:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201016 00:02:24 D MANAGEMENT: CMD 'state'
20201016 00:02:24 MANAGEMENT: Client disconnected
20201016 00:02:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201016 00:02:24 D MANAGEMENT: CMD 'status 2'
20201016 00:02:24 MANAGEMENT: Client disconnected
20201016 00:02:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20201016 00:02:24 D MANAGEMENT: CMD 'log 500'
and so on. This can be the entire log screen if I keep at it.
Any advice appreciated. Thanks for your contribution.