Netgate Discussion Forum
Errors with OpenVPN, CRL, AEAD

• skogs @Logical-Big7835

      @Logical-Big7835
      I'd start by reducing the MTU. Each time you wrap something in a tunnel one needs to reduce the MTU appropriately else each step along the way it will fragment.

      Just for giggles (plain side) reduce to something ridiculous like 1000 and see if it still tags this error.

      Increase up until you see errors due to fragmentation.

      A professional would simply do the math. I'm a dope though and I like to try things.

• A Former User @skogs

        @skogs
        I experimented with settings in vpn field (VPN>OpenVPN>Clients>Edit), nothing helped.
        Now it is:
        tun-mtu 1470;
        tun-mtu-extra 32;
        mssfix 1430;
        reneg-sec 0;
        remote-cert-tls server;

but still the same errors. Do I need these additional settings at all?

I have ISP modem in bridge mode > Protectli 4Wc with pfSense installed > router with default settings just for WiFi (in the Asus router the WAN MTU is 1500).

I tried ping
ping -D -v -s 1500 -c 1 www.example.com and 1472 was the largest size that worked with ping. Anyway it didn't help with the errors.

PS: am I exposing my IP during the errors in the first message? Looks like pfSense reconnects to the VPN in the same second.

Guys, if you're writing to do something, please tell me where it is located in pfSense.

        THANK YOU

• stephenw10 Netgate Administrator

          Is this just a temporary error during re-connections? It does reconnect?

• Antibiotic @Logical-Big7835

@Logical-Big7835 said in Errors with OpenVPN, CRL, AEAD:

            --mute-replay-warnings

The answer is in the log: set this in the advanced options and the message will disappear. You can try WireGuard as well instead of OpenVPN, if of course you haven't fallen in love with OpenVPN. If you're using UDP, retransmissions are common.

            pfSense plus 24.11 on Topton mini PC
            CPU: Intel N100
            NIC: Intel i-226v 4 pcs
            RAM : 16 GB DDR5
            Disk: 128 GB NVMe
            Brgds, Archi

• Antibiotic @Logical-Big7835

@Logical-Big7835 said in Errors with OpenVPN, CRL, AEAD:

              . During this hardening

Can you please tell how you do the hardening?


• Antibiotic @Logical-Big7835

@Logical-Big7835 said in Errors with OpenVPN, CRL, AEAD:

                AEAD Decrypt error: bad packet ID

                Generally, you can ignore this message, if it only happens once in a while.

                If you get a lot of problems with it then it usually indicates some network problem.
                You can use --replay-window to adjust OpenVPN replay protection.


• A Former User @stephenw10

@stephenw10
It is happening all day and night.
This error, AEAD Decrypt error: bad packet ID (may be a replay), appears 200 times a minute, with pauses of 20-100 minutes.

                  This error:
                  Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=node-us-155.protonvpn.net
                  Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=1, unable to get certificate CRL: C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
                  Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=2, unable to get certificate CRL: C=CH, O=Proton Technologies AG, OU=ProtonVPN, CN=ProtonVPN Root CA

every 40-100 minutes. But as I see it, it fails to verify and then verifies in the same second.
It does reconnect and I use the internet without issues and always with the VPN's IP address.

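An added triage script for the two symptoms described in the post above (written for this page, not code from the thread, pfSense or OpenVPN): it runs over a constructed log sample in the same format, counts AEAD replay warnings per minute so bursts like the 200-per-minute episodes stand out, and pairs each CRL warning with the VERIFY OK at the same depth to tell transient warnings (resolved within a few seconds) from ones that never resolve. The year, the VERIFY OK lines and the threshold values are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the pfSense OpenVPN log format quoted in the thread (not a real capture).
SAMPLE_LOG = """\
Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=1, unable to get certificate CRL: C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=node-us-155.protonvpn.net
Nov 28 01:46:32 openvpn 22437 VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Nov 28 01:46:32 openvpn 22437 VERIFY OK: depth=0, CN=node-us-155.protonvpn.net
Nov 28 02:10:05 openvpn 22437 AEAD Decrypt error: bad packet ID (may be a replay): [ #3101 ]
Nov 28 02:10:05 openvpn 22437 AEAD Decrypt error: bad packet ID (may be a replay): [ #3102 ]
Nov 28 02:10:07 openvpn 22437 AEAD Decrypt error: bad packet ID (may be a replay): [ #3103 ]
Nov 28 03:30:00 openvpn 22437 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=node-us-155.protonvpn.net
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) openvpn \d+ (.*)$")
CRL_RE = re.compile(r"VERIFY WARNING: depth=(\d+), unable to get certificate CRL")
OK_RE = re.compile(r"VERIFY OK: depth=(\d+)")
REPLAY_MARK = "AEAD Decrypt error: bad packet ID"

def parse(log, year=2024):
    """Yield (timestamp, message) for each syslog-style line; the year is assumed."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def triage(log, burst_per_minute=100, grace_seconds=5):
    """Count replay warnings per minute; pair CRL warnings with the VERIFY OK at the same depth."""
    replay_per_minute = Counter()
    pending, transient, unresolved = {}, 0, 0
    for ts, msg in parse(log):
        if REPLAY_MARK in msg:
            replay_per_minute[ts.replace(second=0)] += 1
        elif m := CRL_RE.search(msg):
            pending[m.group(1)] = ts            # wait for a VERIFY OK at this depth
        elif (m := OK_RE.search(msg)) and m.group(1) in pending:
            started = pending.pop(m.group(1))
            if (ts - started).total_seconds() <= grace_seconds:
                transient += 1                  # resolved in the same handshake
            else:
                unresolved += 1
    unresolved += len(pending)                  # warnings never followed by a VERIFY OK
    return {
        "replay_total": sum(replay_per_minute.values()),
        "replay_bursts": sorted(m for m, n in replay_per_minute.items() if n >= burst_per_minute),
        "crl_transient": transient,
        "crl_unresolved": unresolved,
    }
```

A non-zero crl_unresolved count, or bursts that coincide with reconnects, is what would justify looking further; transient CRL warnings and occasional replay warnings on UDP are the noise the replies describe.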
• A Former User @Antibiotic

                    @Antibiotic
Thank you. I'd prefer to stay on OpenVPN because it is well known and without any vulnerabilities. Yes, I am using UDP. Is this error not an error at all? If I set --mute-replay-warnings it will mute the error but it will not solve it? Also can you tell me something about my first error, which is

                    Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=node-us-155.protonvpn.net
                    Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=1, unable to get certificate CRL: C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
                    Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=2, unable to get certificate CRL: C=CH, O=Proton Technologies AG, OU=ProtonVPN, CN=ProtonVPN Root CA

Do I need to worry about that?

• A Former User @Antibiotic

                      @Antibiotic
Hardening: VPN, NextDNS, adjusting the network to work only with the VPN, setting up pfBlockerNG with DNSBL and IP lists.
It is happening pretty often, if we are talking about the AEAD Decrypt error: every 20-100 minutes, I don't know what it depends on. I can sleep and not use the internet and the error will still exist, or I can use the internet during the day and the error will also appear.

• A Former User @Antibiotic

                        @Antibiotic
What kind of network problem? How can I identify and solve it? AEAD decrypt error almost every hour. Do you know what is happening under the hood during this error?

• skogs @Guest

                          @Log1cal-Big7935 Certificate Revocation List download errors are pretty meaningless. The system is downloading a list of revoked certs, so that it can cut connection if the other end gets revoked for some reason. Sometimes the list itself is very large and doesn't download fast enough to be considered valid. Eventually it does download, that's when the error disappears. See this all the time with large active directory environments on VPN connection.

• Antibiotic @Guest

@Log1cal-Big7935 please check these settings for Proton carefully, I think something is incorrect somewhere
                            Cryptographic Settings

                            Use a TLS Key: Checked
                            Automatically generate a TLS Key: Unchecked
                            TLS Key: Paste in the OpenVPN Static key from the OpenVPN configuration file (see Step 1)
                            TLS Key Usage Mode: TLS Encryption and Authentication
                            TLS keydir direction: Use default direction
                            Peer Certificate Authority: Proton AG (or the descriptive name you used in Step 2)
                            Peer Certificate Revocation List: Leave unchanged
                            Client Certificate: None (Username and/or Password required)
                            Data Encryption Negotiation: Checked
                            Data Encryption Algorithms: AES-256-GCM, CHACHA20-POLY1305
                            Fallback Data Encryption Algorithm: AES-256-GCM
                            Auth digest algorithm: SHA256 (256-bit)
                            Hardware Crypto: Whether this is supported depends on your device. If it is supported, it must first be enabled by going to System → Advanced → Miscellaneous. If in doubt, select No hardware crypto acceleration.
                            Server Certificate Key Usage Validation: Checked


• Antibiotic @Guest

                              @Log1cal-Big7935 A "replay attack" is when the same packet arrives more than once, also packets which arrive "out of order" .. and a few other scenarios ..

                              This is common when using proto UDP, which is the nature of UDP and why UDP is faster than TCP in the context of the VPN protocol.

                              Generally, this happens most when your VPN connection is maxing out your line speed and can be ignored.


• A Former User @skogs

@skogs That means my 2 errors (AEAD and 22437 VERIFY WARNING) are not dangerous? Everything works fine, I just noticed these errors and thought that they could expose my IP. If I leave it as it is, is there nothing wrong with my network?

• A Former User @Antibiotic

@Antibiotic absolutely these settings. As far as I understood, even if I leave this as it is now, there is nothing dangerous for my network? Do I need to do something to prevent an IP leak, or am I good even with these errors?
PS thank you for your answers

• stephenw10 Netgate Administrator

                                    Probably not if it does reconnect OK.

• Antibiotic @Guest

                                      @Log1cal-Big7935 just mute them


                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.