Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Errors with OpoenVPN, CRL, AEAD

    Scheduled Pinned Locked Moved General pfSense Questions
    18 Posts 5 Posters 1.5k Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ? Offline
      A Former User @stephenw10
      last edited by

      @stephenw10
      It is happening all day and night.
      This error AEAD Decrypt error: bad packet ID (may be a replay): 200 times in minute with pause 20-100 minutes.

      This error:
      Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=node-us-155.protonvpn.net
      Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=1, unable to get certificate CRL: C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
      Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=2, unable to get certificate CRL: C=CH, O=Proton Technologies AG, OU=ProtonVPN, CN=ProtonVPN Root CA
      every every 40-100 minutes. But as I see it fails to verify and than verify in the same second.
      It does reconnect and I use internet without issues and always with VPN`s IP address.

      1 Reply Last reply Reply Quote 1
      • ? Offline
        A Former User @Antibiotic
        last edited by

        @Antibiotic
        Thank you. I`d prefer to stay on OpenVPN because it is well known and without any vulnarabilities. Yes I am using UDP. Is this error is not error at all? If I set --mute-replay-warnings it will mute error but it will not solve it? Also can you tell something about my first error which is

        Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=node-us-155.protonvpn.net
        Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=1, unable to get certificate CRL: C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
        Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=2, unable to get certificate CRL: C=CH, O=Proton Technologies AG, OU=ProtonVPN, CN=ProtonVPN Root CA
        Do i need to worry about that?

        S A 2 Replies Last reply Reply Quote 0
        • ? Offline
          A Former User @Antibiotic
          last edited by

          @Antibiotic
          Hardening: VPN, NextDNC, adjust network to work only with VPN, set up pfblockerng with DNSBL and IP lists.
          It is happening pretty often, if we are talking about AEAD Decrypt error: every 20-100 minutes, I dont know it depends on what. I can sleep and do not use internet and error will still exist or I can use internet during the day and error will also appears.

          1 Reply Last reply Reply Quote 0
          • ? Offline
            A Former User @Antibiotic
            last edited by

            @Antibiotic
            what kind of network problem? how can I indicate and solve it? AED decrypt error almost every hour. Do you know what happeping underhood during this error?

            A 1 Reply Last reply Reply Quote 0
            • S Offline
              skogs @Guest
              last edited by

              @Log1cal-Big7935 Certificate Revocation List download errors are pretty meaningless. The system is downloading a list of revoked certs, so that it can cut connection if the other end gets revoked for some reason. Sometimes the list itself is very large and doesn't download fast enough to be considered valid. Eventually it does download, that's when the error disappears. See this all the time with large active directory environments on VPN connection.

              ? 1 Reply Last reply Reply Quote 0
              • A Offline
                Antibiotic @Guest
                last edited by

                @Log1cal-Big7935 please check carefully this settings for proton , I think somewhere incorrect
                Cryptographic Settings

                Use a TLS Key: Checked
                Automatically generate a TLS Key: Unchecked
                TLS Key: Paste in the OpenVPN Static key from the OpenVPN configuration file (see Step 1)
                TLS Key Usage Mode: TLS Encryption and Authentication
                TLS keydir direction: Use default direction
                Peer Certificate Authority: Proton AG (or the descriptive name you used in Step 2)
                Peer Certificate Revocation List: Leave unchanged
                Client Certificate: None (Username and/or Password required)
                Data Encryption Negotiation: Checked
                Data Encryption Algorithms: AES-256-GCM, CHACHA20-POLY1305
                Fallback Data Encryption Algorithm: AES-256-GCM
                Auth digest algorithm: SHA256 (256-bit)
                Hardware Crypto: Whether this is supported depends on your device. If it is supported, it must first be enabled by going to System → Advanced → Miscellaneous. If in doubt, select No hardware crypto acceleration.
                Server Certificate Key Usage Validation: Checked

                pfSense plus 24.11 on Topton mini PC
                CPU: Intel N100
                NIC: Intel i-226v 4 pcs
                RAM : 16 GB DDR5
                Disk: 128 GB NVMe
                Brgds, Archi

                ? 1 Reply Last reply Reply Quote 0
                • A Offline
                  Antibiotic @Guest
                  last edited by

                  @Log1cal-Big7935 A "replay attack" is when the same packet arrives more than once, also packets which arrive "out of order" .. and a few other scenarios ..

                  This is common when using proto UDP, which is the nature of UDP and why UDP is faster than TCP in the context of the VPN protocol.

                  Generally, this happens most when your VPN connection is maxing out your line speed and can be ignored.

                  pfSense plus 24.11 on Topton mini PC
                  CPU: Intel N100
                  NIC: Intel i-226v 4 pcs
                  RAM : 16 GB DDR5
                  Disk: 128 GB NVMe
                  Brgds, Archi

                  1 Reply Last reply Reply Quote 0
                  • ? Offline
                    A Former User @skogs
                    last edited by

                    @skogs Thats mean my 2 errors (AEAD and 22437 VERIFY WARNING) are not dangerous? Everything works fine, just noticed this errors and thought that it can expose IP. If I leave it as it is, nothing wrong with my network?

                    A 1 Reply Last reply Reply Quote 0
                    • ? Offline
                      A Former User @Antibiotic
                      last edited by

                      @Antibiotic absolutely this settings. As far as I understood even if I leave this as it is now - nothing dangerous for my network? Do I need to do something to prevent IP leak or even with this erros I am good?
                      PS thank you for your answers

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S Offline
                        stephenw10 Netgate Administrator
                        last edited by

                        Probably not if it does reconnect OK.

                        1 Reply Last reply Reply Quote 0
                        • A Offline
                          Antibiotic @Guest
                          last edited by

                          @Log1cal-Big7935 just mute them

                          pfSense plus 24.11 on Topton mini PC
                          CPU: Intel N100
                          NIC: Intel i-226v 4 pcs
                          RAM : 16 GB DDR5
                          Disk: 128 GB NVMe
                          Brgds, Archi

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.