Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    SG 2220 with PIA strong 256 bit openvpn encryption errors

    OpenVPN
    2
    6
    649
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      bcruze last edited by

      I have been using PIA service for about a year and a few months.  the past few weeks i have been getting several interruptions of service and it leaves my home connection down until i restart the open vpn services.    here are the openvpn logs on the device:

      am i actually connection at 256bit ?  the below seems to think no.  are these a reason for concern?

      WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'

      WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'

      WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'

      WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'

      here are the settings suggested by PIA a year ago:

      You may want to try the strong encryption (more info below):

      Router VPN setups are by nature considerably slower than computer based ones, due to the encryption that secure VPN services utilizes. Routers typically lack the hardware capability to process the encryption in real-time, causing connection lag.

      For example, you may be using a router that's considered a fairly good router by today's standards. However, even with a 700mhz processor, and 256mb of RAM, those are specs you might have seen on a high-end Windows 98/ low-end WinXP computer, 10-15 years ago. Basically, it's trying to run modern technology on hardware that can barely support it.

      The only reason one should use a router based VPN setup is (a) to connect devices that do not support VPN installation (TVs, gaming consoles, etc.) or (b) to connect more than 5 devices simultaneously. If you are concerned with speed, you should avoid using a router VPN setup.

      That said, I can suggest trying to tweak your MTU setting a bit; typically, if you lower it slightly, it makes it easier for the router to handle it, and in fact increases your speeds. Try reducing your MTU to around 1400 or so (pretty much any level between 1350 -1450), and hopefully it will help.

      Next, please try using the following ports and protocols for your OpenVPN client:

      UDP 1198
      TCP 502

      Please ensure the Certificate Authority field contains the ca.rsa.2048.crt certificate file from here: Download Certificate

      However, if you're using the strong encryption settings "AES-256-CBC SHA256" please try the following ports and protocols for your OpenVPN client:

      UDP 1197
      TCP 501

      For strong encryption, please ensure the Certificate Authority field contains the ca.rsa.4096.crt file from here: Download Certificate

      Finally, try using an IP instead of a hostname in the Server Address field, to avoid any DNS resolution issues, which can help speed up the connection somewhat. To obtain an IP address from our servers, please open Command Prompt or a Terminal Window and type:

      ping (hostname of server you want IPs for. A list of our servers can be found here: https://www.privateinternetaccess.com/pages/network/)

      and hit enter. You should get an IP address for the hostname you put in.

      A reboot of the router may necessary to activate any changes made in your router settings.

      1 Reply Last reply Reply Quote 0
      • B
        bcruze last edited by

        to update anyone that uses PIA reading this.  their Senior support engineer replied and basically said to use the instructions on the website.    they are currently working on updating their setup material.    didn't give an ETA

        i've changed back to the original directions and so far no issues, but its only been 24 hours \…

        WOW i just checked the openvpn logs:

        i still ge

        t Dec 9 07:14:01 openvpn 14802 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
        Dec 9 07:14:01 openvpn 14802 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'

        AND all of this

        Dec 8 21:13:02 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1897349 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:02 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1897350 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:02 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1897351 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:02 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1897352 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:02 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1897353 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:02 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1897354 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:02 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1897355 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:02 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1897356 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:02 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1897357 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:02 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1897358 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:02 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1897359 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:02 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1897360 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:02 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1897361 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:02 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1897362 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:02 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1897363 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915146 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915147 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915148 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915149 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915150 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915151 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915152 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915153 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915154 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915155 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915156 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915157 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915158 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915159 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915160 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915161 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915162 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915163 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915164 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915165 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915166 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915167 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915168 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915169 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915170 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915171 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915172 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915173 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915174 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915175 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915176 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915177 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915178 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915179 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Dec 8 21:13:10 openvpn 28477 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1915180 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

        1 Reply Last reply Reply Quote 0
        • B
          bcruze last edited by

          for anyone that cares.  i have been able to read online and pretty much fix this my self by doing the following:

          1.  i moved away from the  servers CLOSEST to me.  it had the most servers available but they are clearly overloaded OR configured wrong.
          2.  i added
          a.  comp-lzo
          b.  auth sha256    since i am connecting to the openvpn strong server
          c. cipher aes-256-cbc      since i am connecting to the openvpn strong server

          to my configuration and it has gotten rid of the MTU and all the warnings about it connecting to the old cipher.

          night and day difference.    the main key is reading the configuration files provided and mimicking it to your configuration in the client.

          i have a 100Mb down 10up spectrum account.  and on a good server i can get 90Mb down and 10Mb up consistently

          1 Reply Last reply Reply Quote 0
          • Derelict
            Derelict LAYER 8 Netgate last edited by

            All of that is selectable in the gui. I suggest doing it there.

            comp-lzo: adaptive is the default setting. comp-lzo adaptive is enabled by choosing Compression: Enabled with adaptive compression

            auth sha256: Auth digest algorithm: SHA256

            cipher aes-256-cbc: Encryption Algorithm: AES-256-CBC

            An example reason for using the GUI is that the comp-lzo directive is actually deprecated, to be replaced by the compress and comp-noadapt directives. Your configuration will automatically be updated when the OpenVPN functionality is updated with these changes. That will not be the case with custom options. They are blindly added to the configuration.

            Chattanooga, Tennessee, USA
            The pfSense Book is free of charge!
            DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • B
              bcruze last edited by

              i understand what you are saying about the GUI.  and they were chosen.. in the openvpn log i would get these:

              WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'

              WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'

              WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'

              now that i have added them as i posted i get :

              Jan 8 15:02:01 openvpn 21720 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
              Jan 8 15:02:01 openvpn 21720 Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
              Jan 8 15:02:01 openvpn 21720 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
              Jan 8 15:02:01 openvpn 21720 Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication

              those never showed up in the log before until i manually added as its shown in the openvpn config file by PIA

              just my experience,  PIA has been updating quite a bit i have read as well

              1 Reply Last reply Reply Quote 0
              • Derelict
                Derelict LAYER 8 Netgate last edited by

                Well if you set yours to AES-256-CBC and the remote wants blowfish, I don't know what adding the exact same configuration option manually is going to change.

                But if it works for you, great.

                Chattanooga, Tennessee, USA
                The pfSense Book is free of charge!
                DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post