Netgate Discussion Forum

    OpenVPN with 2 clients results in disconnect for both

    • L
      LaUs3r
      last edited by

      Hi,

      I have a strange problem which I cannot sort out.
      My OpenVPN server on pfSense is running fine when I only connect a single client. As soon as a second client is connected, none of them can get traffic through anymore. The connection to the OpenVPN server nevertheless is kept up (at least that's what the GUI says, no ping anymore).

      For each device I created a dedicated user in the pfSense user management with their own certificate.
      I use the OpenVPN client export utility to get the config for 1 Windows client and 1 Android client.

      1.JPG

      2.JPG

      3.JPG

      4.JPG

      • RicoR
        Rico LAYER 8 Rebel Alliance
        last edited by

        Did you specify a CSO for each User?
        Anything special in the OpenVPN server log when the second User connects?

        -Rico

        • L
          LaUs3r @Rico
          last edited by

          @Rico

          No, there's no CSO defined.
          Actually, to be more precise: I don't get an active disconnect, but as soon as I connect with one device, the network adapter of the other seems to be disabled/frozen/stuck. Especially on my Windows PC with an OpenVPN client, it takes 1-2 minutes for the virtual adapter to perform the "disconnect"/unfreeze.

          What I see now in the logs is an Authenticate/Decrypt packet error, and I have no clue where it comes from.

          Here are the logs:

          Feb 27 17:00:57 	openvpn 	27800 	MY_OpenVPN/xx.xxx.225.201:61703 MULTI_sva: pool returned IPv4=10.0.8.2, IPv6=(Not enabled)
          Feb 27 17:00:56 	openvpn 		user 'MY_OpenVPN' authenticated
          Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 [MY_OpenVPN] Peer Connection Initiated with [AF_INET]xx.xxx.225.201:61703
          Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_GUI_VER=OpenVPN_GUI_11
          Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_TCPNL=1
          Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_COMP_STUBv2=1
          Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_COMP_STUB=1
          Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_LZO=1
          Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_LZ4v2=1
          Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_LZ4=1
          Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_NCP=2
          Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_PROTO=2
          Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_PLAT=win
          Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_VER=2.4.7
          Feb 27 17:00:18 	openvpn 	27800 	MY_OpenVPN/xx.xxx.225.201:61703 [MY_OpenVPN] Inactivity timeout (--ping-restart), restarting
          Feb 27 17:00:09 	openvpn 	58140 	Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70926101 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
          Feb 27 17:00:09 	openvpn 	58140 	Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70926100 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
          Feb 27 17:00:09 	openvpn 	58140 	Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70926099 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
          Feb 27 17:00:09 	openvpn 	58140 	Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70926098 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
          Feb 27 16:57:48 	openvpn 	27800 	MYMobile_OpenVPN/aa.bb.85.83:39551 MULTI_sva: pool returned IPv4=10.0.8.3, IPv6=(Not enabled)
          Feb 27 16:57:47 	openvpn 		user 'MYMobile_OpenVPN' authenticated
          Feb 27 16:57:47 	openvpn 	27800 	aa.bb.85.83:39551 [MYMobile_OpenVPN] Peer Connection Initiated with [AF_INET]aa.bb.85.83:39551
          Feb 27 16:57:47 	openvpn 	27800 	aa.bb.85.83:39551 peer info: IV_PROTO=2
          Feb 27 16:57:47 	openvpn 	27800 	aa.bb.85.83:39551 peer info: IV_TCPNL=1
          Feb 27 16:57:47 	openvpn 	27800 	aa.bb.85.83:39551 peer info: IV_NCP=2
          Feb 27 16:57:47 	openvpn 	27800 	aa.bb.85.83:39551 peer info: IV_PLAT=android
          Feb 27 16:57:47 	openvpn 	27800 	aa.bb.85.83:39551 peer info: IV_VER=3.git::728733ae:Release
          Feb 27 16:57:47 	openvpn 	27800 	aa.bb.85.83:39551 peer info: IV_GUI_VER=OC30Android 
          • RicoR
            Rico LAYER 8 Rebel Alliance
            last edited by

            Authenticate/Decrypt packet error: bad packet ID (may be a replay)
            

            can be caused by a majority of problems. Could be a general network connectivity problem, bad time (check time settings for your server + clients, they must be in sync), wrong MTU size, and so on.
            I would not expect the Authenticate/Decrypt packet error caused by a second client connecting. Are you sure your clients each have a unique Cert?
            Do you see this every time after the second client connecting? No matter which one connects first or second?
            With only one client connected either Win or Android you never see Authenticate/Decrypt packet error in the Log?

            -Rico
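
The checks asked for in the reply above (do the clients share a certificate, and do the replay errors belong to the client sessions at all) can be run over an exported log. This is an added example, not part of the thread: the sample lines are constructed in the same layout as the posted log, and `parse`, `triage` and the default year are assumptions. In the posted log the replay errors carry PID 58140 while both client sessions carry PID 27800, which is the kind of split the second result field reports.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the pfSense GUI layout: time, process, PID, message (newest first).
SAMPLE = """\
Feb 27 17:00:57\topenvpn\t27800\tclientA/198.51.100.7:61703 MULTI_sva: pool returned IPv4=10.0.8.2, IPv6=(Not enabled)
Feb 27 17:00:56\topenvpn\t\tuser 'clientA' authenticated
Feb 27 17:00:18\topenvpn\t27800\tclientA/198.51.100.7:61703 [clientA] Inactivity timeout (--ping-restart), restarting
Feb 27 17:00:09\topenvpn\t58140\tAuthenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70926101 ]
Feb 27 17:00:09\topenvpn\t58140\tAuthenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70926100 ]
Feb 27 16:57:48\topenvpn\t27800\tclientB/203.0.113.9:39551 MULTI_sva: pool returned IPv4=10.0.8.3, IPv6=(Not enabled)
"""
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)\t(\S+)\t(\d*)\t(.*)$")
POOL = re.compile(r"^(\S+)/(\S+):\d+ MULTI_sva: pool returned IPv4=(\S+),")

def parse(text, year=2000):
    """Return (time, pid, message) tuples, oldest first. The log has no year, so one is assumed."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts, _proc, pid, msg = m.groups()
            when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
            rows.append((when, pid or "?", msg))  # some lines are logged without a PID
    return sorted(rows, key=lambda r: r[0])

def triage(text):
    """Correlate replay errors with client sessions and look for shared identities."""
    rows = parse(text)
    replay = Counter(pid for _, pid, msg in rows if "bad packet ID" in msg)
    client_pids, srcs_by_cn, cns_by_vip = set(), defaultdict(set), defaultdict(set)
    for _, pid, msg in rows:
        m = POOL.match(msg)
        if m:
            cn, src, vip = m.groups()
            client_pids.add(pid)
            srcs_by_cn[cn].add(src)
            cns_by_vip[vip].add(cn)
    return {
        "replay_errors_by_pid": dict(replay),
        # A PID that never assigned a tunnel address is a different openvpn process.
        "replay_pids_without_clients": sorted(set(replay) - client_pids),
        # One common name from several sources hints at a shared cert (or a roaming client).
        "shared_common_names": sorted(cn for cn, s in srcs_by_cn.items() if len(s) > 1),
        "tunnel_ip_conflicts": sorted(ip for ip, c in cns_by_vip.items() if len(c) > 1),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```
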

            • P
              PedroBelliato
              last edited by

              @LaUs3r

              He managed to solve the problem

              I have the same problem

              • L
                LaUs3r @PedroBelliato
                last edited by

                @PedroBelliato, no, I still have the issue.
                But to be honest, I currently have other topics I'm focusing on, so I did not continue investigating.
                Nevertheless, my next step would be to completely set up the OpenVPN server on the pfSense from scratch.

                Did you do a clean setup already?

                • noplanN
                  noplan
                  last edited by

                  b2940529-119b-459d-b1f8-00194735d382-grafik.png

                  blank is 1 connection
                  set it to n+1, e.g. --> 2 users results in 3

                  saved me some troubles

                  • L
                    LaUs3r @noplan
                    last edited by

                    @noplan said in OpenVPN with 2 clients results in disconnect for both:

                    b2940529-119b-459d-b1f8-00194735d382-grafik.png

                    blank is 1 connection
                    set it to n+1, e.g. --> 2 users results in 3

                    saved me some troubles

                    What I found out quickly is that only my Windows client gets disconnected while the Android client still works. Very strange. Maybe I need to reinstall my Windows OpenVPN client. But I currently don't have access to this machine.
