OpenVPN with 2 clients results in disconnect for both



  • Hi,

    I have a strange problem which I cannot sort out.
    My OpenVPN server on pfSense is running fine when I only connect a single client. As soon as a second client is connected, none of them can get traffic through anymore. The connection to the OpenVPN server is nevertheless kept up (at least that's what the GUI says; no ping anymore).

    For each device I created a dedicated user in the pfSense user management with their own certificate.
    I use the OpenVPN client export utility to get the config for 1 windows client and 1 android client.



  • LAYER 8 Rebel Alliance

    Did you specify a CSO for each User?
    Any special in the OpenVPN server log when the second User connects?

    -Rico



  • @Rico

    No, there's no CSO defined.
    Actually, to be more precise: I don't get an active disconnect, but as soon as I connect with one device, the network adapter of the other seems to be disabled/frozen/stuck. Especially on my Windows PC with an OpenVPN client, it takes 1-2 minutes for the virtual adapter to perform the "disconnect"/unfreeze.

    What I see now in the logs is an Authenticate/Decrypt packet error, and I have no clue where it comes from.

    Here are the logs:

    Feb 27 17:00:57 	openvpn 	27800 	MY_OpenVPN/xx.xxx.225.201:61703 MULTI_sva: pool returned IPv4=10.0.8.2, IPv6=(Not enabled)
    Feb 27 17:00:56 	openvpn 		user 'MY_OpenVPN' authenticated
    Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 [MY_OpenVPN] Peer Connection Initiated with [AF_INET]xx.xxx.225.201:61703
    Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_GUI_VER=OpenVPN_GUI_11
    Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_TCPNL=1
    Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_COMP_STUBv2=1
    Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_COMP_STUB=1
    Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_LZO=1
    Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_LZ4v2=1
    Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_LZ4=1
    Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_NCP=2
    Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_PROTO=2
    Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_PLAT=win
    Feb 27 17:00:56 	openvpn 	27800 	xx.yyy.225.201:61703 peer info: IV_VER=2.4.7
    Feb 27 17:00:18 	openvpn 	27800 	MY_OpenVPN/xx.xxx.225.201:61703 [MY_OpenVPN] Inactivity timeout (--ping-restart), restarting
    Feb 27 17:00:09 	openvpn 	58140 	Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70926101 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Feb 27 17:00:09 	openvpn 	58140 	Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70926100 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Feb 27 17:00:09 	openvpn 	58140 	Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70926099 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Feb 27 17:00:09 	openvpn 	58140 	Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70926098 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Feb 27 16:57:48 	openvpn 	27800 	MYMobile_OpenVPN/aa.bb.85.83:39551 MULTI_sva: pool returned IPv4=10.0.8.3, IPv6=(Not enabled)
    Feb 27 16:57:47 	openvpn 		user 'MYMobile_OpenVPN' authenticated
    Feb 27 16:57:47 	openvpn 	27800 	aa.bb.85.83:39551 [MYMobile_OpenVPN] Peer Connection Initiated with [AF_INET]aa.bb.85.83:39551
    Feb 27 16:57:47 	openvpn 	27800 	aa.bb.85.83:39551 peer info: IV_PROTO=2
    Feb 27 16:57:47 	openvpn 	27800 	aa.bb.85.83:39551 peer info: IV_TCPNL=1
    Feb 27 16:57:47 	openvpn 	27800 	aa.bb.85.83:39551 peer info: IV_NCP=2
    Feb 27 16:57:47 	openvpn 	27800 	aa.bb.85.83:39551 peer info: IV_PLAT=android
    Feb 27 16:57:47 	openvpn 	27800 	aa.bb.85.83:39551 peer info: IV_VER=3.git::728733ae:Release
    Feb 27 16:57:47 	openvpn 	27800 	aa.bb.85.83:39551 peer info: IV_GUI_VER=OC30Android 
    

  • LAYER 8 Rebel Alliance

    Authenticate/Decrypt packet error: bad packet ID (may be a replay)

    can be caused by a majority of problems. Could be a general network connectivity problem, bad time (check the time settings for your server + clients, they must be in sync), wrong MTU size, and so on.
    I would not expect the Authenticate/Decrypt packet error to be caused by a second client connecting. Are you sure your clients each have a unique cert?
    Do you see this every time after the second client connects? No matter which one connects first or second?
    With only one client connected, either Win or Android, you never see the Authenticate/Decrypt packet error in the log?

    -Rico
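
    An added example, not from the thread or from pfSense, that runs the checks asked about above over server log lines in the format quoted earlier: it orders the pfSense entries chronologically, tracks which certificate CNs hold a pool lease on which OpenVPN process (each pfSense OpenVPN instance is its own process), and reports whether the replay warnings fired while two clients were up, whether they came from a process that was handing out leases at all, and whether one CN was leased again from a different address with no restart in between. The sample log is constructed from the thread's lines plus two invented entries; the year 2020 and tab separators are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log line shape quoted in the thread: "Feb 27 17:00:57 \topenvpn \t27800 \tmessage" (pid may be empty)
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+openvpn\s+(\d*)\s+(.*?)\s*$")
POOL_RE = re.compile(r"^(?P<cn>[^/\s]+)/(?P<peer>\S+) MULTI_sva: pool returned IPv4=")
RESTART_RE = re.compile(r"^(?P<cn>[^/\s]+)/\S+ \[\S+\] Inactivity timeout \(--ping-restart\)")
REPLAY_RE = re.compile(r"bad packet ID \(may be a replay\): \[ #(?P<id>\d+) \]")

# Constructed sample in the thread's format (newest first, as the pfSense GUI shows it); the 16:50:00
# lease and the 17:01:30 lease from a second address are invented to exercise the checks.
SAMPLE = """\
Feb 27 17:01:30\topenvpn\t27800\tMY_OpenVPN/zz.zz.1.1:40000 MULTI_sva: pool returned IPv4=10.0.8.4, IPv6=(Not enabled)
Feb 27 17:00:57\topenvpn\t27800\tMY_OpenVPN/xx.xxx.225.201:61703 MULTI_sva: pool returned IPv4=10.0.8.2, IPv6=(Not enabled)
Feb 27 17:00:56\topenvpn\t\tuser 'MY_OpenVPN' authenticated
Feb 27 17:00:18\topenvpn\t27800\tMY_OpenVPN/xx.xxx.225.201:61703 [MY_OpenVPN] Inactivity timeout (--ping-restart), restarting
Feb 27 17:00:09\topenvpn\t58140\tAuthenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70926099 ] -- see the man page
Feb 27 17:00:09\topenvpn\t58140\tAuthenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70926098 ] -- see the man page
Feb 27 16:57:48\topenvpn\t27800\tMYMobile_OpenVPN/aa.bb.85.83:39551 MULTI_sva: pool returned IPv4=10.0.8.3, IPv6=(Not enabled)
Feb 27 16:50:00\topenvpn\t27800\tMY_OpenVPN/xx.xxx.225.201:50000 MULTI_sva: pool returned IPv4=10.0.8.2, IPv6=(Not enabled)
"""

def parse(text, year=2020):
    # Returns (timestamp, pid, message) oldest first so sessions can be tracked in order.
    events = []
    for line in text.splitlines():
        if m := LINE_RE.match(line):
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2) or "?", m.group(3)))
    return sorted(events, key=lambda e: e[0])

def analyse(events):
    active = {}  # (pid, cn) -> peer address currently holding a pool lease on that server process
    r = {"lease_pids": set(), "replay_by_pid": defaultdict(list), "replay_while_multi": 0, "cert_reuse": []}
    for ts, pid, msg in events:
        if m := POOL_RE.match(msg):
            r["lease_pids"].add(pid)
            key = (pid, m["cn"])
            if key in active and active[key] != m["peer"]:
                # same CN leased again from another address with no restart between: hint that two devices share one cert
                r["cert_reuse"].append((m["cn"], active[key], m["peer"]))
            active[key] = m["peer"]
        elif m := RESTART_RE.match(msg):
            active.pop((pid, m["cn"]), None)
        elif m := REPLAY_RE.search(msg):
            r["replay_by_pid"][pid].append(int(m["id"]))
            if len(active) > 1:  # warning fired while two or more clients held leases
                r["replay_while_multi"] += 1
    return r
```

    Comparing `replay_by_pid` keys against `lease_pids` shows at a glance whether the replay warnings even came from the process serving these two clients.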



  • @LaUs3r

    He managed to solve the problem?

    I have the same problem



  • @PedroBelliato, no, I still have the issue.
    But to be honest, I currently have other topics I'm focusing on, so I did not continue investigating.
    Nevertheless, my next steps would be to completely set up the OpenVPN server on the pfSense from scratch.

    Did you do a clean setup already?



  •

    Blank is 1 connection.
    Set it to n+1, e.g. 2 users results in 3.

    Saved me some troubles.



  • @noplan said in OpenVPN with 2 clients results in disconnect for both:


    Blank is 1 connection.
    Set it to n+1, e.g. 2 users results in 3.

    Saved me some troubles.

    What I found out quickly is that only my Windows client gets disconnected while the Android client still works. Very strange. Maybe I need to reinstall my Windows OpenVPN client, but I currently don't have access to this machine.

