Netgate Discussion Forum

OpenVPN Error: TLS Error: Unroutable control packet received from

  • M
    MeCJay12
    last edited by MeCJay12 Jul 12, 2021, 3:31 PM Jul 12, 2021, 3:29 PM

    Cross-posting to Synology forum

    Hello! I have a Synology DS220j on the latest DSN release. It connects back to my pfSense OpenVPN server for management. For whatever reason, in the last couple weeks, the VPN connection is practically unusable (I'll get very brief sessions of functionality, but lots of disconnect/reconnects and dropped packets). I continually receive the top error with the bottom two sprinkled in:

    TLS Error: Unroutable control packet received from [AF_INET]24.x.x.x:42257 (si=3 op=P_CONTROL_V1)
    TLS Error: TLS handshake failed
    TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    

    I have the server config attached below but the main things I have tried are: rebooting everything, changing the server type from P2P to remote access, syncing both devices to time.google.com with NTP, and adding reneg-sec 36000 to the server config/reneg-sec 0 to client (client config below). Thanks in advance.

    To note about my setup, the pfSense instance running the OpenVPN is an HA cluster and the cluster is running behind someone else's NAT (WAN cluster IP is 192.168.1.2). This OpenVPN server is the 4th server on the same cluster. Each server uses a different port starting with 1194 and counting up. All the servers are UDP4 TUN, share one CA/VPN server cert, and all but one are P2P.

    Server Config:

    dev ovpns5
    verb 1
    dev-type tun
    dev-node /dev/tun5
    writepid /var/run/openvpn_server5.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.1.2
    tls-server
    ifconfig 192.168.255.221 192.168.255.222
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'RAVPN-Cert' 1"
    lport 1197
    management /var/etc/openvpn/server5/sock unix
    max-clients 10
    push "route 192.168.0.0 255.255.0.0"
    capath /var/etc/openvpn/server5/ca
    cert /var/etc/openvpn/server5/cert
    key /var/etc/openvpn/server5/key
    dh /etc/dh-parameters.2048
    data-ciphers AES-128-GCM:AES-128-CBC
    data-ciphers-fallback AES-128-CBC
    allow-compression asym
    sndbuf 262144
    rcvbuf 262144
    reneg-sec 36000
    

    Client Config:

    dev tun
    proto udp
    persist-tun
    persist-key
    cipher AES-128-CBC
    auth SHA256
    tls-client
    client
    resolv-retry infinite
    remote vpn.<domain> 1197
    setenv opt block-outside-dns
    lport 0
    verify-x509-name "RAVPN-Cert" name
    remote-cert-tls server
    explicit-exit-notify
    ifconfig 192.168.255.222 192.168.255.221
    reneg-sec 0
    
    <ca>
    <cert>
    <key>
    
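A quick way to rule out a directive mismatch between the two configs posted above, as an added example (not part of the original post and not pfSense or OpenVPN tooling). The embedded configs are trimmed copies of the posted ones; the function names and the set of checks (transport, `auth`, port, cipher, mirrored `ifconfig`) are assumptions chosen for this illustration.

```python
# Added example: compare directives that must agree between the posted server and client configs.
SERVER = """\
proto udp4
auth SHA256
lport 1197
ifconfig 192.168.255.221 192.168.255.222
data-ciphers AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-128-CBC
"""
CLIENT = """\
proto udp
cipher AES-128-CBC
auth SHA256
remote vpn.<domain> 1197
ifconfig 192.168.255.222 192.168.255.221
"""

def parse(text):
    """Map directive -> argument list, skipping blank lines and # or ; comments."""
    rows = (line.split() for line in text.splitlines())
    return {r[0]: r[1:] for r in rows if r and r[0][0] not in "#;"}

def compare(server_text, client_text):
    """Return a list of human-readable mismatches (empty list = consistent)."""
    s, c = parse(server_text), parse(client_text)
    issues = []
    # Transport: udp, udp4 and udp6 are all UDP; only udp vs tcp is a mismatch.
    if s.get("proto", ["udp"])[0][:3] != c.get("proto", ["udp"])[0][:3]:
        issues.append("proto: server and client use different transports")
    # HMAC digest must be identical on both ends (OpenVPN default is SHA1).
    if s.get("auth", ["SHA1"]) != c.get("auth", ["SHA1"]):
        issues.append("auth: digest differs")
    # The client must dial the port the server listens on (default 1194).
    listen = (s.get("lport") or s.get("port") or ["1194"])[0]
    dial = (c.get("remote", ["?"]) + ["1194"])[1]
    if dial != listen:
        issues.append(f"port: client dials {dial}, server listens on {listen}")
    # Simplified rule: client cipher must be in data-ciphers or equal the fallback.
    allowed = set(s.get("data-ciphers", [""])[0].split(":")) | set(s.get("data-ciphers-fallback", []))
    if c.get("cipher") and c["cipher"][0] not in allowed:
        issues.append(f"cipher: {c['cipher'][0]} not offered by server")
    # Point-to-point ifconfig endpoints must be mirror images of each other.
    if "ifconfig" in s and "ifconfig" in c and s["ifconfig"][:2] != c["ifconfig"][:2][::-1]:
        issues.append("ifconfig: tunnel endpoints are not mirrored")
    return issues

print(compare(SERVER, CLIENT) or "no mismatches found")
```

`reneg-sec` is left out of the comparison because it does not have to match between peers.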
    • J
      johnchem.umass.edu
      last edited by Jan 19, 2023, 1:49 PM

      I'm getting the same thing with this scenario, but I haven't seen any comments or other posts with ideas or solutions. @MeCJay12 , were you able to resolve this?

      Does anyone else have any ideas? Thanks.

      • M
        MeCJay12 @johnchem.umass.edu
        last edited by Jan 19, 2023, 2:27 PM

        @johnchem-umass-edu I think it might have had something to do with config corruption. I factory reset my pfSense install and rebuilt the config from the ground up and that seemed to fix it.

        • J
          johnchem.umass.edu @MeCJay12
          last edited by Jan 19, 2023, 2:40 PM

          @mecjay12
          Thanks for this. Are you referring to a re-install of the OpenVPN server or of the pfSense box?

          • M
            MeCJay12 @johnchem.umass.edu
            last edited by Jan 19, 2023, 2:42 PM

            @johnchem-umass-edu the entire pfSense box

            • J
              johnchem.umass.edu @MeCJay12
              last edited by Jan 19, 2023, 2:44 PM

              @mecjay12
              Thanks for getting back to me.
