Errors with OpenVPN, CRL, AEAD
-
Hi guys.
I have spent 1 month hardening my home network, so long because I am not in IT, just a regular user. I fell in love with pfSense's possibilities and pfBlockerNG. During this hardening I had some errors and problems, but I was able to fix them. But now I have some errors which I CAN'T fix without you (I spent 2 weeks trying to fix them).
I have pfSense 2.7.2 (installed on a Protectli Vault FW4C) with OpenVPN installed (ProtonVPN UDP), some NAT, rules, DNS Resolver, and using NextDNS.
My main goal with the VPN in pfSense is to not leak my real IP address, and the internet should work only with the VPN. I route all my traffic through the VPN (LAN, OPT1 and OPT2).
PROBLEM: The VPN works pretty well, but I have some errors in the system logs and I am worried that something is not working as it should.

FIRST ERROR: I have 3 different ProtonVPN servers, one for each port (LAN, OPT1 and OPT2), and this is happening with each port and server (random drops, not all together at the same time). The VPN is working fine, but am I leaking my IP during these errors? And how do I solve it?
My advanced configuration is:
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
reneg-sec 0;
remote-cert-tls server;

Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=node-us-155.protonvpn.net
Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=1, unable to get certificate CRL: C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=2, unable to get certificate CRL: C=CH, O=Proton Technologies AG, OU=ProtonVPN, CN=ProtonVPN Root CA
Nov 28 01:46:32 openvpn 22437 VERIFY OK: depth=2, C=CH, O=Proton Technologies AG, OU=ProtonVPN, CN=ProtonVPN Root CA
Nov 28 01:46:32 openvpn 22437 VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Nov 28 01:46:32 openvpn 22437 VERIFY KU OK
Nov 28 01:46:32 openvpn 22437 Validating certificate extended key usage
Nov 28 01:46:32 openvpn 22437 ++ Certificate has EKU (str) 1.3.6.1.5.5.8.2.2, expects TLS Web Server Authentication
Nov 28 01:46:32 openvpn 22437 ++ Certificate has EKU (oid) 1.3.6.1.5.5.8.2.2, expects TLS Web Server Authentication
Nov 28 01:46:32 openvpn 22437 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Nov 28 01:46:32 openvpn 22437 VERIFY EKU OK
Nov 28 01:46:32 openvpn 22437 VERIFY OK: depth=0, CN=node-us-155.protonvpn.net
Nov 28 01:46:32 openvpn 22437 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519

SECOND ERROR:
Nov 28 01:27:11 openvpn 66163 AEAD Decrypt error: bad packet ID (may be a replay): [ #45140 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Nov 28 01:27:11 openvpn 66163 AEAD Decrypt error: bad packet ID (may be a replay): [ #45141 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Nov 28 01:27:11 openvpn 66163 AEAD Decrypt error: bad packet ID (may be a replay): [ #45142 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

THIRD ERROR:
Nov 28 17:23:16 openvpn 34585 MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Nov 28 17:23:16 openvpn 34585 MANAGEMENT: CMD 'state 1'
Nov 28 17:23:16 openvpn 34585 MANAGEMENT: CMD 'status 2'
Nov 28 17:23:16 openvpn 34585 MANAGEMENT: Client disconnected
Nov 28 17:23:16 openvpn 47176 MANAGEMENT: Client connected from /var/etc/openvpn/client2/sock
Nov 28 17:23:16 openvpn 47176 MANAGEMENT: CMD 'state 1'
Nov 28 17:23:16 openvpn 47176 MANAGEMENT: CMD 'status 2'
Nov 28 17:23:16 openvpn 47176 MANAGEMENT: Client disconnected
Nov 28 17:23:16 openvpn 60318 MANAGEMENT: Client connected from /var/etc/openvpn/client3/sock
Nov 28 17:23:16 openvpn 60318 MANAGEMENT: CMD 'state 1'
Nov 28 17:23:16 openvpn 60318 MANAGEMENT: CMD 'status 2'
Nov 28 17:23:16 openvpn 60318 MANAGEMENT: Client disconnected
Nov 28 17:23:16 openvpn 34585 MANAGEMENT: Client connected from /var/etc/openvpn/client1/sock
Nov 28 17:23:16 openvpn 34585 MANAGEMENT: CMD 'state 1'
Nov 28 17:23:16 openvpn 34585 MANAGEMENT: CMD 'status 2'
Nov 28 17:23:16 openvpn 34585 MANAGEMENT: Client disconnected
Nov 28 17:23:16 openvpn 47176 MANAGEMENT: Client connected from /var/etc/openvpn/client2/sock
Nov 28 17:23:16 openvpn 47176 MANAGEMENT: CMD 'state 1'
Nov 28 17:23:16 openvpn 47176 MANAGEMENT: CMD 'status 2'
Nov 28 17:23:16 openvpn 47176 MANAGEMENT: Client disconnected
Nov 28 17:23:16 openvpn 60318 MANAGEMENT: Client connected from /var/etc/openvpn/client3/sock
Nov 28 17:23:16 openvpn 60318 MANAGEMENT: CMD 'state 1'
Nov 28 17:23:16 openvpn 60318 MANAGEMENT: CMD 'status 2'
Nov 28 17:23:16 openvpn 60318 MANAGEMENT: Client disconnected

THANK YOU VERY MUCH IN ADVANCE
-
@Logical-Big7835
I'd start by reducing the MTU. Each time you wrap something in a tunnel one needs to reduce the MTU appropriately, else at each step along the way it will fragment. Just for giggles (plain side) reduce to something ridiculous like 1000 and see if it still tags this error.
Increase up until you see errors due to fragmentation.
A professional would simply do the math. I'm a dope though and I like to try things.
-
@skogs
I experimented with the settings in the VPN field (VPN > OpenVPN > Clients > Edit), nothing helped.
Now it is:
tun-mtu 1470;
tun-mtu-extra 32;
mssfix 1430;
reneg-sec 0;
remote-cert-tls server;

but still the same errors. Do I need these additional settings at all?
I have ISP modem in bridge mode > Protectli FW4C with pfSense installed > router with default settings just for WiFi (in the Asus router the WAN MTU is 1500).
I tried ping
ping -D -v -s 1500 -c 1 www.example.com and 1472 was the largest size that worked with ping. Anyway it didn't help with the errors.

PS: am I exposing my IP during the errors in my first message? It looks like pfSense reconnects to the VPN in the same second.
Guys, if you're writing to do something, please tell me where it is located in pfSense.
THANK YOU
-
Is this just a temporary error during re-connections? It does reconnect?
-
@Logical-Big7835 said in Errors with OpenVPN, CRL, AEAD:
--mute-replay-warnings
The answer is in the log: set this in the advanced options and the message will disappear. You can try to use WireGuard as well instead of OpenVPN, if of course you haven't fallen in love with OpenVPN. If you're using UDP, retransmissions are common.
-
@Logical-Big7835 said in Errors with OpenVPN, CRL, AEAD:
. During this hardening
Can you please tell how you did the hardening?
-
@Logical-Big7835 said in Errors with OpenVPN, CRL, AEAD:
AEAD Decrypt error: bad packet ID
Generally, you can ignore this message, if it only happens once in a while.
If you get a lot of problems with it then it usually indicates some network problem.
You can use --replay-window to adjust OpenVPN replay protection.
-
@stephenw10
It is happening all day and night.
This error, AEAD Decrypt error: bad packet ID (may be a replay): 200 times in a minute with a pause of 20-100 minutes.

This error:
Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=node-us-155.protonvpn.net
Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=1, unable to get certificate CRL: C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=2, unable to get certificate CRL: C=CH, O=Proton Technologies AG, OU=ProtonVPN, CN=ProtonVPN Root CA
every 40-100 minutes. But as I see it, it fails to verify and then verifies in the same second.
It does reconnect and I use the internet without issues and always with the VPN's IP address.
-
@Antibiotic
Thank you. I'd prefer to stay on OpenVPN because it is well known and without any vulnerabilities. Yes, I am using UDP. Is this error not an error at all? If I set --mute-replay-warnings it will mute the error but it will not solve it? Also can you tell something about my first error, which is:

Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=node-us-155.protonvpn.net
Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=1, unable to get certificate CRL: C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=2, unable to get certificate CRL: C=CH, O=Proton Technologies AG, OU=ProtonVPN, CN=ProtonVPN Root CA
Do I need to worry about that?
-
@Antibiotic
Hardening: VPN, NextDNS, adjusted the network to work only with the VPN, set up pfBlockerNG with DNSBL and IP lists.
It is happening pretty often, if we are talking about the AEAD Decrypt error: every 20-100 minutes, I don't know what it depends on. I can sleep and not use the internet and the error will still exist, or I can use the internet during the day and the error will also appear.
-
@Antibiotic
What kind of network problem? How can I identify and solve it? The AEAD decrypt error is almost every hour. Do you know what is happening under the hood during this error?
-
@Log1cal-Big7935 Certificate Revocation List download errors are pretty meaningless. The system is downloading a list of revoked certs so that it can cut the connection if the other end gets revoked for some reason. Sometimes the list itself is very large and doesn't download fast enough to be considered valid. Eventually it does download; that's when the error disappears. I see this all the time with large Active Directory environments on VPN connections.
-
@Log1cal-Big7935 please check these settings for Proton carefully, I think something is incorrect somewhere.
Cryptographic Settings
Use a TLS Key: Checked
Automatically generate a TLS Key: Unchecked
TLS Key: Paste in the OpenVPN Static key from the OpenVPN configuration file (see Step 1)
TLS Key Usage Mode: TLS Encryption and Authentication
TLS keydir direction: Use default direction
Peer Certificate Authority: Proton AG (or the descriptive name you used in Step 2)
Peer Certificate Revocation List: Leave unchanged
Client Certificate: None (Username and/or Password required)
Data Encryption Negotiation: Checked
Data Encryption Algorithms: AES-256-GCM, CHACHA20-POLY1305
Fallback Data Encryption Algorithm: AES-256-GCM
Auth digest algorithm: SHA256 (256-bit)
Hardware Crypto: Whether this is supported depends on your device. If it is supported, it must first be enabled by going to System → Advanced → Miscellaneous. If in doubt, select No hardware crypto acceleration.
Server Certificate Key Usage Validation: Checked
-
@Log1cal-Big7935 A "replay attack" is when the same packet arrives more than once, also packets which arrive "out of order" .. and a few other scenarios ..
This is common when using proto UDP, which is the nature of UDP and why UDP is faster than TCP in the context of the VPN protocol.
Generally, this happens most when your VPN connection is maxing out your line speed and can be ignored.
-
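As an added example (not part of the thread, and not pfSense or OpenVPN code): a small Python script that applies the two rules of thumb from the replies above to a log export. For the CRL warnings it pairs each "unable to get certificate CRL" line with the VERIFY OK for the same OpenVPN process and certificate depth, so a handshake that logs both (the sequence in the first post) is counted as benign, and a handshake that logs the warning with no matching VERIFY OK is flagged as a real verification failure. For the AEAD replay errors it groups the lines into bursts per process and reports how many arrive per burst, the packet-ID range, and how long the quiet gaps between bursts are, which is the "once in a while vs. all the time" distinction the replies draw. The log lines embedded in the script are constructed, modelled on the ones pasted in the thread, with a second failed handshake invented to exercise the flagging path; the 5-second pairing window and the 60-second burst gap are assumptions, not OpenVPN settings.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in pfSense's year-less syslog format, modelled on the
# lines in the thread. The 02:30:05 handshake (pid 47176) is invented to show
# a CRL warning that is NOT followed by VERIFY OK.
SAMPLE_LOG = """\
Nov 28 01:27:11 openvpn 66163 AEAD Decrypt error: bad packet ID (may be a replay): [ #45140 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Nov 28 01:27:11 openvpn 66163 AEAD Decrypt error: bad packet ID (may be a replay): [ #45141 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Nov 28 01:27:12 openvpn 66163 AEAD Decrypt error: bad packet ID (may be a replay): [ #45142 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=node-us-155.protonvpn.net
Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=1, unable to get certificate CRL: C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Nov 28 01:46:32 openvpn 22437 VERIFY WARNING: depth=2, unable to get certificate CRL: C=CH, O=Proton Technologies AG, OU=ProtonVPN, CN=ProtonVPN Root CA
Nov 28 01:46:32 openvpn 22437 VERIFY OK: depth=2, C=CH, O=Proton Technologies AG, OU=ProtonVPN, CN=ProtonVPN Root CA
Nov 28 01:46:32 openvpn 22437 VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Nov 28 01:46:32 openvpn 22437 VERIFY OK: depth=0, CN=node-us-155.protonvpn.net
Nov 28 02:10:00 openvpn 66163 AEAD Decrypt error: bad packet ID (may be a replay): [ #51200 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Nov 28 02:10:03 openvpn 66163 AEAD Decrypt error: bad packet ID (may be a replay): [ #51201 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Nov 28 02:30:05 openvpn 47176 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=node-us-155.protonvpn.net
Nov 28 02:30:05 openvpn 47176 TLS Error: TLS handshake failed
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) openvpn (?P<pid>\d+) (?P<msg>.*)$")
CRL_WARN_RE = re.compile(r"^VERIFY WARNING: depth=(?P<depth>\d+), unable to get certificate CRL: (?P<subject>.*)$")
VERIFY_OK_RE = re.compile(r"^VERIFY OK: depth=(?P<depth>\d+), ")
AEAD_RE = re.compile(r"^AEAD Decrypt error: bad packet ID \(may be a replay\): \[ #(?P<pktid>\d+) \]")


def parse(log_text):
    """Return (timestamp, pid, message) for every openvpn line; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog carries no year; strptime defaults to 1900, fine for deltas
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, int(m["pid"]), m["msg"]))
    return events


def crl_warning_outcomes(events, grace=timedelta(seconds=5)):
    """Pair each CRL warning with a VERIFY OK for the same pid and depth.
    Paired within `grace` -> verified=True (benign); never paired -> False."""
    pending, outcomes = [], []
    for ts, pid, msg in events:
        w = CRL_WARN_RE.match(msg)
        if w:
            pending.append((ts, pid, int(w["depth"]), w["subject"]))
            continue
        ok = VERIFY_OK_RE.match(msg)
        if not ok:
            continue
        depth, keep = int(ok["depth"]), []
        for p in pending:
            if p[1] == pid and p[2] == depth and ts - p[0] <= grace:
                outcomes.append({"ts": p[0], "pid": pid, "depth": depth, "subject": p[3], "verified": True})
            else:
                keep.append(p)
        pending = keep
    for p in pending:  # warnings that never got a matching VERIFY OK
        outcomes.append({"ts": p[0], "pid": p[1], "depth": p[2], "subject": p[3], "verified": False})
    outcomes.sort(key=lambda o: (o["ts"], o["depth"]))
    return outcomes


def replay_bursts(events, gap=timedelta(seconds=60)):
    """Group AEAD replay errors into bursts per pid; a silence longer than
    `gap` since that pid's previous error starts a new burst."""
    bursts, last = [], {}  # last: pid -> index of its current burst
    for ts, pid, msg in events:
        m = AEAD_RE.match(msg)
        if not m:
            continue
        pktid, i = int(m["pktid"]), last.get(pid)
        if i is not None and ts - bursts[i]["end"] <= gap:
            b = bursts[i]
            b["end"], b["count"] = ts, b["count"] + 1
            b["first_id"], b["last_id"] = min(b["first_id"], pktid), max(b["last_id"], pktid)
        else:
            bursts.append({"pid": pid, "start": ts, "end": ts, "count": 1, "first_id": pktid, "last_id": pktid})
            last[pid] = len(bursts) - 1
    return bursts


def summarize(log_text):
    events = parse(log_text)
    crl, bursts = crl_warning_outcomes(events), replay_bursts(events)
    gaps = [int((bursts[i]["start"] - bursts[i - 1]["end"]).total_seconds())
            for i in range(1, len(bursts)) if bursts[i]["pid"] == bursts[i - 1]["pid"]]
    return {
        "crl_benign": sum(1 for o in crl if o["verified"]),
        "crl_failed": [(o["pid"], o["subject"]) for o in crl if not o["verified"]],
        "replay_bursts": [(b["pid"], b["count"], b["first_id"], b["last_id"]) for b in bursts],
        "quiet_gaps_seconds": gaps,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To run it on a real export, replace SAMPLE_LOG with the contents of the OpenVPN log downloaded from Status > System Logs > OpenVPN; a non-empty `crl_failed` list is the case worth chasing, while warnings that all land in `crl_benign` match the "warning then OK in the same second" pattern the original poster described.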
@skogs That means my 2 errors (AEAD and 22437 VERIFY WARNING) are not dangerous? Everything works fine, I just noticed these errors and thought they could expose my IP. If I leave it as it is, nothing is wrong with my network?
-
@Antibiotic absolutely these settings. As far as I understood, even if I leave this as it is now, nothing is dangerous for my network? Do I need to do something to prevent an IP leak, or even with these errors am I good?
PS thank you for your answers
-
Probably not if it does reconnect OK.
-
@Log1cal-Big7935 just mute them