Observed differences between openvpn on RC1 and RC3

  • Hi all,

    Last day I tested an upgrade from RC1 to RC3 on our current setup (hub and spoke openvpn network with many remote offices and 1 HQ, some have failsafe setups, others have multiple gateways… a bit of everything :) )

    It seemed that openvpn on RC3 isn't honoring push routes on the server to the clients anymore. I had to put the information on every client to get it working.

    Also the connection was unable to get to the remote network (not even those I normally push), but the 2 networks on each end of the connection. I was still able to ping both ends of the internal openvpn network, but not further than that. Changing the tunnel from peer to peer PKI to shared key solved that problem. ???

    After changing to shared key the far away connections (100+ ms round trip) were not stable anymore. Every time the connection went down I saw the message below.

    Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #57210 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

    Eventually I went back to RC1 on the server and things were back to normal. Has anyone seen this behavior too?


  • Rebel Alliance Developer Netgate

    That could only happen if you had an improper setup, like a site-to-site setup using a /30 which doesn't use the server directive, so it can't push routes. Use a larger tunnel network and it will work as you expect.

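The distinction in the reply above (push directives only take effect in server mode; a point-to-point /30 tunnel configured with `ifconfig` has no server mode, so pushes are silently ignored) as an added checker that is not part of the original thread and not pfSense's or OpenVPN's own code. It parses OpenVPN server config text and flags the combination; the two config snippets are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample: site-to-site /30 style tunnel, no 'server' directive.
P2P_CONFIG = """dev tun
ifconfig 10.0.8.1 10.0.8.2
push "route 192.168.10.0 255.255.255.0"
"""

# Constructed sample: server mode with a larger tunnel network (the fix).
SERVER_CONFIG = """dev tun
server 10.0.8.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
"""

def parse_directives(config_text):
    """Return (directive, [args]) pairs, skipping blank and comment lines."""
    out = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = shlex.split(line)  # keeps quoted push arguments together
        out.append((parts[0], parts[1:]))
    return out

def check_push_routes(config_text):
    """Return a list of findings; an empty list means pushes will be delivered."""
    directives = parse_directives(config_text)
    names = {d for d, _ in directives}
    pushes = [a for d, a in directives if d == "push"]
    findings = []
    if pushes and "server" not in names:
        findings.append("push directives present but no 'server' directive: "
                        "OpenVPN only pushes options to clients in server mode")
    for d, args in directives:
        if d == "ifconfig" and len(args) == 2:
            findings.append(f"ifconfig {args[0]} {args[1]} is a point-to-point "
                            "tunnel; use 'server' with a larger tunnel network")
        if d == "server" and len(args) >= 2:
            net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
            if net.prefixlen >= 30:  # assumption: /30 leaves no client pool
                findings.append(f"tunnel network {net} is too small for server mode")
    return findings
```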