Unable to connect most of the time via WAN to OpenVPN.



  • So I've been having this issue with my OpenVPN server for some time and it's driving me insane, to the point that I suspect something funny is going on with my ISP or my mobile data provider…

    Problem: 95% of the time I cannot connect to my OpenVPN server from my iPhone over LTE using the OpenVPN Connect app; I can, however, connect 100% of the time via Wi-Fi on the LAN.

    I believe my OpenVPN config is sound, as I can connect via Wi-Fi; I also believe port forwarding is sound, as I can connect sometimes.

    Tonight, after many attempts (not changing anything, just trying to connect), I managed to connect. Here is the log from the OpenVPN app.

    Note

    2014-11-24 23:23:46 Session invalidated: KEV_NEGOTIATE_ERROR

    2014-11-24 23:22:46 ----- OpenVPN Start -----
    OpenVPN core 3.0 ios arm64 64-bit
    2014-11-24 23:22:46 UNUSED OPTIONS
    0 [persist-tun] 
    1 [persist-key] 
    4 [tls-client] 
    7 [lport] [0] 
    
    2014-11-24 23:22:46 EVENT: RESOLVE
    2014-11-24 23:22:46 LZO-ASYM init swap=0 asym=0
    2014-11-24 23:22:46 Contacting nn.nn.nn.nn:30000 via UDP
    2014-11-24 23:22:46 EVENT: WAIT
    2014-11-24 23:22:46 SetTunnelSocket returned 1
    2014-11-24 23:22:46 Connecting to nn.nn.nn.nn:30000 (nn.nn.nn.nn) via UDPv4
    2014-11-24 23:22:47 EVENT: CONNECTING
    2014-11-24 23:22:47 Tunnel Options:V4,dev-type tun,link-mtu 1566,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA224,keysize 256,tls-auth,key-method 2,tls-client
    2014-11-24 23:22:47 Creds: Username/Password
    2014-11-24 23:22:47 Peer Info:
    IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
    IV_VER=3.0
    IV_PLAT=ios
    IV_NCP=1
    IV_LZO=1
    
    2014-11-24 23:23:19 VERIFY OK: depth=1
    cert. version    : 3
    serial number    : 00
    issuer name      : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=internavpnserver2l-ca
    subject name      : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=internavpnserver2l-ca
    issued  on        : 2014-11-21 05:08:32
    expires on        : 2024-11-18 05:08:32
    signed using      : RSA with SHA-256
    RSA key size      : 2048 bits
    basic constraints : CA=true
    
    2014-11-24 23:23:19 VERIFY OK: depth=0
    cert. version    : 3
    serial number    : 01
    issuer name      : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=internavpnserver2l-ca
    subject name      : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=VPNServer2
    issued  on        : 2014-11-21 05:10:55
    expires on        : 2024-11-18 05:10:55
    signed using      : RSA with SHA-256
    RSA key size      : 2048 bits
    basic constraints : CA=false
    cert. type        : SSL Server
    key usage        : Digital Signature, Key Encipherment
    ext key usage    : TLS Web Server Authentication
    
    2014-11-24 23:23:46 Session invalidated: KEV_NEGOTIATE_ERROR
    2014-11-24 23:23:46 Client terminated, restarting in 2...
    2014-11-24 23:23:46 EVENT: CONNECTION_TIMEOUT [ERR]
    2014-11-24 23:23:46 EVENT: DISCONNECTED
    2014-11-24 23:23:46 Raw stats on disconnect:
      BYTES_IN : 6552
      BYTES_OUT : 13694
      PACKETS_IN : 45
      PACKETS_OUT : 53
      HANDSHAKE_TIMEOUT : 1
      CONNECTION_TIMEOUT : 1
    2014-11-24 23:23:46 Performance stats on disconnect:
      CPU usage (microseconds): 1351246
      Network bytes per CPU second: 14983
      Tunnel bytes per CPU second: 0
    2014-11-24 23:23:46 EVENT: DISCONNECT_PENDING
    2014-11-24 23:23:46 ----- OpenVPN Stop -----
    

    Then suddenly able to connect..

    2014-11-24 23:24:28 ----- OpenVPN Start -----
    OpenVPN core 3.0 ios arm64 64-bit
    2014-11-24 23:24:28 UNUSED OPTIONS
    0 [persist-tun] 
    1 [persist-key] 
    4 [tls-client] 
    7 [lport] [0] 
    
    2014-11-24 23:24:28 EVENT: RESOLVE
    2014-11-24 23:24:28 LZO-ASYM init swap=0 asym=0
    2014-11-24 23:24:28 Contacting nn.nn.nn.nn:30000 via UDP
    2014-11-24 23:24:28 EVENT: WAIT
    2014-11-24 23:24:28 SetTunnelSocket returned 1
    2014-11-24 23:24:28 Connecting to nn.nn.nn.nn:30000 (nn.nn.nn.nn) via UDPv4
    2014-11-24 23:24:28 EVENT: CONNECTING
    2014-11-24 23:24:28 Tunnel Options:V4,dev-type tun,link-mtu 1566,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA224,keysize 256,tls-auth,key-method 2,tls-client
    2014-11-24 23:24:28 Creds: Username/Password
    2014-11-24 23:24:28 Peer Info:
    IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
    IV_VER=3.0
    IV_PLAT=ios
    IV_NCP=1
    IV_LZO=1
    
    2014-11-24 23:24:46 VERIFY OK: depth=1
    cert. version    : 3
    serial number    : 00
    issuer name      : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=internavpnserver2l-ca
    subject name      : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=internavpnserver2l-ca
    issued  on        : 2014-11-21 05:08:32
    expires on        : 2024-11-18 05:08:32
    signed using      : RSA with SHA-256
    RSA key size      : 2048 bits
    basic constraints : CA=true
    
    2014-11-24 23:24:46 VERIFY OK: depth=0
    cert. version    : 3
    serial number    : 01
    issuer name      : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=internavpnserver2l-ca
    subject name      : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=VPNServer2
    issued  on        : 2014-11-21 05:10:55
    expires on        : 2024-11-18 05:10:55
    signed using      : RSA with SHA-256
    RSA key size      : 2048 bits
    basic constraints : CA=false
    cert. type        : SSL Server
    key usage        : Digital Signature, Key Encipherment
    ext key usage    : TLS Web Server Authentication
    
    2014-11-24 23:25:23 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
    2014-11-24 23:25:23 Session is ACTIVE
    2014-11-24 23:25:23 EVENT: GET_CONFIG
    2014-11-24 23:25:23 Sending PUSH_REQUEST to server...
    2014-11-24 23:25:24 Sending PUSH_REQUEST to server...
    2014-11-24 23:25:26 Sending PUSH_REQUEST to server...
    2014-11-24 23:25:26 OPTIONS:
    0 [route] [172.16.30.0] [255.255.255.0] 
    1 [route] [192.168.1.1] [255.255.255.0] 
    2 [dhcp-option] [DNS] [192.168.1.1] 
    3 [redirect-gateway] [def1] 
    4 [route] [192.168.30.0] [255.255.255.0] 
    5 [topology] [net30] 
    6 [ping] [10] 
    7 [ping-restart] [60] 
    8 [ifconfig] [192.168.30.6] [192.168.30.5] 
    
    2014-11-24 23:25:26 LZO-ASYM init swap=0 asym=0
    2014-11-24 23:25:26 EVENT: ASSIGN_IP
    2014-11-24 23:25:26 Error parsing IPv4 route: [route] [192.168.1.1] [255.255.255.0]  : tun_prop_error: route is not canonical
    2014-11-24 23:25:26 TunPersist: saving tun context:
    Session Name: nn.nn.nn.nn
    Remote Address: nn.nn.nn.nn
    Tunnel Addresses:
      192.168.30.6/30 -> 192.168.30.5 [net30]
    Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 IPv4 ]
    Block IPv6: no
    Add Routes:
    Exclude Routes:
    DNS Servers:
      192.168.1.1
    Search Domains:
    
    2014-11-24 23:25:26 Connected via tun
    2014-11-24 23:25:26 EVENT: CONNECTED *user*@nn.nn.nn.nn:30000 (nn.nn.nn.nn) via /UDPv4 on tun/192.168.30.6/
    2014-11-24 23:25:26 NET Internet:ReachableViaWWAN/WR t----l-
    2014-11-24 23:25:26 NET WiFi:NotReachable/WR t------
    2014-11-24 23:25:26 SetStatus Connected
    

    When it does finally connect I see lots of the following, and it then times out after a short period of time.

    Nov 24 23:25:59	openvpn[50007]: *user*/nn.nnn.nn.nn:28034 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:28034
    Nov 24 23:25:59	openvpn[50007]: *user*/nn.nnn.nn.nn:28034 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1416889468) Mon Nov 24 23:24:28 2014 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Nov 24 23:25:57	openvpn[50007]: *user*/nn.nnn.nn.nn:28034 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:28034
    Nov 24 23:25:57	openvpn[50007]: *user*/nn.nnn.nn.nn:28034 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1416889468) Mon Nov 24 23:24:28 2014 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Nov 24 23:25:55	openvpn[50007]: *user*/nn.nnn.nn.nn:28034 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:28034
    Nov 24 23:25:55	openvpn[50007]: *user*/nn.nnn.nn.nn:28034 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1416889468) Mon Nov 24 23:24:28 2014 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Nov 24 23:25:53	openvpn[50007]: *user*/nn.nnn.nn.nn:28034 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:28034
    Nov 24 23:25:53	openvpn[50007]: *user*/nn.nnn.nn.nn:28034 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1416889468) Mon Nov 24 23:24:28 2014 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Nov 24 23:25:51	openvpn[50007]: *user*/nn.nnn.nn.nn:28034 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:28034
    
    Nov 24 23:50:27	openvpn[50007]: nn.nnn.nn.nn:40898 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Nov 24 23:50:24	openvpn[50007]: nn.nnn.nn.nn:40898 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:40898
    Nov 24 23:50:24	openvpn[50007]: nn.nnn.nn.nn:40898 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2 / time = (1416890967) Mon Nov 24 23:49:27 2014 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Nov 24 23:50:22	openvpn[50007]: nn.nnn.nn.nn:40898 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:40898
    

    Currently I'm only able to access it via VPN, but once I'm within the LAN I'll post configs. Based on the fact that it works flawlessly on the LAN, I'm inclined to think it's not the config.

    Any ideas on how to resolve?

    I'm using 2.2 BETA after upgrading from stable, thinking that may help. Guess it might have made it worse.
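Two checks a defender would want to run against the logs above, written as an added example (this is not code from the original post, from OpenVPN, or from pfSense). The first reproduces the condition behind the client's "route is not canonical" message: a pushed route's network address must have no host bits set under its mask, which the pushed `route 192.168.1.1 255.255.255.0` fails. The second parses server-side log lines in the format shown above and counts, per client address, the "bad packet ID (may be a replay)" warnings, packet authentication failures and TLS negotiation timeouts, so a recurring pattern from one client stands out across reconnects. All function names, the regular expressions and the sample server log (with TEST-NET addresses and the user names `alice` and `bob`) are constructed for this example; only the pushed OPTIONS lines are copied from the post.

```python
"""Added example, not from the original post: a route-canonicality check
and a per-client summary of OpenVPN server log errors."""
import ipaddress
import re
from collections import defaultdict

# Pushed OPTIONS lines exactly as the OpenVPN Connect log in the post shows them.
SAMPLE_PUSHED_OPTIONS = [
    "0 [route] [172.16.30.0] [255.255.255.0]",
    "1 [route] [192.168.1.1] [255.255.255.0]",
    "2 [dhcp-option] [DNS] [192.168.1.1]",
    "3 [redirect-gateway] [def1]",
    "4 [route] [192.168.30.0] [255.255.255.0]",
]

# Constructed server log lines in the same layout as the post's syslog excerpt
# (placeholder addresses from 203.0.113.0/24 and 198.51.100.0/24, constructed users).
SAMPLE_SERVER_LOG = """\
Nov 24 23:25:59\topenvpn[50007]: alice/203.0.113.10:28034 TLS Error: incoming packet authentication failed from [AF_INET]203.0.113.10:28034
Nov 24 23:25:59\topenvpn[50007]: alice/203.0.113.10:28034 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1416889468) Mon Nov 24 23:24:28 2014 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Nov 24 23:25:57\topenvpn[50007]: alice/203.0.113.10:28034 TLS Error: incoming packet authentication failed from [AF_INET]203.0.113.10:28034
Nov 24 23:50:27\topenvpn[50007]: 203.0.113.10:40898 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 24 23:50:24\topenvpn[50007]: 203.0.113.10:40898 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2 / time = (1416890967) Mon Nov 24 23:49:27 2014 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Nov 24 23:51:00\topenvpn[50007]: bob/198.51.100.7:51000 MULTI: Learn: 192.168.30.10 -> bob/198.51.100.7:51000
"""

# "<index> [route] [<network>] [<netmask>]" as printed by the client.
OPTION_RE = re.compile(r"^\d+\s+\[route\]\s+\[([\d.]+)\]\s+\[([\d.]+)\]")

# "<Mon DD HH:MM:SS> openvpn[<pid>]: [<user>/]<ip>:<port> <message>"
SERVER_RE = re.compile(
    r"^\w{3} \d{1,2} \d\d:\d\d:\d\d\s+openvpn\[\d+\]:\s+"
    r"(?:(?P<user>[^/\s]+)/)?(?P<endpoint>\d[\d.]*:\d+)\s+(?P<msg>.*)$"
)


def is_canonical_route(network, netmask):
    """True when network/netmask has no host bits set, i.e. the address is
    the network address itself. strict=True makes ipaddress reject host bits."""
    try:
        ipaddress.IPv4Network((network, netmask), strict=True)
        return True
    except ValueError:
        return False


def non_canonical_pushed_routes(option_lines):
    """Return the (network, netmask) pairs among pushed routes that the
    client would refuse with 'route is not canonical'."""
    bad = []
    for line in option_lines:
        m = OPTION_RE.match(line.strip())
        if m and not is_canonical_route(m.group(1), m.group(2)):
            bad.append((m.group(1), m.group(2)))
    return bad


def classify(msg):
    """Map a server log message to a coarse error category."""
    if "bad packet ID (may be a replay)" in msg:
        return "replay_or_bad_packet_id"
    if "incoming packet authentication failed" in msg:
        return "packet_auth_failed"
    if "TLS key negotiation failed to occur" in msg:
        return "tls_negotiation_timeout"
    return "other"


def summarize_server_log(text):
    """Count error categories per client address. The source port changes on
    every reconnect, so it is dropped from the key and the number of distinct
    ports is reported as 'sessions' instead."""
    counts = defaultdict(lambda: defaultdict(int))
    ports = defaultdict(set)
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if not m:
            continue
        addr, port = m.group("endpoint").rsplit(":", 1)
        ports[addr].add(port)
        counts[addr][classify(m.group("msg"))] += 1
    return {addr: {"sessions": len(ports[addr]), **dict(counts[addr])} for addr in counts}


if __name__ == "__main__":
    print("non-canonical pushed routes:", non_canonical_pushed_routes(SAMPLE_PUSHED_OPTIONS))
    for addr, stats in summarize_server_log(SAMPLE_SERVER_LOG).items():
        print(addr, stats)
```

Running it against the post's pushed options reports the single offending route, `192.168.1.1/255.255.255.0` (the network address should be `192.168.1.0` for a /24), and against the sample log it shows one client address with two sessions carrying all of the authentication and replay warnings while the other client is clean. Pointing `summarize_server_log` at a real server log (after syslog extraction) gives the same per-client view on live data.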