Unable to connect most of the time via WAN to OpenVPN.
So I've been having this issue with my OpenVPN server for some time and it's driving me insane, to the point I suspect something funny is going on with my ISP or my mobile data provider…
Problem: 95% of the time I cannot connect to my OpenVPN server from my iPhone over LTE using the OpenVPN Connect app; I can, however, connect 100% of the time via WiFi on the LAN.
I believe my OpenVPN config is sound, as I can connect via WiFi. I also believe port forwarding is sound, as I can connect sometimes.
Tonight, after many attempts (not changing anything, just trying to connect), I managed to connect. Here is the log from the OpenVPN app.
Note
2014-11-24 23:23:46 Session invalidated: KEV_NEGOTIATE_ERROR
2014-11-24 23:22:46 ----- OpenVPN Start -----
OpenVPN core 3.0 ios arm64 64-bit
2014-11-24 23:22:46 UNUSED OPTIONS
  0 [persist-tun]
  1 [persist-key]
  4 [tls-client]
  7 [lport] [0]
2014-11-24 23:22:46 EVENT: RESOLVE
2014-11-24 23:22:46 LZO-ASYM init swap=0 asym=0
2014-11-24 23:22:46 Contacting nn.nn.nn.nn:30000 via UDP
2014-11-24 23:22:46 EVENT: WAIT
2014-11-24 23:22:46 SetTunnelSocket returned 1
2014-11-24 23:22:46 Connecting to nn.nn.nn.nn:30000 (nn.nn.nn.nn) via UDPv4
2014-11-24 23:22:47 EVENT: CONNECTING
2014-11-24 23:22:47 Tunnel Options:V4,dev-type tun,link-mtu 1566,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA224,keysize 256,tls-auth,key-method 2,tls-client
2014-11-24 23:22:47 Creds: Username/Password
2014-11-24 23:22:47 Peer Info:
  IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
  IV_VER=3.0
  IV_PLAT=ios
  IV_NCP=1
  IV_LZO=1
2014-11-24 23:23:19 VERIFY OK: depth=1
  cert. version : 3
  serial number : 00
  issuer name : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=internavpnserver2l-ca
  subject name : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=internavpnserver2l-ca
  issued on : 2014-11-21 05:08:32
  expires on : 2024-11-18 05:08:32
  signed using : RSA with SHA-256
  RSA key size : 2048 bits
  basic constraints : CA=true
2014-11-24 23:23:19 VERIFY OK: depth=0
  cert. version : 3
  serial number : 01
  issuer name : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=internavpnserver2l-ca
  subject name : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=VPNServer2
  issued on : 2014-11-21 05:10:55
  expires on : 2024-11-18 05:10:55
  signed using : RSA with SHA-256
  RSA key size : 2048 bits
  basic constraints : CA=false
  cert. type : SSL Server
  key usage : Digital Signature, Key Encipherment
  ext key usage : TLS Web Server Authentication
2014-11-24 23:23:46 Session invalidated: KEV_NEGOTIATE_ERROR
2014-11-24 23:23:46 Client terminated, restarting in 2...
2014-11-24 23:23:46 EVENT: CONNECTION_TIMEOUT [ERR]
2014-11-24 23:23:46 EVENT: DISCONNECTED
2014-11-24 23:23:46 Raw stats on disconnect:
  BYTES_IN : 6552
  BYTES_OUT : 13694
  PACKETS_IN : 45
  PACKETS_OUT : 53
  HANDSHAKE_TIMEOUT : 1
  CONNECTION_TIMEOUT : 1
2014-11-24 23:23:46 Performance stats on disconnect:
  CPU usage (microseconds): 1351246
  Network bytes per CPU second: 14983
  Tunnel bytes per CPU second: 0
2014-11-24 23:23:46 EVENT: DISCONNECT_PENDING
2014-11-24 23:23:46 ----- OpenVPN Stop -----
Then suddenly able to connect..
2014-11-24 23:24:28 ----- OpenVPN Start -----
OpenVPN core 3.0 ios arm64 64-bit
2014-11-24 23:24:28 UNUSED OPTIONS
  0 [persist-tun]
  1 [persist-key]
  4 [tls-client]
  7 [lport] [0]
2014-11-24 23:24:28 EVENT: RESOLVE
2014-11-24 23:24:28 LZO-ASYM init swap=0 asym=0
2014-11-24 23:24:28 Contacting nn.nn.nn.nn:30000 via UDP
2014-11-24 23:24:28 EVENT: WAIT
2014-11-24 23:24:28 SetTunnelSocket returned 1
2014-11-24 23:24:28 Connecting to nn.nn.nn.nn:30000 (nn.nn.nn.nn) via UDPv4
2014-11-24 23:24:28 EVENT: CONNECTING
2014-11-24 23:24:28 Tunnel Options:V4,dev-type tun,link-mtu 1566,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA224,keysize 256,tls-auth,key-method 2,tls-client
2014-11-24 23:24:28 Creds: Username/Password
2014-11-24 23:24:28 Peer Info:
  IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
  IV_VER=3.0
  IV_PLAT=ios
  IV_NCP=1
  IV_LZO=1
2014-11-24 23:24:46 VERIFY OK: depth=1
  cert. version : 3
  serial number : 00
  issuer name : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=internavpnserver2l-ca
  subject name : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=internavpnserver2l-ca
  issued on : 2014-11-21 05:08:32
  expires on : 2024-11-18 05:08:32
  signed using : RSA with SHA-256
  RSA key size : 2048 bits
  basic constraints : CA=true
2014-11-24 23:24:46 VERIFY OK: depth=0
  cert. version : 3
  serial number : 01
  issuer name : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=internavpnserver2l-ca
  subject name : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=VPNServer2
  issued on : 2014-11-21 05:10:55
  expires on : 2024-11-18 05:10:55
  signed using : RSA with SHA-256
  RSA key size : 2048 bits
  basic constraints : CA=false
  cert. type : SSL Server
  key usage : Digital Signature, Key Encipherment
  ext key usage : TLS Web Server Authentication
2014-11-24 23:25:23 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
2014-11-24 23:25:23 Session is ACTIVE
2014-11-24 23:25:23 EVENT: GET_CONFIG
2014-11-24 23:25:23 Sending PUSH_REQUEST to server...
2014-11-24 23:25:24 Sending PUSH_REQUEST to server...
2014-11-24 23:25:26 Sending PUSH_REQUEST to server...
2014-11-24 23:25:26 OPTIONS:
  0 [route] [172.16.30.0] [255.255.255.0]
  1 [route] [192.168.1.1] [255.255.255.0]
  2 [dhcp-option] [DNS] [192.168.1.1]
  3 [redirect-gateway] [def1]
  4 [route] [192.168.30.0] [255.255.255.0]
  5 [topology] [net30]
  6 [ping] [10]
  7 [ping-restart] [60]
  8 [ifconfig] [192.168.30.6] [192.168.30.5]
2014-11-24 23:25:26 LZO-ASYM init swap=0 asym=0
2014-11-24 23:25:26 EVENT: ASSIGN_IP
2014-11-24 23:25:26 Error parsing IPv4 route: [route] [192.168.1.1] [255.255.255.0] : tun_prop_error: route is not canonical
2014-11-24 23:25:26 TunPersist: saving tun context:
  Session Name: nn.nn.nn.nn
  Remote Address: nn.nn.nn.nn
  Tunnel Addresses:
    192.168.30.6/30 -> 192.168.30.5 [net30]
  Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 IPv4 ]
  Block IPv6: no
  Add Routes:
  Exclude Routes:
  DNS Servers:
    192.168.1.1
  Search Domains:
2014-11-24 23:25:26 Connected via tun
2014-11-24 23:25:26 EVENT: CONNECTED *user*@nn.nn.nn.nn:30000 (nn.nn.nn.nn) via /UDPv4 on tun/192.168.30.6/
2014-11-24 23:25:26 NET Internet:ReachableViaWWAN/WR t----l-
2014-11-24 23:25:26 NET WiFi:NotReachable/WR t------
2014-11-24 23:25:26 SetStatus Connected
When it does finally connect I see lots of the following; it then times out after a short period of time.
Nov 24 23:25:59 openvpn[50007]: *user*/nn.nnn.nn.nn:28034 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:28034
Nov 24 23:25:59 openvpn[50007]: *user*/nn.nnn.nn.nn:28034 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1416889468) Mon Nov 24 23:24:28 2014 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Nov 24 23:25:57 openvpn[50007]: *user*/nn.nnn.nn.nn:28034 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:28034
Nov 24 23:25:57 openvpn[50007]: *user*/nn.nnn.nn.nn:28034 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1416889468) Mon Nov 24 23:24:28 2014 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Nov 24 23:25:55 openvpn[50007]: *user*/nn.nnn.nn.nn:28034 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:28034
Nov 24 23:25:55 openvpn[50007]: *user*/nn.nnn.nn.nn:28034 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1416889468) Mon Nov 24 23:24:28 2014 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Nov 24 23:25:53 openvpn[50007]: *user*/nn.nnn.nn.nn:28034 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:28034
Nov 24 23:25:53 openvpn[50007]: *user*/nn.nnn.nn.nn:28034 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1416889468) Mon Nov 24 23:24:28 2014 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Nov 24 23:25:51 openvpn[50007]: *user*/nn.nnn.nn.nn:28034 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:28034

Nov 24 23:50:27 openvpn[50007]: nn.nnn.nn.nn:40898 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 24 23:50:24 openvpn[50007]: nn.nnn.nn.nn:40898 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:40898
Nov 24 23:50:24 openvpn[50007]: nn.nnn.nn.nn:40898 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2 / time = (1416890967) Mon Nov 24 23:49:27 2014 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Nov 24 23:50:22 openvpn[50007]: nn.nnn.nn.nn:40898 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:40898
Currently only able to access via VPN, but once I'm within the LAN I'll post configs. Based on the fact it works flawlessly on the LAN, I'm led to think it's not the config.
Any ideas on how to resolve?
I'm using 2.2 BETA after upgrading from stable after thinking that may help. Guess it might have made it worse.
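
The server log in the post shows the same rejected packet ID (#51, same packet time) logged every two seconds. As an added example that is not part of the original post, this Python script groups the "bad packet ID" lines by peer, packet ID and packet time and reports the gaps between rejections, so repeats of one packet stand apart from rejections of many different packets. The sample lines are constructed, with a documentation-range address in place of the redacted peer, and the year 2014 is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample shaped like the server log in the post (newest first);
# 203.0.113.7 is a documentation-range placeholder for the redacted peer.
_P = "openvpn[50007]: user/203.0.113.7:28034"
_BAD = ("Authenticate/Decrypt packet error: bad packet ID (may be a replay): "
        "[ #%d / time = (%d) %s ] -- see the man page entry for --no-replay")
SAMPLE_LOG = "\n".join(
    [f"Nov 24 23:50:24 openvpn[50007]: 203.0.113.7:40898 "
     + _BAD % (2, 1416890967, "Mon Nov 24 23:49:27 2014")]
    + [f"Nov 24 23:25:{s} {_P} TLS Error: incoming packet authentication failed"
       for s in (59, 57, 55, 53)]
    + [f"Nov 24 23:25:{s} {_P} " + _BAD % (51, 1416889468, "Mon Nov 24 23:24:28 2014")
       for s in (59, 57, 55, 53)])

REPLAY_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) openvpn\[\d+\]: (?P<peer>\S+) "
    r"Authenticate/Decrypt packet error: bad packet ID \(may be a replay\): "
    r"\[ #(?P<pid>\d+) / time = \((?P<epoch>\d+)\)")

def summarize_replays(log_text, year=2014):
    """Map (peer, packet ID, packet time) -> sorted arrival times of rejections."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = REPLAY_RE.match(line)
        if m:
            # Syslog stamps carry no year; `year` is an assumption from the caller.
            when = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
            groups[(m["peer"], int(m["pid"]), int(m["epoch"]))].append(when)
    return {key: sorted(times) for key, times in groups.items()}

def retransmit_gaps(times):
    """Seconds between consecutive rejections of one packet."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

def repeated_packets(summary, min_count=2):
    """Packets rejected at least min_count times, with the gaps between rejections."""
    return {k: retransmit_gaps(v) for k, v in summary.items() if len(v) >= min_count}

if __name__ == "__main__":
    found = repeated_packets(summarize_replays(SAMPLE_LOG))
    for (peer, pid, epoch), gaps in found.items():
        print(f"{peer} packet #{pid} (time {epoch}): "
              f"rejected {len(gaps) + 1} times, gaps {gaps} s")
```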