Netgate Discussion Forum

    Unable to connect most of the time via WAN to OpenVPN.

    Qu3uk

      So I've been having this issue with my OpenVPN server for some time and it's driving me insane to the point I suspect something funny is going on with my ISP or my mobile data provider…

      Problem: 95% of the time I cannot connect to my OpenVPN server from my iPhone over LTE using the OpenVPN Connect app; I can, however, connect 100% of the time via Wi-Fi on the LAN.

      I believe my OpenVPN config is sound, as I can connect via Wi-Fi. I also believe port forwarding is sound, as I can connect sometimes.

      Tonight, after many attempts (not changing anything, just trying to connect), I managed to connect. Here is the log from the OpenVPN app.

      Note

      2014-11-24 23:23:46 Session invalidated: KEV_NEGOTIATE_ERROR

      2014-11-24 23:22:46 ----- OpenVPN Start -----
      OpenVPN core 3.0 ios arm64 64-bit
      2014-11-24 23:22:46 UNUSED OPTIONS
      0 [persist-tun] 
      1 [persist-key] 
      4 [tls-client] 
      7 [lport] [0] 
      
      2014-11-24 23:22:46 EVENT: RESOLVE
      2014-11-24 23:22:46 LZO-ASYM init swap=0 asym=0
      2014-11-24 23:22:46 Contacting nn.nn.nn.nn:30000 via UDP
      2014-11-24 23:22:46 EVENT: WAIT
      2014-11-24 23:22:46 SetTunnelSocket returned 1
      2014-11-24 23:22:46 Connecting to nn.nn.nn.nn:30000 (nn.nn.nn.nn) via UDPv4
      2014-11-24 23:22:47 EVENT: CONNECTING
      2014-11-24 23:22:47 Tunnel Options:V4,dev-type tun,link-mtu 1566,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA224,keysize 256,tls-auth,key-method 2,tls-client
      2014-11-24 23:22:47 Creds: Username/Password
      2014-11-24 23:22:47 Peer Info:
      IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
      IV_VER=3.0
      IV_PLAT=ios
      IV_NCP=1
      IV_LZO=1
      
      2014-11-24 23:23:19 VERIFY OK: depth=1
      cert. version    : 3
      serial number    : 00
      issuer name      : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=internavpnserver2l-ca
      subject name      : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=internavpnserver2l-ca
      issued  on        : 2014-11-21 05:08:32
      expires on        : 2024-11-18 05:08:32
      signed using      : RSA with SHA-256
      RSA key size      : 2048 bits
      basic constraints : CA=true
      
      2014-11-24 23:23:19 VERIFY OK: depth=0
      cert. version    : 3
      serial number    : 01
      issuer name      : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=internavpnserver2l-ca
      subject name      : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=VPNServer2
      issued  on        : 2014-11-21 05:10:55
      expires on        : 2024-11-18 05:10:55
      signed using      : RSA with SHA-256
      RSA key size      : 2048 bits
      basic constraints : CA=false
      cert. type        : SSL Server
      key usage        : Digital Signature, Key Encipherment
      ext key usage    : TLS Web Server Authentication
      
      2014-11-24 23:23:46 Session invalidated: KEV_NEGOTIATE_ERROR
      2014-11-24 23:23:46 Client terminated, restarting in 2...
      2014-11-24 23:23:46 EVENT: CONNECTION_TIMEOUT [ERR]
      2014-11-24 23:23:46 EVENT: DISCONNECTED
      2014-11-24 23:23:46 Raw stats on disconnect:
        BYTES_IN : 6552
        BYTES_OUT : 13694
        PACKETS_IN : 45
        PACKETS_OUT : 53
        HANDSHAKE_TIMEOUT : 1
        CONNECTION_TIMEOUT : 1
      2014-11-24 23:23:46 Performance stats on disconnect:
        CPU usage (microseconds): 1351246
        Network bytes per CPU second: 14983
        Tunnel bytes per CPU second: 0
      2014-11-24 23:23:46 EVENT: DISCONNECT_PENDING
      2014-11-24 23:23:46 ----- OpenVPN Stop -----
      

      Then suddenly able to connect..

      2014-11-24 23:24:28 ----- OpenVPN Start -----
      OpenVPN core 3.0 ios arm64 64-bit
      2014-11-24 23:24:28 UNUSED OPTIONS
      0 [persist-tun] 
      1 [persist-key] 
      4 [tls-client] 
      7 [lport] [0] 
      
      2014-11-24 23:24:28 EVENT: RESOLVE
      2014-11-24 23:24:28 LZO-ASYM init swap=0 asym=0
      2014-11-24 23:24:28 Contacting nn.nn.nn.nn:30000 via UDP
      2014-11-24 23:24:28 EVENT: WAIT
      2014-11-24 23:24:28 SetTunnelSocket returned 1
      2014-11-24 23:24:28 Connecting to nn.nn.nn.nn:30000 (nn.nn.nn.nn) via UDPv4
      2014-11-24 23:24:28 EVENT: CONNECTING
      2014-11-24 23:24:28 Tunnel Options:V4,dev-type tun,link-mtu 1566,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA224,keysize 256,tls-auth,key-method 2,tls-client
      2014-11-24 23:24:28 Creds: Username/Password
      2014-11-24 23:24:28 Peer Info:
      IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
      IV_VER=3.0
      IV_PLAT=ios
      IV_NCP=1
      IV_LZO=1
      
      2014-11-24 23:24:46 VERIFY OK: depth=1
      cert. version    : 3
      serial number    : 00
      issuer name      : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=internavpnserver2l-ca
      subject name      : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=internavpnserver2l-ca
      issued  on        : 2014-11-21 05:08:32
      expires on        : 2024-11-18 05:08:32
      signed using      : RSA with SHA-256
      RSA key size      : 2048 bits
      basic constraints : CA=true
      
      2014-11-24 23:24:46 VERIFY OK: depth=0
      cert. version    : 3
      serial number    : 01
      issuer name      : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=internavpnserver2l-ca
      subject name      : C=US, ST=NY, L=New York, O=*user*, emailAddress=*email*, CN=VPNServer2
      issued  on        : 2014-11-21 05:10:55
      expires on        : 2024-11-18 05:10:55
      signed using      : RSA with SHA-256
      RSA key size      : 2048 bits
      basic constraints : CA=false
      cert. type        : SSL Server
      key usage        : Digital Signature, Key Encipherment
      ext key usage    : TLS Web Server Authentication
      
      2014-11-24 23:25:23 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
      2014-11-24 23:25:23 Session is ACTIVE
      2014-11-24 23:25:23 EVENT: GET_CONFIG
      2014-11-24 23:25:23 Sending PUSH_REQUEST to server...
      2014-11-24 23:25:24 Sending PUSH_REQUEST to server...
      2014-11-24 23:25:26 Sending PUSH_REQUEST to server...
      2014-11-24 23:25:26 OPTIONS:
      0 [route] [172.16.30.0] [255.255.255.0] 
      1 [route] [192.168.1.1] [255.255.255.0] 
      2 [dhcp-option] [DNS] [192.168.1.1] 
      3 [redirect-gateway] [def1] 
      4 [route] [192.168.30.0] [255.255.255.0] 
      5 [topology] [net30] 
      6 [ping] [10] 
      7 [ping-restart] [60] 
      8 [ifconfig] [192.168.30.6] [192.168.30.5] 
      
      2014-11-24 23:25:26 LZO-ASYM init swap=0 asym=0
      2014-11-24 23:25:26 EVENT: ASSIGN_IP
      2014-11-24 23:25:26 Error parsing IPv4 route: [route] [192.168.1.1] [255.255.255.0]  : tun_prop_error: route is not canonical
      2014-11-24 23:25:26 TunPersist: saving tun context:
      Session Name: nn.nn.nn.nn
      Remote Address: nn.nn.nn.nn
      Tunnel Addresses:
        192.168.30.6/30 -> 192.168.30.5 [net30]
      Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 IPv4 ]
      Block IPv6: no
      Add Routes:
      Exclude Routes:
      DNS Servers:
        192.168.1.1
      Search Domains:
      
      2014-11-24 23:25:26 Connected via tun
      2014-11-24 23:25:26 EVENT: CONNECTED *user*@nn.nn.nn.nn:30000 (nn.nn.nn.nn) via /UDPv4 on tun/192.168.30.6/
      2014-11-24 23:25:26 NET Internet:ReachableViaWWAN/WR t----l-
      2014-11-24 23:25:26 NET WiFi:NotReachable/WR t------
      2014-11-24 23:25:26 SetStatus Connected
      

      When it does finally connect, I see lots of the following; it then times out after a short period of time.

      Nov 24 23:25:59	openvpn[50007]: *user*/nn.nnn.nn.nn:28034 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:28034
      Nov 24 23:25:59	openvpn[50007]: *user*/nn.nnn.nn.nn:28034 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1416889468) Mon Nov 24 23:24:28 2014 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
      Nov 24 23:25:57	openvpn[50007]: *user*/nn.nnn.nn.nn:28034 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:28034
      Nov 24 23:25:57	openvpn[50007]: *user*/nn.nnn.nn.nn:28034 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1416889468) Mon Nov 24 23:24:28 2014 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
      Nov 24 23:25:55	openvpn[50007]: *user*/nn.nnn.nn.nn:28034 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:28034
      Nov 24 23:25:55	openvpn[50007]: *user*/nn.nnn.nn.nn:28034 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1416889468) Mon Nov 24 23:24:28 2014 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
      Nov 24 23:25:53	openvpn[50007]: *user*/nn.nnn.nn.nn:28034 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:28034
      Nov 24 23:25:53	openvpn[50007]: *user*/nn.nnn.nn.nn:28034 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1416889468) Mon Nov 24 23:24:28 2014 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
      Nov 24 23:25:51	openvpn[50007]: *user*/nn.nnn.nn.nn:28034 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:28034
      
      Nov 24 23:50:27	openvpn[50007]: nn.nnn.nn.nn:40898 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Nov 24 23:50:24	openvpn[50007]: nn.nnn.nn.nn:40898 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:40898
      Nov 24 23:50:24	openvpn[50007]: nn.nnn.nn.nn:40898 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2 / time = (1416890967) Mon Nov 24 23:49:27 2014 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
      Nov 24 23:50:22	openvpn[50007]: nn.nnn.nn.nn:40898 TLS Error: incoming packet authentication failed from [AF_INET]nn.nnn.nn.nn:40898
      

      Currently I'm only able to access via VPN, but once I'm within the LAN I'll post configs. Based on the fact that it works flawlessly on the LAN, I am led to think it's not the config.

      Any ideas on how to resolve?

      I'm using 2.2 BETA after upgrading from stable after thinking that may help. Guess it might have made it worse.
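
An added example (not part of the original post, and not Netgate or OpenVPN code): a small Python script that groups the server's "bad packet ID (may be a replay)" warnings by peer, packet ID and packet timestamp, so it is visible at a glance whether one packet is being rejected over and over, as with #51 in the server log above, or many distinct IDs are failing. The sample lines and the peer address 198.51.100.7 are constructed; `summarize_replays` and its field names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format of the server log in the post.
# The peer address is a documentation placeholder, not a value from the page.
SAMPLE_LOG = """\
Nov 24 23:25:51 openvpn[50007]: user/198.51.100.7:28034 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1416889468) Mon Nov 24 23:24:28 2014 ] -- see the man page
Nov 24 23:25:53 openvpn[50007]: user/198.51.100.7:28034 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1416889468) Mon Nov 24 23:24:28 2014 ] -- see the man page
Nov 24 23:25:55 openvpn[50007]: user/198.51.100.7:28034 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #51 / time = (1416889468) Mon Nov 24 23:24:28 2014 ] -- see the man page
Nov 24 23:50:24 openvpn[50007]: 198.51.100.7:40898 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2 / time = (1416890967) Mon Nov 24 23:49:27 2014 ] -- see the man page
Nov 24 23:50:27 openvpn[50007]: 198.51.100.7:40898 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

# Syslog timestamp, peer label, then the packet ID and packet time in brackets.
REPLAY = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+openvpn\[\d+\]:\s+(?P<peer>\S+)\s+"
    r"Authenticate/Decrypt packet error: bad packet ID \(may be a replay\): "
    r"\[ #(?P<pid>\d+) / time = \((?P<epoch>\d+)\)"
)

def summarize_replays(log_text, year=2014):
    """Group replay warnings by (peer, packet ID, packet time)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = REPLAY.match(line)
        if not m:
            continue  # other TLS errors are ignored by this summary
        # Syslog lines carry no year, so the caller supplies one.
        seen = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        groups[(m["peer"], int(m["pid"]), int(m["epoch"]))].append(seen)
    report = []
    for (peer, pid, epoch), times in sorted(groups.items(), key=lambda kv: min(kv[1])):
        report.append({
            "peer": peer, "packet_id": pid, "packet_time": epoch,
            "rejections": len(times),
            "span_seconds": int((max(times) - min(times)).total_seconds()),
            # True when one packet ID was rejected more than once: copies of
            # a single packet, not a run of distinct out-of-window packets.
            "same_packet_repeated": len(times) > 1,
        })
    return report

if __name__ == "__main__":
    for row in summarize_replays(SAMPLE_LOG):
        print(row)
```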
