Topic: OpenVPN Authenticate/Decrypt packet error: bad packet ID on TCP, not UDP?? :(

[devnullius]

I got the following message from a VPN provider I like very much... I hope somebody here has some pointers for us?

This is for a client of theirs:

Oh, Devvie, quick question, if I may dare to take advantage of your experience again...
Have you ever got the "Authenticate/Decrypt packet error: bad packet ID (may be a replay)" error, but with tcp, not with udp? This is a bit odd and couldn't replicate it, so after digging a bit, all the cases seem to have been on udp, so it's a bit of a dead end. But still digging...

Regards

I have no experience to speak of in this, so ... Before I even google, thought I'd share this Q with SCF community too

After they read my leads, they had this to add:

P.S.I read, a lot of new stuff there, that we'll keep me and the customer busy for a while! He is in a university residence so tcp is the only open port he can use, he connects smoothly, he can browse, but the problem shows and he gets disconnected when downloading files. So I suspect the ISP packet fragmentation. For the rest of the questions, still waiting on the customer. I didn't know whether to jump in the forum or give you personally the info )

Devvie

[devnullius]

I'll edit some links / questions / things to check here...

Q: are you using the same TLS-AUTH key in both server and client?
---
Q: is every server you try failing? Or just some nodes/countries/servers?
---
Q: uninformed question by me: "replay failed" sounds to me like a time-stamp error? Are both client and server using same date & time?
---
I: I was also thinking of cable errors... Or wrongly placed cables (upload port vs LAN port: something ppl might mix up at home). So I found this quote:

The logs show that either duplicate packets are being received or packets are arriving out of correct order. Seeing the last lines of the logs ("Replay-window backtrack occurred") the second option is more probable. If the problem was born only recently, maybe it is just a temporary peering issue between our servers and your ISP. Rarely it may also be a symptom of a defective Ethernet cable or network card, router issues or WiFi problems. Please try connections to VPN servers' TCP ports to mitigate the problem and also test different servers. Finally, just in case, if you have the chance, try to replace momentarily cable and router and if possible also the computer. Change only one item at a time to determine if the problem is in the hardware.

(https://airvpn.org/topic/3773-pls-help-strange-logs/#entry3775)
---
I: for the paranoid: quote:

A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator (of course not in our case!!!) or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution. OpenVPN will reject correctly the fraudulent packets and no injection is possible. However the attack, if well organized, will slow down considerably your VPN connections. If your problem occurs on EVERY Air server, then it's extremely unlikely that you are the target of a replay attack, UNLESS your adversary has the ability to monitor your own ISP line.

However, the "Authenticate/Decrypt packet error: bad packet ID (may be a replay)" log entries do really suggest a replay attack against you even before the connection to our servers. If this an attack, then the adversary is not attacking our servers in general, he/she is attacking you specifically.

(https://airvpn.org/topic/3773-pls-help-strange-logs/#entry3784)

Which also leads to this new Q: replay parameters for high latency links and compromising security: https://openvpn.net/archive/openvpn-users/2004-09/msg00068.html
---
My Q: have you taken the computer (and LAN cable) to your neighbours? Use it with their ISP and get a new IP address for the internet. See what's going on there. Install OpenVPN with your credentials / .conf files on another computer in your home. Same results?
---
My Q: are we really really sure there is no malware?? See my article here http://scforum.info/index.php?topic=8202.msg20873#msg20873, scroll down to "== Manual Intervention =="-section.
And if that isn't enough, we also have this article http://scforum.info/index.php/topic,8412.0.html ;-)
---
Q: normally, this problem is seen with UDP only, not TCP. With UDP I've read it could lead to a high CPU usage. What is the CPU doing on this client computer? Spiking too? https://airvpn.org/topic/14376-authenticatedecrypt-packet-error-warnings-with-p2p-traffic/#entry28299
---
I: can't believe we'll solve it with this, but for completeness... I couldn't ignore it

Fix: Edit the config files.

Launch OpenVPN. Do not connect to any server. Select a server and select edit config.
Add the the following lines at the bottom:

dhcp-option DISABLE-NBT
dhcp-option DISABLE-NBT

SAVE. Then now connect.

That’s it!

I also have experienced this problem, and now, I do not have any problem connecting to any VPN’s anymore.
http://askhideki.com/fixing-vpn-on-globe-tattoo-broadband-connectivity-issues/

(https://uwnthesis.wordpress.com/2012/12/01/openvpn-config-file-how-to-understand-it-visually/#comment-788)
---
I: our problem, also unsolved: http://sourceforge.net/p/openvpn/mailman/message/13219342/
---
Q: packet fragmentation problem with ISP?  It could be just a momentary line problem, go on checking in the next hours or even days. As a generic suggestion, if your system is connected via WiFi, try to get the strongest signal. If it is connected via Ethernet, try to replace the cable. (https://airvpn.org/topic/14094-weird-log-entries/ - also talks about real attack scenarios and packet injection by ISP)
---
I: you could try to "Increase the MTU to 1.000 in openvpn" (https://airvpn.org/topic/14094-weird-log-entries/#entry27445)
A: You can't change MTU size on the client size only (this size must match on both parties), so that's not an option. You can however operate with "mssfix" (for TCP wrapped in the tunnel) and/or "fragment" (for UDP) directives to handle MTU size problems.
S?!: You won't believe it but IT FINALLY WORKED :-D I just tried with "mssfix 1400"
MTU check tools: http://www.letmecheck.it/mtu-test.php, http://www.tp-link.us/FAQ-190.html, http://strongvpn.com/mtu_ping_test.html
---
S: Not really our problem: Random connection drop: I haven't had one iota of a problem with this connection. It seems using the NDIS5 driver has solved the issue entirely (https://forums.openvpn.net/topic18118-15.html)
---
I:

Change the settings to use Blowfish instead of AES and it will likely work fine. Routers use slightly different means to achieve AES from what the PIA servers expect. (The same is true of the normal OpenVPN client on a PC as opposed to the PIA client.)

*Edit* And if you set your MTU to higher than 1500, set it to 1450 or so and see if that helps as well. Most systems cannot handle packets larger than 1500 and OpenVPN and several other things will expand packets beyond that quite often. The log says it is over 1500 so i should be changed anyway since this results in packet fragmentation that can and will break the connection.

(https://www.privateinternetaccess.com/forum/discussion/comment/33843/#Comment_33843)
---
For now, my inspiration (and time) is up... https://www.google.nl/search?q=Authenticate%2FDecrypt+packet+error+for+TCP+packets+(UDP+works+just+fine)&oq=Authenticate%2FDecrypt+packet+error+for+TCP+packets+(UDP+works+just+fine)&aqs=chrome..69i57j69i58.472j0j9&sourceid=chrome&es_sm=122&ie=UTF-8#q=Authenticate/Decrypt+packet+error+for+TCP+packets+(UDP+works+just+fine)&safe=off&tbs=qdr:y
---
POST-EDIT: and of course... The classic, always ignored but OH SO IMPORTANT! Do an elevated cmd prompt and chkdsk c: /f /v /x /r followed with a reboot to thoroughly check your Windows hard drive. Classic HDDs will be offline for 2 to 5 hours... So plan it at night. Also install Acronis Drive Monitor for quick overview of any NTFS errors Windows has detected (during operating OR during offline scan). Should be totally unrelated, but caching data to a corrupt memory device (hdd/RAM) really can lead to STRANGE things. One of the first symptoms in the old days of bad volume bitmap was... Unable to connect to wifi or even LAN. Looked unrelated too, but I fixed many many many internet connections with just a scan for file system errors... So... Check it before going to bed
---


Please let us know your thoughts!

And... Peace!!

Devnullius

[devnullius]

I also repeated the question here: https://twitter.com/devnullius/status/688052572251406336

[devnullius]

New Google query and the results I think might inspire a solution 

https://www.google.nl/search?q=openvpn+downloading+files+crashes+the+connection+bad+packet+ID+(may+be+a+replay)&oq=openvpn+downloading+files+crashes+the+connection+bad+packet+ID+(may+be+a+replay)&aqs=chrome..69i57.247j0j9&sourceid=chrome&es_sm=122&ie=UTF-8#q=openvpn+downloading+files+crashes+the+connection+bad+packet+ID+(may+be+a+replay)&safe=off&start=10

---
S: From the openvpn client logs, "WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'", fix here: https://forums.openvpn.net/topic15588.html
---
I:

oh man, plz help me understanding this, my routing knowledge is little to no... thx!

p.s. when i finally got this, I want to address the constant "Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #961 ] " errors i get, already tried fragment 1300 mssfix but doesnt seem to help, although netalyzr said my mtu is 1376 and before that options it said that i cant send or receive fragmented packets. I suspect my provider messes with the udp packets..

(http://serverfault.com/questions/647388/openvpn-packet-loss-troubles)
---
Q: Is the client using Windows 10? Got an unresolved problem here https://airvpn.org/topic/15006-windows-10-disconnection-problems/.
---
I: I often see OpenVPN problems mentioned with NL nodes... Should be a coincidence, but just in case... I mention it
---
I: Here, the problem is solved from switching from UDP to TCP. We already are on TCP. BUT their possible conclusion (DPI) is here, once again (https://airvpn.org/topic/14520-airvpn-client-makes-my-modem-restart/).
---
I:

I'd say it's Talktalk poisoning the link somehow. If PIA want help tracking it down, I'm more than happy to Wireshark it.

(https://www.privateinternetaccess.com/forum/discussion/comment/18851/#Comment_18851)

i tried to disable / enable internet connections while VPN is ON and it fixed the issue.
I used this command
cmd /c wmic path win32_networkadapter where NetConnectionID="Local Area Connection" call disable && wmic path win32_networkadapter where NetConnectionID="Local Area Connection" call enable

---
I: I'm giving up again https://www.google.nl/search?q=packet+replay+rules+on+TCP&oq=packet+replay+rules+on+TCP&aqs=chrome..69i57.489j0j9&sourceid=chrome&es_sm=122&ie=UTF-8


/Devvie drops mic and walks away... BED!

;p

[jheysen]

It might be a faulty boder gateway on the connection path, if so, it should be solved on its own. I dunno if there your ISP has public info on the connection between different IXs. Here in Chile we can see some graphs because they are requeried by law.
Last but not least, is the client behind NAT?

[devnullius]

It might be a faulty border gateway on the connection path, if so, it should be solved on its own. I dunno if his ISP has public info on the connection between different IXs. Here in Chile we can see some graphs because they are required by law.
Last but not least, is the client behind NAT?

Thanks old friend: I showed them your reply Got an example of those IX graphs???  And how do you mean... "Should be solved on its own"?

I'll keep you guys updated if we get it solved... Support-Laura really likes what we are doing. And I like the fact that this VPN goes above and beyond regular service. No default replies from them! I had 65Mb speeds to NY (from NL)... All that for <30$ lifetime!! Makes up for all those garbage lifetime subscriptions I have... Up to Laura though to expose the name of the game ;-)

xx

Devvie


POST-EDIT: IX Graphs... https://stats.ams-ix.net/index.html I asked for these years ago! I only got laughed at or wasn't understood, at all. Now it seems it has been here all those years... I wish there was a real map from NL / EU / UK / US with an overview of bottlenecks... What I dreamed of all those years ago, when I still was a young flower XD

[Samker]

I have no idea at the moment... 

[devnullius]

I ain't gonna tell them about your reply then ;p

[jheysen]

Here you have an example from my ISP
http://vtr.com/ispvtr/ (It's in spanish, but chrome's autotranslator should help)

With resolve on it own, I mean that the affected AS operator should repair or replace the faulty Border Gateway Router, so there's nothing to do from the user and VPN side.
Still, if the user is behind NAT, it could be a NAT problem.

[devnullius]

Still, if the user is behind NAT, it could be a NAT problem.

What would you look for, when NAT troubles arise? Is it packet fragmentation?

And from: https://www.quora.com/How-do-I-find-out-if-my-ISP-has-put-me-behind-a-NAT

If your WAN IP is:
10.x.x.x
172.16.x.x => 172.32.x.x
192.168.x.x
Then you are NAT'd. This is private IP Address space, as defined in RFC 1918.