OpenWRT Wifi and OpenVPN replay

I have an openvpn server (Ubuntu 18.04 LTS with openvpn 2.4.4) running on the internet. In my home network I use several clients to connect to this server.

  1. Android based mobile phone with OpenVPN client via 4G network or WiFi
  2. iPad with OpenVPN client using WiFi
  3. Linux based laptop on ethernet network connection using the openvpn 2.4.4 client
  4. openvpn on the OpenWRT router
    The router is a LinkSYS WRT1200-AC running 19.07.1. The laptop is connected via cable to it.

When using clients No. 1 and 2 over WiFi connected to the OpenWRT router, I get a lot of replay error messages on the server side about bad packets and replay problems; the VPN connection is thus not really working. Clients No. 3 and 4 are working without problems.

Error message(s) on server side:

Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1581955005) Mon Feb 17 16:56:45 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
TLS Error: incoming packet authentication failed from [AF_INET] Authenticate/Decrypt packet error: bad packet ID (may be a replay): [#2 / time = (1581953548) Mon Feb 17 16:32:28 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

In the manpage of openvpn it is mentioned that it could be a false alarm on the WiFi:

--mute-replay-warnings
              Silence the output of replay warnings, which are a common false alarm on WiFi
              networks. This option preserves the security of the replay protection code without
              the verbosity associated with warnings about duplicate packets.

So I did some further investigation of the WiFi connections.

  1. Android client: Using the WiFi connection over the OpenWRT router produces TLS errors and a lot of replay messages. Finally the client will not connect but times out. Disabling the WiFi and using the 4G connection connects within seconds and runs stable.
  2. iPad client: Using the WiFi connection over the OpenWRT router produces TLS errors and a lot of replay messages. The client will connect after a while, but the connection is not really usable. Enabling the WiFi hotspot on the mobile phone and connecting via this WiFi works much better.
  3. The ethernet client connects and works without problems.

I also read the articles in the OpenWRT and openvpn forums on the compress parameter and made sure that both sides use:
compress lz4
The stable connections can ping the server and each other.

As explained above, the same client with the same configuration over OpenWRT WiFi has a bad connection with errors and replay messages, while over e.g. 4G it works OK.

It doesn't make a difference whether the 5G or the 2G WiFi is used.

So from the above tests I assume there is some problem in the WiFi configuration that only occurs when using a VPN tunnel, and that for some reason does not occur over the 4G network or cable connections. "Regular" WiFi connections without the VPN also work fine.

The openvpn configuration is this:

client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote XX.XX.XX.XX 1195
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
compress lz4
auth SHA512
cipher AES-256-CBC
key-direction 1
verb 3
<ca> # Certs and keys not shown

Below are the network settings:
cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5e:ab56:30b3::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.10'
        list dns '192.168.0.6'
        option gateway '192.168.0.1'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'none'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'none'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option htmode 'VHT80'
        option country 'CN'
        option legacy_rates '1'
        option channel '149'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option macaddr 'XX'
        option ssid 'wlan**'
        option encryption 'psk2'
        option key '**'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option htmode 'HT20'
        option country 'CN'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option macaddr '*******'
        option key '********'
        option ssid 'wlan**-2G'
        option encryption 'psk2'

iw list

Wiphy phy1
        max # scan SSIDs: 4
        max scan IEs length: 2242 bytes
        max # sched scan SSIDs: 0
        max # match sets: 0
        max # scan plans: 1
        max scan plan interval: -1
        max scan plan iterations: 0
        Retry short limit: 7
        Retry long limit: 4
        Coverage class: 0 (up to 0m)
        Device supports AP-side u-APSD.
        Device supports T-DLS.
        Available Antennas: TX 0 RX 0
        Supported interface modes:
                 * managed
                 * AP
                 * AP/VLAN
                 * monitor
                 * mesh point
        Band 1:
                Capabilities: 0x106f
                        RX LDPC
                        HT20/HT40
                        SM Power Save disabled
                        RX HT20 SGI
                        RX HT40 SGI
                        No RX STBC
                        Max AMSDU length: 3839 bytes
                        DSSS/CCK HT40
                Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
                Minimum RX AMPDU time spacing: 4 usec (0x05)
                HT TX/RX MCS rate indexes supported: 0-15, 32
                VHT Capabilities (0x33813930):
                        Max MPDU length: 3895
                        Supported Channel Width: neither 160 nor 80+80
                        RX LDPC
                        short GI (80 MHz)
                        SU Beamformer
                        SU Beamformee
                        RX antenna pattern consistency
                        TX antenna pattern consistency
                VHT RX MCS set:
                        1 streams: MCS 0-9
                        2 streams: MCS 0-9
                        3 streams: not supported
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT RX highest supported: 0 Mbps
                VHT TX MCS set:
                        1 streams: MCS 0-9
                        2 streams: MCS 0-9
                        3 streams: not supported
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT TX highest supported: 0 Mbps
                Frequencies:
                        * 2412 MHz [1] (20.0 dBm)
                        * 2417 MHz [2] (20.0 dBm)
                        * 2422 MHz [3] (20.0 dBm)
                        * 2427 MHz [4] (20.0 dBm)
                        * 2432 MHz [5] (20.0 dBm)
                        * 2437 MHz [6] (20.0 dBm)
                        * 2442 MHz [7] (20.0 dBm)
                        * 2447 MHz [8] (20.0 dBm)
                        * 2452 MHz [9] (20.0 dBm)
                        * 2457 MHz [10] (20.0 dBm)
                        * 2462 MHz [11] (20.0 dBm)
                        * 2467 MHz [12] (20.0 dBm)
                        * 2472 MHz [13] (20.0 dBm)
                        * 2484 MHz [14] (disabled)
        valid interface combinations:
                 * #{ AP } <= 16, #{ mesh point } <= 1, #{ managed } <= 1,
                   total <= 16, #channels <= 1, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz, 160 MHz }

        HT Capability overrides:
                 * MCS: ff ff ff ff ff ff ff ff ff ff
                 * maximum A-MSDU length
                 * supported channel width
                 * short GI for 40 MHz
                 * max A-MPDU length exponent
                 * min MPDU start spacing
        Supported extended features:
                * [ RRM ]: RRM
                * [ CONTROL_PORT_OVER_NL80211 ]: control port over nl80211
Wiphy phy0
        max # scan SSIDs: 4
        max scan IEs length: 2247 bytes
        max # sched scan SSIDs: 0
        max # match sets: 0
        max # scan plans: 1
        max scan plan interval: -1
        max scan plan iterations: 0
        Retry short limit: 7
        Retry long limit: 4
        Coverage class: 0 (up to 0m)
        Device supports AP-side u-APSD.
        Device supports T-DLS.
        Available Antennas: TX 0 RX 0
        Supported interface modes:
                 * managed
                 * AP
                 * AP/VLAN
                 * monitor
                 * mesh point
        Band 2:
                Capabilities: 0x106f
                        RX LDPC
                        HT20/HT40
                        SM Power Save disabled
                        RX HT20 SGI
                        RX HT40 SGI
                        No RX STBC
                        Max AMSDU length: 3839 bytes
                        DSSS/CCK HT40
                Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
                Minimum RX AMPDU time spacing: 4 usec (0x05)
                HT TX/RX MCS rate indexes supported: 0-15, 32
                VHT Capabilities (0x33813930):
                        Max MPDU length: 3895
                        Supported Channel Width: neither 160 nor 80+80
                        RX LDPC
                        short GI (80 MHz)
                        SU Beamformer
                        SU Beamformee
                        RX antenna pattern consistency
                        TX antenna pattern consistency
                VHT RX MCS set:
                        1 streams: MCS 0-9
                        2 streams: MCS 0-9
                        3 streams: not supported
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT RX highest supported: 0 Mbps
                VHT TX MCS set:
                        1 streams: MCS 0-9
                        2 streams: MCS 0-9
                        3 streams: not supported
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT TX highest supported: 0 Mbps
                Frequencies:
                        * 5180 MHz [36] (23.0 dBm)
                        * 5200 MHz [40] (23.0 dBm)
                        * 5220 MHz [44] (23.0 dBm)
                        * 5240 MHz [48] (23.0 dBm)
                        * 5260 MHz [52] (23.0 dBm) (radar detection)
                        * 5280 MHz [56] (23.0 dBm) (radar detection)
                        * 5300 MHz [60] (23.0 dBm) (radar detection)
                        * 5320 MHz [64] (23.0 dBm) (radar detection)
                        * 5500 MHz [100] (disabled)
                        * 5520 MHz [104] (disabled)
                        * 5540 MHz [108] (disabled)
                        * 5560 MHz [112] (disabled)
                        * 5580 MHz [116] (disabled)
                        * 5600 MHz [120] (disabled)
                        * 5620 MHz [124] (disabled)
                        * 5640 MHz [128] (disabled)
                        * 5660 MHz [132] (disabled)
                        * 5680 MHz [136] (disabled)
                        * 5700 MHz [140] (disabled)
                        * 5720 MHz [144] (disabled)
                        * 5745 MHz [149] (30.0 dBm)
                        * 5765 MHz [153] (30.0 dBm)
                        * 5785 MHz [157] (30.0 dBm)
                        * 5805 MHz [161] (30.0 dBm)
        valid interface combinations:
                 * #{ AP } <= 16, #{ mesh point } <= 1, #{ managed } <= 1,
                   total <= 16, #channels <= 1, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz, 160 MHz }

        HT Capability overrides:
                 * MCS: ff ff ff ff ff ff ff ff ff ff
                 * maximum A-MSDU length
                 * supported channel width
                 * short GI for 40 MHz
                 * max A-MPDU length exponent
                 * min MPDU start spacing
        Supported extended features:
                * [ RRM ]: RRM
                * [ CONTROL_PORT_OVER_NL80211 ]: control port over nl80211

I tried two other hardware configurations: a TP-Link TL-WR802N-v4 router also using OpenWRT 19.07.1, and another RealTEK based WiFi router with a different firmware. Same issues. So I really think there is something in the combination of WiFi and openvpn.
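To make the manpage's "common false alarm on WiFi" remark concrete, here is an added example (not from the original post and not OpenVPN's own code) of a simplified packet-ID sliding window of the kind OpenVPN's replay protection uses. It models only the sequence-number part (the real implementation also has a time component, and the default window of 64 packets is assumed here). The constructed sequences show why a WiFi link that duplicates or reorders UDP datagrams triggers "bad packet ID (may be a replay)" warnings while the tunnel stays safe, because the duplicate is simply dropped, and why a packet reordered further back than the window is rejected unless --replay-window is enlarged.

```python
"""Simplified model of a packet-ID replay window (constructed example)."""


class ReplayWindow:
    """Sliding bitmap over the last `window` packet IDs (assumed default 64)."""

    def __init__(self, window=64):
        self.window = window
        self.highest = 0      # highest packet ID accepted so far
        self.bitmap = 0       # bit i set => ID (highest - i) already seen
        self.accepted = 0
        self.rejected = []    # (packet id, reason) for every dropped packet

    def check(self, pid):
        """Return True if `pid` is fresh and accepted, False if it is dropped."""
        if pid <= 0:
            self.rejected.append((pid, "invalid id"))
            return False
        if pid > self.highest:
            # Newer than anything seen: slide the window forward and mark it.
            shift = pid - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = pid
            self.accepted += 1
            return True
        diff = self.highest - pid
        if diff >= self.window:
            # Reordered so far back that the window no longer covers it.
            self.rejected.append((pid, "too old for window"))
            return False
        if self.bitmap & (1 << diff):
            # Same ID already accepted: a retransmit, or a genuine replay.
            self.rejected.append((pid, "duplicate (may be a replay)"))
            return False
        self.bitmap |= 1 << diff   # late but unseen packet: accept it
        self.accepted += 1
        return True


def simulate(packet_ids, window=64):
    """Feed a constructed arrival order through the window; return (accepted, reasons)."""
    w = ReplayWindow(window)
    for pid in packet_ids:
        w.check(pid)
    return w.accepted, [reason for _, reason in w.rejected]


# Constructed arrival orders, not captured traffic.
CLEAN_LINK = list(range(1, 11))                      # cable-like, strictly in order
WIFI_LINK = [1, 2, 3, 3, 4, 6, 5, 7, 7, 8]          # two retransmits, one swap
DEEP_REORDER = [1] + list(range(3, 71)) + [2]        # ID 2 arrives 68 packets late

if __name__ == "__main__":
    print("clean link:  ", simulate(CLEAN_LINK))
    print("wifi link:   ", simulate(WIFI_LINK))
    print("deep reorder, window 64: ", simulate(DEEP_REORDER, 64))
    print("deep reorder, window 128:", simulate(DEEP_REORDER, 128))
```

On the WiFi-like sequence the two retransmitted IDs are dropped with the "may be a replay" reason and the swapped pair is accepted, which is exactly the harmless warning the manpage describes. The deep-reorder case shows the other side of the coin: with the default window the late packet is lost as "too old", whereas a larger --replay-window would still accept it, at the cost of a longer history the receiver must keep.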