OpenVPN packets are changed when passing NAT
I have set up OpenVPN (2.6.10) on a Linux server and configured a client on the other side of our router. I forward port 1195 on the router to 1194 (the standard OpenVPN port) on the Linux server, and UDP packets from the client reach the openvpn service; however, I see the following errors in the server log:
Authenticate/Decrypt packet error: packet HMAC authentication failed
TLS Error: incoming packet authentication failed from [AF_INET]80.76.58.95:43399
Authenticate/Decrypt packet error: packet HMAC authentication failed
TLS Error: incoming packet authentication failed from [AF_INET]80.76.58.95:43399
Authenticate/Decrypt packet error: packet HMAC authentication failed
TLS Error: incoming packet authentication failed from [AF_INET]80.76.58.95:43399
Tracing the UDP packets with tcpdump both on the client and the server, I see the packets the reach the server, are corrupted
# cat zorn.txt
No. Time Source Destination Protocol Length Info
1 0.000000 80.76.58.95 192.168.50.111 OpenVPN 96 MessageType: P_CONTROL_HARD_RESET_CLIENT_V2[Malformed Packet]
Frame 1: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Tp-LinkT_56:25:fc (28:ee:52:56:25:fc), Dst: ASRockIn_c0:b6:03 (a8:a1:59:c0:b6:03)
Internet Protocol Version 4, Src: 80.76.58.95, Dst: 192.168.50.111
User Datagram Protocol, Src Port: 43500, Dst Port: 1194
OpenVPN Protocol
[Malformed Packet: OpenVPN]
...
Which settings on the router could have that effect?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
hi @Clive_A
Thanks for your reply. I've now got a little more time to dive into this subject, and I have tested the this on our LAN - it still fails to connect, so the problem doesn't seem to be on the router as I thought. It does, in fact look very odd, the packets I see with tcpdump on the client don't seem to be related to what is received on the NIC on the server, as read by nc -u -l -p 1194 -n -o nc.data, but I'll have to look more into whether I understand this correctly.
However, to answer your questions:
The router in the diagram is ER7206 (v1)
I don't know what the IP address 80.76.58.95 is; I can't find it anywhere on our net or on the router. It isn't the external address, certainly.
I will pursue this with the OpenVPN team - thank you for pointing me towards testing it on the LAN, I hadn't thought of that.
- Copy Link
- Report Inappropriate Content
Hi @j4nd3r53n
Thanks for posting in our business forum.
1. A malformed packet does not mean a problem unless you can list a problem with symptoms. I used to see malformed packets in Wireshark but it always stands for a problem.
2. Diagram. What do you mean by this line?
j4nd3r53n wrote
I have set up OpenVPN (2.6.10) on a Linux server and configured a client on the other side of our router. I forward port 1195 on the router to 1194 (the standard OpenVPN port) on the Linux server, and UDP packets from the client reach the openvpn service; however, I see the following errors in the server log:
- Copy Link
- Report Inappropriate Content
Hi @Clive_A, to answer your points,
- The problem, as shown by the extract from the OpenVPN log, is that HMAC authentication fails, which means the OpenVPN client can't establish a session with the server.
- A diagram - like this?
So, like in all VPNs, a client computer outside the LAN seeks to establish a private network session, which allows it to communicate with other systems on the LAN. This particular router has its own OpenVPN service, but for various reasons I want to use a different service, which I have configured on the Server. I have created a NAT rule on the router, to forward port 1195 (since the OpenVPN service on the router is currently use 1194) to port 1194 on the Server. When the client connection starts, it sends a UDP packet with the HMAC authentication info, and when that arrives on the Server, it has been changed and is no longer valid, so the authentication fails, as shown in the log.
I can see this in the following net trace, created with tcpdump:
From client:
No. Time Source Destination Protocol Length Info
1 0.000000 192.168.1.213 x.x.x.x UDP 96 57360 → 1195 Len=54
Frame 1: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: LCFCHefe_fa:ee:43 (6c:24:08:fa:ee:43), Dst: BelkinIn_76:b9:20 (80:69:1a:76:b9:20)
Internet Protocol Version 4, Src: 192.168.1.213, Dst: 94.176.208.177
User Datagram Protocol, Src Port: 57360, Dst Port: 1195
Data (54 bytes)
0000 [Edited hex dump]
0010 [Edited hex dump]
0020 [Edited hex dump]
0030 [Edited hex dump]
From server:
No. Time Source Destination Protocol Length Info
1 0.000000 x.x.x.x 192.168.50.111 OpenVPN 96 MessageType: P_CONTROL_HARD_RESET_CLIENT_V2[Malformed Packet]
Frame 1: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Tp-LinkT_56:25:fc (28:ee:52:56:25:fc), Dst: ASRockIn_c0:b6:03 (a8:a1:59:c0:b6:03)
Internet Protocol Version 4, Src: 80.76.58.95, Dst: 192.168.50.111
User Datagram Protocol, Src Port: 43500, Dst Port: 1194
Something has happened on the way, and as far as I can see, this must happen in the router - ChatGPT makes some suggestions that seem plausible, but I haven't been able to find any settings on the router (using the omada interface) that match - it lists VPN Passthrough, ALG settings, MTU settings and UDP timeout, as well as QoS as potential things to look at. As I said, I haven't found any settings that would appear to touch on NAT and OpenVPN.
- Copy Link
- Report Inappropriate Content
Hi @j4nd3r53n
Thanks for posting in our business forum.
j4nd3r53n wrote
Hi @Clive_A, to answer your points,
- The problem, as shown by the extract from the OpenVPN log, is that HMAC authentication fails, which means the OpenVPN client can't establish a session with the server.
- A diagram - like this?
So, like in all VPNs, a client computer outside the LAN seeks to establish a private network session, which allows it to communicate with other systems on the LAN. This particular router has its own OpenVPN service, but for various reasons I want to use a different service, which I have configured on the Server. I have created a NAT rule on the router, to forward port 1195 (since the OpenVPN service on the router is currently use 1194) to port 1194 on the Server. When the client connection starts, it sends a UDP packet with the HMAC authentication info, and when that arrives on the Server, it has been changed and is no longer valid, so the authentication fails, as shown in the log.
I can see this in the following net trace, created with tcpdump:
From client:
No. Time Source Destination Protocol Length Info
1 0.000000 192.168.1.213 x.x.x.x UDP 96 57360 → 1195 Len=54Frame 1: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: LCFCHefe_fa:ee:43 (6c:24:08:fa:ee:43), Dst: BelkinIn_76:b9:20 (80:69:1a:76:b9:20)
Internet Protocol Version 4, Src: 192.168.1.213, Dst: 94.176.208.177
User Datagram Protocol, Src Port: 57360, Dst Port: 1195
Data (54 bytes)0000 [Edited hex dump]
0010 [Edited hex dump]
0020 [Edited hex dump]
0030 [Edited hex dump]
From server:
No. Time Source Destination Protocol Length Info
1 0.000000 x.x.x.x 192.168.50.111 OpenVPN 96 MessageType: P_CONTROL_HARD_RESET_CLIENT_V2[Malformed Packet]Frame 1: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Tp-LinkT_56:25:fc (28:ee:52:56:25:fc), Dst: ASRockIn_c0:b6:03 (a8:a1:59:c0:b6:03)
Internet Protocol Version 4, Src: 80.76.58.95, Dst: 192.168.50.111
User Datagram Protocol, Src Port: 43500, Dst Port: 1194
Something has happened on the way, and as far as I can see, this must happen in the router - ChatGPT makes some suggestions that seem plausible, but I haven't been able to find any settings on the router (using the omada interface) that match - it lists VPN Passthrough, ALG settings, MTU settings and UDP timeout, as well as QoS as potential things to look at. As I said, I haven't found any settings that would appear to touch on NAT and OpenVPN.
Forget about the GPT recommendations. They don't relate to the issue.
The IPs and ports are not the same. The diagram explains the basic stuff but it does not reflect the IPs and ports.
The router in the diagram is the ER7206?
What's this IP? 80.76.58.95
WAN Interface on the router, screenshot it and what's the IP address of it?
Since you set up the VPN server, have you tested in the LAN that you could make a connection to your server 192.168.50.111? Locally, test the OVPN connectivity.
P.S.
I was messaged by the dev that we did not replicate what you described in our lab environment.
We require the following information:
1. OVPN server and client config for the purpose of reviewing if there is any error.
2. A backup of your router.
Do not upload your backup. Please prepare that and message me back. I will create a ticket for to follow up your case.
- Copy Link
- Report Inappropriate Content
hi @Clive_A
Thanks for your reply. I've now got a little more time to dive into this subject, and I have tested the this on our LAN - it still fails to connect, so the problem doesn't seem to be on the router as I thought. It does, in fact look very odd, the packets I see with tcpdump on the client don't seem to be related to what is received on the NIC on the server, as read by nc -u -l -p 1194 -n -o nc.data, but I'll have to look more into whether I understand this correctly.
However, to answer your questions:
The router in the diagram is ER7206 (v1)
I don't know what the IP address 80.76.58.95 is; I can't find it anywhere on our net or on the router. It isn't the external address, certainly.
I will pursue this with the OpenVPN team - thank you for pointing me towards testing it on the LAN, I hadn't thought of that.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 261
Replies: 4
Voters 0
No one has voted for it yet.