FS#34055 - [openvpn] Decryption error in 2.3.0-2 TCP mode with multiple active TCP connections inside VPN

Attached to Project: Arch Linux
Opened by Dark (Dark) - Wednesday, 27 February 2013, 19:44 GMT
Last edited by Thomas Bächler (brain0) - Tuesday, 11 February 2014, 21:51 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Thomas Bächler (brain0)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description:
Not quite sure what changed in the -2 update, but I can no longer download more than one file at a time over OpenVPN in TCP mode (firewall prevents UDP mode) without getting a decryption error message on the client (happens regardless of client version, 2.2.2 or 2.3.0).

I cannot triple check that the error came about from the 2.3.0-1 to 2.3.0-2 update (as opposed to 2.2.2 to 2.3.0), as I cannot find a copy of the -1 package anywhere and it seems to have disappeared from my pacman cache, but I am 95% certain that it did.

Currently downgraded to 2.2.2-2, which is working perfectly. No config changes, and both client versions work.


Client error that appears is as follows:

Wed Feb 27 19:38:00 2013 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1318 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Feb 27 19:38:00 2013 Fatal decryption error (process_incoming_link), restarting
Wed Feb 27 19:38:00 2013 SIGUSR1[soft,decryption-error] received, process restarting


Server log has the following around the same time:

Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Connection reset by peer (code=104)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 Connection reset, restarting [0]
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 SIGUSR1[soft,connection-reset] received, client-instance restarting


Steps to reproduce:
Connect to OpenVPN 2.3.0-2 server in TCP mode with all traffic routed through it, and start downloading 2 or more files at once using HTTP. Error will occur within 30 seconds.

Can also be triggered at random (eg during web browsing or ssh sessions), doesn't specifically have to be simultaneous HTTP downloads.
This task depends upon

Closed by  Thomas Bächler (brain0)
Tuesday, 11 February 2014, 21:51 GMT
Reason for closing:  Fixed
Additional comments about closing:  OpenVPN 2.3.1 supposedly fixed this bug.
Comment by Christian Hesse (eworm) - Tuesday, 12 March 2013, 14:03 GMT
Return value of mbuf_len() wrong - it's returning a length value, not
a yes/no value - so when the queue length approached 65 (full!), it
still only returned "1", leading to MBUF overflow later on. Change
from "bool" to "unsigned int", misbehaviour gone...

Fix is in git:
http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn;a=commitdiff_plain;h=0eb398501fab9c016b9b6008682c43873c4a6188

Please apply and update package. Thanks!
Comment by Dark (Dark) - Thursday, 14 March 2013, 19:14 GMT
Would that fix be in openvpn-git in AUR? Because I just tried it and instead of throwing 'Authenticate/Decrypt packet error: bad packet ID' on the client, the link just dies silently.
Comment by Christian Hesse (eworm) - Thursday, 14 March 2013, 19:25 GMT
It should, yes. As long as you built the package after the patch was applied. Check for one of these:

commit 0eb398501fab9c016b9b6008682c43873c4a6188 (master)
commit 80b4b1e740de60a7f94132ac4bebcd9474fbe182 (release/2.3)

The merge happened on Tuesday, March 12th.
Comment by Kristian (klausenbusk) - Wednesday, 20 March 2013, 16:49 GMT
Can confirm that "commit 0eb398501fab9c016b9b6008682c43873c4a6188" seems to fix it, attached PKGBUILD which patch openvpn..
(application/x-gzip)    openvpn-2.3.0-3.src.tar.gz (2.2 KiB)
Comment by Christian Hesse (eworm) - Tuesday, 26 March 2013, 07:30 GMT
Any chance to get an updated package here?
Comment by Christian Hesse (eworm) - Wednesday, 27 March 2013, 18:58 GMT
I just flagged openvpn out-of-date for version 2.3.1. This should fix the problem automatically.

Loading...