FS#34055 - [openvpn] Decryption error in 2.3.0-2 TCP mode with multiple active TCP connections inside VPN
Attached to Project:
Arch Linux
Opened by Dark (Dark) - Wednesday, 27 February 2013, 19:44 GMT
Last edited by Thomas Bächler (brain0) - Tuesday, 11 February 2014, 21:51 GMT
Details
Description:
Not quite sure what changed in the -2 update, but I can no longer download more than one file at a time over OpenVPN in TCP mode (firewall prevents UDP mode) without getting a decryption error message on the client (happens regardless of client version, 2.2.2 or 2.3.0). I cannot triple check that the error came about from the 2.3.0-1 to 2.3.0-2 update (as opposed to 2.2.2 to 2.3.0), as I cannot find a copy of the -1 package anywhere and it seems to have disappeared from my pacman cache, but I am 95% certain that it did. Currently downgraded to 2.2.2-2, which is working perfectly. No config changes, and both client versions work.

Client error that appears is as follows:

Wed Feb 27 19:38:00 2013 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1318 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Feb 27 19:38:00 2013 Fatal decryption error (process_incoming_link), restarting
Wed Feb 27 19:38:00 2013 SIGUSR1[soft,decryption-error] received, process restarting

Server log has the following around the same time:

Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Connection reset by peer (code=104)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 write TCPv4_SERVER: Broken pipe (code=32)
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 Connection reset, restarting [0]
Wed Feb 27 19:37:59 2013 bogs/194.80.104.51:56100 SIGUSR1[soft,connection-reset] received, client-instance restarting

Steps to reproduce:
Connect to OpenVPN 2.3.0-2 server in TCP mode with all traffic routed through it, and start downloading 2 or more files at once using HTTP. Error will occur within 30 seconds. Can also be triggered at random (e.g. during web browsing or ssh sessions), doesn't specifically have to be simultaneous HTTP downloads.
Closed by Thomas Bächler (brain0)
Tuesday, 11 February 2014, 21:51 GMT
Reason for closing: Fixed
Additional comments about closing: OpenVPN 2.3.1 supposedly fixed this bug.
a yes/no value - so when the queue length approached 65 (full!), it
still only returned "1", leading to MBUF overflow later on. Change
from "bool" to "unsigned int", misbehaviour gone...
Fix is in git:
http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn;a=commitdiff_plain;h=0eb398501fab9c016b9b6008682c43873c4a6188
Please apply and update package. Thanks!
commit 0eb398501fab9c016b9b6008682c43873c4a6188 (master)
commit 80b4b1e740de60a7f94132ac4bebcd9474fbe182 (release/2.3)
The merge happened on Tuesday, March 12th.
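
The failure mode described in the comment above (a queue-length function whose return type is "bool", so a nearly full queue still reports "1"), as an added example that is not OpenVPN's code. The queue, its capacity, the high-water mark and all function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define QUEUE_CAP  64u               /* constructed capacity, not OpenVPN's */
#define HIGH_WATER (QUEUE_CAP - 4u)  /* sender pauses at or above this */

struct pkt_queue { unsigned int len, dropped; };

/* Before: the bool return type collapses every non-zero length to 1. */
static bool queue_len_before(const struct pkt_queue *q) { return q->len; }

/* After: unsigned int carries the real length back to the caller. */
static unsigned int queue_len_after(const struct pkt_queue *q) { return q->len; }

/* Append one packet; a full queue overflows and the packet is dropped. */
static void enqueue(struct pkt_queue *q)
{
    if (q->len >= QUEUE_CAP)
        q->dropped++;
    else
        q->len++;
}

/* One packet is offered per tick; the slow peer drains one every second
 * tick. The sender is meant to pause while the reported length is at the
 * high-water mark. Returns the number of packets lost to overflow. */
static unsigned int run(bool fixed, unsigned int ticks)
{
    struct pkt_queue q = { 0, 0 };
    for (unsigned int t = 0; t < ticks; t++) {
        if ((t & 1u) && q.len > 0)
            q.len--;                 /* peer drains on odd ticks */
        unsigned int reported = fixed ? queue_len_after(&q)
                                      : queue_len_before(&q);
        if (reported >= HIGH_WATER)
            continue;                /* back-pressure: accept nothing */
        enqueue(&q);
    }
    return q.dropped;
}

int main(void)
{
    printf("bool return:         %u packets dropped\n", run(false, 1000));
    printf("unsigned int return: %u packets dropped\n", run(true, 1000));
    return 0;
}
```

With the "bool" return type the high-water comparison can never be true, so the sender keeps queueing until the queue overflows; with "unsigned int" the same loop pauses in time and loses nothing.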