OpenVPN server error : Authenticate/Decrypt packet error: bad packet ID (may be a replay)

Hello,

So I am trying to configure an OpenVPN server on my pfSense 2.6 with TLS and user auth (with certificate).

When trying to connect with OpenVPN connect, I get the following error message on the client “External Certificate Signing Failed” and on the server “Authenticate/Decrypt packet error: bad packet ID (may be a replay)” (full log below).

When I disable TLS, and just leave the user authentication, everything works fine and I can connect to my private network.

I have checked the TLS key and the other settings on the client and server side countless times, but I cannot figure out what is wrong.

Server log:

Feb 19 17:32:18 	openvpn 	99406 	MANAGEMENT: Client disconnected
Feb 19 17:32:18 	openvpn 	99406 	MANAGEMENT: CMD 'quit'
Feb 19 17:32:18 	openvpn 	99406 	MANAGEMENT: CMD 'status 2'
Feb 19 17:32:17 	openvpn 	99406 	MANAGEMENT: Client connected from /var/etc/openvpn/server5/sock
Feb 19 17:31:58 	openvpn 	99406 	MANAGEMENT: Client disconnected
Feb 19 17:31:58 	openvpn 	99406 	MANAGEMENT: CMD 'status 2'
Feb 19 17:31:58 	openvpn 	99406 	MANAGEMENT: Client connected from /var/etc/openvpn/server5/sock
Feb 19 17:31:16 	openvpn 	99406 	MANAGEMENT: Client disconnected
Feb 19 17:31:16 	openvpn 	99406 	MANAGEMENT: CMD 'quit'
Feb 19 17:31:16 	openvpn 	99406 	MANAGEMENT: CMD 'status 2'
Feb 19 17:31:16 	openvpn 	99406 	MANAGEMENT: Client connected from /var/etc/openvpn/server5/sock
Feb 19 17:30:36 	openvpn 	99406 	80.215.217.186:10153 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 19 17:30:36 	openvpn 	99406 	80.215.217.186:10153 TLS Error: TLS handshake failed
Feb 19 17:30:36 	openvpn 	99406 	80.215.217.186:10153 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 19 17:30:14 	openvpn 	99406 	MANAGEMENT: Client disconnected
Feb 19 17:30:14 	openvpn 	99406 	MANAGEMENT: CMD 'quit'
Feb 19 17:30:14 	openvpn 	99406 	MANAGEMENT: CMD 'status 2'
Feb 19 17:30:14 	openvpn 	99406 	MANAGEMENT: Client connected from /var/etc/openvpn/server5/sock
Feb 19 17:29:36 	openvpn 	99406 	80.215.217.186:10153 TLS Error: incoming packet authentication failed from [AF_INET]80.215.217.186:10153
Feb 19 17:29:36 	openvpn 	99406 	80.215.217.186:10153 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1676824173) 2023-02-19 17:29:33 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Feb 19 17:29:36 	openvpn 	99406 	80.215.217.186:10153 TLS: Initial packet from [AF_INET]80.215.217.186:10153, sid=762168a8 6a7c9ef0
Feb 19 17:29:36 	openvpn 	99406 	80.215.217.186:10153 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 19 17:29:36 	openvpn 	99406 	80.215.217.186:10153 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 19 17:29:12 	openvpn 	99406 	MANAGEMENT: Client disconnected
Feb 19 17:29:12 	openvpn 	99406 	MANAGEMENT: CMD 'quit'
Feb 19 17:29:12 	openvpn 	99406 	MANAGEMENT: CMD 'status 2'
Feb 19 17:29:12 	openvpn 	99406 	MANAGEMENT: Client connected from /var/etc/openvpn/server5/sock
Feb 19 17:28:10 	openvpn 	99406 	MANAGEMENT: Client disconnected
Feb 19 17:28:10 	openvpn 	99406 	MANAGEMENT: CMD 'quit'
Feb 19 17:28:10 	openvpn 	99406 	MANAGEMENT: CMD 'status 2'
Feb 19 17:28:10 	openvpn 	99406 	MANAGEMENT: Client connected from /var/etc/openvpn/server5/sock
Feb 19 17:27:08 	openvpn 	99406 	MANAGEMENT: Client disconnected
Feb 19 17:27:08 	openvpn 	99406 	MANAGEMENT: CMD 'quit'
Feb 19 17:27:08 	openvpn 	99406 	MANAGEMENT: CMD 'status 2'
Feb 19 17:27:08 	openvpn 	99406 	MANAGEMENT: Client connected from /var/etc/openvpn/server5/sock
Feb 19 17:26:06 	openvpn 	99406 	MANAGEMENT: Client disconnected
Feb 19 17:26:06 	openvpn 	99406 	MANAGEMENT: CMD 'quit'
Feb 19 17:26:06 	openvpn 	99406 	MANAGEMENT: CMD 'status 2'
Feb 19 17:26:06 	openvpn 	99406 	MANAGEMENT: Client connected from /var/etc/openvpn/server5/sock
Feb 19 17:25:15 	openvpn 	99406 	80.215.217.186:10227 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 19 17:25:15 	openvpn 	99406 	80.215.217.186:10227 TLS Error: TLS handshake failed
Feb 19 17:25:15 	openvpn 	99406 	80.215.217.186:10227 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 19 17:25:04 	openvpn 	99406 	MANAGEMENT: Client disconnected
Feb 19 17:25:04 	openvpn 	99406 	MANAGEMENT: CMD 'quit'
Feb 19 17:25:04 	openvpn 	99406 	MANAGEMENT: CMD 'status 2'
Feb 19 17:25:04 	openvpn 	99406 	MANAGEMENT: Client connected from /var/etc/openvpn/server5/sock
Feb 19 17:24:15 	openvpn 	99406 	80.215.217.186:10227 TLS: Initial packet from [AF_INET]80.215.217.186:10227, sid=9ef0977c 201fa03d
Feb 19 17:24:15 	openvpn 	99406 	80.215.217.186:10227 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 19 17:24:15 	openvpn 	99406 	80.215.217.186:10227 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 19 17:24:02 	openvpn 	99406 	MANAGEMENT: Client disconnected
Feb 19 17:24:02 	openvpn 	99406 	MANAGEMENT: CMD 'quit'
Feb 19 17:24:02 	openvpn 	99406 	MANAGEMENT: CMD 'status 2'
Feb 19 17:24:02 	openvpn 	99406 	MANAGEMENT: Client connected from /var/etc/openvpn/server5/sock
Feb 19 17:23:00 	openvpn 	99406 	MANAGEMENT: Client disconnected
Feb 19 17:23:00 	openvpn 	99406 	MANAGEMENT: CMD 'quit'
Feb 19 17:23:00 	openvpn 	99406 	MANAGEMENT: CMD 'status 2'
Feb 19 17:23:00 	openvpn 	99406 	MANAGEMENT: Client connected from /var/etc/openvpn/server5/sock
Feb 19 17:21:58 	openvpn 	99406 	MANAGEMENT: Client disconnected
Feb 19 17:21:58 	openvpn 	99406 	MANAGEMENT: CMD 'quit'
Feb 19 17:21:58 	openvpn 	99406 	MANAGEMENT: CMD 'status 2'
Feb 19 17:21:58 	openvpn 	99406 	MANAGEMENT: Client connected from /var/etc/openvpn/server5/sock
Feb 19 17:21:45 	openvpn 	99406 	Initialization Sequence Completed
Feb 19 17:21:45 	openvpn 	99406 	IFCONFIG POOL IPv4: base=10.111.10.2 size=252
Feb 19 17:21:45 	openvpn 	99406 	MULTI: multi_init called, r=256 v=256
Feb 19 17:21:45 	openvpn 	99406 	UDPv4 link remote: [AF_UNSPEC]
Feb 19 17:21:45 	openvpn 	99406 	UDPv4 link local (bound): [AF_INET]192.168.120.97:1194
Feb 19 17:21:45 	openvpn 	99406 	Socket Buffers: R=[42080->42080] S=[57344->57344]
Feb 19 17:21:45 	openvpn 	99406 	/usr/local/sbin/ovpn-linkup ovpns5 1500 1621 10.111.10.1 255.255.255.0 init
Feb 19 17:21:45 	openvpn 	99406 	/sbin/route add -net 10.111.10.0 10.111.10.2 255.255.255.0
Feb 19 17:21:45 	openvpn 	99406 	/sbin/ifconfig ovpns5 10.111.10.1 10.111.10.2 mtu 1500 netmask 255.255.255.0 up
Feb 19 17:21:45 	openvpn 	99406 	TUN/TAP device /dev/tun5 opened
Feb 19 17:21:45 	openvpn 	99406 	TUN/TAP device ovpns5 exists previously, keep at program end
Feb 19 17:21:45 	openvpn 	99406 	Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 19 17:21:45 	openvpn 	99406 	Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 19 17:21:45 	openvpn 	99406 	WARNING: experimental option --capath /var/etc/openvpn/server5/ca
Feb 19 17:21:45 	openvpn 	99406 	Diffie-Hellman initialized with 4096 bit key
Feb 19 17:21:45 	openvpn 	99406 	Initializing OpenSSL support for engine 'rdrand'
Feb 19 17:21:45 	openvpn 	99406 	PLUGIN_INIT: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so '[/usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so] [/usr/local/sbin/ovpn_auth_verify_async] [user] [TG9jYWwgRGF0YWJhc2U=] [false] [server5] [1194]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Feb 19 17:21:45 	openvpn 	99406 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 19 17:21:45 	openvpn 	99406 	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server5/sock 

Client config:

persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote xxxxxxxx 1194 udp4
nobind
#verify-x509-name "test_vpn" name
auth-user-pass
ca pfsense-CA.cer
tls-auth pfSense-soho-UDP4-1194-tls.key 1
remote-cert-tls server
explicit-exit-notify

Thanks for your help.
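An added triage helper, not part of the original post, that reads server log lines in the pfSense format shown above and counts, per peer, how far the control-channel handshake got. The sample lines are constructed (peer address is a documentation-range placeholder); the "Peer Connection Initiated" success marker is OpenVPN's standard wording and does not appear in the quoted log because no handshake completed.

```python
import re
from collections import defaultdict
# Constructed sample in the pfSense OpenVPN log format quoted above (timestamp, process, pid,
# optional "peer:port", message); the peer address is a documentation-range placeholder.
SAMPLE_LOG = """\
Feb 19 17:30:36 openvpn 99406 198.51.100.7:10153 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 19 17:29:36 openvpn 99406 198.51.100.7:10153 TLS Error: incoming packet authentication failed from [AF_INET]198.51.100.7:10153
Feb 19 17:29:36 openvpn 99406 198.51.100.7:10153 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1676824173) 2023-02-19 17:29:33 ]
Feb 19 17:29:36 openvpn 99406 198.51.100.7:10153 TLS: Initial packet from [AF_INET]198.51.100.7:10153, sid=762168a8 6a7c9ef0
Feb 19 17:21:45 openvpn 99406 MANAGEMENT: Client connected from /var/etc/openvpn/server5/sock
"""
LINE_RE = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+openvpn\s+\d+\s+"
                     r"(?:(?P<peer>\d[\d.]+:\d+)\s+)?(?P<msg>.*)$")

# Counter name -> substring identifying the event; "Peer Connection Initiated" is OpenVPN's
# standard success message, so peers that never reach it had a failed handshake.
EVENTS = {
    "initial": "TLS: Initial packet from",
    "replay": "bad packet ID (may be a replay)",
    "auth_failed": "incoming packet authentication failed",
    "timeout": "TLS key negotiation failed to occur",
    "completed": "Peer Connection Initiated",
}

def triage(log_text):
    """Count control-channel events per peer; lines with no peer (MANAGEMENT etc.) are skipped."""
    stats = defaultdict(lambda: dict.fromkeys(EVENTS, 0))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("peer"):
            continue
        for name, needle in EVENTS.items():
            if needle in m.group("msg"):
                stats[m.group("peer")][name] += 1
    return dict(stats)

def findings(stats):
    """Map each peer's counters to short findings a defender can act on."""
    out = {}
    for peer, c in stats.items():
        notes = []
        if c["initial"] and not c["completed"]:
            notes.append("handshake started but never completed")
        if c["replay"] and c["auth_failed"]:
            notes.append("first control packet failed the tls-auth replay/HMAC check; verify the key and key-direction, then MTU")
        if c["timeout"]:
            notes.append("server abandoned the session after the 60 s key-negotiation window")
        out[peer] = notes
    return out
```

Feed it the real log (tabs are handled by the whitespace matching) and a peer with many "initial" events and zero "completed" events is the one to investigate.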

Possible you need to tweak MTU? Try 1400 or 1460? TLS handshake failing seems to be your actual issue.

Thanks for your input. Should I change this on the WAN interface? Wouldn’t that impact all other types of connection?

Here’s an article that I think might help you understand the approach and shows you where to find the settings.

Thanks!
Tried again today, and it seems MTU is just one part of the problem. So I lowered the MTU value and now I’m just left with the message “External signing certificate failed” on the client side and a timeout on the server side.
Surprisingly, if the cert and key of the user are embedded in the config file everything works fine, but if I import the p12 or try using the cert from a YubiKey I get this error message.

I think that’s expected. If you used a self-signed certificate from pfSense, it is the root authority and your computer will not trust it. The OpenVPN client does not rely on your system certs or their chains to validate the cert, so the problem does not affect OpenVPN. If you want to use a system certificate instead, you will need to have that system trust your pfSense as a root authority.

Thank you very much for your input. I will check that out. I didn’t think there would be a verification on that side.
Otherwise I have a personal X.509 certificate issued by GlobalSign, but I suppose it wouldn’t work either, as the user certificate has to be issued by the server certificate, correct?

Turns out it wasn’t caused by a certificate trust issue but by the type of certificate. It seems it doesn’t really like ECDSA certificates.
Tried with an RSA one and it seems to work fine.

Awesome, glad you got it sorted!