Authenticate/Decrypt packet error: bad packet

edited November 2016 in VPN Setup Support
I'm running OpenVPN on a router with Firmware: DD-WRT v3.0-r30465M kongac (08/23/16). I have had few issues since solving a great many issues over the last year, but this one is different. It is different because I seem to be getting a lot of "Authenticate/Decrypt packet error: bad packet ID" messages. I have read there can be two main causes: the first is a server-wide attack and the second is a more personal attack.

 P.S. I borrowed this section from the AirVPN forum.

 A replay attack is a form of network attack in which a valid data transmission 
is maliciously or fraudulently repeated or delayed. This is carried out either 
by the originator (of course not in our case!!!) or by an adversary who intercepts 
the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution. 
 OpenVPN will reject correctly the fraudulent packets and no injection is possible. However the attack, if well organised, will slow down considerably your VPN connections. 
If your problem occurs on EVERY Air server, then it's extremely unlikely that you are the target of a replay attack, UNLESS your adversary has the ability to monitor your own ISP line. However, the "Authenticate/Decrypt packet error: bad packet ID (may be a replay)" log entries do really suggest a replay attack against you even before the connection to our servers. If this is an attack, then the adversary is not attacking our servers in general, he/she is attacking you specifically.
 About the "Replay-window backtrack occurred", this is the consequence of the problem. OpenVPN writes in the log this event. Please read here. Although it is not 100% sure, it might mitigate your problem without having to use TCP: http://openvpn.net/archive/openvpn-users/2004-09/msg00068.html
It is not sure that the above will improve your connectivity for online gaming, you will have to test various parameters. But it is sure that it may lower your security if you are under attack.
 The risk is forcing OpenVPN to accept fraudulent packets as valid packets. The directive to set the n parameter is replay-window in your .ovpn configuration file.
See the OpenVPN manual:
Quote:
--replay-window n [t] Use a replay protection sliding-window of size n and a time window of t seconds.
By default n is 64 (the IPSec default) and t is 15 seconds.
This option is only relevant in UDP mode, i.e. when either --proto udp is specified, or no --proto option is specified. When OpenVPN tunnels IP packets over UDP, there is the possibility that packets might be dropped or delivered out of order. Because OpenVPN, like IPSec, is emulating the physical network layer, it will accept an out-of-order packet sequence, and will deliver such packets in the same order they were received to the TCP/IP protocol stack, provided they satisfy several constraints.
 (a) The packet cannot be a replay (unless --no-replay is specified, which disables replay protection altogether).
 (b) If a packet arrives out of order, it will only be accepted if the difference between its sequence number and the highest sequence number received so far is less than n.
 (c) If a packet arrives out of order, it will only be accepted if it arrives no later than t seconds after any packet containing a higher sequence number.
 If you are using a network link with a large pipeline (meaning that the product of bandwidth and latency is high), you may want to use a larger value for n. 
Satellite links in particular often require this.
If you run OpenVPN at --verb 4, you will see the message "Replay-window backtrack occurred [x]" every time the maximum sequence number backtrack seen thus far increases. 
 This can be used to calibrate n. There is some controversy on the appropriate method of handling packet reordering at the security layer. Namely, to what extent should the security layer protect the encapsulated protocol from attacks which masquerade as the kinds of normal packet loss and reordering that occur over IP networks? The IPSec and OpenVPN approach is to allow packet reordering within a certain fixed sequence number window.
 OpenVPN adds to the IPSec model by limiting the window size in time as well as sequence space.
 OpenVPN also adds TCP transport as an option (not offered by IPSec) in which case OpenVPN can adopt a very strict attitude towards message deletion and reordering: Don't allow it. 
Since TCP guarantees reliability, any packet loss or reordering event can be assumed to be an attack.
In this sense, it could be argued that TCP tunnel transport is preferred when tunnelling non-IP or UDP application protocols which might be vulnerable to a message deletion or reordering attack which falls within the normal operational parameters of IP networks.
So I would make the statement that one should never tunnel a non-IP protocol or UDP application protocol over UDP, if the protocol might be vulnerable to a message deletion or reordering attack that falls within the normal operating parameters of what is to be expected from the physical IP layer.

Log::
Client: CONNECTED SUCCESS
Local Address: 10.69.10.6 
Remote Address: 10.69.10.5 

Status
VPN Client Stats
TUN/TAP read bytes 952802630
TUN/TAP write bytes 2147483647
TCP/UDP read bytes 2147483647
TCP/UDP write bytes 1773728976
Auth read bytes         2147483647
pre-compress bytes    0
post-compress bytes 0
pre-decompress bytes 0
post-decompress bytes 0

Log
Clientlog: 
20161118 09:43:15 I OpenVPN 2.3.11 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Aug 23 2016 
20161118 09:43:15 I library versions: OpenSSL 1.0.2h 3 May 2016 LZO 2.09 
20161118 09:43:15 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible 
20161118 09:43:15 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
20161118 09:43:15 I UDPv4 link local: [undef] 
20161118 09:43:15 I UDPv4 link remote: [AF_INET]107.152.98.165:1198 
20161118 09:43:16 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1558' remote='link-mtu 1542' 
20161118 09:43:16 W WARNING: 'cipher' is used inconsistently local='cipher AES-128-CBC' remote='cipher BF-CBC' 
20161118 09:43:16 I [5a778fd870387b58c2ef242e5139696a] Peer Connection Initiated with [AF_INET]107.152.98.165:1198 
20161118 09:43:18 I TUN/TAP device tun1 opened 
20161118 09:43:18 I do_ifconfig tt->ipv6=1 tt->did_ifconfig_ipv6_setup=0 
20161118 09:43:18 I /sbin/ifconfig tun1 10.69.10.6 pointopoint 10.69.10.5 mtu 1500 
20161118 09:43:18 I Initialisation Sequence Completed 
20161118 10:52:50 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2382953 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 
20161118 10:52:50 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2382954 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 
20161118 10:52:50 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2382955 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 
20161118 10:52:50 NOTE: --mute triggered... 
20161118 11:00:38 16 variation(s) on previous 3 message(s) suppressed by --mute 
20161118 11:00:38 N write UDPv4: Message too large (code=90) 
20161118 11:00:38 N write UDPv4: Message too large (code=90) 
20161118 11:00:38 N write UDPv4: Message too large (code=90) 
20161118 11:00:40 NOTE: --mute triggered... 
20161118 11:01:48 4 variation(s) on previous 3 message(s) suppressed by --mute 
20161118 11:01:48 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2784264 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 
20161118 11:01:48 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2784267 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 
20161118 11:01:48 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2784268 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 
20161118 11:01:48 NOTE: --mute triggered... 
20161118 11:02:57 46 variation(s) on previous 3 message(s) suppressed by --mute 
20161118 11:02:57 N write UDPv4: Message too large (code=90) 
20161118 11:02:58 N write UDPv4: Message too large (code=90) 
20161118 11:03:01 N write UDPv4: Message too large (code=90) 
20161118 11:03:02 NOTE: --mute triggered... 
20161118 11:04:42 9 variation(s) on previous 3 message(s) suppressed by --mute 
20161118 11:04:42 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2928941 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 
20161118 11:04:42 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2928942 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 
20161118 11:05:45 N write UDPv4: Message too large (code=90) 
20161118 11:05:46 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2982350 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 
20161118 11:05:46 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2982351 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 
20161118 11:05:46 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2982352 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 
20161118 11:05:46 NOTE: --mute triggered... 
20161118 11:05:48 5 variation(s) on previous 3 message(s) suppressed by --mute 
20161118 11:05:48 N write UDPv4: Message too large (code=90) 
20161118 11:05:50 N write UDPv4: Message too large (code=90) 
20161118 11:05:51 N write UDPv4: Message too large (code=90) 
20161118 11:05:51 NOTE: --mute triggered... 
20161118 11:07:25 8 variation(s) on previous 3 message(s) suppressed by --mute 
20161118 11:07:25 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3065324 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 
20161118 11:07:25 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3065325 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 
20161118 11:07:25 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3065326 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 
20161118 11:07:25 NOTE: --mute triggered... 
20161118 11:18:49 217 variation(s) on previous 3 message(s) suppressed by --mute 
20161118 11:18:49 N write UDPv4: Message too large (code=90) 
20161118 11:18:50 N write UDPv4: Message too large (code=90) 
20161118 11:18:52 N write UDPv4: Message too large (code=90) 
20161118 11:18:56 NOTE: --mute triggered... 
20161118 11:25:25 39 variation(s) on previous 3 message(s) suppressed by --mute 
20161118 11:25:25 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3921917 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 
20161118 11:25:25 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3921918 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 
20161118 11:25:25 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3921919 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 
20161118 11:25:25 NOTE: --mute triggered... 
20161118 11:29:21 19 variation(s) on previous 3 message(s) suppressed by --mute 
20161118 11:29:21 N write UDPv4: Message too large (code=90) 
20161118 11:29:22 N write UDPv4: Message too large (code=90) 
20161118 11:29:24 N write UDPv4: Message too large (code=90) 
20161118 11:29:25 NOTE: --mute triggered... 
19700101 01:00:00 

ca /tmp/openvpncl/ca.crt
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tun1
proto udp
cipher aes-128-cbc
auth sha1
auth-user-pass /tmp/openvpncl/credentials
remote us-california.privateinternetaccess.com 1198
comp-lzo adaptive
tun-mtu 1500
mtu-disc yes
fast-io
tun-ipv6
persist-key
persist-tun
tls-client
remote-cert-tls server
verb 1
#disable-occ
auth-nocache
reneg-sec 0

Firmware: DD-WRT v3.0-r30465M kongac (08/23/16)

Which issue am I facing ?
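
Added example, not part of the original post and not OpenVPN's own code: a small Python model of the three acceptance rules (a) to (c) quoted from the manual above, run on a constructed packet trace to show what raising n changes. The class name, function name and trace values are assumptions made for illustration.

```python
class ReplayWindow:
    """Model of the manual's rules (a)-(c) for --replay-window n [t]."""

    def __init__(self, n=64, t=15):
        self.n = n          # sequence-space window size
        self.t = t          # time window in seconds
        self.arrivals = {}  # packet ID -> arrival time, for IDs still inside the window

    def check(self, pkt_id, now):
        """Return 'accept' or the reason the packet is dropped."""
        highest = max(self.arrivals, default=0)
        if pkt_id in self.arrivals:
            return "replay"                       # rule (a): ID already seen
        if pkt_id < highest:                      # packet arrived out of order
            if highest - pkt_id >= self.n:
                return "outside-window"           # rule (b): backtrack not less than n
            first_higher = min(ts for pid, ts in self.arrivals.items() if pid > pkt_id)
            if now - first_higher > self.t:
                return "too-late"                 # rule (c): more than t seconds late
        self.arrivals[pkt_id] = now
        new_high = max(highest, pkt_id)
        # Forget IDs that have slid out of the window; rule (b) rejects them anyway.
        for pid in [p for p in self.arrivals if new_high - p >= self.n]:
            del self.arrivals[pid]
        return "accept"


# Constructed trace of (packet ID, arrival time in seconds); not taken from the log.
TRACE = [(1, 0.0), (2, 0.1), (3, 0.2), (5, 0.3), (4, 0.4), (3, 0.5),
         (70, 1.0), (6, 1.1), (69, 20.0), (71, 20.1)]


def run(trace, n=64, t=15):
    window = ReplayWindow(n, t)
    return [window.check(pkt_id, now) for pkt_id, now in trace]


if __name__ == "__main__":
    for n in (64, 128):
        print(n, list(zip([p for p, _ in TRACE], run(TRACE, n=n))))
```

With the default n of 64, packet 6 is dropped because it trails the highest ID by exactly 64; with n set to 128 it is accepted, while the true replay (the second 3) and the late packet 69 are still rejected.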

Comments


  • Which issue am I facing ?

    You tell us - what's your problem, exactly?
  • @PiaVipper

    The problem he's facing is that he's getting an Authenticate/Decrypt error. Specifically, the error he is getting is "bad packet ID". This is usually the result of an injection or replay attack by a hacker.

    @Redback813

    If I were you, I'd take this directly to Technical Support. They're probably going to want to know this if one of their servers is being attacked. Immediately open a ticket by clicking this link here:

    https://helpdesk.privateinternetaccess.com/hc/en-us

    Open a new support request by clicking the "Submit a Request" button in the upper right hand corner.

  • 20161118 11:18:49 N write UDPv4: Message too large (code=90) 
    20161118 11:18:50 N write UDPv4: Message too large (code=90) 
    20161118 11:18:52 N write UDPv4: Message too large (code=90) 
    20161118 11:18:56 NOTE: --mute triggered... 
    20161118 11:25:25 39 variation(s) on previous 3 message(s) suppressed by --mute 
    20161118 11:25:25 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3921917 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 
    20161118 11:25:25 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3921918 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 
    20161118 11:25:25 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3921919 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 
    20161118 11:25:25 NOTE: --mute triggered... 
    20161118 11:29:21 19 variation(s) on previous 3 message(s) suppressed by --mute 

    These two errors are most likely related to each other. What seems to be happening is that packets are too large and don't fit your internet connection, and are therefore dropped. As a result of this, packets that the PIA server will also be fragmented, resulting in the packet not matching the signature and thus causing this error.

    Try adding "mssfix 1300" to your configuration and restart the VPN, see if that helps with it. This should make it so OpenVPN reports the size of the tunnel being only 1300 bytes instead of 1500, so applications send smaller packets.
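
Added example, not part of the comment above: a short Python tally of the two messages it discusses, which also counts the entries hidden by the `mute 3` setting in the posted configuration. The sample lines are copied from the original post's log with the trailing man-page hint trimmed; the function and category names are assumptions, as is attributing each "suppressed" count to the message category logged just before it.

```python
import re

# Lines from the original post's log (trailing hint text trimmed).
SAMPLE = """\
20161118 10:52:50 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2382953 ]
20161118 10:52:50 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2382954 ]
20161118 10:52:50 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2382955 ]
20161118 10:52:50 NOTE: --mute triggered...
20161118 11:00:38 16 variation(s) on previous 3 message(s) suppressed by --mute
20161118 11:00:38 N write UDPv4: Message too large (code=90)
20161118 11:00:38 N write UDPv4: Message too large (code=90)
20161118 11:00:38 N write UDPv4: Message too large (code=90)
20161118 11:00:40 NOTE: --mute triggered...
20161118 11:01:48 4 variation(s) on previous 3 message(s) suppressed by --mute
20161118 11:01:48 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2784264 ]
20161118 11:01:48 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2784267 ]
20161118 11:01:48 N Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2784268 ]
20161118 11:01:48 NOTE: --mute triggered...
20161118 11:02:57 46 variation(s) on previous 3 message(s) suppressed by --mute
"""

BAD_ID = re.compile(r"bad packet ID \(may be a replay\): \[ #(\d+) \]")
MUTED = re.compile(r"(\d+) variation\(s\) on previous \d+ message\(s\) suppressed by --mute")
TOO_LARGE = "Message too large (code=90)"


def tally(log_text):
    """Count logged and --mute-suppressed events per message category."""
    counts = {}
    last = None  # category of the most recent counted message
    for line in log_text.splitlines():
        muted = MUTED.search(line)
        if muted:
            if last:  # assumption: suppressed entries belong to the preceding category
                counts[last]["suppressed"] += int(muted.group(1))
            continue
        if BAD_ID.search(line):
            last = "bad_packet_id"
        elif TOO_LARGE in line:
            last = "msg_too_large"
        else:
            continue  # e.g. "NOTE: --mute triggered..." keeps the current category
        counts.setdefault(last, {"logged": 0, "suppressed": 0})["logged"] += 1
    return counts


if __name__ == "__main__":
    for category, c in tally(SAMPLE).items():
        print(category, "logged:", c["logged"], "suppressed:", c["suppressed"])
```

On these lines the visible log shows 6 bad-packet-ID entries while 62 more were suppressed, so the muted log understates how often the error occurs.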
  • I have the same error.

    I'm running Tomato 1.28.0000 -140 K26ARM USB VPN on a Netgear R7000.

    Everything was sweet until I configured the VPN.

    My log is a constant stream of:

    May 17 11:58:10 Router daemon.err openvpn[4856]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #45392 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    May 17 11:58:16 Router daemon.err openvpn[4856]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #45393 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    May 17 11:58:16 Router daemon.err openvpn[4856]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #45394 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

    I tried the above "mssfix 1300" without success.

    Does anyone else have any ideas or should I also just go straight to tech support?

