Bad compression stub decompression header byte

I'm setting up a docker container for the first time and everything seems to be going great except getting OpenVPN working with PIA. Specifically it's this container image: https://hub.docker.com/r/h1f0x/rtorrent-rutorrent-openvpn

The container is running and I can navigate the ruTorrent GUI no problem. I haven't added any torrents to the client. Network function appears to be fine when the OpenVPN client.conf isn't present. When I did set up client.conf and vpn.auth initially I was getting an authentication error in the openvpn.log until I added the following lines to the config file:

auth-nocache
pull-filter ignore "auth-token"

If those flags shouldn't be necessary LMK.  After adding those lines I'm still getting what appears to be some kind of failed connection loop regarding compression?

The following entries appear to be relevant:
Bad compression stub decompression header byte: 34
Bad compression stub decompression header byte: 253

Then dozens of this entry
Authenticate/Decrypt packet error: bad packet ID (may be a replay):

and finally
SIGUSR1[soft,ping-restart] received, process restarting

More complete log here
WARNING: file '/config/vpn/vpn.auth' is group or others accessible
OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! $
TCP/UDP: Preserving recently used remote address: [AF_INET]172.83.40.106:1198
UDP link local: (not bound)
UDP link remote: [AF_INET]172.83.40.106:1198
[5e46ade801ab1b9766c19394f94cc8b1] Peer Connection Initiated with [AF_INET]172.83.40.106:1198
******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! $
TUN/TAP device tun0 opened
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 local 10.70.10.10 peer 10.70.10.9
/usr/bin/up.sh tun0 1500 1525 10.70.10.10 10.70.10.9 init
Initialization Sequence Completed
Bad compression stub decompression header byte: 34
Bad compression stub decompression header byte: 253
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #4243525401 ] -- see the man page entry for --no-replay and --replay-window for more info or silence$
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #720706143 ] -- see the man page entry for --no-replay and --replay-window for more info or silence $
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #124668924 ] -- see the man page entry for --no-replay and --replay-window for more info or silence $
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3291231853 ] -- see the man page entry for --no-replay and --replay-window for more info or silence$
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3209973897 ] -- see the man page entry for --no-replay and --replay-window for more info or silence$
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3866437408 ] -- see the man page entry for --no-replay and --replay-window for more info or silence$
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #4210362644 ] -- see the man page entry for --no-replay and --replay-window for more info or silence$
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3834957214 ] -- see the man page entry for --no-replay and --replay-window for more info or silence$
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3773488224 ] -- see the man page entry for --no-replay and --replay-window for more info or silence$
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2102376070 ] -- see the man page entry for --no-replay and --replay-window for more info or silence$
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3816038692 ] -- see the man page entry for --no-replay and --replay-window for more info or silence$
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2471859636 ] -- see the man page entry for --no-replay and --replay-window for more info or silence$
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1289166477 ] -- see the man page entry for --no-replay and --replay-window for more info or silence$
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1131687246 ] -- see the man page entry for --no-replay and --replay-window for more info or silence$
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2374922800 ] -- see the man page entry for --no-replay and --replay-window for more info or silence$
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1080031410 ] -- see the man page entry for --no-replay and --replay-window for more info or silence$
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #635308182 ] -- see the man page entry for --no-replay and --replay-window for more info or silence $
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3748519453 ] -- see the man page entry for --no-replay and --replay-window for more info or silence$
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1423800989 ] -- see the man page entry for --no-replay and --replay-window for more info or silence$
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2776875854 ] -- see the man page entry for --no-replay and --replay-window for more info or silence$
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1532040005 ] -- see the man page entry for --no-replay and --replay-window for more info or silence$
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1798927006 ] -- see the man page entry for --no-replay and --replay-window for more info or silence$
Bad compression stub decompression header byte: 234

[5e46ade801ab1b9766c19394f94cc8b1] Inactivity timeout (--ping-restart), restarting
SIGUSR1[soft,ping-restart] received, process restarting
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
TCP/UDP: Preserving recently used remote address: [AF_INET]172.83.40.106:1198
UDP link local: (not bound)
UDP link remote: [AF_INET]172.83.40.106:1198
[5e46ade801ab1b9766c19394f94cc8b1] Peer Connection Initiated with [AF_INET]172.83.40.106:1198
******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! $
Preserving previous TUN/TAP instance: tun0
NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
/sbin/ip addr del dev tun0 local 10.70.10.10 peer 10.70.10.9
/usr/bin/down.sh tun0 1500 1526 10.70.10.10 10.70.10.9 init
TUN/TAP device tun0 opened
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 local 10.8.10.6 peer 10.8.10.5
/usr/bin/up.sh tun0 1500 1526 10.8.10.6 10.8.10.5 init
Initialization Sequence Completed
Bad compression stub decompression header byte: 21
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1891223326 ] -- see the man page entry for --no-replay and --replay-window for more info or silence$
Bad compression stub decompression header byte: 135
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2208848209 ] 

I made sure I downloaded the OpenVPN 2.4 config file and made a few changes as follows

client
dev tun
proto udp
remote ca-vancouver.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher none
auth sha1
tls-client
remote-cert-tls server

auth-user-pass /config/vpn/vpn.auth

script-security 2
up /usr/bin/up.sh
down /usr/bin/down.sh

log-append /config/vpn/openvpn.log

verb 1
reneg-sec 0

<crl-verify>
-----BEGIN X509 CRL-----
-----END X509 CRL-----
</crl-verify>

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

disable-occ
The first time I observed the error loop the "compress" flag was present in the client.conf exactly as it is in the download template but no algorithm flag was set.  I removed the compress flag altogether, yet the error loop remains.  I appreciate your guidance in figuring this out.
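One way to triage a log like the one above, as an added example that is not part of the original post: it splits openvpn.log output into tunnel sessions (from "Initialization Sequence Completed" to the SIGUSR1 soft restart), counts the compression-stub and bad-packet-ID errors in each, and flags the '--cipher none' and auth-file permission warnings. The sample log is a constructed abridgement of the excerpts posted above.

```python
import re
from collections import Counter

# Constructed sample, abridged from the openvpn.log excerpts posted in the thread.
SAMPLE_LOG = """\
WARNING: file '/config/vpn/vpn.auth' is group or others accessible
******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed
Initialization Sequence Completed
Bad compression stub decompression header byte: 34
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #4243525401 ]
Bad compression stub decompression header byte: 253
SIGUSR1[soft,ping-restart] received, process restarting
Initialization Sequence Completed
Bad compression stub decompression header byte: 21
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1891223326 ]
SIGUSR1[soft,ping-restart] received, process restarting
"""

# Per-session error lines, counted between "Initialization Sequence Completed"
# and the SIGUSR1 soft restart that ends that tunnel session.
SESSION_EVENTS = {
    "bad_compression_stub": re.compile(r"^Bad compression stub decompression header byte"),
    "bad_packet_id": re.compile(r"^Authenticate/Decrypt packet error: bad packet ID"),
}
RESTART = re.compile(r"^SIGUSR1\[soft,(?P<reason>[^\]]+)\] received")

# Whole-log warnings worth surfacing regardless of the restart loop.
GLOBAL_FLAGS = {
    "plaintext_tunnel": re.compile(r"'--cipher none' was specified"),
    "auth_file_permissions": re.compile(r"^WARNING: file '[^']+' is group or others accessible"),
}

def parse_sessions(log_text):
    """Split the log into tunnel sessions; return (sessions, matched_flags)."""
    sessions, flags, current = [], set(), None
    for line in log_text.splitlines():
        flags.update(name for name, rx in GLOBAL_FLAGS.items() if rx.search(line))
        if line.startswith("Initialization Sequence Completed"):
            current = {"events": Counter(), "restart_reason": None}
            sessions.append(current)
        elif current is not None:
            m = RESTART.match(line)
            if m:
                current["restart_reason"] = m.group("reason")
                current = None  # session over; wait for the next init
            else:
                for name, rx in SESSION_EVENTS.items():
                    if rx.match(line):
                        current["events"][name] += 1
    return sessions, flags

def is_restart_loop(sessions, min_sessions=2):
    """True when at least min_sessions completed and every one ended in a soft restart."""
    ended = sum(1 for s in sessions if s["restart_reason"] is not None)
    return len(sessions) >= min_sessions and ended == len(sessions)
```

Run it against a real openvpn.log by passing the file's contents to parse_sessions; a run where every session ends in "ping-restart" alongside the per-session error counts is the pattern this thread is chasing.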

Comments

  • Looks like it's getting choked out from torrenting. The Authenticate/Decrypt packet error: bad packet ID is caused by using UDP + torrenting and the fragmentation of the packets.

    Decrease the global connections under 200 in your client and add this to your config:

    mssfix 1350

    You can go up to 1450 on this btw.

  • Indeed I am trying to use the PIA UDP config file.  I appreciate your guidance.  I changed rtorrent's config from 250 down to 200 as you indicated.  (No torrents are loaded in the client, yet it sounds like it's still necessary)

     throttle.max_uploads.global.set = 200

    Also I set mssfix 1350 in OpenVPN's config file.

    Unfortunately no dice.  I also tried mssfix 1450.  No dice with that either.  The logs appear pretty much unchanged in that up to a half dozen Bad compression stub decompression entries will appear, then up to a couple dozen Authenticate/Decrypt packet error: bad packet ID entries, and finally the SIGUSR1[soft,ping-restart] received, process restarting.  I think my credentials are authenticating fine and I'm pulling an IP from PIA's servers fine.  I figure it's just something with the MTU and UDP etc as you indicate.

    Let me know if you'd like me to change the verbosity log level or what's next to tweak.  I greatly appreciate your help.

    Truncated UDP Log After Changes
    TUN/TAP device tun0 opened
    /sbin/ip link set dev tun0 up mtu 1500
    /sbin/ip addr add dev tun0 local 10.61.10.6 peer 10.61.10.5
    /usr/bin/up.sh tun0 1500 1525 10.61.10.6 10.61.10.5 init
    Initialization Sequence Completed
    

    EDIT:
    I just switched to a PIA TCP config.  Doing so the MTU stuff like Bad compression stub AND Authenticate/Decrypt packet error are no longer logged.  Yet, I'm running into Connection reset, restarting [0] after the Initialization Sequence Completes.  I'll get back to UDP after I sort out what appears to be a bigger problem.  Any ideas?

    I've been logged on as root in the hopes of successfully testing this out and was going to harden it once everything's working.  Yet, I've heard counterintuitively that some things fail when logged in as root under Linux.  Maybe OpenVPN is one such example?


    Latest log with TCP config
    WARNING: file '/config/vpn/vpn.auth' is group or others accessible
    OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
    library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
    NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! $
    TCP/UDP: Preserving recently used remote address: [AF_INET]172.83.40.102:502
    Attempting to establish TCP connection with [AF_INET]172.83.40.102:502 [nonblock]
    TCP connection established with [AF_INET]172.83.40.102:502
    TCP_CLIENT link local: (not bound)
    TCP_CLIENT link remote: [AF_INET]172.83.40.102:502
    WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    [4d8b2d304afd8cbbf335906f915fbd3c] Peer Connection Initiated with [AF_INET]172.83.40.102:502
    ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! $
    TUN/TAP device tun0 opened
    /sbin/ip link set dev tun0 up mtu 1500
    /sbin/ip addr add dev tun0 local 10.38.1.22 peer 10.38.1.21
    /usr/bin/up.sh tun0 1500 1528 10.38.1.22 10.38.1.21 init
    Initialization Sequence Completed
    Connection reset, restarting [0]
    SIGUSR1[soft,connection-reset] received, process restarting
    WARNING: --ping should normally be used with --ping-restart or --ping-exit
    NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    TCP/UDP: Preserving recently used remote address: [AF_INET]172.83.40.102:502
    Attempting to establish TCP connection with [AF_INET]172.83.40.102:502 [nonblock]
    TCP connection established with [AF_INET]172.83.40.102:502
    TCP_CLIENT link local: (not bound)
    TCP_CLIENT link remote: [AF_INET]172.83.40.102:502
    [4d8b2d304afd8cbbf335906f915fbd3c] Peer Connection Initiated with [AF_INET]172.83.40.102:502
    ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! $
    Preserving previous TUN/TAP instance: tun0
    NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
    /sbin/ip addr del dev tun0 local 10.38.1.22 peer 10.38.1.21
    /usr/bin/down.sh tun0 1500 1528 10.38.1.22 10.38.1.21 init
    TUN/TAP device tun0 opened
    /sbin/ip link set dev tun0 up mtu 1500
    /sbin/ip addr add dev tun0 local 10.36.1.10 peer 10.36.1.9
    /usr/bin/up.sh tun0 1500 1528 10.36.1.10 10.36.1.9 init
    Initialization Sequence Completed
    Connection reset, restarting [0]
    SIGUSR1[soft,connection-reset] received, process restarting
    ACTUAL TCP CONFIG (certs present in real config...omitted for shorter forum post)
    client
    dev tun
    proto tcp
    remote ca-vancouver.privateinternetaccess.com 502
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    cipher none
    auth sha1
    tls-client
    remote-cert-tls server
    
    pull-filter ignore "auth-token"
    
    auth-user-pass /config/vpn/vpn.auth
    compress
    
    script-security 2
    up /usr/bin/up.sh
    down /usr/bin/down.sh
    
    log-append /config/vpn/openvpn.log
    
    verb 1
    reneg-sec 0
    
    disable-occ

  • I do see the following in the logs above (both sets):
    ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! $
    This means that you have no encryption selected. You will need to add a line to your .ovpn config file :smile:
    cipher aes-128-gcm

    When connecting to the PIA servers, all information needs to come from the same line of the table located at: https://www.privateinternetaccess.com/helpdesk/kb/articles/which-encryption-auth-settings-should-i-use-for-ports-on-your-gateways-2. (AES-128-GCM can be substituted for AES-128-CBC. GCM is a more efficient cipher than CBC, and will provide an equal amount of security, but is less processor intensive.)
  • edited October 2019
    Hello Jerry.  I think you've misunderstood the nature of the problem which appears to be the connection being reset for some reason.

    Yes, I did have encryption disabled since I have a minuscule CPU that also lacks the AES-NI instruction set.  Though I've used PIA without encryption with the PIA proprietary client and it has seemed to function fine, I went ahead and added back aes-128-gcm in the event that PIA has the no-encryption option disabled server side with OpenVPN??

    Unfortunately the ill behavior persists.
    Connection reset, restarting [0]
    I also tried Toronto and observe the same behavior.

    Let me know if you'd like me to change the verbosity log level or what to try next.  I greatly appreciate your help.

    Per this thread I'm guessing I've boned this by not opening the chosen UDP or TCP ports specified in the oVPN config. 
    https://ubuntuforums.org/archive/index.php/t-1543367.html

    In my case TCP 502 or UDP 1198.  I'm new to CentOS and Docker.  I'm imagining that I have to "publish" (open) the ports in Docker and also in the CentOS docker container.  Heck I may even have to open the ports in the Debian host OS that Docker is running on.  LMK if I have the right idea and thanks a million for your patience.

  • In this case I'm convinced the Connection reset, restarting [0] was coming from stuff in the up.sh.  As soon as I omitted it I connected okay.  Thanks for your help.