Hi @j4nd3r53n 

Thanks for posting in our business forum.

1. A malformed packet does not mean a problem unless you can list a problem with symptoms. I used to see malformed packets in Wireshark but it always stands for a problem.

2. Diagram. What do you mean by this line?

j4nd3r53n wrote

I have set up OpenVPN (2.6.10) on a Linux server and configured a client on the other side of our router. I forward port 1195 on the router to 1194 (the standard OpenVPN port) on the Linux server, and UDP packets from the client reach the openvpn service; however, I see the following errors in the server log:

 Hi @Clive_A, to answer your points,

1. The problem, as shown by the extract from the OpenVPN log, is that HMAC authentication fails, which means the OpenVPN client can't establish a session with the server.
2. A diagram - like this?

So, like in all VPNs, a client computer outside the LAN seeks to establish a private network session, which allows it to communicate with other systems on the LAN. This particular router has its own OpenVPN service, but for various reasons I want to use a different service, which I have configured on the Server. I have created a NAT rule on the router, to forward port 1195 (since the OpenVPN service on the router is currently use 1194) to port 1194 on the Server. When the client connection starts, it sends a UDP packet with the HMAC authentication info, and when that arrives on the Server, it has been changed and is no longer valid, so the authentication fails, as shown in the log.

I can see this in the following net trace, created with tcpdump:

From client:

No.     Time           Source                Destination           Protocol Length Info
      1 0.000000       192.168.1.213         x.x.x.x               UDP      96     57360 → 1195 Len=54

Frame 1: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: LCFCHefe_fa:ee:43 (6c:24:08:fa:ee:43), Dst: BelkinIn_76:b9:20 (80:69:1a:76:b9:20)
Internet Protocol Version 4, Src: 192.168.1.213, Dst: 94.176.208.177
User Datagram Protocol, Src Port: 57360, Dst Port: 1195
Data (54 bytes)

0000  [Edited hex dump]
0010  [Edited hex dump]
0020  [Edited hex dump]
0030  [Edited hex dump]

From server:

No.     Time           Source                Destination           Protocol Length Info
      1 0.000000       x.x.x.x               192.168.50.111        OpenVPN  96     MessageType: P_CONTROL_HARD_RESET_CLIENT_V2[Malformed Packet]

Frame 1: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Tp-LinkT_56:25:fc (28:ee:52:56:25:fc), Dst: ASRockIn_c0:b6:03 (a8:a1:59:c0:b6:03)
Internet Protocol Version 4, Src: 80.76.58.95, Dst: 192.168.50.111
User Datagram Protocol, Src Port: 43500, Dst Port: 1194
 

Something has happened on the way, and as far as I can see, this must happen in the router - ChatGPT makes some suggestions that seem plausible, but I haven't been able to find any settings on the router (using the omada interface) that match - it lists VPN Passthrough, ALG settings, MTU settings and UDP timeout, as well as QoS as potential things to look at. As I said, I haven't found any settings that would appear to touch on NAT and OpenVPN.

Hi @j4nd3r53n 

Thanks for posting in our business forum.

j4nd3r53n wrote

 Hi @Clive_A, to answer your points,

 

1. The problem, as shown by the extract from the OpenVPN log, is that HMAC authentication fails, which means the OpenVPN client can't establish a session with the server.
2. A diagram - like this?

So, like in all VPNs, a client computer outside the LAN seeks to establish a private network session, which allows it to communicate with other systems on the LAN. This particular router has its own OpenVPN service, but for various reasons I want to use a different service, which I have configured on the Server. I have created a NAT rule on the router, to forward port 1195 (since the OpenVPN service on the router is currently use 1194) to port 1194 on the Server. When the client connection starts, it sends a UDP packet with the HMAC authentication info, and when that arrives on the Server, it has been changed and is no longer valid, so the authentication fails, as shown in the log.

 

I can see this in the following net trace, created with tcpdump:

 

From client:

 

No.     Time           Source                Destination           Protocol Length Info
      1 0.000000       192.168.1.213         x.x.x.x               UDP      96     57360 → 1195 Len=54

Frame 1: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: LCFCHefe_fa:ee:43 (6c:24:08:fa:ee:43), Dst: BelkinIn_76:b9:20 (80:69:1a:76:b9:20)
Internet Protocol Version 4, Src: 192.168.1.213, Dst: 94.176.208.177
User Datagram Protocol, Src Port: 57360, Dst Port: 1195
Data (54 bytes)

0000  [Edited hex dump]
0010  [Edited hex dump]
0020  [Edited hex dump]
0030  [Edited hex dump]

 

From server:

 

No.     Time           Source                Destination           Protocol Length Info
      1 0.000000       x.x.x.x               192.168.50.111        OpenVPN  96     MessageType: P_CONTROL_HARD_RESET_CLIENT_V2[Malformed Packet]

Frame 1: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Tp-LinkT_56:25:fc (28:ee:52:56:25:fc), Dst: ASRockIn_c0:b6:03 (a8:a1:59:c0:b6:03)
Internet Protocol Version 4, Src: 80.76.58.95, Dst: 192.168.50.111
User Datagram Protocol, Src Port: 43500, Dst Port: 1194
 

Something has happened on the way, and as far as I can see, this must happen in the router - ChatGPT makes some suggestions that seem plausible, but I haven't been able to find any settings on the router (using the omada interface) that match - it lists VPN Passthrough, ALG settings, MTU settings and UDP timeout, as well as QoS as potential things to look at. As I said, I haven't found any settings that would appear to touch on NAT and OpenVPN.

Forget about the GPT recommendations. They don't relate to the issue.

The IPs and ports are not the same. The diagram explains the basic stuff but it does not reflect the IPs and ports.

The router in the diagram is the ER7206?

What's this IP? 80.76.58.95

WAN Interface on the router, screenshot it and what's the IP address of it?

Since you set up the VPN server, have you tested in the LAN that you could make a connection to your server 192.168.50.111? Locally, test the OVPN connectivity.

P.S.

I was messaged by the dev that we did not replicate what you described in our lab environment.

We require the following information:

1. OVPN server and client config for the purpose of reviewing if there is any error.

2. A backup of your router. 

Do not upload your backup. Please prepare that and message me back. I will create a ticket for to follow up your case.