OpenVPN packets are changed when passing NAT

a week ago - last edited Friday
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.4.1 Build 20240117 Rel.57421

I have set up OpenVPN (2.6.10) on a Linux server and configured a client on the other side of our router. I forward port 1195 on the router to 1194 (the standard OpenVPN port) on the Linux server, and UDP packets from the client reach the openvpn service; however, I see the following errors in the server log:


Authenticate/Decrypt packet error: packet HMAC authentication failed
TLS Error: incoming packet authentication failed from [AF_INET]80.76.58.95:43399
Authenticate/Decrypt packet error: packet HMAC authentication failed
TLS Error: incoming packet authentication failed from [AF_INET]80.76.58.95:43399
Authenticate/Decrypt packet error: packet HMAC authentication failed
TLS Error: incoming packet authentication failed from [AF_INET]80.76.58.95:43399

 

Tracing the UDP packets with tcpdump both on the client and the server, I see that the packets that reach the server are corrupted:


# cat zorn.txt
No.     Time           Source                Destination           Protocol Length Info
      1 0.000000       80.76.58.95           192.168.50.111        OpenVPN  96     MessageType: P_CONTROL_HARD_RESET_CLIENT_V2[Malformed Packet]

Frame 1: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Tp-LinkT_56:25:fc (28:ee:52:56:25:fc), Dst: ASRockIn_c0:b6:03 (a8:a1:59:c0:b6:03)
Internet Protocol Version 4, Src: 80.76.58.95, Dst: 192.168.50.111
User Datagram Protocol, Src Port: 43500, Dst Port: 1194
OpenVPN Protocol
[Malformed Packet: OpenVPN]

...


Which settings on the router could have that effect?
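
An added example, written for this page and not taken from the post or from OpenVPN's own source, that builds and checks a tls-auth wrapped P_CONTROL_HARD_RESET_CLIENT_V2 the way the server-side check behind "packet HMAC authentication failed" does. Two things are worth seeing in it. The HMAC is computed over OpenVPN's own bytes (replay packet-id, timestamp, opcode/key-id, session ID and the control payload) and never over the outer IP/UDP header, so a router that only translates addresses and ports cannot make this check fail by itself; a static key that differs between the two ends, a wrong key-direction, or a different --auth digest on one side can. Second, the 96-byte frames in both captures carry 96 - 14 - 20 - 8 = 54 bytes of UDP payload, which is exactly the size of a HARD_RESET_CLIENT_V2 wrapped with tls-auth and a 32-byte SHA256 HMAC (9 + 32 + 8 + 5; a tls-crypt wrapped one has the same size), so the client is sending a wrapped control packet and the example assumes SHA256. Wireshark's OpenVPN dissector only parses such packets correctly when its tls-auth preferences (detection and HMAC size) are set; otherwise it tends to report them as [Malformed Packet], which says nothing about corruption. The static key, session ID and timestamp are constructed; the 256-byte key slot layout and the key-direction mapping are stated in the comments as this example's assumptions about OpenVPN's behaviour.

```python
"""Added example (not OpenVPN's code): build and verify a tls-auth wrapped
P_CONTROL_HARD_RESET_CLIENT_V2 to show what the server's HMAC check covers."""
import hashlib
import hmac
import os
import struct

P_CONTROL_HARD_RESET_CLIENT_V2 = 7
SID_SIZE = 8            # session id
PID_SIZE = 8            # long-form replay packet-id: 4-byte id + 4-byte net_time
DIGEST = hashlib.sha256  # assumed --auth SHA256: a 32-byte HMAC gives the 54-byte payload in the captures


def tls_auth_keys(static_key: bytes, key_direction: int):
    """(send_key, recv_key) from the 256 decoded bytes of an OpenVPN static key.
    Assumed layout (OpenVPN's struct key2): cipher0 | hmac0 | cipher1 | hmac1,
    64 bytes each. key-direction 0 sends with hmac0 and receives with hmac1,
    key-direction 1 the inverse; only digest_size bytes of a slot are used."""
    if len(static_key) != 256 or key_direction not in (0, 1):
        raise ValueError("need a 256-byte static key and key-direction 0 or 1")
    n = DIGEST().digest_size
    hmac0, hmac1 = static_key[64:64 + n], static_key[192:192 + n]
    return (hmac0, hmac1) if key_direction == 0 else (hmac1, hmac0)


def build_hard_reset(send_key, session_id, packet_id, net_time):
    """Wire format with tls-auth: op/key_id(1) | session_id(8) | HMAC | packet_id(4)
    | net_time(4) | ack_len(1) | message packet-id(4).  The HMAC input is
    packet_id || net_time || op/key_id || session_id || ack_len || message
    packet-id: only OpenVPN's own bytes, never the outer IP/UDP header."""
    op_sid = bytes([(P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | 0]) + session_id
    pid = struct.pack("!II", packet_id, net_time)
    body = bytes([0]) + struct.pack("!I", 0)    # no acks, message packet-id 0
    mac = hmac.new(send_key, pid + op_sid + body, DIGEST).digest()
    return op_sid + mac + pid + body


def verify_tls_auth(recv_key, udp_payload):
    """The check behind 'packet HMAC authentication failed': recompute the HMAC
    with the receive-direction key over the same bytes and compare."""
    n = DIGEST().digest_size
    h = 1 + SID_SIZE
    if len(udp_payload) < h + n + PID_SIZE + 1:
        return False
    op_sid, mac = udp_payload[:h], udp_payload[h:h + n]
    pid, body = udp_payload[h + n:h + n + PID_SIZE], udp_payload[h + n + PID_SIZE:]
    expected = hmac.new(recv_key, pid + op_sid + body, DIGEST).digest()
    return hmac.compare_digest(mac, expected)


def parse_header(udp_payload):
    """The fields a dissector can read without the key (what Wireshark shows)."""
    return {"opcode": udp_payload[0] >> 3, "key_id": udp_payload[0] & 7,
            "session_id": udp_payload[1:1 + SID_SIZE].hex()}


def demo():
    """Outcome of the server-side check in four situations."""
    ta_key = bytes(range(256))                     # constructed stand-in for ta.key
    client_send, _ = tls_auth_keys(ta_key, 1)      # client: tls-auth ta.key 1
    _, server_recv = tls_auth_keys(ta_key, 0)      # server: tls-auth ta.key 0
    pkt = build_hard_reset(client_send, os.urandom(SID_SIZE), 0, 1700000000)
    wrong_direction = tls_auth_keys(ta_key, 1)[1]  # server also set to direction 1
    other_key = tls_auth_keys(bytes(256), 0)[1]    # server holds a different ta.key
    damaged = pkt[:-1] + bytes([pkt[-1] ^ 0x01])   # one payload byte flipped in transit
    return {
        "udp_payload_len": len(pkt),
        "header": parse_header(pkt),
        "matching_config": verify_tls_auth(server_recv, pkt),
        "wrong_key_direction": verify_tls_auth(wrong_direction, pkt),
        "different_static_key": verify_tls_auth(other_key, pkt),
        "payload_corrupted": verify_tls_auth(server_recv, damaged),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running demo() gives a 54-byte payload with opcode 7 that verifies only when the receiving side holds the same static key in the opposite key-direction; the real server additionally enforces a replay window on the packet-id and timestamp, which this example leaves out.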

Re:OpenVPN packets are changed when passing NAT
a week ago

Hi @j4nd3r53n 

Thanks for posting in our business forum.

1. A malformed packet does not mean a problem unless you can list a problem with symptoms. I used to see malformed packets in Wireshark but it always stands for a problem.

2. Diagram. What do you mean by this line?

j4nd3r53n wrote

I have set up OpenVPN (2.6.10) on a Linux server and configured a client on the other side of our router. I forward port 1195 on the router to 1194 (the standard OpenVPN port) on the Linux server, and UDP packets from the client reach the openvpn service; however, I see the following errors in the server log:

Re:OpenVPN packets are changed when passing NAT
a week ago

Hi @Clive_A, to answer your points,


  1. The problem, as shown by the extract from the OpenVPN log, is that HMAC authentication fails, which means the OpenVPN client can't establish a session with the server.
  2. A diagram - like this?

So, like in all VPNs, a client computer outside the LAN seeks to establish a private network session, which allows it to communicate with other systems on the LAN. This particular router has its own OpenVPN service, but for various reasons I want to use a different service, which I have configured on the Server. I have created a NAT rule on the router to forward port 1195 (since the OpenVPN service on the router currently uses 1194) to port 1194 on the Server. When the client connection starts, it sends a UDP packet with the HMAC authentication info, and when that arrives on the Server, it has been changed and is no longer valid, so the authentication fails, as shown in the log.


I can see this in the following net trace, created with tcpdump:

From client:


No.     Time           Source                Destination           Protocol Length Info
      1 0.000000       192.168.1.213         x.x.x.x               UDP      96     57360 → 1195 Len=54

Frame 1: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: LCFCHefe_fa:ee:43 (6c:24:08:fa:ee:43), Dst: BelkinIn_76:b9:20 (80:69:1a:76:b9:20)
Internet Protocol Version 4, Src: 192.168.1.213, Dst: 94.176.208.177
User Datagram Protocol, Src Port: 57360, Dst Port: 1195
Data (54 bytes)

0000  [Edited hex dump]
0010  [Edited hex dump]
0020  [Edited hex dump]
0030  [Edited hex dump]

 

From server:


No.     Time           Source                Destination           Protocol Length Info
      1 0.000000       x.x.x.x               192.168.50.111        OpenVPN  96     MessageType: P_CONTROL_HARD_RESET_CLIENT_V2[Malformed Packet]

Frame 1: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Tp-LinkT_56:25:fc (28:ee:52:56:25:fc), Dst: ASRockIn_c0:b6:03 (a8:a1:59:c0:b6:03)
Internet Protocol Version 4, Src: 80.76.58.95, Dst: 192.168.50.111
User Datagram Protocol, Src Port: 43500, Dst Port: 1194

Something has happened on the way, and as far as I can see, this must happen in the router. ChatGPT makes some suggestions that seem plausible, but I haven't been able to find any settings on the router (using the Omada interface) that match: it lists VPN Passthrough, ALG settings, MTU settings and UDP timeout, as well as QoS, as potential things to look at. As I said, I haven't found any settings that would appear to touch on NAT and OpenVPN.
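
An added example, not part of the thread, for the comparison the two traces above are meant to make: rebuild each frame from the `0xNNNN:` hex rows that `tcpdump -xx` prints, strip the Ethernet, IPv4 and UDP headers, and diff only the UDP payloads. Across a port forward the outer source address and port, the destination address and port, and the UDP checksum (it covers an IP pseudo-header, so NAT must recompute it) are all expected to change; the payload must not. If the payloads are byte-for-byte equal, whatever the server logs is not the router's doing; if they differ, the first differing offset tells you what was touched. A datagram whose checksum the NAT failed to fix would be dropped by the server's kernel before openvpn ever saw it, so it could not produce an HMAC error either. The two frames are constructed here with the private addresses from the traces, documentation-range stand-ins for the public addresses, and a 54-byte placeholder payload so the script runs offline; to use it for real, paste the `tcpdump -xx` output of the same datagram from both hosts into compare_across_nat().

```python
"""Added example (not from the thread): compare the UDP payloads of a
client-side and a server-side `tcpdump -xx` capture of the same datagram."""
import re
import struct

HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]{4}:\s+((?:[0-9a-fA-F]{2,4}\s*)+)$")


def frame_from_tcpdump_xx(text):
    """Rebuild one frame from the '0xNNNN:  4500 0052 ...' rows tcpdump -xx prints."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)


def parse_udp_frame(frame):
    """Ethernet II + IPv4 + UDP -> the outer fields NAT may rewrite, and the payload."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet II / IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    sport, dport, ulen, csum = struct.unpack("!HHHH", udp[:8])
    if ulen != len(udp):
        raise ValueError("UDP length field disagrees with IP total length")
    ip4 = lambda b: ".".join(str(x) for x in b)
    return {"src": (ip4(ip[12:16]), sport), "dst": (ip4(ip[16:20]), dport),
            "udp_checksum": csum, "payload": udp[8:]}


def compare_across_nat(client_side_text, server_side_text):
    """Outer headers are expected to differ across a port forward; payloads must not."""
    a = parse_udp_frame(frame_from_tcpdump_xx(client_side_text))
    b = parse_udp_frame(frame_from_tcpdump_xx(server_side_text))
    pa, pb = a["payload"], b["payload"]
    first_diff = next((i for i, (x, y) in enumerate(zip(pa, pb)) if x != y), None)
    if first_diff is None and len(pa) != len(pb):
        first_diff = min(len(pa), len(pb))
    return {"outer_rewritten": a["src"] != b["src"] or a["dst"] != b["dst"],
            "payload_len": (len(pa), len(pb)),
            "payload_identical": first_diff is None,
            "first_payload_diff_offset": first_diff}


# --- constructed input so the script runs offline -------------------------
def _ip_checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_udp_frame(src, sport, dst, dport, payload):
    """Ethernet/IPv4/UDP frame with zero MACs and UDP checksum 0 (= none, legal on IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    return bytes(12) + b"\x08\x00" + ip + udp


def to_tcpdump_xx(frame):
    """Render a frame the way `tcpdump -xx` prints it (summary line, then hex rows)."""
    rows = ["12:00:00.000000 IP constructed > constructed: UDP, length %d" % (len(frame) - 42)]
    for off in range(0, len(frame), 16):
        chunk = frame[off:off + 16]
        rows.append("\t0x%04x:  %s" % (off, " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))))
    return "\n".join(rows)


def demo():
    payload = bytes([0x38]) + bytes(range(53))   # 54-byte stand-in for the HARD_RESET in the traces
    client = to_tcpdump_xx(build_udp_frame("192.168.1.213", 57360, "203.0.113.10", 1195, payload))
    server = to_tcpdump_xx(build_udp_frame("198.51.100.7", 43500, "192.168.50.111", 1194, payload))
    damaged = to_tcpdump_xx(build_udp_frame("198.51.100.7", 43500, "192.168.50.111", 1194,
                                            payload[:20] + b"\xff" + payload[21:]))
    return {"clean_port_forward": compare_across_nat(client, server),
            "payload_damaged": compare_across_nat(client, damaged)}


if __name__ == "__main__":
    print(demo())
```

The constructed frames are 96 bytes, like the ones in the traces; the "clean" pair reports the outer headers rewritten and the payloads identical, the "damaged" pair reports the first differing payload offset.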

Re:OpenVPN packets are changed when passing NAT
Thursday - last edited Thursday

Hi @j4nd3r53n 

Thanks for posting in our business forum.

j4nd3r53n wrote

Hi @Clive_A, to answer your points, [...]

Forget about the GPT recommendations. They don't relate to the issue.


The IPs and ports are not the same. The diagram explains the basic stuff but it does not reflect the IPs and ports.

The router in the diagram is the ER7206?

What's this IP? 80.76.58.95

WAN Interface on the router, screenshot it and what's the IP address of it?


Since you set up the VPN server, have you tested in the LAN that you could make a connection to your server 192.168.50.111? Locally, test the OVPN connectivity.


P.S.

I was messaged by the dev that we did not replicate what you described in our lab environment.

We require the following information:

1. OVPN server and client config for the purpose of reviewing if there is any error.

2. A backup of your router.

Do not upload your backup. Please prepare that and message me back. I will create a ticket to follow up on your case.

Re:OpenVPN packets are changed when passing NAT-Solution
Thursday - last edited Friday

Hi @Clive_A


Thanks for your reply. I've now got a little more time to dive into this subject, and I have tested this on our LAN - it still fails to connect, so the problem doesn't seem to be on the router as I thought. It does, in fact, look very odd: the packets I see with tcpdump on the client don't seem to be related to what is received on the NIC on the server, as read by nc -u -l -p 1194 -n -o nc.data, but I'll have to look more into whether I understand this correctly.


However, to answer your questions:


The router in the diagram is ER7206 (v1)

I don't know what the IP address 80.76.58.95 is; I can't find it anywhere on our net or on the router. It isn't the external address, certainly.


I will pursue this with the OpenVPN team - thank you for pointing me towards testing it on the LAN, I hadn't thought of that.

Recommended Solution