OpenVPN packets are changed when passing NAT
I have set up OpenVPN (2.6.10) on a Linux server and configured a client on the other side of our router. I forward port 1195 on the router to 1194 (the standard OpenVPN port) on the Linux server, and UDP packets from the client reach the openvpn service; however, I see the following errors in the server log:
Authenticate/Decrypt packet error: packet HMAC authentication failed
TLS Error: incoming packet authentication failed from [AF_INET]80.76.58.95:43399
Authenticate/Decrypt packet error: packet HMAC authentication failed
TLS Error: incoming packet authentication failed from [AF_INET]80.76.58.95:43399
Authenticate/Decrypt packet error: packet HMAC authentication failed
TLS Error: incoming packet authentication failed from [AF_INET]80.76.58.95:43399
Tracing the UDP packets with tcpdump both on the client and the server, I see the packets the reach the server, are corrupted
# cat zorn.txt
No. Time Source Destination Protocol Length Info
1 0.000000 80.76.58.95 192.168.50.111 OpenVPN 96 MessageType: P_CONTROL_HARD_RESET_CLIENT_V2[Malformed Packet]
Frame 1: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Tp-LinkT_56:25:fc (28:ee:52:56:25:fc), Dst: ASRockIn_c0:b6:03 (a8:a1:59:c0:b6:03)
Internet Protocol Version 4, Src: 80.76.58.95, Dst: 192.168.50.111
User Datagram Protocol, Src Port: 43500, Dst Port: 1194
OpenVPN Protocol
[Malformed Packet: OpenVPN]
...
Which settings on the router could have that effect?
Hi @Clive_A, to answer your points,
- The problem, as shown by the extract from the OpenVPN log, is that HMAC authentication fails, which means the OpenVPN client can't establish a session with the server.
- A diagram - like this?
So, like in all VPNs, a client computer outside the LAN seeks to establish a private network session, which allows it to communicate with other systems on the LAN. This particular router has its own OpenVPN service, but for various reasons I want to use a different service, which I have configured on the Server. I have created a NAT rule on the router, to forward port 1195 (since the OpenVPN service on the router is currently use 1194) to port 1194 on the Server. When the client connection starts, it sends a UDP packet with the HMAC authentication info, and when that arrives on the Server, it has been changed and is no longer valid, so the authentication fails, as shown in the log.
I can see this in the following net trace, created with tcpdump:
From client:
No. Time Source Destination Protocol Length Info
1 0.000000 192.168.1.213 x.x.x.x UDP 96 57360 → 1195 Len=54
Frame 1: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: LCFCHefe_fa:ee:43 (6c:24:08:fa:ee:43), Dst: BelkinIn_76:b9:20 (80:69:1a:76:b9:20)
Internet Protocol Version 4, Src: 192.168.1.213, Dst: 94.176.208.177
User Datagram Protocol, Src Port: 57360, Dst Port: 1195
Data (54 bytes)
0000 [Edited hex dump]
0010 [Edited hex dump]
0020 [Edited hex dump]
0030 [Edited hex dump]
From server:
No. Time Source Destination Protocol Length Info
1 0.000000 x.x.x.x 192.168.50.111 OpenVPN 96 MessageType: P_CONTROL_HARD_RESET_CLIENT_V2[Malformed Packet]
Frame 1: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Tp-LinkT_56:25:fc (28:ee:52:56:25:fc), Dst: ASRockIn_c0:b6:03 (a8:a1:59:c0:b6:03)
Internet Protocol Version 4, Src: 80.76.58.95, Dst: 192.168.50.111
User Datagram Protocol, Src Port: 43500, Dst Port: 1194
Something has happened on the way, and as far as I can see, this must happen in the router - ChatGPT makes some suggestions that seem plausible, but I haven't been able to find any settings on the router (using the omada interface) that match - it lists VPN Passthrough, ALG settings, MTU settings and UDP timeout, as well as QoS as potential things to look at. As I said, I haven't found any settings that would appear to touch on NAT and OpenVPN.
Hi @j4nd3r53n
Thanks for posting in our business forum.
j4nd3r53n wrote
Hi @Clive_A, to answer your points,
- The problem, as shown by the extract from the OpenVPN log, is that HMAC authentication fails, which means the OpenVPN client can't establish a session with the server.
- A diagram - like this?
So, like in all VPNs, a client computer outside the LAN seeks to establish a private network session, which allows it to communicate with other systems on the LAN. This particular router has its own OpenVPN service, but for various reasons I want to use a different service, which I have configured on the Server. I have created a NAT rule on the router, to forward port 1195 (since the OpenVPN service on the router is currently use 1194) to port 1194 on the Server. When the client connection starts, it sends a UDP packet with the HMAC authentication info, and when that arrives on the Server, it has been changed and is no longer valid, so the authentication fails, as shown in the log.
I can see this in the following net trace, created with tcpdump:
From client:
No. Time Source Destination Protocol Length Info
1 0.000000 192.168.1.213 x.x.x.x UDP 96 57360 → 1195 Len=54Frame 1: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: LCFCHefe_fa:ee:43 (6c:24:08:fa:ee:43), Dst: BelkinIn_76:b9:20 (80:69:1a:76:b9:20)
Internet Protocol Version 4, Src: 192.168.1.213, Dst: 94.176.208.177
User Datagram Protocol, Src Port: 57360, Dst Port: 1195
Data (54 bytes)0000 [Edited hex dump]
0010 [Edited hex dump]
0020 [Edited hex dump]
0030 [Edited hex dump]
From server:
No. Time Source Destination Protocol Length Info
1 0.000000 x.x.x.x 192.168.50.111 OpenVPN 96 MessageType: P_CONTROL_HARD_RESET_CLIENT_V2[Malformed Packet]Frame 1: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Tp-LinkT_56:25:fc (28:ee:52:56:25:fc), Dst: ASRockIn_c0:b6:03 (a8:a1:59:c0:b6:03)
Internet Protocol Version 4, Src: 80.76.58.95, Dst: 192.168.50.111
User Datagram Protocol, Src Port: 43500, Dst Port: 1194
Something has happened on the way, and as far as I can see, this must happen in the router - ChatGPT makes some suggestions that seem plausible, but I haven't been able to find any settings on the router (using the omada interface) that match - it lists VPN Passthrough, ALG settings, MTU settings and UDP timeout, as well as QoS as potential things to look at. As I said, I haven't found any settings that would appear to touch on NAT and OpenVPN.
Forget about the GPT recommendations. They don't relate to the issue.
The IPs and ports are not the same. The diagram explains the basic stuff but it does not reflect the IPs and ports.
The router in the diagram is the ER7206?
What's this IP? 80.76.58.95
WAN Interface on the router, screenshot it and what's the IP address of it?
Since you set up the VPN server, have you tested in the LAN that you could make a connection to your server 192.168.50.111? Locally, test the OVPN connectivity.
P.S.
I was messaged by the dev that we did not replicate what you described in our lab environment.
We require the following information:
1. OVPN server and client config for the purpose of reviewing if there is any error.
2. A backup of your router.
Do not upload your backup. Please prepare that and message me back. I will create a ticket for to follow up your case.