I realize this question has been asked on this mailing list countless times; I think the difference here is that I just want to gain a better understanding of what's happening 'under the hood' as I track this problem to its source.
From the logs, I get lots of:

Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #19084 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

In fact, I get so many messages that if unwatched it fills up the disk on my VPS.

Now, connectivity is fine, the tunnel is used for commercial purposes, is quite stable and I can download a Debian iso at around 3mbits/sec. It's just that while I'm downloading happily, my syslog is getting spammed to death with this message.

The server is run by StrongVPN, so settings like fragment, mssfix etc. are provided by them. I have other StrongVPN tunnels that use the same settings with no bad packet messages, so in this case I'm sure the config is fine.

My research into the problem mostly points to 2 places: duplicate packets, often caused by wireless networks, and out-of-order packets. Now from this server I can rule out wireless because it's VPS to VPS. And I don't think the packets are out of order, because I don't get any replay-backtrack messages.

In the meantime, I've moved this connection out of production so I can experiment with configs and tcpdumps. So can anyone suggest where to look next?

Thanks a lot!
My config:

remote <REDACTED>
key-direction 1
client
dev tun0
resolv-retry infinite
nobind
persist-key
persist-tun
;http-proxy-retry
;http-proxy <REDACTED> 80
verb 3
;replay-window 64 20 -- this is from my own experimentation
reneg-sec 86400
echo <REDACTED>
tun-mtu 1500
route-method exe
route-delay 2
;redirect-gateway def1
comp-lzo no
explicit-exit-notify 2
fragment 1390
mssfix 1390
hand-window 30
<ca>
<REDACTED>
</ca>
<key>
<REDACTED>
</key>
<cert>
<REDACTED>
</cert>
<tls-auth>
<REDACTED>
</tls-auth>
route-noexec
script-security 2
up /etc/openvpn/up.sh -- This script just sets up policy routing in Linux because the tunnel is not the default gw
down /etc/openvpn/down.sh
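
An added illustration, not part of the original post and not OpenVPN's own code: a simplified model of a packet-ID sliding window of the kind --replay-window sizes, run over constructed traces to show how duplicates, in-window reordering and late arrivals are told apart. The class, function and verdict names are hypothetical, and the time parameter t of --replay-window is not modelled.

```python
from collections import Counter

class ReplayWindow:
    """Simplified model of a packet-ID sliding window (not OpenVPN source)."""

    def __init__(self, size=64):          # 64 matches the n in "replay-window 64 20"
        self.size = size
        self.highest = 0                  # highest packet ID accepted so far
        self.seen = set()                 # accepted IDs still inside the window

    def check(self, pid):
        floor = self.highest - self.size  # IDs at or below this are outside the window
        if pid > self.highest:            # new high-water mark: slide the window forward
            self.highest = pid
            self.seen = {p for p in self.seen if p > pid - self.size} | {pid}
            return "accept"
        if pid <= floor:
            return "reject-too-old"       # arrived later than the window can track
        if pid in self.seen:
            return "reject-duplicate"     # same ID delivered twice
        self.seen.add(pid)
        return "accept-backtrack"         # out of order, but still inside the window

def classify(stream, size=64):
    """Count verdicts for a sequence of received packet IDs."""
    window = ReplayWindow(size)
    return Counter(window.check(pid) for pid in stream)

# Constructed traces (not captured traffic), packet IDs 1..200.
IN_ORDER = list(range(1, 201))
# Every 10th packet delivered twice, as a duplicating link would.
DUPLICATED = [p for pid in IN_ORDER for p in ([pid, pid] if pid % 10 == 0 else [pid])]
# Adjacent packets swapped: 2, 1, 4, 3, ...
SWAPPED = [p for pid in range(1, 201, 2) for p in (pid + 1, pid)]
# Packet 50 held back until after packet 150.
LATE = [p for p in IN_ORDER if p != 50][:149] + [50] + list(range(151, 201))

if __name__ == "__main__":
    for name, trace in [("in order", IN_ORDER), ("duplicated", DUPLICATED),
                        ("swapped", SWAPPED), ("late", LATE)]:
        print(f"{name:10s} n=64  {dict(classify(trace))}")
    print(f"{'late':10s} n=128 {dict(classify(LATE, size=128))}")
```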