Re: openvpn: "Authenticate/Decrypt packet error: bad packet ID", link-mtu=1472 consequences

From: avemilia <avemilia protonmail com>
To: "networkmanager-list gnome org" <networkmanager-list gnome org>
Subject: Re: openvpn: "Authenticate/Decrypt packet error: bad packet ID", link-mtu=1472 consequences
Date: Wed, 27 Mar 2019 18:56:20 +0000

Sorry, I have assumed that the VPN tunnel is up with this link-mtu setting, but
in reality it is not.

Now I have spotted in the journal:

<warn>  [...] vpn-connection[...]: VPN connection: failed to connect: 'property “link-mtu” invalid or not 
supported'


So, instead I am looking for a working configuration to eliminate the "bad
packet ID" errors.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, March 27, 2019 7:28 PM, avemilia via networkmanager-list <networkmanager-list gnome org> wrote:

Hello list,

openSUSE Tumbleweed (KDE Plasma)
NetworkManager-1.16.0-1.1.x86_64
NetworkManager-openvpn-1.8.10-1.1.x86_64

with this openvpn configuration:

[vpn]
auth=<redacted>
ca=<redacted>
cipher=<redacted>
comp-lzo=adaptive
connection-type=password
float=no
mssfix=no
password-flags=1
port=<redacted>
proto-tcp=no
remote=<redacted>
remote-random=no
tun-ipv6=no
username=<redacted>
service-type=org.freedesktop.NetworkManager.openvpn


I get many

Authenticate/Decrypt packet error: bad packet ID ...


messages in the journal.

I am not a networking expert, so I googled around
(https://hamy.io/post/0003/optimizing-openvpn-throughput/) and added

link-mtu=1472


to the above, and the "bad packet ID" messages were gone (all is tested via
connecting to twitch.tv in a browser).

However, now the journal contains

((src/devices/nm-device.c:11965)): assertion '<dropped>' failed
((src/devices/nm-device.c:1478)): assertion '<dropped>' failed
((src/devices/nm-device.c:11965)): assertion '<dropped>' failed
((src/devices/nm-device.c:1478)): assertion '<dropped>' failed


and the nm kde applet shows a greyed out icon with a red cross.

I feel like the assertions should not fail. I also feel like the applet should
correctly show that the connection is established.

That was one thing (or more like two things). Whether it's a reportable bug(s)
or not is not known to me. Now, about how to fix things right now.

From what I see in the nm GUI configurator if I press 'Advanced' on the openvpn
connection, it has no support for link-mtu. It has support for tun-mtu. It also
doesn't have support for mssfix other than 'yes' or 'no', while the openvpn(8)
says the user can set mssfix to a value.

Maybe I can try some combination of tun-mtu, fragment, boolean-only mssfix and
other things that the GUI configurator can chew, and show me a 'nice' icon?

networkmanager-list mailing list
networkmanager-list gnome org
https://mail.gnome.org/mailman/listinfo/networkmanager-list

References:
- openvpn: "Authenticate/Decrypt packet error: bad packet ID", link-mtu=1472 consequences
  - From: avemilia

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]