TLS Errors and AEAD Decrypt errors


miknyb

Posts: 11
Joined: Fri Dec 18, 2020 10:55 pm

Post by miknyb » Fri Dec 18, 2020 11:14 pm
When I upgraded my computer with a new motherboard (Asus ROG Z490) and the new Intel I225 chip, I started to get strange errors from Viscosity, and sometimes the VPN tunnels work and sometimes they do not. Sometimes I cannot start the tunnel at all. If I run Hypervisor with an Ubuntu going through the same Ethernet controller, it works like a charm.

The errors from the log are:
==================
dec 18 12:44:18 : AEAD Decrypt error: cipher final failed
dec 18 12:44:18 : TLS Error: Unroutable control packet received from [AF_INET]xx.xx.xx.xx:1194 (si=3 op=P_ACK_V1)
dec 18 12:44:21 : AEAD Decrypt error: cipher final failed
dec 18 12:44:21 : TLS Error: client->client or server->server connection attempted from [AF_INET]xx.xx.xx.xx:1194
dec 18 12:44:22 : AEAD Decrypt error: cipher final failed
dec 18 12:44:22 : TLS Error: local/remote TLS keys are out of sync: [AF_INET]xx.xx.xx.xx:1194 [3]
dec 18 12:53:49 : TLS Error: Unroutable control packet received from [AF_INET]xx.xx.xx.xx:1194 (si=3 op=P_CONTROL_SOFT_RESET_V1)

Client config:
=========
client
dev tun
proto udp
remote server 1194
remote server 1194
remote server 1194
cipher AES-256-CBC
auth SHA256
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 5
key-direction 1
tls-client

<ca>
-----BEGIN CERTIFICATE-----
-----END PRIVATE KEY-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>


Server Config
==========
proto udp
port 1194
dev tun
topology subnet
server xx.xx.xx.xx 255.255.0.0
ifconfig-pool-persist ipp.txt
route xx.xx.xx.xx 255.255.0.0
route xx.xx.xx.xx 255.255.0.0

# Push routes for all clients
push "route xx.xx.xx.xx 255.255.255.0 xx.xx.xx.xx"

ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/server.crt
key /etc/openvpn/pki/private/server.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0
crl-verify /etc/openvpn/pki/crl.pem
cipher AES-256-CBC
auth SHA256
verb 3
client-config-dir /etc/openvpn/server/clients
persist-key
persist-tun
keepalive 10 60
user openvpn
group openvpn
daemon
log-append /var/log/openvpn.log
syslog
explicit-exit-notify 1
management localhost 7504
script-security 2

Client Config on Server:
========================
push "route 172.18.0.0 255.255.0.0"
push "route xx.xx.xx.xx 255.255.255.255"
push "dhcp-option DNS 10.211.1.94"
push "dhcp-option DNS 10.211.1.244"
push "dhcp-option DOMAIN dns-domain-1"
push "dhcp-option DOMAIN dns-domain-2"
push "dhcp-option DOMAIN dns-domain-3"

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Mon Dec 21, 2020 10:59 am
Hi miknyb,

As you have only posted a snippet of your log, I'm afraid we can't provide anything specific; however, I can give you a few general reasons why this might occur.

The error, unintuitively, means essentially that the control packet that was received is an OpenVPN packet, however it does not belong to the connection it was received on. This can mean any of the following in the most common cases:

- If you have multiple VPN connections active, you may have a routing issue which is causing packets to be sent the wrong way
- You have multiple VPN connections active on the same subnet which are causing some cross talk locally
- Your time and date on either the server or local PC is wrong
- You have imported the wrong tls-auth file for the connection
- A disruption in traffic has caused the server to timeout your connection, but the client has not acknowledged it yet due to misconfigured

If this is happening after a reconnect or ping-restart, please try disabling persist-tun and persist-key while troubleshooting.

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
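An added example, not part of the thread and not Viscosity or OpenVPN code: one way to rule out the "wrong tls-auth file" cause from the list above, extended to also compare `proto`, `cipher`, `auth` and the tls-auth key direction between the two configs. The function names are hypothetical, the key body is a constructed placeholder, and the fingerprint check assumes you can read the text of the server's `ta.key`.

```python
import hashlib
import re
MUST_MATCH = ("proto", "cipher", "auth")   # directives both ends must agree on

def parse_config(text):
    """Split an OpenVPN config into {directive: args} and {inline block: lines}."""
    directives, blocks, current = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if current is not None:                    # inside <block> ... </block>
            if line == f"</{current}>":
                current = None
            else:
                blocks[current].append(line)
        elif (m := re.fullmatch(r"<([\w-]+)>", line)):
            current = m.group(1)
            blocks[current] = []
        elif line and line[0] not in "#;":
            name, *args = line.split()
            directives.setdefault(name, args)
    return directives, blocks

def key_fingerprint(lines):
    """SHA-256 of a static key's hex body; comments and BEGIN/END lines are skipped."""
    body = "".join(l.strip().lower() for l in lines
                   if re.fullmatch(r"[0-9a-fA-F]+", l.strip()))
    return hashlib.sha256(body.encode()).hexdigest() if body else None

def direction(directives, blocks):
    """'0' or '1', None for bidirectional, 'absent' when tls-auth is not configured."""
    args = directives.get("tls-auth")
    if args is None and "tls-auth" not in blocks:
        return "absent"
    return ((args or [])[1:] or directives.get("key-direction") or [None])[0]

def compare(client_text, server_text, server_key_text):
    (c, cb), (s, sb) = parse_config(client_text), parse_config(server_text)
    findings = [f"{n}: client={c.get(n)} server={s.get(n)}"
                for n in MUST_MATCH if c.get(n) != s.get(n)]
    cd, sd = direction(c, cb), direction(s, sb)
    # Valid: unused on both sides, bidirectional on both, or one side 0 and the other 1.
    if not (cd == sd == "absent" or {cd, sd} in ({"0", "1"}, {None})):
        findings.append(f"tls-auth direction: client={cd} server={sd}")
    client_fp = key_fingerprint(cb.get("tls-auth", []))
    if client_fp and client_fp != key_fingerprint(server_key_text.splitlines()):
        findings.append("tls-auth static key differs from the server's key file")
    return findings

# Constructed sample: settings as posted in the thread, with a made-up key body.
KEY = "-----BEGIN OpenVPN Static key V1-----\n0123abcd\n-----END OpenVPN Static key V1-----"
CLIENT = f"proto udp\ncipher AES-256-CBC\nauth SHA256\nkey-direction 1\n<tls-auth>\n{KEY}\n</tls-auth>"
SERVER = "proto udp\ncipher AES-256-CBC\nauth SHA256\ntls-auth /etc/openvpn/keys/ta.key 0"
```

For the settings posted in the thread, `compare(CLIENT, SERVER, KEY)` returns an empty list, so the checked directives and the 0/1 key direction line up; only the key contents, redacted in the post, remain to be compared.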

miknyb

Posts: 11
Joined: Fri Dec 18, 2020 10:55 pm

Post by miknyb » Thu Jan 07, 2021 8:11 pm
Hi

I will attach a complete log here.
In this log, I get a connection, but when I start using the connection, everything takes a very long time.
For example when I access a resource with chrome browser, it can take up to 5 minutes before I even see that it starts loading content, and even then the content is from time to time mangled.

Sometimes it works, and sometimes it does not, and sometimes I do not get a connection at all.

I do not have any other VPN running on my computer.
If I start up an OpenVPN connection on my PC I get the same errors.
If I start up an OpenVPN connection in a Hyper-V Ubuntu inside my PC, it WORKS.

Strange.

/Regards
Mikael
Attachments
000int-miknyb (Cray-4) Log.txt
(74.76 KiB) Downloaded 487 times

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Fri Jan 08, 2021 11:00 am
Hi Mikael,

Could you please post a copy of your route table and ipconfig -all after connecting as well?

To do this, open a command prompt and type in the following commands one after another:
route print
ipconfig -all

Regards,
Eric

miknyb

Posts: 11
Joined: Fri Dec 18, 2020 10:55 pm

Post by miknyb » Fri Jan 08, 2021 7:18 pm
Windows IP Configuration

Host Name . . . . . . . . . . . . : Cray-4
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : bahnhof.se
vpn.entiros.io
private.entiros.io
idm.entiros.io

Unknown adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect
Physical Address. . . . . . . . . : 00-FF-0C-A1-4F-9E
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : bahnhof.se
Description . . . . . . . . . . . : Intel(R) Ethernet Controller (2) I225-V
Physical Address. . . . . . . . . : 3C-7C-3F-D4-C1-56
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.242(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Lease Obtained. . . . . . . . . . : den 8 januari 2021 09:13:40
Lease Expires . . . . . . . . . . : den 9 januari 2021 09:17:10
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 127.56.49.53
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter 000int-miknyb (Cray-4):

Connection-specific DNS Suffix . : vpn.entiros.io
Description . . . . . . . . . . . : Viscosity Virtual Adapter V9.1
Physical Address. . . . . . . . . : 00-FF-D1-E8-E2-55
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.234.0.11(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : den 8 januari 2021 09:17:13
Lease Expires . . . . . . . . . . : den 8 januari 2022 09:17:12
Default Gateway . . . . . . . . . : 10.234.0.1
DHCP Server . . . . . . . . . . . : 10.234.0.254
DNS Servers . . . . . . . . . . . : 127.56.49.53
NetBIOS over Tcpip. . . . . . . . : Enabled
Connection-specific DNS Suffix Search List :
vpn.entiros.io
private.entiros.io
idm.entiros.io

Ethernet adapter Npcap Loopback Adapter:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Npcap Loopback Adapter
Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::e5d3:11af:5af4:92c9%6(Preferred)
Autoconfiguration IPv4 Address. . : 169.254.146.201(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 805437516
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-27-55-5D-85-3C-7C-3F-D4-C1-56
DNS Servers . . . . . . . . . . . : fd53:7061:726b:4c61:6273:5669:7344:4e53
127.56.49.53
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter vEthernet (Internet):

Connection-specific DNS Suffix . : bahnhof.se
Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
Physical Address. . . . . . . . . : 3C-7C-3F-D4-C1-56
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::f9ac:6384:88e6:9442%24(Preferred)
Autoconfiguration IPv4 Address. . : 169.254.148.66(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 305953855
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-27-55-5D-85-3C-7C-3F-D4-C1-56
DNS Servers . . . . . . . . . . . : fd53:7061:726b:4c61:6273:5669:7344:4e53
127.56.49.53
NetBIOS over Tcpip. . . . . . . . : Enabled
Connection-specific DNS Suffix Search List :
bahnhof.se

Ethernet adapter vEthernet (Default Switch):

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
Physical Address. . . . . . . . . : 00-15-5D-40-3F-A5
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::b838:6e5d:3235:9cf2%25(Preferred)
IPv4 Address. . . . . . . . . . . : 172.18.137.225(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 419435869
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-27-55-5D-85-3C-7C-3F-D4-C1-56
DNS Servers . . . . . . . . . . . : fd53:7061:726b:4c61:6273:5669:7344:4e53
127.56.49.53
NetBIOS over Tcpip. . . . . . . . : Enabled

miknyb

Posts: 11
Joined: Fri Dec 18, 2020 10:55 pm

Post by miknyb » Fri Jan 08, 2021 7:18 pm
===========================================================================
Interface List
3...00 ff 0c a1 4f 9e ......TAP-Windows Adapter V9 for OpenVPN Connect
5...3c 7c 3f d4 c1 56 ......Intel(R) Ethernet Controller (2) I225-V
22...00 ff d1 e8 e2 55 ......Viscosity Virtual Adapter V9.1
6...02 00 4c 4f 4f 50 ......Npcap Loopback Adapter
24...3c 7c 3f d4 c1 56 ......Hyper-V Virtual Ethernet Adapter #2
1...........................Software Loopback Interface 1
25...00 15 5d 40 3f a5 ......Hyper-V Virtual Ethernet Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.242 25
0.0.0.0 0.0.0.0 10.234.0.1 10.234.0.11 1024
10.211.0.0 255.255.0.0 10.234.0.1 10.234.0.11 50
10.212.0.0 255.255.0.0 10.234.0.1 10.234.0.11 50
10.230.0.0 255.255.255.0 10.234.0.1 10.234.0.11 50
10.232.0.0 255.255.0.0 10.234.0.1 10.234.0.11 50
10.234.0.0 255.255.0.0 10.234.0.1 10.234.0.11 50
10.234.0.0 255.255.255.0 On-link 10.234.0.11 281
10.234.0.11 255.255.255.255 On-link 10.234.0.11 281
10.234.0.255 255.255.255.255 On-link 10.234.0.11 281
10.240.0.0 255.255.0.0 10.234.0.1 10.234.0.11 50
10.250.0.0 255.255.0.0 10.234.0.1 10.234.0.11 50
34.253.189.17 255.255.255.255 10.234.0.1 10.234.0.11 50
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.56.49.53 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
169.254.0.0 255.255.0.0 On-link 169.254.146.201 281
169.254.0.0 255.255.0.0 On-link 169.254.148.66 281
169.254.146.201 255.255.255.255 On-link 169.254.146.201 281
169.254.148.66 255.255.255.255 On-link 169.254.148.66 281
169.254.255.255 255.255.255.255 On-link 169.254.146.201 281
169.254.255.255 255.255.255.255 On-link 169.254.148.66 281
172.18.0.0 255.255.0.0 10.234.0.1 10.234.0.11 50
172.18.137.224 255.255.255.240 On-link 172.18.137.225 5256
172.18.137.225 255.255.255.255 On-link 172.18.137.225 5256
172.18.137.239 255.255.255.255 On-link 172.18.137.225 5256
192.168.0.0 255.255.0.0 On-link 192.168.1.242 281
192.168.1.242 255.255.255.255 On-link 192.168.1.242 281
192.168.255.255 255.255.255.255 On-link 192.168.1.242 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 169.254.148.66 281
224.0.0.0 240.0.0.0 On-link 169.254.146.201 281
224.0.0.0 240.0.0.0 On-link 192.168.1.242 281
224.0.0.0 240.0.0.0 On-link 10.234.0.11 281
224.0.0.0 240.0.0.0 On-link 172.18.137.225 5256
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 169.254.148.66 281
255.255.255.255 255.255.255.255 On-link 169.254.146.201 281
255.255.255.255 255.255.255.255 On-link 192.168.1.242 281
255.255.255.255 255.255.255.255 On-link 10.234.0.11 281
255.255.255.255 255.255.255.255 On-link 172.18.137.225 5256
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
1 331 fd53:7061:726b:4c61:6273:5669:7344:4e53/128
On-link
24 281 fe80::/64 On-link
6 281 fe80::/64 On-link
25 5256 fe80::/64 On-link
25 5256 fe80::b838:6e5d:3235:9cf2/128
On-link
6 281 fe80::e5d3:11af:5af4:92c9/128
On-link
24 281 fe80::f9ac:6384:88e6:9442/128
On-link
1 331 ff00::/8 On-link
24 281 ff00::/8 On-link
6 281 ff00::/8 On-link
25 5256 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
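An added example, not part of the thread: a way to check a `route print` dump for the "packets sent the wrong way" cause mentioned earlier, by applying longest-prefix-then-metric selection and listing subnets that overlap across different interfaces. The rows in `ROUTE_PRINT` are copied from the route table in the post above; the function names are hypothetical.

```python
import ipaddress
import re

ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)"
                 r"\s+(\d+(?:\.\d+){3})\s+(\d+)\s*$")

def parse_routes(text):
    """Parse IPv4 'Active Routes' rows: destination, netmask, gateway, interface, metric."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append({"net": net, "gateway": gateway,
                           "iface": iface, "metric": int(metric)})
    return routes

def select_route(routes, address):
    """Longest matching prefix wins; the lowest metric breaks ties."""
    ip = ipaddress.ip_address(address)
    matches = [r for r in routes if ip in r["net"]]
    return min(matches, key=lambda r: (-r["net"].prefixlen, r["metric"]), default=None)

def cross_interface_overlaps(routes):
    """Non-default subnets that overlap while being bound to different interfaces."""
    found = []
    for i, a in enumerate(routes):
        for b in routes[i + 1:]:
            if (a["iface"] != b["iface"] and a["net"].prefixlen
                    and b["net"].prefixlen and a["net"].overlaps(b["net"])):
                found.append((str(a["net"]), a["iface"], str(b["net"]), b["iface"]))
    return found

# Rows copied from the route table posted above (a subset).
ROUTE_PRINT = """
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.242 25
0.0.0.0 0.0.0.0 10.234.0.1 10.234.0.11 1024
10.234.0.0 255.255.0.0 10.234.0.1 10.234.0.11 50
10.234.0.0 255.255.255.0 On-link 10.234.0.11 281
172.18.0.0 255.255.0.0 10.234.0.1 10.234.0.11 50
172.18.137.224 255.255.255.240 On-link 172.18.137.225 5256
192.168.0.0 255.255.0.0 On-link 192.168.1.242 281
34.253.189.17 255.255.255.255 10.234.0.1 10.234.0.11 50
"""
```

On these rows the only cross-interface overlap is the pushed `172.18.0.0/16` route on the VPN adapter against the `172.18.137.224/28` subnet of the Hyper-V Default Switch: addresses inside the /28 stay on the Hyper-V adapter, while the rest of the /16 goes through the tunnel.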

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Fri Jan 08, 2021 7:36 pm
Hi Mikael,

Two things stick out:

1. Npcap is known to interfere with VPN connections if not configured correctly. Please try uninstalling it, cold booting your PC, and seeing if the problem persists.

2. One of your vEthernet switches appears to be misconfigured. What is interesting is when Viscosity first connects it is not picking it up, however the interface is switching states post connect at some point because Viscosity does pick it up as another DNS route, however it doesn't flow any traffic. It's very possible this misconfigured vEthernet switch is causing issues here, please try removing this and see if it helps if removing Npcap does not.

Regards,
Eric

miknyb

Posts: 11
Joined: Fri Dec 18, 2020 10:55 pm

Post by miknyb » Fri Jan 08, 2021 8:18 pm
The 2 vEthernet switches are created from my Hyper-V environment, and all internet connections from that env. are working like a charm. The connection that is named (Internet) is the one running OpenVPN from an Ubuntu instance and the other (default) is the default created one from Hyper-V.

I do not think that Viscosity is using those adapters as I have configured Viscosity to use single network adapter for all connections.

I could not remove the nPcap adapter. Don't know why?

miknyb

Posts: 11
Joined: Fri Dec 18, 2020 10:55 pm

Post by miknyb » Tue Jan 12, 2021 2:52 am
I have removed the nPcap device and disabled all other devices too, but I have the same error as before.

Can it have something to do with the problem Intel has with its Intel Network I225 chip as described here: https://community.intel.com/t5/Ethernet ... -p/1189493

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Tue Jan 12, 2021 9:55 am
Hi Mikael,

It is possible, though unlikely. It is more likely to be one of the issues mentioned in my original reply.

Regards,
Eric