haugene / docker-transmission-openvpn

Docker container running Transmission torrent client with WebUI over an OpenVPN tunnel
GNU General Public License v3.0

many AEAD Decrypt error bad packet ID errors #574

Closed ilovett closed 5 years ago

ilovett commented 6 years ago

All of a sudden I've started to get many of the following errors for about 10 minutes and then the service crashes and stops responding:

Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22239 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22240 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22241 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22242 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22245 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22248 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22249 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22251 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22255 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22258 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22259 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22264 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22266 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22270 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22286 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22335 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22346 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22349 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22362 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22373 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22374 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22375 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22386 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22387 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22433 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22437 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

Nothing changed on my end at all except rebooting my pi. It was working great before and now I can't get this error to go away.
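A small triage script, added here and not part of this issue or the project: it parses OpenVPN 2.4 "bad packet ID" warnings like the ones above into (timestamp, packet ID) pairs and reports whether rejected IDs repeat, how many IDs inside the rejected range were skipped, and the peak rate per second. OpenVPN only logs the IDs it rejected, so the same ID rejected more than once means the same datagram arrived twice, while a burst of distinct, climbing IDs means late packets fell behind the receiver's replay window (the reordering/fragmentation symptom this thread ends up chasing). The sample log is constructed from the format quoted above and the burst threshold in `assess` is an arbitrary choice for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the OpenVPN 2.4 warning format quoted in the issue
# (the repeated "-- see the man page entry ..." tail is shortened; the parser ignores it).
SAMPLE_LOG = """\
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22239 ] -- see the man page entry for --no-replay and --replay-window
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22240 ] -- see the man page entry for --no-replay and --replay-window
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22241 ] -- see the man page entry for --no-replay and --replay-window
Wed Aug  8 22:17:35 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22245 ] -- see the man page entry for --no-replay and --replay-window
Wed Aug  8 22:17:36 2018 OPTIONS IMPORT: timers and/or timeouts modified
Wed Aug  8 22:17:36 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22248 ] -- see the man page entry for --no-replay and --replay-window
Wed Aug  8 22:17:36 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22248 ] -- see the man page entry for --no-replay and --replay-window
Wed Aug  8 22:17:36 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #22251 ] -- see the man page entry for --no-replay and --replay-window
"""

# Timestamp as OpenVPN prints it ("Wed Aug  8 22:17:35 2018", day padded with a space),
# followed by the fixed warning text and the rejected packet ID.
WARNING_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"AEAD Decrypt error: bad packet ID \(may be a replay\): \[ #(?P<pid>\d+) \]"
)


def parse_replay_warnings(text):
    """Extract (timestamp, packet_id) from every bad-packet-ID warning; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = WARNING_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            events.append((ts, int(m.group("pid"))))
    return events


def summarize(events):
    """Characterise a run of rejections (see the lead-in for how to read each field)."""
    ids = [pid for _, pid in events]
    seen, repeated = set(), 0
    for pid in ids:
        if pid in seen:
            repeated += 1          # same packet ID rejected again: the datagram arrived more than once
        seen.add(pid)
    distinct = sorted(seen)
    skipped = (distinct[-1] - distinct[0] + 1 - len(distinct)) if distinct else 0
    per_second = Counter(ts for ts, _ in events)
    return {
        "warnings": len(ids),
        "repeated_ids": repeated,
        "skipped_ids": skipped,           # IDs inside the rejected range that never appeared in the log
        "peak_per_second": max(per_second.values(), default=0),
        "monotonic": ids == sorted(ids),  # rejected IDs only ever climb
    }


def assess(summary, burst_threshold=10):
    """Turn the summary into a one-line verdict; the threshold is an arbitrary choice for this example."""
    if summary["warnings"] == 0:
        return "clean"
    if summary["repeated_ids"] and not summary["monotonic"]:
        return "repeated out-of-order IDs: treat as a possible replay rather than a tuning problem"
    if summary["peak_per_second"] >= burst_threshold:
        return "burst of climbing rejections: check path MTU / mssfix before muting the warning"
    return "sporadic rejections: ordinary UDP reordering, safe to watch"


if __name__ == "__main__":
    s = summarize(parse_replay_warnings(SAMPLE_LOG))
    print(s)
    print(assess(s))
```

Feed it a real log with `summarize(parse_replay_warnings(open("openvpn.log").read()))`; the point of keeping `skipped_ids` and `monotonic` separate is that a tunnel with an MTU problem shows many skipped IDs and a monotonic sequence, which is what the burst in this issue looks like, whereas muting the warning with `--mute-replay-warnings` hides both cases alike.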

ilovett commented 6 years ago

Here is startup log with some info redacted

Using OpenVPN provider: NORDVPN
Starting OpenVPN using config XXX
Setting OPENVPN credentials...
adding route to local network 192.168.1.0/24 via 172.17.0.1 dev eth0
Wed Aug  8 22:16:54 2018 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Wed Aug  8 22:16:54 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Wed Aug  8 22:16:54 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Aug  8 22:16:54 2018 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Aug  8 22:16:54 2018 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Aug  8 22:16:54 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]185.153.179.35:1194
Wed Aug  8 22:16:54 2018 Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Aug  8 22:16:54 2018 UDP link local: (not bound)
Wed Aug  8 22:16:54 2018 UDP link remote: [AF_INET]185.153.179.35:1194
Wed Aug  8 22:16:54 2018 TLS: Initial packet from [AF_INET]185.153.179.35:1194, sid=e8a95e34 78fe7064
Wed Aug  8 22:16:54 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Aug  8 22:16:54 2018 VERIFY OK: depth=1, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=XXX.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
Wed Aug  8 22:16:54 2018 Validating certificate key usage
Wed Aug  8 22:16:54 2018 ++ Certificate has key usage  00a0, expects 00a0
Wed Aug  8 22:16:54 2018 VERIFY KU OK
Wed Aug  8 22:16:54 2018 Validating certificate extended key usage
Wed Aug  8 22:16:54 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Aug  8 22:16:54 2018 VERIFY EKU OK
Wed Aug  8 22:16:54 2018 VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=XXX.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
Wed Aug  8 22:16:54 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Aug  8 22:16:54 2018 [XXX.nordvpn.com] Peer Connection Initiated with [AF_INET]185.153.179.35:1194
Wed Aug  8 22:16:55 2018 SENT CONTROL [XXX.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Wed Aug  8 22:16:55 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8.246 255.255.255.0,peer-id 26,cipher AES-256-GCM'
Wed Aug  8 22:16:55 2018 OPTIONS IMPORT: timers and/or timeouts modified
Wed Aug  8 22:16:55 2018 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Wed Aug  8 22:16:55 2018 Socket Buffers: R=[163840->327680] S=[163840->327680]
Wed Aug  8 22:16:55 2018 OPTIONS IMPORT: --ifconfig/up options modified
Wed Aug  8 22:16:55 2018 OPTIONS IMPORT: route options modified
Wed Aug  8 22:16:55 2018 OPTIONS IMPORT: route-related options modified
Wed Aug  8 22:16:55 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Aug  8 22:16:55 2018 OPTIONS IMPORT: peer-id set
Wed Aug  8 22:16:55 2018 OPTIONS IMPORT: adjusting link_mtu to 1657
Wed Aug  8 22:16:55 2018 OPTIONS IMPORT: data channel crypto options modified
Wed Aug  8 22:16:55 2018 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Aug  8 22:16:55 2018 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Aug  8 22:16:55 2018 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:02
Wed Aug  8 22:16:55 2018 TUN/TAP device tun0 opened
Wed Aug  8 22:16:55 2018 TUN/TAP TX queue length set to 100
Wed Aug  8 22:16:55 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Aug  8 22:16:55 2018 /sbin/ip link set dev tun0 up mtu 1500
Wed Aug  8 22:16:55 2018 /sbin/ip addr add dev tun0 10.8.8.246/24 broadcast 10.8.8.255
Wed Aug  8 22:16:55 2018 /etc/openvpn/tunnelUp.sh tun0 1500 1585 10.8.8.246 255.255.255.0 init
Up script executed with tun0 1500 1585 10.8.8.246 255.255.255.0 init
Updating TRANSMISSION_BIND_ADDRESS_IPV4 to the ip of tun0 : 10.8.8.246
Generating transmission settings.json from env variables
sed'ing True to true

-------------------------------------
Transmission will run as
-------------------------------------
User name:   root
User uid:    0
User gid:    0
-------------------------------------

STARTING TRANSMISSION
NO PORT UPDATER FOR THIS PROVIDER
Transmission startup script complete.

niXta1 commented 6 years ago

Try with another VPN server.

dcrdev commented 6 years ago

I've also started getting these - also with nordvpn

mbach04 commented 6 years ago

Having same issue with Nordvpn as well. Also, the crash appears to be memory related. The container memory usage just steadily grows until there's nothing more available at which time it crashes.

haugene commented 6 years ago

Linking to #257 for future reference. Anyone had luck with changing MTU size? This warning should probably have a section in the README as it is a recurring issue. Then it would be nice to have a recommended MTU size, and the mute-replay-warnings option as proposed solutions?

On a sidenote, the README is getting very large. #362 is up for grabs ;)

niXta1 commented 6 years ago

NordVPN running fine here... I do get AEAD messages though.

dcrdev commented 6 years ago

Yeah it's working for me too, I'm just getting these messages spamming the journal.

niXta1 commented 6 years ago

--mssfix 1475 seems to have fixed the spam in the log for me...

PlqnK commented 6 years ago

> Anyone had luck with changing MTU size?

As I said in #257 yes I've fixed the problem by playing with the mssfix value.

> Then it would be nice to have a recommended MTU size, and the mute-replay-warnings option as proposed solutions?

I agree, I'm pretty sure any value below 1500 will fix the problem but I will need to do some testing first to be sure and I don't really have the time for now :-/

ilovett commented 6 years ago

I tried a few --mssfix values with no luck -- but not sure I tried 1475.

For now I've just switched to TCP

ilovett commented 6 years ago

Does mounting /etc/localtime work as expected for armhf?

rrd911 commented 6 years ago

I did some tests on my instance and the MTU 1390 seems to work for PureVPN

Tests performed from within the transmission-openvpn docker instance to get to 1390 MTU

ping -M do -s "mtu# less than 1500" -c 1 yahoo.com

ping yahoo.com

PING yahoo.com (98.138.219.232) 56(84) bytes of data.
64 bytes from media-router-fp2.prod1.media.vip.ne1.yahoo.com (98.138.219.232): icmp_seq=1 ttl=51 time=277 ms
64 bytes from media-router-fp2.prod1.media.vip.ne1.yahoo.com (98.138.219.232): icmp_seq=2 ttl=51 time=273 ms
^C
--- yahoo.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 273.655/275.817/277.980/2.225 ms

ping -M do -s 1440 -c 1 yahoo.com

PING yahoo.com (98.137.246.8) 1440(1468) bytes of data.

--- yahoo.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

ping -M do -s 1470 -c 1 yahoo.com

PING yahoo.com (98.138.219.231) 1470(1498) bytes of data.

--- yahoo.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

ping -M do -s 1460 -c 1 yahoo.com

PING yahoo.com (72.30.35.10) 1460(1488) bytes of data.

--- yahoo.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

ping -M do -s 1410 -c 1 yahoo.com

PING yahoo.com (72.30.35.10) 1410(1438) bytes of data.

--- yahoo.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

ping -M do -s 1400 -c 1 yahoo.com

PING yahoo.com (98.138.219.231) 1400(1428) bytes of data.

--- yahoo.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

ip link

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq state UNKNOWN mode DEFAULT group default qlen 100
    link/none
964: eth0@if965: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 02:42:ac:12:00:0e brd ff:ff:ff:ff:ff:ff link-netnsid 0

ping -M do -s 1360 -c 1 yahoo.com

PING yahoo.com (72.30.35.9) 1360(1388) bytes of data.
1368 bytes from media-router-fp1.prod1.media.vip.bf1.yahoo.com (72.30.35.9): icmp_seq=1 ttl=52 time=255 ms

--- yahoo.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 255.104/255.104/255.104/0.000 ms

ping -M do -s 1370 -c 1 yahoo.com

PING yahoo.com (72.30.35.9) 1370(1398) bytes of data.
1378 bytes from media-router-fp1.prod1.media.vip.bf1.yahoo.com (72.30.35.9): icmp_seq=1 ttl=52 time=269 ms

--- yahoo.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 269.745/269.745/269.745/0.000 ms

ping -M do -s 1380 -c 1 yahoo.com

PING yahoo.com (98.138.219.232) 1380(1408) bytes of data.
1388 bytes from media-router-fp2.prod1.media.vip.ne1.yahoo.com (98.138.219.232): icmp_seq=1 ttl=51 time=287 ms

--- yahoo.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 287.594/287.594/287.594/0.000 ms

ping -M do -s 1390 -c 1 yahoo.com

PING yahoo.com (98.138.219.231) 1390(1418) bytes of data.
1398 bytes from media-router-fp1.prod1.media.vip.ne1.yahoo.com (98.138.219.231): icmp_seq=1 ttl=51 time=284 ms

--- yahoo.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 284.787/284.787/284.787/0.000 ms

ping -M do -s 1396 -c 1 yahoo.com

PING yahoo.com (98.138.219.231) 1396(1424) bytes of data.

--- yahoo.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

ping -M do -s 1392 -c 1 yahoo.com

PING yahoo.com (98.137.246.7) 1392(1420) bytes of data.

--- yahoo.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

ping -M do -s 1391 -c 1 yahoo.com

PING yahoo.com (72.30.35.10) 1391(1419) bytes of data.

--- yahoo.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

ping -M do -s 1390 -c 1 yahoo.com

PING yahoo.com (98.137.246.7) 1390(1418) bytes of data.
1398 bytes from media-router-fp1.prod1.media.vip.gq1.yahoo.com (98.137.246.7): icmp_seq=1 ttl=50 time=319 ms

--- yahoo.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 319.547/319.547/319.547/0.000 ms
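The manual sweep above (and the `--mssfix` trial and error earlier in the thread) is a search for the largest don't-fragment ping that still gets through the tunnel. The script below is an added example, not rrd911's commands or the project's code: it automates the same `ping -M do -s <size> -c 1` probe with a binary search, so the 1390 answer takes about a dozen probes instead of a hand-picked sequence. `ping` prints sizes as `payload(payload+28)`, so the script also reports the IP-level path MTU inside the tunnel (1418 for a 1390-byte payload); it does not derive an `--mssfix` value, which the thread settles empirically (1452 for NordVPN, 1475 earlier). The `probe` callable is injectable so the search can be exercised without network access; the fake probe in the test imitates rrd911's PureVPN results.

```python
import subprocess
import sys
from typing import Callable

# ping reports sizes as payload(payload+28): a 20-byte IPv4 header plus an 8-byte ICMP header.
IPV4_ICMP_OVERHEAD = 28


def ping_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """One don't-fragment ping (ping -M do) with the given payload; True only if a reply arrived.

    Same command as in the thread; -W bounds how long a dropped probe stalls the search.
    iputils ping exits 0 when at least one reply was received.
    """
    cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1", "-W", str(timeout_s), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Largest payload that gets a reply, by binary search between lo (must pass) and hi.

    Assumes the path is monotonic: if size N passes, every smaller size passes too.
    hi=1472 is the largest payload that fits a 1500-byte interface MTU (1472 + 28).
    """
    if not probe(lo):
        raise RuntimeError("baseline probe failed: host unreachable or ICMP blocked")
    if probe(hi):
        return hi
    # Invariant from here on: probe(lo) passed and probe(hi) failed.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def discover_path_mtu(probe: Callable[[int], bool]) -> dict:
    """Run the search and translate the winning payload into the tunnel's IP path MTU."""
    payload = find_max_payload(probe)
    return {"max_payload": payload, "path_mtu": payload + IPV4_ICMP_OVERHEAD}


if __name__ == "__main__":
    # Run inside the container, e.g. `python3 probe_mtu.py yahoo.com` (hypothetical file name).
    host = sys.argv[1] if len(sys.argv) > 1 else "yahoo.com"
    print(discover_path_mtu(lambda size: ping_probe(host, size)))
```

On a lossy link a single lost probe reads as "too big" and pulls the answer down; raising `-c` (ping still exits 0 if any reply arrives) or re-running the search and taking the maximum guards against that.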

ilovett commented 5 years ago

After some time with this issue I've noticed that docker doesn't map all protocols when mapping ports... by default, it only maps TCP... I've now mapped both TCP & UDP, and also ensured my router forwards BOTH TCP & UDP on 9091...

docker run -d \
  ...
  -p 9091:9091/tcp \
  -p 9091:9091/udp \

This appears to have been the issue on my end!

niXta1 commented 5 years ago

After some more testing: --mssfix 1452 is optimal for NordVPN.