
[Openvpn-users] Re-using SSL/TLS context: Bad encapsulated packet length

  • Subject: [Openvpn-users] Re-using SSL/TLS context: Bad encapsulated packet length
  • From: "Johnny Flash" <mopsko@xxxxxxxxx>
  • Date: Wed, 4 Apr 2007 23:56:09 +0200

Hi everybody,

I'm using an OpenVPN server behind a NAT box to connect to my home LAN
when I'm away with my notebook. So far everything works fine. To be
able to connect even when I'm in very restrictive environments (read:
work, internet cafe) I do a forwarding of TCP port 80 to port 1194 from
my NAT router to the VPN server. This works almost as expected. I get
those strange errors every few minutes in the log and I wonder what
they mean:

Wed Apr  4 23:39:21 2007 Re-using SSL/TLS context
Wed Apr  4 23:39:21 2007 LZO compression initialized
Wed Apr  4 23:39:21 2007 TCP connection established with <WAN-IP>:52824
Wed Apr  4 23:39:21 2007 TCPv4_SERVER link local: [undef]
Wed Apr  4 23:39:21 2007 TCPv4_SERVER link remote: <WAN-IP>:52824
Wed Apr  4 23:39:21 2007 <WAN-IP>:52824 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1592 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attemping restart...]
Wed Apr  4 23:39:21 2007 <WAN-IP>:52824 Connection reset, restarting [0]

Rarely, I see the same with remote IPs different from my own <WAN-IP>,
and I first thought this might be search bots trying to connect to a
non-existent web server. Seeing my own <WAN-IP> there puzzles me,
especially because this happens without my ever having tried to connect
to the VPN (e.g. after a restart). Is this normal behaviour and, if so,
what exactly is going on there? Any help would be very much
appreciated. In case it is of any help, here's my server config:

port 1194
proto tcp
dev tap0
ca /etc/openvpn/newvpn/ca.crt
cert /etc/openvpn/newvpn/server.crt
key /etc/openvpn/newvpn/server.key
dh /etc/openvpn/newvpn/dh2048.pem
ifconfig-pool-persist /etc/openvpn/newvpn/ipp.txt
keepalive 10 45
tls-auth /etc/openvpn/newvpn/ta.key 0
cipher AES-128-CBC
max-clients 10
user nobody
group nogroup
status          /var/log/openvpn/openvpn-status.log
log-append      /var/log/openvpn/openvpn.log
verb 1
mute 20

Linux 2.6.15-28-686 #1 SMP PREEMPT Thu Feb 1 16:14:07 UTC 2007 i686 GNU/Linux
OpenVPN 2.0.6 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 10 2006

Please let me know if you need more information, I will gladly post it here :-)
Thanks in advance,

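An added example, not code from the original post or from OpenVPN itself: a small Python parser for OpenVPN's TCP-mode framing, in which every packet is prefixed by a 2-byte big-endian length. Fed a constructed HTTP request, it rejects the frame with the same value as the log above, because 18245 is 0x4745, the ASCII bytes "GE" of "GET"; the 1592 ceiling is taken from the warning text rather than computed from the MTU, and all sample inputs are constructed.

```python
import struct

# Upper bound quoted in the warning from the post; OpenVPN derives it
# from --tun-mtu/--link-mtu, here it is simply taken from the log line.
MAX_ENCAP_LEN = 1592


def read_tcp_frame(stream: bytes, max_len: int = MAX_ENCAP_LEN):
    """Parse one TCP-mode frame: 2-byte big-endian length, then payload.

    Returns (payload, remaining_bytes). Raises ValueError with a message
    modelled on OpenVPN's warning when the length field is implausible.
    """
    if len(stream) < 2:
        raise ValueError("need at least 2 bytes for the length prefix")
    (length,) = struct.unpack("!H", stream[:2])  # network byte order
    if length == 0 or length > max_len:
        raise ValueError(
            f"Bad encapsulated packet length from peer ({length}), "
            f"which must be > 0 and <= {max_len}"
        )
    if len(stream) < 2 + length:
        raise ValueError("incomplete frame: waiting for more bytes")
    return stream[2:2 + length], stream[2 + length:]


def prefix_as_text(length: int) -> str:
    """Render a rejected length as the two raw bytes it came from, as ASCII
    when printable (e.g. 18245 -> 'GE'), otherwise as hex. Useful when
    deciding whether a 'bad length' was really a non-OpenVPN client."""
    raw = struct.pack("!H", length)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return raw.hex()


def diagnose(stream: bytes):
    """Classify a TCP stream prefix as a well-formed frame or a bad length."""
    try:
        payload, _rest = read_tcp_frame(stream)
        return ("ok", len(payload))
    except ValueError as err:
        return ("bad", str(err))


# Constructed sample inputs (not captured traffic): a plain HTTP request,
# as a browser or web scanner would send to port 80, and one valid frame.
HTTP_PROBE = b"GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n"
VALID_FRAME = struct.pack("!H", 14) + b"A" * 14 + b"trailing"

if __name__ == "__main__":
    print(diagnose(HTTP_PROBE), "->", prefix_as_text(18245))
    print(diagnose(VALID_FRAME))
```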