
ovpn-server1 Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627

nick_max

Occasional Visitor
Hi,

I have a recent issue linked to an OpenVPN server installed on an ASUS AC88U router with Merlin firmware 384.7_2.
I have configured this new router from scratch, including the OpenVPN server.

The problem is that my syslog is flooded by hundreds of messages, at a few seconds' interval, like the one below:

Nov 27 13:16:18 ovpn-server1[16255]: TCP connection established with [AF_INET6]::ffff:192.168.1.2:9509
Nov 27 13:16:18 ovpn-server1[16255]: 192.168.1.2 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Nov 27 13:16:18 ovpn-server1[16255]: 192.168.1.2 Connection reset, restarting [0]


And all the above errors are coming from almost all devices from intranet, i.e. laptop, phone, tablet, etc.
I tried to google this issue, but couldn't find anything useful.

This is driving me crazy... Am I missing something?

Thank you for your help.


Nick
 
Hello again,

This is getting ridiculous, my syslog is flooded with messages like this.

Does anyone know why this is happening, please?

 

Which port is your OpenVPN Server listening on? - i.e. clearly port 80/443 would be bad!

Try changing it to an obscure port to see if the message flood stops.
 
Hi Martineau,

Thank you for your reply.

Indeed, my OpenVPN server is listening on 443, but it has to because of the environment I am connecting from (where only 80 and 443 are open to internet).

Thing is I've been using OpenVPN on Asus-Merlin for a while now and up until recently I wasn't getting these messages and everything was fine. I figure either I've made a setting somewhere which triggered this problem, or the recent firmwares changed something in the workings of OpenVPN...
I have no idea...

Cheers
 

Are you using pixel-serv? etc.
 
Running anything on port 443 is sure to be bombarded by connection attempts from spiders, bots and malware.

If your corporate firewall isn't properly tuned in then maybe they have 443/UDP open - give it a try. Port scanners would only hit 443/TCP.

And make sure your corporate IT department isn't going to flip out if they ever discover you are using an outbound VPN connection - they might have corporate reasons to only open these ports. In some companies this might be enough to get you fired if they ever find out, so best to check...

If your remote point has a static IP, then you could probably configure a firewall rule to only allow connections from that IP.
 
Hi Merlin,

Thank you for your reply.

I already checked that 443/UDP is closed. Also, my remote point has a static IP and I've already configured that using iptables (with your help :)).

My problem is that the connections to OpenVPN server come from inside my LAN. Furthermore, I've been seeing this behavior since I updated the firmware to 384.7 or 384.7_2, if I remember correctly.
 
My problem is that the connections to OpenVPN server come from inside my LAN.

Check what's running on that client. Most likely this is a security suite that does LAN port scanning.
 
Check what's running on that client. Most likely this is a security suite that does LAN port scanning.
The connection attempts from LAN come from almost all devices connected to the router: smartphones, laptops.
I was under the impression that OpenVPN listens to connection attempts only on ppp0 interface...
 
You can create a firewall rule to block internal traffic to port 443?
 
The connection attempts from LAN come from almost all devices connected to the router: smartphones, laptops.
I was under the impression that OpenVPN listens to connection attempts only on ppp0 interface...

The log shows them all coming from 192.168.1.2. Check on that device what might be trying to access port 443 of your router.
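A quick way to confirm where the noise is coming from, as an added example that is not part of this thread: tally the "Bad encapsulated packet length" warnings per peer address and tag each address as LAN (RFC 1918) or WAN. It handles the three peer formats seen in the logs above; the sample lines are constructed, and the 203.0.113.7 peer is a made-up WAN address.

```shell
#!/bin/sh
# Added example: count OpenVPN "Bad encapsulated packet length" warnings per peer.
# Peer addresses appear in these shapes in the server log:
#   192.168.1.2 WARNING ...                (bare address)
#   192.168.1.2:65089 WARNING ...          (address:port)
#   [AF_INET]203.0.113.7:40000 WARNING ... (bracketed family, also [AF_INET6]::ffff:)

# Reads syslog lines on stdin, prints "count peer scope", busiest peer first.
ovpn_flood_sources() {
    awk '
    function scope(ip) {
        if (ip ~ /^10\./ || ip ~ /^192\.168\./ || ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
            return "lan"
        return "wan"
    }
    /Bad encapsulated packet length/ {
        sub(/.*ovpn-server[0-9]*\[[0-9]*\]: /, "")   # drop timestamp and daemon tag
        peer = $1                                     # first field is now the peer
        sub(/^\[AF_INET6\]::ffff:/, "", peer)         # IPv4-mapped IPv6 form
        sub(/^\[AF_INET\]/, "", peer)
        sub(/:[0-9]+$/, "", peer)                     # strip the ephemeral port
        n[peer]++
    }
    END { for (p in n) print n[p], p, scope(p) }' | sort -rn
}

# Constructed sample, not a real capture: three warnings from one LAN host, one from WAN.
SAMPLE_LOG='Nov 27 13:16:18 ovpn-server1[16255]: TCP connection established with [AF_INET6]::ffff:192.168.1.2:9509
Nov 27 13:16:18 ovpn-server1[16255]: 192.168.1.2 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- [Attempting restart...]
Jan 14 14:14:59 ovpn-server1[16876]: 192.168.1.2:65089 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- [Attempting restart...]
Jan 14 14:14:59 ovpn-server1[16876]: 192.168.1.2:65089 Connection reset, restarting [0]
Jan 14 14:15:01 ovpn-server1[16876]: 192.168.1.2:65092 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- [Attempting restart...]
Jan 14 14:20:00 ovpn-server1[16876]: [AF_INET]203.0.113.7:40000 WARNING: Bad encapsulated packet length from peer (1000), which must be > 0 and <= 1627 -- [Attempting restart...]'

printf '%s\n' "$SAMPLE_LOG" | ovpn_flood_sources
```

On the router, feed it the live log instead, e.g. `ovpn_flood_sources < /tmp/syslog.log` (the Asuswrt syslog path is assumed here). Any peer tagged "lan" is a device on your own network, not an internet scanner.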
 

In most corp/enterprise networks, running a rogue OpenVPN endpoint is a fast track to a mutual meeting with the IT Folks and Human Resources - HR is there to brief one on post-separation benefits (if any)...
 
Hello again in a new year :)

I am reviving this thread with a question, please:
Is someone able to help me make some iptables rules for my AX88U to block access to the OpenVPN server from intranet and from VPN clients themselves, please?

I'm asking this because my syslog is continuously flooded by unnecessary messages:

Jan 14 14:14:59 ovpn-server1[16876]: 192.168.1.2:65089 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jan 14 14:14:59 ovpn-server1[16876]: 192.168.1.2:65089 Connection reset, restarting [0]
Jan 14 14:14:59 ovpn-server1[16876]: 192.168.1.2:65089 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jan 14 14:15:01 ovpn-server1[16876]: TCP connection established with [AF_INET]192.168.1.2:65092
Jan 14 14:15:01 ovpn-server1[16876]: 192.168.1.2:65092 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jan 14 14:15:01 ovpn-server1[16876]: 192.168.1.2:65092 Connection reset, restarting [0]
Jan 14 14:15:01 ovpn-server1[16876]: 192.168.1.2:65092 SIGUSR1[soft,connection-reset] received, client-instance restarting

Any help is greatly appreciated.

Cheers
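One way to write the rules asked for above, as an added example that is neither from this thread nor from the Asus-Merlin firmware: keep the OpenVPN server's TCP port reachable from the WAN interface only, so LAN hosts and connected VPN clients can never reach it, and optionally from one remote static IP (RMerlin's earlier suggestion). Assumptions: the WAN interface is ppp0 (mentioned in the thread), the port is 443, and the script is saved as /jffs/scripts/firewall-start with JFFS custom scripts enabled.

```shell
#!/bin/sh
# Added example: restrict the OpenVPN server port to the WAN side.
OVPN_PORT=443
WAN_IF=ppp0          # assumed PPPoE WAN interface; use the router's actual WAN interface
REMOTE_IP=""         # placeholder, e.g. 198.51.100.10, to allow only that client; empty = any WAN source

# Print the iptables commands instead of running them, so they can be reviewed
# (and tested) before being applied on the router.
ovpn_port_rules() {
    port=$1; wan_if=$2; remote_ip=$3
    src=""
    if [ -n "$remote_ip" ]; then
        src="-s $remote_ip "
    fi
    # Each pair deletes any earlier copy (-D is harmless when none exists) and
    # re-inserts at the top of INPUT with -I, above the ACCEPT the firmware adds
    # for the server port. DROP is emitted first so the ACCEPT inserted afterwards
    # ends up above it in the chain.
    echo "iptables -D INPUT -p tcp --dport $port -j DROP 2>/dev/null"
    echo "iptables -I INPUT -p tcp --dport $port -j DROP"
    echo "iptables -D INPUT -i $wan_if ${src}-p tcp --dport $port -j ACCEPT 2>/dev/null"
    echo "iptables -I INPUT -i $wan_if ${src}-p tcp --dport $port -j ACCEPT"
}

# Apply on the router: the DROP catches br0 (LAN), the VPN tunnel interface and any
# other source, because only traffic arriving on the WAN interface reaches the ACCEPT.
apply_ovpn_port_rules() {
    ovpn_port_rules "$OVPN_PORT" "$WAN_IF" "$REMOTE_IP" | sh
}

case "${0##*/}" in
    firewall-start) apply_ovpn_port_rules ;;
esac
```

If restarting the VPN server re-inserts the firmware's own rules above these, run the same function from /jffs/scripts/openvpn-event as well. Nothing else on the router may share port 443 for this to be safe; here only the OpenVPN daemon listens there.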
 
Why not just turn it off?
 
