netware5
Very Senior Member
Hello again in a new year
I am reviving this thread with a question, please:
Is someone able to help me make some iptables rules for my AX88U to block access to the OpenVPN server from the intranet and from the VPN clients themselves, please?
I'm asking this because my syslog is continuously flooded by unnecessary messages:
Jan 14 14:14:59 ovpn-server1[16876]: 192.168.1.2:65089 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jan 14 14:14:59 ovpn-server1[16876]: 192.168.1.2:65089 Connection reset, restarting [0]
Jan 14 14:14:59 ovpn-server1[16876]: 192.168.1.2:65089 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jan 14 14:15:01 ovpn-server1[16876]: TCP connection established with [AF_INET]192.168.1.2:65092
Jan 14 14:15:01 ovpn-server1[16876]: 192.168.1.2:65092 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jan 14 14:15:01 ovpn-server1[16876]: 192.168.1.2:65092 Connection reset, restarting [0]
Jan 14 14:15:01 ovpn-server1[16876]: 192.168.1.2:65092 SIGUSR1[soft,connection-reset] received, client-instance restarting
Any help is greatly appreciated.
Cheers
This is not normal - I have been using an OpenVPN server listening on TCP port 443 on my router since 2013. These messages appear frequently in syslog, but from external IP addresses. This is the price we pay to run an OpenVPN server on TCP port 443.
But continuous connection attempts from internal devices are not normal. You should check what is wrong device by device, i.e. WHY a particular LAN device wants to connect to TCP port 443 on the router. You may have a malware-infected device in your network. A possible scenario is malware expecting that TCP port 443 is the router's admin interface, which then probes to connect to it by spoofing source IP addresses of the whole LAN 192.168.1.2/24. The other possibility is that all your LAN devices are infected by the same malware. The third possibility is that you have specific antivirus software installed on one of your LAN devices - I have some memory that somebody reported this here in the forums some years ago, so do search the forum for similar cases.
You may also wish to check whether the messages' appearance is tied to the physical presence and on/off state of each particular LAN device, i.e. whether switching off a particular device leads to the disappearance of the messages from its IP address, or whether all 255 IPs are present constantly, which means IP spoofing is taking place.
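Added example, not code from this thread: a small Python script that tallies the "Bad encapsulated packet length" warnings per source IP and splits LAN sources from external ones, which is the device-by-device check the reply suggests. The embedded log lines are constructed in the same format as the ones quoted above, and the LAN subnet 192.168.1.0/24 is an assumption.

```python
import ipaddress
import re
import sys
from collections import Counter

# Warning text in the format quoted in the thread; the packet length varies.
WARN = ("WARNING: Bad encapsulated packet length from peer ({n}), which must be > 0 and <= 1627 "
        "-- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition "
        "could also indicate a possible active attack on the TCP link -- [Attempting restart...]")

# Constructed sample: two LAN hosts and one external host hitting the server.
SAMPLE_LOG = "\n".join([
    f"Jan 14 14:14:59 ovpn-server1[16876]: 192.168.1.2:65089 {WARN.format(n=5635)}",
    "Jan 14 14:14:59 ovpn-server1[16876]: 192.168.1.2:65089 Connection reset, restarting [0]",
    "Jan 14 14:15:01 ovpn-server1[16876]: TCP connection established with [AF_INET]192.168.1.2:65092",
    f"Jan 14 14:15:01 ovpn-server1[16876]: 192.168.1.2:65092 {WARN.format(n=5635)}",
    "Jan 14 14:15:03 ovpn-server1[16876]: TCP connection established with [AF_INET]192.168.1.7:51001",
    f"Jan 14 14:15:03 ovpn-server1[16876]: 192.168.1.7:51001 {WARN.format(n=5635)}",
    "Jan 14 14:15:05 ovpn-server1[16876]: TCP connection established with [AF_INET]203.0.113.9:44321",
    f"Jan 14 14:15:05 ovpn-server1[16876]: 203.0.113.9:44321 {WARN.format(n=17746)}",
])

# Source IP sits between the process tag and the warning text.
WARN_RE = re.compile(r"ovpn-server\d+\[\d+\]: (\d+\.\d+\.\d+\.\d+):\d+ WARNING: Bad encapsulated packet length")


def bad_length_sources(log_text, lan_cidr="192.168.1.0/24"):
    """Return (lan_counts, external_counts): warnings per source IP, split by
    whether the source address lies inside the assumed LAN subnet."""
    lan = ipaddress.ip_network(lan_cidr)
    lan_counts, ext_counts = Counter(), Counter()
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        (lan_counts if ip in lan else ext_counts)[str(ip)] += 1
    return lan_counts, ext_counts


def lan_spread(lan_counts, lan_cidr="192.168.1.0/24"):
    """Fraction of usable LAN addresses seen as a source: near 0 points at one
    or a few specific devices, near 1 means nearly the whole subnet is 'talking',
    which fits the source-spoofing scenario described in the reply."""
    usable = ipaddress.ip_network(lan_cidr).num_addresses - 2
    return len(lan_counts) / usable


if __name__ == "__main__":
    # Pass a syslog path to analyse real data; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    lan, ext = bad_length_sources(text)
    print("LAN sources:", dict(lan), f"(spread {lan_spread(lan):.3f})")
    print("External sources:", dict(ext))
```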