OpenVPN client errors and traffic shaping

Started by keeka, April 07, 2026, 11:41:18 AM

With my traffic shaping policy active, I see the OpenVPN client indicating there are out-of-sequence packets.
These occur in bursts of 100+ when, for example, starting a YouTube video stream or running the waveform buffer bloat test, which, from a user perspective, aren't noticeably impacted.
The traffic shaping policy follows that set out in the docs' buffer bloat recipe.

"2026-04-07T08:21:27.000Z","fw","openvpn_client2","error","AEAD Decrypt error: bad packet ID (may be a replay): [ #25172 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings"
"2026-04-07T08:21:27.000Z","fw","openvpn_client2","error","AEAD Decrypt error: bad packet ID (may be a replay): [ #25161 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings"
"2026-04-07T08:21:27.000Z","fw","openvpn_client2","error","AEAD Decrypt error: bad packet ID (may be a replay): [ #25167 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings"
"2026-04-07T08:21:27.000Z","fw","openvpn_client2","error","AEAD Decrypt error: bad packet ID (may be a replay): [ #25174 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings"
"2026-04-07T08:21:27.000Z","fw","openvpn_client2","error","AEAD Decrypt error: bad packet ID (may be a replay): [ #25163 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings"
"2026-04-07T08:21:27.000Z","fw","openvpn_client2","error","AEAD Decrypt error: bad packet ID (may be a replay): [ #25173 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings"
"2026-04-07T08:21:27.000Z","fw","openvpn_client2","error","AEAD Decrypt error: bad packet ID (may be a replay): [ #25168 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings"

Other than this, a shaper setup based on the buffer bloat recipe seems to work well. If I disable the shaper rules, no OpenVPN errors are logged.

OPNsense is running on Proxmox VE, with the WAN (PPPoE) interface assigned to a Proxmox bridge whose single member is the physical interface connected to the FTTP ONT.

What might I look at in order to retain the benefits of the shaper and resolve what appear to be the OpenVPN out-of-sequence packets it generates?
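
Added example, not part of the original post: a small Python summarizer for log exports in the format quoted above. It groups the rejected packet IDs into bursts and reports how far behind each one arrived, which is the figure to weigh against the `--replay-window` setting the log message refers to. The function name `summarize` and the shortened sample messages are constructed for illustration, and the lag calculation assumes that file order is arrival order.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the export format shown in the post (timestamp, host,
# process, severity, message); the packet IDs are the ones quoted there.
SAMPLE = "\n".join(
    f'"2026-04-07T08:21:27.000Z","fw","openvpn_client2","error",'
    f'"AEAD Decrypt error: bad packet ID (may be a replay): [ #{pid} ]"'
    for pid in (25172, 25161, 25167, 25174, 25163, 25173, 25168)
)

PACKET_ID = re.compile(r"bad packet ID \(may be a replay\): \[ #(\d+)")


def summarize(log_text):
    """Group rejected packet IDs by (process, timestamp) burst.

    Returns {(process, timestamp): {"count", "min_id", "max_id", "max_lag"}}.
    max_lag is the largest gap between a rejected ID and the highest rejected
    ID logged before it in the same burst. Assuming file order is arrival
    order, that is a lower bound on how far behind the packet arrived,
    because the receiver had already seen at least that higher ID.
    """
    bursts = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 5:
            continue  # not a 5-column export row
        m = PACKET_ID.search(row[4])
        if m:
            bursts[(row[2], row[0])].append(int(m.group(1)))
    out = {}
    for key, ids in bursts.items():
        highest, max_lag = ids[0], 0
        for pid in ids[1:]:
            max_lag = max(max_lag, highest - pid)
            highest = max(highest, pid)
        out[key] = {"count": len(ids), "min_id": min(ids),
                    "max_id": max(ids), "max_lag": max_lag}
    return out


if __name__ == "__main__":
    for (proc, ts), stats in summarize(SAMPLE).items():
        print(proc, ts, stats)
```

Only rejected packets appear in the log, so `max_lag` understates the true reordering depth; comparing runs with the shaper rules enabled and disabled shows whether the bursts track the shaper.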