OpenVPN Server fails to start when set on TCP port 443

mnz
Posts: 21
Joined: Thu Jul 04, 2013 9:56 am

OpenVPN Server fails to start when set on TCP port 443

Postby mnz » Tue Jul 09, 2013 10:06 pm

Hello all.

- Client is Windows 8.
- Modem/Router is 2Wire 2701HG-G from Bell Canada.
- Server (Amahi) runs on Ubuntu 12.04

A bit of history:

I first tried OpenVPN the UDP way. Mostly works, which should mean that port forwarding is successful and that server and client can talk to eachother:

1- "OpenVPN Tester" (in control panel) tells me everything is fine.

2- I actually can connect to the server, but.. from my own network (the "A" icon of the HDAconnect application turns green and tooltip/popup text shows IP) -- which, presumably should be impossible... or should it ???

3- However, I can't connect using HDAConnect from 2 other test networks I tried (college network + a nearby library).


So... I tried the advices on https://wiki.amahi.org/index.php/VPN_troubleshooting.

I tried using TCP on port 443. However, the OpenVPN won't even start ! If I specify port 443, it just stops.

Please note that:
- on the router, port 443 has been forwarded
- port 1194, TCP (or,before, UDP), does "work" : OpenVPN server (re)starts normally.


TCP 443 Config goes like this :

Server side

my openvpn.conf (server side) looks like this

Code: Select all

port 443 proto tcp ;dev tap dev tun ca /etc/openvpn/amahi/ca.crt cert /etc/openvpn/amahi/server.crt
[...]

(The remaining is exactly like the original file. So I basically changed the port number + the protocol, as described in the troubleshooter.)


Client

my HomeHDA.ovpn file looks like this :

Code: Select all

client dev tun proto tcp remote [....removed...] 443 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert homehda.crt key homehda.key comp-lzo verb 3 auth-user-pass route-method exe route-delay 2
Router

As I said earlier... I forwarded TCP port 443

=====

I'm not sure what to do next.

Questions:


- Should I persist trying with TCP 443 (or even UDP 1194) ? How can I make the OpenVpn server start normally when config specifies port 443 ?

Removing the port 443 specification and leaving "proto TCP" allows OpenVPN to start normally, but I can't connect from the client, and the control panel "OpenVPN tester" says that the server is not enabled.

It could be a problem with my router and port 443. I tried turning all security features off but then I couldn't reach the dashboard from the server... :( I must say I didn't try very long as I put the router back as it was, restarted it and restarted the server... It's back to normal now.

- I haven't tried connecting from an external network with TCP 1194. Could that work ? (When I try the "OpenVPN Tester", it seems to like it... and I can connect internally, from my own network..!! which, from what I've read should be impossible... maybe that's where the problem lies...)

mnz
Posts: 21
Joined: Thu Jul 04, 2013 9:56 am

Re: OpenVPN Server fails to start when set on TCP port 443

Postby mnz » Wed Jul 10, 2013 11:31 am

OK, so everything seems to work now. But I'm connecting via TCP on port 1194. I'm not knowledgeable enough to now whether this is fine or not (security wise, etc.). Can someone help me with that ? Thanks.

[EDIT] It works, but it's s - l - o - w .[/EDIT]
----
P.S.: Please note that while I'm able to connect remotely, the "OpenVPN Tester" says "Inactive ... enable it". And before, when trying to connect via UDP, it was saying all was fine, but I couldn't connect... :ugeek:

If the "OpenVPN Tester" 's not truly reflecting the VPN state, it becomes more of a hindrance than a help: I spent 1 h yesterday trying to turn the red message into a green one and, surprise, I shouldn't have bothered. Since it seems to be unreliable (saw other post about it's unreliability), maybe it should just be removed from the control panel.

mnz
Posts: 21
Joined: Thu Jul 04, 2013 9:56 am

Re: OpenVPN Server fails to start when set on TCP port 443

Postby mnz » Thu Jul 11, 2013 1:32 pm

Is anybody here ? :)

To unreliably answer my own question : Port 1194 is the official OpenVPN port, whether used through UDP or TCP. So I should be okay.

TCP is also inherently slower than UDP -- which explains the slowness mentioned in my previous post.

Some sources:
http://en.wikipedia.org/wiki/OpenVPN
http://www.speedguide.net/port.php?port=1194
http://www.skullbox.net/tcpudp.php

Anyway : pretty happy with my Amahi solution for now. A few bumps on the road and had to reinstall 3 times (kept having problems with my Ethernet card being identified as ETH2 or ETH1 instead of ETH0 + other problems causing the VPN to not work).

I will keep connecting via TCP 1194, unless there's a need for speed.

Suggestion : it would be nice if some GUI could allow the user to easily switch protocol (both on client and server side) and, even better, if OpenVPN could switch protocol automatically depending on network security/connection problems (could be implemented as an option). TCP seems to go through firewalls or other security hardware better than UDP.

User avatar
bigfoot65
Project Manager
Posts: 11924
Joined: Mon May 25, 2009 4:31 pm

Re: OpenVPN Server fails to start when set on TCP port 443

Postby bigfoot65 » Thu Jul 11, 2013 3:24 pm

When you followed the guidance https://wiki.amahi.org/index.php/VPN_troubleshooting, did you miss a step?

Seems like it should have worked. Now if you are using Ubuntu, there might be another config file that needs updating.
ßîgƒσστ65
Applications Manager

My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 16GB RAM, 1TBx1+2TBx2+4TBx2

mnz
Posts: 21
Joined: Thu Jul 04, 2013 9:56 am

Re: OpenVPN Server fails to start when set on TCP port 443

Postby mnz » Thu Jul 11, 2013 4:02 pm

Thanks for offering your help.

As far as I can tell, I don't think I missed any step. You can look at how my config files look(ed) like in previous posts.

Concerning the troubleshooting page : I found the whole explanation not as well structured as it should be. Client and Server config are intertwined in ways that make the configuring process more complex to understand than it should -- as it's really simple. IMO, the first half should really deal only with the server config + router, and the second half with the client, or the reverse. Right now, you start working on the client, and then suddenly you have the "Blocked port 1194" section which involves tinkering with the server, and then back to the client, then sections about Windows, then Mac, etc. It's confusing when you're dealing with those config files for the first time.

What would also help is to show how both final config files should look like -- client and server. I realize those might be different depending on the OS, but it would still help.

Anyway, like is said : impossible for me to start the OpenVPN server on TCP port 443 (see server config file above). Port 1194 seems to work fine.
I'd still like to try to VPN through 443 as 1194 seems to be blocked at the library nearby, but...

Thanks a lot for an overall great product. I fondly remember my first days with OpenLinux, a long time ago... Needless to say : much harder to set up and get things done.

User avatar
bigfoot65
Project Manager
Posts: 11924
Joined: Mon May 25, 2009 4:31 pm

Re: OpenVPN Server fails to start when set on TCP port 443

Postby bigfoot65 » Thu Jul 11, 2013 6:04 pm

If you would like to update the wiki, we would greatly appreciate it. I will take a look at you files. If I see something I will let you know.
ßîgƒσστ65
Applications Manager

My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 16GB RAM, 1TBx1+2TBx2+4TBx2

mnz
Posts: 21
Joined: Thu Jul 04, 2013 9:56 am

Re: OpenVPN Server fails to start when set on TCP port 443

Postby mnz » Fri Jul 12, 2013 12:27 am

Thanks for your answer.
Sure, I could restructure the wiki a bit, but I'm not sure if I have enough knowledge to do so. Anyway: I'll see if I've got some time off during the weekend.
Thanks again.

User avatar
bigfoot65
Project Manager
Posts: 11924
Joined: Mon May 25, 2009 4:31 pm

Re: OpenVPN Server fails to start when set on TCP port 443

Postby bigfoot65 » Fri Jul 12, 2013 4:36 pm

No problem and thanks for helping out.
ßîgƒσστ65
Applications Manager

My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 16GB RAM, 1TBx1+2TBx2+4TBx2

Who is online

Users browsing this forum: No registered users and 17 guests