5

I have an OpenVPN server running in the cloud, set to listen on 1194/tcp, with a UFW addition that forwards 443 to 1194 (so I can use my VPN in places with restrictive firewalls).

When I try to open an HTTPS connection to google.com I get the below in my OpenVPN server's log and the page pretty much dies.

WARNING: Bad encapsulated packet length from peer ([[Peer number]]), which must be > 0 and <= 1575 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]

Normal HTTP traffic and any other types of traffic I've tested seem to work fine, except HTTPS.

I followed this guide https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04 almost fully to set up everything.

For forwarding I have a few lines added to UFW's before.rules:

...
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 1194
COMMIT

Any help is appreciated.

Edit: I shifted it off port 443 and it started working again. It seems you can't have a redirect if you want to use HTTPS. I'll just have to find another open port.

FortuneCookie101

  • The exact help is in the warning message: _"must be > 0 and <= 1575 -- please ensure that --tun-mtu or --link-mtu is equal on both peers"_ – Ipor Sircer Nov 16 '16 at 02:22
  • @IporSircer after adjusting the MTU the same error is still received. – FortuneCookie101 Nov 16 '16 at 02:46
  • openvpn gave you another hint: _"this condition could also indicate a possible active attack on the TCP link"_ Check the reliability of your connection. Try the client+server on localhost first to be sure the configs are ok. – Ipor Sircer Nov 16 '16 at 02:47

1 Answer

2

The problem is that the REDIRECT iptables rule is too broad, because it affects all NATed traffic. It should be limited to incoming traffic to the VPN server only.

Change that rule so that it only matches incoming traffic, either by specifying the interface or the IP address which the client uses to connect to the VPN server.

For example:

-A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 1194

where eth0 is the interface that the VPN client connects to (most probably the WAN interface),

or:

-A PREROUTING -d 192.0.2.0 -p tcp --dport 443 -j REDIRECT --to-port 1194

where 192.0.2.0 is the IP address that the VPN client connects to (most probably the external IP address).
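Why only HTTPS breaks, as an added example that is not code from the question, the answer or OpenVPN: the rule as pasted has no -i or -d, so it also matches packets that the VPN clients send through the tunnel (they arrive on tun0 and traverse nat PREROUTING like any other incoming packet). Every tunneled connection to port 443 is therefore redirected into the OpenVPN daemon's own listener on 1194, which reads the browser's TLS record bytes where it expects its two-byte packet length prefix and logs the warning quoted above, while tunneled port 80 traffic is not matched and works. The Python below models just the iptables matches used on this page, runs the broad rule and the answer's two scoped variants against constructed packets, lints a before.rules nat section for unscoped REDIRECT rules, and shows the length OpenVPN reads from the start of a TLS record. Interface names, addresses, ports and the TLS bytes are constructed for the demonstration.

```python
"""Offline model of the nat PREROUTING rules discussed on this page.

Added example; not code from the question, the answer or OpenVPN. It
implements only the iptables matches that appear on the page (-i, -d, -p,
--dport) and the REDIRECT target, plus the two-byte length prefix OpenVPN
uses to frame packets on a TCP link. Names and addresses are constructed.
"""
import shlex
from dataclasses import dataclass

# The rule from the question (broad) and the answer's two scoped variants.
BROAD_RULE = "-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 1194"
IFACE_RULE = "-A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 1194"
ADDR_RULE = "-A PREROUTING -d 192.0.2.0 -p tcp --dport 443 -j REDIRECT --to-port 1194"

# The *nat section from the question's before.rules, as pasted.
BEFORE_RULES_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 1194
COMMIT
"""


@dataclass(frozen=True)
class Packet:
    in_iface: str  # interface the packet arrived on: eth0 = WAN, tun0 = VPN
    dst: str       # destination IPv4 address
    proto: str
    dport: int


# Constructed packets; 198.51.100.10 stands in for some HTTPS web site.
VPN_HTTPS = Packet("tun0", "198.51.100.10", "tcp", 443)   # client browsing HTTPS via the tunnel
VPN_HTTP = Packet("tun0", "198.51.100.10", "tcp", 80)     # client browsing HTTP via the tunnel
CLIENT_CONNECT = Packet("eth0", "192.0.2.0", "tcp", 443)  # client dialing the VPN on 443


def parse_rule(line):
    """Parse one iptables-restore '-A CHAIN ...' line into a dict of matches."""
    toks = shlex.split(line)
    rule = {"chain": None, "in": None, "dst": None, "proto": None,
            "dport": None, "target": None, "to_port": None}
    keys = {"-A": "chain", "-i": "in", "-d": "dst", "-p": "proto",
            "--dport": "dport", "-j": "target",
            "--to-port": "to_port", "--to-ports": "to_port"}
    i = 0
    while i < len(toks):
        if toks[i] not in keys or i + 1 >= len(toks):
            raise ValueError(f"unsupported token {toks[i]!r} in {line!r}")
        key = keys[toks[i]]
        val = toks[i + 1]
        rule[key] = int(val) if key in ("dport", "to_port") else val
        i += 2
    return rule


def matches(rule, pkt):
    """An absent match option (None) is a wildcard, as in iptables."""
    return (rule["in"] in (None, pkt.in_iface)
            and rule["dst"] in (None, pkt.dst)
            and rule["proto"] in (None, pkt.proto)
            and rule["dport"] in (None, pkt.dport))


def prerouting(rules, pkt):
    """Destination (address, port) after nat PREROUTING; first match wins.

    Real REDIRECT rewrites the address to the primary address of the
    incoming interface; 'local' stands for 'this host' in the model.
    """
    for rule in rules:
        if (rule["chain"] == "PREROUTING" and rule["target"] == "REDIRECT"
                and matches(rule, pkt)):
            return ("local", rule["to_port"])
    return (pkt.dst, pkt.dport)


def unscoped_redirects(nat_section):
    """Lint: PREROUTING REDIRECT rules with neither -i nor -d, which also
    fire on packets arriving from the tunnel interface."""
    findings = []
    for line in nat_section.splitlines():
        if not line.startswith("-A "):
            continue  # skip *nat, :CHAIN policy and COMMIT lines
        rule = parse_rule(line)
        if (rule["chain"] == "PREROUTING" and rule["target"] == "REDIRECT"
                and rule["in"] is None and rule["dst"] is None):
            findings.append(line)
    return findings


# OpenVPN over TCP prefixes each packet with a 2-byte big-endian length and
# raises the warning quoted in the question when it is 0 or above the limit
# (1575 on this page). A TLS record starts 0x16 0x03, which reads as 5635.
OPENVPN_MAX_LEN = 1575
TLS_CLIENT_HELLO_START = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"  # constructed


def encapsulated_length(data):
    return int.from_bytes(data[:2], "big")


def length_ok(n, max_len=OPENVPN_MAX_LEN):
    return 0 < n <= max_len


if __name__ == "__main__":
    for name, text in (("broad", BROAD_RULE), ("-i eth0", IFACE_RULE), ("-d addr", ADDR_RULE)):
        r = [parse_rule(text)]
        print(f"{name:8} tunneled HTTPS -> {prerouting(r, VPN_HTTPS)}, "
              f"client connect -> {prerouting(r, CLIENT_CONNECT)}")
    print("unscoped REDIRECT rules:", unscoped_redirects(BEFORE_RULES_NAT))
    n = encapsulated_length(TLS_CLIENT_HELLO_START)
    print(f"TLS record start read as OpenVPN length {n}: ok={length_ok(n)}")
```

Running it shows the broad rule sending tunneled HTTPS to ("local", 1194) while both scoped rules leave it at its real destination and still redirect a client dialing in on eth0:443; the lint flags exactly the rule pasted in the question. The scoping is a one-line change, and the lint is the check to rerun whenever another REDIRECT or DNAT rule is added to before.rules.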