
I'm running an OpenVPN Server Version 2.4.4 on my Ubuntu 16.04.3. The VPN connections work absolutely fine with UDP 1194, but when I try to change to TCP 443 it just won't connect. I'm using apache2, which I turned off before testing with the command service apache2 stop. ufw tcp 443 is allowed, but even if I turn the firewall off, it won't connect. (Also on the Windows client)

Here is my server config:

port 443
proto tcp
;proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 213.133.98.98"
push "dhcp-option DNS 213.133.99.99"
push "dhcp-option DNS 213.133.100.100"
keepalive 10 120
tls-auth ta.key 0
key-direction 0
cipher AES-256-CBC
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
auth SHA512
max-clients 2
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
tls-version-min 1.2
reneg-sec 60
remote-cert-tls client

my client config:

client
dev tun
proto tcp
;proto udp
remote *super secret IP* 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
auth SHA512
key-direction 1
auth-nocache
reneg-sec 60
verb 3

client log:

Fri Nov 10 13:35:05 2017 SIGUSR1[soft,connection-reset] received, process restarting
Fri Nov 10 13:35:05 2017 MANAGEMENT: >STATE:1510317305,RECONNECTING,connection-reset,,,,,
Fri Nov 10 13:35:05 2017 Restart pause, 5 second(s)
Fri Nov 10 13:35:10 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]*super secret IP*:443
Fri Nov 10 13:35:10 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Nov 10 13:35:10 2017 Attempting to establish TCP connection with [AF_INET]*super secret IP*:443 [nonblock]
Fri Nov 10 13:35:10 2017 MANAGEMENT: >STATE:1510317310,TCP_CONNECT,,,,,,
Fri Nov 10 13:35:11 2017 TCP connection established with [AF_INET]*super secret IP*:443
Fri Nov 10 13:35:11 2017 TCP_CLIENT link local: (not bound)
Fri Nov 10 13:35:11 2017 TCP_CLIENT link remote: [AF_INET]*super secret IP*:443
Fri Nov 10 13:35:11 2017 MANAGEMENT: >STATE:1510317311,WAIT,,,,,,
Fri Nov 10 13:35:11 2017 Connection reset, restarting [0]

server log:

Nov 12 18:22:22 ubuntu systemd[1]: Starting OpenVPN connection to server...
Nov 12 18:22:22 ubuntu systemd[1]: Starting OpenVPN service...
Nov 12 18:22:22 ubuntu systemd[1]: Started OpenVPN service.
Nov 12 18:22:22 ubuntu systemd[1]: Failed to start OpenVPN connection to server.

ip addr show tun0 with UDP 1149:

12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever

ip addr show tun0 with TCP 443:

Device "tun0" does not exist.

Does anyone know why it won't work when I change to TCP 443?

obeN
  • What does `netstat -tlupn | grep 443` show? – Mike Nov 10 '17 at 13:20
  • Where is the server log? – Michael Hampton Nov 10 '17 at 16:05
  • openvpn doesn't provide https. Are you sure you want to run this on port 443? It seems likely this will cause confusion for you later. – chicks Nov 10 '17 at 16:33
  • Hey, I'm sorry for the late response. `netstat -tlupn | grep 443` shows nothing, but OpenVPN Server is running. When I have apache2 started, I can clearly see the apache2 service there. I have added the server log to my post. – obeN Nov 12 '17 at 17:17
  • Okay, I've noticed that no matter what port I'm using on TCP, it just won't work. But on UDP I can use whatever port I want. – obeN Nov 12 '17 at 17:29
  • `lsof /dev/net/tun` also shows nothing when running on tcp 443 – obeN Nov 12 '17 at 17:58

2 Answers


Probably the OpenVPN server can't bind a privileged port with:

user nobody group nogroup

try with

user root group root

and see if that works.

Martynas Saint
  • Thanks for your help, but it doesn't work. – obeN Nov 12 '17 at 17:35
  • I too suspected this. Your logs indicate OpenVPN cannot start, but we need more detailed logs. Try adding `log-append /var/log/openvpn.log` to your configuration and see if it gives you additional information. Also try removing the user and group entirely. It should just run as root without them. – djsumdog Nov 12 '17 at 17:54

Okay, so I've found the solution! Thanks to djsumdog for giving me the hint with the log-append option. Error in the file: `Options error: --explicit-exit-notify can only be used with --proto udp`. So I can't use this option when I want to use TCP. Now everything works perfectly fine.

obeN
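The accepted answer shows the failure mode: a directive that is valid only for UDP was left in a config switched to TCP, OpenVPN refused to start, and because the daemon logged nowhere visible the only symptom was systemd's "Failed to start". The script below is an added example (not code from the original post or from the OpenVPN project) that catches this before a restart: it strips `;`/`#` comment lines, works out the effective `proto`, and fails when `explicit-exit-notify` is present under a TCP proto. The file name `check_openvpn_proto.sh` is a placeholder, and the list of UDP-only directives contains only the one the page confirms.

```shell
#!/bin/sh
# Added example, not from the original post or from the OpenVPN project:
# a pre-flight check that catches the exact mistake behind this question.
# OpenVPN rejects --explicit-exit-notify unless proto is udp, and with
# "user nobody" and no log-append the only visible symptom is systemd's
# "Failed to start OpenVPN connection to server".

# Print only the active directives of a config: lines that are blank or
# start with ';' or '#' are comments and are dropped.
active_lines() {
    grep -Ev '^[[:space:]]*([;#]|$)' "$1"
}

# Print the effective proto value (tcp, tcp-server, udp, ...). OpenVPN
# defaults to udp when no proto directive is present; the last one wins.
effective_proto() {
    p=$(active_lines "$1" | awk '$1 == "proto" { v = $2 } END { print v }')
    if [ -n "$p" ]; then
        printf '%s\n' "$p"
    else
        printf 'udp\n'
    fi
}

# Return 0 when the config is consistent and 1 when a UDP-only option is
# combined with a TCP proto. Findings are written to stderr.
check_tcp_options() {
    cfg=$1
    proto=$(effective_proto "$cfg")
    case "$proto" in
        tcp*) ;;              # tcp, tcp-server, tcp-client, tcp4, tcp6
        *) return 0 ;;        # udp: nothing to check
    esac
    rc=0
    # Directives OpenVPN accepts only with --proto udp. The page confirms
    # explicit-exit-notify; extend the list if your build reports others.
    for opt in explicit-exit-notify; do
        if active_lines "$cfg" | awk -v o="$opt" '$1 == o { found = 1 } END { exit !found }'; then
            echo "$cfg: '$opt' can only be used with --proto udp, but proto is '$proto'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh check_openvpn_proto.sh /etc/openvpn/server.conf
# Exit status is non-zero when the config would fail to start, so it can
# gate a "systemctl restart openvpn@server" in a deploy script.
if [ "$#" -gt 0 ]; then
    check_tcp_options "$1"
fi
```

Run it against the server config before restarting the service; when it passes, confirm the listener with the `netstat -tlupn | grep 443` check from the comments, which is the quickest way to tell "not listening" from "listening but reset", and keep a `log-append` line in the config so the next options error is readable without this script.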