OpenVPN both TCP and UDP?

Discussion in 'Asuswrt-Merlin' started by gjf, Jan 21, 2020.

  1. gjf

    gjf Senior Member

    Joined:
    May 30, 2014
    Messages:
    222
    Hi all.

    I have configured OpenVPN using UDP successfully.
    But as I found, some countries block VPN based on port number and UDP, so for some cases I need TCP on port 443.

    When I tried to copy the configuration from the working UDP one, changing UDP to TCP and the port number to 443, the configuration does not initialize - I can see the following in the log:
    So what is wrong? Does it mean it is not possible to run two instances of OpenVPN?
     
  2. miroco

    miroco Regular Contributor

    Joined:
    Mar 12, 2014
    Messages:
    118
  3. gjf

    gjf Senior Member

    Joined:
    May 30, 2014
    Messages:
    222
    There are different ports for UDP and TCP.
    TAP is required for some of my issues.
     
  4. elorimer

    elorimer Very Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    1,049
    I think your problem is here:
    Code:
    Jan 21 13:24:03 ovpn-server2[23028]: TCP/UDP: Socket bind failed on local address [AF_INET6][undef]:443: Address already in use (errno=98)
    Jan 21 13:24:03 ovpn-server2[23028]: Exiting due to fatal error
    Something else is sitting on port 443. Perhaps you have the webgui there, or maybe one of the Asus applications, and you could turn them off. Or, you could set openvpn to bind only to the wan address.

    It looks like you have compression enabled and are not requiring a client certificate. If you are worried about state actors you might rethink both those.
     
    gjf likes this.
  5. gjf

    gjf Senior Member

    Joined:
    May 30, 2014
    Messages:
    222
    Yes, I see it and it is really the case - but how do I identify what is sitting on 443?
    Any idea?
     
  6. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,683
    Location:
    UK
    Log into the router and issue the following command:
    Code:
    netstat -nlp | grep 443
     
    martinr, elorimer and gjf like this.
  7. gjf

    gjf Senior Member

    Joined:
    May 30, 2014
    Messages:
    222
    tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1023/lighttpd
     
  8. elorimer

    elorimer Very Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    1,049
    In a terminal, run
    Code:
    netstat -tulpn | grep LISTEN
    You'll get something like:

    Code:
    [email protected]:/tmp/home/root# netstat -tulpn | grep LISTEN
    netstat: showing only processes with your user ID
    tcp        0      0 0.0.0.0:5152            0.0.0.0:*               LISTEN      607/envrams
    tcp        0      0 0.0.0.0:5473            0.0.0.0:*               LISTEN      1838/u2ec
    tcp        0      0 0.0.0.0:18017           0.0.0.0:*               LISTEN      923/wanduck
    tcp        0      0 0.0.0.0:3394            0.0.0.0:*               LISTEN      1838/u2ec
    tcp        0      0 192.168.50.1:515        0.0.0.0:*               LISTEN      1839/lpd
    tcp        0      0 127.0.0.1:47753         0.0.0.0:*               LISTEN      1986/mcpd
    tcp        0      0 192.168.50.1:9100       0.0.0.0:*               LISTEN      1839/lpd
    tcp        0      0 0.0.0.0:7788            0.0.0.0:*               LISTEN      1145/cfg_server
    tcp        0      0 192.168.50.3:80         0.0.0.0:*               LISTEN      2602/pixelserv-tls
    tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      1026/httpd
    tcp        0      0 192.168.50.1:80         0.0.0.0:*               LISTEN      1026/httpd
    tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2404/dnsmasq
    tcp        0      0 192.168.50.1:53         0.0.0.0:*               LISTEN      2404/dnsmasq
    tcp        0      0 10.8.0.1:53             0.0.0.0:*               LISTEN      2404/dnsmasq
    tcp        0      0 10.16.0.1:53            0.0.0.0:*               LISTEN      2404/dnsmasq
    tcp        0      0 192.168.50.1:22         0.0.0.0:*               LISTEN      981/dropbear
    tcp        0      0 0.0.0.0:41240           0.0.0.0:*               LISTEN      2971/miniupnpd
    tcp        0      0 127.0.0.1:8888          0.0.0.0:*               LISTEN      1074/vis-dcon
    tcp        0      0 192.168.50.3:443        0.0.0.0:*               LISTEN      2602/pixelserv-tls
    tcp        0      0 xxx.xxx.xxx.xxx:443        0.0.0.0:*               LISTEN      2234/vpnserver1
    tcp        0      0 192.168.50.1:3838       0.0.0.0:*               LISTEN      1839/lpd
    
    From that you can see I have pixelserv running on the LAN side port 443, and vpn server 1 on the WAN side port 443.
     
    martinr and gjf like this.
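Both answers above come down to the same check: find every listener on the port OpenVPN wants before starting the server. As an added example that is not from this thread, the shell function below parses netstat -tulpn style output and reports the listeners that would block a planned bind, treating a wildcard listener (0.0.0.0 or ::) as colliding with any address (the [AF_INET6][undef]:443 bind in the original error is a dual-stack wildcard, so a 0.0.0.0:443 listener like lighttpd blocks it). The sample output is constructed from lines posted in the thread; the function name and argument order are my own.

```shell
#!/bin/sh
# Added example: report listeners that would collide with a planned bind.
# Rules: a wildcard listener (0.0.0.0 / ::) collides with any bind address;
# a specific listener collides with a wildcard bind or the same address.

# Constructed sample modelled on the netstat -tulpn lines posted above.
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1023/lighttpd
tcp 0 0 192.168.50.3:443 0.0.0.0:* LISTEN 2602/pixelserv-tls
udp 0 0 0.0.0.0:1194 0.0.0.0:* 2234/vpnserver1
tcp 0 0 192.168.111.1:80 0.0.0.0:* LISTEN 262/httpd'

# port_conflicts PROTO PORT BIND_ADDR [NETSTAT_OUTPUT]
# Prints "pid/program local_address" for each conflicting listener.
# Without a fourth argument it runs netstat -tulpn on the router itself.
port_conflicts() {
    proto="$1"; port="$2"; bind="$3"
    input="${4:-$(netstat -tulpn 2>/dev/null)}"
    printf '%s\n' "$input" | awk -v proto="$proto" -v port="$port" -v bind="$bind" '
        # keep only rows for the requested protocol (tcp also matches tcp6)
        $1 != proto && $1 != (proto "6") { next }
        {
            # local address is field 4; the port is everything after the last ":"
            n = split($4, a, ":"); lport = a[n]
            laddr = substr($4, 1, length($4) - length(lport) - 1)
            if (lport != port) next
            wild = (laddr == "0.0.0.0" || laddr == "::")
            if (wild || bind == "0.0.0.0" || bind == "::" || laddr == bind)
                print $NF, $4
        }'
}
```

Running `port_conflicts tcp 443 0.0.0.0` on the router with no fourth argument checks the live table, which is what to do before enabling a second OpenVPN instance on TCP 443.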
  9. gjf

    gjf Senior Member

    Joined:
    May 30, 2014
    Messages:
    222
    tcp 0 0 0.0.0.0:18017 0.0.0.0:* LISTEN 196/wanduck
    tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 262/httpd
    tcp 0 0 192.168.111.1:80 0.0.0.0:* LISTEN 262/httpd
    tcp 0 0 0.0.0.0:8082 0.0.0.0:* LISTEN 1023/lighttpd
    udp 0 0 0.0.0.0:18018 0.0.0.0:* 196/wanduck
    udp 0 0 0.0.0.0:38000 0.0.0.0:* 218/eapd
    udp 0 0 127.0.0.1:38032 0.0.0.0:* 230/nas
    tcp 0 0 0.0.0.0:59328 0.0.0.0:* LISTEN 1386/miniupnpd
    tcp 0 0 0.0.0.0:5473 0.0.0.0:* LISTEN 705/u2ec
    tcp 0 0 192.168.111.1:33 0.0.0.0:* LISTEN 212/dropbear
    tcp 0 0 0.0.0.0:18017 0.0.0.0:* LISTEN 196/wanduck
    tcp 16 0 0.0.0.0:3394 0.0.0.0:* LISTEN 705/u2ec
    tcp 0 0 0.0.0.0:9091 0.0.0.0:* LISTEN 898/transmission-da
    tcp 0 0 192.168.111.1:515 0.0.0.0:* LISTEN 706/lpd
    tcp 0 0 0.0.0.0:8200 0.0.0.0:* LISTEN 1391/minidlna
    tcp 0 0 127.0.0.1:139 0.0.0.0:* LISTEN 1359/smbd
    tcp 0 0 192.168.111.1:139 0.0.0.0:* LISTEN 1359/smbd
    tcp 0 0 192.168.111.1:9100 0.0.0.0:* LISTEN 706/lpd
    tcp 0 0 0.0.0.0:7788 0.0.0.0:* LISTEN 394/cfg_server
    tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 262/httpd
    tcp 0 0 192.168.111.1:80 0.0.0.0:* LISTEN 262/httpd
    tcp 0 0 0.0.0.0:8082 0.0.0.0:* LISTEN 1023/lighttpd
    tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1364/vsftpd
    tcp 0 0 0.0.0.0:51413 0.0.0.0:* LISTEN 898/transmission-da
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 253/dnsmasq
    tcp 0 0 192.168.111.1:53 0.0.0.0:* LISTEN 253/dnsmasq
    tcp 0 0 0.0.0.0:3702 0.0.0.0:* LISTEN 1362/wsdd2
    tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1023/lighttpd
    tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 738/pptpd
    tcp 0 0 127.0.0.1:445 0.0.0.0:* LISTEN 1359/smbd
    tcp 0 0 192.168.111.1:445 0.0.0.0:* LISTEN 1359/smbd
    tcp 0 0 192.168.111.1:3838 0.0.0.0:* LISTEN 706/lpd
    tcp 0 0 :::51413 :::* LISTEN 898/transmission-da
     
  10. elorimer

    elorimer Very Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    1,049
    AICloud?
     
    gjf likes this.
  11. gjf

    gjf Senior Member

    Joined:
    May 30, 2014
    Messages:
    222
    BINGO!!!!
    Thanks a lot!
     
  12. gjf

    gjf Senior Member

    Joined:
    May 30, 2014
    Messages:
    222
    Could you explain it in more detail?
    Unfortunately I was not able to find the way to generate client certificates in Asus Merlin.
     
  13. elorimer

    elorimer Very Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    1,049
    Two separate security issues.

    Unless you require certificates, all it takes to get access to your network is the username and password. That includes the admin name for the router too. The router automatically generates client certificates and exports them with the configuration. You can see them from the advanced settings.

    Compression is said not to do much, since a lot of traffic is compressed anyway. But compression offers a way to crack the encryption.
     
  14. gjf

    gjf Senior Member

    Joined:
    May 30, 2014
    Messages:
    222
    1. The config does not include it, but the lines:
    So this is exactly why I switched it off.

    2. As for compression - should it be "disabled" or "none" - and what's the difference?
     
    Last edited: Jan 21, 2020
  15. elorimer

    elorimer Very Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    1,049
    Ah. Yes, I don't know why sometimes the exported configuration for a second server is incomplete this way. So for the second configuration file, just paste in the certificate info from that server's advanced setting page by opening up the "keys" button.

    "Disabled" means packets aren't framed for compression. "None" means they are framed for compression, even if the data isn't compressed according to one of the protocols. If the client and server are mismatched here, a connection will be made but no data will transfer, because they are talking different languages.
     
  16. gjf

    gjf Senior Member

    Joined:
    May 30, 2014
    Messages:
    222
    Does it mean I have to switch to Static Key Authorization Mode?
     
  17. elorimer

    elorimer Very Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    1,049
    No, just change the radio button for password only from yes to no.
     
  18. gjf

    gjf Senior Member

    Joined:
    May 30, 2014
    Messages:
    222
    Anyway - even the first VPN does not export the correct ovpn files with client keys.
    On the VPN tab in the keys section I see: Static Key, Certificate Authority, Server Certificate, Server Key and Diffie Hellman parameters. All these data were generated by me when configuring the server.
    So what should I copy for the client certificate data, and what for the client key data? It is not very clear to me.

    Let's focus on this for the moment as I have a number of questions regarding compression also.
     
  19. elorimer

    elorimer Very Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    1,049
    You would copy the CA, SC and SK fields into the corresponding places in the configuration file.

    But you might consider resetting the VPN servers to default and starting over. I'm not sure how you generated those on your own.
     
  20. gjf

    gjf Senior Member

    Joined:
    May 30, 2014
    Messages:
    222
    CA is already there in <ca> node as well as SK is in <tls-crypt> node.
    As I mentioned, two new fields appear when changing the radio button: <cert> and <key>.
    So what should I put there? SC in both looks incorrect.

    Please note all these values were generated years ago and work OK on a number of devices.