OpenVPN issue, need help

tdi200

Occasional Visitor
I want to thank you guys in advance, as you have been helping a lot even though my knowledge of networking is weak, combined with a learning disability and dyslexia. Here is my situation; I will try my best to describe it.

RT-AC5300 on the latest Merlin firmware. The issue I am having is I can't connect to my OpenVPN server, as the location where I am at is anal about their 'free wifi' use.
Almost everything is blocked, so I run a VPN server at home and let it connect on port 443 TCP (both). That did not work at the location, but using my phone data I was able to connect to the router, so I knew the server is good and running. The next day I started server 2 on UDP 11941 (both); that also did not work, the server fails to connect (but works perfectly when using mobile data).

This happens with paid Mullvad VPN too (apk installed on my phone); it fails to connect too at the location described above. So I tried the Play Store "free VPN" called SecVPN proxy tool, and that one worked and connects, but the only downside is that it has a lot of ads and I can't connect to my home router. I have included screenshots of how the free VPN reacts to the wifi at the location compared to while on wifi at home and when using phone data. While on home wifi or when using phone data SecVPN connects using UDP, and while at the location it connects via TLS? Is there something I am missing or have to check some box so that OpenVPN works at the location, so that I don't have to use the free VPN? Below are attached screenshots.

I do have paid Mullvad VPN; it did not work.
The free VPN from the Play Store worked.
I can use VPN Server 1 and 2 to remotely access the public internet through the home network using mobile data and other free wifi, but I can't connect at the location I am always at.

I want to connect to my router at home instead via OpenVPN. OpenVPN connects on mobile data and other wifi locations except at the location where I am at. Your help will mean the world to me.
 

Attachments

  • server1.PNG (40.5 KB)
  • server2.PNG (41.1 KB)
  • homevpn_wifi.png (129.4 KB)
  • vpn_mobile_data.png (123.6 KB)
  • on sec VPN at location where openvpn do not work.png (179.5 KB)

eibgrad

Part of the Furniture
Based on your description, it appears the local wifi router is blocking access. But without further details, that's difficult to prove. Usually they have to leave TCP + port 443 open given so much other traffic uses it. But they could be doing traffic analysis and blocking VPNs specifically. Then again, other VPNs work. So again, difficult to know for sure.

BTW, there's a difference between the VPN "doesn't work" vs. "doesn't connect". You can have a connection, but it simply doesn't work as intended (e.g., internet access but no home network access). Or it might be a DNS problem, so an explicit ping works (8.8.8.8) but nothing by domain name (google.com).

IOW, let's be precise here so we know exactly what is and isn't working.

P.S. I just noticed on your OpenVPN server config that you are NOT pushing your home network's DNS server ("Advertise DNS to clients" is set to No). That's often the source of DNS problems, esp. if you're referencing hostnames back home.
 

tdi200

Occasional Visitor
I apologize, English is my 2nd language. I changed "advertise DNS to clients" to Yes; that did not fix the issue, as even when it was set to No I was still able to connect via OpenVPN and browse the internet. The only issue is here at the specific location, using their guest wifi and main wifi: the app "OpenVPN for Android" gets stuck at "waiting for server reply", but when I use the phone data it instantly gets connected. (Anywhere else works perfectly.)

The VPN server that I set up is working, because I can connect to it using my phone data, but when I turn on wifi and connect to the location's wifi (guest or main wifi at the specified location) it fails to connect.

But the free VPN apk named "secvpn proxy tool" can go through. Based on the screenshot I sent, you can see that while at the specified location the apk "secvpn proxy tool" shows United States:tls:r:Manassas-G088:1394ms, and when I turn on mobile data it connects as: United States:udp:q:199.195.248.53:120ms (the same applies on home wifi).

ONLY 1 VPN worked, which connects via TLS, while the rest get connected via UDP. Is there something I can tweak so that my VPN does the same thing the free VPN is doing? I think that will solve the issue.

Mullvad VPN (paid) did not work. I tried the other free Proton VPN, that did not work; even Atlas VPN did not work. The only one that worked is the "secvpn".
 

eibgrad

Part of the Furniture
As I said, there's just not enough here to work with. The mystery box is the local network you're using. It might be blocking access. It certainly looks that way given your description of every other type of accessing working fine. But presumably you have no means to diagnose this local router.
 

tdi200

Occasional Visitor
That is very true. With my limited findings I can't provide much, besides that I was able to find out they use a Cisco Catalyst 3850 switch with Meraki MR46 access points. Using the app called Fing, I did see they indeed do have 443 open; screenshot included.
 

Attachments

  • open_ports.png (55.3 KB)

Yota

Very Senior Member
Check out the logs in the OpenVPN client on your phone and it should tell you what's going on.
 

tdi200

Occasional Visitor
Thank you, here is the log.
 

Attachments

  • vpnlog.png (189.3 KB)
  • waiting for server reply.png (55.2 KB)

eibgrad

Part of the Furniture
Unfortunately, not very helpful since all it's reporting is a failure to connect to the remote public IP of your server. It just times out and tries again and again. So either it's being blocked locally, or perhaps the public IP is NOT correct, or perhaps your server has a CGNAT (i.e., private) IP making it unreachable. I was assuming CGNAT was unlikely given you can reach it over the cellular network w/ your smartphone, but maybe your ISP jumps between public and private IPs on the WAN when renewing the lease (I've seen it happen).
 

tdi200

Occasional Visitor
Probably it's being blocked locally, because even a paid VPN is failing to connect; all the free ones are failing to connect too, besides the one I mentioned above, which is the only one going through.
 

Yota

Very Senior Member
Could you try changing the OpenVPN server side port to something larger than 1,024?

There are two reasons: the first is that some ISPs implement some kind of security for their customers that blocks port access from some specific IP addresses, and the second is that the TCP 443 port is assigned to AiCloud by default in Asuswrt, which may create some kind of unknown conflict.

If it were me, I would try a TCP port greater than 500,00 and less than 60,000.


I tend to think the problem is with your router, not an unknown network firewall.
 

tdi200

Occasional Visitor
Thanks for the suggestion, will give it a shot, but I also have to say that the current setup works everywhere else besides the location where I am at, and even other VPNs refuse to connect at the same location. Just to be on the same page, did you mean a TCP port greater than 50,000 and less than 60,000, or a TCP port greater than 500,00 and less than 60,000?
 

Yota

Very Senior Member
Yes, greater than 50,000. Sorry, wrong grouping of digits.
 

tdi200

Occasional Visitor
Negative, did not work. Tried to change port numbers as suggested; nothing worked.
Still getting "enable extended error passing on tcp/udp socket failed (ipv6_recverr) protocol not available (errno=92)", but whenever ports changed I was still able to connect using mobile data and other wireless networks besides the one which I really want it to work with.
 

Yota

Very Senior Member
Thanks for trying. Can you confirm if your router logs have any information when you connect to your OpenVPN server via WiFi?

As for error number 92, I don't know what it means, but this seems to be a new log message introduced with OpenVPN 2.6.

Also, hopefully that WiFi doesn't do address translation like NAT64; I don't know what would happen if there was NAT64 there.
 

tdi200

Occasional Visitor
Hey bro, you don't have to thank me; matter of fact, I appreciate you taking your time and trying your best to help me out. I am not at the location right now, but tomorrow I will have more accurate logs. The reason they're not accurate right now is that whenever I changed ports I had to switch between phone data and wifi.

Aug 9 1 ovpn-server1[10]: TCP connection established with
Aug 9 06: ovpn-server1[10]: TLS: Initial packet from
Aug 9 028 ovpn-server1[: read TCPv6_SERVER [NO-INFO]: Connection timed out (code=110)
Aug 9 28 ovpn-server1[17: Connection reset, restarting [0]
Aug 9 0248 ovpn-server1[1]: 4SIGUSR1[soft,connection-reset] received, client-instance restarting
Aug 9 06:25:15 ovpn-server1[17]: TCP connection established with [
Aug 9 0:31 ovpn-server1[10]: read TCPv6_SERVER [NO-INFO]: Connection timed out (code=110)
Aug 9 06:25:31 ovpn-server1[]: Connection reset, restarting [0]
Aug 9 0:31 ovpn-server1[]: SIGUSR1[soft,connection-reset] received, client-instance restarting
 

Yota

Very Senior Member
Sorry for the late reply.

The logs show that the OpenVPN server received a connection request from your phone:
Aug 9 06:24:11 ovpn-server1[17360]: X.X.X.X:50890 TLS: Initial packet from [AF_INET6]::ffff:X.X.X.X:50890, sid=831c5a68 f133f72f

But everything breaks with a timeout before proceeding further with the TLS handshake:
Aug 9 06:24:28 ovpn-server1[17360]: X.X.X.X:50890 read TCPv6_SERVER [NO-INFO]: Connection timed out (code=110)

This corroborates the logs seen on the client side. It looks like I was wrong earlier, because apparently there is a firewall running some kind of deep packet inspection/traffic detection that breaks the connection when it detects a non-normal TLS handshake.

As for why a free VPN would work, it might not be a VPN at all, but some kind of proxy server, so it can evade firewall detection.

Speaking of proxies, OpenVPN clients usually allow you to obfuscate traffic with an HTTP proxy; maybe you can give it a try.

There are many free HTTP proxy servers on the internet: https://duckduckgo.com/?q=free+proxy+list

Sorry for the previous misdiagnosis.
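As an added example (not code from the thread, from Asuswrt-Merlin or from OpenVPN), here is a small Python triage of OpenVPN server log lines in the format quoted above. It groups lines by client endpoint and reports whether each attempt completed the TLS handshake, received a "TLS: Initial packet" and then timed out or was reset before finishing (the pattern described in the post above), or opened a TCP socket without ever sending OpenVPN traffic. The sample log is constructed for the example: the addresses are documentation-range placeholders, and the PID, ports, session ids and certificate names are made up; "Peer Connection Initiated" is OpenVPN's normal server-side message once a client's handshake has completed.

```python
import re
from datetime import datetime

# Constructed sample server log, modelled on the syslog lines quoted in the
# thread. Addresses are from the RFC 5737 documentation ranges; the PID, ports,
# session ids and common names are made up for this example.
SAMPLE_LOG = """\
Aug 9 06:24:11 ovpn-server1[17360]: TCP connection established with [AF_INET6]::ffff:203.0.113.7:50890
Aug 9 06:24:11 ovpn-server1[17360]: 203.0.113.7:50890 TLS: Initial packet from [AF_INET6]::ffff:203.0.113.7:50890, sid=831c5a68 f133f72f
Aug 9 06:24:28 ovpn-server1[17360]: 203.0.113.7:50890 read TCPv6_SERVER [NO-INFO]: Connection timed out (code=110)
Aug 9 06:24:28 ovpn-server1[17360]: 203.0.113.7:50890 Connection reset, restarting [0]
Aug 9 06:24:28 ovpn-server1[17360]: 203.0.113.7:50890 SIGUSR1[soft,connection-reset] received, client-instance restarting
Aug 9 06:30:02 ovpn-server1[17360]: TCP connection established with [AF_INET6]::ffff:198.51.100.22:41022
Aug 9 06:30:02 ovpn-server1[17360]: 198.51.100.22:41022 TLS: Initial packet from [AF_INET6]::ffff:198.51.100.22:41022, sid=0a1b2c3d 4e5f6a7b
Aug 9 06:30:03 ovpn-server1[17360]: 198.51.100.22:41022 VERIFY OK: depth=1, CN=example-ca
Aug 9 06:30:03 ovpn-server1[17360]: 198.51.100.22:41022 [phone] Peer Connection Initiated with [AF_INET6]::ffff:198.51.100.22:41022
Aug 9 06:31:40 ovpn-server1[17360]: TCP connection established with [AF_INET6]::ffff:192.0.2.9:3311
Aug 9 06:31:41 ovpn-server1[17360]: 192.0.2.9:3311 Connection reset, restarting [0]
"""

# Syslog prefix as written by the router: "Mon D HH:MM:SS ovpn-serverN[pid]: ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ovpn-server\d+\[\d+\]: (?P<rest>.*)$"
)
# Once a client instance exists, OpenVPN prefixes its lines with "ip:port ".
PEER_PREFIX_RE = re.compile(r"^(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<msg>.*)$")
# Before that, the peer only appears inside the message (IPv4-mapped IPv6 form).
PEER_IN_MSG_RE = re.compile(
    r"(?:with|from) \[AF_INET6\]::ffff:(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+)"
)


def parse_line(line):
    """Return (timestamp, 'ip:port' or None, message) for one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year is irrelevant here
    rest = m.group("rest")
    pm = PEER_PREFIX_RE.match(rest)
    if pm:
        return ts, pm.group("peer"), pm.group("msg")
    im = PEER_IN_MSG_RE.search(rest)
    return ts, (im.group("peer") if im else None), rest


def triage(log_text):
    """Group lines per client endpoint and report how far each attempt got."""
    sessions = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] is None:
            continue
        ts, peer, msg = parsed
        s = sessions.setdefault(
            peer, {"initial": None, "completed": None, "ended": None, "reason": None}
        )
        if "TLS: Initial packet" in msg:
            s["initial"] = ts  # first control-channel packet arrived
        elif "Peer Connection Initiated" in msg:
            s["completed"] = ts  # TLS handshake finished, tunnel is up
        elif s["ended"] is None and ("Connection timed out" in msg or "Connection reset" in msg):
            s["ended"] = ts  # keep only the first terminal event
            s["reason"] = "timeout" if "timed out" in msg else "reset"

    results = {}
    for peer, s in sessions.items():
        if s["completed"] is not None:
            verdict = "handshake_completed"
        elif s["initial"] is not None:
            # TCP reached the server and TLS started but never finished: the
            # pattern the thread attributes to a middlebox cutting the handshake.
            verdict = "handshake_interrupted"
        else:
            verdict = "no_tls_initial_packet"  # socket opened, no OpenVPN traffic
        seconds = None
        if s["initial"] is not None and s["ended"] is not None and s["completed"] is None:
            seconds = int((s["ended"] - s["initial"]).total_seconds())
        results[peer] = {
            "verdict": verdict,
            "ended_by": s["reason"],
            "seconds_in_handshake": seconds,
        }
    return results


if __name__ == "__main__":
    for peer, info in triage(SAMPLE_LOG).items():
        print(f"{peer:24} {info['verdict']:24} ended_by={info['ended_by']} "
              f"handshake_seconds={info['seconds_in_handshake']}")
```

Feed it the router's syslog text instead of SAMPLE_LOG. If every attempt from one network shows handshake_interrupted with a short handshake time while attempts from other networks show handshake_completed, the server configuration is not the variable; something between that client and the server is. A run of no_tls_initial_packet entries from addresses you do not recognise is ordinary port-scan noise on a TCP 443 listener and is worth knowing about for its own sake.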
 

tdi200

Occasional Visitor
Thanks for the spot-on explanation; I appreciate your help in this.
 

SoFluffy

Occasional Visitor
Chiming in here for a different direction: if DPI is blocking you, read up on bypassing China's GFW. I have set up and used Shadowsocks (with v2ray-plugin over an nginx reverse proxy, websocket and CDN), vmess, vless, and now my favorite, trojan-go. All of these solutions will allow for running a secure proxy on TCP 443 with proper HTTPS TLS handshakes, thus sneaking right by any deep packet inspection while in plain sight.

Trojan-go is a beast to run on Merlin routers though (but it can be done on higher-end models). A lighter-weight version, "trojan", is available directly on Entware (opkg install trojan) and can be set up in minutes (client or server; the server just needs some TLS certs). This version (as opposed to trojan-go) is the same protocol but lacks websocket, mux, and a couple of other bells and whistles. It works great with proper TCP/UDP forwarding, and might be good enough to get past your super-anal-free-wifi situation without the websocket. (And yes, there are clients for this on iPhone/Android too.)
 
