
OpenVPN server issue when using TCP on port 443

Discussion in 'Asuswrt-Merlin' started by GSpock, Nov 14, 2019.

  1. GSpock

    GSpock Regular Contributor

    Joined:
    May 19, 2015
    Messages:
    158
    Location:
    Belgium
    Hi all,
    I am running Merlin 384.13_1 on my RT-AC87U.
    I have created 2 OpenVPN Servers, one UDP on port 11941 and another one TCP on 443 (this second one is needed because the UDP does not work from a specific location).

    I can connect and access my router (192.168.1.1) with the "UDP" one but not when connected with the "TCP" one.
    Basically, they have the same detailed config. Any idea where to look? I think I made the same test with TCP some months ago before upgrading to 384.13_1 and it was working ....

    Thanks,
    GS
     
  2. miroco

    miroco Regular Contributor

    Joined:
    Mar 12, 2014
    Messages:
    120
    martinr likes this.
  3. GSpock

    GSpock Regular Contributor

    Joined:
    May 19, 2015
    Messages:
    158
    Location:
    Belgium
    ==> probably a mistake of mine, I have changed it but the result is the same, once connected I cannot access 192.168.1.1 ..... but indeed, I noticed some differences when doing nslookup 192.168.1.1, the output is now different. So the issue might be linked to DNS .... for the rest of your suggestion, I guess I need some time to understand it.

    My first objective is to have the TCP running like the UDP one ....

    Thanks,
    GS

    PS: this is the result of the nslookup on the client side with TCP:
    C:\Users\me>nslookup 192.168.1.1
    DNS request timed out.
    timeout was 2 seconds.
    Serveur : UnKnown
    Address: 192.168.1.1

    and this is the result when connected via UDP:
    C:\Users\me>nslookup 192.168.1.1
    Serveur : router.asus.com
    Address: 192.168.1.1

    Nom : router.asus.com
    Address: 192.168.1.1
     
    Last edited: Nov 14, 2019
  4. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,420
    Location:
    Manchester, United Kingdom
    Are you running pixelserv-tls? If so, you need to use elorimer's solution as set out in Para 6 of his OpenVPN Server Setup in his notes at:

    https://www.snbforums.com/threads/vpn-instructions-for-a-newbie.59478/#post-523302

    use the "local <ddns name>" command in the custom configuration box. It works a treat.
     
  5. GSpock

    GSpock Regular Contributor

    Joined:
    May 19, 2015
    Messages:
    158
    Location:
    Belgium
    Hi, no, I am running pixelserv-tls .... BTW, no idea what this is .... :eek:

    I do not understand what the meaning of <ddns name> is, although I can see where the custom config box is ....:oops:
     
  6. GSpock

    GSpock Regular Contributor

    Joined:
    May 19, 2015
    Messages:
    158
    Location:
    Belgium
    ... this is very weird:
    when the 2 OpenVPN Servers are running, the "TCP" one cannot reach any local address BUT when I switch off the UDP one, the TCP works OK ... :eek::eek::eek: then I switch on the UDP and then this one cannot reach any local address ... losing my ....
     
    Last edited: Nov 14, 2019
  7. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,420
    Location:
    Manchester, United Kingdom
    pixelserv-tls is used when running Diversion. Pixelserv-tls also uses Port 443, and that's where you get a conflict unless you follow elorimer's advice. So in my custom config box I have:


    local martinr.asuscomm.com

    #this config allows port 443 to listen externally for OpenVPN connections without interfering with pixelserv-tls listening internally on port 443


    Note: DDNS name changed to protect the innocent, and I’m no longer using asuscomm.com. Also the # comments out the explanation so that I don’t delete that “local” command through ignorance in a year’s time when my (human) memory’s gone a bit rusty.
     
    Centrifuge likes this.
  8. miroco

    miroco Regular Contributor

    Joined:
    Mar 12, 2014
    Messages:
    120
    I should've noticed this before, but it seems as if you are using the same network address for both servers, 10.8.0.0. Change one of them to 10.9.0.0 for instance and see what happens.
     
    elorimer likes this.
  9. GSpock

    GSpock Regular Contributor

    Joined:
    May 19, 2015
    Messages:
    158
    Location:
    Belgium
    Wonderful! Many thanks, indeed that was the issue. Both are now running fine accessing all local addresses .... I should of course have seen this far before you, so again many thanks for pointing me in the right direction!
    GS
     
  10. elorimer

    elorimer Very Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    1,093
    While you are at it, you have two different compression types specified. You should consider changing both to "Disabled". It is a security vulnerability and compression may not do much for you. If you do, though, you will need to export new clients.
     
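    The two configuration problems raised in this thread (both server instances on the same tunnel subnet in miroco's post, and compression left enabled in elorimer's) are easy to miss by eye when comparing two GUI pages. The following script is an added example, not Asuswrt-Merlin or OpenVPN project code: it parses OpenVPN-style server config text and flags overlapping `server` subnets and any active `comp-lzo` / `compress` directive. The two sample configs are constructed to mirror what the thread describes (UDP on 11941 and TCP on 443, both on 10.8.0.0/24, with two different compression settings); the directive names used are standard OpenVPN directives, but the exact text Merlin writes to its generated config files is not taken from this page.

```python
"""Check a set of OpenVPN server configs for two problems from this thread:
overlapping tunnel subnets between instances, and compression left enabled.

Added example; not Asuswrt-Merlin or OpenVPN project code. The sample
configs below are constructed to match the thread's description.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two instances as described before the fix.
SERVER1_CONF = """\
proto udp
port 11941
server 10.8.0.0 255.255.255.0
comp-lzo adaptive
"""

SERVER2_CONF = """\
proto tcp-server
port 443
server 10.8.0.0 255.255.255.0   # same subnet as instance 1: the bug
compress lz4
"""

# Constructed sample: instance 2 after moving it to 10.16.0.0 and dropping compression.
SERVER2_FIXED_CONF = """\
proto tcp-server
port 443
server 10.16.0.0 255.255.255.0
"""


@dataclass
class ServerConfig:
    name: str
    proto: str = ""
    port: int = 0
    subnet: Optional[ipaddress.IPv4Network] = None
    compression: str = ""  # empty when no compression is active


def parse_server_config(name: str, text: str) -> ServerConfig:
    """Extract the directives this check cares about from OpenVPN config text."""
    cfg = ServerConfig(name=name)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        directive, *args = line.split()
        if directive == "proto" and args:
            cfg.proto = args[0]
        elif directive == "port" and args:
            cfg.port = int(args[0])
        elif directive == "server" and len(args) >= 2:
            # "server <network> <netmask>" defines the tunnel subnet
            cfg.subnet = ipaddress.IPv4Network(f"{args[0]}/{args[1]}", strict=False)
        elif directive == "comp-lzo":
            # bare "comp-lzo" means adaptive; only "comp-lzo no" disables it
            mode = args[0] if args else "adaptive"
            if mode != "no":
                cfg.compression = f"comp-lzo {mode}"
        elif directive == "compress":
            # "compress" with no algorithm, or "stub"/"stub-v2", only enables framing
            if args and args[0] not in ("stub", "stub-v2"):
                cfg.compression = f"compress {args[0]}"
    return cfg


def find_issues(configs: List[ServerConfig]) -> List[str]:
    """Return one message per problem found across the given server instances."""
    issues = []
    # Two instances whose tunnel subnets overlap cannot both route to the LAN correctly.
    for i, a in enumerate(configs):
        for b in configs[i + 1:]:
            if a.subnet and b.subnet and a.subnet.overlaps(b.subnet):
                issues.append(f"subnet-overlap: {a.name} and {b.name} both use {a.subnet}")
    # Any active compression directive is reported so it can be turned off.
    for c in configs:
        if c.compression:
            issues.append(f"compression-enabled: {c.name} ({c.compression})")
    return issues


def check_thread_configs(fixed: bool = False) -> List[str]:
    """Run the check on the constructed 'before' or 'after' pair of configs."""
    second = SERVER2_FIXED_CONF if fixed else SERVER2_CONF
    return find_issues([parse_server_config("server1", SERVER1_CONF),
                        parse_server_config("server2", second)])


if __name__ == "__main__":
    for line in check_thread_configs():
        print("before:", line)
    for line in check_thread_configs(fixed=True):
        print("after: ", line)
```

    Run it as-is to see the overlap and both compression findings for the "before" pair; the "after" pair reports only the compression still present on instance 1. To use it on real files, read each instance's config text and pass the results of `parse_server_config` to `find_issues`.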
  11. elorimer

    elorimer Very Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    1,093
    I'm surprised that both servers would start running if you moved them off the defaults. But thanks, I've edited my notes for this.
     
    martinr likes this.
  12. GSpock

    GSpock Regular Contributor

    Joined:
    May 19, 2015
    Messages:
    158
    Location:
    Belgium
    OK - thanks, I have done that. BTW side question: do I also need to change the OpenVPN app on my android with regards to the tunnel compression option (set to full)?
    Rgds,
    GS
    (BTW I simply removed the compression line in the ovpn file, no need to regenerate)
     
  13. GSpock

    GSpock Regular Contributor

    Joined:
    May 19, 2015
    Messages:
    158
    Location:
    Belgium
    not sure I see what you mean by "moving them off the defaults" ...
     
  14. elorimer

    elorimer Very Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    1,093
    Server instance 1 is usually 10.8.0.0 (as you had it) and server instance 2 is usually 10.16.0.0 (but yours was 10.8.0.0).
     
  15. GSpock

    GSpock Regular Contributor

    Joined:
    May 19, 2015
    Messages:
    158
    Location:
    Belgium
    OK then, got it. Indeed, both were on 10.8.0.0 by default ....
    thx,
    GS
     
  16. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,981
    Location:
    UK
    As @elorimer said, "by default" server #2 is set to 10.16.0.0. So you must have changed it at some point to the non-default value.
     
  17. GSpock

    GSpock Regular Contributor

    Joined:
    May 19, 2015
    Messages:
    158
    Location:
    Belgium
    ... I know sometimes I am missing a few points and that my knowledge is somehow quite limited (probably due to my age ... ;-) ), but here I am 100% affirmative: I did not change this. Anyway, thanks for your help.
    Rgds,
    GS
     
  18. elorimer

    elorimer Very Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    1,093
    Okay, for giggles I changed my #2 to 10.8.0.0 and it failed to start: the up script failed with a fatal error creating the route. I changed it back and it started.

    So, I don't see how both servers could have been running at the same time.
     
    Last edited: Nov 14, 2019
    martinr likes this.
  19. GSpock

    GSpock Regular Contributor

    Joined:
    May 19, 2015
    Messages:
    158
    Location:
    Belgium
    I promise you that both were running at the same time, just look at my screenshots in my initial post ; at that time both were running with the parameters as shown ....
     
  20. GSpock

    GSpock Regular Contributor

    Joined:
    May 19, 2015
    Messages:
    158
    Location:
    Belgium
    Last edited: Nov 14, 2019