OpenVPN server issue when using TCP on port 443

GSpock

Hi all,
I am running Merlin 384.13_1 on my RT-AC87U.
I have created 2 OpenVPN servers, one UDP on port 11941 and another one TCP on 443 (this second is needed because the UDP does not work from a specific location).

I can connect and access my router (192.168.1.1) with the "UDP" one but not when connected with the "TCP" one.
Basically, they have the same detail config. Any idea where to look? I think I made the same test with TCP some months ago before upgrading to 384.13_1 and it was working ....

Thanks,
GS
 

Attachments

  • Screenshot_2019-11-14 ASUS Wireless Router RT-AC87U - VPN Server.png
  • Screenshot_2019-11-14 ASUS Wireless Router RT-AC87U - VPN Server(1).png
The immediate difference I can see is that the server using UDP has "Advertise DNS to clients" enabled. The TCP counterpart does not.

==> probably a mistake of mine, I have changed it but the result is the same, once connected I cannot access 192.168.1.1 ..... but indeed, I noticed some differences when doing nslookup 192.168.1.1, the output is now different. So the issue might be linked to DNS .... for the rest of your suggestion, I guess I need some time to understand it.

My first objective is to have the TCP running like the UDP one ....

Thanks,
GS

PS: this is the result of the nslookup on the client side with TCP:
C:\Users\me>nslookup 192.168.1.1
DNS request timed out.
timeout was 2 seconds.
Serveur : UnKnown
Address: 192.168.1.1

and this is the result when connected via UDP:
C:\Users\me>nslookup 192.168.1.1
Serveur : router.asus.com
Address: 192.168.1.1

Nom : router.asus.com
Address: 192.168.1.1
 
Are you running pixelserv-tls? If so, you need to use elorimer’s solution as set out in Para 6 of his OpenVPN Server Setup in his notes at:

https://www.snbforums.com/threads/vpn-instructions-for-a-newbie.59478/#post-523302

“use the "local <ddns name>" command in the custom configuration box”. It works a treat.
 
Hi, no, I am not running pixelserv-tls .... BTW, no idea what this is .... :eek:

I do not understand what is the meaning of <ddns name > although I can see where the custom config box is ....:oops:
 
... this is very weird:
when the 2 OpenVPN servers are running, the "TCP" one cannot reach any local address BUT when I switch off the UDP one, the TCP works OK ... :eek::eek::eek: then I switch on the UDP and then this one cannot reach any local address ... losing my ....
 
Hi, no, I am running pixelserv-tls .... BTW, no idea what this is .... :eek:

I do not understand what is the meaning of <ddns name > although I can see where the custom config box is ....:oops:

pixelserv-tls is used when running Diversion. Pixelserv-tls also uses Port 443, and that’s where you get a conflict unless you follow elorimer’s advice. So in my custom config box I have:


local martinr.asuscomm.com

#this config allows port 443 to listen externally for OpenVPN connections without interfering with pixelserv-tls listening internally on port 443


Note: DDNS name changed to protect the innocent, and I’m no longer using asuscomm.com. Also the # comments out the explanation so that I don’t delete that “local” command through ignorance in a year’s time when my (human) memory’s gone a bit rusty.
 
I should've noticed this before, but it seems as if you are using the same network address for both servers: 10.8.0.0. Change one of them to 10.9.0.0 for instance and see what happens.
 
Wonderful! Many thanks, indeed that was the issue. Both are now running fine accessing all local addresses .... I should of course have seen this far before you, so again many thanks for pointing me into the right direction !
GS
 
While you are at it, you have two different compression types specified. You should consider changing both to "Disabled". It is a security vulnerability and compression may not do much for you. If you do, though, you will need to export new clients.
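
Added example, not part of any post in this thread: a small Python audit of the two points raised above, that two server instances must not share a tunnel subnet and that compression should be off. The sample configs are constructed; `server`, `comp-lzo` and `compress` are standard OpenVPN directives, and the function names are this example's own.

```python
import ipaddress
from itertools import combinations

# Constructed sample configs; not copied from the thread's screenshots.
SERVER1 = "proto udp\nport 11941\nserver 10.8.0.0 255.255.255.0\ncomp-lzo adaptive\n"
SERVER2 = "proto tcp-server\nport 443\nserver 10.8.0.0 255.255.255.0\ncompress lz4\n"

def parse(text):
    """Map each directive to its argument list, ignoring # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            cfg[key] = args
    return cfg

def tunnel_net(cfg):
    """Tunnel subnet from 'server <network> <netmask>'."""
    net, mask = cfg["server"][:2]
    return ipaddress.ip_network(f"{net}/{mask}")

def compression_on(cfg):
    """True if comp-lzo (other than 'no') or compress <algorithm> is set."""
    lzo = "comp-lzo" in cfg and cfg["comp-lzo"] != ["no"]
    algo = cfg.get("compress", [])
    return lzo or (bool(algo) and algo[0] in {"lzo", "lz4", "lz4-v2"})

def audit(configs):
    """configs: {name: config text}. Returns a list of findings."""
    parsed = {name: parse(text) for name, text in configs.items()}
    findings = []
    # Instances with overlapping tunnel subnets compete for the same route,
    # which matches the symptom reported in this thread.
    for (a, ca), (b, cb) in combinations(parsed.items(), 2):
        na, nb = tunnel_net(ca), tunnel_net(cb)
        if na.overlaps(nb):
            findings.append(f"{a} and {b}: tunnel subnets {na} and {nb} overlap")
    for name, cfg in parsed.items():
        if compression_on(cfg):
            findings.append(f"{name}: compression enabled")
    return findings

if __name__ == "__main__":
    for finding in audit({"server1": SERVER1, "server2": SERVER2}):
        print(finding)
```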
 
I'm surprised that both servers would start running if you moved them off the defaults. But thanks, I've edited my notes for this.
 
OK - thanks, I have done that. BTW side question: do I need also to change the OpenVPN app on my android with regards to tunnel compression option (set to full) ?
Rgds,
GS
(BTW I simply removed the compression line in the ovpn file, no need to regenerate)
 
not sure I see what you mean by "moving them off the defaults" ...
 
Server instance 1 is usually 10.8.0.0 (as you had it) and server instance 2 is usually 10.16.0.0 (but yours was 10.8.0.0).
 
OK then, got it. Indeed, both were on 10.8.0.0 by default ....
thx,
GS
 
As @elorimer said, "by default" server #2 is set to 10.16.0.0. So you must have changed it at some point to the non-default value.

... I know sometimes I am missing a few points and that my knowledge is somehow quite limited (probably due to my age ... ;-) ), but here I am 100% affirmative: I did not change this. Anyway, thanks for your help.
Rgds,
GS
 
Okay, for giggles I changed my #2 to 10.8.0.0 and it failed to start: the up script failed with a fatal error creating the route. I changed it back and it started.

So, I don't see how both servers could have been running at the same time.
 
Okay, for giggles I changed my #2 to 10.8.0.0 and it failed to start: the up script failed with a fatal error creating the root. I changed it back and it started.

So, I don't see how both servers could have been running at the same time.

I promise you that both were running at the same time, just look at my screenshots in my initial post; at that time both were running with the parameters as shown ....
 
... look at these !
 

Attachments

  • Screenshot_2019-11-14 ASUS Wireless Router RT-AC87U - VPN Status.png
  • Screenshot_2019-11-14 ASUS Wireless Router RT-AC87U - VPN Server(2).png
  • Screenshot_2019-11-14 ASUS Wireless Router RT-AC87U - VPN Server(3).png