OpenVPN UDP/TCP single client config

  • Hoping someone can help me out.  Want the OpenVPN remote users to use UDP 1194 when available and when on restricted networks, fall back to TCP 443.  On the client this seems easy enough and it does try the TCP when UDP is blocked:

    Added connection tags to the config (IPs sanitized):
    <connection>remote 1194 udp</connection>
    <connection>remote 443 tcp</connection>

    I set up 2 different OpenVPN servers.  One on each port, using the same cert and using a different /25 network for each (this made it a /24 for routing purposes).  The UDP works fine, the TCP does not give out an IP address.

    Client side:
    Mon Dec 23 11:05:42 2013 OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
    Mon Dec 23 11:05:52 2013 Control Channel Authentication: using 'fw1-udp-1194-tls.key' as a OpenVPN static key file
    Mon Dec 23 11:05:52 2013 Attempting to establish TCP connection with [AF_INET]
    Mon Dec 23 11:05:52 2013 TCP connection established with [AF_INET]
    Mon Dec 23 11:05:52 2013 TCPv4_CLIENT link local: [undef]
    Mon Dec 23 11:05:52 2013 TCPv4_CLIENT link remote: [AF_INET]
    Mon Dec 23 11:05:52 2013 Connection reset, restarting [0]

    Server side:
    Dec 23 11:05:49 openvpn[94364]: Fatal TLS error (check_tls_errors_co), restarting
    Dec 23 11:05:49 openvpn[94364]: TLS Error: incoming packet authentication failed from [AF_INET]
    Dec 23 11:05:49 openvpn[94364]: Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 23 11:05:49 openvpn[94364]: TCP connection established with [AF_INET]

    What am I missing here?


  • If I remember correctly there are some parts which check the server you are connecting to.
    Further there will be a "TLS key" generated automatically when setting up an OpenVPN server. If you go into this server config from the GUI you can see the TLS key which was generated.

    Make sure that this key is the same on both servers because the client has this key, too, and needs this to be correct to connect.

    When you say "using the same cert" do you mean both servers use the same CA or the same server cert? If I remember correctly the server certificate can only be used one time so you probably mean same CA but different server certs. This should be correct.

    And when you use the Client Export utility - there are some settings how the server should be verified. I don't know which you should use but perhaps you have to use a different setting than the default.

    And you could set "debug 9" in your OpenVPN client config and then start the connection again. This could give you more output about what really goes wrong.

  • Both the CA and server certificate are the same on both servers.  I don't see a reason why they can't both use the same cert…

    I haven't played with any different settings on the client export, the only one that would matter would be using Microsoft cert storage which I would rather not deal with.  I don't see how to do TLS-Auth with connection blocks if they couldn't use the same cert.

    Here is the client config (UDP connects fine):
    dev tun
    cipher AES-256-CBC
    auth SHA1
    resolv-retry infinite
    <connection>remote 443 tcp</connection>
    <connection>remote 1194 udp</connection>
    lport 0
    ca fw1-udp-1194-ca.crt
    tls-auth fw1-udp-1194-tls.key 1
    ns-cert-type server

  • Rebel Alliance Developer Netgate

    No need for the "<connection>…</connection>" bit that I've seen, just having the remote lines is usually OK.

    So long as everything (TLS key, CA, etc) is the same except for the tunnel network it should be OK.

    The error you posted makes it look like the actual TLS key is different between the two, just copy/paste the TLS key in the box on the page from the UDP server to the one on the TCP server and it should work.

  • Damn… that was it.  Forgot to copy the TLS key from one to the other.  Works like a champ!

    You are correct the connection tags are not necessary, they do come in handy if you need to set a proxy for just one of the remote entries though.  So I leave them there.

    Thanks jimp!
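
The "packet HMAC authentication failed" error in this thread came from the TCP server still holding its own auto-generated TLS key. As an added example (not code from the thread, pfSense or OpenVPN), this Python script compares two tls-auth key blocks by fingerprint so a mismatch can be confirmed without displaying the key. The function names and sample keys are constructed, and the 256-byte length check assumes the usual 2048-bit static key.

```python
import hashlib
import hmac
import re

# Markers of the static key block OpenVPN uses for tls-auth keys.
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256  # assumption: the usual 2048-bit static key


def extract_static_key(text):
    """Return the raw key bytes from a key file or a pasted key block."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    if m is None:
        raise ValueError("no OpenVPN static key block found")
    # Drop line breaks and indentation, then decode the hex body.
    key = bytes.fromhex(re.sub(r"\s+", "", m.group(1)))
    if len(key) != KEY_BYTES:
        raise ValueError(f"expected {KEY_BYTES} key bytes, got {len(key)}")
    return key


def key_fingerprint(text):
    """SHA-256 of the key bytes, for comparing without showing the key."""
    return hashlib.sha256(extract_static_key(text)).hexdigest()


def same_tls_key(a_text, b_text):
    """True when both blocks hold the same key, ignoring layout differences."""
    return hmac.compare_digest(key_fingerprint(a_text), key_fingerprint(b_text))


def render_key(seed):
    """Build a constructed sample key block from a seed (not a real key)."""
    hexed = (hashlib.sha256(seed).digest() * 8).hex()  # 32 * 8 = 256 bytes
    lines = [hexed[i:i + 32] for i in range(0, len(hexed), 32)]
    header = ["#", "# 2048 bit OpenVPN static key", "#", BEGIN]
    return "\n".join(header + lines + [END]) + "\n"


if __name__ == "__main__":
    udp_key = render_key(b"constructed udp server key")
    tcp_key = render_key(b"constructed tcp server key")  # generated separately
    print("before copying the key:", same_tls_key(udp_key, tcp_key))
    pasted = udp_key.replace("\n", "\r\n")  # same key pasted through a web form
    print("after copying the key: ", same_tls_key(udp_key, pasted))
```
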