Netgate Discussion Forum

OpenVPN UDP/TCP single client config

5 Posts 3 Posters 10.0k Views
  • rwalker (last edited Dec 23, 2013, 5:09 PM)

    Hoping someone can help me out. I want the OpenVPN remote users to use UDP 1194 when available and, when on restricted networks, fall back to TCP 443. On the client this seems easy enough, and it does try TCP when UDP is blocked:

    Added connection tags to the config (IPs sanitized; each tag sits on its own line, as OpenVPN requires for inline blocks):
    <connection>
    remote 10.1.1.1 1194 udp
    </connection>
    <connection>
    remote 10.1.1.1 443 tcp
    </connection>

    I set up 2 different OpenVPN servers, one on each port, using the same cert and a different /25 network for each (this made it a /24 for routing purposes). The UDP works fine; the TCP does not give out an IP address.

    Client side:
    Mon Dec 23 11:05:42 2013 OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
    Mon Dec 23 11:05:52 2013 Control Channel Authentication: using 'fw1-udp-1194-tls.key' as a OpenVPN static key file
    Mon Dec 23 11:05:52 2013 Attempting to establish TCP connection with [AF_INET]12.1.1.1:443
    Mon Dec 23 11:05:52 2013 TCP connection established with [AF_INET]12.1.1.1:443
    Mon Dec 23 11:05:52 2013 TCPv4_CLIENT link local: [undef]
    Mon Dec 23 11:05:52 2013 TCPv4_CLIENT link remote: [AF_INET]12.1.1.1:443
    Mon Dec 23 11:05:52 2013 Connection reset, restarting [0]

    Server side:
    Dec 23 11:05:49 openvpn[94364]: 172.56.6.21:44336 Fatal TLS error (check_tls_errors_co), restarting
    Dec 23 11:05:49 openvpn[94364]: 172.56.6.21:44336 TLS Error: incoming packet authentication failed from [AF_INET]172.56.6.21:44336
    Dec 23 11:05:49 openvpn[94364]: 172.56.6.21:44336 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Dec 23 11:05:49 openvpn[94364]: TCP connection established with [AF_INET]172.56.6.21:44336

    What am I missing here?

    Thanks,
    Roy

    • Nachtfalke (last edited Dec 23, 2013, 7:20 PM)

      If I remember correctly, there are some parts which check the server you are connecting to.
      Further, there will be a "TLS key" generated automatically when setting up an OpenVPN server. If you go into this server config from the GUI you can see the TLS key which was generated.

      Make sure that this key is the same on both servers because the client has this key, too, and needs this to be correct to connect.

      When you say "using the same cert", do you mean both servers use the same CA or the same server cert? If I remember correctly the server certificate can only be used one time, so you probably mean same CA but different server certs. This should be correct.

      And when you use the Client Export utility, there are some settings for how the server should be verified. I don't know which you should use, but perhaps you have to use a different setting than the default.

      And you could set "debug 9" in your OpenVPN client config and then start the connection again. This could give you more output on what really goes wrong.

      • rwalker (last edited Dec 23, 2013, 10:38 PM)

        Both the CA and server certificate are the same on both servers. I don't see a reason why they can't both use the same cert…

        I haven't played with any different settings on the client export; the only one that would matter would be using Microsoft cert storage, which I would rather not deal with. I don't see how to do TLS-Auth with connection blocks if they couldn't use the same cert.

        Here is the client config (UDP connects fine):
        dev tun
        persist-tun
        persist-key
        cipher AES-256-CBC
        auth SHA1
        tls-client
        client
        resolv-retry infinite
        <connection>
        remote 12.1.1.1 443 tcp
        </connection>
        <connection>
        remote 12.1.1.1 1194 udp
        </connection>
        lport 0
        auth-user-pass
        ca fw1-udp-1194-ca.crt
        tls-auth fw1-udp-1194-tls.key 1
        ns-cert-type server

        • jimp (Rebel Alliance, Developer, Netgate; last edited Dec 24, 2013, 2:05 PM)

          No need for the "<connection>…</connection>" bit that I've seen; just having the remote lines is usually OK.

          So long as everything (TLS key, CA, etc) is the same except for the tunnel network it should be OK.

          The error you posted makes it look like the actual TLS key is different between the two. Just copy/paste the TLS key in the box on the page from the UDP server to the one on the TCP server and it should work.

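The two things this thread turns on, a client profile with `<connection>` blocks and two servers that must share one tls-auth key, as an added example (my Python, not code from this thread or from pfSense). The configs, key bodies and tunnel networks below are constructed placeholders, and the function names (`parse_openvpn`, `client_remotes`, `tls_auth_fingerprint`) are mine; the parser also handles bare `remote` lines with OpenVPN's port/proto defaults, which goes a little beyond the config posted above.

```python
import hashlib
import re

def parse_openvpn(text):
    """(options, blocks): options = [(name, args)], blocks = tag -> raw bodies.
    As in OpenVPN itself, a <tag> must stand alone on its own line."""
    options, blocks, tag, body = [], {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        if tag is None:
            if m := re.fullmatch(r"<([a-z-]+)>", line):
                tag = m.group(1)
            else:
                name, *args = line.split()
                options.append((name, args))
        elif line == f"</{tag}>":
            blocks.setdefault(tag, []).append("\n".join(body))
            tag, body = None, []
        else:
            body.append(line)
    if tag:
        raise ValueError(f"unterminated <{tag}> block")
    return options, blocks

def client_remotes(text):
    """(host, port, proto) per remote: <connection> blocks first, then bare
    remote lines, with OpenVPN's defaults (port 1194, udp) filled in."""
    options, blocks = parse_openvpn(text)
    found = [a for blk in blocks.get("connection", [])
             for n, a in parse_openvpn(blk)[0] if n == "remote"]
    found += [a for n, a in options if n == "remote"]
    return [(a[0], int(a[1]) if len(a) > 1 else 1194,
             a[2] if len(a) > 2 else "udp") for a in found]

def tls_auth_fingerprint(text):
    """SHA-256 of the inline <tls-auth> key's hex body, BEGIN/END lines dropped."""
    body = parse_openvpn(text)[1]["tls-auth"][0]
    hexbody = "".join(l for l in body.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(hexbody.encode()).hexdigest()

# Constructed configs modelled on the thread (not pfSense's real files): UDP/1194 and
# TCP/443 servers on two /25s; key bodies are placeholders and the TCP key differs.
CLIENT = ("client\ndev tun\n<connection>\nremote 12.1.1.1 1194 udp\n</connection>\n"
          "<connection>\nremote 12.1.1.1 443 tcp\n</connection>\n")
KEY_A = "-----BEGIN OpenVPN Static key V1-----\n0a0b0c0d\n-----END OpenVPN Static key V1-----"
SERVER_UDP = f"proto udp\nport 1194\nserver 10.8.0.0 255.255.255.128\n<tls-auth>\n{KEY_A}\n</tls-auth>\n"
SERVER_TCP = (SERVER_UDP.replace("udp\nport 1194", "tcp\nport 443")
              .replace("10.8.0.0", "10.8.0.128").replace("0a0b0c0d", "ffeeddcc"))
```

Differing fingerprints for the two servers correspond to the "packet HMAC authentication failed" lines in the server log above; after the TCP server's key is replaced with the UDP server's, the fingerprints match.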
          • rwalker (last edited Dec 30, 2013, 7:11 PM)

            Damn… that was it.  Forgot to copy the TLS key from one to the other.  Works like a champ!

            You are correct, the connection tags are not necessary; they do come in handy if you need to set a proxy for just one of the remote entries though. So I leave them there.

            Thanks jimp!

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.