TCP Port 443 Transport error TCP_SIZE_ERROR

Post by matt3226 » Wed May 17, 2017 5:07 pm

Server Config:

dev tun
proto tcp
port 443
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh4096.pem
topology subnet
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OPenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.1.0 255.255.255.0"
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
#crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
log /var/log/openvpn.log
verb 4
# Generated for use by PiVPN.io

Client Config:

client
dev tun
proto tcp
remote no-ip domain name 443
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server name
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 1
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-auth>
</tls-auth>

cat of openvpn log:

pi@raspberrypi:~ $ cat /var/log/openvpn.log
Wed May 17 16:58:30 2017 us=775313 MULTI: multi_create_instance called
Wed May 17 16:58:30 2017 us=775638 Re-using SSL/TLS context
Wed May 17 16:58:30 2017 us=775716 LZO compression initialized
Wed May 17 16:58:30 2017 us=776103 Control Channel MTU parms [ L:1572 D:180 EF:80 EB:0 ET:0 EL:0 ]
Wed May 17 16:58:30 2017 us=776209 Data Channel MTU parms [ L:1572 D:1450 EF:72 EB:135 ET:0 EL:0 AF:3/1 ]
Wed May 17 16:58:30 2017 us=776397 Local Options String: 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Wed May 17 16:58:30 2017 us=776456 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Wed May 17 16:58:30 2017 us=776569 Local Options hash (VER=V4): '165db97f'
Wed May 17 16:58:30 2017 us=776668 Expected Remote Options hash (VER=V4): '504bba81'
Wed May 17 16:58:30 2017 us=776969 TCP connection established with [AF_INET]192.168.1.152:38901
Wed May 17 16:58:30 2017 us=777038 TCPv4_SERVER link local: [undef]
Wed May 17 16:58:30 2017 us=777107 TCPv4_SERVER link remote: [AF_INET]192.168.1.152:38901
Wed May 17 16:58:30 2017 us=777418 192.168.1.152:38901 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Wed May 17 16:58:30 2017 us=777482 192.168.1.152:38901 Connection reset, restarting [0]
Wed May 17 16:58:30 2017 us=777542 192.168.1.152:38901 SIGUSR1[soft,connection-reset] received, client-instance restarting
Wed May 17 16:58:30 2017 us=777725 TCP/UDP: Closing socket
Wed May 17 16:58:30 2017 us=785237 MULTI: multi_create_instance called
Wed May 17 16:58:30 2017 us=785448 Re-using SSL/TLS context
Wed May 17 16:58:30 2017 us=785520 LZO compression initialized
Wed May 17 16:58:30 2017 us=785869 Control Channel MTU parms [ L:1572 D:180 EF:80 EB:0 ET:0 EL:0 ]
Wed May 17 16:58:30 2017 us=785973 Data Channel MTU parms [ L:1572 D:1450 EF:72 EB:135 ET:0 EL:0 AF:3/1 ]
Wed May 17 16:58:30 2017 us=786155 Local Options String: 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Wed May 17 16:58:30 2017 us=786214 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Wed May 17 16:58:30 2017 us=786323 Local Options hash (VER=V4): '165db97f'
Wed May 17 16:58:30 2017 us=786423 Expected Remote Options hash (VER=V4): '504bba81'
Wed May 17 16:58:30 2017 us=786539 TCP connection established with [AF_INET]192.168.1.152:38902
Wed May 17 16:58:30 2017 us=786604 TCPv4_SERVER link local: [undef]
Wed May 17 16:58:30 2017 us=786672 TCPv4_SERVER link remote: [AF_INET]192.168.1.152:38902
Wed May 17 16:58:30 2017 us=787319 192.168.1.152:38902 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Wed May 17 16:58:30 2017 us=787441 192.168.1.152:38902 Connection reset, restarting [0]
Wed May 17 16:58:30 2017 us=787502 192.168.1.152:38902 SIGUSR1[soft,connection-reset] received, client-instance restarting
Wed May 17 16:58:30 2017 us=787687 TCP/UDP: Closing socket
Wed May 17 16:58:30 2017 us=797339 MULTI: multi_create_instance called
Wed May 17 16:58:30 2017 us=797541 Re-using SSL/TLS context
Wed May 17 16:58:30 2017 us=797613 LZO compression initialized
Wed May 17 16:58:30 2017 us=797963 Control Channel MTU parms [ L:1572 D:180 EF:80 EB:0 ET:0 EL:0 ]
Wed May 17 16:58:30 2017 us=798084 Data Channel MTU parms [ L:1572 D:1450 EF:72 EB:135 ET:0 EL:0 AF:3/1 ]
Wed May 17 16:58:30 2017 us=798286 Local Options String: 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Wed May 17 16:58:30 2017 us=798346 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Wed May 17 16:58:30 2017 us=798457 Local Options hash (VER=V4): '165db97f'
Wed May 17 16:58:30 2017 us=798557 Expected Remote Options hash (VER=V4): '504bba81'
Wed May 17 16:58:30 2017 us=798675 TCP connection established with [AF_INET]192.168.1.152:38903
Wed May 17 16:58:30 2017 us=798738 TCPv4_SERVER link local: [undef]
Wed May 17 16:58:30 2017 us=798805 TCPv4_SERVER link remote: [AF_INET]192.168.1.152:38903
Wed May 17 16:58:30 2017 us=799496 192.168.1.152:38903 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Wed May 17 16:58:30 2017 us=799564 192.168.1.152:38903 Connection reset, restarting [0]
Wed May 17 16:58:30 2017 us=799623 192.168.1.152:38903 SIGUSR1[soft,connection-reset] received, client-instance restarting
Wed May 17 16:58:30 2017 us=799803 TCP/UDP: Closing socket


Running OpenVPN on a Raspberry Pi, installed using the PiVPN automated installer.

On connecting from my Android using OpenVPN Connect I get the error TCP_SIZE_ERROR.

I think this is causing the problem:
Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers

The connection then resets and closes...


How should I resolve this problem?
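
A triage aid for the warning in the log above, added here and not part of the original post: over TCP, OpenVPN prefixes every packet with a 16-bit big-endian length, so the rejected value is simply the first two bytes the peer sent. The function names, the classification labels and the second and third sample lines are constructed for illustration, and the classification is a heuristic.

```python
import re
import struct

# Constructed sample: line 1 is abridged from the log above, lines 2-3 are invented.
SAMPLE_LOG = """\
Wed May 17 16:58:30 2017 us=777418 192.168.1.152:38901 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572
Wed May 17 17:02:11 2017 us=120001 203.0.113.7:51544 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1572
Wed May 17 17:03:42 2017 us=450019 203.0.113.9:40022 WARNING: Bad encapsulated packet length from peer (21331), which must be > 0 and <= 1572
"""

BAD_LEN = re.compile(
    r"(\S+:\d+) WARNING: Bad encapsulated packet length from peer \((\d+)\)"
)

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}  # CCS, alert, handshake, app data
HTTP_PREFIXES = {b"GE", b"PO", b"HE", b"PU", b"OP", b"CO"}  # GET, POST, HEAD, ...


def classify(length):
    """Heuristic guess at what the peer sent, from the bogus length value."""
    raw = struct.pack("!H", length)  # the two bytes read as the length prefix
    if raw[0] in TLS_CONTENT_TYPES and raw[1] == 0x03:
        return "tls-record"  # content type followed by version major byte 3
    if raw in HTTP_PREFIXES:
        return "http-request"
    if raw == b"SS":  # start of an "SSH-2.0-..." identification string
        return "ssh-banner"
    return "unknown"  # compare MTU and framing options on both peers


def triage(log_text):
    """Return (peer, length, first_two_bytes_hex, guess) per warning line."""
    rows = []
    for line in log_text.splitlines():
        m = BAD_LEN.search(line)
        if not m:
            continue
        length = int(m.group(2))
        if not 0 <= length <= 0xFFFF:  # cannot come from a 16-bit prefix
            continue
        rows.append((m.group(1), length, f"{length:04x}", classify(length)))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

For the value in this thread, 5635 is 0x16 0x03, the first two bytes of a TLS handshake record, which is consistent with a peer speaking TLS to port 443 rather than the OpenVPN protocol.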
