OpenVPN hangs on TLS initial packet on one particular network

Gedrean
OpenVpn Newbie
Posts: 5
Joined: Sat May 27, 2017 8:20 pm

OpenVPN hangs on TLS initial packet on one particular network

Post by Gedrean » Sat May 27, 2017 8:58 pm

Where I am, there is a local WiFi network which I use for connectivity. This WiFi network is somehow configured in that it blocks UDP data going outside the network and TCP is limited to ports 80 and 443 (that I can tell). I have never found any UDP ports that are open, nor any other TCP ports. In addition, certain IP ranges are not accessible directly within this network.

For a while, I subsided with a particular OpenVPN paid provider (ProXPN), but at some point something in the network configuration changed and ProXPN stopped working. I was able to switch to PrivateInternetAccess (a different OpenVPN provider), so I assumed it was an IP block and went about my day, but PIA does not provide incoming ports and no UPnP, while ProXPN basically provided an almost dedicated IP (some services wouldn't come in but most would).

Thinking I'd like to have those ports, I did some research, decided running my own OpenVPN service would be the best answer, got a cheap VPS whose IP range was accessible from this WiFi, and went to work.

I obtained OpenVPN 2.4.2 server for ubuntu server, and client for Windows, and configured based upon This Tutorial. I modified the configuration based upon some other openvpn configs I'd found (on both ends) to make it behave similarly to the PIA OpenVPN (though recognizing they may run a custom server with special options). I will post the configuration below. Note: I'm using port 443.

If I connect using a wifi-hotspot generated by my phone (which only has a gig data per month and has VERY poor reception here), then connect to the VPN, it connects and gets an IP address. I have not tested routing past the VPN, merely connecting.

However, if I'm connected using this WiFi network, a strange behavior occurs (which I figured out was the same behavior ACTUALLY occurring with ProXPN) during the connection. It connects to the server, gets the TLS initial packet, and then (when I have set verb high enough to see what's going on) the client does TCP writes of identical size about 4-5 times then times out the connection and tries again.

When I'm on the hotspot, or any other network, even on PIA while on the WiFi then connecting to the OpenVPN (I know, double-VPN bad), it gets write, then read from server, then repeats that a few times until it authenticates the TLS cert and then is on its way!

HELP!

I've removed comments from the config files unless I commented it in for some reason.

-- Server Config --

port 443
proto tcp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key
dh easy-rsa/keys/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
duplicate-cn # Will be removed once completed
keepalive 10 120
cipher AES-128-CBC   # AES
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 6
# add up and down script for uPNP
script-security 2
up /etc/openvpn/server.up
down /etc/openvpn/server.down

-- Client Config --

client
dev tun
proto tcp
remote server.address 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert mycert.crt
key mycert.key
remote-cert-tls server
cipher AES-128-CBC   # AES
comp-lzo
verb 6

-- Client Log --

Sat May 27 16:51:32 2017 us=703078 Current Parameter Settings:
Sat May 27 16:51:32 2017 us=703078   config = 'server.ovpn'
Sat May 27 16:51:32 2017 us=703078   mode = 0
Sat May 27 16:51:32 2017 us=703078   show_ciphers = DISABLED
Sat May 27 16:51:32 2017 us=703078   show_digests = DISABLED
Sat May 27 16:51:32 2017 us=703078   show_engines = DISABLED
Sat May 27 16:51:32 2017 us=703078   genkey = DISABLED
Sat May 27 16:51:32 2017 us=703078   key_pass_file = '[UNDEF]'
Sat May 27 16:51:32 2017 us=703078   show_tls_ciphers = DISABLED
Sat May 27 16:51:32 2017 us=703078   connect_retry_max = 0
Sat May 27 16:51:32 2017 us=703078 Connection profiles [0]:
Sat May 27 16:51:32 2017 us=703078   proto = tcp-client
Sat May 27 16:51:32 2017 us=714049   local = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   local_port = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   remote = 'xxx.xxx'
Sat May 27 16:51:32 2017 us=715065   remote_port = '443'
Sat May 27 16:51:32 2017 us=715065   remote_float = DISABLED
Sat May 27 16:51:32 2017 us=715065   bind_defined = DISABLED
Sat May 27 16:51:32 2017 us=715065   bind_local = DISABLED
Sat May 27 16:51:32 2017 us=715065   bind_ipv6_only = DISABLED
Sat May 27 16:51:32 2017 us=715065   connect_retry_seconds = 5
Sat May 27 16:51:32 2017 us=715065   connect_timeout = 120
Sat May 27 16:51:32 2017 us=715065   socks_proxy_server = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   socks_proxy_port = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   tun_mtu = 1500
Sat May 27 16:51:32 2017 us=715065   tun_mtu_defined = ENABLED
Sat May 27 16:51:32 2017 us=715065   link_mtu = 1500
Sat May 27 16:51:32 2017 us=715065   link_mtu_defined = DISABLED
Sat May 27 16:51:32 2017 us=715065   tun_mtu_extra = 0
Sat May 27 16:51:32 2017 us=715065   tun_mtu_extra_defined = DISABLED
Sat May 27 16:51:32 2017 us=715065   mtu_discover_type = -1
Sat May 27 16:51:32 2017 us=715065   fragment = 0
Sat May 27 16:51:32 2017 us=715065   mssfix = 1450
Sat May 27 16:51:32 2017 us=715065   explicit_exit_notification = 0
Sat May 27 16:51:32 2017 us=715065 Connection profiles END
Sat May 27 16:51:32 2017 us=715065   remote_random = DISABLED
Sat May 27 16:51:32 2017 us=715065   ipchange = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   dev = 'tun'
Sat May 27 16:51:32 2017 us=715065   dev_type = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   dev_node = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   lladdr = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   topology = 1
Sat May 27 16:51:32 2017 us=715065   ifconfig_local = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   ifconfig_remote_netmask = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   ifconfig_noexec = DISABLED
Sat May 27 16:51:32 2017 us=715065   ifconfig_nowarn = DISABLED
Sat May 27 16:51:32 2017 us=715065   ifconfig_ipv6_local = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   ifconfig_ipv6_netbits = 0
Sat May 27 16:51:32 2017 us=715065   ifconfig_ipv6_remote = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   shaper = 0
Sat May 27 16:51:32 2017 us=715065   mtu_test = 0
Sat May 27 16:51:32 2017 us=715065   mlock = DISABLED
Sat May 27 16:51:32 2017 us=715065   keepalive_ping = 0
Sat May 27 16:51:32 2017 us=715065   keepalive_timeout = 0
Sat May 27 16:51:32 2017 us=715065   inactivity_timeout = 0
Sat May 27 16:51:32 2017 us=715065   ping_send_timeout = 0
Sat May 27 16:51:32 2017 us=715065   ping_rec_timeout = 0
Sat May 27 16:51:32 2017 us=715065   ping_rec_timeout_action = 0
Sat May 27 16:51:32 2017 us=715065   ping_timer_remote = DISABLED
Sat May 27 16:51:32 2017 us=715065   remap_sigusr1 = 0
Sat May 27 16:51:32 2017 us=715065   persist_tun = ENABLED
Sat May 27 16:51:32 2017 us=715065   persist_local_ip = DISABLED
Sat May 27 16:51:32 2017 us=715065   persist_remote_ip = DISABLED
Sat May 27 16:51:32 2017 us=715065   persist_key = ENABLED
Sat May 27 16:51:32 2017 us=715065   passtos = DISABLED
Sat May 27 16:51:32 2017 us=715065   resolve_retry_seconds = 1000000000
Sat May 27 16:51:32 2017 us=715065   resolve_in_advance = DISABLED
Sat May 27 16:51:32 2017 us=715065   username = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   groupname = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   chroot_dir = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   cd_dir = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   writepid = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   up_script = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   down_script = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   down_pre = DISABLED
Sat May 27 16:51:32 2017 us=715065   up_restart = DISABLED
Sat May 27 16:51:32 2017 us=715065   up_delay = DISABLED
Sat May 27 16:51:32 2017 us=715065   daemon = DISABLED
Sat May 27 16:51:32 2017 us=715065   inetd = 0
Sat May 27 16:51:32 2017 us=715065   log = ENABLED
Sat May 27 16:51:32 2017 us=715065   suppress_timestamps = DISABLED
Sat May 27 16:51:32 2017 us=715065   machine_readable_output = DISABLED
Sat May 27 16:51:32 2017 us=715065   nice = 0
Sat May 27 16:51:32 2017 us=715065   verbosity = 6
Sat May 27 16:51:32 2017 us=715065   mute = 0
Sat May 27 16:51:32 2017 us=715065   gremlin = 0
Sat May 27 16:51:32 2017 us=715065   status_file = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   status_file_version = 1
Sat May 27 16:51:32 2017 us=715065   status_file_update_freq = 60
Sat May 27 16:51:32 2017 us=715065   occ = ENABLED
Sat May 27 16:51:32 2017 us=715065   rcvbuf = 0
Sat May 27 16:51:32 2017 us=715065   sndbuf = 0
Sat May 27 16:51:32 2017 us=715065   sockflags = 0
Sat May 27 16:51:32 2017 us=715065   fast_io = DISABLED
Sat May 27 16:51:32 2017 us=715065   comp.alg = 2
Sat May 27 16:51:32 2017 us=715065   comp.flags = 1
Sat May 27 16:51:32 2017 us=715065   route_script = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   route_default_gateway = '[UNDEF]'
Sat May 27 16:51:32 2017 us=715065   route_default_metric = 0
Sat May 27 16:51:32 2017 us=715065   route_noexec = DISABLED
Sat May 27 16:51:32 2017 us=715065   route_delay = 5
Sat May 27 16:51:32 2017 us=716088   route_delay_window = 30
Sat May 27 16:51:32 2017 us=716088   route_delay_defined = ENABLED
Sat May 27 16:51:32 2017 us=716088   route_nopull = DISABLED
Sat May 27 16:51:32 2017 us=716088   route_gateway_via_dhcp = DISABLED
Sat May 27 16:51:32 2017 us=716088   allow_pull_fqdn = DISABLED
Sat May 27 16:51:32 2017 us=716088   management_addr = '127.0.0.1'
Sat May 27 16:51:32 2017 us=716088   management_port = '25342'
Sat May 27 16:51:32 2017 us=716088   management_user_pass = 'stdin'
Sat May 27 16:51:32 2017 us=716088   management_log_history_cache = 250
Sat May 27 16:51:32 2017 us=716088   management_echo_buffer_size = 100
Sat May 27 16:51:32 2017 us=716088   management_write_peer_info_file = '[UNDEF]'
Sat May 27 16:51:32 2017 us=716088   management_client_user = '[UNDEF]'
Sat May 27 16:51:32 2017 us=716088   management_client_group = '[UNDEF]'
Sat May 27 16:51:32 2017 us=716088   management_flags = 6
Sat May 27 16:51:32 2017 us=716088   shared_secret_file = '[UNDEF]'
Sat May 27 16:51:32 2017 us=716088   key_direction = 0
Sat May 27 16:51:32 2017 us=716088   ciphername = 'AES-128-CBC'
Sat May 27 16:51:32 2017 us=716088   ncp_enabled = ENABLED
Sat May 27 16:51:32 2017 us=716088   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Sat May 27 16:51:32 2017 us=716088   authname = 'SHA1'
Sat May 27 16:51:32 2017 us=716088   prng_hash = 'SHA1'
Sat May 27 16:51:32 2017 us=716088   prng_nonce_secret_len = 16
Sat May 27 16:51:32 2017 us=716088   keysize = 0
Sat May 27 16:51:32 2017 us=716088   engine = DISABLED
Sat May 27 16:51:32 2017 us=716088   replay = ENABLED
Sat May 27 16:51:32 2017 us=716088   mute_replay_warnings = DISABLED
Sat May 27 16:51:32 2017 us=716088   replay_window = 64
Sat May 27 16:51:32 2017 us=716088   replay_time = 15
Sat May 27 16:51:32 2017 us=716088   packet_id_file = '[UNDEF]'
Sat May 27 16:51:32 2017 us=716088   use_iv = ENABLED
Sat May 27 16:51:32 2017 us=716088   test_crypto = DISABLED
Sat May 27 16:51:32 2017 us=716088   tls_server = DISABLED
Sat May 27 16:51:32 2017 us=716088   tls_client = ENABLED
Sat May 27 16:51:32 2017 us=716088   key_method = 2
Sat May 27 16:51:32 2017 us=716088   ca_file = 'ca.crt'
Sat May 27 16:51:32 2017 us=716088   ca_path = '[UNDEF]'
Sat May 27 16:51:32 2017 us=716088   dh_file = '[UNDEF]'
Sat May 27 16:51:32 2017 us=716088   cert_file = 'mycert.crt'
Sat May 27 16:51:32 2017 us=716088   extra_certs_file = '[UNDEF]'
Sat May 27 16:51:32 2017 us=716088   priv_key_file = 'mycert.key'
Sat May 27 16:51:32 2017 us=716088   pkcs12_file = '[UNDEF]'
Sat May 27 16:51:32 2017 us=716088   cryptoapi_cert = '[UNDEF]'
Sat May 27 16:51:32 2017 us=716088   cipher_list = '[UNDEF]'
Sat May 27 16:51:32 2017 us=716088   tls_verify = '[UNDEF]'
Sat May 27 16:51:32 2017 us=716088   tls_export_cert = '[UNDEF]'
Sat May 27 16:51:32 2017 us=716088   verify_x509_type = 0
Sat May 27 16:51:32 2017 us=716088   verify_x509_name = '[UNDEF]'
Sat May 27 16:51:32 2017 us=716088   crl_file = '[UNDEF]'
Sat May 27 16:51:32 2017 us=716088   ns_cert_type = 0
Sat May 27 16:51:32 2017 us=716088   remote_cert_ku[i] = 65535
Sat May 27 16:51:32 2017 us=716088   remote_cert_ku[i] = 0
Sat May 27 16:51:32 2017 us=716088   remote_cert_ku[i] = 0
Sat May 27 16:51:32 2017 us=716088   remote_cert_ku[i] = 0
Sat May 27 16:51:32 2017 us=716088   remote_cert_ku[i] = 0
Sat May 27 16:51:32 2017 us=716088   remote_cert_ku[i] = 0
Sat May 27 16:51:32 2017 us=716088   remote_cert_ku[i] = 0
Sat May 27 16:51:32 2017 us=716088   remote_cert_ku[i] = 0
Sat May 27 16:51:32 2017 us=716088   remote_cert_ku[i] = 0
Sat May 27 16:51:32 2017 us=716088   remote_cert_ku[i] = 0
Sat May 27 16:51:32 2017 us=716088   remote_cert_ku[i] = 0
Sat May 27 16:51:32 2017 us=716088   remote_cert_ku[i] = 0
Sat May 27 16:51:32 2017 us=716088   remote_cert_ku[i] = 0
Sat May 27 16:51:32 2017 us=716088   remote_cert_ku[i] = 0
Sat May 27 16:51:32 2017 us=716088   remote_cert_ku[i] = 0
Sat May 27 16:51:32 2017 us=716088   remote_cert_ku[i] = 0
Sat May 27 16:51:32 2017 us=716088   remote_cert_eku = 'TLS Web Server Authentication'
Sat May 27 16:51:32 2017 us=716088   ssl_flags = 0
Sat May 27 16:51:32 2017 us=716088   tls_timeout = 2
Sat May 27 16:51:32 2017 us=716088   renegotiate_bytes = -1
Sat May 27 16:51:32 2017 us=716088   renegotiate_packets = 0
Sat May 27 16:51:32 2017 us=716088   renegotiate_seconds = 3600
Sat May 27 16:51:32 2017 us=716088   handshake_window = 60
Sat May 27 16:51:32 2017 us=716088   transition_window = 3600
Sat May 27 16:51:32 2017 us=716088   single_session = DISABLED
Sat May 27 16:51:32 2017 us=716088   push_peer_info = DISABLED
Sat May 27 16:51:32 2017 us=716088   tls_exit = DISABLED
Sat May 27 16:51:32 2017 us=716088   tls_auth_file = '[UNDEF]'
Sat May 27 16:51:32 2017 us=716088   tls_crypt_file = '[UNDEF]'
Sat May 27 16:51:32 2017 us=716088   pkcs11_protected_authentication = DISABLED
Sat May 27 16:51:32 2017 us=716088   pkcs11_protected_authentication = DISABLED
Sat May 27 16:51:32 2017 us=716088   pkcs11_protected_authentication = DISABLED
Sat May 27 16:51:32 2017 us=716088   pkcs11_protected_authentication = DISABLED
Sat May 27 16:51:32 2017 us=716088   pkcs11_protected_authentication = DISABLED
Sat May 27 16:51:32 2017 us=716088   pkcs11_protected_authentication = DISABLED
Sat May 27 16:51:32 2017 us=716088   pkcs11_protected_authentication = DISABLED
Sat May 27 16:51:32 2017 us=716088   pkcs11_protected_authentication = DISABLED
Sat May 27 16:51:32 2017 us=716088   pkcs11_protected_authentication = DISABLED
Sat May 27 16:51:32 2017 us=716088   pkcs11_protected_authentication = DISABLED
Sat May 27 16:51:32 2017 us=716088   pkcs11_protected_authentication = DISABLED
Sat May 27 16:51:32 2017 us=716088   pkcs11_protected_authentication = DISABLED
Sat May 27 16:51:32 2017 us=716088   pkcs11_protected_authentication = DISABLED
Sat May 27 16:51:32 2017 us=717053   pkcs11_protected_authentication = DISABLED
Sat May 27 16:51:32 2017 us=717053   pkcs11_protected_authentication = DISABLED
Sat May 27 16:51:32 2017 us=717053   pkcs11_protected_authentication = DISABLED
Sat May 27 16:51:32 2017 us=717053   pkcs11_private_mode = 00000000
Sat May 27 16:51:32 2017 us=717053   pkcs11_private_mode = 00000000
Sat May 27 16:51:32 2017 us=717053   pkcs11_private_mode = 00000000
Sat May 27 16:51:32 2017 us=717053   pkcs11_private_mode = 00000000
Sat May 27 16:51:32 2017 us=717053   pkcs11_private_mode = 00000000
Sat May 27 16:51:32 2017 us=717053   pkcs11_private_mode = 00000000
Sat May 27 16:51:32 2017 us=717053   pkcs11_private_mode = 00000000
Sat May 27 16:51:32 2017 us=717053   pkcs11_private_mode = 00000000
Sat May 27 16:51:32 2017 us=717053   pkcs11_private_mode = 00000000
Sat May 27 16:51:32 2017 us=717053   pkcs11_private_mode = 00000000
Sat May 27 16:51:32 2017 us=717053   pkcs11_private_mode = 00000000
Sat May 27 16:51:32 2017 us=717053   pkcs11_private_mode = 00000000
Sat May 27 16:51:32 2017 us=717053   pkcs11_private_mode = 00000000
Sat May 27 16:51:32 2017 us=717053   pkcs11_private_mode = 00000000
Sat May 27 16:51:32 2017 us=717053   pkcs11_private_mode = 00000000
Sat May 27 16:51:32 2017 us=717053   pkcs11_private_mode = 00000000
Sat May 27 16:51:32 2017 us=717053   pkcs11_cert_private = DISABLED
Sat May 27 16:51:32 2017 us=717053   pkcs11_cert_private = DISABLED
Sat May 27 16:51:32 2017 us=717053   pkcs11_cert_private = DISABLED
Sat May 27 16:51:32 2017 us=717053   pkcs11_cert_private = DISABLED
Sat May 27 16:51:32 2017 us=717053   pkcs11_cert_private = DISABLED
Sat May 27 16:51:32 2017 us=717053   pkcs11_cert_private = DISABLED
Sat May 27 16:51:32 2017 us=717053   pkcs11_cert_private = DISABLED
Sat May 27 16:51:32 2017 us=717053   pkcs11_cert_private = DISABLED
Sat May 27 16:51:32 2017 us=717053   pkcs11_cert_private = DISABLED
Sat May 27 16:51:32 2017 us=717053   pkcs11_cert_private = DISABLED
Sat May 27 16:51:32 2017 us=717053   pkcs11_cert_private = DISABLED
Sat May 27 16:51:32 2017 us=717053   pkcs11_cert_private = DISABLED
Sat May 27 16:51:32 2017 us=717053   pkcs11_cert_private = DISABLED
Sat May 27 16:51:32 2017 us=717053   pkcs11_cert_private = DISABLED
Sat May 27 16:51:32 2017 us=717053   pkcs11_cert_private = DISABLED
Sat May 27 16:51:32 2017 us=717053   pkcs11_cert_private = DISABLED
Sat May 27 16:51:32 2017 us=717053   pkcs11_pin_cache_period = -1
Sat May 27 16:51:32 2017 us=717053   pkcs11_id = '[UNDEF]'
Sat May 27 16:51:32 2017 us=717053   pkcs11_id_management = DISABLED
Sat May 27 16:51:32 2017 us=717053   server_network = 0.0.0.0
Sat May 27 16:51:32 2017 us=717053   server_netmask = 0.0.0.0
Sat May 27 16:51:32 2017 us=717053   server_network_ipv6 = ::
Sat May 27 16:51:32 2017 us=717053   server_netbits_ipv6 = 0
Sat May 27 16:51:32 2017 us=717053   server_bridge_ip = 0.0.0.0
Sat May 27 16:51:32 2017 us=717053   server_bridge_netmask = 0.0.0.0
Sat May 27 16:51:32 2017 us=717053   server_bridge_pool_start = 0.0.0.0
Sat May 27 16:51:32 2017 us=717053   server_bridge_pool_end = 0.0.0.0
Sat May 27 16:51:32 2017 us=717053   ifconfig_pool_defined = DISABLED
Sat May 27 16:51:32 2017 us=717053   ifconfig_pool_start = 0.0.0.0
Sat May 27 16:51:32 2017 us=717053   ifconfig_pool_end = 0.0.0.0
Sat May 27 16:51:32 2017 us=717053   ifconfig_pool_netmask = 0.0.0.0
Sat May 27 16:51:32 2017 us=717053   ifconfig_pool_persist_filename = '[UNDEF]'
Sat May 27 16:51:32 2017 us=717053   ifconfig_pool_persist_refresh_freq = 600
Sat May 27 16:51:32 2017 us=717053   ifconfig_ipv6_pool_defined = DISABLED
Sat May 27 16:51:32 2017 us=717053   ifconfig_ipv6_pool_base = ::
Sat May 27 16:51:32 2017 us=717053   ifconfig_ipv6_pool_netbits = 0
Sat May 27 16:51:32 2017 us=717053   n_bcast_buf = 256
Sat May 27 16:51:32 2017 us=717053   tcp_queue_limit = 64
Sat May 27 16:51:32 2017 us=717053   real_hash_size = 256
Sat May 27 16:51:32 2017 us=717053   virtual_hash_size = 256
Sat May 27 16:51:32 2017 us=717053   client_connect_script = '[UNDEF]'
Sat May 27 16:51:32 2017 us=717053   learn_address_script = '[UNDEF]'
Sat May 27 16:51:32 2017 us=717053   client_disconnect_script = '[UNDEF]'
Sat May 27 16:51:32 2017 us=717053   client_config_dir = '[UNDEF]'
Sat May 27 16:51:32 2017 us=717053   ccd_exclusive = DISABLED
Sat May 27 16:51:32 2017 us=717053   tmp_dir = 'C:\Users\User\AppData\Local\Temp\'
Sat May 27 16:51:32 2017 us=717053   push_ifconfig_defined = DISABLED
Sat May 27 16:51:32 2017 us=717053   push_ifconfig_local = 0.0.0.0
Sat May 27 16:51:32 2017 us=717053   push_ifconfig_remote_netmask = 0.0.0.0
Sat May 27 16:51:32 2017 us=717053   push_ifconfig_ipv6_defined = DISABLED
Sat May 27 16:51:32 2017 us=717053   push_ifconfig_ipv6_local = ::/0
Sat May 27 16:51:32 2017 us=717053   push_ifconfig_ipv6_remote = ::
Sat May 27 16:51:32 2017 us=717053   enable_c2c = DISABLED
Sat May 27 16:51:32 2017 us=717053   duplicate_cn = DISABLED
Sat May 27 16:51:32 2017 us=717053   cf_max = 0
Sat May 27 16:51:32 2017 us=717053   cf_per = 0
Sat May 27 16:51:32 2017 us=717053   max_clients = 1024
Sat May 27 16:51:32 2017 us=717053   max_routes_per_client = 256
Sat May 27 16:51:32 2017 us=717053   auth_user_pass_verify_script = '[UNDEF]'
Sat May 27 16:51:32 2017 us=717053   auth_user_pass_verify_script_via_file = DISABLED
Sat May 27 16:51:32 2017 us=717053   auth_token_generate = DISABLED
Sat May 27 16:51:32 2017 us=717053   auth_token_lifetime = 0
Sat May 27 16:51:32 2017 us=717053   client = ENABLED
Sat May 27 16:51:32 2017 us=717053   pull = ENABLED
Sat May 27 16:51:32 2017 us=717053   auth_user_pass_file = '[UNDEF]'
Sat May 27 16:51:32 2017 us=717053   show_net_up = DISABLED
Sat May 27 16:51:32 2017 us=717053   route_method = 3
Sat May 27 16:51:32 2017 us=717053   block_outside_dns = DISABLED
Sat May 27 16:51:32 2017 us=717053   ip_win32_defined = DISABLED
Sat May 27 16:51:32 2017 us=717053   ip_win32_type = 3
Sat May 27 16:51:32 2017 us=717053   dhcp_masq_offset = 0
Sat May 27 16:51:32 2017 us=717053   dhcp_lease_time = 31536000
Sat May 27 16:51:32 2017 us=717053   tap_sleep = 0
Sat May 27 16:51:32 2017 us=717053   dhcp_options = DISABLED
Sat May 27 16:51:32 2017 us=717053   dhcp_renew = DISABLED
Sat May 27 16:51:32 2017 us=717053   dhcp_pre_release = DISABLED
Sat May 27 16:51:32 2017 us=717053   domain = '[UNDEF]'
Sat May 27 16:51:32 2017 us=717053   netbios_scope = '[UNDEF]'
Sat May 27 16:51:32 2017 us=717053   netbios_node_type = 0
Sat May 27 16:51:32 2017 us=717053   disable_nbt = DISABLED
Sat May 27 16:51:32 2017 us=717053 OpenVPN 2.4.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 11 2017
Sat May 27 16:51:32 2017 us=717053 Windows version 6.2 (Windows 8 or greater) 64bit
Sat May 27 16:51:32 2017 us=717053 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.10
Enter Management Password:
Sat May 27 16:51:32 2017 us=718052 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Sat May 27 16:51:32 2017 us=718052 Need hold release from management interface, waiting...
Sat May 27 16:51:33 2017 us=174520 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342
Sat May 27 16:51:33 2017 us=275612 MANAGEMENT: CMD 'state on'
Sat May 27 16:51:33 2017 us=275612 MANAGEMENT: CMD 'log all on'
Sat May 27 16:51:33 2017 us=451719 MANAGEMENT: CMD 'echo all on'
Sat May 27 16:51:33 2017 us=452717 MANAGEMENT: CMD 'hold off'
Sat May 27 16:51:33 2017 us=454737 MANAGEMENT: CMD 'hold release'
Sat May 27 16:51:33 2017 us=587842 LZO compression initializing
Sat May 27 16:51:33 2017 us=587842 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sat May 27 16:51:33 2017 us=587842 MANAGEMENT: >STATE:1495918293,RESOLVE,,,,,,
Sat May 27 16:51:33 2017 us=590846 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sat May 27 16:51:33 2017 us=590846 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat May 27 16:51:33 2017 us=590846 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat May 27 16:51:33 2017 us=590846 TCP/UDP: Preserving recently used remote address: [AF_INET]104.237.203.158:443
Sat May 27 16:51:33 2017 us=590846 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat May 27 16:51:33 2017 us=590846 Attempting to establish TCP connection with [AF_INET]104.237.203.158:443 [nonblock]
Sat May 27 16:51:33 2017 us=590846 MANAGEMENT: >STATE:1495918293,TCP_CONNECT,,,,,,
Sat May 27 16:51:34 2017 us=592803 TCP connection established with [AF_INET]104.237.203.158:443
Sat May 27 16:51:34 2017 us=592803 TCP_CLIENT link local: (not bound)
Sat May 27 16:51:34 2017 us=592803 TCP_CLIENT link remote: [AF_INET]104.237.203.158:443
Sat May 27 16:51:34 2017 us=592803 MANAGEMENT: >STATE:1495918294,WAIT,,,,,,
Sat May 27 16:51:34 2017 us=592803 TCP_CLIENT WRITE [14] to [AF_INET]104.237.203.158:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sat May 27 16:51:34 2017 us=624834 TCP_CLIENT READ [26] from [AF_INET]104.237.203.158:443: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Sat May 27 16:51:34 2017 us=624834 MANAGEMENT: >STATE:1495918294,AUTH,,,,,,
Sat May 27 16:51:34 2017 us=624834 TLS: Initial packet from [AF_INET]104.237.203.158:443, sid=5366ea9f 3398e74d
Sat May 27 16:51:34 2017 us=624834 TCP_CLIENT WRITE [22] to [AF_INET]104.237.203.158:443: P_ACK_V1 kid=0 [ 0 ]
Sat May 27 16:51:34 2017 us=625781 TCP_CLIENT WRITE [187] to [AF_INET]104.237.203.158:443: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=173
Sat May 27 16:51:37 2017 us=102063 TCP_CLIENT WRITE [187] to [AF_INET]104.237.203.158:443: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=173
Sat May 27 16:51:42 2017 us=54510 TCP_CLIENT WRITE [187] to [AF_INET]104.237.203.158:443: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=173
Sat May 27 16:51:50 2017 us=656403 TCP_CLIENT WRITE [187] to [AF_INET]104.237.203.158:443: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=173
Sat May 27 16:51:53 2017 us=773186 read TCP_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)
Sat May 27 16:51:53 2017 us=773186 TCP_CLIENT READ [0] from [AF_INET]104.237.203.158:443: DATA UNDEF len=-1
Sat May 27 16:51:53 2017 us=773186 Connection reset, restarting [-1]
Sat May 27 16:51:53 2017 us=773186 TCP/UDP: Closing socket
Sat May 27 16:51:53 2017 us=773186 SIGUSR1[soft,connection-reset] received, process restarting
Sat May 27 16:51:53 2017 us=774133 MANAGEMENT: >STATE:1495918313,RECONNECTING,connection-reset,,,,,
Sat May 27 16:51:53 2017 us=774133 Restart pause, 5 second(s)
Sat May 27 16:51:55 2017 us=775996 SIGTERM[hard,init_instance] received, process exiting
Sat May 27 16:51:55 2017 us=775996 MANAGEMENT: >STATE:1495918315,EXITING,init_instance,,,,,

Gedrean
OpenVpn Newbie
Posts: 5
Joined: Sat May 27, 2017 8:20 pm

Re: OpenVPN hangs on TLS initial packet on one particular network

Post by Gedrean » Wed May 31, 2017 1:02 am

Here's a copy of a server log (not from then, it's more recent, and it's on a slightly different config, but the behaviors are the same).

Tue May 30 19:53:23 2017 us=623821 MULTI: multi_create_instance called
Tue May 30 19:53:23 2017 us=623942 Re-using SSL/TLS context
Tue May 30 19:53:23 2017 us=623980 LZO compression initialized
Tue May 30 19:53:23 2017 us=624076 Control Channel MTU parms [ L:1560 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Tue May 30 19:53:23 2017 us=624100 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:143 ET:0 EL:3 AF:3/1 ]
Tue May 30 19:53:23 2017 us=624127 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue May 30 19:53:23 2017 us=624135 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue May 30 19:53:23 2017 us=624151 Local Options hash (VER=V4): 'b695cb4a'
Tue May 30 19:53:23 2017 us=624162 Expected Remote Options hash (VER=V4): 'bc07730e'
Tue May 30 19:53:23 2017 us=624192 TCP connection established with [AF_INET]xx.xx.xx.xx:54520
Tue May 30 19:53:23 2017 us=624201 TCPv4_SERVER link local: [undef]
Tue May 30 19:53:23 2017 us=624209 TCPv4_SERVER link remote: [AF_INET]xx.xx.xx.xx:54520
Tue May 30 19:53:24 2017 us=601697 xx.xx.xx.xx:54520 TCPv4_SERVER READ [14] from [AF_INET]xx.xx.xx.xx:54520: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue May 30 19:53:24 2017 us=601756 xx.xx.xx.xx:54520 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:54520, sid=555adb8e 989a9b45
Tue May 30 19:53:24 2017 us=601789 xx.xx.xx.xx:54520 TCPv4_SERVER WRITE [26] to [AF_INET]xx.xx.xx.xx:54520: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Tue May 30 19:53:27 2017 us=4476 xx.xx.xx.xx:54520 TCPv4_SERVER WRITE [14] to [AF_INET]xx.xx.xx.xx:54520: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Tue May 30 19:53:31 2017 us=809941 xx.xx.xx.xx:54520 TCPv4_SERVER WRITE [14] to [AF_INET]xx.xx.xx.xx:54520: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Tue May 30 19:53:40 2017 us=7550 xx.xx.xx.xx:54520 TCPv4_SERVER WRITE [14] to [AF_INET]xx.xx.xx.xx:54520: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Tue May 30 19:53:56 2017 us=131125 xx.xx.xx.xx:54520 TCPv4_SERVER WRITE [14] to [AF_INET]xx.xx.xx.xx:54520: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Tue May 30 19:54:23 2017 us=150756 xx.xx.xx.xx:54520 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue May 30 19:54:23 2017 us=150856 xx.xx.xx.xx:54520 TLS Error: TLS handshake failed
Tue May 30 19:54:23 2017 us=150943 xx.xx.xx.xx:54520 Fatal TLS error (check_tls_errors_co), restarting
Tue May 30 19:54:23 2017 us=150958 xx.xx.xx.xx:54520 SIGUSR1[soft,tls-error] received, client-instance restarting
Tue May 30 19:54:23 2017 us=151010 TCP/UDP: Closing socket

I suspect now that the problem is that I've got SPI or DPI on the firewall on this wifi network and they're monitoring or blocking out data that sounds like OpenVPN in nature -- This doesn't explain why PIA can connect, but it would explain why I cannot connect to two different OpenVPN connections and why the data stops flowing right after the ACK packet is sent from the client.

Can anyone else shed some light or advice on this?
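The pattern in the two logs above (one side re-sending the same control packet while the other side never answers) can be picked out mechanically from a verb 6 trace. The following Python is an added example, not code from this thread or from the OpenVPN project: it parses the per-packet WRITE/READ lines, counts control packets re-sent with the same pid, and reports the last packet the peer actually answered, on the client side and the server side alike. The log lines embedded in it are constructed to mirror the two posted logs, with the documentation addresses 192.0.2.10 and 198.51.100.7 standing in for the real ones.

```python
import re
from collections import Counter

# Per-packet trace lines OpenVPN prints at verb 6 on either side of the link.
# Client lines carry no peer prefix; server lines start with "ip:port ".
PACKET_RE = re.compile(
    r"^\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} us=\d+ "
    r"(?:\S+:\d+ )?(?P<sock>[A-Za-z0-9_]+) "
    r"(?P<direction>READ|WRITE) \[(?P<size>\d+)\] (?:to|from) "
    r"\[AF_INET\](?P<peer>[^:]+:\d+): "
    r"(?P<opcode>P_[A-Z0-9_]+) kid=(?P<kid>\d+) \[(?P<acks>[^\]]*)\]"
    r"(?: pid=(?P<pid>\d+))?"
)

def parse_control_packets(lines):
    """Return the control-channel packets found in the log lines, in order."""
    packets = []
    for line in lines:
        m = PACKET_RE.match(line)
        if not m:
            continue  # MTU parms, "TLS:" notes, socket errors: not packets
        packets.append({
            "direction": m["direction"],
            "size": int(m["size"]),
            "opcode": m["opcode"],
            "pid": int(m["pid"]) if m["pid"] is not None else None,  # ACKs carry none
        })
    return packets

def analyze_handshake(lines):
    """Summarise where the exchange stopped and which packets were re-sent."""
    packets = parse_control_packets(lines)
    last_read_idx, last_read = -1, None
    for i, p in enumerate(packets):
        if p["direction"] == "READ":
            last_read_idx, last_read = i, p["opcode"]
    # A control packet keeps its (opcode, pid) until the peer ACKs it, so the same
    # key written more than once is a retransmission, on TCP just as on UDP.
    sent = Counter((p["opcode"], p["pid"]) for p in packets
                   if p["direction"] == "WRITE" and p["pid"] is not None)
    retransmitted = {k: n for k, n in sent.items() if n > 1}
    answered = [p["size"] for p in packets[:last_read_idx + 1]
                if p["direction"] == "WRITE"]
    unanswered = [(p["opcode"], p["size"]) for p in packets[last_read_idx + 1:]
                  if p["direction"] == "WRITE"]
    return {
        "last_read": last_read,
        "retransmitted": retransmitted,
        "unanswered_writes": unanswered,
        "largest_answered_write": max(answered, default=0),
        "smallest_unanswered_write": min((s for _, s in unanswered), default=None),
        # retransmit loop while the peer stays silent: the signature in this thread
        "stalled": bool(retransmitted) and bool(unanswered),
    }

def diagnose(result):
    """One-line reading of an analyze_handshake() result."""
    if not result["stalled"]:
        return "control channel progressed; no retransmit loop detected"
    keys = ", ".join(f"{op} pid={pid} x{n}"
                     for (op, pid), n in result["retransmitted"].items())
    return (f"peer silent after {result['last_read']}; retransmitted {keys}; "
            f"largest write answered={result['largest_answered_write']}B, "
            f"smallest unanswered={result['smallest_unanswered_write']}B")

# Constructed sample lines modelled on the client log in the first post.
CLIENT_LOG = [
    "Sat May 27 16:51:34 2017 us=592803 TCP_CLIENT WRITE [14] to [AF_INET]192.0.2.10:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0",
    "Sat May 27 16:51:34 2017 us=624834 TCP_CLIENT READ [26] from [AF_INET]192.0.2.10:443: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0",
    "Sat May 27 16:51:34 2017 us=624834 TLS: Initial packet from [AF_INET]192.0.2.10:443, sid=00000000 00000000",
    "Sat May 27 16:51:34 2017 us=624834 TCP_CLIENT WRITE [22] to [AF_INET]192.0.2.10:443: P_ACK_V1 kid=0 [ 0 ]",
    "Sat May 27 16:51:34 2017 us=625781 TCP_CLIENT WRITE [187] to [AF_INET]192.0.2.10:443: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=173",
    "Sat May 27 16:51:37 2017 us=102063 TCP_CLIENT WRITE [187] to [AF_INET]192.0.2.10:443: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=173",
    "Sat May 27 16:51:42 2017 us=54510 TCP_CLIENT WRITE [187] to [AF_INET]192.0.2.10:443: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=173",
    "Sat May 27 16:51:50 2017 us=656403 TCP_CLIENT WRITE [187] to [AF_INET]192.0.2.10:443: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=173",
]

# Constructed sample lines modelled on the server log in the second post.
SERVER_LOG = [
    "Tue May 30 19:53:24 2017 us=601697 198.51.100.7:54520 TCPv4_SERVER READ [14] from [AF_INET]198.51.100.7:54520: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0",
    "Tue May 30 19:53:24 2017 us=601789 198.51.100.7:54520 TCPv4_SERVER WRITE [26] to [AF_INET]198.51.100.7:54520: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0",
    "Tue May 30 19:53:27 2017 us=4476 198.51.100.7:54520 TCPv4_SERVER WRITE [14] to [AF_INET]198.51.100.7:54520: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0",
    "Tue May 30 19:53:31 2017 us=809941 198.51.100.7:54520 TCPv4_SERVER WRITE [14] to [AF_INET]198.51.100.7:54520: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0",
    "Tue May 30 19:54:23 2017 us=150756 198.51.100.7:54520 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
]

# Constructed lines for a handshake that progresses (the peer answers pid=1).
HEALTHY_LOG = [
    "Sat May 27 16:40:01 2017 us=100000 TCP_CLIENT WRITE [14] to [AF_INET]192.0.2.10:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0",
    "Sat May 27 16:40:01 2017 us=130000 TCP_CLIENT READ [26] from [AF_INET]192.0.2.10:443: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0",
    "Sat May 27 16:40:01 2017 us=130500 TCP_CLIENT WRITE [22] to [AF_INET]192.0.2.10:443: P_ACK_V1 kid=0 [ 0 ]",
    "Sat May 27 16:40:01 2017 us=131000 TCP_CLIENT WRITE [187] to [AF_INET]192.0.2.10:443: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=173",
    "Sat May 27 16:40:01 2017 us=165000 TCP_CLIENT READ [1114] from [AF_INET]192.0.2.10:443: P_CONTROL_V1 kid=0 [ 1 ] pid=1 DATA len=1100",
]

if __name__ == "__main__":
    for name, log in (("client", CLIENT_LOG), ("server", SERVER_LOG), ("healthy", HEALTHY_LOG)):
        print(f"{name}: {diagnose(analyze_handshake(log))}")
```

Run on both posted logs, the client side shows the 14-byte reset answered and nothing from 22 bytes up ever acknowledged, while the server side shows it never saw the client's ACK; that pairing is the size-based or pattern-based drop the poster suspects, and a retransmit loop with a silent peer is what to grep for before changing any configuration.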

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN hangs on TLS initial packet on one particular network

Post by TinCanTech » Wed May 31, 2017 11:27 am

Find a network which does not block you; make sure you can connect to your server properly then try with the other WiFi ..

Gedrean
OpenVpn Newbie
Posts: 5
Joined: Sat May 27, 2017 8:20 pm

Re: OpenVPN hangs on TLS initial packet on one particular network

Post by Gedrean » Thu Jun 01, 2017 12:07 am

TinCanTech wrote: Find a network which does not block you; make sure you can connect to your server properly then try with the other WiFi ..

I was able to find a network which didn't block and I connected without any difficulty.

So, I've been looking at auth-user-pass as a possible option... I'm not sure, is there a way to have cryptographic encryption without the TLS? I suppose what I'm trying to do is figure out why the TLS in OpenVPN is being blocked, while I can get onto secured websites using (I believe) TLS no problem?

If it's the firewall blocking or somehow preventing OpenVPN TLS packets from getting through (I don't know how they'd do that?!) then is there some workaround for it that would not use those TLS packets?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN hangs on TLS initial packet on one particular network

Post by TinCanTech » Thu Jun 01, 2017 12:36 am

Can you ssh into your server from the bad WiFi?

Gedrean
OpenVpn Newbie
Posts: 5
Joined: Sat May 27, 2017 8:20 pm

Re: OpenVPN hangs on TLS initial packet on one particular network

Post by Gedrean » Thu Jun 01, 2017 9:53 pm

TinCanTech wrote: Can you ssh into your server from the bad WiFi?

Yes I can, which is why this behavior is surprising.

If I reconfigure my server to use port 443 (or 80) for SSH, I connect to it using PuTTY and a standard configuration - I put in my server address, port #, my default user, and my private key, which I don't need to use if I set it to password auth (both work over SSH, but I prefer private key).

It connects easily, has a great connection.

Gedrean
OpenVpn Newbie
Posts: 5
Joined: Sat May 27, 2017 8:20 pm

Re: OpenVPN hangs on TLS initial packet on one particular network

Post by Gedrean » Sat Jun 24, 2017 1:01 am

I guess no ideas then.
