Configuring OpenVPN behind load balancer

yusufhc
OpenVpn Newbie
Posts: 2
Joined: Fri May 13, 2016 8:09 am

Configuring OpenVPN behind load balancer

Post by yusufhc » Fri May 13, 2016 8:25 am

Hello,

I have an OpenVPN AS setup in AWS. I have it set up behind AWS Elastic Load Balancer (ELB). I have the following configuration in the "Additional OpenVPN Config Directives (Advanced)" section:

-remote *
remote openvpn.xxxx.co.uk 443 tcp

openvpn.xxxx.co.uk is a DNS record pointing to the ELB.

I then download the client and attempt the connection. In the client logs, I see this:

Fri May 13 09:10:41 2016 Control Channel Authentication: tls-auth using INLINE static key file
Fri May 13 09:10:41 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 13 09:10:41 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 13 09:10:41 2016 Socket Buffers: R=[87380->200000] S=[16384->200000]
Fri May 13 09:10:41 2016 Attempting to establish TCP connection with [AF_INET]52.18.69.XXX:443 [nonblock]
Fri May 13 09:10:42 2016 TCP connection established with [AF_INET]52.18.69.XXX:443
Fri May 13 09:10:42 2016 TCPv4_CLIENT link local: [undef]
Fri May 13 09:10:42 2016 TCPv4_CLIENT link remote: [AF_INET]52.18.69.XXX:443
Fri May 13 09:10:42 2016 WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1544 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Fri May 13 09:10:42 2016 Connection reset, restarting [0]
Fri May 13 09:10:42 2016 SIGUSR1[soft,connection-reset] received, process restarting
Fri May 13 09:10:42 2016 Restart pause, 5 second(s)

The ELB resolves to "52.18.69.XXX" and another IP. The client resolves the DNS query and contacts one of the ELB nodes and thinks that is the OpenVPN server and fails with that error.

When I change the DNS record to the IP of the OpenVPN AS server, it works like a charm.

How do I get this working? Anyone done this already?

Any help, much appreciated.

Thanks!
~Y

novaflash
I should be on the dev team.
Posts: 720
Joined: Fri Apr 13, 2012 8:43 pm

Re: Configuring OpenVPN behind load balancer

Post by novaflash » Fri May 13, 2016 10:56 am

We don't support Access Server behind a load balancer.

But to address your immediate problem, about the bad encapsulated packet length, you could try to set MTU 1500 on the network interface on your Access Server system yourself, see if that resolves it.

yusufhc
OpenVpn Newbie
Posts: 2
Joined: Fri May 13, 2016 8:09 am

Re: Configuring OpenVPN behind load balancer

Post by yusufhc » Fri May 13, 2016 12:32 pm

MTU is set to 1500 by default and I have set it in the directive as well. It works if I change the DNS to the IP of the server rather than the LB.

So if I understand right, the Access Server is not designed to run behind a LB at all?

novaflash
I should be on the dev team.
Posts: 720
Joined: Fri Apr 13, 2012 8:43 pm

Re: Configuring OpenVPN behind load balancer

Post by novaflash » Fri May 13, 2016 12:41 pm

Yeah, you understand correctly.

mallikharjuna
OpenVpn Newbie
Posts: 1
Joined: Tue Sep 11, 2018 6:49 am

Re: Configuring OpenVPN behind load balancer

Post by mallikharjuna » Tue Sep 11, 2018 7:01 am

Hi Team,

We are trying to use the OpenVPN server behind a load balancer in AWS. We have given the load balancer ARN as the server name in the network settings of the OpenVPN UI, and we used the Marketplace AMI for OpenVPN. The OpenVPN client is not connecting and throws the errors below:

Sat Sep 8 12:45:26 2018 Connection reset, restarting [0]
Sat Sep 8 12:45:26 2018 SIGUSR1[soft,connection-reset] received, process restarting
Sat Sep 8 12:45:26 2018 Restart pause, 5 second(s)
Sat Sep 8 12:45:31 2018 Control Channel Authentication: tls-auth using INLINE static key file
Sat Sep 8 12:45:31 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 8 12:45:31 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 8 12:45:31 2018 Socket Buffers: R=[212992->200000] S=[212992->200000]
Sat Sep 8 12:45:31 2018 UDPv4 link local: [undef]
Sat Sep 8 12:45:31 2018 UDPv4 link remote: [AF_INET]35.161.41.141:1194
Sat Sep 8 12:45:35 2018 Server poll timeout, restarting
Sat Sep 8 12:45:35 2018 SIGUSR1[soft,server_poll] received, process restarting
Sat Sep 8 12:45:35 2018 Control Channel Authentication: tls-auth using INLINE static key file
Sat Sep 8 12:45:35 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 8 12:45:35 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 8 12:45:35 2018 Socket Buffers: R=[212992->200000] S=[212992->200000]
Sat Sep 8 12:45:35 2018 UDPv4 link local: [undef]
Sat Sep 8 12:45:35 2018 UDPv4 link remote: [AF_INET]50.112.188.112:1194
Sat Sep 8 12:45:39 2018 Server poll timeout, restarting
Sat Sep 8 12:45:39 2018 SIGUSR1[soft,server_poll] received, process restarting

Mon Sep 10 21:43:58 2018 WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1563 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]

Please let us know if the OpenVPN Server is still not designed to run behind a LB at all, since this doc was updated long ago.

Is there any chance to get this done with any configuration changes? Can we have detailed instructions to configure OpenVPN behind a load balancer?
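An added diagnostic example for the "Bad encapsulated packet length from peer (18516)" warning that appears in both yusufhc's 2016 log and mallikharjuna's 2018 log. This is not code from the thread or from OpenVPN itself. OpenVPN over TCP prefixes every packet with a two-byte big-endian length, and the client reads the peer's first two bytes as that length before anything else; the number in the warning is simply what those bytes decode to. The script recovers the raw bytes behind a logged length and classifies the first reply received from a TCP peer. The HTTP reply and the OpenVPN frame used as inputs are constructed for the example; the limits 1544 and 1563 are the maxima the two logs report.

```python
import string
import struct

# Maximum encapsulated length each client in this thread reported (derived
# from its link-mtu): 1544 in the 2016 log, 1563 in the 2018 log.
MAX_LEN_2016 = 1544
MAX_LEN_2018 = 1563

# Constructed sample inputs: the first bytes a TCP client might receive.
HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
# A constructed OpenVPN TCP frame: 2-byte length prefix, then 14 payload bytes
# (0x38 is the opcode byte of a client hard-reset control packet, key id 0).
OPENVPN_FRAME = struct.pack("!H", 14) + b"\x38" + b"\x00" * 13


def length_prefix(first_bytes: bytes) -> int:
    """Return the packet length an OpenVPN TCP client reads from the first
    two bytes of a reply (unsigned 16-bit, network byte order)."""
    if len(first_bytes) < 2:
        raise ValueError("need at least two bytes from the peer")
    return struct.unpack("!H", first_bytes[:2])[0]


def warning_value_to_bytes(length: int) -> bytes:
    """Invert the parse: recover the two raw bytes behind a logged length."""
    if not 0 <= length <= 0xFFFF:
        raise ValueError("OpenVPN length prefixes are 16-bit values")
    return struct.pack("!H", length)


def is_printable_text(data: bytes) -> bool:
    """True when every byte is printable ASCII, i.e. looks like a text line."""
    return all(chr(b) in string.printable for b in data)


def diagnose(first_bytes: bytes, max_len: int) -> str:
    """Classify a peer's first bytes the way the client's length check does,
    and say what the bytes look like when the check fails."""
    n = length_prefix(first_bytes)
    if 0 < n <= max_len:
        return f"plausible OpenVPN frame of {n} bytes"
    head = warning_value_to_bytes(n)
    if is_printable_text(head):
        return (f"bad length {n}: first bytes {head!r} are ASCII text, "
                "so the peer is speaking a text protocol, not OpenVPN framing")
    return f"bad length {n}: not an OpenVPN frame"


if __name__ == "__main__":
    print(warning_value_to_bytes(18516))          # b'HT'
    print(diagnose(HTTP_REPLY, MAX_LEN_2016))
    print(diagnose(HTTP_REPLY, MAX_LEN_2018))
    print(diagnose(OPENVPN_FRAME, MAX_LEN_2016))
```

18516 is 0x4854, the ASCII bytes "HT", so in both logs the peer's first two bytes were the start of a text line rather than an OpenVPN length prefix. That is the check worth running before touching tun-mtu or link-mtu: an MTU mismatch produces lengths that are wrong by a few bytes, whereas a printable prefix like this means whatever answered the TCP connection is not talking OpenVPN framing at all, which is consistent with a listener in front of the server answering in a text protocol such as HTTP, and no MTU setting on either peer can change that.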

novaflash
I should be on the dev team.
Posts: 720
Joined: Fri Apr 13, 2012 8:43 pm

Re: Configuring OpenVPN behind load balancer

Post by novaflash » Tue Sep 11, 2018 3:28 pm

No, it's not supported to run it behind a load balancer.
