Configuring OpenVPN behind load balancer

yusufhc
OpenVpn Newbie
Posts: 2
Joined: Fri May 13, 2016 8:09 am

Configuring OpenVPN behind load balancer

Post by yusufhc » Fri May 13, 2016 8:25 am

Hello,

I have an OpenVPN AS setup in AWS. I have it set up behind AWS Elastic Load Balancer (ELB). I have the following configuration in the "Additional OpenVPN Config Directives (Advanced)" section:

-remote *
remote openvpn.xxxx.co.uk 443 tcp

openvpn.xxxx.co.uk is a DNS record pointing to the ELB.

I then download the client and attempt the connection. In the client logs, I see this:

Fri May 13 09:10:41 2016 Control Channel Authentication: tls-auth using INLINE static key file
Fri May 13 09:10:41 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 13 09:10:41 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 13 09:10:41 2016 Socket Buffers: R=[87380->200000] S=[16384->200000]
Fri May 13 09:10:41 2016 Attempting to establish TCP connection with [AF_INET]52.18.69.XXX:443 [nonblock]
Fri May 13 09:10:42 2016 TCP connection established with [AF_INET]52.18.69.XXX:443
Fri May 13 09:10:42 2016 TCPv4_CLIENT link local: [undef]
Fri May 13 09:10:42 2016 TCPv4_CLIENT link remote: [AF_INET]52.18.69.XXX:443
Fri May 13 09:10:42 2016 WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1544 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Fri May 13 09:10:42 2016 Connection reset, restarting [0]
Fri May 13 09:10:42 2016 SIGUSR1[soft,connection-reset] received, process restarting
Fri May 13 09:10:42 2016 Restart pause, 5 second(s)

The ELB resolves to "52.18.69.XXX" and another IP. The client resolves the DNS query and contacts one of the ELB nodes and thinks that is the OpenVPN server and fails with that error.

When I change the DNS record to the IP of the OpenVPN AS server, it works like a charm.

How do I get this working? Anyone done this already?

Any help, much appreciated.

Thanks!
~Y
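As an added illustration that is not part of the original post: the 18516 in the warning above is what OpenVPN's TCP transport reads when the peer answers with HTTP text, because the 2-byte big-endian length prefix it expects is taken from the bytes 0x48 0x54 ("HT"), which is consistent with an HTTP-speaking (Layer 7) load balancer replying to a client that is not speaking HTTP. The framing assumption is OpenVPN's 2-byte network-order length prefix on TCP links; the byte strings are constructed, and the 1563 bound from the later post is covered by the `link_mtu` parameter.

```python
import struct

# Constructed sample 1: a well-formed OpenVPN TCP record, i.e. a 2-byte
# big-endian length prefix followed by a dummy 14-byte control payload.
OPENVPN_RECORD = struct.pack("!H", 14) + b"\x38" + b"\x00" * 13

# Constructed sample 2: the start of an HTTP response, which is what an
# HTTP-only listener sends back when it receives non-HTTP bytes.
HTTP_RESPONSE = b"HTTP/1.1 400 Bad Request\r\n\r\n"

# Upper bound quoted in the poster's log: "must be > 0 and <= 1544".
MAX_LINK_MTU = 1544


def read_tcp_record_length(data: bytes) -> int:
    """Return the length field OpenVPN reads first on a TCP link.

    In TCP mode every OpenVPN packet is framed by a 2-byte network-order
    length prefix; the receiver uses only that prefix to find the packet.
    """
    if len(data) < 2:
        raise ValueError("need at least two bytes for the length prefix")
    return struct.unpack("!H", data[:2])[0]


def check_encapsulated_length(data: bytes, link_mtu: int = MAX_LINK_MTU):
    """Mirror the sanity check behind 'Bad encapsulated packet length'.

    Returns (ok, length, note). The note renders the two prefix bytes as
    hex and ASCII so a stray text protocol on the wire is easy to spot.
    """
    length = read_tcp_record_length(data)
    ok = 0 < length <= link_mtu
    as_text = data[:2].decode("ascii", errors="replace")
    if ok:
        note = "ok"
    else:
        note = (f"rejected: prefix bytes {data[:2].hex()} ({as_text!r}) "
                f"read as length {length}, limit {link_mtu}")
    return ok, length, note


if __name__ == "__main__":
    for sample in (OPENVPN_RECORD, HTTP_RESPONSE):
        print(check_encapsulated_length(sample))
```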

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Configuring OpenVPN behind load balancer

Post by novaflash » Fri May 13, 2016 10:56 am

We don't support Access Server behind a load balancer.

But to address your immediate problem, about the bad encapsulated packet length, you could try to set MTU 1500 on the network interface on your Access Server system yourself, see if that resolves it.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.

yusufhc
OpenVpn Newbie
Posts: 2
Joined: Fri May 13, 2016 8:09 am

Re: Configuring OpenVPN behind load balancer

Post by yusufhc » Fri May 13, 2016 12:32 pm

MTU is set to 1500 by default, and I have set it in the directive as well. It works if I change the DNS to the IP of the server rather than the LB.

So if I understand right, the Access Server is not designed to run behind a LB at all?

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Configuring OpenVPN behind load balancer

Post by novaflash » Fri May 13, 2016 12:41 pm

Yeah, you understand correctly.

mallikharjuna
OpenVpn Newbie
Posts: 1
Joined: Tue Sep 11, 2018 6:49 am

Re: Configuring OpenVPN behind load balancer

Post by mallikharjuna » Tue Sep 11, 2018 7:01 am

Hi Team,

We are trying to use the OpenVPN server behind a load balancer in AWS. We have given the load balancer ARN as the server name in the network settings of the OpenVPN UI, and we have used the Marketplace AMI for OpenVPN. The OpenVPN client is not connecting and throws the errors below:

Sat Sep 8 12:45:26 2018 Connection reset, restarting [0]
Sat Sep 8 12:45:26 2018 SIGUSR1[soft,connection-reset] received, process restarting
Sat Sep 8 12:45:26 2018 Restart pause, 5 second(s)
Sat Sep 8 12:45:31 2018 Control Channel Authentication: tls-auth using INLINE static key file
Sat Sep 8 12:45:31 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 8 12:45:31 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 8 12:45:31 2018 Socket Buffers: R=[212992->200000] S=[212992->200000]
Sat Sep 8 12:45:31 2018 UDPv4 link local: [undef]
Sat Sep 8 12:45:31 2018 UDPv4 link remote: [AF_INET]35.161.41.141:1194
Sat Sep 8 12:45:35 2018 Server poll timeout, restarting
Sat Sep 8 12:45:35 2018 SIGUSR1[soft,server_poll] received, process restarting
Sat Sep 8 12:45:35 2018 Control Channel Authentication: tls-auth using INLINE static key file
Sat Sep 8 12:45:35 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 8 12:45:35 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 8 12:45:35 2018 Socket Buffers: R=[212992->200000] S=[212992->200000]
Sat Sep 8 12:45:35 2018 UDPv4 link local: [undef]
Sat Sep 8 12:45:35 2018 UDPv4 link remote: [AF_INET]50.112.188.112:1194
Sat Sep 8 12:45:39 2018 Server poll timeout, restarting
Sat Sep 8 12:45:39 2018 SIGUSR1[soft,server_poll] received, process restarting

Mon Sep 10 21:43:58 2018 WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1563 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]

Please let us know if the OpenVPN server is still not designed to run behind a LB at all, since this doc was last updated a long time ago.

Is there any chance to get this done with configuration changes? Can we have detailed instructions to configure OpenVPN behind a load balancer?

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Configuring OpenVPN behind load balancer

Post by novaflash » Tue Sep 11, 2018 3:28 pm

No, it's not supported to run it behind a load balancer.

yh
OpenVpn Newbie
Posts: 1
Joined: Wed Sep 09, 2020 3:38 pm

Re: Configuring OpenVPN behind load balancer

Post by yh » Wed Sep 09, 2020 3:39 pm

Hello, just checking to see if it's supported in 2020.

udaykakkar
OpenVpn Newbie
Posts: 1
Joined: Tue Jul 06, 2021 2:10 am

Re: Configuring OpenVPN behind load balancer

Post by udaykakkar » Tue Jul 06, 2021 2:11 am

Hello, I want to check if this is supported now.
We really want to use OpenVPN behind load balancers, as we just cannot expose the external IPs on a bare EC2 instance.

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: Configuring OpenVPN behind load balancer

Post by chilinux » Tue Jul 06, 2021 2:53 pm

The goals of an application-aware load balancer (also known as a Layer 7 load balancer) are not compatible with the goals of a VPN. L7 LBs will manipulate network packets, while any good VPN must reject network packet manipulation.

It isn't up to OpenVPN to support a LB. Rather, it is up to the LB product to support VPN by avoiding manipulation of the network packets.

You might have greater success if you use a Layer 4 LB (preferably with Direct Server Return). AWS ELB in Gateway Load Balancer mode /might/ provide this. The question of whether AWS ELB supports OpenVPN is best answered by AWS support.

Bill Stuzd
OpenVpn Newbie
Posts: 3
Joined: Mon Apr 05, 2021 3:01 pm

Re: Configuring OpenVPN behind load balancer

Post by Bill Stuzd » Sun Mar 27, 2022 2:38 pm

Hello.
OpenVPN behind an AWS NLB (layer 4) appears to now work for me "out of the box"?

My problem is that this does not work on GCP.
I figure[d] this is because GCP NLB does DSR (Direct Server Return), while AWS NLB does not.

But, this appears to contradict what @chilinux says above....

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Configuring OpenVPN behind load balancer

Post by openvpn_inc » Sat Apr 02, 2022 4:42 pm

Hi Bill,

Generally the best way to have high availability is to use the Access Server clustering feature.
https://openvpn.net/for/access-server-clustering/
https://openvpn.net/vpn-server-resource ... r-cluster/

Your LB will work if it passes unmodified packets directly to Access Server, just as if it was a normal router. But it won't really provide any benefit over just using a normal router.

The only way for LBs to do anything useful for Access Server would be if the LB could decrypt and interpret the packets. But that sounds woefully insecure.

regards, rob0
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Bill Stuzd
OpenVpn Newbie
Posts: 3
Joined: Mon Apr 05, 2021 3:01 pm

Re: Configuring OpenVPN behind load balancer

Post by Bill Stuzd » Mon Apr 11, 2022 11:16 pm

I am not needing high availability; I have only one Access Server in this setup.

I am using GCP NLB for other aspects, as I was on AWS.
The NLBs are layer 4.

You can easily try this yourself. There is some issue.
I now suspect the problem is that Access Server, in multi-daemon mode, does not appear to be listening, on udp.1194, for example.
If I set Access Server to single-daemon (udp) mode, my clients then connect!

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Configuring OpenVPN behind load balancer

Post by openvpn_inc » Wed Apr 13, 2022 10:45 am

Hello Bill Stuzd,

To reiterate - we don't support Access Server behind a load balancer.

That aside, you say in multi-daemon mode Access Server doesn't work. But in our QA tests we always test if Access Server is listening in multi-daemon mode. I run an Access Server running in multi-daemon mode even now. It's working. However you will not see UDP port 1194 open in the usual programs such as netstat or such. That is because iptables is doing load balancing between the multiple UDP daemons. Therefore in iptables you can see the rule for the UDP port used for incoming VPN connections.

Perhaps there is some condition in which the combination of using your own load balancer and multi-daemon load balancing in Access Server is causing a problem. But then.... we don't support Access Server behind a load balancer. If you can test without using a load balancer, you might see that it works correctly. But if introducing the load balancer causes problems, then I'm sorry, but then I don't have an answer for you here.

Kind regards,
Johan

Cody
OpenVpn Newbie
Posts: 9
Joined: Mon Aug 02, 2021 2:16 am

Re: Configuring OpenVPN behind load balancer

Post by Cody » Thu Jul 14, 2022 1:35 am

Hello, Bill Stuzd, it's possible, with only one small trick. You need 2 load balancers: an ALB for the 80/443 web UI and an NLB (TCP 443, TCP 943, UDP 1194) for the hostname. Just set the DNS record of the NLB as your "Configuration -> Network Settings -> Hostname".

gog
OpenVpn Newbie
Posts: 9
Joined: Mon Jul 12, 2021 4:13 am

Re: Configuring OpenVPN behind load balancer

Post by gog » Sun Aug 28, 2022 5:00 am

Cody wrote:
Thu Jul 14, 2022 1:35 am
Hello, Bill Stuzd, it's possible, with only one small trick. You need 2 load balancers: an ALB for the 80/443 web UI and an NLB (TCP 443, TCP 943, UDP 1194) for the hostname. Just set the DNS record of the NLB as your "Configuration -> Network Settings -> Hostname".
Hello, did you really succeed in SSL-VPN communication with this setup?
I set it up, but could not communicate.
Please let us know all the other settings on the OpenVPN Access Server side. I would like to run OpenVPN Access Server behind an NLB too if I can.

Kind Regards,

gog
OpenVpn Newbie
Posts: 9
Joined: Mon Jul 12, 2021 4:13 am

Re: Configuring OpenVPN behind load balancer

Post by gog » Tue Aug 30, 2022 3:06 am

gog wrote:
Sun Aug 28, 2022 5:00 am
Cody wrote:
Thu Jul 14, 2022 1:35 am
Hello, Bill Stuzd, it's possible, with only one small trick. You need 2 load balancers: an ALB for the 80/443 web UI and an NLB (TCP 443, TCP 943, UDP 1194) for the hostname. Just set the DNS record of the NLB as your "Configuration -> Network Settings -> Hostname".
Hello, did you really succeed in SSL-VPN communication with this setup?
I set it up, but could not communicate.
Please let us know all the other settings on the OpenVPN Access Server side. I would like to run OpenVPN Access Server behind an NLB too if I can.

Kind Regards,
Hello,

I was able to get SSL-VPN communication to OpenVPN AS via the NLB; it seems the FW was blocking the destination. I haven't done any failure tests yet, but so far it is working well.

Kind Regards,
