UDP works but TCP doesn't

[jriker1]

I have OpenVPN 2.1 working with UDP however due to needing to use the proxy to get past a firewall to get to my OpenVPN server I need to switch to TCP. I have made the following changes to accomodate:

- switched my router to route 1194 TCP traffic instead of UDP to the internal OpenVPN server.
- switched from "pronto udp" in the server and client ovpn files to "proto tcp". Tried also the "pronto tcp-client" and tcp-server.
- Also added a http-proxy tag in the client but took it out for now for testing to eliminate the firewall from the issue.

Do I need to do something additional for TCP? Below are my current UDP ovpn files with the above changes where relevant:

client.ovpn:

Code: Select all

client

dev tap

proto tcp-client

remote <home_system_url_here> 1194

resolv-retry infinite

nobind

persist-key
persist-tun

ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"

# Specific user cert and key file.
# Modify for your use.

cert "c:\\Program Files\\OpenVPN\\config\\syarbrou.crt"
key "C:\\Program Files\\OpenVPN\\config\\syarbrou.key"

tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 1

cipher AES-256-CBC

comp-lzo

verb 3

server.ovpn:

Code: Select all

port 1194

proto tcp-server

dev tap

dev-node OpenVPN

ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"  # This file should be kept secret

dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"

ifconfig-pool-persist ipp.txt

# Specific to my home LAN...
server-bridge 192.168.1.25 255.255.255.0 192.168.1.26 192.168.1.30

push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.14"

keepalive 10 120

comp-lzo

tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 0

cipher AES-256-CBC

max-clients 3

persist-key
persist-tun

status "C:\\Program Files\\OpenVPN\\log\\openvpn-status.log"

verb 3

I get on connection:
Thu Jan 08 11:16:52 2009 Local Options hash (VER=V4): 'ad144f1c'
Thu Jan 08 11:16:52 2009 Expected Remote Options hash (VER=V4): '88107939'
Thu Jan 08 11:16:52 2009 TCP connection established with 15.190.64.31:6679
Thu Jan 08 11:16:52 2009 TCPv4_SERVER link local: [undef]
Thu Jan 08 11:16:52 2009 TCPv4_SERVER link remote: 15.190.64.31:6679
Thu Jan 08 11:17:52 2009 70.195.65.38:6679 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jan 08 11:17:52 2009 70.195.65.38:6679 TLS Error: TLS handshake failed
Thu Jan 08 11:17:52 2009 70.195.65.38:6679 Fatal TLS error (check_tls_errors_co), restarting
Thu Jan 08 11:17:52 2009 70.195.65.38:6679 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Jan 08 11:17:52 2009 TCP/UDP: Closing socket

Any ideas? UDP works successfully everytime.

Thanks.

JR

[krzee]

First thing I would check is the windows firewall.

[jriker1]

First thing I would check is the windows firewall.

Totally disabled for testing. I can see from the server logs that the client is physically getting to it, just doesn't seem to be completing the negotiation or something. Are the configurations for a bridged connection really that similar between a UDP and a TCP connection? Would think it would require more than changing just a proto tag.

Thanks.

JR

[smartas]

I would stay away from TCP. There's a tendency to break connections. See the following URL for more information:

http://sites.inka.de/~bigred/devel/tcp-tcp.html

[Douglas]

Logs would be excellent! Paste the logs!