Connection closed for remote public ip server address

Need help configuring your VPN? Just post here and you'll get that help.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
nikfio
OpenVpn Newbie
Posts: 4
Joined: Wed Jan 17, 2018 3:12 pm

Connection closed for remote public ip server address

Post by nikfio » Wed Jan 17, 2018 3:57 pm

Hello everyone,
I am really interested about using openVPN throught its powerful potentialities.
Now, for my application, I am able to create a stable connection between server and client both connected toe the same wireless network with - summarizing - a udp connection on 1194 port.
BUt, I would like to use openVPN also across different networks, meaning only server public ip is known.
If I change remote server to the public and maintain the same configuration that works for "same network", on client side I get:

Code: Select all

Thu Jan 18 00:26:31 2018 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Jan 18 00:26:31 2018 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Jan 18 00:26:31 2018 Socket Buffers: R=[212992->131072] S=[212992->131072]
Thu Jan 18 00:26:31 2018 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Jan 18 00:26:31 2018 UDPv4 link local: [undef]
Thu Jan 18 00:26:31 2018 UDPv4 link remote: [AF_INET]133.34.33.141:80
Thu Jan 18 00:27:31 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jan 18 00:27:31 2018 TLS Error: TLS handshake failed
Thu Jan 18 00:27:31 2018 SIGUSR1[soft,tls-error] received, process restarting
Thu Jan 18 00:27:31 2018 Restart pause, 2 second(s)
Thu Jan 18 00:27:33 2018 Socket Buffers: R=[212992->131072] S=[212992->131072]
Thu Jan 18 00:27:33 2018 UDPv4 link local: [undef]
Thu Jan 18 00:27:33 2018 UDPv4 link remote: [AF_INET]133.34.33.141:80
Thu Jan 18 00:28:33 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jan 18 00:28:33 2018 TLS Error: TLS handshake failed
Thu Jan 18 00:28:33 2018 SIGUSR1[soft,tls-error] received, process restarting
Thu Jan 18 00:28:33 2018 Restart pause, 2 second(s)
Thu Jan 18 00:28:35 2018 Socket Buffers: R=[212992->131072] S=[212992->131072]
Tcpdump on tun0 server side doesn't print anything.
Trying all possible variations, nothing changes, but for one: tcp over port 80, on client side I get:

Code: Select all

Thu Jan 18 00:33:35 2018 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx:80 [nonblock]
Thu Jan 18 00:33:36 2018 TCP connection established with [AF_INET]xxx.xxx.xxx:80
Thu Jan 18 00:33:36 2018 TCPv4_CLIENT link local: [undef]
Thu Jan 18 00:33:36 2018 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx:80
Thu Jan 18 00:33:36 2018 WARNING: Bad encapsulated packet length from peer (15393), which must be > 0 and <= 1604 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Thu Jan 18 00:33:36 2018 Connection reset, restarting [0]
Thu Jan 18 00:33:36 2018 SIGUSR1[soft,connection-reset] received, process restarting
Thu Jan 18 00:33:36 2018 Restart pause, 5 second(s)
Tcpdump on tun0 server side still doesn't print anything, that "connection established" is a step forward or however something that made me think.
In particular, checking nmap on both sides:
Case 1) nmap ran on client side using remote public-ip server address with udp on 1194

Code: Select all

Nmap scan report for public-ip server
Host is up (0.0062s latency).
PORT     STATE  SERVICE
1194/udp closed openvpn

Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
Meanwhile,
Case 2): nmap ran on client side using remote public-ip server address with tcp on 80

Code: Select all

Nmap scan report for public-ip server
Host is up (0.019s latency).
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.62 seconds
Nmap ran on server.

Case 1) using remote public-ip server address with udp on 1194

Code: Select all

Nmap scan report for localhost
Host is up (0.0062s latency).
PORT     STATE  SERVICE
1194/udp open/filtered openvpn

Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
Case 2) using remote public-ip server address with tcp on 80

Code: Select all

Nmap scan report for localhost
Host is up (0.0062s latency).
PORT     STATE  SERVICE
80/tcp     open     http

Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
Case 3) the one workin, both client and server in the same network

Ran from server side

Code: Select all

Nmap scan report for localhost
Host is up (0.0062s latency).
PORT     STATE         SERVICE
1194/udp open/filtered  openvpn

Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
Ran from client side

Code: Select all

Nmap scan report for local-server-ip = 192.168.x.xxx
Host is up (0.0062s latency).
PORT     STATE          SERVICE
1194/udp open/filtered  openvpn

Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
So, by the fact that I am working under university networks, I think maybe there is a firewall higher than me that is blocking 1194 port for openVPN.
Also, because the common port 80, open for http, prints out better result but still no real connection realized because service is not openvpn on that port, I think.

I would be very happy to hear your opinion and/or suggestions about,also to learn more about OpenVPN.
If you want, I can provide iptables configuration, I didn't report here because modifications didn't lead to different results.

Thank you.

EDIT: here are the configuration files as requested.

Server configuration:

Code: Select all


[oconf=Client configuration]

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

port 1194

# TCP or UDP server?
;proto tcp
proto udp

;dev tap
dev tun


;dev-node MyTap

ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key  # This file should be kept secret

dh /etc/openvpn/dh4096.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist /etc/openvpn/ipp.txt

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100


;server-bridge


;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

;client-config-dir ccd
;route 192.168.40.128 255.255.255.248

;client-config-dir ccd
;route 10.9.0.0 255.255.255.252

#   ifconfig-push 10.9.0.1 10.9.0.2

;learn-address ./script

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 127.0.1.1"

client-to-client

#duplicate-cn


keepalive 10 120


key-direction 0

tls-auth /etc/openvpn/ta.key 0 # This file is secret

;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
cipher AES-256-CBC

comp-lzo

;max-clients 100

user name_user
group name_group

persist-key
persist-tun

status /etc/openvpn/openvpn-status.log

;log         /etc/openvpn/openvpn.log
;log-append  /etc/openvpn/openvpn.log

verb 3

;mute 20

# Auth Digest
auth SHA512

# Limit Ciphers
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA



Code: Select all


[oconf=Client config]
client

;dev tap
dev tun

;dev-node MyTap

;proto tcp
proto udp

;remote 192.168.x.xxx 1194
remote xxx.xx.xx.xxx 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

resolv-retry infinite

nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

;mute-replay-warnings

ca ca.crt
cert client1.crt
key client1.key

ns-cert-type server

key-direction 1

tls-auth ta.key 1

cipher AES-256-CBC

comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20


# Authentication Digest
auth SHA512

# Cipher Restrictions
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

Last edited by nikfio on Wed Jan 17, 2018 8:38 pm, edited 4 times in total.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 4896
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connection closed for remote public ip server address

Post by TinCanTech » Wed Jan 17, 2018 6:11 pm

nikfio wrote:
Wed Jan 17, 2018 3:57 pm
tcp over port 80, on client side I get:

Thu Jan 18 00:33:36 2018 WARNING: Bad encapsulated packet length from peer (15393), which must be > 0 and <= 1604 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Thu Jan 18 00:33:36 2018 Connection reset, restarting [0]
Please post your config files.

Please also see:
HOWTO: Request Help !

nikfio
OpenVpn Newbie
Posts: 4
Joined: Wed Jan 17, 2018 3:12 pm

Re: Connection closed for remote public ip server address

Post by nikfio » Wed Jan 17, 2018 8:41 pm

TinCanTech wrote:
Wed Jan 17, 2018 6:11 pm

Please post your config files.
Thank you for your interest, I edited the opening post with my config files.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 4896
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connection closed for remote public ip server address

Post by TinCanTech » Wed Jan 17, 2018 9:19 pm

So here is the first problem.

Your log:
nikfio wrote:
Wed Jan 17, 2018 3:57 pm
Thu Jan 18 00:33:35 2018 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx:80 [nonblock]
But your config reads:
nikfio wrote:
Wed Jan 17, 2018 3:57 pm
client
<--snip-->
proto udp
nikfio wrote:
Wed Jan 17, 2018 3:57 pm
I am really interested about using openVPN
I highly recommend you .. Start here:
HOWTO: For OpenVPN Community Edition

nikfio
OpenVpn Newbie
Posts: 4
Joined: Wed Jan 17, 2018 3:12 pm

Re: Connection closed for remote public ip server address

Post by nikfio » Thu Jan 18, 2018 12:18 am

TinCanTech wrote:
Wed Jan 17, 2018 9:19 pm
So here is the first problem.
While copying I forgot to correct, when I set tcp it means on both sides proto equal to tcp.
I highly recommend you .. Start here:
HOWTO: For OpenVPN Community Edition
Reading here, I get there's something I have to change. I'm trying some modifications mainly on iptables config.

nikfio
OpenVpn Newbie
Posts: 4
Joined: Wed Jan 17, 2018 3:12 pm

Re: Connection closed for remote public ip server address

Post by nikfio » Thu Jan 18, 2018 6:44 am

TinCanTech wrote: I highly recommend you .. Start here:
HOWTO: For OpenVPN Community Edition
I can't use port 1194 with remote as default gateway public ip, it is firewalled by institution. So, Is it feasible to use port 80 or 443 over tcp?

Post Reply