Unable to connect OpenVPN GUI

[I'm]

Hi ...

I'm new to OpenVPN and have some problem with it.
I try to use OpeVPN as Anti-Censorship tunnel to surf the internet safely and secure so I try to use OpenVPN GUI and install it on my VPS and config both client.ovpn and server.ovpn

here is my config files

Code: Select all

local X.X.X.X
port 1325
proto tcp
dev tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"  
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push “redirect-gateway"
push “dhcp-option DNS 208.67.222.222"
push “dhcp-option DNS 208.67.220.220"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status server-tcp.log
verb 3

Code: Select all

client
dev tun
proto tcp
remote X.X.X.X 1325
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.key"
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3

but when i try to connect its faild here is the log

Code: Select all

Tue Mar 01 23:47:16 2011 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Tue Mar 01 23:47:16 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Mar 01 23:47:16 2011 LZO compression initialized
Tue Mar 01 23:47:16 2011 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Mar 01 23:47:16 2011 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 01 23:47:16 2011 Local Options hash (VER=V4): '958c5492'
Tue Mar 01 23:47:16 2011 Expected Remote Options hash (VER=V4): '79ef4284'
Tue Mar 01 23:47:16 2011 Attempting to establish TCP connection with X.X.X.X:1325
Tue Mar 01 23:47:17 2011 TCP: connect to X.X.X.X:1325 failed, will try again in 5 seconds
Tue Mar 01 23:47:22 2011 TCP: connect to X.X.X.X:1325 failed, will try again in 5 seconds
Tue Mar 01 23:47:28 2011 TCP: connect to X.X.X.X:1325 failed, will try again in 5 seconds
Tue Mar 01 23:47:34 2011 TCP: connect to X.X.X.X:1325 failed, will try again in 5 seconds

what should i do?

[janjust]

the message

TCP: connect to X.X.X.X:1325 failed, will try again in 5 seconds

suggests that a firewall is blocking you; try port 443 to see if the firewall is less restrictive for that port.

[I'm]

the message

TCP: connect to X.X.X.X:1325 failed, will try again in 5 seconds

suggests that a firewall is blocking you; try port 443 to see if the firewall is less restrictive for that port.

Nope ... Same Error! nothing changed!

[I'm]

And here is the log with port 443

Code: Select all

Wed Mar 02 19:39:55 2011 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Wed Mar 02 19:39:55 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Mar 02 19:39:55 2011 LZO compression initialized
Wed Mar 02 19:39:55 2011 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Mar 02 19:39:55 2011 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Mar 02 19:39:55 2011 Local Options hash (VER=V4): '958c5492'
Wed Mar 02 19:39:55 2011 Expected Remote Options hash (VER=V4): '79ef4284'
Wed Mar 02 19:39:55 2011 Attempting to establish TCP connection with X.X.X.X:443
Wed Mar 02 19:39:57 2011 TCP: connect to X.X.X.X:443 failed, will try again in 5 seconds
Wed Mar 02 19:40:04 2011 TCP/UDP: Closing socket
Wed Mar 02 19:40:04 2011 SIGTERM[hard,init_instance] received, process exiting

I guess this could be useful that when i use udp the error is changed.here is log:

Code: Select all

Wed Mar 02 19:43:57 2011 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Wed Mar 02 19:43:57 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Mar 02 19:43:57 2011 LZO compression initialized
Wed Mar 02 19:43:57 2011 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Mar 02 19:43:57 2011 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Mar 02 19:43:57 2011 Local Options hash (VER=V4): '22188c5b'
Wed Mar 02 19:43:57 2011 Expected Remote Options hash (VER=V4): 'a8f55717'
Wed Mar 02 19:43:57 2011 UDPv4 link local: [undef]
Wed Mar 02 19:43:57 2011 UDPv4 link remote: X.X.X.X:11555
Wed Mar 02 19:43:58 2011 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Mar 02 19:44:01 2011 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Mar 02 19:44:02 2011 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Mar 02 19:44:04 2011 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Mar 02 19:44:05 2011 TCP/UDP: Closing socket
Wed Mar 02 19:44:05 2011 SIGTERM[hard,] received, process exiting

[janjust]

nope, the udp error and tcp error are closely related; something is blocking access; try running the server on port 443, then open a CMD.EXE window on the client and use 'telnet <remote-ip> 443' to see if you can get a connection .

[I'm]

nope, the udp error and tcp error are closely related; something is blocking access; try running the server on port 443, then open a CMD.EXE window on the client and use 'telnet <remote-ip> 443' to see if you can get a connection .

OK...and the error is the same.
Port 443 and udp

Code: Select all

UDPv4 link remote: X.X.X.X:443
read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)

[maikcat]

hi there,

the telnet test janjust mentioned works only if tcp is used.

you have to check 3 things:

1)if router on your client side is blocking outbound access
2)if router on your server side is blocking inbound access
3)if vpn server itself performs any type of filtering

cheers,

michael.

[I'm]

hi there,

the telnet test janjust mentioned works only if tcp is used.

you have to check 3 things:

1)if router on your client side is blocking outbound access
2)if router on your server side is blocking inbound access
3)if vpn server itself performs any type of filtering

cheers,

michael.

Hi...
i think i found what's the problem!
The ISP is blocking any kind of package which have some parameters in their headers.
for example if in the header of package which send from openvpn some sort of detail available which shows that it's a openvpn package and contain of it encrypted they drop this to not allow people tunneling the censorship engine so is there anything available to change the header of packages? like some sort of script or things like that?

I already use ta.key but nothing changed.
here is my config files and log file

server config file

Code: Select all

local X.X.X.X
port 443
proto tcp
dev tun
ifconfig 10.9.0.1 255.255.255.0
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"  
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"
tls-auth "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ta.key" 0
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30
comp-lzo
cipher AES-256-CBC
persist-key
persist-tun
status server-tcp.log
verb 3

client config file

Code: Select all

client
dev tap
proto tcp
remote X.X.X.X 54698
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\asghar.crt"
key  "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\asghar.key"
tls-auth "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ta.key" 1
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3

Server log

Code: Select all

Thu Mar 03 09:30:31 2011 MULTI: multi_create_instance called
Thu Mar 03 09:30:31 2011 Re-using SSL/TLS context
Thu Mar 03 09:30:31 2011 LZO compression initialized
Thu Mar 03 09:30:31 2011 Control Channel MTU parms [ L:1549 D:168 EF:68 EB:0 ET:0 EL:0 ]
Thu Mar 03 09:30:31 2011 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Mar 03 09:30:31 2011 Local Options hash (VER=V4): 'eca919a6'
Thu Mar 03 09:30:31 2011 Expected Remote Options hash (VER=V4): 'faf8d2b2'
Thu Mar 03 09:30:31 2011 TCP connection established with Y.Y.Y.Y:18003
Thu Mar 03 09:30:31 2011 TCPv4_SERVER link local: [undef]
Thu Mar 03 09:30:31 2011 TCPv4_SERVER link remote: Y.Y.Y.Y:18003
Thu Mar 03 09:30:31 2011 Y.Y.Y.Y:18003 TLS: Initial packet from Y.Y.Y.Y:18003, sid=7f19c2aa f81a8645
Thu Mar 03 09:31:31 2011 Y.Y.Y.Y:18003 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Mar 03 09:31:31 2011 Y.Y.Y.Y:18003 TLS Error: TLS handshake failed
Thu Mar 03 09:31:31 2011 Y.Y.Y.Y:18003 Fatal TLS error (check_tls_errors_co), restarting
Thu Mar 03 09:31:31 2011 Y.Y.Y.Y:18003 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Mar 03 09:31:31 2011 TCP/UDP: Closing socket

Client log

Code: Select all

Thu Mar 03 19:00:27 2011 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov  8 2010
Thu Mar 03 19:00:27 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Mar 03 19:00:27 2011 Control Channel Authentication: using 'C:\Program Files\OpenVPN\easy-rsa\keys\ta.key' as a OpenVPN static key file
Thu Mar 03 19:00:27 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 03 19:00:27 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 03 19:00:27 2011 LZO compression initialized
Thu Mar 03 19:00:27 2011 Control Channel MTU parms [ L:1549 D:168 EF:68 EB:0 ET:0 EL:0 ]
Thu Mar 03 19:00:27 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Mar 03 19:00:27 2011 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Mar 03 19:00:27 2011 Local Options hash (VER=V4): 'faf8d2b2'
Thu Mar 03 19:00:27 2011 Expected Remote Options hash (VER=V4): 'eca919a6'
Thu Mar 03 19:00:27 2011 Attempting to establish TCP connection with X.X.X.X:443
Thu Mar 03 19:00:27 2011 TCP connection established with X.X.X.X:443
Thu Mar 03 19:00:27 2011 TCPv4_CLIENT link local: [undef]
Thu Mar 03 19:00:27 2011 TCPv4_CLIENT link remote: X.X.X.X:443
Thu Mar 03 19:00:28 2011 TLS: Initial packet from X.X.X.X:443, sid=9f09d0c3 0b3e549a
Thu Mar 03 19:01:27 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Mar 03 19:01:27 2011 TLS Error: TLS handshake failed
Thu Mar 03 19:01:27 2011 Fatal TLS error (check_tls_errors_co), restarting
Thu Mar 03 19:01:27 2011 TCP/UDP: Closing socket
Thu Mar 03 19:01:27 2011 SIGUSR1[soft,tls-error] received, process restarting
Thu Mar 03 19:01:27 2011 Restart pause, 5 second(s)

[janjust]

OpenVPN does not disguise itself in any way: modern routers/firewalls which do stateful packet inspection can easily pick out OpenVPN traffic. If this is the case for your ISP/country then you're out of luck ; I'd recommend to investigat an 'stunnel' or SOCKS proxy setup to see if you can duck the firewall-radar.

[I'm]

OpenVPN does not disguise itself in any way: modern routers/firewalls which do stateful packet inspection can easily pick out OpenVPN traffic. If this is the case for your ISP/country then you're out of luck ; I'd recommend to investigat an 'stunnel' or SOCKS proxy setup to see if you can duck the firewall-radar.

with a small trick i change the header of my package which is i install a proxy server software on my server and sent my openvpn data through that proxy so the header is changed and i connected successfully but the problem is very low speed in data transfer through the openvpn about 80~100 KBiT/S which is very low!

I already able to use L2TP/IPSec VPN but the problem is L2TP VPN has specific port (UDP 1701) and every time it's possible to block the data transfer on this port and it's the same with PPTP which is (TCP 1723) and it's the pros of OpenVPN that i can choose the port and protocol.

I read some treads which said use lighter encryption and i did this but the speed doesn't change and it remains the same and some others said use UDP which is I'm unable to use because i sent data through the proxy which means i must use tcp
what do you guys suggest?

[janjust]

running openvpn over tcp often results in tcp-over-tcp deadlock; try reducing the MTU size on both ends to see if that helps

Code: Select all

tun-mtu 1400

Another option that sometimes helps is to add

Code: Select all

tcp-nodelay

to the server - this can speed up the connection a bit as well.