TCP client-server mode - Connect to client Net

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
bortek
OpenVpn Newbie
Posts: 4
Joined: Mon Nov 01, 2021 9:52 am

TCP client-server mode - Connect to client Net

Post by bortek » Wed Jul 20, 2022 12:17 pm

I had a Net-to-Net OpenVPN setup which was working fine, until recently when my mobile operator provider changed and UDP started to fail for some reason, likely MTU size. But at that time I did not have a chance to test it.

As a quick fix I had to change the protocol from UDP to TCP and that solved it. But the communication became unidirectional, that is, from the client net I can access the nodes on the server net, but not the other way around. Right now I cannot change anything on the client side since that node is in a different location (think of it as on the moon). So the only way to play around is to change the config on the server side. I want to be able to reach the client net from the server net, or particular nodes on the client net.

I have tried to add the following on the server side config without any success:

client-to-client
mode server

My configs look like this. Any chance to get this working on TCP and without changing anything on the client side?

Client side net is 192.168.1.0 and has this config:
client

dev tun
remote myhost.com
port 12345
proto tcp-client

ifconfig 10.1.0.2 10.1.0.1

tls-client
cipher AES-256-CBC
auth SHA512
persist-tun
persist-key
verb 3


<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>



Server side has the 192.168.0.0 net and this config:
server

dev tun

ifconfig 10.1.0.1 10.1.0.2
route 192.168.1.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "route 10.1.0.0 255.255.255.0"

tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem

cipher AES-256-CBC
auth SHA512
port 12345

#client-to-client
#mode server
#duplicate-cn

proto tcp-server

user nobody
group nobody
persist-tun
persist-key

verb 3

daemon somenamehere

keepalive 10 300

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: TCP client-server mode - Connect to client Net

Post by TinCanTech » Wed Jul 20, 2022 1:16 pm

bortek wrote (Wed Jul 20, 2022 12:17 pm):
> I had to change the protocol from UDP to TCP and that solved it. But the communication became unidirectional

Changing protocol has no such effect, therefore you must have changed something else.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: TCP client-server mode - Connect to client Net

Post by openvpn_inc » Fri Jul 22, 2022 2:17 pm

Hi bortek,

See --ifconfig in the manual. It's a subtle thing: when you specify "ifconfig local-endpoint remote-endpoint" as you did, what you have is not a client-server in openvpn terms, it is a --mode p2p peer connection.

As a result all your client-specific or server-specific options won't work. --mode server can't work when you have implicitly told openvpn that it is a p2p instance.

TCP for OpenVPN is generally anywhere from a bad idea to a VERY bad idea. If a change in your ISP resulted in UDP OpenVPN failures, the problem is in your ISP. Complain to them and look for better providers.

I could also mention, using the networks you have chosen will limit you in the future. Every off-the-shelf router will use one of those networks. Most routers will allow you to change the LAN network address; again as with the ISP, if yours does not allow this, it is garbage. Get rid of it. Also, --cipher is deprecated if you do try to make your VPN into a client/server. (It's still appropriate for p2p, I think.)

regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
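As an added example (not code from this thread, from OpenVPN, or from the poster), a small Python check that applies the rule rob0 points to: without `server` or `mode server`, OpenVPN runs as --mode p2p, so a bare `ifconfig <local> <remote>` is a peer link and server-only directives such as `client-to-client` and `push` do nothing. The list of server-only directives and the two sample configs are constructed for the example.

```python
# Added example (not from the thread): detect the p2p-vs-server mix-up.
# OpenVPN treats a config without `server` or `mode server` as --mode p2p,
# so an explicit `ifconfig <local> <remote>` on its own is a point-to-point
# peer and the server-only directives below are silently ineffective.
import shlex

# Directives that only act in --mode server (assumed, non-exhaustive list).
SERVER_ONLY = {"client-to-client", "push", "client-config-dir", "ccd-exclusive",
               "duplicate-cn", "max-clients", "ifconfig-pool"}

def parse_config(text):
    """Split a config into (directive, args) pairs; skips comments and inline <ca>/<cert>/<key> blocks."""
    entries, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("</"):          # end of an inline PEM block
            in_block = False
            continue
        if line.startswith("<"):           # start of an inline PEM block
            in_block = True
            continue
        if in_block:
            continue
        parts = shlex.split(line)          # keeps push "route ..." as one argument
        entries.append((parts[0], parts[1:]))
    return entries

def effective_mode(entries):
    """`server` (the helper directive) or `mode server` selects server mode; anything else is p2p."""
    for directive, args in entries:
        if directive == "server" or (directive == "mode" and args[:1] == ["server"]):
            return "server"
    return "p2p"

def ineffective_directives(entries):
    """Server-only directives that OpenVPN will not act on because the config resolves to p2p."""
    if effective_mode(entries) == "server":
        return []
    return sorted({d for d, _ in entries if d in SERVER_ONLY})

# Constructed sample: the thread's server config, trimmed, with the commented-out lines enabled.
P2P_SERVER = """
dev tun
ifconfig 10.1.0.1 10.1.0.2
route 192.168.1.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
tls-server
client-to-client
proto tcp-server
"""
# Constructed variant using the `server` helper, which implies --mode server.
REAL_SERVER = P2P_SERVER.replace("ifconfig 10.1.0.1 10.1.0.2", "server 10.1.0.0 255.255.255.0")

if __name__ == "__main__":
    for name, cfg in (("static ifconfig", P2P_SERVER), ("server helper", REAL_SERVER)):
        entries = parse_config(cfg)
        print(name, "->", effective_mode(entries), ineffective_directives(entries))
```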

bortek
OpenVpn Newbie
Posts: 4
Joined: Mon Nov 01, 2021 9:52 am

Re: TCP client-server mode - Connect to client Net

Post by bortek » Fri Aug 12, 2022 7:37 pm

You are right. I have changed it back to the other ISP (which was working bi-directionally) and also changed the protocol back to UDP, but the communication is still unidirectional. There is something else going on here. Any idea what it could be?
