hello
I have an Ubuntu server with OpenVPN installed on it ....
after a big amount of effort I managed to connect to it successfully
BUT
I can only connect through an HTTP proxy....
when I try to connect directly I get the error:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
ANOTHER problem is ......
when I connect to it from China it is very slow and every blocked site is still blocked (so what is the VPN doing??)
so the problem is:
in my country I do connect but through an HTTP proxy (which makes it slower)
and in China the service is completely useless
any help would be appreciated...
Please help......openvpn not working in china
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 2
- Joined: Sat Jun 02, 2012 10:39 am
-
- OpenVpn Newbie
- Posts: 5
- Joined: Sun Jun 03, 2012 4:20 am
Re: Please help......openvpn not working in china
OpenVPN default ports are occasionally blocked in some parts of the country, and the speeds may be slow either because you are far from your server or the Great Firewall of China is throttling or slowing down the connection purposely.
I'm going to China in a few months for some personal business [visiting family and conducting business], and I'm thinking about changing my port from 1194 to an unused port such as port 8 or port 100, but I'm not exactly sure if it'll be secure. Port 443 sounds like a good alternative but it is blocked from time to time as well, and for the most part, in Xinjiang and Tibet.
-
- OpenVpn Newbie
- Posts: 5
- Joined: Sun Jun 03, 2012 4:20 am
Re: Please help......openvpn not working in china
In regard to my last post, I can say that the reason may be connected with multiple world leaders, green experts, the President and Premier of Russia, diplomats and various international world figures who have been landing in Beijing throughout the week for international meetings, delegations and conferences.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Sat Jun 02, 2012 10:39 am
Re: Please help......openvpn not working in china
well
if port 443 is not working
and it doesn't work through http proxy
how can it work then???
-
- OpenVpn Newbie
- Posts: 15
- Joined: Tue Dec 20, 2011 8:04 pm
Re: Please help......openvpn not working in china
It sounds like you aren't using encryption. The routers can find blocked sites and kill the connection, regardless of the IP address the sites are coming from.
To solve your problems, use Stunnel or ssh and tunnel Openvpn through it in TCP mode. Don't use default port numbers either, as 22 and 443 regularly get scanned after they have been accessed from China. Configure both sides of the tunnel to drop RST packets on the WAN interface, as the Chinese routers like to generate these to disrupt connections, eg
Code:
iptables -I INPUT -p tcp --tcp-flags RST RST -m state --state RELATED,ESTABLISHED -j DROP
On the client you need to alter the destination to the localhost and port which you have ssh or stunnel listening on with DNAT;
Code:
iptables -t nat -I OUTPUT -p tcp --dport 1194 -j DNAT --to-destination 127.0.0.1:443
Can you see the text "TLS: Initial packet from...." in your log file, after which nothing happens before the 60 second time out? In locations where openvpn is filtered, this initial packet will be received, but everything after will fail. However AFAIK China isn't doing this yet. Best of luck.
server stunnel.conf
Code:
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
options = DONT_INSERT_EMPTY_FRAGMENTS
pid = /tmp/stunnel.pid
cert = /tmp/etc/server.crt
key = /tmp/etc/server.key
ciphers=AES128-SHA
[openvpn]
accept = 993
connect = 1194
client stunnel.conf
Code:
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
options = DONT_INSERT_EMPTY_FRAGMENTS
pid = /tmp/stunnel.pid
cert = /tmp/client.crt
key = /tmp/client.key
ciphers=AES128-SHA
client = yes
[openvpn]
accept = 443
connect = inserthost:993
PS to make things a bit easier, you can use the same certs for stunnel as you do for openvpn. You can also disable openvpn's encryption, to decrease cpu usage ("cipher none" in your openvpn conf on both server and client)
Bitcoin donations welcome: 1KLuGeTyyffB4F5bv6bi4hYm16PfmMuS8X
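The log check described in the last reply (was "TLS: Initial packet from" logged before the 60 second timeout?) can be automated. This is an added example, not code from the thread or from the OpenVPN project; the function name, verdict labels and sample log are constructed for illustration, and it assumes OpenVPN's default timestamped log format.

```python
import re

# Timestamp, optional "ip:port" peer prefix (present in server logs), message.
LINE = re.compile(
    r"^\w{3} \w{3} +\d{1,2} [\d:]{8} \d{4} (?:(\d+\.\d+\.\d+\.\d+:\d+) )?(.*)$"
)

# Constructed sample client log with two failed attempts (not from the thread).
SAMPLE_LOG = """\
Sat Jun  2 10:40:00 2012 UDPv4 link remote: [AF_INET]198.51.100.7:1194
Sat Jun  2 10:41:00 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jun  2 10:41:00 2012 TLS Error: TLS handshake failed
Sat Jun  2 10:41:02 2012 UDPv4 link remote: [AF_INET]198.51.100.7:1194
Sat Jun  2 10:41:03 2012 TLS: Initial packet from [AF_INET]198.51.100.7:1194, sid=0a1b2c3d 4e5f6a7b
Sat Jun  2 10:42:03 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jun  2 10:42:03 2012 TLS Error: TLS handshake failed
""".splitlines()


def triage(lines):
    """Return one (peer, verdict) tuple per finished handshake attempt."""
    initial_seen = {}  # peer -> True once "TLS: Initial packet" was logged
    results = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped OpenVPN log line
        peer, msg = m.group(1) or "local", m.group(2)
        if msg.startswith("TLS: Initial packet from"):
            initial_seen[peer] = True
        elif msg.startswith("TLS Error: TLS key negotiation failed"):
            # Initial packet followed by silence is the pattern the reply
            # associates with filtering; without it, nothing arrived at all.
            seen = initial_seen.pop(peer, False)
            verdict = "stalled_after_initial_packet" if seen else "no_initial_packet"
            results.append((peer, verdict))
        elif "Peer Connection Initiated with" in msg:
            initial_seen.pop(peer, None)
            results.append((peer, "connected"))
    return results


if __name__ == "__main__":
    for peer, verdict in triage(SAMPLE_LOG):
        print(peer, verdict)
```

On a server log the same function keys each attempt by the client's `ip:port` prefix, so interleaved clients are reported separately.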