UDP vs TCP... TCP works, UDP won't!

Stuck
OpenVpn Newbie
Posts: 1
Joined: Mon May 12, 2014 5:52 pm

UDP vs TCP... TCP works, UDP won't!

Post by Stuck » Mon May 12, 2014 5:56 pm

Hi All

I recently upgraded my router to DD-WRT with the VPN option. It serves as the main router for my network and gateway to the internet. The OpenVPN server runs on it.

I have had no problems configuring the setup, except for when attempting to use UDP instead of TCP. Whenever I use TCP as the protocol, it connects no problem. When I attempt to use TCP, connecting from a remote site through the internet to the cable modem's IP, it connects no problem. When I try to connect through the internet with UDP, it fails.

Mon May 12 12:50:28 2014 UDPv4 link local: [undef]
Mon May 12 12:50:28 2014 UDPv4 link remote: [AF_INET]MY.IP.IS.HERE:21005
Mon May 12 12:51:28 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon May 12 12:51:28 2014 TLS Error: TLS handshake failed
Mon May 12 12:51:28 2014 SIGUSR1[soft,tls-error] received, process restarting

When I try to VPN directly to the router (10.0.0.1) instead of through the internet, UDP works. Here is my firewall exception on the DD-WRT router:

iptables -A INPUT -i tap0 -j ACCEPT
iptables -I INPUT -p udp --dport 21005 -j ACCEPT

I'm just puzzled as to why TCP will work, but UDP never makes it through. I don't even see the successful or dropped connects in my router's log. I have even turned off the firewall to see if it was my firewall causing the problems. Any thoughts? Thanks in advance for your help.

antfx
OpenVpn Newbie
Posts: 1
Joined: Thu Jun 11, 2015 7:51 am

Re: UDP vs TCP... TCP works, UDP won't!

Post by antfx » Thu Jun 11, 2015 7:52 am

Did you ever figure this out?

I have the same issue.. TCP works great but UDP times out. Have used the setup on other servers and they all connect fine on UDP.

dannyprods
OpenVpn Newbie
Posts: 13
Joined: Fri Jan 08, 2016 7:59 am

Re: UDP vs TCP... TCP works, UDP won't!

Post by dannyprods » Sun Jan 10, 2016 11:12 am

Same problem here, it's driving me crazy :)
Do you guys now have a solution?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: UDP vs TCP... TCP works, UDP won't!

Post by Traffic » Sun Jan 10, 2016 12:55 pm

Perhaps the client side network admins are blocking UDP packets ...

dannyprods
OpenVpn Newbie
Posts: 13
Joined: Fri Jan 08, 2016 7:59 am

Re: UDP vs TCP... TCP works, UDP won't!

Post by dannyprods » Sun Jan 10, 2016 3:50 pm

Traffic wrote: Perhaps the client side network admins are blocking UDP packets ...
I don't know if that's the problem. Because when I connect with my MacBook with wifi in the same LAN I can connect. When I do the same with my iPhone it won't work.

Could it be a restriction of my iPhone/iPad (iOS 9.2)? Or maybe a bug in the OpenVPN-iOS-app?
Thx, Danny.

CLIENT LOG
2016-01-10 16:36:30 ----- OpenVPN Start -----
OpenVPN core 3.0 ios arm64 64-bit
2016-01-10 16:36:30 UNUSED OPTIONS
6 [keepalive] [15] [60]
12 [resolv-retry] [infinite]
13 [nobind]

2016-01-10 16:36:30 LZO-ASYM init swap=0 asym=0
2016-01-10 16:36:30 EVENT: RESOLVE
2016-01-10 16:36:30 Contacting 12.34.567.89:1194 via UDP
2016-01-10 16:36:30 EVENT: WAIT
2016-01-10 16:36:30 SetTunnelSocket returned 1
2016-01-10 16:36:30 Connecting to blablabla.net:1194 (12.34.567.89) via UDPv4
2016-01-10 16:36:40 Server poll timeout, trying next remote entry...
2016-01-10 16:36:40 EVENT: RECONNECTING
2016-01-10 16:36:40 LZO-ASYM init swap=0 asym=0
2016-01-10 16:36:40 EVENT: RESOLVE
2016-01-10 16:36:40 Contacting 12.34.567.89:1194 via UDP
2016-01-10 16:36:40 EVENT: WAIT
2016-01-10 16:36:40 SetTunnelSocket returned 1
2016-01-10 16:36:40 Connecting to blablabla.net:1194 (12.34.567.89) via UDPv4
2016-01-10 16:36:50 Server poll timeout, trying next remote entry...
2016-01-10 16:36:50 EVENT: RECONNECTING
2016-01-10 16:36:50 LZO-ASYM init swap=0 asym=0
2016-01-10 16:36:50 EVENT: RESOLVE
2016-01-10 16:36:50 Contacting 12.34.567.89:1194 via UDP
2016-01-10 16:36:50 EVENT: WAIT
2016-01-10 16:36:50 SetTunnelSocket returned 1
2016-01-10 16:36:50 Connecting to blablabla.net:1194 (12.34.567.89) via UDPv4
2016-01-10 16:37:00 Server poll timeout, trying next remote entry...
2016-01-10 16:37:00 EVENT: RECONNECTING
2016-01-10 16:37:00 LZO-ASYM init swap=0 asym=0
2016-01-10 16:37:00 EVENT: RESOLVE
2016-01-10 16:37:00 Contacting 12.34.567.89:1194 via UDP
2016-01-10 16:37:00 EVENT: WAIT
2016-01-10 16:37:00 SetTunnelSocket returned 1
2016-01-10 16:37:00 Connecting to blablabla.net:1194 (12.34.567.89) via UDPv4
2016-01-10 16:37:10 Server poll timeout, trying next remote entry...
2016-01-10 16:37:10 EVENT: RECONNECTING
2016-01-10 16:37:10 LZO-ASYM init swap=0 asym=0
2016-01-10 16:37:10 EVENT: RESOLVE
2016-01-10 16:37:10 Contacting 12.34.567.89:1194 via UDP
2016-01-10 16:37:10 EVENT: WAIT
2016-01-10 16:37:10 SetTunnelSocket returned 1
2016-01-10 16:37:10 Connecting to blablabla.net:1194 (12.34.567.89) via UDPv4
2016-01-10 16:37:20 Server poll timeout, trying next remote entry...
2016-01-10 16:37:20 EVENT: RECONNECTING
2016-01-10 16:37:20 LZO-ASYM init swap=0 asym=0
2016-01-10 16:37:20 EVENT: RESOLVE
2016-01-10 16:37:20 Contacting 12.34.567.89:1194 via UDP
2016-01-10 16:37:20 EVENT: WAIT
2016-01-10 16:37:20 SetTunnelSocket returned 1
2016-01-10 16:37:20 Connecting to blablabla.net:1194 (12.34.567.89) via UDPv4
2016-01-10 16:37:30 EVENT: CONNECTION_TIMEOUT [ERR]
2016-01-10 16:37:30 EVENT: DISCONNECTED
2016-01-10 16:37:30 Raw stats on disconnect:
BYTES_OUT : 420
PACKETS_OUT : 30
CONNECTION_TIMEOUT : 1
N_RECONNECT : 5
2016-01-10 16:37:30 Performance stats on disconnect:
CPU usage (microseconds): 47312
Network bytes per CPU second: 8877
Tunnel bytes per CPU second: 0
2016-01-10 16:37:30 EVENT: DISCONNECT_PENDING
2016-01-10 16:37:30 ----- OpenVPN Stop -----

SERVER LOG
Jan 10 16:35:32 rc_service: httpd 2605:notify_rc restart_vpnd;restart_chpass
Jan 10 16:35:33 openvpn[3181]: /sbin/route del -net 10.8.0.0 netmask 255.255.255.0
Jan 10 16:35:33 openvpn[3181]: Closing TUN/TAP interface
Jan 10 16:35:33 openvpn[3181]: /sbin/ifconfig tun21 0.0.0.0
Jan 10 16:35:33 openvpn[3181]: PLUGIN_CLOSE: /usr/lib/openvpn-plugin-auth-pam.so
Jan 10 16:35:33 openvpn[3181]: SIGTERM[hard,] received, process exiting
Jan 10 16:35:35 openvpn[3239]: OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Oct 27 2015
Jan 10 16:35:35 openvpn[3239]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Jan 10 16:35:35 openvpn[3239]: Diffie-Hellman initialized with 2048 bit key
Jan 10 16:35:35 openvpn[3239]: Socket Buffers: R=[122880->131072] S=[122880->131072]
Jan 10 16:35:35 openvpn[3239]: TUN/TAP device tun21 opened
Jan 10 16:35:35 openvpn[3239]: TUN/TAP TX queue length set to 100
Jan 10 16:35:35 openvpn[3239]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan 10 16:35:35 openvpn[3239]: /sbin/ifconfig tun21 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Jan 10 16:35:36 openvpn[3239]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Jan 10 16:35:36 openvpn[3248]: UDPv4 link local (bound): [undef]
Jan 10 16:35:36 openvpn[3248]: UDPv4 link remote: [undef]
Jan 10 16:35:36 openvpn[3248]: MULTI: multi_init called, r=256 v=256
Jan 10 16:35:36 openvpn[3248]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Jan 10 16:35:36 openvpn[3248]: Initialization Sequence Completed
Jan 10 16:36:30 openvpn[3248]: 192.168.1.105:65457 TLS: Initial packet from [AF_INET]192.168.1.105:65457, sid=70f0b21b bcc781bb
Jan 10 16:36:39 openvpn[3248]: 192.168.1.105:64855 TLS: Initial packet from [AF_INET]192.168.1.105:64855, sid=4c7dd5a7 b6530181
Jan 10 16:36:49 openvpn[3248]: 192.168.1.105:52576 TLS: Initial packet from [AF_INET]192.168.1.105:52576, sid=de52ff38 440103ac
Jan 10 16:36:59 openvpn[3248]: 192.168.1.105:60695 TLS: Initial packet from [AF_INET]192.168.1.105:60695, sid=fcf92264 fb6c9c5e
Jan 10 16:37:09 openvpn[3248]: 192.168.1.105:60017 TLS: Initial packet from [AF_INET]192.168.1.105:60017, sid=8c760a0f aa053796
Jan 10 16:37:19 openvpn[3248]: 192.168.1.105:58348 TLS: Initial packet from [AF_INET]192.168.1.105:58348, sid=c5001a8a 0f3c7c72
Jan 10 16:37:30 openvpn[3248]: 192.168.1.105:65457 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 10 16:37:30 openvpn[3248]: 192.168.1.105:65457 TLS Error: TLS handshake failed
Jan 10 16:37:30 openvpn[3248]: 192.168.1.105:65457 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 10 16:37:39 openvpn[3248]: 192.168.1.105:64855 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 10 16:37:39 openvpn[3248]: 192.168.1.105:64855 TLS Error: TLS handshake failed
Jan 10 16:37:39 openvpn[3248]: 192.168.1.105:64855 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 10 16:37:49 openvpn[3248]: 192.168.1.105:52576 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 10 16:37:49 openvpn[3248]: 192.168.1.105:52576 TLS Error: TLS handshake failed
Jan 10 16:37:49 openvpn[3248]: 192.168.1.105:52576 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 10 16:37:59 openvpn[3248]: 192.168.1.105:60695 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 10 16:37:59 openvpn[3248]: 192.168.1.105:60695 TLS Error: TLS handshake failed
Jan 10 16:37:59 openvpn[3248]: 192.168.1.105:60695 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 10 16:38:09 openvpn[3248]: 192.168.1.105:60017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 10 16:38:09 openvpn[3248]: 192.168.1.105:60017 TLS Error: TLS handshake failed
Jan 10 16:38:09 openvpn[3248]: 192.168.1.105:60017 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 10 16:38:19 openvpn[3248]: 192.168.1.105:58348 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 10 16:38:19 openvpn[3248]: 192.168.1.105:58348 TLS Error: TLS handshake failed
Jan 10 16:38:19 openvpn[3248]: 192.168.1.105:58348 SIGUSR1[soft,tls-error] received, client-instance restarting

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: UDP vs TCP... TCP works, UDP won't!

Post by Traffic » Sun Jan 10, 2016 6:26 pm

I suggest you post your server and client config files.

dannyprods
OpenVpn Newbie
Posts: 13
Joined: Fri Jan 08, 2016 7:59 am

Re: UDP vs TCP... TCP works, UDP won't!

Post by dannyprods » Sun Jan 10, 2016 6:42 pm

Traffic wrote:I suggest you post your server and client config files.
Thx for looking at it:

---------------
Server Settings
---------------
Interface Type: TUN
Protocol: UDP
Server Port: 1194
Firewall: Auto (I also tried the other 2 options, custom and external only)
Authorization Mode: TLS
Username/Password Auth. Only: No
Extra HMAC authorization: Disable
VPN Subnet/Netmask: 10.8.0.0 / 255.255.255.0
Poll Interval: 0
Push LAN to Clients: Yes
Direct Clients to redirect Internet Traffic: Yes
Respond to DNS: No
Encryption Cipher: Default
Compression: Adaptive
TLS Renegotiation Time: -1
Manage Client-Specific Options: No

-----------
Config File
-----------
client
dev tun
proto udp
remote blablabla.net 1194
float
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
blablabla

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: UDP vs TCP... TCP works, UDP won't!

Post by Traffic » Mon Jan 11, 2016 3:55 pm

dannyprods wrote:Jan 10 16:35:36 openvpn[3248]: Initialization Sequence Completed
Jan 10 16:36:30 openvpn[3248]: 192.168.1.105:65457 TLS: Initial packet from [AF_INET]192.168.1.105:65457, sid=70f0b21b bcc781bb
Is 192.168.1.105 your client IP on your LAN or your router IP on your LAN ?

dannyprods
OpenVpn Newbie
Posts: 13
Joined: Fri Jan 08, 2016 7:59 am

Re: UDP vs TCP... TCP works, UDP won't!

Post by dannyprods » Mon Jan 11, 2016 5:02 pm

Traffic wrote:
dannyprods wrote:Jan 10 16:35:36 openvpn[3248]: Initialization Sequence Completed
Jan 10 16:36:30 openvpn[3248]: 192.168.1.105:65457 TLS: Initial packet from [AF_INET]192.168.1.105:65457, sid=70f0b21b bcc781bb
Is 192.168.1.105 your client IP on your LAN or your router IP on your LAN ?
192.168.1.105 is the client on my LAN (iPhone).

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: UDP vs TCP... TCP works, UDP won't!

Post by Traffic » Mon Jan 11, 2016 8:46 pm

It appears this client tries to connect to your public IP:
dannyprods wrote:2016-01-10 16:36:30 Contacting 12.34.567.89:1194 via UDP
while your server thinks it is a local connection:
dannyprods wrote:Jan 10 16:36:30 openvpn[3248]: 192.168.1.105:65457 TLS: Initial packet from [AF_INET]192.168.1.105:65457, sid=70f0b21b bcc781bb
You must have configured your router badly ..
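
Added example, not part of any post in this thread: a Python check that lines up the client and server logs the way Traffic does above, flagging sessions where the server saw the first packet but the handshake never finished, and where the client dialled a non-LAN remote while the server logged a LAN source. The log lines are constructed from the thread's format; `203.0.113.10` is an assumed stand-in for the redacted public address, and the function names are hypothetical.

```python
import ipaddress
import re

# RFC 1918 ranges, listed explicitly: ipaddress.is_private also matches
# documentation ranges such as the constructed 203.0.113.10 used below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CONTACT = re.compile(r"Contacting (\S+):(\d+) via UDP")
INITIAL = re.compile(r"TLS: Initial packet from \[AF_INET\]([\d.]+):(\d+)")
FAILED = re.compile(r"([\d.]+):(\d+) TLS Error: TLS handshake failed")

def is_lan(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # redacted or malformed address in a posted log
        return False
    return any(ip in net for net in RFC1918)

def diagnose(client_log, server_log):
    remotes = {m.group(1) for m in CONTACT.finditer(client_log)}
    started = {m.groups() for m in INITIAL.finditer(server_log)}
    failed = {m.groups() for m in FAILED.finditer(server_log)}
    stalled = sorted(started & failed)  # first packet seen, handshake never done
    return {
        "client_timeouts": client_log.count("Server poll timeout"),
        "server_saw_client": bool(started),
        "stalled_sessions": stalled,
        # Client dialled a non-LAN remote, yet the server logged a LAN source:
        # the server is treating the session as a local connection.
        "lan_source_for_public_remote": any(not is_lan(r) for r in remotes)
        and any(is_lan(src) for src, _ in stalled),
    }

# Constructed sample lines modelled on the logs posted in this thread.
CLIENT_LOG = """\
2016-01-10 16:36:30 Contacting 203.0.113.10:1194 via UDP
2016-01-10 16:36:40 Server poll timeout, trying next remote entry...
2016-01-10 16:36:40 Contacting 203.0.113.10:1194 via UDP
2016-01-10 16:36:50 Server poll timeout, trying next remote entry...
"""
SERVER_LOG = """\
Jan 10 16:36:30 openvpn[3248]: 192.168.1.105:65457 TLS: Initial packet from [AF_INET]192.168.1.105:65457, sid=70f0b21b bcc781bb
Jan 10 16:36:39 openvpn[3248]: 192.168.1.105:64855 TLS: Initial packet from [AF_INET]192.168.1.105:64855, sid=4c7dd5a7 b6530181
Jan 10 16:37:30 openvpn[3248]: 192.168.1.105:65457 TLS Error: TLS handshake failed
Jan 10 16:37:39 openvpn[3248]: 192.168.1.105:64855 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    print(diagnose(CLIENT_LOG, SERVER_LOG))
```

A result with `server_saw_client` true and a non-zero `client_timeouts` means packets reach the server but the client gets no usable reply, which narrows the search to the return path rather than the inbound firewall rule.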

dannyprods
OpenVpn Newbie
Posts: 13
Joined: Fri Jan 08, 2016 7:59 am

Re: UDP vs TCP... TCP works, UDP won't!

Post by dannyprods » Mon Jan 11, 2016 8:59 pm

Traffic wrote:It appears this client tries to connect to your public IP:
dannyprods wrote:2016-01-10 16:36:30 Contacting 12.34.567.89:1194 via UDP
while your server thinks it is a local connection:
dannyprods wrote:Jan 10 16:36:30 openvpn[3248]: 192.168.1.105:65457 TLS: Initial packet from [AF_INET]192.168.1.105:65457, sid=70f0b21b bcc781bb
You must have configured your router badly ..
The only thing I did with 192.168.1.105 is manually assigned it in the DHCP list (MAC address iPhone). I did some port forwarding but none forwarded to the VPN Server.
Can you tell me where the problem possibly is? And why is TCP working and UDP not?

Thx!

dannyprods
OpenVpn Newbie
Posts: 13
Joined: Fri Jan 08, 2016 7:59 am

Re: UDP vs TCP... TCP works, UDP won't!

Post by dannyprods » Wed Jan 20, 2016 7:31 am

Just updated to iOS 9.2.1. Problem not solved.
I don't get it, why does TCP work and UDP won't?

superdx
OpenVpn Newbie
Posts: 18
Joined: Sun Feb 14, 2016 4:37 pm

Re: UDP vs TCP... TCP works, UDP won't!

Post by superdx » Wed Feb 17, 2016 2:02 pm

I don't know if you ever got this solved but it looks like a firewall problem? Have you tried turning everything (ufw) off and see if that solves it? Then you can re-enable ufw / iptables one at a time.

In another thread, where I just found a workaround, iOS seems to have issues resolving DNS. Symptoms were similar: Mac could connect fine with the same config files (no handshake errors or anything like that), iOS could not.

Typing in the DNS server on the iOS device fixed it immediately for me, but it's still a bug in the app. Dreading the thought of having to do that every time I connect to a new wifi hotspot.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: UDP vs TCP... TCP works, UDP won't!

Post by Traffic » Fri Feb 19, 2016 2:16 am

Re: The Title of this thread..
UDP vs TCP... TCP works, UDP won't!
Use TCP ..

Then probe on common UDP ports .. like DNS

Otherwise .. complain to your carrier ..

dannyprods
OpenVpn Newbie
Posts: 13
Joined: Fri Jan 08, 2016 7:59 am

Re: UDP vs TCP... TCP works, UDP won't!

Post by dannyprods » Fri Feb 19, 2016 12:22 pm

I just set my router to factory settings and installed the latest Merlin firmware. I configured the router from scratch but the problem isn't solved. I even exported new ovpn-files and imported them into the OpenVPN-iOS-app. It doesn't even work with the firewall disabled.

I also called my carrier, they can't help me. They block nothing, they say.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: UDP vs TCP... TCP works, UDP won't!

Post by Traffic » Fri Feb 19, 2016 12:33 pm

Can you post your server log ?

LordGybator
OpenVpn Newbie
Posts: 1
Joined: Wed Nov 01, 2023 6:13 am

Re: UDP vs TCP... TCP works, UDP won't!

Post by LordGybator » Wed Nov 01, 2023 6:15 am

There is probably a misconfiguration in your firewall rules.

1. Select Firewall, and then Rules.
2. Click the WAN sub-menu.
3. Next, click Add to create a new rule.
4. Choose between IPv4 and IPv4 + IPv6, depending on your setup. The default is IPv4.
5. The Protocol should be set to UDP, and the Source set to Any.
6. The Destination Port Range should be set to the port your server runs on.
7. Name your rule in the Description section.
8. Click Save, and Apply Changes to finish.
