OpenVPN Support Forum

Hello,

I have an OpenVPN AS setup in AWS. I have it set up behind AWS Elastic Load Balancer (ELB). I have the following configuration in the "Additional OpenVPN Config Directives (Advanced)" section:

-remote *
remote openvpn.xxxx.co.uk 443 tcp

openvpn.xxxx.co.uk is a DNS record pointing to the ELB.

I then download the client and attempt the connection. In the client logs, I see this:

Fri May 13 09:10:41 2016 Control Channel Authentication: tls-auth using INLINE static key file
Fri May 13 09:10:41 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 13 09:10:41 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 13 09:10:41 2016 Socket Buffers: R=[87380->200000] S=[16384->200000]
Fri May 13 09:10:41 2016 Attempting to establish TCP connection with [AF_INET]52.18.69.XXX:443 [nonblock]
Fri May 13 09:10:42 2016 TCP connection established with [AF_INET]52.18.69.XXX:443
Fri May 13 09:10:42 2016 TCPv4_CLIENT link local: [undef]
Fri May 13 09:10:42 2016 TCPv4_CLIENT link remote: [AF_INET]52.18.69.XXX:443
Fri May 13 09:10:42 2016 WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1544 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Fri May 13 09:10:42 2016 Connection reset, restarting [0]
Fri May 13 09:10:42 2016 SIGUSR1[soft,connection-reset] received, process restarting
Fri May 13 09:10:42 2016 Restart pause, 5 second(s)

The ELB resolves to "52.18.69.XXX" and another IP. The client resolves the DNS query and contacts one of the ELB nodes and thinks that is the OpenVPN server and fails with that error.

When I change the DNS record to the IP of the OpenVPN AS server, it works like a charm.

How do I get this working? Anyone done this already?

Any help, much appreciated.

Thanks!
~Y

We don't support Access Server behind a load balancer.

But to address your immediate problem, about the bad encapsulated packet length, you could try to set MTU 1500 on the network interface on your Access Server system yourself, see if that resolves it.

MTU is by default set to 1500 and I have set it as well in the directive. It works if I change the DNS to IP of the server rather than LB.

So if I understand right, the Access Server is not designed to run behind a LB at all?

Yeah, you understand correctly.

HI Team,

We are trying to use openvpn server behind load balancer in aws, we have given load balancer arn as a server name in network settings of openvpn ui, we have used market place ami for openvpn, openvpn client is not connecting and throwing below errors,

Sat Sep 8 12:45:26 2018 Connection reset, restarting [0]
Sat Sep 8 12:45:26 2018 SIGUSR1[soft,connection-reset] received, process restarting
Sat Sep 8 12:45:26 2018 Restart pause, 5 second(s)
Sat Sep 8 12:45:31 2018 Control Channel Authentication: tls-auth using INLINE static key file
Sat Sep 8 12:45:31 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 8 12:45:31 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 8 12:45:31 2018 Socket Buffers: R=[212992->200000] S=[212992->200000]
Sat Sep 8 12:45:31 2018 UDPv4 link local: [undef]
Sat Sep 8 12:45:31 2018 UDPv4 link remote: [AF_INET]35.161.41.141:1194
Sat Sep 8 12:45:35 2018 Server poll timeout, restarting
Sat Sep 8 12:45:35 2018 SIGUSR1[soft,server_poll] received, process restarting
Sat Sep 8 12:45:35 2018 Control Channel Authentication: tls-auth using INLINE static key file
Sat Sep 8 12:45:35 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 8 12:45:35 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 8 12:45:35 2018 Socket Buffers: R=[212992->200000] S=[212992->200000]
Sat Sep 8 12:45:35 2018 UDPv4 link local: [undef]
Sat Sep 8 12:45:35 2018 UDPv4 link remote: [AF_INET]50.112.188.112:1194
Sat Sep 8 12:45:39 2018 Server poll timeout, restarting
Sat Sep 8 12:45:39 2018 SIGUSR1[soft,server_poll] received, process restarting


Mon Sep 10 21:43:58 2018 WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1563 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]


please let us know if still Openvpn Server is not designed to run behind a LB at all, since this doc has updated long back.

Is there any chance to get this done with any configuration changes, can we have any detailed instructions to configure openvpn behind load balancer ?

No, it's not supported to run it behind a load balancer.

Hello, just checking to see if it's supported in 2020

hello , want to check if this is supported now
We really want to use the open VPN behind load balancers , as we just can not expose the external IPs on a bare ec2 instance

The goals of application aware load balancer (also known as Layer 7 load balancer) is not compatible with the goals of a VPN. L7 LBs will manipulate network packets while any good VPN must reject network packet manipulation.

It isn't up to OpenVPN to support a LB. Rather, it is up to the LB product to support VPN by avoiding manipulation of the network packets.

You might have greater success if you use a Layer 4 LB (preferably with Direct Server Return). AWS ELB in Gateway Load Balancer mode /might/ provide this. The question is if AWS ELB supports OpenVPN is best answered by AWS support.

Hello.
OpenVPN behind an AWS NLB (layer 4) appears to now work for me "out of the box" ..?...

My problem is that this does not work on GCP.
I figure[d] this is because GCP NLB does DSR (Direct Server Return), while AWS NLB does not.

But, this appears to contradict what @chilinux says above....

Hi Bill,

Generally the best way to have high availability is to use the Access Server clustering feature.
https://openvpn.net/for/access-server-clustering/
https://openvpn.net/vpn-server-resource ... r-cluster/

Your LB will work if it passes unmodified packets directly to Access Server, just as if it was a normal router. But it won't really provide any benefit over just using a normal router.

The only way for LBs to do anything useful for Access Server would be if the LB could decrypt and interpret the packets. But that sounds woefully insecure.

regards, rob0

I am not needing high availability; I have only one Access Server in this setup.

I am using GCP NLB for other aspects, as I was on AWS.
The NLBs are layer 4 .

You can easily try this yourself. There is some issue.
I now suspect the problem is that Access Server, in multi-daemon mode, does not appear to be listening, on udp.1194, for example.
If I set Access Server to single-daemon (udp) mode, my clients then connect!

Hello Bill Stuzd,

To reiterate - we don't support Access Server behind a load balancer.

That aside, you say in multi-daemon mode Access Server doesn't work. But in our QA tests we always test if Access Server is listening in multi-daemon mode. I run an Access Server running in multi-daemon mode even now. It's working. However you will not see UDP port 1194 open in the usual programs such as netstat or such. That is because iptables is doing load balancing between the multiple UDP daemons. Therefore in iptables you can see the rule for the UDP port used for incoming VPN connections.

Perhaps there is some condition in which the combination of using your own load balancer and multi-daemon load balancing in Access Server is causing a problem. But then.... we don't support Access Server behind a load balancer. If you can test without using a load balancer, you might see that it works correctly. But if introducing the load balancer causes problems, then I'm sorry, but then I don't have an answer for you here.

Kind regards,
Johan

Hello, Bill Stuzd, its possible, only one small trick. You need 2 load balancers, ALB for 80 443 webUI and NLB (TCP 443 TCP 943 UDP 1194) for hostname. Just set dns record of NLB balancer to your "Configuration -> Network Settings -> Hostname"

Cody wrote: ↑

Thu Jul 14, 2022 1:35 am

Hello, Bill Stuzd, its possible, only one small trick. You need 2 load balancers, ALB for 80 443 webUI and NLB (TCP 443 TCP 943 UDP 1194) for hostname. Just set dns record of NLB balancer to your "Configuration -> Network Settings -> Hostname"

Hello, Did you really succeed in SSL-VPN communication with this setup?
I set it up, but could not communicate.
Please let us know all the other settings on the OpenVPN Access Server side? I would like to run OpenVPN Access Server behind NLB too if I can.

Kind Regards,

gog wrote: ↑

Sun Aug 28, 2022 5:00 am

Cody wrote: ↑

Thu Jul 14, 2022 1:35 am

Hello, Bill Stuzd, its possible, only one small trick. You need 2 load balancers, ALB for 80 443 webUI and NLB (TCP 443 TCP 943 UDP 1194) for hostname. Just set dns record of NLB balancer to your "Configuration -> Network Settings -> Hostname"

Hello, Did you really succeed in SSL-VPN communication with this setup?
I set it up, but could not communicate.
Please let us know all the other settings on the OpenVPN Access Server side? I would like to run OpenVPN Access Server behind NLB too if I can.

Kind Regards,

Hello,

I was able to get SSL-VPN communication to OpenVPN AS via NLB, it seems the FW was blocking the destination. I haven't done any failure tests yet, but so far it is working well.

Kind Regards,