openVPN over TCP

I am trying to establish a VPN connection via TCP using openVPN (because of interruptions of my network connection)…

However, it seems that Nethserver somehow only allows connections via UDP, even if I edit the configuration file of openVPN manually (replacing udp by tcp) and allow connections via TCP with a firewall rule…
Connections over UDP work fine.

When trying to connect via TCP, no messages are logged in the server's log (even with verb 6)…
In the client log:

```
Sun May 07 16:07:12 2017 us=850788 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun May 07 16:07:12 2017 us=850788 Need hold release from management interface, waiting...
Sun May 07 16:07:13 2017 us=323815 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun May 07 16:07:13 2017 us=424821 MANAGEMENT: CMD 'state on'
Sun May 07 16:07:13 2017 us=424821 MANAGEMENT: CMD 'log all on'
Sun May 07 16:07:13 2017 us=514826 MANAGEMENT: CMD 'hold off'
Sun May 07 16:07:13 2017 us=514826 MANAGEMENT: CMD 'hold release'
Sun May 07 16:07:44 2017 us=48572 MANAGEMENT: CMD 'username "Auth" "aaron"'
Sun May 07 16:07:44 2017 us=54573 MANAGEMENT: CMD 'password [...]'
Sun May 07 16:07:59 2017 us=96433 MANAGEMENT: CMD 'password [...]'
Sun May 07 16:07:59 2017 us=96433 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun May 07 16:07:59 2017 us=96433 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun May 07 16:07:59 2017 us=96433 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun May 07 16:07:59 2017 us=97433 LZO compression initializing
Sun May 07 16:07:59 2017 us=97433 Control Channel MTU parms [ L:1624 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Sun May 07 16:07:59 2017 us=97433 MANAGEMENT: >STATE:1494166079,RESOLVE,,,,,,
Sun May 07 16:07:59 2017 us=100433 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sun May 07 16:07:59 2017 us=100433 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Sun May 07 16:07:59 2017 us=100433 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Sun May 07 16:07:59 2017 us=100433 TCP/UDP: Preserving recently used remote address: [AF_INET]77.47.65.103:37516
Sun May 07 16:07:59 2017 us=100433 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun May 07 16:07:59 2017 us=100433 Attempting to establish TCP connection with [AF_INET]77.47.65.103:37516 [nonblock]
Sun May 07 16:07:59 2017 us=100433 MANAGEMENT: >STATE:1494166079,TCP_CONNECT,,,,,,
Sun May 07 16:09:59 2017 us=109297 TCP: connect to [AF_INET]77.47.65.103:37516 failed: Connection timed out (WSAETIMEDOUT)
Sun May 07 16:09:59 2017 us=109297 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Sun May 07 16:09:59 2017 us=109297 MANAGEMENT: >STATE:1494166199,RECONNECTING,init_instance,,,,,
```

and so on…

The content of the /etc/openvpn/host-to-net.conf file is:

```
dev tunrw
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
ifconfig-pool-persist host-to-net.pool 0

port 1194
proto tcp
script-security 3
float
multihome
dh /var/lib/nethserver/certs/dh8369.pem
ca /etc/pki/tls/certs/ECroot.crt
cert /etc/pki/tls/certs/ECserver.crt
key /etc/pki/tls/private/ECserver.key
crl-verify /etc/pki/CA/crl/ECroot.crl
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option WINS 10.8.0.1"
push "dhcp-option NBDD 10.8.0.1"
push "dhcp-option NBT 2"
push "route 10.1.2.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
;push "route 192.168.2.0 255.255.255.0"

# Authentication: certificate + password

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/login

#tls 1.2 only + secure Ciphers
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
ecdh-curve secp521r1
cipher AES-256-CBC
auth SHA512

# Renegotiate encryption keys each 5 minutes

reneg-sec 0

status /var/log/openvpn/host-to-net-status.log
log-append /var/log/openvpn/openvpn.log
comp-lzo
keepalive 20 120
user nobody
group nobody
client-config-dir ccd
persist-key
persist-tun
management /var/spool/openvpn/host-to-net unix
tls-auth /etc/openvpn/static.key 0
verb 6
```

The certificates and keys are all ok since when I change tcp to udp (on both the server and the client) everything works…

Does anyone have an idea what I am doing wrong? What do I have to change additionally for TCP connections?
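Added example, not code from the original post or from NethServer: a small Python lint that reads an OpenVPN server config like the one above and reports the transport together with the directives OpenVPN refuses over TCP (`explicit-exit-notify` is accepted only with UDP) or that only have a meaning over UDP (`float`, `multihome`). The embedded config is a constructed, trimmed copy of the posted file; the checks cover only what the OpenVPN manual documents as UDP-specific.

```python
"""Lint an OpenVPN server config for directives that clash with proto tcp."""
import shlex

# OpenVPN exits with an error when these are combined with a TCP transport.
UDP_ONLY_FATAL = {"explicit-exit-notify"}
# Documented as UDP-specific; accepted but meaningless over TCP.
UDP_ONLY_NOOP = {"float", "multihome"}

# Constructed sample: a trimmed copy of the host-to-net.conf shown above.
SERVER_CONF = """\
dev tunrw
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
port 1194
proto tcp
float
multihome
push "route 10.1.2.0 255.255.255.0"
;push "route 192.168.2.0 255.255.255.0"
# Authentication: certificate + password
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/login
keepalive 20 120
tls-auth /etc/openvpn/static.key 0
verb 6
"""


def parse_config(text):
    """Return [(directive, [args])] for active lines; '#' and ';' start comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps quoted push payloads as one argument
        directives.append((parts[0], parts[1:]))
    return directives


def lint_tcp(text):
    """Report the transport and any directives that conflict with it."""
    directives = parse_config(text)
    # OpenVPN defaults to UDP when no proto directive is present.
    proto = next((args[0] for name, args in directives if name == "proto"), "udp")
    names = {name for name, _ in directives}
    report = {"proto": proto, "fatal": [], "ignored": []}
    if proto.startswith("tcp"):  # tcp, tcp-server, tcp4, tcp6 ...
        report["fatal"] = sorted(names & UDP_ONLY_FATAL)
        report["ignored"] = sorted(names & UDP_ONLY_NOOP)
    return report
```

Run `lint_tcp(SERVER_CONF)` to see that the posted file has nothing OpenVPN would reject in TCP mode, and `lint_tcp(SERVER_CONF + "explicit-exit-notify 1\n")` to see the one directive that would stop the daemon from starting.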

Problem solved!!! :wink:
I just commented out the line `keepalive 20 120`… and now it works!!!
