Solved

OpenVPN TLS error behind proxy

Posted on 2011-09-16
Last Modified: 2012-05-12
Hi,

I have openvpn configured on my Synology NAS 210J.
It works fine, even when I configure within my openvpn client to use port 443, my router reroutes it to the openvpn port (1194 I thought?).

However, when I connect from behind a proxy (work), I cannot connect & get the following messages:

Thu Sep 15 09:00:01 2011 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Thu Sep 15 09:00:07 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Sep 15 09:00:07 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Sep 15 09:00:07 2011 LZO compression initialized
Thu Sep 15 09:00:07 2011 UDPv4 link local (bound): [undef]:1194
Thu Sep 15 09:00:07 2011 UDPv4 link remote: 94.193.102.31:443
Thu Sep 15 09:01:07 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 15 09:01:07 2011 TLS Error: TLS handshake failed
Thu Sep 15 09:01:07 2011 SIGUSR1[soft,tls-error] received, process restarting
Thu Sep 15 09:01:09 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Sep 15 09:01:09 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Sep 15 09:01:09 2011 LZO compression initialized
Thu Sep 15 09:01:09 2011 UDPv4 link local (bound): [undef]:1194
Thu Sep 15 09:01:09 2011 UDPv4 link remote: 94.193.102.31:443

Please advise.
J.
Question by:janhoedt

23 Comments
 
LVL 10

Accepted Solution

by:
acbxyz earned 500 total points
ID: 36556615
This logfile doesn't look like it is using a proxy, but rather UDP. If you want to connect home through a proxy to port 443 and present it as https to this proxy, make sure you use proto tcp on both sides.
http://www.openvpn.net/index.php/open-source/documentation/howto.html#http

Author Comment

by:janhoedt
ID: 36558352
Thanks! I'll check!

Author Comment

by:janhoedt
ID: 36558592
I have two issues: connection via 3G and behind proxy but I think they are related.
Opened already another ticket for the 3G.

Here is the output for "behind the proxy":

Local ip 192.168.1.0
VPN: 172.16.0.0 are correct


SETTINGS CLIENT:
-----------------

dev tun
tls-client

remote synology-nas-ipaddress 443

# If redirect-gateway is enabled, the client will redirect it's
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

#redirect-gateway

pull

proto tcp-client
script-security 2

ca ca.crt

comp-lzo

reneg-sec 0

SETTINGS SERVER:
-----------------
DS> vi openvpn.conf
push "route 192.168.1.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
dev tun

management 127.0.0.1 1195

server 172.16.1.0 255.255.255.0


dh /usr/local/synovpn/etc/openvpn/keys/dh1024.pem
ca /usr/local/synovpn/etc/openvpn/keys/ca.crt
cert /usr/local/synovpn/etc/openvpn/keys/server.crt
key /usr/local/synovpn/etc/openvpn/keys/server.key

max-clients 5

comp-lzo

persist-tun
persist-key

verb 3


#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

plugin /usr/local/synovpn/lib/radiusplugin.so /usr/local/synovpn/etc/openvpn/rad
client-cert-not-required
username-as-common-name
duplicate-cn
proto tcp

auth-user-pass

Note: issue = Connection timed out (WSAETIMEDOUT).
LVL 10

Expert Comment

by:acbxyz
ID: 36561889
On client configuration:
What is "proto tcp-client"? I only know "proto tcp" and "client", which works very well.
There is no "http-proxy your.proxy.server 3128" (the last value is your proxy's port).

On server configuration:
If your server is 172.16.1.0/24, you don't need to push this route explicitly.
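The two points above (client and server must agree on TCP, and the client needs an explicit http-proxy line) can be checked mechanically. The following is an added example, not code from the thread or from OpenVPN: it parses a constructed client/server config pair (hostnames under example.invalid and the proxy port 3128 are assumptions) and reports the mismatches discussed here, plus the missing server-certificate check that the log WARNING in the question points at.

```python
"""Consistency check for an OpenVPN client/server config pair in the situation
from this thread: client behind an HTTP proxy, server on a home NAS.
Added example; the sample configs below are constructed, not the poster's files."""

# Constructed client config: TCP and an explicit http-proxy line, as advised above.
CLIENT_CONF = """\
dev tun
client
remote vpn.example.invalid 443
proto tcp-client
http-proxy proxy.example.invalid 3128
ca ca.crt
auth-user-pass
"""

# Constructed server config with the proto line missing: OpenVPN then defaults to UDP.
SERVER_CONF = """\
dev tun
server 172.16.1.0 255.255.255.0
port 1194
ca ca.crt
cert server.crt
key server.key
"""

TCP_PROTOS = {"tcp", "tcp-client", "tcp-server"}


def parse_conf(text):
    """Map each directive name to the list of argument lists it was given, skipping comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def effective_proto(conf):
    """'tcp' or 'udp'; a config without a proto line runs over UDP (OpenVPN's default)."""
    protos = conf.get("proto")
    if not protos:
        return "udp"
    return "tcp" if protos[-1][0] in TCP_PROTOS else "udp"


def check(client_text, server_text, behind_http_proxy=True):
    """Return (code, message) findings; an empty list means the pair looks consistent."""
    client, server = parse_conf(client_text), parse_conf(server_text)
    cproto, sproto = effective_proto(client), effective_proto(server)
    findings = []
    if cproto != sproto:
        findings.append(("proto-mismatch",
                         f"client is {cproto} but server is {sproto}; use tcp-client / tcp-server on both sides"))
    if behind_http_proxy:
        if cproto != "tcp":
            findings.append(("client-not-tcp",
                             "an HTTP proxy only relays TCP (CONNECT); the client needs proto tcp-client"))
        if "http-proxy" not in client:
            findings.append(("no-http-proxy", "add 'http-proxy <proxy-host> <proxy-port>' to the client config"))
        for args in client.get("remote", []):
            port = args[1] if len(args) > 1 else "1194"  # a remote line without a port means 1194
            if port != "443":
                findings.append(("remote-port-not-443",
                                 f"remote port {port}: many proxies only allow CONNECT to 443"))
    # The log WARNING "No server certificate verification method has been enabled" is the
    # usual sign that neither directive below is set (ns-cert-type on 2.1/2.2, remote-cert-tls later).
    if not any(d in client for d in ("remote-cert-tls", "ns-cert-type")):
        findings.append(("no-server-cert-verification",
                         "add 'remote-cert-tls server' (or 'ns-cert-type server' on 2.1/2.2) "
                         "so the client checks it is talking to the real server"))
    return findings


if __name__ == "__main__":
    for code, msg in check(CLIENT_CONF, SERVER_CONF):
        print(f"{code}: {msg}")
```

Run as-is it reports the proto mismatch (server silently on UDP) and the missing server-certificate check; adding `proto tcp-server` to the server and `remote-cert-tls server` to the client clears both.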

Author Comment

by:janhoedt
ID: 36562278
Ok, thanks, I'll check.
I found these settings somewhere but I'll change them and double-check.

172.16.1.0 is the network which vpn gives to me.

Another question: on the work-lan all private ranges are used: 192.168/172.X/10....
Could that cause issues?

Author Comment

by:janhoedt
ID: 36562381
If I add proto tcp I get this error:

Options error: --proto tcp is ambiguous in this context.  Please specify --proto tcp-server or --proto tcp-client
Use --help for more information.
LVL 10

Expert Comment

by:acbxyz
ID: 36562402
Assuming you access these other subnets via a default gateway and not static routes on your machine, the only problem might be that the subnets you redirect through your vpn can't be reached any more.
If your vpn is connected, you will see all routes using "route -n" on linux or "route print" on windows.

Author Comment

by:janhoedt
ID: 36562413
... and with this setting proto tcp-client it works fine when I connect from home (LAN) to this openvpn.

Note: proxy was not indicated on work-network because you can indicate to use proxy in openvpn-client.

Author Comment

by:janhoedt
ID: 36562431
To acbxyz:
Don't understand your explanation, if your vpn is connected, you will see all routes.
=> My question is how to connect, how could I see my routes? The routes on the work network I know, I checked them with route print and as I mentioned all private ones are in use.
LVL 10

Expert Comment

by:acbxyz
ID: 36562509
In your first post, there were these two lines, which say openvpn tries udp. These lines must not appear in the log output:
Thu Sep 15 09:00:07 2011 UDPv4 link local (bound): [undef]:1194
Thu Sep 15 09:00:07 2011 UDPv4 link remote: 94.193.102.31:443

I used an openvpn gui for windows myself about two years back and it also said I could enter a proxy there or use it from internet explorer. But neither setting worked; the only way that worked was specifying it explicitly in the config file.

About the routes: If you don't want to redirect the subnet which contains the gateway to your proxy nor the subnet of your proxy itself, it should connect.

Author Comment

by:janhoedt
ID: 36562556
Thanks, I know, I changed them, this is not actually my ip (which is dynamic btw).

Ok, I'll specify the proxy explicitly.

About the routes: ok, so if I'm on 10.0.0.X on work network and even there is a 172.x.x.x route/network it should connect although my openvpn distributed a 172.16 address?
LVL 10

Expert Comment

by:acbxyz
ID: 36562627
Yes, but the subnet mask does its part.
If your networks at work are 172.16.0.0/16 (=255.255.0.0) and you distribute 172.16.1.0/24 (=255.255.255.0) then 172.16.1.1 or 172.16.1.248 will be routed through vpn, while 172.16.0.248 will still be a reachable workstation at your work.
LVL 10

Expert Comment

by:acbxyz
ID: 36562639
To be clear: the two lines printing ip addresses and ports are not bad at all, but UDPv4 should not be there. Instead there should be something with TCPv4.
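The diagnosis acbxyz makes here (UDPv4 in the link lines means the proxy can never carry the traffic, so the TLS timeout is a transport problem, not a TLS problem) can be read off the client log automatically. The following is an added example, not code from the thread or from OpenVPN: it scans constructed log excerpts modelled on the lines quoted in this thread (with a documentation address 198.51.100.10 in place of the poster's) and reduces them to a handful of action codes, including the route-conflict WARNING that appears later in the thread and the missing server-certificate check.

```python
"""Triage of an OpenVPN client log for the symptoms in this thread. Added example;
the log excerpts are constructed after the lines quoted here."""
import re

TS = r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} "
LINK_RE = re.compile(TS + r"(UDPv4|TCPv4_CLIENT|TCPv4_SERVER) link (?:local|remote)")
ROUTE_CONFLICT_RE = re.compile(
    r"potential route subnet conflict between local LAN \[([^\]]+)\] and remote VPN \[([^\]]+)\]")

# Constructed: the failing UDP attempt from the question.
LOG_UDP = """\
Thu Sep 15 09:00:07 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Sep 15 09:00:07 2011 UDPv4 link local (bound): [undef]:1194
Thu Sep 15 09:00:07 2011 UDPv4 link remote: 198.51.100.10:443
Thu Sep 15 09:01:07 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 15 09:01:07 2011 TLS Error: TLS handshake failed
"""

# Constructed: the later TCP connection that came up but reported a route conflict.
LOG_TCP = """\
Mon Sep 19 21:57:41 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Sep 19 21:57:41 2011 TCPv4_CLIENT link local: [undef]
Mon Sep 19 21:57:41 2011 TCPv4_CLIENT link remote: 198.51.100.10:8080
Mon Sep 19 21:57:50 2011 WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]
Mon Sep 19 21:57:50 2011 Initialization Sequence Completed
"""


def triage(log_text):
    """Summarise the facts a reader wants from the log: link protocol, TLS failures, warnings."""
    summary = {"link_proto": None, "tls_errors": 0, "no_cert_verification": False,
               "route_conflicts": [], "completed": False}
    for line in log_text.splitlines():
        m = LINK_RE.match(line)
        if m:
            summary["link_proto"] = "udp" if m.group(1) == "UDPv4" else "tcp"
        if "TLS Error:" in line:
            summary["tls_errors"] += 1
        if "No server certificate verification method" in line:
            summary["no_cert_verification"] = True
        m = ROUTE_CONFLICT_RE.search(line)
        if m:
            summary["route_conflicts"].append((m.group(1), m.group(2)))
        if "Initialization Sequence Completed" in line:
            summary["completed"] = True
    return summary


def advice(summary, behind_http_proxy=True):
    """Turn the summary into short action codes matching the thread's conclusions."""
    codes = []
    if behind_http_proxy and summary["link_proto"] == "udp":
        codes.append("switch-to-tcp")                 # an HTTP proxy cannot carry UDP
    if summary["tls_errors"] and summary["link_proto"] == "udp":
        codes.append("tls-timeout-is-transport")      # handshake packets never arrived at all
    if summary["no_cert_verification"]:
        codes.append("enable-server-cert-check")      # client accepts any cert the CA has signed
    if summary["route_conflicts"]:
        codes.append("pushed-route-overlaps-local-lan")
    return codes


if __name__ == "__main__":
    for name, log in (("udp attempt", LOG_UDP), ("tcp attempt", LOG_TCP)):
        print(name, triage(log), advice(triage(log)))
```

The two link lines are matched with a timestamp-anchored regex rather than a substring so that an address or hostname containing "UDPv4" in some other message cannot confuse the classification.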

Author Comment

by:janhoedt
ID: 36563059
Ok.

UDP shouldn't be the issue anymore since I changed to TCP.
Works fine now, from my lan, I'll check tomorrow on my work. Config should be fine now.

This is the output:

Mon Sep 19 21:56:30 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
Mon Sep 19 21:57:41 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Sep 19 21:57:41 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Sep 19 21:57:41 2011 LZO compression initialized
Mon Sep 19 21:57:41 2011 Attempting to establish TCP connection with x.x.207.251:8080
Mon Sep 19 21:57:41 2011 TCP connection established with x.x.x.251:8080
Mon Sep 19 21:57:41 2011 TCPv4_CLIENT link local: [undef]
Mon Sep 19 21:57:41 2011 TCPv4_CLIENT link remote: 81.83.207.251:8080
Mon Sep 19 21:57:41 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Sep 19 21:57:42 2011 [Snake_Oil_CA] Peer Connection Initiated with 81.83.207.251:8080
Mon Sep 19 21:57:45 2011 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{0FD5FF74-EED2-4559-990D-8E8662F545B7}.tap
Mon Sep 19 21:57:45 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.16.1.6/255.255.255.252 on interface {0FD5FF74-EED2-4559-990D-8E8662F545B7} [DHCP-serv: 172.16.1.5, lease-time: 31536000]
Mon Sep 19 21:57:45 2011 Successful ARP Flush on interface [3] {0FD5FF74-EED2-4559-990D-8E8662F545B7}
Mon Sep 19 21:57:50 2011 WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]
Mon Sep 19 21:57:50 2011 Initialization Sequence Completed


Don't understand where the route subnet conflict comes from, vpn is 172.16.x.x.
LVL 10

Expert Comment

by:acbxyz
ID: 36563142
Since many proxy servers only allow a CONNECT to known secure ports like 443, it might not work with 8080 as the public port.
LVL 10

Expert Comment

by:acbxyz
ID: 36563190
Just saw the other question:
Your VPN server sends a route request to the client; it should route all packets to 192.168.1.0/24 through the vpn. But 192.168.1.0/24 is directly attached to your client now.
Directly attached subnets can't be redirected for a good reason. Otherwise you would route your vpn tunnel packets through your vpn, whose packets would be sent through the vpn and again and again..
If your computer at work is not directly attached to a network called 192.168.1.0/24 you won't get this error.

Besides, if you XX out your official IP, you should do it everywhere ;-)
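Two of acbxyz's explanations above are worth seeing in code: the longest-prefix rule that sends 172.16.1.248 through the VPN while 172.16.0.248 stays on the work LAN, and the reason a pushed 192.168.1.0/24 route conflicts with a client that is directly attached to 192.168.1.0/24. The following is an added example, not code from the thread or from OpenVPN, using Python's standard ipaddress module; the routing table and the server push lines are constructed from the values discussed in the thread, and the next-hop labels are assumptions.

```python
"""Longest-prefix routing and pushed-route conflicts, after the two explanations above.
Added example; the networks are constructed from the values discussed in the thread."""
import ipaddress
import re

# Constructed routing table of a work PC with the VPN up: default route, the /16 work LAN
# and the /24 the VPN pushed. The most specific matching prefix wins.
WORK_ROUTES = [
    ("0.0.0.0/0", "work-gateway"),
    ("172.16.0.0/16", "work-lan"),
    ("172.16.1.0/24", "vpn"),
]

# Constructed server config fragment mirroring the push lines posted in the thread.
SERVER_PUSH = '''\
push "route 192.168.1.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
server 172.16.1.0 255.255.255.0
'''


def route_for(dst, routes):
    """Return the next hop whose prefix is the longest match for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best_net, best_via = None, None
    for net, via in routes:
        net = ipaddress.ip_network(net)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    return best_via


def pushed_routes(server_conf):
    """Extract the networks from push "route <net> <mask>" lines of a server config."""
    return [f"{net}/{mask}" for net, mask in
            re.findall(r'^push\s+"route\s+(\S+)\s+(\S+)"', server_conf, re.M)]


def route_conflicts(pushed, local_subnets):
    """Pushed routes that overlap a subnet directly attached to the client.

    These are the ones OpenVPN reports as a 'potential route subnet conflict': a directly
    attached subnet cannot be redirected into the tunnel without looping the tunnel itself."""
    return [(p, l) for p in pushed for l in local_subnets
            if ipaddress.ip_network(p).overlaps(ipaddress.ip_network(l))]


if __name__ == "__main__":
    for ip in ("172.16.1.1", "172.16.1.248", "172.16.0.248", "10.0.0.5"):
        print(ip, "->", route_for(ip, WORK_ROUTES))
    pushed = pushed_routes(SERVER_PUSH)
    print("at home (LAN 192.168.1.0/24):", route_conflicts(pushed, ["192.168.1.0/24"]))
    print("at work (LAN 10.0.0.0/8):   ", route_conflicts(pushed, ["10.0.0.0/8"]))
```

ipaddress accepts the dotted-mask form OpenVPN uses in push lines, so the pushed routes can be compared against the client's attached subnets without converting the masks by hand; the home run shows the conflict from the log, the work run shows none, which is exactly why the warning disappears away from the home LAN.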

Author Comment

by:janhoedt
ID: 36564737
I took 8080 to connect since my test to connect to my ssh server on port 8080 worked.

Author Comment

by:janhoedt
ID: 36565272
Can connect now over 3G (see other post) over port 8080 with tcp.

Error log OpenVPN client:
-------------------------------
Tue Sep 20 09:34:25 2011 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Enter Auth Password:
Tue Sep 20 09:34:33 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Sep 20 09:34:33 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Sep 20 09:34:33 2011 LZO compression initialized
Tue Sep 20 09:34:33 2011 Attempting to establish TCP connection with 81.83.207.254:8080
Tue Sep 20 09:34:55 2011 TCP: connect to 81.83.207.254:8080 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Tue Sep 20 09:35:21 2011 TCP: connect to 81.83.207.254:8080 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)

Set proxy according to openvpn manual, same result. Just cannot connect.
Proxy should be cause but don't see where.

Author Comment

by:janhoedt
ID: 36565280
Wait a minute: Tue Sep 20 09:37:52 2011 RESOLVE: Cannot resolve host address: supportsite.servehttp.com: [NO_DATA] The requested name is valid but does not have an IP address.

This didn't pop up before. There is something with this proxy. It is a Bluecoat btw.

Author Comment

by:janhoedt
ID: 36565353
And it works!!!!!
I've set the proxy settings from the client to HTTP proxy and selected to ask for user/password ... works like a charm.

Author Comment

by:janhoedt
ID: 36566970
Another issue occurred:

Tue Sep 20 15:25:32 2011 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Tue Sep 20 15:25:37 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Sep 20 15:25:37 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Sep 20 15:25:38 2011 LZO compression initialized
Tue Sep 20 15:25:38 2011 Attempting to establish TCP connection with ***proxy*** :8080
Tue Sep 20 15:25:38 2011 TCP connection established with ***proxy*** :8080
Tue Sep 20 15:25:40 2011 SIGTERM[soft,init_instance] received, process exiting


Note I found on Internet:
--------------------------
I'm taking a stab here, because I'm not sure exactly how you're configured, but whether you're using a peer to peer setup or a client-server setup, you should add the "float" option to the ovpn (config) file for each peer, client, or server. Normally, the port that openvpn uses is 1194, so each peer or server is expecting that port from each connection - the "float" option tells the peer / server to accept incoming connections from any port (as long as the other security requirements have been met)

Author Comment

by:janhoedt
ID: 36567294
Never mind, was proxy authentication. No issues at all anymore.

Author Closing Comment

by:janhoedt
ID: 36567299
tcp did the trick