OpenVPN TLS error behind proxy

Hi,

I have openvpn configured on my Synology NAS 210J.
It works fine, even when I configure my openvpn client to use port 443; my router reroutes it to the openvpn port (1194, I thought?).

However, when I connect from behind a proxy (work), I cannot connect and get the following messages:

Thu Sep 15 09:00:01 2011 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Thu Sep 15 09:00:07 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Sep 15 09:00:07 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Sep 15 09:00:07 2011 LZO compression initialized
Thu Sep 15 09:00:07 2011 UDPv4 link local (bound): [undef]:1194
Thu Sep 15 09:00:07 2011 UDPv4 link remote: 94.193.102.31:443
Thu Sep 15 09:01:07 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 15 09:01:07 2011 TLS Error: TLS handshake failed
Thu Sep 15 09:01:07 2011 SIGUSR1[soft,tls-error] received, process restarting
Thu Sep 15 09:01:09 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Sep 15 09:01:09 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Sep 15 09:01:09 2011 LZO compression initialized
Thu Sep 15 09:01:09 2011 UDPv4 link local (bound): [undef]:1194
Thu Sep 15 09:01:09 2011 UDPv4 link remote: 94.193.102.31:443

Please advise.
J.
janhoedtAsked:
acbxyzCommented:
This logfile doesn't look like it is using a proxy; it is using UDP. If you want to connect home through a proxy to port 443 and present it as HTTPS to this proxy, make sure you use proto tcp on both sides.
http://www.openvpn.net/index.php/open-source/documentation/howto.html#http
janhoedtAuthor Commented:
Thanks! I'll check!
janhoedtAuthor Commented:
I have two issues: connection via 3G and behind a proxy, but I think they are related.
I already opened another ticket for the 3G.

Here is the output for "behind the proxy":

Local IP 192.168.1.0 and VPN 172.16.0.0 are correct.


SETTINGS CLIENT:
-----------------

dev tun
tls-client

remote synology-nas-ipaddress 443

# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

#redirect-gateway

pull

proto tcp-client
script-security 2

ca ca.crt

comp-lzo

reneg-sec 0

SETTINGS SERVER:
-----------------
DS> vi openvpn.conf
push "route 192.168.1.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
dev tun

management 127.0.0.1 1195

server 172.16.1.0 255.255.255.0

dh /usr/local/synovpn/etc/openvpn/keys/dh1024.pem
ca /usr/local/synovpn/etc/openvpn/keys/ca.crt
cert /usr/local/synovpn/etc/openvpn/keys/server.crt
key /usr/local/synovpn/etc/openvpn/keys/server.key

max-clients 5

comp-lzo

persist-tun
persist-key

verb 3

#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

plugin /usr/local/synovpn/lib/radiusplugin.so /usr/local/synovpn/etc/openvpn/rad
client-cert-not-required
username-as-common-name
duplicate-cn
proto tcp

auth-user-pass

Note: issue = Connection timed out (WSAETIMEDOUT).
acbxyzCommented:
on client configuration:
What is "proto tcp-client"? I only know "proto tcp" and "client", which works very well.
There is no "http-proxy your.proxy.server 3128" (the last value is your proxy's port).

On server configuration:
If your server is 172.16.1.0/24, you don't need to push this route explicitly.
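As an added example (not code from this thread or from OpenVPN): a small linter for the client config posted above, checking the points acbxyz raises (TCP transport and an explicit http-proxy line) together with the "No server certificate verification method has been enabled" warning from the original log and the later "may cache passwords in memory" warning. The posted config is embedded as a constructed sample; the corrected version is hypothetical, with a placeholder proxy host and port, and uses the real OpenVPN directives http-proxy, remote-cert-tls and auth-nocache.

```python
"""Lint an OpenVPN client config that has to reach the server through an
HTTP proxy: TCP transport, an explicit http-proxy line, and server
certificate verification (the "No server certificate verification method"
warning in the logs above)."""

# Constructed sample: the client config posted in this thread, comments dropped.
POSTED_CLIENT_CONFIG = """\
dev tun
tls-client
remote synology-nas-ipaddress 443
pull
proto tcp-client
script-security 2
ca ca.crt
comp-lzo
reneg-sec 0
auth-user-pass
"""

# Hypothetical corrected version; proxy host and port are placeholders.
# "stdin basic" prompts for the proxy user/password and sends Basic auth.
FIXED_CLIENT_CONFIG = POSTED_CLIENT_CONFIG + """\
http-proxy proxy.example.internal 3128 stdin basic
remote-cert-tls server
auth-nocache
"""

# Any one of these makes the client check that the peer is really a server.
SERVER_VERIFY_DIRECTIVES = {"remote-cert-tls", "ns-cert-type", "tls-remote"}


def parse_config(text):
    """Return [(directive, [args])], skipping blank lines and # or ; comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            directives.append((parts[0], parts[1:]))
    return directives


def lint_proxy_client(text):
    """Return a list of findings; an empty list means the config looks usable."""
    conf = parse_config(text)
    names = {name for name, _ in conf}
    args = dict(conf)  # last occurrence wins, fine for single-valued directives
    findings = []

    proto = (args.get("proto") or ["udp"])[0]
    if proto == "tcp" and "client" not in names:
        findings.append('proto tcp is ambiguous without "client"; use proto tcp-client')
    elif proto not in ("tcp", "tcp-client"):
        findings.append("UDP transport: an HTTP proxy can only CONNECT over TCP, "
                        "so TLS key negotiation will time out")

    if "http-proxy" not in names:
        findings.append("no http-proxy line: the client will attempt a direct TCP "
                        "connect and get WSAETIMEDOUT behind the proxy")

    if not (SERVER_VERIFY_DIRECTIVES & names):
        findings.append("no server certificate verification (e.g. remote-cert-tls "
                        "server): any certificate signed by ca.crt is accepted as the server")

    if "auth-user-pass" in names and "auth-nocache" not in names:
        findings.append("auth-user-pass without auth-nocache: the password may be cached in memory")

    remote = args.get("remote") or []
    port = remote[1] if len(remote) > 1 else "1194"
    if remote and port != "443":
        findings.append(f"remote port {port}: many proxies only allow CONNECT to 443")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CLIENT_CONFIG), ("fixed", FIXED_CLIENT_CONFIG)):
        print(label, lint_proxy_client(cfg) or "OK")
```

The server-verification check is the security-relevant one: without remote-cert-tls server (or the older ns-cert-type server), the client accepts any certificate signed by ca.crt, which is exactly the man-in-the-middle case the howto#mitm link in the log warns about.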
janhoedtAuthor Commented:
Ok, thanks, I'll check.
I found these settings somewhere, but I'll change them and double-check.

172.16.1.0 is the network which vpn gives to me.

Another question: on the work-lan all private ranges are used: 192.168/172.X/10....
Could that cause issues?
janhoedtAuthor Commented:
If I add proto tcp I get this error:

Options error: --proto tcp is ambiguous in this context.  Please specify --proto tcp-server or --proto tcp-client
Use --help for more information.
acbxyzCommented:
Assuming you access these other subnets via a default gateway and not static routes on your machine, the only problem might be that the subnets you redirect through your VPN can't be reached any more.
If your vpn is connected, you will see all routes using "route -n" on linux or "route print" on windows.
janhoedtAuthor Commented:
... and with this setting (proto tcp-client) it works fine when I connect from home (LAN) to this openvpn.

Note: the proxy was not indicated on the work network because you can specify a proxy to use in the openvpn client.
janhoedtAuthor Commented:
To acbxyz:
Don't understand your explanation: "if your vpn is connected, you will see all routes".
=> My question is how to connect; how could I see my routes? The routes on the work network I know; I checked them with route print and, as I mentioned, all private ones are in use.
acbxyzCommented:
In your first post there were these two lines, which say openvpn tries UDP. These lines must not appear in the log output:
Thu Sep 15 09:00:07 2011 UDPv4 link local (bound): [undef]:1194
Thu Sep 15 09:00:07 2011 UDPv4 link remote: 94.193.102.31:443

I used an OpenVPN GUI for Windows myself about two years back and it also said I could enter a proxy there or use the one from Internet Explorer. But neither setting worked; the only way that worked was to specify it explicitly in the config file.

About the routes: if you don't redirect the subnet which contains the gateway to your proxy, nor the subnet of your proxy itself, it should connect.
janhoedtAuthor Commented:
Thanks, I know, I changed them; this is not actually my IP (which is dynamic, btw).

Ok, I'll specify the proxy explicitly.

About the routes: ok, so if I'm on 10.0.0.X on the work network and there is even a 172.x.x.x route/network, it should connect although my openvpn distributed a 172.16 address?
acbxyzCommented:
Yes, but the subnet mask does its part.
If your networks at work are 172.16.0.0/16 (=255.255.0.0) and you distribute 172.16.1.0/24 (=255.255.255.0) then 172.16.1.1 or 172.16.1.248 will be routed through vpn, while 172.16.0.248 will still be a reachable workstation at your work.
acbxyzCommented:
To be clear: the two lines printing ip addresses and ports are not bad at all, but UDPv4 should not be there. Instead there should be something with TCPv4.
janhoedtAuthor Commented:
Ok.

UDP shouldn't be the issue anymore since I changed to TCP.
Works fine now from my LAN; I'll check tomorrow at work. Config should be fine now.

This is the output:

Mon Sep 19 21:56:30 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
Mon Sep 19 21:57:41 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Sep 19 21:57:41 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Sep 19 21:57:41 2011 LZO compression initialized
Mon Sep 19 21:57:41 2011 Attempting to establish TCP connection with x.x.207.251:8080
Mon Sep 19 21:57:41 2011 TCP connection established with x.x.x.251:8080
Mon Sep 19 21:57:41 2011 TCPv4_CLIENT link local: [undef]
Mon Sep 19 21:57:41 2011 TCPv4_CLIENT link remote: 81.83.207.251:8080
Mon Sep 19 21:57:41 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Sep 19 21:57:42 2011 [Snake_Oil_CA] Peer Connection Initiated with 81.83.207.251:8080
Mon Sep 19 21:57:45 2011 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{0FD5FF74-EED2-4559-990D-8E8662F545B7}.tap
Mon Sep 19 21:57:45 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.16.1.6/255.255.255.252 on interface {0FD5FF74-EED2-4559-990D-8E8662F545B7} [DHCP-serv: 172.16.1.5, lease-time: 31536000]
Mon Sep 19 21:57:45 2011 Successful ARP Flush on interface [3] {0FD5FF74-EED2-4559-990D-8E8662F545B7}
Mon Sep 19 21:57:50 2011 WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]
Mon Sep 19 21:57:50 2011 Initialization Sequence Completed


Don't understand where the route subnet conflict comes from, vpn is 172.16.x.x.
acbxyzCommented:
Since many proxy servers only allow a CONNECT to known secure ports like 443, it might not work with 8080 as the public port.
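As an added example (not from this thread or from OpenVPN's source): the HTTP CONNECT exchange that OpenVPN's --http-proxy option performs, run against a toy proxy. OpenVPN really does send "CONNECT host:port HTTP/1.0" and, with the basic auth method, a Proxy-Authorization header. The proxy's policy here is an assumption chosen to illustrate the thread: authentication required (a 407, which is what the later "was proxy authentication" comment resolves) and CONNECT allowed only to port 443 (acbxyz's point about 8080). The user list and realm are constructed; nothing here reflects the actual Blue Coat configuration at the poster's workplace.

```python
"""The HTTP CONNECT handshake behind OpenVPN's --http-proxy, against a toy
proxy that mimics a locked-down corporate policy: Basic auth required and
CONNECT permitted only to port 443."""
import base64
import re

# Constructed toy proxy state (hypothetical, not a real proxy's policy).
ALLOWED_CONNECT_PORTS = {443}
PROXY_USERS = {"jan": "s3cret"}
AUTH_REQUIRED = (b"HTTP/1.0 407 Proxy Authentication Required\r\n"
                 b"Proxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n")


def build_connect_request(host, port, username=None, password=None):
    """Build the request the client sends; OpenVPN defaults to HTTP/1.0 and
    adds Proxy-Authorization when an auth file or stdin credentials are given."""
    lines = [f"CONNECT {host}:{port} HTTP/1.0", f"Host: {host}:{port}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_proxy_response(raw):
    """Return (status_code, reason) from the proxy's status line."""
    status_line = raw.split(b"\r\n", 1)[0].decode(errors="replace")
    m = re.match(r"HTTP/\d\.\d (\d{3}) ?(.*)", status_line)
    if not m:
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(m.group(1)), m.group(2)


def toy_proxy(request):
    """Answer one CONNECT request: 407 without valid credentials, 403 for a
    port outside the allow-list, 200 when the tunnel may be established."""
    head = request.partition(b"\r\n\r\n")[0].decode(errors="replace")
    lines = head.split("\r\n")
    m = re.match(r"CONNECT ([^:\s]+):(\d+) HTTP/1\.[01]$", lines[0])
    if not m:
        return b"HTTP/1.0 400 Bad Request\r\n\r\n"
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in lines[1:] if ":" in h)}
    auth = headers.get("proxy-authorization", "")
    if not auth.startswith("Basic "):
        return AUTH_REQUIRED
    user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    if PROXY_USERS.get(user) != pw:
        return AUTH_REQUIRED
    if int(m.group(2)) not in ALLOWED_CONNECT_PORTS:
        return b"HTTP/1.0 403 Forbidden\r\n\r\n"
    return b"HTTP/1.0 200 Connection established\r\n\r\n"


def connect_through_proxy(host, port, username=None, password=None):
    """Run the exchange end to end and return the proxy's status code.
    Only on 200 would OpenVPN start its TLS handshake over the tunnel."""
    response = toy_proxy(build_connect_request(host, port, username, password))
    return parse_proxy_response(response)[0]


if __name__ == "__main__":
    print("no auth, 443 :", connect_through_proxy("vpn.example", 443))
    print("auth, 443    :", connect_through_proxy("vpn.example", 443, "jan", "s3cret"))
    print("auth, 8080   :", connect_through_proxy("vpn.example", 8080, "jan", "s3cret"))
```

The status code is the thing to look at in the client log when a proxy is in the path: a 407 means credentials (the http-proxy auth file or the GUI's user/password prompt), a 403 means the proxy's port policy, and neither will ever show up if the client is still configured for UDP.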
acbxyzCommented:
Just saw the other question:
Your VPN server sends a route request to the client: it should route all packets to 192.168.1.0/24 through the VPN. But 192.168.1.0/24 is directly attached to your client now.
Directly attached subnets can't be redirected, for a good reason. Otherwise you would route your VPN tunnel packets through your VPN, whose packets would be sent through the VPN, and again and again...
If your computer at work is not directly attached to a network called 192.168.1.0/24, you won't get this error.

Besides, if you XX out your official IP, you should do it everywhere ;-)
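As an added example (not code from this thread): the two routing points acbxyz makes, worked through with Python's ipaddress module. The first is longest-prefix matching, which is why a pushed 172.16.1.0/24 wins over the work LAN's 172.16.0.0/16 for 172.16.1.248 but not for 172.16.0.248. The second is a simplified version of the check behind OpenVPN's "potential route subnet conflict" warning: a pushed route that overlaps a subnet the client is directly attached to is flagged, because redirecting it would send the tunnel's own packets back into the tunnel. The route tables are constructed from the thread's description (work LAN 10.0.0.0/24, 172.16.0.0/16 behind the work gateway, home LAN 192.168.1.0/24); the exact overlap rule OpenVPN applies is an assumption here.

```python
"""Longest-prefix routing when the work LAN and the VPN both use RFC 1918
space, plus the check behind OpenVPN's "potential route subnet conflict"."""
import ipaddress


def build_route_table(lan_routes, vpn_routes):
    """Return [(network, via)]: the host's own routes plus those the VPN pushed."""
    table = [(ipaddress.ip_network(n), "lan") for n in lan_routes]
    table += [(ipaddress.ip_network(n), "vpn") for n in vpn_routes]
    return table


def next_hop(table, dst):
    """Pick the most specific matching route, as the host routing table does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def check_pushed_routes(attached, pushed):
    """Return the pushed routes that overlap a directly attached subnet.
    Such a route is useless: the packets carrying the tunnel itself would be
    sent into the tunnel, so OpenVPN warns instead of silently using it."""
    attached_nets = [ipaddress.ip_network(a) for a in attached]
    return [p for p in pushed
            if any(ipaddress.ip_network(p).overlaps(a) for a in attached_nets)]


# Constructed scenario from the thread: work host on 10.0.0.0/24, all of
# 172.16.0.0/16 reachable via the work gateway, default route via the LAN,
# and the VPN server pushing 192.168.1.0/24 and 172.16.1.0/24.
WORK_ROUTES = ["10.0.0.0/24", "172.16.0.0/16", "0.0.0.0/0"]
PUSHED_ROUTES = ["192.168.1.0/24", "172.16.1.0/24"]

if __name__ == "__main__":
    table = build_route_table(WORK_ROUTES, PUSHED_ROUTES)
    for dst in ("172.16.1.248", "172.16.0.248", "192.168.1.10", "10.0.0.5"):
        print(dst, "->", next_hop(table, dst))
    # At work the host is attached to 10.0.0.0/24 only: no conflict.
    print("conflicts at work:", check_pushed_routes(["10.0.0.0/24"], PUSHED_ROUTES))
    # At home the host sits on 192.168.1.0/24, the same subnet the server pushes.
    print("conflicts at home:", check_pushed_routes(["192.168.1.0/24"], PUSHED_ROUTES))
```

The home case reproduces the warning in the log above: the server pushes 192.168.1.0/24 while the test client is itself on 192.168.1.0/24, so the pushed route overlaps a directly attached subnet. The VPN address (172.16.1.x) is not involved in that conflict at all.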
janhoedtAuthor Commented:
I took 8080 to connect since my test to connect to my ssh server on port 8080 worked.
janhoedtAuthor Commented:
Can connect now over 3G (see other post) over port 8080 with tcp.

Error log openvpn client:
-------------------------------
Tue Sep 20 09:34:25 2011 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Enter Auth Password:
Tue Sep 20 09:34:33 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Sep 20 09:34:33 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Sep 20 09:34:33 2011 LZO compression initialized
Tue Sep 20 09:34:33 2011 Attempting to establish TCP connection with 81.83.207.254:8080
Tue Sep 20 09:34:55 2011 TCP: connect to 81.83.207.254:8080 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Tue Sep 20 09:35:21 2011 TCP: connect to 81.83.207.254:8080 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)

Set the proxy according to the openvpn manual, same result. Just cannot connect.
The proxy should be the cause but I don't see where.
janhoedtAuthor Commented:
Wait a minute: Tue Sep 20 09:37:52 2011 RESOLVE: Cannot resolve host address: supportsite.servehttp.com: [NO_DATA] The requested name is valid but does not have an IP address.

This didn't popup before. There is something with this proxy. It is a Bluecoat btw.
janhoedtAuthor Commented:
And it works!!!!!
I've set the proxy settings from the client to HTTP proxy and selected to ask for user/password ... works like a charm.
janhoedtAuthor Commented:
Another issue occurred:

Tue Sep 20 15:25:32 2011 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Tue Sep 20 15:25:37 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Sep 20 15:25:37 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Sep 20 15:25:38 2011 LZO compression initialized
Tue Sep 20 15:25:38 2011 Attempting to establish TCP connection with ***proxy*** :8080
Tue Sep 20 15:25:38 2011 TCP connection established with ***proxy*** :8080
Tue Sep 20 15:25:40 2011 SIGTERM[soft,init_instance] received, process exiting


Note I found on the Internet:
--------------------------
I'm taking a stab here, because I'm not sure exactly how you're configured, but whether you're using a peer-to-peer setup or a client-server setup, you should add the "float" option to the ovpn (config) file for each peer, client, or server. Normally, the port that openvpn uses is 1194, so each peer or server is expecting that port from each connection; the "float" option tells the peer / server to accept incoming connections from any port (as long as the other security requirements have been met).
janhoedtAuthor Commented:
Never mind, was proxy authentication. No issues at all anymore.
janhoedtAuthor Commented:
tcp did the trick
Question has a verified solution.
