Solved

OpenVPN TLS error behind proxy

Posted on 2011-09-16
Last Modified: 2012-05-12
Hi,

I have openvpn configured on my Synology NAS 210J.
It works fine, even when I configure within my openvpn client to use port 443, my router reroutes it to the openvpn port (1194 I thought?).

However, when I connect from behind a proxy (work), I cannot connect & get the following messages:

Thu Sep 15 09:00:01 2011 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Thu Sep 15 09:00:07 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Sep 15 09:00:07 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Sep 15 09:00:07 2011 LZO compression initialized
Thu Sep 15 09:00:07 2011 UDPv4 link local (bound): [undef]:1194
Thu Sep 15 09:00:07 2011 UDPv4 link remote: 94.193.102.31:443
Thu Sep 15 09:01:07 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 15 09:01:07 2011 TLS Error: TLS handshake failed
Thu Sep 15 09:01:07 2011 SIGUSR1[soft,tls-error] received, process restarting
Thu Sep 15 09:01:09 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Sep 15 09:01:09 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Sep 15 09:01:09 2011 LZO compression initialized
Thu Sep 15 09:01:09 2011 UDPv4 link local (bound): [undef]:1194
Thu Sep 15 09:01:09 2011 UDPv4 link remote: 94.193.102.31:443

Please advise.
J.
Question by:janhoedt
Accepted Solution
by:acbxyz
This logfile doesn't look like it is using a proxy but using udp. If you want to connect home through a proxy to port 443 and present it as https to this proxy, make sure you use proto tcp on both sides.
http://www.openvpn.net/index.php/open-source/documentation/howto.html#http

Author Comment
by:janhoedt
Thanks! I'll check!

Author Comment
by:janhoedt
I have two issues: connection via 3G and behind proxy but I think they are related.
Opened already another ticket for the 3G.

Here is the output for "behind the proxy":

Local IP 192.168.1.0
VPN: 172.16.0.0 are correct


SETTINGS CLIENT:
-----------------

dev tun
# tls-client plus pull below is what the single "client" directive expands to
tls-client

remote synology-nas-ipaddress 443

# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

#redirect-gateway

pull

# client end of a TCP link; the server end uses proto tcp-server (or proto tcp)
proto tcp-client
script-security 2

# CA that signed the server certificate. There is no ns-cert-type server /
# remote-cert-tls server line, which is what the "No server certificate
# verification method has been enabled" warning in the log refers to.
ca ca.crt

comp-lzo

reneg-sec 0

SETTINGS SERVER:
-----------------
DS> vi openvpn.conf
# LAN behind the NAS, pushed to clients
push "route 192.168.1.0 255.255.255.0"
# the VPN subnet itself; the "server" directive below already installs this route on clients
push "route 172.16.1.0 255.255.255.0"
dev tun

management 127.0.0.1 1195

server 172.16.1.0 255.255.255.0

# 1024-bit DH parameters are considered weak today; 2048-bit is the usual minimum
dh /usr/local/synovpn/etc/openvpn/keys/dh1024.pem
ca /usr/local/synovpn/etc/openvpn/keys/ca.crt
cert /usr/local/synovpn/etc/openvpn/keys/server.crt
key /usr/local/synovpn/etc/openvpn/keys/server.key

max-clients 5

comp-lzo

persist-tun
persist-key

verb 3

#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

# clients authenticate with username/password via RADIUS only, no client certificate
plugin /usr/local/synovpn/lib/radiusplugin.so /usr/local/synovpn/etc/openvpn/rad
client-cert-not-required
username-as-common-name
duplicate-cn
proto tcp

# client-side directive (prompts for the RADIUS username/password); pasted here after the server file
auth-user-pass

Note: issue = Connection timed out (WSAETIMEDOUT).

Expert Comment
by:acbxyz
on client configuration:
What is "proto tcp-client"? I only know "proto tcp" and "client" which works very well.
There is no "http-proxy your.proxy.server 3128" (last is your proxy's port)

On server configuration:
If your server is 172.16.1.0/24, you don't need to push this route explicitly.

Author Comment
by:janhoedt
Ok, thanks, I'll check.
I found these settings somewhere but I'll change them and doublecheck.

172.16.1.0 is the network which vpn gives to me.

Another question: on the work-lan all private ranges are used: 192.168/172.X/10....
Could that cause issues?

Author Comment
by:janhoedt
If I add proto tcp I get this error:

Options error: --proto tcp is ambiguous in this context.  Please specify --proto tcp-server or --proto tcp-client
Use --help for more information.

Expert Comment
by:acbxyz
Assuming you access these other subnets via a default gateway and not static routes on your machine, the only problem might be that the subnets you redirect through your VPN can't be reached any more.
If your vpn is connected, you will see all routes using "route -n" on linux or "route print" on windows.

Author Comment
by:janhoedt
... and with this setting (proto tcp-client) it works fine when I connect from home (LAN) to this openvpn.

Note: proxy was not indicated on work-network because you can indicate to use proxy in openvpn-client.

Author Comment
by:janhoedt
To acbxyz:
Don't understand your explanation, if your vpn is connected, you will see all routes.
=> My question is how to connect, how could I see my routes? The routes on the work network I know, I checked them with route print and as I mentioned all private ones are in use.

Expert Comment
by:acbxyz
In your first post, there were these two lines, which says openvpn tries udp. These lines must not appear in log output
Thu Sep 15 09:00:07 2011 UDPv4 link local (bound): [undef]:1194
Thu Sep 15 09:00:07 2011 UDPv4 link remote: 94.193.102.31:443



I used an openvpn GUI for Windows myself about two years back and it also said I could enter a proxy there or use the one from Internet Explorer. But neither setting worked; the only way that worked was specifying it explicitly in the config file.

About the routes: If you don't want to redirect the subnet which contains the gateway to your proxy nor the subnet of your proxy itself, it should connect.

Author Comment
by:janhoedt
Thanks, I know, I changed them, this is not actually my ip (which is dynamic btw).

Ok, I'll specify the proxy explicitly.

About the routes: ok, so if I'm on 10.0.0.X on work network and even there is a 172.x.x.x route/network it should connect although my openvpn distributed a 172.16 address?

Expert Comment
by:acbxyz
Yes, but the subnet mask does its part.
If your networks at work are 172.16.0.0/16 (=255.255.0.0) and you distribute 172.16.1.0/24 (=255.255.255.0) then 172.16.1.1 or 172.16.1.248 will be routed through vpn, while 172.16.0.248 will still be a reachable workstation at your work.

Expert Comment
by:acbxyz
To be clear: the two lines printing ip addresses and ports are not bad at all, but UDPv4 should not be there. Instead there should be something with TCPv4.

Author Comment
by:janhoedt
Ok.

UDP shouldn't be the issue anymore since I changed to TCP.
Works fine now, from my lan, I'll check tomorrow on my work. Config should be fine now.

This is the output:

Mon Sep 19 21:56:30 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
Mon Sep 19 21:57:41 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Sep 19 21:57:41 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Sep 19 21:57:41 2011 LZO compression initialized
Mon Sep 19 21:57:41 2011 Attempting to establish TCP connection with x.x.207.251:8080
Mon Sep 19 21:57:41 2011 TCP connection established with x.x.x.251:8080
Mon Sep 19 21:57:41 2011 TCPv4_CLIENT link local: [undef]
Mon Sep 19 21:57:41 2011 TCPv4_CLIENT link remote: 81.83.207.251:8080
Mon Sep 19 21:57:41 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Sep 19 21:57:42 2011 [Snake_Oil_CA] Peer Connection Initiated with 81.83.207.251:8080
Mon Sep 19 21:57:45 2011 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{0FD5FF74-EED2-4559-990D-8E8662F545B7}.tap
Mon Sep 19 21:57:45 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.16.1.6/255.255.255.252 on interface {0FD5FF74-EED2-4559-990D-8E8662F545B7} [DHCP-serv: 172.16.1.5, lease-time: 31536000]
Mon Sep 19 21:57:45 2011 Successful ARP Flush on interface [3] {0FD5FF74-EED2-4559-990D-8E8662F545B7}
Mon Sep 19 21:57:50 2011 WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]
Mon Sep 19 21:57:50 2011 Initialization Sequence Completed


Don't understand where the route subnet conflict comes from, vpn is 172.16.x.x.

Expert Comment
by:acbxyz
Since many proxy servers only allow a CONNECT to known secure ports like 443 it might not work with 8080 as public port.
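The mechanics behind the accepted answer and the port caveat just above, as an added example that is not code from the thread: an HTTP proxy relays TCP only (it has no way to forward the UDP datagrams the first log shows), and with "proto tcp" plus "http-proxy" OpenVPN opens a TCP connection to the proxy and asks it for a tunnel with an HTTP CONNECT request. The simulation below builds that request, runs it against a toy proxy that behaves like many corporate ones (CONNECT only to an allow-list of ports, Basic proxy credentials required, otherwise 407) and classifies the outcome the way a client would. The host name, user, password and allow-list are constructed for the example.

```python
"""Simulated HTTP CONNECT exchange between an OpenVPN-style TCP client and an
HTTP proxy (added example, not code from the thread)."""
import base64

ALLOWED_CONNECT_PORTS = {443}        # assumption: proxy only tunnels "https" ports
PROXY_USERS = {"jan": "s3cret"}      # constructed credentials for the toy proxy


def build_connect_request(host, port, user=None, password=None):
    """Build the CONNECT request an http-proxy client sends, optionally with
    a Proxy-Authorization: Basic header."""
    lines = [f"CONNECT {host}:{port} HTTP/1.0", f"Host: {host}:{port}"]
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return "\r\n".join(lines) + "\r\n\r\n"


def fake_proxy(request):
    """Return the status line a policy-enforcing proxy answers with."""
    head, _, _ = request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    if method != "CONNECT":
        return "HTTP/1.0 405 Method Not Allowed"
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    # authentication is checked before the target is even looked at
    auth = headers.get("proxy-authorization", "")
    if not auth.startswith("Basic "):
        return "HTTP/1.0 407 Proxy Authentication Required"
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        return "HTTP/1.0 407 Proxy Authentication Required"
    if PROXY_USERS.get(user) != pw:
        return "HTTP/1.0 407 Proxy Authentication Required"
    _, _, port = target.rpartition(":")
    if not port.isdigit():
        return "HTTP/1.0 400 Bad Request"
    if int(port) not in ALLOWED_CONNECT_PORTS:
        return "HTTP/1.0 403 Forbidden"
    return "HTTP/1.0 200 Connection established"


def connect_through_proxy(host, port, user=None, password=None):
    """Run the exchange and map the proxy's answer to what the client should do."""
    status = fake_proxy(build_connect_request(host, port, user, password))
    code = int(status.split(" ")[1])
    if code == 200:
        return "tunnel-open"      # only now can the OpenVPN TLS handshake start
    if code == 407:
        return "need-proxy-auth"  # supply credentials (http-proxy ... auth-file / GUI prompt)
    if code == 403:
        return "port-blocked"     # publish the VPN on an allowed port such as 443
    return "failed"


if __name__ == "__main__":
    for args in [("vpn.example.net", 443, "jan", "s3cret"),
                 ("vpn.example.net", 443),
                 ("vpn.example.net", 8080, "jan", "s3cret")]:
        print(args, "->", connect_through_proxy(*args))
```

Two of the outcomes correspond to the later turns in this thread: a proxy that answers 407 until the client is told to authenticate, and a proxy that refuses CONNECT to 8080 even though the same port works fine from 3G or the home LAN, where no proxy sits in the path.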
 
Expert Comment
by:acbxyz
Just saw the other question:
Your VPN server sends a route request to the client, it should route all packets to 192.168.1.0/24 through the vpn. But 192.168.1.0/24 is directly attached to your client now.
Directly attached subnets can't be redirected for a good reason. Otherwise you would route your VPN tunnel packets through your VPN, whose packets would be sent through the VPN, and again and again...
If your computer at work is not directly attached to a network called 192.168.1.0/24 you won't get this error.

Besides, if you XX out your official IP, you should do it everywhere ;-)
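The subnet-mask answer a few comments up and the route-conflict explanation here, as an added example that is not code from the thread: a longest-prefix route lookup over a constructed routing table (work LAN 172.16.0.0/16 with a default gateway, VPN pushing 172.16.1.0/24 via the tun interface) and the overlap check behind the "potential route subnet conflict" warning. It uses Python's ipaddress module; the addresses are the ones discussed in the thread, the table layout and interface names are assumptions.

```python
"""Longest-prefix route lookup and the directly-attached-subnet conflict check
(added example, not code from the thread)."""
import ipaddress


def longest_prefix_match(routes, dst):
    """routes: list of (network, via). Returns the via of the most specific
    network containing dst, or None. The most specific route wins, which is
    why a /24 pushed by the VPN overrides a /16 that is local to the office."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net_str, via in routes:
        net = ipaddress.ip_network(net_str, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return None if best is None else best[1]


def pushed_route_conflicts(local_lans, pushed_routes):
    """Return (pushed, local) pairs where a route pushed by the VPN server
    overlaps a subnet the client is directly attached to. Such a route cannot
    be honoured: the tunnel's own packets would otherwise be sent into the
    tunnel again."""
    conflicts = []
    for pushed in pushed_routes:
        p = ipaddress.ip_network(pushed, strict=False)
        for lan in local_lans:
            l = ipaddress.ip_network(lan, strict=False)
            if p.overlaps(l):
                conflicts.append((pushed, lan))
    return conflicts


# Constructed table for a client sitting on the work LAN with the VPN up.
WORK_ROUTES = [
    ("0.0.0.0/0", "work-gateway"),    # default route
    ("172.16.0.0/16", "work-lan"),    # directly attached office network
    ("172.16.1.0/24", "tun0"),        # installed by the VPN's "server" directive
]

# Routes the NAS pushes in the thread; the first collides when the client's
# own LAN is 192.168.1.0/24 (the home case), not at work on 10.x or 172.16.x.
PUSHED_ROUTES = ["192.168.1.0/24", "172.16.1.0/24"]


if __name__ == "__main__":
    for dst in ("172.16.1.248", "172.16.0.248", "8.8.8.8"):
        print(dst, "->", longest_prefix_match(WORK_ROUTES, dst))
    print("at home:", pushed_route_conflicts(["192.168.1.0/24"], PUSHED_ROUTES))
    print("at work:", pushed_route_conflicts(["172.16.0.0/16"], PUSHED_ROUTES))
```

Note that at work the pushed 172.16.1.0/24 does overlap the office /16; that is a different situation from the warning in the log, because it is a more specific route inside the LAN, so 172.16.1.x hosts become unreachable at the office while 172.16.0.x still works, exactly as described above.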
 

Author Comment
by:janhoedt
I took 8080 to connect since my test to connect to my ssh server on port 8080 worked.

Author Comment
by:janhoedt
Can connect now over 3G (see other post) over port 8080 with tcp.

Error log openvpn client:
-------------------------------
Tue Sep 20 09:34:25 2011 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Enter Auth Password:
Tue Sep 20 09:34:33 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Sep 20 09:34:33 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Sep 20 09:34:33 2011 LZO compression initialized
Tue Sep 20 09:34:33 2011 Attempting to establish TCP connection with 81.83.207.254:8080
Tue Sep 20 09:34:55 2011 TCP: connect to 81.83.207.254:8080 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Tue Sep 20 09:35:21 2011 TCP: connect to 81.83.207.254:8080 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)

Set proxy according to openvpn manual, same result. Just cannot connect.
Proxy should be cause but don't see where.

Author Comment
by:janhoedt
Wait a minute: Tue Sep 20 09:37:52 2011 RESOLVE: Cannot resolve host address: supportsite.servehttp.com: [NO_DATA] The requested name is valid but does not have an IP address.

This didn't popup before. There is something with this proxy. It is a Bluecoat btw.

Author Comment
by:janhoedt
And it works!!!!!
I've set the proxy settings from the client to HTTP proxy and selected to ask for user/password ... works like a charm.

Author Comment
by:janhoedt
Another issue occured:

Tue Sep 20 15:25:32 2011 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Tue Sep 20 15:25:37 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Sep 20 15:25:37 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Sep 20 15:25:38 2011 LZO compression initialized
Tue Sep 20 15:25:38 2011 Attempting to establish TCP connection with ***proxy*** :8080
Tue Sep 20 15:25:38 2011 TCP connection established with ***proxy*** :8080
Tue Sep 20 15:25:40 2011 SIGTERM[soft,init_instance] received, process exiting


Note I found on Internet:
--------------------------
I'm taking a stab here, because I'm not sure exactly how you're configured, but whether you're using a peer to peer setup or a client-server setup, you should add the "float" option to the ovpn (config) file for each peer, client, or server. Normally, the port that openvpn uses is 1194, so each peer or server is expecting that port from each connection - the "float" option tells the peer / server to accept incoming connections from any port (as long as the other security requirements have been met)

Author Comment
by:janhoedt
Never mind, was proxy authentication. No issues at all anymore.

Author Closing Comment
by:janhoedt
tcp did the trick