Hello,
I can connect to OpenVPN on port 1194/UDP only. 443/TCP, 8443/TCP, ... don't work.
The server is dedicated to SoftEther and nothing else is installed. Firewall is disabled.
SoftEther VPN Server Manager connects on port 443 but OpenVPN cannot.
The error I receive is:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Please advise.
Omid
Can't connect to OpenVPN on any port other than 1194
- Posts: 14
- Joined: Mon Oct 10, 2016 5:12 pm
- Posts: 50
- Joined: Mon Dec 02, 2019 6:29 am
Re: Can't connect to OpenVPN on any port other than 1194
I hope you don't have some MITM going on. Try to take this starting point for your OpenVPN config file and see if you get better results. You'll need to correct a few places: 'remote', 'verify-x509-name', 'route', 'dhcp-option', and the certificates.
# Obviously, this is a typical Ethan Olson config file for OpenVPN.
# Obviously, this is the client-side connection, so we define that.
client
# Tunnel mode because this is a traditional Client-Server VPN connection
dev tun
# Use TCP instead of UDP
proto tcp
# Define VPN Server and Port
remote spazmaster77.softether.net 443
# Yep, TLS for sure.
tls-client
# Define TLS 1.2 as minimum
tls-version-min 1.2
# Choose TLS 1.3 cipher suites
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# Choose TLS 1.2 cipher suites. Criteria are PFS, high encryption, AEAD, SHA2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
# Define the symmetric encryption. Criteria are 192-bit, Camellia or AES. Sadly, SE server doesn't support GCM.
#cipher AES-192-GCM
cipher CAMELLIA-192-CBC
# Define hash that fully accommodates encryption key (2x cipher key length)
auth SHA384
# Spend 9 seconds looking for the VPN server
resolv-retry 9
# Use dynamic port for packet return
nobind
# These next two lines reopen the tunnel if it collapses
persist-key
persist-tun
# Not using compression (SE server doesn't support LZx compressions)
#compress lz4-v2
# How verbose are we going to be? 2.
verb 2
# Since SE is on the other end, it has to be username and password
auth-user-pass
# Don't cache credentials in memory (reduce credential theft from memory, but require reentry if tunnel reestablishes).
auth-nocache
# Detect MITM... kind of a big deal.
verify-x509-name 'spazmaster77.softether.net' "name"
# No MTU defined (certain techs, like PPPoE, mess with it anyway). Prefer MSS Fixing instead.
#link-mtu 1500
# Use the largest non-fragmenting packet size available.
mssfix max
# Don't bother with the client certificates. Though they are included so OpenVPN clients don't complain.
setenv CLIENT_CERT 0
# Routing rules that make a split tunnel instead of a full tunnel. Don't use this block if you want all traffic to flow through the VPN.
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway
# Routing rules to define which subnets are accessed through the VPN tunnel.
route 192.168.206.0 255.255.255.0 vpn_gateway 1
# Provide DNS info for the connected network.
dhcp-option DNS 192.168.206.12
dhcp-option DOMAIN 'sinofipasteur.com'
# I hope you know what the rest of this is.
<ca>
---take it from here, yo!
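The split-tunnel route block in the config above rewards a closer look. As an added example (my code, not the poster's), the following Python script parses those route lines and applies longest-prefix matching the way the operating system does, then shows why four /2 routes are used rather than one default: if the server also pushes redirect-gateway def1 (an assumption about this particular server, since its push settings are not in the thread; def1 installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel), the more specific /2 routes still send Internet traffic out the physical gateway while 192.168.206.0/24 stays inside the tunnel.

```python
# Added example, not part of the forum post: simulate OpenVPN route selection
# for the split-tunnel block above with longest-prefix match, and show that
# the four /2 routes via net_gateway beat a pushed "redirect-gateway def1"
# (0.0.0.0/1 and 128.0.0.0/1 via vpn_gateway).
import ipaddress

# Route lines copied from the config above. net_gateway is the LAN router,
# vpn_gateway the tunnel endpoint; the optional last field is the metric.
SPLIT_TUNNEL_ROUTES = """
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway
route 192.168.206.0 255.255.255.0 vpn_gateway 1
"""

# Routes OpenVPN installs when the server pushes "redirect-gateway def1".
# Assumption: whether this server pushes them depends on its configuration.
DEF1_PUSHED_ROUTES = """
route 0.0.0.0 128.0.0.0 vpn_gateway
route 128.0.0.0 128.0.0.0 vpn_gateway
"""


def parse_routes(text):
    """Parse 'route <network> <netmask> <gateway> [metric]' lines into a list of
    (network, gateway, metric) tuples. Comments and unrelated lines are skipped."""
    routes = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("route "):
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"malformed route line: {line!r}")
        # ipaddress accepts dotted netmasks, so 192.0.0.0 becomes /2
        net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        metric = int(parts[4]) if len(parts) > 4 else 0
        routes.append((net, parts[3], metric))
    return routes


def select_gateway(routes, dst):
    """Pick the gateway for dst: longest prefix wins, lower metric breaks ties."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gateway, metric in routes:
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gateway)
    return best[1] if best else "default"


if __name__ == "__main__":
    table = parse_routes(SPLIT_TUNNEL_ROUTES + DEF1_PUSHED_ROUTES)
    for ip in ("8.8.8.8", "192.168.206.12", "172.16.5.9"):
        print(f"{ip:>16} -> {select_gateway(table, ip)}")
```

With only the split-tunnel routes, everything except 192.168.206.0/24 leaves via net_gateway; adding the def1 pair changes nothing, because a /2 is more specific than a /1. Remove the four /2 lines and the same destinations flip to vpn_gateway, which is the full-tunnel behaviour the comment in the config warns about.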
- Posts: 14
- Joined: Mon Oct 10, 2016 5:12 pm
Re: Can't connect to OpenVPN on any port other than 1194
Hello,
Thank you very much. Here's my config file. It still doesn't work:
###############################################################################
# OpenVPN 2.0 Sample Configuration File
# for PacketiX VPN / SoftEther VPN Server
#
# !!! AUTO-GENERATED BY SOFTETHER VPN SERVER MANAGEMENT TOOL !!!
#
# !!! YOU HAVE TO REVIEW IT BEFORE USE AND MODIFY IT AS NECESSARY !!!
#
# This configuration file is auto-generated. You can use it to connect to
# the PacketiX VPN / SoftEther VPN Server.
# However, before you try it, review the descriptions in the file and modify
# whatever is needed for your real environment. For example, the IP address
# or hostname of the destination VPN Server should be confirmed.
#
# Note that to use OpenVPN 2.0 with this config file, you have to put the
# certificate file of the destination VPN Server on the OpenVPN Client
# computer. Please read the descriptions below carefully.
###############################################################################
# Specify the type of the layer of the VPN connection.
#
# To connect to the VPN Server as a "Remote-Access VPN Client PC",
# specify 'dev tun'. (Layer-3 IP Routing Mode)
#
# To connect to the VPN Server as a bridging equipment of "Site-to-Site VPN",
# specify 'dev tap'. (Layer-2 Ethernet Bridging Mode)
dev tun
###############################################################################
# Specify the underlying protocol beyond the Internet.
# Note that this setting must correspond to the listener setting on
# the VPN Server.
#
# Specify either 'proto tcp' or 'proto udp'.
proto tcp
###############################################################################
# The destination hostname / IP address, and port number of
# the target VPN Server.
#
# You have to specify as 'remote <HOSTNAME> <PORT>'. You can also
# specify the IP address instead of the hostname.
#
# Note that the auto-generated hostname below is the "auto-detected
# IP address" of the VPN Server. Confirm that it is correct beforehand.
#
# When you want to connect to the VPN Server by using TCP protocol,
# the port number of the destination TCP port should be same as one of
# the available TCP listeners on the VPN Server.
#
# When you use the UDP protocol, the port number must be the same as the
# "OpenVPN Server Compatible Function" setting on the VPN Server.
# Note: the hostname below comes from the Dynamic DNS Client function
# running on the VPN Server. If you don't want to use the Dynamic DNS
# hostname, replace it with either an IP address or another hostname.
remote nyc3-02.solidvpn.net 1194
###############################################################################
# The HTTP/HTTPS proxy setting.
#
# Only if you have to use the Internet via a proxy, uncomment the below
# two lines and specify the proxy address and the port number.
# If proxy authentication is required, refer to the OpenVPN manual.
;http-proxy-retry
;http-proxy [proxy server] [proxy port]
###############################################################################
# The encryption and authentication algorithm.
#
# Default setting is good. Modify it as you prefer.
# If you specify an unsupported algorithm, an error will occur.
#
# The supported algorithms are as follows:
# cipher: [NULL-CIPHER] NULL AES-128-CBC AES-192-CBC AES-256-CBC BF-CBC
# CAST-CBC CAST5-CBC DES-CBC DES-EDE-CBC DES-EDE3-CBC DESX-CBC
# RC2-40-CBC RC2-64-CBC RC2-CBC CAMELLIA-128-CBC CAMELLIA-192-CBC CAMELLIA-256-CBC
# auth: SHA SHA1 SHA256 SHA384 SHA512 MD5 MD4 RMD160
tls-client
tls-version-min 1.2
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
#cipher AES-256-CBC
cipher CAMELLIA-192-CBC
#auth SHA512
auth SHA384
###############################################################################
# Other parameters necessary to connect to the VPN Server.
#
# It is not recommended to modify it unless you have a particular need.
resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
block-outside-dns
- Posts: 50
- Joined: Mon Dec 02, 2019 6:29 am
Re: Can't connect to OpenVPN on any port other than 1194
You need to change this line in your config file...
from:
remote nyc3-02.solidvpn.net 1194
to:
remote nyc3-02.solidvpn.net 443
Or change it to whichever port other than 1194 you want to use and your SE server is setup to use (and your firewall has open/forwarded).
- Posts: 14
- Joined: Mon Oct 10, 2016 5:12 pm
Re: Can't connect to OpenVPN on any port other than 1194
Sorry that was a typo. It is actually 443.
Still can't connect. I get "connection reset".
This is driving me crazy.
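The two symptoms in this thread (a TLS negotiation that times out after 60 seconds, then "connection reset") point at different things, and the client log alone does not say which. Here is an added diagnostic script (mine, not from the thread or from SoftEther) that opens the TCP port, sends one OpenVPN P_CONTROL_HARD_RESET_CLIENT_V2 packet and classifies whatever comes back. It assumes the server uses no tls-auth or tls-crypt (neither config in this thread defines one; with them an unauthenticated reset is silently dropped). The host and port on the command line are placeholders you supply.

```python
# Added example, not from the thread: probe a TCP port to see whether an
# OpenVPN server (e.g. SoftEther's OpenVPN clone function) really answers
# there, or whether the connection is reset, ignored, or answered by a
# different service. Assumes no tls-auth/tls-crypt on the server.
import os
import socket
import struct
import sys

OP_HARD_RESET_CLIENT_V2 = 7   # client's first control packet
OP_HARD_RESET_SERVER_V2 = 8   # what a real OpenVPN server replies with


def build_client_reset(session_id=None):
    """TCP-framed P_CONTROL_HARD_RESET_CLIENT_V2 without tls-auth:
    2-byte length prefix, then opcode<<3|key_id, 8-byte session id,
    1-byte ack-array length (0) and a 4-byte packet id (0)."""
    sid = session_id if session_id is not None else os.urandom(8)
    body = bytes([OP_HARD_RESET_CLIENT_V2 << 3]) + sid + b"\x00" + struct.pack("!I", 0)
    return struct.pack("!H", len(body)) + body, sid


def classify_reply(data, client_sid):
    """Map the first bytes read from the socket to a diagnosis string."""
    if not data:
        return "closed-by-peer"          # peer closed without sending anything
    if len(data) >= 2 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "plain-tls"               # a raw TLS record: a TLS service, not OpenVPN framing
    if data.startswith(b"HTTP/"):
        return "http"                    # a web server answered
    if len(data) < 2:
        return "unknown"
    length = struct.unpack("!H", data[:2])[0]
    body = data[2:2 + length]
    if len(body) < 14 or (body[0] >> 3) != OP_HARD_RESET_SERVER_V2:
        return "unknown"
    ack_count = body[9]
    if ack_count >= 1:
        off = 10 + 4 * ack_count         # remote session id follows the acked packet ids
        if body[off:off + 8] != client_sid:
            return "openvpn-other-session"
    return "openvpn"


def probe(host, port, timeout=5.0):
    """Connect, send one client reset and return (diagnosis, raw reply bytes)."""
    pkt, sid = build_client_reset()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(pkt)
            try:
                data = s.recv(1024)
            except socket.timeout:
                return "no-reply-timeout", b""   # packet swallowed: TLS will time out later
            except ConnectionResetError:
                return "reset", b""
    except ConnectionRefusedError:
        return "refused", b""
    except OSError as exc:
        return f"connect-error:{exc}", b""
    return classify_reply(data, sid), data


if __name__ == "__main__":
    # Placeholder arguments, e.g.: python3 probe.py vpn.example.net 443
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    diagnosis, raw = probe(target_host, target_port)
    print(diagnosis, raw[:32].hex())
```

Reading the result: `openvpn` means the listener really speaks OpenVPN over TCP on that port, so the remaining suspects are the client config and the certificate; `no-reply-timeout` is the condition that ends in the 60-second "TLS key negotiation failed" message; `reset`, `refused` or `closed-by-peer` means nothing is accepting OpenVPN there (wrong port, listener not enabled for that port, or a device in the path closing the connection); `plain-tls` or `http` means a different service owns that port.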