Can't connect to OpenVPN on any port other than 1194

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
Post Reply
Omid
Posts: 13
Joined: Mon Oct 10, 2016 5:12 pm

Can't connect to OpenVPN on any port other than 1194

Post by Omid » Thu Jan 09, 2020 7:34 pm

Hello,

I can connect to OpenVPN on port 1194/UDP only. 443/TCP, 8443/TCP, ... don't work.

The server is dedicated to SoftEther and nothing else is installed. Firewall is disabled.

SoftEther VPN Server Manager connects on port 443 but OpenVPN cannot.

The error I receive is:

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

Please advise.

Omid

Omid
Posts: 13
Joined: Mon Oct 10, 2016 5:12 pm

Re: Can't connect to OpenVPN on any port other than 1194

Post by Omid » Fri Jan 10, 2020 1:20 pm

Anybody?

ethanolson
Posts: 30
Joined: Mon Dec 02, 2019 6:29 am

Re: Can't connect to OpenVPN on any port other than 1194

Post by ethanolson » Sat Jan 11, 2020 3:17 am

I hope you don't have some MITM going on. Try to take this starting point for your OpenVPN config file and see if you get better results. You'll need to correct a few places: 'remote', 'verify-x509-name', 'route', 'dhcp-option', and the certificates.

# Obviously, this is a typical Ethan Olson config file for OpenVPN.

# Obviously, this is the client-side connection, so we define that.
client

# Tunnel mode because this is a traditional Client-Server VPN connection
dev tun

# Use TCP instead of UDP
proto tcp

# Define VPN Server and Port
remote spazmaster77.softether.net 443

# Yep, TLS for sure.
tls-client

# Define TLS 1.2 as minimum
tls-version-min 1.2

# Choose TLS 1.3 cipher suites
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

# Choose TLS 1.2 cipher suites. Criteria are PFS, high encryption, AEAD, SHA2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

# Define the symmetric encryption. Criteria are 192-bit, Camellia or AES. Sadly, SE server doesn't support GCM.
#cipher AES-192-GCM
cipher CAMELLIA-192-CBC

# Define hash that fully accommodates encryption key (2x cipher key length)
auth SHA384

# Spend 9 seconds looking for the VPN server
resolv-retry 9

# Use dynamic port for packet return
nobind

# These next two lines reopen the tunnel if it collapses
persist-key
persist-tun

# Not using compression (SE server doesn't support LZx compressions)
#compress lz4-v2

# How verbose are we going to be? 2.
verb 2

# Since SE is on the other end, it has to be username and password
auth-user-pass

# Don't cache credentials in memory (reduce credential theft from memory, but require reentry if tunnel reestablishes).
auth-nocache

# Detect MITM... kind of a big deal.
verify-x509-name 'spazmaster77.softether.net' "name"

# No MTU defined (certain techs, like PPPoE, mess with it anyway). Prefer MSS Fixing instead.
#link-mtu 1500

# Use the largest non-fragmenting packet size available.
mssfix max

# Don't bother with the client certificates. Though they are included so OpenVPN clients don't complain.
setenv CLIENT_CERT 0

# Routing rules that make a split tunnel instead of a full tunnel. Don't use this block if you want all traffic to flow through the VPN.
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

# Routing rules to define which subnets are accessed through the VPN tunnel.
route 192.168.206.0 255.255.255.0 vpn_gateway 1

# Provide DNS info for the connected network.
dhcp-option DNS 192.168.206.12
dhcp-option DOMAIN 'sinofipasteur.com'

# I hope you know what the rest of this is.
<ca>

---take it from here, yo!

Omid
Posts: 13
Joined: Mon Oct 10, 2016 5:12 pm

Re: Can't connect to OpenVPN on any port other than 1194

Post by Omid » Sat Jan 11, 2020 8:30 am

Hello,

Thank you very much. Here's my config file. It still doesn't work:

Code: Select all

###############################################################################
# OpenVPN 2.0 Sample Configuration File
# for PacketiX VPN / SoftEther VPN Server
# 
# !!! AUTO-GENERATED BY SOFTETHER VPN SERVER MANAGEMENT TOOL !!!
# 
# !!! YOU HAVE TO REVIEW IT BEFORE USE AND MODIFY IT AS NECESSARY !!!
# 
# This configuration file is auto-generated. You might use this config file
# in order to connect to the PacketiX VPN / SoftEther VPN Server.
# However, before you try it, you should review the descriptions of the file
# to determine the necessity to modify to suitable for your real environment.
# If necessary, you have to modify a little adequately on the file.
# For example, the IP address or the hostname as a destination VPN Server
# should be confirmed.
# 
# Note that to use OpenVPN 2.0, you have to put the certification file of
# the destination VPN Server on the OpenVPN Client computer when you use this
# config file. Please refer the below descriptions carefully.


###############################################################################
# Specify the type of the layer of the VPN connection.
# 
# To connect to the VPN Server as a "Remote-Access VPN Client PC",
#  specify 'dev tun'. (Layer-3 IP Routing Mode)
#
# To connect to the VPN Server as a bridging equipment of "Site-to-Site VPN",
#  specify 'dev tap'. (Layer-2 Ethernet Bridgine Mode)

dev tun


###############################################################################
# Specify the underlying protocol beyond the Internet.
# Note that this setting must be correspond with the listening setting on
# the VPN Server.
# 
# Specify either 'proto tcp' or 'proto udp'.

proto tcp


###############################################################################
# The destination hostname / IP address, and port number of
# the target VPN Server.
# 
# You have to specify as 'remote <HOSTNAME> <PORT>'. You can also
# specify the IP address instead of the hostname.
# 
# Note that the auto-generated below hostname are a "auto-detected
# IP address" of the VPN Server. You have to confirm the correctness
# beforehand.
# 
# When you want to connect to the VPN Server by using TCP protocol,
# the port number of the destination TCP port should be same as one of
# the available TCP listeners on the VPN Server.
# 
# When you use UDP protocol, the port number must same as the configuration
# setting of "OpenVPN Server Compatible Function" on the VPN Server.

# Note: The below hostname is came from the Dynamic DNS Client function
#       which is running on the VPN Server. If you don't want to use
#       the Dynamic DNS hostname, replace it to either IP address or
#       other domain's hostname.

remote nyc3-02.solidvpn.net 1194


###############################################################################
# The HTTP/HTTPS proxy setting.
# 
# Only if you have to use the Internet via a proxy, uncomment the below
# two lines and specify the proxy address and the port number.
# In the case of using proxy-authentication, refer the OpenVPN manual.

;http-proxy-retry
;http-proxy [proxy server] [proxy port]


###############################################################################
# The encryption and authentication algorithm.
# 
# Default setting is good. Modify it as you prefer.
# When you specify an unsupported algorithm, the error will occur.
# 
# The supported algorithms are as follows:
#  cipher: [NULL-CIPHER] NULL AES-128-CBC AES-192-CBC AES-256-CBC BF-CBC
#          CAST-CBC CAST5-CBC DES-CBC DES-EDE-CBC DES-EDE3-CBC DESX-CBC
#          RC2-40-CBC RC2-64-CBC RC2-CBC CAMELLIA-128-CBC CAMELLIA-192-CBC CAMELLIA-256-CBC
#  auth:   SHA SHA1 SHA256 SHA384 SHA512 MD5 MD4 RMD160

tls-client
tls-version-min 1.2
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
#cipher AES-256-CBC
cipher CAMELLIA-192-CBC
#auth SHA512
auth SHA384


###############################################################################
# Other parameters necessary to connect to the VPN Server.
# 
# It is not recommended to modify it unless you have a particular need.

resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
block-outside-dns


ethanolson
Posts: 30
Joined: Mon Dec 02, 2019 6:29 am

Re: Can't connect to OpenVPN on any port other than 1194

Post by ethanolson » Sun Jan 12, 2020 3:30 pm

You need to change this line in your config file...
from:
remote nyc3-02.solidvpn.net 1194
to:
remote nyc3-02.solidvpn.net 443

Or change it to whichever port other than 1194 you want to use and your SE server is setup to use (and your firewall has open/forwarded).

Omid
Posts: 13
Joined: Mon Oct 10, 2016 5:12 pm

Re: Can't connect to OpenVPN on any port other than 1194

Post by Omid » Sun Jan 12, 2020 4:35 pm

Sorry that was a typo. It is actually 443.

Still can't connect. I get "connection reset".

This is driving me crazy.

Post Reply