Old 08-19-2015, 11:55 PM   #1
matt_cinder
LQ Newbie
 
Registered: Aug 2015
Posts: 2

Rep: Reputation: Disabled
No internet with OpenVPN + Stunnel configuration


Hi everyone,

I'm attempting to install OpenVPN with Stunnel on a CentOS 6 based server and access it via an OpenVPN client on a Windows machine. When I try to connect, I get into a long soft,connection-reset loop. It will eventually connect, but then I cannot browse the internet. Here's a log from the OpenVPN client (I masked my IP to all x's):

Code:
Thu Aug 20 12:41:53 2015 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:443 [nonblock]
Thu Aug 20 12:41:53 2015 MANAGEMENT: >STATE:1440045713,TCP_CONNECT,,,
Thu Aug 20 12:41:54 2015 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
Thu Aug 20 12:41:54 2015 TCPv4_CLIENT link local: [undef]
Thu Aug 20 12:41:54 2015 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
Thu Aug 20 12:41:54 2015 MANAGEMENT: >STATE:1440045714,WAIT,,,
Thu Aug 20 12:41:54 2015 Connection reset, restarting [-1]
Thu Aug 20 12:41:54 2015 TCP/UDP: Closing socket
Thu Aug 20 12:41:54 2015 SIGUSR1[soft,connection-reset] received, process restarting
Thu Aug 20 12:41:54 2015 MANAGEMENT: >STATE:1440045714,RECONNECTING,connection-reset,,
Thu Aug 20 12:41:54 2015 Restart pause, 5 second(s)
Thu Aug 20 12:41:59 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Aug 20 12:41:59 2015 Re-using SSL/TLS context
Thu Aug 20 12:41:59 2015 Control Channel MTU parms [ L:1575 D:140 EF:40 EB:0 ET:0 EL:3 ]
Thu Aug 20 12:41:59 2015 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Aug 20 12:41:59 2015 Data Channel MTU parms [ L:1575 D:1450 EF:43 EB:12 ET:32 EL:3 ]
Thu Aug 20 12:41:59 2015 Local Options String: 'V4,dev-type tun,link-mtu 1575,tun-mtu 1532,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Aug 20 12:41:59 2015 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1575,tun-mtu 1532,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Aug 20 12:41:59 2015 Local Options hash (VER=V4): '8292e75f'
Thu Aug 20 12:41:59 2015 Expected Remote Options hash (VER=V4): 'cc595d13'
Thu Aug 20 12:41:59 2015 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:443 [nonblock]
Thu Aug 20 12:41:59 2015 MANAGEMENT: >STATE:1440045719,TCP_CONNECT,,,
Thu Aug 20 12:42:00 2015 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
Thu Aug 20 12:42:00 2015 TCPv4_CLIENT link local: [undef]
Thu Aug 20 12:42:00 2015 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
Thu Aug 20 12:42:00 2015 MANAGEMENT: >STATE:1440045720,WAIT,,,
Thu Aug 20 12:42:00 2015 Connection reset, restarting [-1]
Thu Aug 20 12:42:00 2015 TCP/UDP: Closing socket
Thu Aug 20 12:42:00 2015 SIGUSR1[soft,connection-reset] received, process restarting
Thu Aug 20 12:42:00 2015 MANAGEMENT: >STATE:1440045720,RECONNECTING,connection-reset,,
Thu Aug 20 12:42:00 2015 Restart pause, 5 second(s)
Thu Aug 20 12:42:05 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Aug 20 12:42:05 2015 Re-using SSL/TLS context
Thu Aug 20 12:42:05 2015 Control Channel MTU parms [ L:1575 D:140 EF:40 EB:0 ET:0 EL:3 ]
Thu Aug 20 12:42:05 2015 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Aug 20 12:42:05 2015 Data Channel MTU parms [ L:1575 D:1450 EF:43 EB:12 ET:32 EL:3 ]
Thu Aug 20 12:42:05 2015 Local Options String: 'V4,dev-type tun,link-mtu 1575,tun-mtu 1532,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Aug 20 12:42:05 2015 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1575,tun-mtu 1532,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Aug 20 12:42:05 2015 Local Options hash (VER=V4): '8292e75f'
Thu Aug 20 12:42:05 2015 Expected Remote Options hash (VER=V4): 'cc595d13'
Thu Aug 20 12:42:05 2015 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:443 [nonblock]
Thu Aug 20 12:42:05 2015 MANAGEMENT: >STATE:1440045725,TCP_CONNECT,,,
Thu Aug 20 12:42:06 2015 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
Thu Aug 20 12:42:06 2015 TCPv4_CLIENT link local: [undef]
Thu Aug 20 12:42:06 2015 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
Thu Aug 20 12:42:06 2015 MANAGEMENT: >STATE:1440045726,WAIT,,,
Thu Aug 20 12:42:07 2015 MANAGEMENT: >STATE:1440045727,AUTH,,,
Thu Aug 20 12:42:07 2015 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:443, sid=be5d4aef f7717550
Thu Aug 20 12:42:07 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Aug 20 12:42:14 2015 VERIFY OK: depth=1, C=JP, ST=Tokyo, L=Tokyo, O=Cinder, OU=changeme, CN=cinder, name=Matt, emailAddress=matt@cindercooks.com
Thu Aug 20 12:42:14 2015 VERIFY OK: depth=0, C=JP, ST=Tokyo, L=Tokyo, O=Cinder, OU=changeme, CN=cinder, name=Matt, emailAddress=matt@cindercooks.com
Thu Aug 20 12:42:24 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Aug 20 12:42:24 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 20 12:42:24 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Aug 20 12:42:24 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 20 12:42:24 2015 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Thu Aug 20 12:42:24 2015 [cinder] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:443
Thu Aug 20 12:42:25 2015 MANAGEMENT: >STATE:1440045745,GET_CONFIG,,,
Thu Aug 20 12:42:27 2015 SENT CONTROL [cinder]: 'PUSH_REQUEST' (status=1)
Thu Aug 20 12:42:27 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.8.0.6 10.8.0.5'
Thu Aug 20 12:42:27 2015 OPTIONS IMPORT: timers and/or timeouts modified
Thu Aug 20 12:42:27 2015 OPTIONS IMPORT: --ifconfig/up options modified
Thu Aug 20 12:42:27 2015 OPTIONS IMPORT: route options modified
Thu Aug 20 12:42:27 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Aug 20 12:42:27 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Aug 20 12:42:27 2015 MANAGEMENT: >STATE:1440045747,ASSIGN_IP,,10.8.0.6,
Thu Aug 20 12:42:27 2015 open_tun, tt->ipv6=0
Thu Aug 20 12:42:27 2015 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{B6A9607C-0150-49AF-90A9-AA0FD35EB133}.tap
Thu Aug 20 12:42:27 2015 TAP-Windows Driver Version 9.21 
Thu Aug 20 12:42:27 2015 TAP-Windows MTU=1500
Thu Aug 20 12:42:27 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {B6A9607C-0150-49AF-90A9-AA0FD35EB133} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Thu Aug 20 12:42:27 2015 DHCP option string: 06080808 08080808 0404
Thu Aug 20 12:42:27 2015 NOTE: FlushIpNetTable failed on interface [12] {B6A9607C-0150-49AF-90A9-AA0FD35EB133} (status=5) : Access is denied.  
Thu Aug 20 12:42:32 2015 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Thu Aug 20 12:42:32 2015 C:\Windows\system32\route.exe ADD xxx.xxx.xxx.xxx MASK 255.255.255.255 192.168.1.1
Thu Aug 20 12:42:32 2015 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=3]
Thu Aug 20 12:42:32 2015 Route addition via IPAPI failed [adaptive]
Thu Aug 20 12:42:32 2015 Route addition fallback to route.exe
Thu Aug 20 12:42:32 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Thu Aug 20 12:42:32 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1
Thu Aug 20 12:42:32 2015 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Thu Aug 20 12:42:32 2015 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=12]
Thu Aug 20 12:42:32 2015 Route addition via IPAPI failed [adaptive]
Thu Aug 20 12:42:32 2015 Route addition fallback to route.exe
Thu Aug 20 12:42:32 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Thu Aug 20 12:42:32 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1
Thu Aug 20 12:42:32 2015 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Thu Aug 20 12:42:32 2015 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=12]
Thu Aug 20 12:42:32 2015 Route addition via IPAPI failed [adaptive]
Thu Aug 20 12:42:32 2015 Route addition fallback to route.exe
Thu Aug 20 12:42:32 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Thu Aug 20 12:42:32 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1
Thu Aug 20 12:42:32 2015 MANAGEMENT: >STATE:1440045752,ADD_ROUTES,,,
Thu Aug 20 12:42:32 2015 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Thu Aug 20 12:42:32 2015 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=12]
Thu Aug 20 12:42:32 2015 Route addition via IPAPI failed [adaptive]
Thu Aug 20 12:42:32 2015 Route addition fallback to route.exe
Thu Aug 20 12:42:32 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Thu Aug 20 12:42:32 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1
Thu Aug 20 12:42:32 2015 Initialization Sequence Completed
Thu Aug 20 12:42:32 2015 MANAGEMENT: >STATE:1440045752,CONNECTED,SUCCESS,10.8.0.6,xxx.xxx.xxx.xxx
Here's the /var/log/messages on the server:

Code:
Aug 20 13:20:37  openvpn[1335]: TCP connection established with [AF_INET]yyy.yyy.yyy.yyy:46845
Aug 20 13:20:38  openvpn[1335]: yyy.yyy.yyy.yyy:46845 TLS: Initial packet from [AF_INET]yyy.yyy.yyy.yyy:46845, sid=ee759bd4 ba9e09b3
Aug 20 13:20:38  openvpn[1335]: yyy.yyy.yyy.yyy:46845 Connection reset, restarting [-1]
Aug 20 13:20:38  openvpn[1335]: yyy.yyy.yyy.yyy:46845 SIGUSR1[soft,connection-reset] received, client-instance restarting
Aug 20 13:20:43  openvpn[1335]: TCP connection established with [AF_INET]yyy.yyy.yyy.yyy:46849
Aug 20 13:20:44  openvpn[1335]: yyy.yyy.yyy.yyy:46849 Connection reset, restarting [0]
Aug 20 13:20:44  openvpn[1335]: yyy.yyy.yyy.yyy:46849 SIGUSR1[soft,connection-reset] received, client-instance restarting
Aug 20 13:26:12  openvpn[1335]: TCP connection established with [AF_INET]zzz.zzz.zzz.zzz:30566
Aug 20 13:26:12  openvpn[1335]: zzz.zzz.zzz.zzz:30566 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1578 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Aug 20 13:26:12  openvpn[1335]: zzz.zzz.zzz.zzz:30566 Connection reset, restarting [0]
Aug 20 13:26:12  openvpn[1335]: zzz.zzz.zzz.zzz:30566 SIGUSR1[soft,connection-reset] received, client-instance restarting
Aug 20 13:29:00  openvpn[1335]: TCP connection established with [AF_INET]yyy.yyy.yyy.yyy:48441
Aug 20 13:29:01  openvpn[1335]: yyy.yyy.yyy.yyy:48441 TLS: Initial packet from [AF_INET]yyy.yyy.yyy.yyy:48441, sid=a55e96e3 30e84f74
Aug 20 13:29:01  openvpn[1335]: yyy.yyy.yyy.yyy:48441 Connection reset, restarting [-1]
Aug 20 13:29:01  openvpn[1335]: yyy.yyy.yyy.yyy:48441 SIGUSR1[soft,connection-reset] received, client-instance restarting
Aug 20 13:29:06  openvpn[1335]: TCP connection established with [AF_INET]yyy.yyy.yyy.yyy:48445
Aug 20 13:29:07  openvpn[1335]: yyy.yyy.yyy.yyy:48445 TLS: Initial packet from [AF_INET]yyy.yyy.yyy.yyy:48445, sid=9f70cdc9 24f153af
Aug 20 13:29:07  openvpn[1335]: yyy.yyy.yyy.yyy:48445 Connection reset, restarting [-1]
Aug 20 13:29:07  openvpn[1335]: yyy.yyy.yyy.yyy:48445 SIGUSR1[soft,connection-reset] received, client-instance restarting
Aug 20 13:29:13  openvpn[1335]: TCP connection established with [AF_INET]yyy.yyy.yyy.yyy:48446
Aug 20 13:29:13  openvpn[1335]: yyy.yyy.yyy.yyy:48446 TLS: Initial packet from [AF_INET]yyy.yyy.yyy.yyy:48446, sid=4a6cfe7b 1b3e016e
Aug 20 13:29:13  openvpn[1335]: yyy.yyy.yyy.yyy:48446 Connection reset, restarting [-1]
Aug 20 13:29:13  openvpn[1335]: yyy.yyy.yyy.yyy:48446 SIGUSR1[soft,connection-reset] received, client-instance restarting
And my OpenVPN /etc/openvpn/server.conf:

Code:
port 443 #- port
proto tcp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /etc/openvpn/openvpn-auth-pam.so /etc/pam.d/login
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
# comp-lzo
persist-key
persist-tun
status 443.log
verb 3
...and my /etc/stunnel/stunnel.conf:

Code:
sslVersion = all
options = NO_SSLv2
; chroot = /var/lib/stunnel4/
chroot = /var/run/stunnel/
; PID is created inside the chroot jail
; pid = /stunnel4.pid
pid = /stunnel.pid
; Debugging stuff (may useful for troubleshooting)
; debug = 7
; output = /var/log/stunnel4/stunnel4.log
; setuid = stunnel4
; setgid = stunnel4
setuid = nobody
setgid = nobody
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib
[openvpn]
accept = xxx.xxx.xxx.xxx:11446
connect = xxx.xxx.xxx.xxx:443
cert=/etc/stunnel/server.pem
key=/etc/stunnel/server.key
...and my server.ovpn on the client:

Code:
client
dev tun
proto tcp
remote xxx.xxx.xxx.xxx 443 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
# comp-lzo
reneg-sec 0
verb 5
I've tried disabling lzo and changing verb 3 to 5 to see if I could find anything, but so far no luck. I've read that I most likely have a config issue, so I figured I could use some help :-)

Thanks!
Matt
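The quoted client and server logs already contain the diagnosis for both symptoms in this post, and a small triage script makes that explicit. The following is an added example (my code, not the poster's or OpenVPN's); the sample lines are constructed from the excerpts quoted above, with addresses masked the same way, and the pattern names are my own. Two details worth knowing: OpenVPN over TCP reads the first two bytes of each frame as a big-endian length, so the "Bad encapsulated packet length from peer (5635)" line is a TLS record header 0x16 0x03 that arrived on the raw OpenVPN port, meaning that peer did not come in through stunnel; and the repeated "route addition failed ... Access is denied" lines mean the redirect-gateway routes were never installed (the client needs administrator rights on Windows), which is why the tunnel comes up but nothing is reachable through it.

```python
"""Triage an OpenVPN log for the failure patterns seen in this thread.

Added example, not part of the original post. SAMPLE_LOG is constructed from the
log excerpts quoted above (addresses masked as in the post).
"""
import re
from collections import Counter

# Constructed sample: a handful of lines in the shape of the quoted client/server logs.
SAMPLE_LOG = """\
Thu Aug 20 12:41:54 2015 SIGUSR1[soft,connection-reset] received, process restarting
Thu Aug 20 12:41:59 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Aug 20 12:42:00 2015 SIGUSR1[soft,connection-reset] received, process restarting
Aug 20 13:26:12  openvpn[1335]: zzz.zzz.zzz.zzz:30566 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1578 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Thu Aug 20 12:42:32 2015 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=12]
Thu Aug 20 12:42:32 2015 ERROR: Windows route add command failed [adaptive]: returned error code 1
Thu Aug 20 12:42:32 2015 Initialization Sequence Completed
"""

# Pattern names are mine; the text they match is what OpenVPN actually prints.
PATTERNS = {
    "reset": re.compile(r"SIGUSR1\[soft,connection-reset\]"),
    "no_server_verify": re.compile(r"No server certificate verification method"),
    "bad_len": re.compile(r"Bad encapsulated packet length from peer \((\d+)\)"),
    "route_denied": re.compile(r"route addition failed .*Access is denied"),
    "connected": re.compile(r"Initialization Sequence Completed"),
}


def decode_bad_length(n: int):
    """Split the rejected length into the two bytes OpenVPN read off the TCP stream.

    A TLS handshake record starts with 0x16 0x03 (content type, major version),
    which read as a big-endian length is 0x1603 = 5635."""
    hi, lo = n >> 8, n & 0xFF
    looks_like_tls = (hi == 0x16 and lo == 0x03)
    return hi, lo, looks_like_tls


def triage(log_text: str) -> dict:
    """Count the known patterns and turn them into plain-language findings."""
    counts = Counter()
    bad_lengths = []
    for line in log_text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                counts[name] += 1
                if name == "bad_len":
                    bad_lengths.append(int(m.group(1)))

    findings = []
    if counts["reset"] >= 2:
        findings.append("reset loop: %d soft,connection-reset restarts" % counts["reset"])
    if counts["no_server_verify"]:
        findings.append("client does not verify the server certificate (MITM risk); "
                        "add 'remote-cert-tls server' to the client config")
    for n in bad_lengths:
        hi, lo, tls = decode_bad_length(n)
        if tls:
            findings.append("bad length %d = 0x%02X 0x%02X: a TLS record header reached the "
                            "raw OpenVPN port, so that peer did not come in through stunnel "
                            "(a stunnel client pointed at the wrong port, or something probing "
                            "443 as HTTPS)" % (n, hi, lo))
        else:
            findings.append("bad length %d: MTU mismatch or garbage on the TCP link" % n)
    if counts["route_denied"]:
        findings.append("redirect-gateway routes were not installed (Access is denied); "
                        "the client needs administrator rights, which is why the tunnel "
                        "comes up but nothing is reachable through it")
    if counts["connected"]:
        findings.append("tunnel reached Initialization Sequence Completed")
    return {"counts": dict(counts), "findings": findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)["findings"]:
        print("-", f)
```

Run it against a real log with `triage(open("client.log").read())`; the 5635 decoding is the part that is not obvious from the OpenVPN message itself.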
 
Old 08-20-2015, 12:55 PM   #2
matt_cinder
LQ Newbie
 
Registered: Aug 2015
Posts: 2

Original Poster
Rep: Reputation: Disabled
Ok, so I solved a few of my woes. It turns out that stunnel wasn't starting because I didn't have bind or chroot. I also needed to create my /var/run/stunnel directory with the proper permissions. Once I got all that squared away, I needed to add a stunnel client on the Windows side.

Now, OpenVPN + Stunnel appear to connect on Windows every time. BUT there's one weird quirk. I can surf all the non-blocked websites in China over OpenVPN/Stunnel, but all the GFW blocked sites are still blocked over OpenVPN. What gives? Perhaps they are still poisoning my DNS? I tried manually setting the DNS servers of my WiFi adapter and the TUN adapter to Google's DNS (8.8.8.8/8.8.4.4) but no luck.

Would be very interested to learn about what's going on.

Thanks!
Matt
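The question in this post ("are they still poisoning my DNS?") can be answered by resolving the same name through two resolvers (one reached through the tunnel, one outside it) and comparing the answer sets: a poisoned path returns A records that differ from the ones a clean path returns. The following is an added example (my code, not from the thread) that builds the DNS query on the wire, parses the reply, rejects a reply whose transaction ID does not match the query, and compares two answer sets. The name `example.test`, the address 203.0.113.7 and `SAMPLE_REPLY` are constructed for illustration; the resolver addresses are passed on the command line.

```python
"""Compare the A records two resolvers return for one name.

Added example, not from the original thread. Names, addresses and SAMPLE_REPLY
are constructed; `resolve()` needs network access, the rest runs offline.
"""
import random
import socket
import struct


def build_query(name: str, txid: int) -> bytes:
    """Standard recursive query for an A record (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after the field)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_a_records(msg: bytes, expected_txid: int) -> set:
    """Return the set of IPv4 answers in a reply; a reply whose ID does not match
    our query is rejected, since that is what an injected guess looks like."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: possible injected reply")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                       # skip QTYPE + QCLASS
    answers = set()
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return answers


def resolve(server: str, name: str, timeout: float = 3.0) -> set:
    """Send one UDP query to `server` on port 53 and return its A records (needs network)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)


def compare(answers_a: set, answers_b: set) -> str:
    """Classify two answer sets for the same name."""
    if answers_a == answers_b:
        return "consistent"
    if answers_a & answers_b:
        return "partial overlap (load balancing or CDN, probably benign)"
    return "disjoint answers: one path is being answered by something else"


# Constructed reply: ID 0x1234, flags 0x8180 (response, RD/RA), one question for
# example.test, one A record 203.0.113.7 (TEST-NET-3), answer name compressed to offset 12.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("203.0.113.7")
)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        print("usage: dnscmp.py NAME RESOLVER_INSIDE_TUNNEL RESOLVER_OUTSIDE")
    else:
        name, inside, outside = sys.argv[1:4]
        print(compare(resolve(inside, name), resolve(outside, name)))
```

With `redirect-gateway def1` pushed, a query to a public resolver should leave through the tun adapter; if the answers the script gets for a blocked name differ from the ones it gets for the same name over a path you trust, the interference is on the DNS path, and `route print` on Windows will show which adapter the query actually left on.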
 