winXP-SP2, OpenVPN v2.0.5.

I start with the working configuration (UDP). I add one more TAP-Win32 device called "TAP-Win32-tcp", and I add it to the bridge. I edit just a few lines in the UDP config - new port, new node, TCP protocol and no "fragment" option. I assign a separate IP range for the TCP server.

Here is my server's config:

port 443
;port 1194
proto tcp
;proto udp
dev tap
tun-mtu 1500
;fragment 1300
mssfix
dev-node TAP-Win32-tcp
ca ca.crt
cert openvpn.crt
key openvpn.key # This file should be kept secret
dh dh1024.pem
ifconfig-pool-persist ipp-tcp.txt
server-bridge 172.27.104.12 255.255.255.0 172.27.104.13 172.27.104.20
push "redirect-gateway"
push "dhcp-option DNS 172.27.104.1"
push "dhcp-option DISABLE-NBT"
push "dhcp-option DOMAIN my.domain"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
replay-persist tls-session-tcp.log
cipher BF-CBC # Blowfish (default)
comp-lzo
max-clients 8
persist-key
persist-tun
status openvpn-status-tcp.log
log openvpn-tcp.log
verb 3

On my client I do similar edits. When I try to connect it fails and I get this report:

Tue Apr 04 21:40:34 2006 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005
Tue Apr 04 21:40:35 2006 Diffie-Hellman initialized with 1024 bit key
Tue Apr 04 21:40:36 2006 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Tue Apr 04 21:40:36 2006 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 04 21:40:36 2006 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 04 21:40:36 2006 TLS-Auth MTU parms [ L:1576 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Apr 04 21:40:36 2006 TAP-WIN32 device [TAP-Win32-tcp] opened: \\.\Global\{769EB1AF-0B09-4427-BAA9-DA2EAFC15E90}.tap
Tue Apr 04 21:40:36 2006 TAP-Win32 Driver Version 8.3
Tue Apr 04 21:40:36 2006 TAP-Win32 MTU=1500
Tue Apr 04 21:40:36 2006 Sleeping for 10 seconds...
Tue Apr 04 21:40:46 2006 NOTE: could not get adapter index for \DEVICE\TCPIP_{769EB1AF-0B09-4427-BAA9-DA2EAFC15E90}, status=55 : The specified network resource or device is no longer available.
Tue Apr 04 21:40:46 2006 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Apr 04 21:40:46 2006 Listening for incoming TCP connection on [undef]:443
Tue Apr 04 21:40:46 2006 TCPv4_SERVER link local (bound): [undef]:443
Tue Apr 04 21:40:46 2006 TCPv4_SERVER link remote: [undef]
Tue Apr 04 21:40:46 2006 MULTI: multi_init called, r=256 v=256
Tue Apr 04 21:40:46 2006 IFCONFIG POOL: base=172.27.104.13 size=8
Tue Apr 04 21:40:46 2006 IFCONFIG POOL LIST
Tue Apr 04 21:40:46 2006 MULTI: TCP INIT maxclients=8 maxevents=12
Tue Apr 04 21:40:46 2006 Initialization Sequence Completed
Tue Apr 04 21:42:46 2006 MULTI: multi_create_instance called
Tue Apr 04 21:42:46 2006 Re-using SSL/TLS context
Tue Apr 04 21:42:46 2006 LZO compression initialized
Tue Apr 04 21:42:46 2006 Control Channel MTU parms [ L:1576 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Apr 04 21:42:46 2006 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Apr 04 21:42:46 2006 Local Options hash (VER=V4): '3c14feac'
Tue Apr 04 21:42:46 2006 Expected Remote Options hash (VER=V4): 'e39a3273'
Tue Apr 04 21:42:46 2006 TCP connection established with 83.149.3.147:18271
Tue Apr 04 21:42:46 2006 TCPv4_SERVER link local: [undef]
Tue Apr 04 21:42:46 2006 TCPv4_SERVER link remote: 83.149.3.147:18271
Tue Apr 04 21:42:46 2006 83.149.3.147:18271 TLS: Initial packet from 83.149.3.147:18271, sid=8d6dd50b 009b97bc
Tue Apr 04 21:43:38 2006 83.149.3.147:18271 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Apr 04 21:43:38 2006 83.149.3.147:18271 TLS Error: incoming packet authentication failed from 83.149.3.147:18271
Tue Apr 04 21:43:38 2006 83.149.3.147:18271 Fatal TLS error (check_tls_errors_co), restarting
Tue Apr 04 21:43:38 2006 83.149.3.147:18271 SIGUSR1[soft,tls-error] received, client-instance restarting
Tue Apr 04 21:43:38 2006 TCP/UDP: Closing socket
Tue Apr 04 21:44:03 2006 MULTI: multi_create_instance called
Tue Apr 04 21:44:03 2006 Re-using SSL/TLS context
Tue Apr 04 21:44:03 2006 LZO compression initialized
Tue Apr 04 21:44:03 2006 Control Channel MTU parms [ L:1576 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Apr 04 21:44:03 2006 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Apr 04 21:44:03 2006 Local Options hash (VER=V4): '3c14feac'
Tue Apr 04 21:44:03 2006 Expected Remote Options hash (VER=V4): 'e39a3273'
Tue Apr 04 21:44:03 2006 TCP connection established with 83.149.3.147:18341
Tue Apr 04 21:44:03 2006 TCPv4_SERVER link local: [undef]
Tue Apr 04 21:44:03 2006 TCPv4_SERVER link remote: 83.149.3.147:18341
Tue Apr 04 21:44:03 2006 83.149.3.147:18341 TLS: Initial packet from 83.149.3.147:18341, sid=9c990dca 4838a608
Tue Apr 04 21:44:41 2006 83.149.3.147:18341 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Apr 04 21:44:41 2006 83.149.3.147:18341 TLS Error: incoming packet authentication failed from 83.149.3.147:18341
Tue Apr 04 21:44:41 2006 83.149.3.147:18341 Fatal TLS error (check_tls_errors_co), restarting
Tue Apr 04 21:44:41 2006 83.149.3.147:18341 SIGUSR1[soft,tls-error] received, client-instance restarting
Tue Apr 04 21:44:41 2006 TCP/UDP: Closing socket

Why does this happen? With exactly the same set of keys and certs I can connect via UDP. Before the TCP server tears the connection down I can see its certificate. (I use the GUI.)

Please comment.

Tony.
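
A small triage script for server logs like the one in this message, added here as an illustration (it is not part of the original post or of OpenVPN). It pairs each client instance's "TLS: Initial packet" line with its "packet HMAC authentication failed" line, reports the delay between them, and lists source addresses that fail repeatedly; the line format is taken from the log above, while the sample addresses and function names are constructed.

```python
import re
from datetime import datetime

TS_FORMAT = "%a %b %d %H:%M:%S %Y"
# "<timestamp> <client ip:port> <message>", the shape of the per-client lines in the post
LINE = re.compile(r"^(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) "
                  r"(\d{1,3}(?:\.\d{1,3}){3}:\d+) (.*)$")

# Constructed sample in the post's log format (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
Tue Apr 04 21:42:46 2006 TCP connection established with 192.0.2.10:18271
Tue Apr 04 21:42:46 2006 192.0.2.10:18271 TLS: Initial packet from 192.0.2.10:18271, sid=00000001 00000001
Tue Apr 04 21:43:38 2006 192.0.2.10:18271 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Apr 04 21:43:38 2006 192.0.2.10:18271 Fatal TLS error (check_tls_errors_co), restarting
Tue Apr 04 21:44:03 2006 192.0.2.10:18341 TLS: Initial packet from 192.0.2.10:18341, sid=00000002 00000002
Tue Apr 04 21:44:41 2006 192.0.2.10:18341 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Apr 04 21:45:10 2006 192.0.2.77:40000 TLS: Initial packet from 192.0.2.77:40000, sid=00000003 00000003
"""

def tls_sessions(log_text):
    """One record per client instance that logged a TLS initial packet."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # server-wide lines carry no client ip:port prefix
        ts = datetime.strptime(m.group(1), TS_FORMAT)
        peer, msg = m.group(2), m.group(3)
        if msg.startswith("TLS: Initial packet from"):
            sessions[peer] = {"peer": peer, "start": ts, "failed_after_s": None}
        elif "packet HMAC authentication failed" in msg and peer in sessions:
            rec = sessions[peer]
            if rec["failed_after_s"] is None:  # keep the first failure only
                rec["failed_after_s"] = int((ts - rec["start"]).total_seconds())
    return list(sessions.values())

def repeated_failure_sources(records, threshold=2):
    """Source IPs with at least `threshold` instances that ended in an HMAC failure."""
    counts = {}
    for rec in records:
        if rec["failed_after_s"] is not None:
            ip = rec["peer"].rsplit(":", 1)[0]
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for rec in tls_sessions(SAMPLE_LOG):
        print(rec["peer"], rec["failed_after_s"])
    print("repeat offenders:", repeated_failure_sources(tls_sessions(SAMPLE_LOG)))
```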