I have two sites which I want to connect via an OpenVPN tunnel. I have the setup running using TCP as the transport protocol, but as this comes with a performance hit, I want to change this to UDP. But then the setup fails.
Site A has a DSL uplink with dual-stack for v4 and v6. Directly connected there is a Fritzbox and after that I have a computer running Ubuntu as a firewall. Also running there is an OpenVPN server with the following config:
port 1194
proto udp
dev tun2
ca /etc/openvpn/server-fw/ca.crt
cert /etc/openvpn/server-fw/server.crt
key /etc/openvpn/server-fw/server.key
dh /etc/openvpn/server-fw/dh2048.pem
server 192.168.42.0 255.255.255.0
ifconfig-pool-persist server-fw-udp-ipp.txt
client-to-client
keepalive 10 120
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status-fw-udp.log
verb 4
cipher AES-256-CBC
auth SHA384
tun-mtu 1500
fragment 1300
mssfix
client-config-dir server-fw-ccd
Also, the Fritzbox has a port forward for UDP port 1194 and the Ubuntu machine's firewall has a rule which allows the traffic.
On site B I have a cable TV connection with a Unitymedia ConnectBox (router shipped by my cable provider) and after that a Ubiquiti EdgeRouter X which has the following config for the VPN.
mode client
openvpn-option "--cipher AES-256-CBC"
openvpn-option "--comp-lzo yes"
openvpn-option "--remote-cert-tls server"
openvpn-option --nobind
openvpn-option --auth-nocache
openvpn-option "--user nobody"
openvpn-option "--group nogroup"
openvpn-option --persist-key
openvpn-option --persist-tun
openvpn-option "--auth SHA384"
openvpn-option "--tun-mtu 1500"
openvpn-option "--fragment 1300"
openvpn-option --mssfix
protocol udp
remote-host siteA.example.com
remote-port 1194
tls {
ca-cert-file /config/auth/ca.crt
cert-file /config/auth/siteB.crt
key-file /config/auth/siteB.key
}
In my opinion this should work as expected, but it does not. On the server I get:
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Re-using SSL/TLS context
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 LZO compression initialized
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Data Channel MTU parms [ L:1590 D:1300 EF:90 EB:135 ET:0 EL:0 AF:3/1 ]
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Fragmentation MTU parms [ L:1590 D:1300 EF:89 EB:135 ET:1 EL:0 AF:3/1 ]
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Local Options String: 'V4,dev-type tun,link-mtu 1590,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA384,keysize 256,key-method 2,tls-server'
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1590,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA384,keysize 256,key-method 2,tls-client'
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Local Options hash (VER=V4): '1ef2d687'
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Expected Remote Options hash (VER=V4): '98978d60'
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 TLS: Initial packet from [AF_INET]46.223.1.89:65349, sid=b15d42d0 78edefc1
Sep 29 19:36:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 29 19:36:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 TLS Error: TLS handshake failed
Sep 29 19:36:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep 29 19:36:42 firewall ovpn-server-fw-udp[18467]: MULTI: multi_create_instance called
On the EdgeRouter I get:
Sep 29 19:35:35 edgerouter openvpn[15093]: Socket Buffers: R=[180224->131072] S=[180224->131072]
Sep 29 19:35:35 edgerouter openvpn[15093]: UDPv4 link local: [undef]
Sep 29 19:35:35 edgerouter openvpn[15093]: UDPv4 link remote: [AF_INET]217.11.153.95:1194
Sep 29 19:36:36 edgerouter openvpn[15093]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 29 19:36:36 edgerouter openvpn[15093]: TLS Error: TLS handshake failed
Sep 29 19:36:36 edgerouter openvpn[15093]: SIGUSR1[soft,tls-error] received, process restarting
Sep 29 19:36:36 edgerouter openvpn[15093]: Restart pause, 2 second(s)
If I change the protocol in both configurations to TCP the tunnel works as expected. What can be the problem here? Do you have any tips on how to debug or resolve this issue?
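As an added triage aid (not part of the question and not an OpenVPN tool), the script below reads the two log excerpts above, checks whether the negotiated option strings actually differ between the peers (only the tls-server/tls-client role is allowed to), and classifies where the UDP exchange stalls; the interpretations it prints are heuristics, not definitive diagnoses.

```python
import re

# Log excerpts copied from the question (server side, then EdgeRouter client side).
SERVER_LOG = """\
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Local Options String: 'V4,dev-type tun,link-mtu 1590,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA384,keysize 256,key-method 2,tls-server'
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1590,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA384,keysize 256,key-method 2,tls-client'
Sep 29 19:35:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 TLS: Initial packet from [AF_INET]46.223.1.89:65349, sid=b15d42d0 78edefc1
Sep 29 19:36:39 firewall ovpn-server-fw-udp[18467]: 46.223.1.89:65349 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""
CLIENT_LOG = """\
Sep 29 19:35:35 edgerouter openvpn[15093]: UDPv4 link remote: [AF_INET]217.11.153.95:1194
Sep 29 19:36:36 edgerouter openvpn[15093]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

OPT_RE = re.compile(r"(Local|Expected Remote) Options String: '([^']*)'")
TLS_ROLE = {"tls-server", "tls-client"}  # the one option that legitimately differs per side


def options_mismatch(log):
    """Options present on only one side, ignoring the tls-server/tls-client role."""
    sides = {m.group(1): set(m.group(2).split(",")) - TLS_ROLE for m in OPT_RE.finditer(log)}
    local = sides.get("Local", set())
    remote = sides.get("Expected Remote", set())
    return sorted(local ^ remote)


def triage(server_log, client_log):
    """Return heuristic findings about a failed OpenVPN UDP handshake, from both ends' logs."""
    findings = []
    mismatch = options_mismatch(server_log)
    if mismatch:
        findings.append("option mismatch between peers: " + ", ".join(mismatch))
    saw_client = "TLS: Initial packet from" in server_log  # server got the client's first packet
    timeout = "TLS key negotiation failed to occur"
    if saw_client and timeout in server_log and timeout in client_log:
        findings.append("server received the client's first UDP packet but the handshake "
                        "never progressed on either side: later packets are being dropped; "
                        "check the UDP return path (NAT/firewall) and path MTU for larger packets")
    elif not saw_client and timeout in client_log:
        findings.append("no client packet reached the server: check the port forward / firewall "
                        "for UDP 1194 on the server side")
    return findings


if __name__ == "__main__":
    for finding in triage(SERVER_LOG, CLIENT_LOG):
        print("-", finding)
```

For the logs in the question it reports no option mismatch and flags that the server saw the client's initial packet while neither side progressed, which points at the rest of the UDP exchange rather than the configuration.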