OpenVPN: Changing Ports

[memnarc]

OpenVPN was working fine until I needed to change ports from 1194 to 443. I changed the port number in the server.conf on my VPS and client files too. However the connection hangs but doesn't connect. The error messages I got from the logs in particular are these:

tls key negotiation failed to occur within 60 seconds
tls handshake failed

I even turned off my firewall but no luck. The last message on the log reads

Wed Oct 30 22:04:26 2013 MANAGEMENT: >STATE:1383195866,WAIT,,,

Then it just stops at that point.

 

[wlanboy]

Please run:


sudo netstat -taupen

and post the output.

 

[budi1413]

May we see the server and client configuration? You can censor the ip.

 

[peterw]

Looks familiar.

Either the server cert was signed using another CA certificate or the server cert was not generated correctly.

Or you mixed up port numbers, tcp/udp protocol.

 

[memnarc]

root@xxxx:/etc/openvpn# sudo netstat -taupen
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          960453495   1909/apache2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          960424683   1575/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          960452779   1809/sendmail: MTA:
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      0          960452780   1809/sendmail: MTA:
tcp        0     64 XX.XX.XXX.XXX:22        75.36.167.143:49589     ESTABLISHED 0          269830220   21330/0
tcp6       0      0 :::22                   :::*                    LISTEN      0          960424685   1575/sshd
udp        0      0 XX.XX.XXX.XXX:1194      0.0.0.0:*                           0          962666406   3921/openvpn
 

That's weird.  Openvpn shows up still as port 1194 even though I changed the /etc/openvpn/server.conf file to 443.  is there something else I need to change?

 

[memnarc]

Server config file:

local XX.XX.XXX.XXX # Server IP address through which you connect, replace this with yours
port 443 # Port the server runs on (default)
proto udp # Protocol to use (default)
dev tap
ca ca.crt # Root certificate
cert server.crt # Server certificate
key server.key  # Server key file
dh dh1024.pem # DH file
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt # File that keeps track of IP leases
push "redirect-gateway def1 bypass-dhcp"  # Push some options to the client
duplicate-cn
keepalive 10 120 # When should we disconnect a client?
tls-auth ta.key 0
comp-lzo # Enable compression
user nobody # Run as user nobody
group nogroup # Run as group nobody
persist-key # Avoid trying to access unavailable resources after a restart
persist-tun # Avoid trying to access unavailable resources after a restart
status openvpn-status.log # Status log for active connections
log-append  openvpn.log # Append the OpenVPN log rather then starting with a new one every time you restart
verb 3 # Log verbosity level
mute 20 # Limit the number of repeating messages
script-security 2 # Set the security level for the usage of external programs and scripts
link-mtu 1648

Client config file:

client # Indicates this is the client-side
dev tap # Use TAP device
proto udp # Use UDP
remote XX.XX.XXX.XXX 443
resolv-retry infinite # Keep trying to resolve the hostname of the OpenVPN server
nobind # Don’t bind to a specific local port
persist-key # Avoid trying to access unavailable resources after a restart
persist-tun # Avoid trying to access unavailable resources after a restart
ca ca.crt
cert client.crt
key client.key
ns-cert-type server # Protect against certain attacks
tls-auth ta.key 1
comp-lzo # Enable compression
verb 3 # Log verbosity level
link-mtu 1648 # Set link MTU to the same value as the server
 

 

[fisle]

Kind of silly question, but did you restart openvpn server daemon after the changes?

 

[memnarc]

Fisle, being new to LInux, I indeed didn't restart the server daemon.  Nice catch, thank you.

Thank you everyone for your suggestions.  It has allowed the problem to be solved quickly.  It is very much appreciated.