amuck-landowner

OpenVPN: Changing Ports

memnarc

New Member
OpenVPN was working fine until I needed to change ports from 1194 to 443. I changed the port number in the server.conf on my VPS and in the client files too. However, the connection just hangs and doesn't connect. The error messages I got from the logs in particular are these:

tls key negotiation failed to occur within 60 seconds
tls handshake failed

I even turned off my firewall but no luck. The last message on the log reads

Wed Oct 30 22:04:26 2013 MANAGEMENT: >STATE:1383195866,WAIT,,,

Then it just stops at that point.
 

peterw

New Member
Looks familiar.

Either the server cert was signed using another CA certificate or the server cert was not generated correctly.

Or you mixed up port numbers, tcp/udp protocol.
 

memnarc

New Member
root@xxxx:/etc/openvpn# sudo netstat -taupen
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          960453495   1909/apache2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          960424683   1575/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          960452779   1809/sendmail: MTA:
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      0          960452780   1809/sendmail: MTA:
tcp        0     64 XX.XX.XXX.XXX:22        75.36.167.143:49589     ESTABLISHED 0          269830220   21330/0
tcp6       0      0 :::22                   :::*                    LISTEN      0          960424685   1575/sshd
udp        0      0 XX.XX.XXX.XXX:1194      0.0.0.0:*                           0          962666406   3921/openvpn
 

That's weird. OpenVPN still shows up as port 1194 even though I changed the /etc/openvpn/server.conf file to 443. Is there something else I need to change?
 

memnarc

New Member
Server config file:

local XX.XX.XXX.XXX # Server IP address through which you connect, replace this with yours
port 443 # Port the server runs on (default)
proto udp # Protocol to use (default)
dev tap
ca ca.crt # Root certificate
cert server.crt # Server certificate
key server.key  # Server key file
dh dh1024.pem # DH file
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt # File that keeps track of IP leases
push "redirect-gateway def1 bypass-dhcp"  # Push some options to the client
duplicate-cn
keepalive 10 120 # When should we disconnect a client?
tls-auth ta.key 0
comp-lzo # Enable compression
user nobody # Run as user nobody
group nogroup # Run as group nogroup
persist-key # Avoid trying to access unavailable resources after a restart
persist-tun # Avoid trying to access unavailable resources after a restart
status openvpn-status.log # Status log for active connections
log-append  openvpn.log # Append to the OpenVPN log rather than starting a new one every time you restart
verb 3 # Log verbosity level
mute 20 # Limit the number of repeating messages
script-security 2 # Set the security level for the usage of external programs and scripts
link-mtu 1648

Client config file:

client # Indicates this is the client-side
dev tap # Use TAP device
proto udp # Use UDP
remote XX.XX.XXX.XXX 443
resolv-retry infinite # Keep trying to resolve the hostname of the OpenVPN server
nobind # Don’t bind to a specific local port
persist-key # Avoid trying to access unavailable resources after a restart
persist-tun # Avoid trying to access unavailable resources after a restart
ca ca.crt
cert client.crt
key client.key
ns-cert-type server # Protect against certain attacks
tls-auth ta.key 1
comp-lzo # Enable compression
verb 3 # Log verbosity level
link-mtu 1648 # Set link MTU to the same value as the server
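The netstat output above shows the symptom worth checking for whenever an OpenVPN port or protocol is changed: the file says one thing, the running daemon is bound to another. The following POSIX shell helper is an added example, not code from this thread; it reads `port` and `proto` from server.conf text, finds the socket owned by the `openvpn` process in `netstat -taupen` output, and reports a mismatch. The sample config and netstat lines are constructed to mirror the thread (192.0.2.10 is a placeholder address).

```shell
#!/bin/sh
# Added example: compare the port/proto configured in an OpenVPN server.conf
# with the socket the running openvpn daemon actually holds.

# Constructed sample server.conf (edited to 443, as in the thread).
SAMPLE_CONF='local 192.0.2.10
port 443 # Port the server runs on
proto udp
dev tap'

# Constructed netstat -taupen output: daemon still bound to the old port.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          960424683   1575/sshd
udp        0      0 192.0.2.10:1194         0.0.0.0:*                           0          962666406   3921/openvpn'

# conf_value CONF_TEXT KEY -> first value of KEY, trailing "# comment" stripped.
conf_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == key { sub(/#.*/, ""); print $2; exit }'
}

# openvpn_bound_port NETSTAT_TEXT PROTO -> port of the openvpn socket for
# PROTO (tcp or udp, as written in server.conf), or empty if there is none.
openvpn_bound_port() {
    printf '%s\n' "$1" | awk -v proto="$2" '
        $1 == proto && $NF ~ /\/openvpn$/ {
            n = split($4, a, ":"); print a[n]; exit }'
}

# check_port CONF_TEXT NETSTAT_TEXT -> returns 0 if the daemon is bound where
# the config says, 1 otherwise; prints a one-line explanation either way.
check_port() {
    want_port=$(conf_value "$1" port)
    want_proto=$(conf_value "$1" proto)
    have_port=$(openvpn_bound_port "$2" "$want_proto")
    if [ -z "$have_port" ]; then
        echo "no openvpn socket on $want_proto: is the daemon running?"
        return 1
    elif [ "$have_port" != "$want_port" ]; then
        echo "config says $want_proto/$want_port but daemon holds $want_proto/$have_port: restart openvpn"
        return 1
    fi
    echo "ok: openvpn bound to $want_proto/$want_port"
    return 0
}

check_port "$SAMPLE_CONF" "$SAMPLE_NETSTAT"
```

Against a live box the same check is `check_port "$(cat /etc/openvpn/server.conf)" "$(netstat -taupen 2>/dev/null)"`; a mismatch after an edit means the daemon has not re-read the file, and restarting it is the fix the thread arrived at.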
 
 

memnarc

New Member
Fisle, being new to Linux, I indeed didn't restart the server daemon. Nice catch, thank you.

Thank you everyone for your suggestions.  It has allowed the problem to be solved quickly.  It is very much appreciated.
 