d3vilh / openvpn-server

Fast Docker container with OpenVPN Server living inside.
MIT License

I need to open tcp port for connecting through proxy #18

Closed ZahiriNatZuke closed 3 weeks ago

ZahiriNatZuke commented 3 months ago

I need to be able to connect to the OpenVPN server using a proxy in my client application via TCP, not UDP. What changes should I make to the server configuration to achieve this?

d3vilh commented 3 months ago

Hi @ZahiriNatZuke

You'll need to add this line - "1194:1194/tcp" to your docker-compose file and recreate the container.

The compose file should look like:

---
version: "3.5"

services:
    openvpn:
       container_name: openvpn
       # If you want to build your own image with docker-compose, uncomment the next line, comment the "image:" line and run "docker-compose build" following by "docker-compose up -d"
       # build: .
       image: d3vilh/openvpn-server:latest
       privileged: true
       ports:
          # - "1194:1194/udp"   # openvpn UDP port
          - "1194:1194/tcp"   # openvpn TCP port
          # - "2080:2080/tcp"  # management port. uncomment if you would like to share it with the host
       environment:
           TRUST_SUB: "10.0.70.0/24"
           GUEST_SUB: "10.0.71.0/24"  
           HOME_SUB: "192.168.88.0/24"
       volumes:
           - ./pki:/etc/openvpn/pki
           - ./clients:/etc/openvpn/clients
           - ./config:/etc/openvpn/config
           - ./staticclients:/etc/openvpn/staticclients
           - ./log:/var/log/openvpn
           - ./fw-rules.sh:/opt/app/fw-rules.sh
           - ./checkpsw.sh:/opt/app/checkpsw.sh
           - ./server.conf:/etc/openvpn/server.conf
       cap_add:
           - NET_ADMIN
       restart: always

In server.conf do this:

#proto  udp
proto  tcp 

Then re-create the container and the server will listen on TCP instead of UDP.
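The two changes in the answer above only work if the compose port mapping, `server.conf` and the client profile all name the same transport, and OpenVPN accepts `http-proxy` only on a TCP client connection. The script below is an added example, not part of the thread or of the project: it checks those three files against each other. The function names, the client profiles and the proxy address `192.0.2.10 3128` are assumptions made for illustration; a `proto` given inside a `remote` line is not considered.

```shell
#!/bin/sh
# Added example. All file contents below are constructed samples.

# Active (uncommented) "proto" of an OpenVPN config, reduced to tcp or udp.
# OpenVPN defaults to udp when no proto line is present.
conf_proto() {
    p=$(awk '$1 == "proto" { v = $2 } END { print v }' "$1")
    case "$p" in tcp*) echo tcp ;; *) echo udp ;; esac
}

# Protocols published for port $2 in a compose file, ignoring commented lines.
# Docker treats a mapping without a /proto suffix as tcp.
compose_protos() {
    sed 's/#.*//' "$1" | grep -Eo "[^0-9]$2:$2(/(tcp|udp))?" |
        sed -E 's#^[^/]*$#x/tcp#; s#.*/##' | sort -u | tr '\n' ' '
}

# Usage: check_transport COMPOSE SERVER_CONF CLIENT_OVPN [PORT]
# Prints one line per finding; returns 0 only when all three files agree.
check_transport() {
    port=${4:-1194}; rc=0
    srv=$(conf_proto "$2"); cli=$(conf_proto "$3")
    pub=$(compose_protos "$1" "$port")
    case " $pub" in
        *" $srv "*) ;;
        *) echo "compose does not publish $port/$srv (published: ${pub:-none})"; rc=1 ;;
    esac
    [ "$cli" = "$srv" ] || { echo "client proto $cli, server proto $srv"; rc=1; }
    # OpenVPN only accepts http-proxy on a TCP client connection.
    if grep -Eq '^[[:space:]]*http-proxy[[:space:]]' "$3" && [ "$cli" != tcp ]; then
        echo "client sets http-proxy but proto is $cli; http-proxy needs tcp"; rc=1
    fi
    return $rc
}

d=$(mktemp -d)
printf '%s\n' 'ports:' '  # - "1194:1194/udp"' '  - "1194:1194/tcp"' > "$d/compose.yml"
printf '%s\n' '#proto  udp' 'proto  tcp' > "$d/server.conf"
# 192.0.2.10 3128 is a placeholder proxy (documentation address range).
printf '%s\n' 'client' 'proto tcp' 'http-proxy 192.0.2.10 3128' > "$d/ok.ovpn"
printf '%s\n' 'client' 'proto udp' 'http-proxy 192.0.2.10 3128' > "$d/bad.ovpn"

check_transport "$d/compose.yml" "$d/server.conf" "$d/ok.ovpn" && echo "ok.ovpn: consistent"
check_transport "$d/compose.yml" "$d/server.conf" "$d/bad.ovpn" || echo "bad.ovpn: fix the above"
```

Run it against the real `docker-compose.yml`, `server.conf` and `.ovpn` before recreating the container; a non-zero exit status means at least one of the three still names the other transport.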

ZahiriNatZuke commented 3 months ago

Thanks @d3vilh , I will try this way soon

ZahiriNatZuke commented 3 months ago

[image] This is the error I still get when trying to connect to the OpenVPN server using a proxy

ZahiriNatZuke commented 3 months ago

I have tried another openvpn server using my proxy configuration and I have had no problem, but in this case I still can't get it to connect

d3vilh commented 3 months ago

First, let's check that the server is listening on the correct port, by running this on the server where the container is running:

hover@gover1:~ $ sudo netstat -tuln | grep 1194
udp        0      0 0.0.0.0:1194            0.0.0.0:*
udp6       0      0 :::1194                 :::*

In case the new configuration is applied correctly, you should have TCP instead of UDP.

If it is listening as expected, then try to connect externally to the server with netcat (sudo apt install netcat):

hover@gover4:~ $ nc -vz 176.12.48.XX 1194
Connection to 176.12.48.XX 1194 port [tcp/openvpn] succeeded!
hover@gover4:~ $

If one of these steps fails, please share your openvpn.log file and the docker logs openvpn output post container restart. The client config *.ovpn file you are using would also be great.

Don't forget to mask IP addresses in the logs and configuration files.

ZahiriNatZuke commented 3 months ago

I have tried the steps that you described in the previous comment, and the only thing that failed was the nc -vz command to the IP of my server, in this case it gave me a timeout. Here I share the files that you told me about in case of failure, to see if you detect what I am doing wrong in my case, thank you. files.zip

d3vilh commented 3 months ago

In the openvpn.log I can see that client connected and authenticated successfully, and then we have TCP connection reset:

2024-03-17 15:47:47 zahiri/152.206.XXX.X:13580 Connection reset, restarting [-1]
2024-03-17 15:47:47 zahiri/152.206.XXX.X:13580 SIGUSR1[soft,connection-reset] received, client-instance restarting

This may indicate connection issues. Does your ISP allow OpenVPN connections? If you do need a proxy-like connection and your ISP is greedy for OpenVPN/Wireguard connections, you could try x-ray; it will provide just a SOCKS5 proxy, not a VPN, but at least the internet will work fine.

d3vilh commented 3 months ago

You could try to play with timers on the server and client sides:

keepalive 10 120       # ping-like messages to be sent back and forth over the link so that each side knows when the other side has gone down. Ping every 10 seconds and assume that the remote peer is down if no ping is received after 120 seconds.
connect-retry 5        # initial TCP connect timeout. If OpenVPN cannot connect to the server on the first try, it will retry after a delay, and this delay doubles with each successive retry. Start with a 5 second timeout and double it with each retry.
connect-timeout 120    # The TCP connection setup timeout. Wait up to 120 seconds for a TCP connection to be established.

It may help.

d3vilh commented 3 months ago

Hi @ZahiriNatZuke how is it going? Were you able to squeeze the Internet?

ZahiriNatZuke commented 3 months ago

The truth is that I couldn't solve the connection problem using tcp + http proxy. I tried the opinions you told me before, but nothing. I had not given news before because I have had a few days full of work. What other options can you think of that I can apply to make the server work as I need?

d3vilh commented 3 months ago

Yes, I had the same busy week (couple of weeks in fact).

If you tried different timers on the client and server side, then we have no other choice except merging configuration between a working server+client and our Docker container. If you could link me to the project you are sure works fine - I'll have a look at it.

ZahiriNatZuke commented 3 months ago

Hi @d3vilh What do you need? May I share my current docker-compose with you to review it?

d3vilh commented 3 months ago

Hi @ZahiriNatZuke, server.conf, client.ovpn and docker-compose of this working solution would be enough.

As per your logs I see that your OpenVPN Server is running fine and your client session got authenticated and connected successfully, but then your client got disconnected at the TCP level. By checking the working configuration we can find the solution for you.

ZahiriNatZuke commented 3 months ago

Hi @d3vilh . Here you have the files that you told me about. To tell you, I managed to connect without problems to the openvpn server using mobile data, but when trying to connect to a network that uses an http proxy facing the internet was when I had problems, it seems to me that it has nothing to do with whether the server protocol is udp or tcp, but hey, you should know more than me about these topics. openvpn-server.zip

ZahiriNatZuke commented 2 months ago

Hello @d3vilh, today I managed to connect to the OpenVPN server through an http proxy. In my case the solution was not to save the profile password in the OpenVPN client, and that way it connects perfectly. I'm not sure why, but it works. openvpn-server.zip

d3vilh commented 1 month ago

Hi @ZahiriNatZuke, it looks like this bug should be fixed in the next release.

Thank you for reporting.

d3vilh commented 3 weeks ago

It was fixed.