iw4p / OpenConnect-Cisco-AnyConnect-VPN-Server-OneKey-ocserv

[Script and Docker 🐳] OpenConnect (Cisco AnyConnect) VPN Server (OCServ) script one key easy configurator and installer

SSL negotiation timeout #15

Closed sMohammad14 closed 1 year ago

sMohammad14 commented 1 year ago

Hi, I get this log in the AnyConnect client:

```
POST https://x.x.x.x/
Attempting to connect to server x.x.x.x:443
Connected to x.x.x.x:443
There was a non-CA certificate in the trusted list: OU=Copyright (c) 1997 Microsoft Corp.,OU=Microsoft Corporation,CN=Microsoft Root Authority.
There was a non-CA certificate in the trusted list: C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority.
There was a non-CA certificate in the trusted list: CN=Root Agency.
SSL negotiation with x.x.x.x
SSL connection failure: The operation timed out
Failed to open HTTPS connection to x.x.x.x
Authentication error; cannot obtain cookie
Disconnected
```

iw4p commented 1 year ago

Hello, try the OpenConnect client.

sMohammad14 commented 1 year ago

Sorry, in the previous post the client PC app is OpenConnect, not AnyConnect... I tested it on the OpenConnect Android version, but it did not work either. You wrote that it was tested on Ubuntu 18 and 16; my server is Ubuntu, is that ok?

iw4p commented 1 year ago

Are you sure you can ping your server with your current IP?

sMohammad14 commented 1 year ago

No, I can't!!! But I connected to it via PuTTY and the connection works perfectly... I opened port 25 for ping but it is not pinging... I even disabled UFW, but the ping command still does not work.

iw4p commented 1 year ago

You can change your SSH port (22) or install shellinabox, then set the ocserv port to 22. Before all of this, make sure the ports are open.


sMohammad14 commented 1 year ago

I reset my modem and my IP changed. Now I can ping the server and it's ok. I allowed port 443/tcp and 443/udp (your script's default port), but OpenConnect still does not connect, with the same SSL negotiation problem.

UPDATE: I used the command below to see open ports: lsof -i -P -n | grep LISTEN and then saw:

```
systemd-r 749 systemd-resolve 14u IPv4 20984 0t0 TCP 127.0.0.53:53 (LISTEN)
sshd 833 root 3u IPv4 21621 0t0 TCP *:9822 (LISTEN)
sshd 833 root 4u IPv6 21632 0t0 TCP *:9822 (LISTEN)
docker-pr 1423 root 4u IPv4 24627 0t0 TCP *:443 (LISTEN)
docker-pr 1428 root 4u IPv6 24633 0t0 TCP *:443 (LISTEN)
```

NOTE: I changed my SSH port number to 9822.

iw4p commented 1 year ago

Have you ever tested the script way? Users often have problems with AnyConnect, and when they change their client to OpenConnect their connection works fine.

sMohammad14 commented 1 year ago

I tested your original script on Ubuntu 18.04, and it worked (but it disconnected after some minutes; I think it was because of port number 443).

I cloned the script's git on Ubuntu 22, then edited the ocserv.conf file to set the value 1 for the client field and set the max clients field value to 1000, then built and ran the image, but it did not work because of the SSL problem. I deleted the modified image and cloned and built the original project, but the problem was not solved.

iw4p commented 1 year ago

I'm sure the script is working fine on Ubuntu 16 and 18. But I have not tested on 20 or 22. And if you live in Iran, consider that ports, the time of testing and trying, and also server providers and ISPs matter.

sMohammad14 commented 1 year ago

Yes, I live in Iran. I think it is a server problem, because now I can only ping the server and that works perfectly!, and all connections have failed; even now I can't connect via SSH on port number 9822.

Thanks a lot for spending time on this, dear compatriot.

iw4p commented 1 year ago

You're welcome. Iran's infrastructure system can now detect suspicious connections, and they put these types of servers into their blacklist. Therefore, the servers become useless. If it's an Iranian server, be careful how you are going to tunnel it. But if it's a non-Iranian server, you can get it from DigitalOcean or AWS or ..., so when it is detected by the Iranian government, just terminate it and create a new one with a new IP address.

sMohammad14 commented 1 year ago

I saw a video about your script on YouTube; he ran the code on Ubuntu 22.04 LTS, for me it is 20.04 LTS, and you say the code works on 18 and 16. Could it be that the code does not work on 20.04 but works on the previous versions and on the next version, 22.04?

iw4p commented 1 year ago

No, I don't think so. Double check that ipv4.ip_forward is equal to 1; sometimes it gets written as 11 by mistake. Use the command sysctl -a|grep net.ipv4.ip_forward to check the IP forwarding status. If net.ipv4.ip_forward=1, IP forwarding is enabled. If net.ipv4.ip_forward=0, use this link to enable it. And can I have the link to that YouTube video?
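The two checks discussed in this thread (the ip_forward value, and the lsof listener list from the earlier comment) as a small POSIX shell script. This is an added example, not code from the repo or its script; the functions take command output as text so they can be exercised on captured samples, and live_preflight runs them on the real host.

```shell
#!/bin/sh
# Added example (not from the repo): offline-testable pre-flight checks for an
# ocserv host. ip_forward_ok and port_listening parse text, so they work on
# captured output; live_preflight feeds them the real commands.

# $1: output of `sysctl net.ipv4.ip_forward` (e.g. "net.ipv4.ip_forward = 1").
# Returns 0 only for an exact value of 1, so a mistyped "11" is rejected.
ip_forward_ok() {
  v=$(printf '%s\n' "$1" | sed -n 's/^net\.ipv4\.ip_forward *= *\([0-9][0-9]*\) *$/\1/p')
  [ "$v" = "1" ]
}

# $1: output of `lsof -i -P -n | grep LISTEN`, $2: TCP port number.
# Returns 0 if any line shows a TCP listener on that port
# (e.g. "docker-pr ... TCP *:443 (LISTEN)" or "... TCP 0.0.0.0:443 (LISTEN)").
port_listening() {
  printf '%s\n' "$1" | grep -E "TCP .*:$2 \(LISTEN\)" >/dev/null
}

# Run both checks on this host and print a one-line verdict per check.
# $1: ocserv port (defaults to the script's default, 443).
live_preflight() {
  port=${1:-443}
  if ip_forward_ok "$(sysctl net.ipv4.ip_forward 2>/dev/null)"; then
    echo "ip_forward: ok"
  else
    echo "ip_forward: not exactly 1 (enable with: sysctl -w net.ipv4.ip_forward=1)"
  fi
  if port_listening "$(lsof -i -P -n 2>/dev/null | grep LISTEN)" "$port"; then
    echo "port $port: TCP listener found"
  else
    echo "port $port: nothing listening (is the ocserv container running?)"
  fi
}
```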

sMohammad14 commented 1 year ago

I sent a message to my VPS provider to solve the connection problem (SSH) and am waiting for a response... Why not? Click This Link

iw4p commented 1 year ago

OK. Thank you!

Saulul commented 1 year ago

Hello @iw4p ,

I am having the same issue (in Iran). I used the Docker method on Ubuntu 20.04, and I can ping my server from my client. But when trying to connect to the server with OpenConnect-GUI or AnyConnect, it seems to fail on SSL negotiation. See the image below:

Then, out of curiosity, I tried something else: I first connected to ExpressVPN and then tried to connect to my OpenConnect server using OpenConnect-GUI, and lo and behold, the connection is established successfully. So I think there might be something going on with the Iranian ISPs blocking this protocol. I have no idea what they might be doing, as it's not my area of expertise.

Do you have any ideas of changes to make in the config to avoid this? It's definitely not them blacklisting my server's IP address because I can ping it just fine and I tried multiple droplets on DigitalOcean.

Thanks

iw4p commented 1 year ago

Hi @Saulul, thank you for sharing this great and interesting result. The government uses DPI; they usually don't block IP addresses or use classic ways. Maybe changing ports can help, e.g. use 22 for ocserv, not SSH.

Saulul commented 1 year ago

> Maybe changing ports can help, e.g. use 22 for ocserv, not SSH.

Thank you for the reply, how can I change the port # for ocserv? Is it possible in the Docker method?

iw4p commented 1 year ago

> Maybe changing ports can help, e.g. use 22 for ocserv, not SSH.

> Thank you for the reply, how can I change the port # for ocserv? Is it possible in the Docker method?

Of course, you can change the port (from these lines) and then docker build and docker run it manually. But the fact is that a closed-source application like AnyConnect only works on 443, because it is defined in the app, so it has no idea that you are going to connect to it with another port number.

I suggest you clone the project, modify the parameters you think are important, and then docker build the Dockerfile and run it. (Don't run it the way I said in the README, because that gets the Dockerfile from the internet; so when you locally change ocserv.conf, you have to manually build your Docker image locally too.)

Build command (must be in the same directory as the Dockerfile): sudo docker build -t ocserv .

Run command (be careful to change the 443 ports): docker run --name ocserv --privileged -p 443:443 -p 443:443/udp -d ocserv

In 123:456, 123 is your docker port and ocserv.conf port; 456 is your exposed port, outside of docker and outside of your server.

Saulul commented 1 year ago

Thanks again for the detailed reply @iw4p, I will try what you proposed. Another thing is that since 2 days ago the Iranian government has been heavily blocking any sort of UDP packets with their firewall, which has basically made any VPN protocol using UDP impossible. Is there a way to force OpenConnect to only use TCP on 443? I'm guessing they won't just outright block every TCP packet on 443, as that would cripple access to any website using SSL.

iw4p commented 1 year ago

You're welcome @Saulul. I'm not sure; you can comment out the UDP line. The better way is using V2Ray (use a CDN, like China).
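The port-change procedure described two comments up (edit ocserv.conf locally, build, then run with matching -p mappings) together with the TCP-only question answered here, as an added POSIX shell example that is not the repo's own code. It assumes the repo's ocserv.conf uses the standard ocserv keys tcp-port and udp-port; the config it edits in the demo is a constructed sample, and docker itself is not required to run it.

```shell
#!/bin/sh
# Added example (not part of the repo or its script): change the ports in a local
# copy of ocserv.conf, optionally drop UDP so clients stay on TCP, and print a
# docker run line whose port mappings agree with the config.
# Assumes the standard ocserv keys "tcp-port = N" and "udp-port = N".

# Usage: set_ocserv_ports <conf> <tcp-port> [<udp-port>|none]
# "none" comments out udp-port, so ocserv offers no DTLS and sessions use TCP only.
set_ocserv_ports() {
  conf=$1; tcp=$2; udp=${3:-$2}
  sed "s/^[# ]*tcp-port *=.*/tcp-port = $tcp/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
  if [ "$udp" = "none" ]; then
    sed 's/^[# ]*\(udp-port *=.*\)/#\1/' "$conf" > "$conf.tmp"   # keep the old value, commented
  else
    sed "s/^[# ]*udp-port *=.*/udp-port = $udp/" "$conf" > "$conf.tmp"
  fi
  mv "$conf.tmp" "$conf"
}

# Usage: ocserv_run_cmd <conf> [<host-tcp-port>] [<host-udp-port>]
# Container-side ports are read from the config (only uncommented lines count);
# host-side ports default to the same numbers. docker's -p syntax is host:container.
ocserv_run_cmd() {
  conf=$1
  ctcp=$(sed -n 's/^tcp-port *= *\([0-9]*\).*/\1/p' "$conf")
  cudp=$(sed -n 's/^udp-port *= *\([0-9]*\).*/\1/p' "$conf")
  htcp=${2:-$ctcp}; hudp=${3:-$cudp}
  cmd="docker run --name ocserv --privileged -p $htcp:$ctcp"
  if [ -n "$cudp" ]; then
    cmd="$cmd -p $hudp:$cudp/udp"
  fi
  printf '%s -d ocserv\n' "$cmd"
}

# Demo on a constructed minimal config. Build the image first, in the directory
# that holds the Dockerfile, with: sudo docker build -t ocserv .
demo() {
  conf=$(mktemp)
  printf 'tcp-port = 443\nudp-port = 443\nmax-clients = 1000\n' > "$conf"
  set_ocserv_ports "$conf" 22 none   # move ocserv to port 22, TCP only
  cat "$conf"
  ocserv_run_cmd "$conf"
  rm -f "$conf"
}
```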

ttvd94 commented 1 year ago

> The better way is using V2Ray (use a CDN, like China).

The problem with V2Ray is that there's no way to control the number of connected clients, since it works as a proxy, not a VPN.

iw4p commented 1 year ago

> The better way is using V2Ray (use a CDN, like China).

> The problem with V2Ray is that there's no way to control the number of connected clients, since it works as a proxy, not a VPN.

Not a good solution, but you can add an alterId and have clients update their config through the subscription. Or you can make a watcher for the v2ray log file and program logic to manage users.

ttvd94 commented 1 year ago

Of course that is a good workaround @iw4p, but I'm not into that much of scripting right now. I'm looking for a plug-and-play solution.

Btw, I'm not sure how alterId is gonna help with maintaining clients.

iw4p commented 1 year ago

When you change the alterId, all of your clients need to have the new alterId, otherwise they can no longer connect to your server. With the subscription method you can force users to keep their config file updated. So if a client gives its config to someone else, they will not be able to get the new config when you update the alterId via the subscription.