
OpenVPN constantly resetting connection when run in TCP mode

Open kikulikov opened this issue 7 years ago • 9 comments

I followed the tutorial on https://github.com/kylemanna/docker-openvpn/blob/master/docs/tcp.md to set up OpenVPN to work over TCP.

I run it on AWS. Port 443 is open in the security groups and I can telnet to it.

Steps to reproduce:

```shell
export OVPN_DATA="ovpn-data-example"
docker volume create --name $OVPN_DATA
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u tcp://xxx:443
docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki
docker run -v $OVPN_DATA:/etc/openvpn -d -p 443:1194/tcp --cap-add=NET_ADMIN kylemanna/openvpn
docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
```

Then export CLIENTNAME.ovpn to Tunnelblick and connect.

OpenVPN logs:

```
Fri Mar 23 10:43:11 2018 141.206.231.10:19141 TLS: Initial packet from [AF_INET]141.206.231.10:19141, sid=177f8fc3 c0de4ad3
Fri Mar 23 10:43:11 2018 141.206.231.10:19141 Connection reset, restarting [-1]
Fri Mar 23 10:43:11 2018 141.206.231.10:19141 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Mar 23 10:43:11 2018 TCP connection established with [AF_INET]141.206.231.10:19149
Fri Mar 23 10:43:12 2018 141.206.231.10:19149 TLS: Initial packet from [AF_INET]141.206.231.10:19149, sid=550f2d8b 04527227
Fri Mar 23 10:43:12 2018 141.206.231.10:19149 Connection reset, restarting [-1]
Fri Mar 23 10:43:12 2018 141.206.231.10:19149 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Mar 23 10:43:13 2018 TCP connection established with [AF_INET]141.206.231.10:19168
Fri Mar 23 10:43:14 2018 141.206.231.10:19168 TLS: Initial packet from [AF_INET]141.206.231.10:19168, sid=f45aef6c fc3cdb40
Fri Mar 23 10:43:14 2018 141.206.231.10:19168 Connection reset, restarting [-1]
Fri Mar 23 10:43:14 2018 141.206.231.10:19168 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Mar 23 10:43:14 2018 TCP connection established with [AF_INET]141.206.231.10:19172
Fri Mar 23 10:43:15 2018 141.206.231.10:19172 TLS: Initial packet from [AF_INET]141.206.231.10:19172, sid=cddd1676 a833b93d
Fri Mar 23 10:43:15 2018 141.206.231.10:19172 Connection reset, restarting [-1]
Fri Mar 23 10:43:15 2018 141.206.231.10:19172 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Mar 23 10:43:15 2018 TCP connection established with [AF_INET]141.206.231.10:19178
Fri Mar 23 10:43:16 2018 141.206.231.10:19178 TLS: Initial packet from [AF_INET]141.206.231.10:19178, sid=9e2a75a0 b1866815
Fri Mar 23 10:43:16 2018 141.206.231.10:19178 Connection reset, restarting [-1]
Fri Mar 23 10:43:16 2018 141.206.231.10:19178 SIGUSR1[soft,connection-reset] received, client-instance restarting
```

Tunnelblick logs:

```
2018-03-23 10:43:10 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-03-23 10:43:10 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-03-23 10:43:10 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-03-23 10:43:10 MANAGEMENT: >STATE:1521801790,RESOLVE,,,,,,
2018-03-23 10:43:10 TCP/UDP: Preserving recently used remote address: [AF_INET]35.177.38.134:443
2018-03-23 10:43:10 Socket Buffers: R=[131072->131072] S=[131072->131072]
2018-03-23 10:43:10 Attempting to establish TCP connection with [AF_INET]35.177.38.134:443 [nonblock]
2018-03-23 10:43:10 MANAGEMENT: >STATE:1521801790,TCP_CONNECT,,,,,,
2018-03-23 10:43:10 MANAGEMENT: CMD 'hold release'
2018-03-23 10:43:11 TCP connection established with [AF_INET]35.177.38.134:443
2018-03-23 10:43:11 TCP_CLIENT link local: (not bound)
2018-03-23 10:43:11 TCP_CLIENT link remote: [AF_INET]35.177.38.134:443
2018-03-23 10:43:11 MANAGEMENT: >STATE:1521801791,WAIT,,,,,,
2018-03-23 10:43:11 Connection reset, restarting [-1]
2018-03-23 10:43:11 SIGUSR1[soft,connection-reset] received, process restarting
2018-03-23 10:43:11 MANAGEMENT: >STATE:1521801791,RECONNECTING,connection-reset,,,,,
2018-03-23 10:43:11 MANAGEMENT: CMD 'hold release'
2018-03-23 10:43:11 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-03-23 10:43:11 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-03-23 10:43:11 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-03-23 10:43:11 MANAGEMENT: >STATE:1521801791,RESOLVE,,,,,,
2018-03-23 10:43:11 TCP/UDP: Preserving recently used remote address: [AF_INET]35.177.38.134:443
2018-03-23 10:43:11 Socket Buffers: R=[131072->131072] S=[131072->131072]
2018-03-23 10:43:11 Attempting to establish TCP connection with [AF_INET]35.177.38.134:443 [nonblock]
2018-03-23 10:43:11 MANAGEMENT: >STATE:1521801791,TCP_CONNECT,,,,,,
2018-03-23 10:43:11 MANAGEMENT: CMD 'hold release'
2018-03-23 10:43:12 TCP connection established with [AF_INET]35.177.38.134:443
2018-03-23 10:43:12 TCP_CLIENT link local: (not bound)
2018-03-23 10:43:12 TCP_CLIENT link remote: [AF_INET]35.177.38.134:443
2018-03-23 10:43:12 MANAGEMENT: >STATE:1521801792,WAIT,,,,,,
2018-03-23 10:43:12 Connection reset, restarting [-1]
2018-03-23 10:43:12 SIGUSR1[soft,connection-reset] received, process restarting
2018-03-23 10:43:12 MANAGEMENT: >STATE:1521801792,RECONNECTING,connection-reset,,,,,
2018-03-23 10:43:13 MANAGEMENT: CMD 'hold release'
2018-03-23 10:43:13 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-03-23 10:43:13 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-03-23 10:43:13 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-03-23 10:43:13 MANAGEMENT: >STATE:1521801793,RESOLVE,,,,,,
2018-03-23 10:43:13 TCP/UDP: Preserving recently used remote address: [AF_INET]35.177.38.134:443
2018-03-23 10:43:13 Socket Buffers: R=[131072->131072] S=[131072->131072]
2018-03-23 10:43:13 Attempting to establish TCP connection with [AF_INET]35.177.38.134:443 [nonblock]
2018-03-23 10:43:13 MANAGEMENT: >STATE:1521801793,TCP_CONNECT,,,,,,
2018-03-23 10:43:13 MANAGEMENT: CMD 'hold release'
2018-03-23 10:43:14 TCP connection established with [AF_INET]35.177.38.134:443
2018-03-23 10:43:14 TCP_CLIENT link local: (not bound)
2018-03-23 10:43:14 TCP_CLIENT link remote: [AF_INET]35.177.38.134:443
2018-03-23 10:43:14 MANAGEMENT: >STATE:1521801794,WAIT,,,,,,
2018-03-23 10:43:14 Connection reset, restarting [-1]
2018-03-23 10:43:14 SIGUSR1[soft,connection-reset] received, process restarting
2018-03-23 10:43:14 MANAGEMENT: >STATE:1521801794,RECONNECTING,connection-reset,,,,,
2018-03-23 10:43:14 MANAGEMENT: CMD 'hold release'
2018-03-23 10:43:14 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-03-23 10:43:14 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-03-23 10:43:14 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-03-23 10:43:14 MANAGEMENT: >STATE:1521801794,RESOLVE,,,,,,
2018-03-23 10:43:14 TCP/UDP: Preserving recently used remote address: [AF_INET]35.177.38.134:443
2018-03-23 10:43:14 Socket Buffers: R=[131072->131072] S=[131072->131072]
2018-03-23 10:43:14 Attempting to establish TCP connection with [AF_INET]35.177.38.134:443 [nonblock]
2018-03-23 10:43:14 MANAGEMENT: >STATE:1521801794,TCP_CONNECT,,,,,,
2018-03-23 10:43:14 MANAGEMENT: CMD 'hold release'
2018-03-23 10:43:15 TCP connection established with [AF_INET]35.177.38.134:443
2018-03-23 10:43:15 TCP_CLIENT link local: (not bound)
2018-03-23 10:43:15 TCP_CLIENT link remote: [AF_INET]35.177.38.134:443
2018-03-23 10:43:15 MANAGEMENT: >STATE:1521801795,WAIT,,,,,,
2018-03-23 10:43:15 Connection reset, restarting [-1]
2018-03-23 10:43:15 SIGUSR1[soft,connection-reset] received, process restarting
2018-03-23 10:43:15 MANAGEMENT: >STATE:1521801795,RECONNECTING,connection-reset,,,,,
2018-03-23 10:43:15 MANAGEMENT: CMD 'hold release'
2018-03-23 10:43:15 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2018-03-23 10:43:15 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-03-23 10:43:15 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2018-03-23 10:43:15 MANAGEMENT: >STATE:1521801795,RESOLVE,,,,,,
2018-03-23 10:43:15 TCP/UDP: Preserving recently used remote address: [AF_INET]35.177.38.134:443
2018-03-23 10:43:15 Socket Buffers: R=[131072->131072] S=[131072->131072]
2018-03-23 10:43:15 Attempting to establish TCP connection with [AF_INET]35.177.38.134:443 [nonblock]
2018-03-23 10:43:15 MANAGEMENT: >STATE:1521801795,TCP_CONNECT,,,,,,
2018-03-23 10:43:15 MANAGEMENT: CMD 'hold release'
2018-03-23 10:43:16 TCP connection established with [AF_INET]35.177.38.134:443
2018-03-23 10:43:16 TCP_CLIENT link local: (not bound)
2018-03-23 10:43:16 TCP_CLIENT link remote: [AF_INET]35.177.38.134:443
2018-03-23 10:43:16 MANAGEMENT: >STATE:1521801796,WAIT,,,,,,
2018-03-23 10:43:16 Connection reset, restarting [-1]
2018-03-23 10:43:16 SIGUSR1[soft,connection-reset] received, process restarting
2018-03-23 10:43:16 MANAGEMENT: >STATE:1521801796,RECONNECTING,connection-reset,,,,,
2018-03-23 10:43:16 SIGTERM[hard,init_instance] received, process exiting
2018-03-23 10:43:16 MANAGEMENT: >STATE:1521801796,EXITING,init_instance,,,,,
```

kikulikov avatar Mar 23 '18 12:03 kikulikov

This happens with me using UDP as well.

Mehonoshin avatar Apr 29 '18 08:04 Mehonoshin

This looks quite similar to https://github.com/kylemanna/docker-openvpn/issues/180#issuecomment-327683431.

Can you check?

marvin-w avatar May 30 '18 19:05 marvin-w

I do not have it running now. Will check when have a moment.

kikulikov avatar May 30 '18 21:05 kikulikov

Since you are using TCP, I think it is very likely that you have a Load Balancer fronting the OpenVPN service?

The provided OpenVPN server log looks as if there is an AWS Load Balancer firing every second. With each ELB health check ping, telnet or netcat etc. you will get this:

```
Fri Mar 23 10:43:12 2018 141.206.231.10:19149 TLS: Initial packet from [AF_INET]141.206.231.10:19149, sid=550f2d8b 04527227
Fri Mar 23 10:43:12 2018 141.206.231.10:19149 Connection reset, restarting [-1]
Fri Mar 23 10:43:12 2018 141.206.231.10:19149 SIGUSR1[soft,connection-reset] received, client-instance restarting
```

There is not really a way around it, apart from getting fewer such entries in the logs by adjusting the ELB interval.

quater avatar Jun 15 '18 12:06 quater
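The comment above attributes the once-per-second `Connection reset, restarting [-1]` lines to a load balancer health check. A defender triaging this log wants to tell the two cases apart rather than guess: a bare TCP health check opens the socket and closes it without sending any OpenVPN data, so the server never logs a `TLS: Initial packet` for that connection, whereas a real client whose handshake is failing does send one before the reset. The following script is an added example (not part of the thread or of the docker-openvpn project) that parses server log lines in the format shown in this issue, tracks each TCP connection from `TCP connection established` to its outcome, and classifies every peer IP. The `Peer Connection Initiated with` line used as the success marker is the message OpenVPN prints once a client has completed the handshake; the sample log, IP addresses and thresholds are constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Patterns for the OpenVPN server log lines seen in this thread, plus the
# "Peer Connection Initiated" line a successful handshake produces.
TS_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")
ESTABLISHED_RE = re.compile(r"TCP connection established with \[AF_INET\]([\d.]+):(\d+)")
INITIAL_RE = re.compile(r"^([\d.]+):(\d+) TLS: Initial packet")
SUCCESS_RE = re.compile(r"Peer Connection Initiated with \[AF_INET\]([\d.]+):(\d+)")
RESET_RE = re.compile(r"^([\d.]+):(\d+) Connection reset, restarting")

# Constructed sample (RFC 5737 / private addresses): 10.0.0.5 behaves like a
# TCP probe (connect, close, no OpenVPN data, every 10 s), 203.0.113.7 behaves
# like the client in this issue (TLS initial packet, then reset, every second),
# and 198.51.100.9 completes a handshake.
SAMPLE_LOG = """\
Fri Mar 23 10:43:00 2018 TCP connection established with [AF_INET]10.0.0.5:40001
Fri Mar 23 10:43:00 2018 10.0.0.5:40001 Connection reset, restarting [-1]
Fri Mar 23 10:43:00 2018 10.0.0.5:40001 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Mar 23 10:43:10 2018 TCP connection established with [AF_INET]10.0.0.5:40002
Fri Mar 23 10:43:10 2018 10.0.0.5:40002 Connection reset, restarting [-1]
Fri Mar 23 10:43:11 2018 TCP connection established with [AF_INET]203.0.113.7:19141
Fri Mar 23 10:43:11 2018 203.0.113.7:19141 TLS: Initial packet from [AF_INET]203.0.113.7:19141, sid=177f8fc3 c0de4ad3
Fri Mar 23 10:43:11 2018 203.0.113.7:19141 Connection reset, restarting [-1]
Fri Mar 23 10:43:12 2018 TCP connection established with [AF_INET]203.0.113.7:19149
Fri Mar 23 10:43:12 2018 203.0.113.7:19149 TLS: Initial packet from [AF_INET]203.0.113.7:19149, sid=550f2d8b 04527227
Fri Mar 23 10:43:12 2018 203.0.113.7:19149 Connection reset, restarting [-1]
Fri Mar 23 10:43:13 2018 TCP connection established with [AF_INET]203.0.113.7:19168
Fri Mar 23 10:43:13 2018 203.0.113.7:19168 TLS: Initial packet from [AF_INET]203.0.113.7:19168, sid=f45aef6c fc3cdb40
Fri Mar 23 10:43:13 2018 203.0.113.7:19168 Connection reset, restarting [-1]
Fri Mar 23 10:43:15 2018 TCP connection established with [AF_INET]198.51.100.9:51000
Fri Mar 23 10:43:15 2018 198.51.100.9:51000 TLS: Initial packet from [AF_INET]198.51.100.9:51000, sid=0a0a0a0a 0b0b0b0b
Fri Mar 23 10:43:16 2018 198.51.100.9:51000 [client1] Peer Connection Initiated with [AF_INET]198.51.100.9:51000
Fri Mar 23 10:43:20 2018 TCP connection established with [AF_INET]10.0.0.5:40003
Fri Mar 23 10:43:20 2018 10.0.0.5:40003 Connection reset, restarting [-1]
"""


def _record(conns, ip, port, ts):
    """Fetch the open connection (ip, port), creating it if the log was truncated."""
    return conns.setdefault((ip, int(port)), {"peer": ip, "start": ts,
                                              "initial_packet": False, "outcome": "open"})


def parse_connections(log_text):
    """Track each TCP connection from establishment to reset / handshake success."""
    conns, done = {}, []
    for raw in log_text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(" ".join(m.group(1).split()), "%a %b %d %H:%M:%S %Y")
        rest = m.group(2)
        if (e := ESTABLISHED_RE.search(rest)):
            _record(conns, e.group(1), e.group(2), ts)
        elif (i := INITIAL_RE.match(rest)):
            _record(conns, i.group(1), i.group(2), ts)["initial_packet"] = True
        elif (s := SUCCESS_RE.search(rest)):
            rec = conns.pop((s.group(1), int(s.group(2))), None) or _record({}, s.group(1), s.group(2), ts)
            rec["outcome"] = "completed"
            done.append(rec)
        elif (r := RESET_RE.match(rest)):
            rec = conns.pop((r.group(1), int(r.group(2))), None) or _record({}, r.group(1), r.group(2), ts)
            rec["outcome"] = "reset"
            done.append(rec)
    done.extend(conns.values())  # connections still open at end of log
    return done


def classify(s):
    """Verdict per peer: bare probe, aborted handshake, healthy client, or unknown."""
    if s["completed"] and not (s["no_data_resets"] or s["handshake_aborts"]):
        return "healthy"
    if s["no_data_resets"] >= 3 and not s["handshake_aborts"] and not s["completed"]:
        return "probe"            # connects and closes without any OpenVPN data
    if s["handshake_aborts"] >= 3 and not s["completed"]:
        return "handshake-abort"  # sent a TLS initial packet, then reset
    return "inconclusive"


def summarize(records):
    """Aggregate connection records per peer IP and attach a verdict."""
    by_peer = defaultdict(list)
    for r in records:
        by_peer[r["peer"]].append(r)
    out = {}
    for peer, recs in by_peer.items():
        starts = sorted(r["start"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        s = {
            "connections": len(recs),
            "no_data_resets": sum(r["outcome"] == "reset" and not r["initial_packet"] for r in recs),
            "handshake_aborts": sum(r["outcome"] == "reset" and r["initial_packet"] for r in recs),
            "completed": sum(r["outcome"] == "completed" for r in recs),
            "median_gap_s": statistics.median(gaps) if gaps else None,
        }
        s["verdict"] = classify(s)
        out[peer] = s
    return out


if __name__ == "__main__":
    for peer, s in summarize(parse_connections(SAMPLE_LOG)).items():
        print(f"{peer:15} {s['verdict']:16} conns={s['connections']} "
              f"probe_resets={s['no_data_resets']} aborts={s['handshake_aborts']} "
              f"ok={s['completed']} median_gap={s['median_gap_s']}")
```

Run against the server log quoted in this issue, every reset is preceded by a `TLS: Initial packet` from the same address and port, so the script reports it as `handshake-abort` rather than `probe`; the `median_gap_s` value is what you would watch after changing a health-check interval, as later comments in the thread suggest.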

Just to be absolutely certain, you do have a valid SSL cert/key while using port 443, right?

mathieu-aubin avatar Jun 17 '18 13:06 mathieu-aubin

If you deployed OpenVPN server in AWS and are running it behind a Network Load Balancer, make it hit a different port/service for health checking. You can make it probe port 22 (SSH) for example. That will get rid of the endless "Connection reset, restarting".

slisznia avatar May 13 '19 01:05 slisznia

As @quater points out, it is due to the health check, but it is not restricted to NLB; it happens on ELB too. It probably does not even matter whether you have it on AWS or not. The health check is just a 'service alive' check that verifies the port is open and answering; whatever that is makes OpenVPN see an incoming connection that does not properly finish the protocol handshake. Since VPN is a service, I will notice very soon when it fails, so I have just increased the health check period from the 10 secs AWS standard to 120 secs. It is waaaaay less annoying in the logs, although it does not fully disappear.

colegatron avatar Jul 11 '19 21:07 colegatron

I have the same problem without load balancers.

alegmal avatar Jul 29 '20 09:07 alegmal

I have the exact same problem (AWS NLB + OpenVPN run on ECS). Unfortunately OpenVPN is a piece of old ~~shit~~ software. It does not provide separate ports for monitoring and health checks. This problem is especially relevant when using the UDP protocol.

a0s avatar Sep 29 '22 07:09 a0s