dockerfiles
DTLS handshake failed: Error in the push function.
As mentioned in the subject, with Debian Stretch / openconnect 7.08-1 / network-manager-openconnect 1.2.4-1 running on the host, I would like to establish a tunnel with openconnect to an ocserv docker image freshly deployed on a VPS.
The procedure on the host is as below. How do I use both TCP and especially UDP?
~$ openconnect https://*.*.*.*:4443
POST https://*.*.*.*:4443/
Connected to *.*.*.*:4443
SSL negotiation with *.*.*.*
Server certificate verify failed: signer not found
Certificate from VPN server "*.*.*.* failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
--servercert sha256:***********
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on *.*.*.*
XML POST enabled
Please enter your username.
Username: ****
POST https://*.*.*.*:4443/auth
Please enter your password.
Password:
POST https://*.*.*.*:4443/auth
Got CONNECT response: HTTP/1.1 200 CONNECTED
CSTP connected. DPD 90, Keepalive 32400
Connected as 10.20.30.14, using SSL + lz4
DTLS handshake failed: Error in the push function.
(Is a firewall preventing you from sending UDP packets?)
DTLS handshake failed: Error in the push function.
(Is a firewall preventing you from sending UDP packets?)
DTLS handshake failed: Error in the push function.
(Is a firewall preventing you from sending UDP packets?)
DTLS handshake failed: Error in the push function.
(Is a firewall preventing you from sending UDP packets?)
SSL read error: The TLS connection was non-properly terminated.; reconnecting.
SSL negotiation with *.*.*.*
Server certificate verify failed: signer not found
Connected to HTTPS on *.*.*.*
Got CONNECT response: HTTP/1.1 200 CONNECTED
CSTP connected. DPD 90, Keepalive 32400
DTLS handshake failed: Error in the push function.
(Is a firewall preventing you from sending UDP packets?)
On the VPS, a netstat check shows UDP was not established. Testing UDP port 4443 showed it could not be reached from the public internet. Iptables accepts all to anywhere, no doubt.
~$ netstat -uanp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp6 0 0 :::4443 :::*
BTW, it is definitely a clean machine; I just added one line, "accept udp 4443".
~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:4443
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:https
ACCEPT udp -- anywhere 172.17.0.2 udp dpt:443
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
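The post says UDP port 4443 "could not be reached from public" but does not show how that was tested. The following is an added example (not from the original post or the dockerfiles project) of a small UDP reachability probe that separates the three outcomes a tester actually cares about: a reply (end-to-end path works), an ICMP port-unreachable (the packet arrived at the host but nothing listened, so no firewall dropped it), and a silent timeout (dropped somewhere on the path, or a listener that does not answer). The echo listener, the probe payload and the host/port names are constructed for the example; the classification relies on Linux reporting ICMP errors on a connected UDP socket.

```python
import socket
import threading

# Constructed probe payload; the echo listener below simply returns whatever it receives.
PROBE = b"udp-reachability-probe"


def start_echo_listener(host="127.0.0.1", port=0):
    """Start a UDP echo listener in a background thread.

    Returns (socket, bound_port). port=0 asks the kernel for a free port, which is
    what the test uses; against a real deployment you would run this inside the
    container on the published port instead of ocserv to check the Docker mapping.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, port))
    srv.settimeout(0.5)  # wake periodically so the thread can notice a closed socket

    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(2048)
            except socket.timeout:
                continue
            except OSError:  # socket closed by the owner
                return
            srv.sendto(data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe_udp(host, port, timeout=1.0, attempts=3):
    """Send a datagram and classify what comes back.

    'reply'       - the listener answered, so the UDP path works end to end.
    'unreachable' - the host returned ICMP port unreachable: the datagram arrived,
                    nothing was listening, and no firewall silently dropped it.
    'timeout'     - nothing came back after all attempts: dropped on the path
                    (provider firewall, missing Docker -p .../udp mapping) or a
                    listener that does not echo arbitrary data.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # A connected UDP socket lets the kernel surface ICMP errors as exceptions.
        s.connect((host, port))
        for _ in range(attempts):
            try:
                s.send(PROBE)
                data = s.recv(2048)
                if data == PROBE:
                    return "reply"
            except ConnectionRefusedError:
                return "unreachable"
            except socket.timeout:
                continue
    return "timeout"


if __name__ == "__main__":
    srv, port = start_echo_listener()
    print("listener on 127.0.0.1:%d ->" % port, probe_udp("127.0.0.1", port))
    srv.close()
```

Run the echo listener inside the container in place of ocserv (published with the same `-p ...:443/udp` mapping) and probe the VPS's public address from outside. Against the real ocserv port only "unreachable" versus "timeout" is meaningful, because ocserv speaks DTLS and will not echo a probe; a "timeout" from the internet while a probe on the VPS itself returns "reply" or "unreachable" points at the path (Docker's published port, or a firewall in front of the VPS) rather than at ocserv.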