I am trying to configure openvpn, I used a config and certificate/key example that comes with OpenVPN. It works perfectly when I use it with UDP but it doesn't work with TCP
server-tls.conf
# OpenVPN config "server-tls.conf"
#
# test using: openvpn --config server-tls.conf
proto tcp #default
dev tun #default
port 8080 #default
management 127.0.0.1 8080
# Tunnel IP-number plan:
# network: 10.4.0.0/24 all tunnel-endpoints (TEPs)
# IP: 10.4.0.1 server
# IP: 10.4.0.2 server p2p address (not-used)
# IP: 10.4.0.5 client-1 p2p address (not-used)
# IP: 10.4.0.6 client-1
# IP: 10.4.0.9 client-2 p2p address (not-used)
# IP: 10.4.0.10 client-2
# IP: 10.4.0.13 client-3 p2p address (not-used)
# IP: 10.4.0.14 client-3
# etc... This setup allows (2^(32-24)/4)-1=63 clients
server 10.4.0.0 255.255.255.0 # the server Tunnel-IP will be .1
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
# The 'server' command also established a pool of Tunnel-IPs for the clients (like DHCP)
#route 10.4.0.0 255.255.255.0 # this command is implicit with 'server' command
cd /etc/openvpn/
log /var/log/openvpn.log
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0 # Use 0=server, 1=client
verb 3
keepalive 10 60
persist-tun
persist-key
persist-local-ip
comp-lzo
duplicate-cn # needed if all clients use same client.crt/key
# Uncomment following line if you want to allow client-to-client traffic:
# (dont use this option if you want to filter the client-to-client packets via iptables)
#client-to-client
#push "route 10.4.0.0 255.255.255.0" # this is done automatically with client-to-client command (else do specify)
# end of "server-tls.conf"
client-tls.conf
# OpenVPN config "client-tls.conf"
#
# run with: openvpn --config client-tls.conf
proto tcp #default
dev tun #default
client
remote x.x.x.x 8080
#cd /etc/openvpn/
#log /var/log/openvpn.log
#log openvpn.log
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1 # Use 0=server, 1=client
# Verify that we are connected with the correct server:
tls-remote "Test-Server"
ns-cert-type server
nobind
verb 3
keepalive 10 60
comp-lzo
explicit-exit-notify 2
# end of "client-tls.conf"
Server log:
cat /var/log/openvpn.log
Tue Dec 11 17:36:18 2012 OpenVPN 2.2.0 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jul 4 2011
Tue Dec 11 17:36:18 2012 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:8080
Tue Dec 11 17:36:18 2012 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Tue Dec 11 17:36:18 2012 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Dec 11 17:36:18 2012 Diffie-Hellman initialized with 1024 bit key
Tue Dec 11 17:36:18 2012 WARNING: file 'server.key' is group or others accessible
Tue Dec 11 17:36:18 2012 WARNING: file 'ta.key' is group or others accessible
Tue Dec 11 17:36:18 2012 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Tue Dec 11 17:36:18 2012 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 11 17:36:18 2012 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 11 17:36:18 2012 TLS-Auth MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Dec 11 17:36:18 2012 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Dec 11 17:36:18 2012 TCP/UDP: Socket bind failed on local address [undef]: Address already in use
Tue Dec 11 17:36:18 2012 Exiting
Client log:
Options error: --explicit-exit-notify can only be used with --proto udp
Use --help for more information.
Why doesn't it work in TCP mode?
Best Answer
The server log is very clear on why it's not working.
You've got something else running on that combination of protocol/port. You can take a look at what it is by running
netstat -nlp | grep 1234
(change port number accordingly) and kill that process or move that to another port.
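The following is an added example, not part of the question or the answer above and not OpenVPN's own tooling: a small POSIX shell pre-flight check that reads a config file and flags the two problems the logs report before the daemon is ever started. The management interface is always a TCP listener, so with `proto udp` a UDP tunnel on 8080 and the TCP management socket on 127.0.0.1:8080 coexist, while with `proto tcp` the second bind fails with "Address already in use"; likewise `explicit-exit-notify` is rejected by the client unless the protocol is UDP. The sample configs it writes to temp files are constructed from the two configs above, and the function names `ovpn_directive`, `ovpn_has`, `ovpn_lint` and `tcp_listeners` are my own, not OpenVPN directives or commands.

```shell
#!/bin/sh
# Added pre-flight check for OpenVPN configs (example code, not from the
# question or from OpenVPN). It turns the two failures in the logs above into
# static checks that run before the daemon is started:
#   1. proto tcp plus a `management` listener on the same port as `port`:
#      the management socket is always TCP, so under proto udp the two never
#      collide, but under proto tcp the second bind fails with
#      "Address already in use".
#   2. proto tcp plus explicit-exit-notify: rejected by the client with
#      "--explicit-exit-notify can only be used with --proto udp".

# Print the arguments of the first `$2` directive in config `$1`, with trailing
# '#' comments stripped. Prints nothing if the directive is absent or bare.
ovpn_directive() {
    sed 's/#.*$//' "$1" | awk -v d="$2" '
        $1 == d { out = ""; for (i = 2; i <= NF; i++) out = out (i > 2 ? " " : "") $i
                  print out; exit }'
}

# Succeed (status 0) if directive `$2` appears in config `$1`, even without args.
ovpn_has() {
    sed 's/#.*$//' "$1" | awk -v d="$2" '$1 == d { found = 1; exit } END { exit !found }'
}

# Lint one config. Prints one line per finding and returns the number of
# findings (0 means the config passes these checks).
ovpn_lint() {
    cfg=$1
    findings=0
    proto=$(ovpn_directive "$cfg" proto)
    port=$(ovpn_directive "$cfg" port)
    mgmt=$(ovpn_directive "$cfg" management)
    # OpenVPN defaults when the directive is missing: proto udp, port 1194.
    [ -n "$proto" ] || proto=udp
    [ -n "$port" ] || port=1194

    if [ -n "$mgmt" ]; then
        set -- $mgmt            # management <ip> <port>: take the port
        mgmt_port=$2
        case $proto in
        tcp|tcp-server|tcp-client|tcp4|tcp6)
            if [ "$mgmt_port" = "$port" ]; then
                echo "CONFLICT: management TCP port $mgmt_port collides with tunnel port $port under proto $proto"
                findings=$((findings + 1))
            fi ;;
        esac
    fi

    if ovpn_has "$cfg" explicit-exit-notify; then
        case $proto in
        udp|udp4|udp6) ;;
        *)  echo "ERROR: explicit-exit-notify requires proto udp (found proto $proto)"
            findings=$((findings + 1)) ;;
        esac
    fi
    return $findings
}

# Live counterpart of check 1 for the host itself: list what already listens on
# TCP port $1 (ss where available, else the netstat form from the answer).
# Not run automatically; call `tcp_listeners 8080` on the server.
tcp_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltnp 2>/dev/null | awk -v p=":$1\$" '$4 ~ p'
    else
        netstat -nlp 2>/dev/null | grep "^tcp.*:$1 "
    fi
}

# Constructed sample configs, written to temp files so this runs stand-alone.
# SAMPLE_TCP reduces the question's server-tls.conf to the relevant lines,
# SAMPLE_UDP is the same file with proto udp, SAMPLE_CLIENT mirrors client-tls.conf.
SAMPLE_TCP=$(mktemp)
SAMPLE_UDP=$(mktemp)
SAMPLE_CLIENT=$(mktemp)
trap 'rm -f "$SAMPLE_TCP" "$SAMPLE_UDP" "$SAMPLE_CLIENT"' EXIT
cat > "$SAMPLE_TCP" <<'EOF'
proto tcp #default
dev tun #default
port 8080 #default
management 127.0.0.1 8080
server 10.4.0.0 255.255.255.0 # the server Tunnel-IP will be .1
EOF
sed 's/^proto tcp/proto udp/' "$SAMPLE_TCP" > "$SAMPLE_UDP"
cat > "$SAMPLE_CLIENT" <<'EOF'
proto tcp
client
remote x.x.x.x 8080
nobind
explicit-exit-notify 2
EOF

for f in "$SAMPLE_TCP" "$SAMPLE_UDP" "$SAMPLE_CLIENT"; do
    if ovpn_lint "$f"; then
        echo "$f: ok"
    else
        echo "$f: $? finding(s)"
    fi
done
```

Run against the question's server config the linter reports the 8080/8080 collision; the same file with `proto udp` passes, which is exactly the UDP-works/TCP-fails behaviour in the question, and the client config is flagged for `explicit-exit-notify`. Moving `management` to another port (or to a unix socket) and dropping `explicit-exit-notify` from the TCP client profile clears both findings.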