Windows – OpenVPN client timeout when browsing https sites on Windows 7

Tags: openvpn, timeout, vpn, windows, windows 7

Client config

client
dev tun
proto tcp
remote -.-.-.- 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA256
key-direction 1
comp-lzo
verb 3

Server config (on Ubuntu 16)

port 443
proto tcp
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.77.77.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.8.8"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC   # AES
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

The issue only occurs on all my Windows machines, when I try opening any secure site like https://google.com, but when I open it from my iPhone or Ubuntu while connected to the OpenVPN the connection does not time out at all.

EDIT: For example, if I ping google.com while browsing a non-secure site (HTTP) it's stable and fine, but the moment I open a secure site (HTTPS) the ping shoots up very high to about 2k ms and then times out for about 1-2 minutes before returning to normal. Eventually the page gets loaded, but only after that long delay.

I'm using the OpenVPN TAP Adapter for Windows; could it be an adapter problem, or perhaps the cipher?

Best Answer

If you can ping hosts with small packets but can't with big packets, then you may have one of two problems: 1) a bad cable or connection with many errors, 2) an MTU problem. If you can ping your gateway host with big packets and other devices work fine, then your problem isn't the first one; it's the MTU problem. But why? Maybe the Windows firewall or your ISP is blocking some type of ICMP or Path MTU Discovery packets.

From documentation:

Currently on Windows, the only way to change the TAP-Windows MTU is to go to the adapter advanced properties and do it manually. Because of this, the easiest choice is to leave the TAP-Windows MTU setting at “1500” and tell OpenVPN on both sides of the connection to use an MTU of “1500” with the config option: tun-mtu 1500

If you then need to lower the MTU because of fragmentation or router problems, use: mssfix 1300.

Also use UDP packets instead of TCP for good performance.

Considering all of the above, include in both the client and server config files:

proto udp
dev tun
tun-mtu 1500
mssfix 1300

Read more about it in the good article Solving OpenVPN MTU issues and in Notes -- MTU at the official documentation site.
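The small-packet/big-packet ping test the answer describes, written out as an added example (this is not code from the original post or from OpenVPN). It binary-searches the largest ICMP payload that still gets through with the Don't-Fragment bit set, which tells you the path MTU between you and the host. The search takes a pluggable `probe` callable so it can run offline against a constructed, simulated link; the `ping_df` wrapper at the bottom is an assumption about your local ping binary (Windows `ping -f -l SIZE HOST`, Linux iputils `ping -M do -s SIZE HOST`), and `simulated_link`, `find_max_payload` and `diagnose` are names chosen here.

```python
"""Path-MTU probe: the 'ping with big packets' diagnostic from the answer above.

Added example, not from the original post. A DF-bit ping either fits the
path MTU or is dropped, so success is monotonic in payload size and a
binary search finds the largest payload that gets through.
"""
import platform
import subprocess
import sys
from typing import Callable, Dict

# Every ping probe carries a 20-byte IPv4 header and an 8-byte ICMP header
# in front of the payload, so path MTU = largest payload + 28.
IP_ICMP_OVERHEAD = 28
WIRE_MTU = 1500  # Ethernet MTU; the TAP adapter default the answer quotes


def find_max_payload(probe: Callable[[int], bool], lo: int = 32, hi: int = 1472) -> int:
    """Largest payload in [lo, hi] for which probe() succeeds.

    Returns -1 if even the small `lo` probe fails (no reply at all: the
    'bad cable' case, or a firewall dropping ICMP, as the answer mentions).
    Assumes probe is monotonic: once a size fails, every larger size fails.
    """
    if not probe(lo):
        return -1
    if probe(hi):
        return hi
    # Invariant: probe(lo) succeeded, probe(hi) failed.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def diagnose(probe: Callable[[int], bool], wire_mtu: int = WIRE_MTU) -> Dict[str, int]:
    """Classify a path: 'ok' (full wire MTU), 'pmtu_reduced' (something on the
    path is smaller than the wire MTU, the case where tun-mtu/mssfix matter),
    or 'no_reply' (no probe size works, so the problem is not MTU alone)."""
    payload = find_max_payload(probe, lo=32, hi=wire_mtu - IP_ICMP_OVERHEAD)
    if payload < 0:
        return {"status": "no_reply"}
    path_mtu = payload + IP_ICMP_OVERHEAD
    status = "ok" if path_mtu >= wire_mtu else "pmtu_reduced"
    return {"status": status, "path_mtu": path_mtu}


def simulated_link(path_mtu: int, icmp_blocked: bool = False) -> Callable[[int], bool]:
    """Constructed stand-in for a real path so the search runs offline:
    a DF probe succeeds iff the whole packet fits path_mtu. With
    icmp_blocked=True every probe fails, mimicking a filter that drops ICMP."""
    def probe(payload: int) -> bool:
        if icmp_blocked:
            return False
        return payload + IP_ICMP_OVERHEAD <= path_mtu
    return probe


def ping_df(host: str, timeout_s: float = 2.0) -> Callable[[int], bool]:
    """Probe that shells out to the system ping with Don't-Fragment set.
    Assumes Windows ping or Linux iputils ping; both report a non-zero exit
    status when the packet is too large for the path or gets no reply."""
    def probe(payload: int) -> bool:
        if platform.system() == "Windows":
            cmd = ["ping", "-n", "1", "-w", str(int(timeout_s * 1000)),
                   "-f", "-l", str(payload), host]
        else:
            cmd = ["ping", "-c", "1", "-W", str(int(timeout_s)),
                   "-M", "do", "-s", str(payload), host]
        result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return result.returncode == 0
    return probe


if __name__ == "__main__":
    # Offline demonstration against a constructed 1400-byte path.
    print("simulated 1400-byte path:", diagnose(simulated_link(1400)))
    # Real run: python pmtu_probe.py <host>  (e.g. your VPN gateway address)
    if len(sys.argv) > 1:
        print(sys.argv[1], diagnose(ping_df(sys.argv[1])))
```

Run it against your gateway first and then against a host beyond the tunnel: if the gateway reports the full 1500 but the far host comes back with a smaller path MTU, that is the situation where the answer's `tun-mtu 1500` plus `mssfix` clamp applies; a `no_reply` result on every size points at dropped ICMP or a bad link rather than at MTU.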