Tag: computer network

What happens if an IPv4 client tries to access an IPv6-only server (SOLVED)

Question:

Hey! The article says that IPv6 is a completely different protocol, I had a question. If my recipient's email works only on IPv6 (that is, his mail server listens only through the IPv6 protocol), does this mean that when sending a letter from a mail server that is connected only to IPv4, the letter simply will not reach the recipient, that is, I will have to choose some kind of mail service whose mail server works with both IPv6 and IPv4 so that my friend can read my letter?

Answer:

The considered situation, when one server has only an IPv4 address, and the second server has only an IPv6 address, is purely theoretical. ISPs that use IPv6 and provide IPv6 addresses to customers also provide IPv4 addresses at the same time.

For example, this router is connected to an ISP that supports IPv6. However, the router has two types of IP addresses:

  • 10.241.24.29
  • 2001:fb1:fc0:135:20e8:31d0:4821:6624

My computer is connected to this router, so it also has two types of IP addresses:

  • 192.168.1.58
  • 2001:fb1:139:20d8:82c0:cb25:b750:24d4

Note that IPv4 and IPv6 are such separate networks that for IPv6, the router has its own DNS server IP – 2001:fb0:100::207:49.

The same is true for hosting providers. For example, ISPs in my country do not support IPv6. But at the same time, hosting providers in my country have been supporting IPv6 for a very long time (for example, I set up IPv6 for SuIP.biz back in 2016, while one rented VPS server came with one free IPv4 and 3 free IPv6).

You can search for websites with IPv6 support and look at their DNS records – you will see that in addition to the AAAA record (IPv6 address of the site), there is also an A record for the site (IPv4 address of the site).

That is, yes, if one of the computers (client or server1) is connected only to an IPv4 network, and the second computer (server or server2) is connected only to an IPv6 network, then theoretically it is simply impossible to build a network route between them from the first to the second. But in practice, this problem does not arise simply for the reason that absolutely all clients and servers support IPv4, and some also support IPv6. That is, all possible combinations work according to one of the following options:

  • client and server support IPv6 – IPv6 is used
  • client supports IPv6 and server does not support IPv6 – IPv4 is used
  • client does not support IPv6 and server supports IPv6 – IPv4 is used
  • client does not support IPv6 and server does not support IPv6 – IPv4 is used

However, it is possible to isolate an IPv6-enabled server from an IPv4 network, which is what I talk about in the section “How to configure SSH to work with IPv6 only”.

In short: IPv4 and IPv6 are two different networks, even though they run on the same wires and on the same hardware.

If you're interested in a specific error, when you try to open an IPv6-only site from an IPv4-only client, you get the “Network is unreachable” error.

Another example of an error: if you try to run the following command from an IPv6-enabled network:

sudo nmap -6 suip.biz

then the host suip.biz will be scanned.

If you run the same command from a network without IPv6 support, an error will be displayed: “setup_target: failed to determine route to suip.biz (2a02:f680:1:1100::3d60)”.


How to edit the Access denied page in Squid? How to insert custom pictures and mail?

The custom Access denied page can only be shown if the user connects via HTTP. For HTTPS connections (which are currently the vast majority), it is impossible to change the displayed page (that is, display the configured Access denied page) due to the very nature of HTTPS, which is precisely designed to ensure that the transmitted data cannot be modified.

That is, you can edit the Access denied page in Squid, but it will only show up on the few occasions when an HTTP connection is made.

For HTTPS connections, a standard web browser page will be displayed with a message like “The proxy server is refusing connections”.

In other words, the custom Access denied page in Squid will be shown quite rarely, and configuring it is largely outdated functionality.

Squid has page templates with various messages, including denied access, in various languages. For example: /usr/share/squid/errors/en/ERR_ACCESS_DENIED (“ERROR: The requested URL could not be retrieved”).

You can edit this page like a regular HTML file.

This page uses codes to insert into the template, for example:

  • %U
  • %c
  • %w
  • %W

The meaning of these codes, as well as many other codes, can be found on the following page: https://wiki.squid-cache.org/Features/CustomErrors

How to set Squid cache manager e-mail?

If you only want to specify the e-mail address of the Squid cache manager, then you do not need to edit the template files. You can use the following directives:

  • cache_mgr – the e-mail address of the local cache manager, who will receive mail if the cache dies. The default is “webmaster”.
  • email_err_data – if enabled, information about the occurred error will be included in the mailto links of the ERR pages (if %W is set) so that the email body contains the data. Syntax is <A HREF="mailto:%w%W">%w</A>. It is already enabled by default, so no further configuration is required.

See also the complete guide: How to create and configure a Squid proxy server

How to connect to Tor with OpenVPN

Connecting to Tor via a VPN is usually used in practice not so much to increase anonymity (although such use takes place), but to bypass the blocking of the Tor network. In some countries, the Tor network is blocked at the state level, so to connect the Tor browser or the Tor service, you must use bridges – intermediate nodes of the Tor network. Instead of bridges, you can connect to the Tor network through a VPN.

In fact, connecting to Tor via a VPN is even easier than using bridges.

Please note that due to the peculiarities of the blocking implementation (for example, blocking is performed only at the level of providers of the last mile), even the VPN of the country in which the Tor network is blocked can be used to bypass the connection blocking to the Tor network.

Signs that the ISP is blocking access to the Tor network are that the connection to Tor stops at the very first stages.

For example, Tor Browser stalls at the message:

Connecting to a Tor relay
Tor Browser routes your traffic over the Tor Network, run by thousands of volunteers around the world.

Another possible error:

Loading relay information

When trying to use the Tor service by starting it with the command

sudo systemctl start tor

the status check

systemctl status tor

will show that the initial bootstrap stopped at 5%, that is, at the stage of connecting to the relay:

Jan 08 11:21:40 HackWare systemd[1]: Started Anonymizing overlay network for TCP.
Jan 08 11:21:41 HackWare Tor[25392]: Bootstrapped 5% (conn): Connecting to a relay

To connect to the Tor network over a VPN, start by connecting to a VPN server, for example using OpenVPN.

Right after that, you can use the Tor service as usual – no additional configuration is required.

The Tor Browser successfully connects to the Tor network and opens websites.

The tor service successfully establishes a connection to the Tor network.


Script to connect and disconnect from OpenVPN depending on server availability

Task:

Branch subnets are connected via OpenVPN. All clients connect to the server and routes to the Internet are set through the OpenVPN server. Everything works, but there is a problem. If the OpenVPN server for some reason loses Internet connection, then all other branches also lose Internet access, because the traffic does not go through its gateway, but through the OpenVPN server. Is there any way to write a script to:

1. If there was no connection to the OpenVPN server, the routes were restored and worked through their own gateway.

2. Once every 2-3 minutes the client would try to connect to the OpenVPN server.

3. When the connection is restored, the routes would be registered again through the OpenVPN server.

Solution:

In theory, it is quite possible to write a script in Bash (for Linux) or PowerShell (for Windows) that pings the OpenVPN server. If the server is online, the script connects to it, or does nothing if the connection is already established. If the OpenVPN server is offline, the script disconnects from it, or does nothing if there is no connection. On Linux, such a script can be added to startup and then run regularly using Systemd timers or Cron. On Windows, the same can be done with the Windows Task Scheduler.

But, IMHO, this is a radically wrong approach. You should strive to keep the OpenVPN server always online. After all, if users connect to it, they need it for their work, right? And if so, then when users disconnect from OpenVPN, connections to local resources will fail.

Nevertheless, here are examples of scripts.

For Windows, the script is written in PowerShell. Create the vpn.ps1 file and copy the following into it (replace the IP address of the OpenVPN server and the path to the configuration file with yours):

# OpenVPN server IP address
$openvpnIP='185.117.153.79'
# path to the configuration file for connecting the client to the OpenVPN server
$openvpnFILE='C:\Users\MiAl\client1.ovpn'

if (Test-Connection -TargetName $openvpnIP -IPv4 -Count 1 -Quiet -TimeoutSeconds 1)
{
	'OpenVPN server is up'
	if (Get-Process | Where-Object { $_.Name -eq "openvpn" })
	{
		'OpenVPN connection is active.  Nothing to do'
	}
	else
	{
		Write-Warning 'No OpenVPN connections, trying to connect...'
		& "C:\Program Files\OpenVPN\bin\openvpn.exe" --config $openvpnFILE &
	}
}
else
{
	Write-Warning 'OpenVPN server is down'
	if (Get-Process | Where-Object { $_.Name -eq "openvpn" })
	{
		'OpenVPN connection is active, let us kill it'
		Get-Process | Where-Object { $_.Name -eq "openvpn" } | Select-Object -First 1 | Stop-Process
	}
	else
	{
		Write-Warning 'No OpenVPN connections. Nothing to do'
	}
}

Check like this:

.\vpn.ps1

The OpenVPN server is online, so the script connects to it and does nothing on subsequent checks. Checking the client's IP shows that Internet access is really through OpenVPN:

OpenVPN is offline, so the script disconnects from it. On subsequent checks, the script does nothing until the OpenVPN server is available. When OpenVPN is online again, a connection is made to it.

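Use Windows Task Scheduler to run your script like this (the script uses PowerShell 7 syntax, so it is started with pwsh, and -WindowStyle must come before -File because everything after the file name is passed to the script as arguments):

pwsh -WindowStyle Hidden -File vpn.ps1

Also configure the task to run under a specific user account whether or not that user is logged on. Otherwise you'll see a console window.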

Sample script for Linux – create a vpn.sh file and copy into it:

#!/bin/bash

# OpenVPN server IP address
openvpnIP='185.117.153.79'
# path to the configuration file for connecting the client to the OpenVPN server
openvpnFILE='/home/mial/bin/OpenVPNassistent-конфигурации/configs/client1.ovpn'

# PIDs of running openvpn processes (empty if there are none);
# -x matches the exact process name only
isOpenVPNActive=$(pgrep -x openvpn)

# the server counts as online if one ping is answered within a second
if timeout 1 ping -c 1 "$openvpnIP" > /dev/null; then
	echo 'OpenVPN server is up'
	if [ -z "$isOpenVPNActive" ]; then
		echo 'No OpenVPN connections, trying to connect.'
		sudo openvpn "$openvpnFILE" &
	else
		echo 'OpenVPN connection is active. Nothing to do'
	fi
else
	echo 'OpenVPN server is down'
	if [ -z "$isOpenVPNActive" ]; then
		echo 'No OpenVPN connections. Nothing to do.'
	else
		echo 'OpenVPN connection is active, let us kill it.'
		# unquoted on purpose: pgrep may return several PIDs
		kill $isOpenVPNActive
	fi
fi

Run like this:

sudo bash vpn.sh

The OpenVPN server is online, so the script connects to it and does nothing on subsequent checks. Checking the client's IP shows that Internet access is really through OpenVPN. OpenVPN is offline, so the script disconnects from it. On subsequent checks, the script does nothing until the OpenVPN server is available. When OpenVPN is online again, a connection is made to it.

To run regularly, use systemd's .timer or cron.


Where NetworkManager stores settings (SOLVED)

NetworkManager Configuration Files

NetworkManager supports various plug-ins that can define new locations for storing configuration information.

The main configuration file for NetworkManager, which is usually changed, is /etc/NetworkManager/NetworkManager.conf. You can view its contents with the following command:

cat /etc/NetworkManager/NetworkManager.conf

In addition to this file, NetworkManager settings can be saved in the /etc/NetworkManager/conf.d and /usr/lib/NetworkManager/conf.d directories.

For a list of all NetworkManager settings, taking into account all configuration files, run the command:

NetworkManager --print-config

Where NetworkManager stores network connection settings

NetworkManager stores the settings for each connection in separate text files with the .nmconnection extension. A typical storage location for these files is /etc/NetworkManager/system-connections. In addition to it, files with connections can be located in other places defined by NetworkManager plugins, for example, settings for network connections via Bluetooth can be stored in the /var/run/NetworkManager/system-connections folder. The NetworkManager configuration file is /etc/NetworkManager/NetworkManager.conf. Besides these main locations, there may be other paths that are specific to Linux distributions.

To list all network connections and the location of their configuration files, run the command:

nmcli -f NAME,DEVICE,FILENAME connection show

All NetworkManager configuration files

So, the configuration files for NetworkManager are as follows:

  • /etc/NetworkManager/NetworkManager.conf – main configuration file
  • /etc/NetworkManager/conf.d – directory with configuration files
  • /usr/lib/NetworkManager/conf.d – system directory with configuration files (for example, file /usr/lib/NetworkManager/conf.d/20-connectivity.conf)
  • /var/lib/NetworkManager/NetworkManager-intern.conf – internal configuration file. This file is written and read by NetworkManager, and its configuration values are merged with the configuration from NetworkManager.conf. Changes made to this file will be overwritten
  • /var/lib/NetworkManager/NetworkManager.state – file with a set of states
  • /etc/NetworkManager/system-connections/ – directory where wired and wireless connections are stored
  • /var/run/NetworkManager/system-connections/ – directory with some types of connections, for example, Internet via Bluetooth modem
  • /var/lib/NetworkManager/
  • /etc/NetworkManager/dispatcher.d/
  • /etc/NetworkManager/dnsmasq.d/
  • /etc/NetworkManager/dnsmasq-shared.d/

See also: How to remove Mobile broadband and Bluetooth connection in NetworkManager

How to manage VPN Settings in GNOME 3

A popular example of a Linux distribution using GNOME 3 is Ubuntu.

Install NetworkManager VPN plugin for OpenVPN

In order for you to have the menu item shown in this manual in NetworkManager, you must have the NetworkManager VPN plugin for OpenVPN installed.

Some distributions have it installed by default. If you don't have it, run one of the following commands to install it.

  • Installation on Debian and derivative distributions (Linux Mint, Ubuntu, Kali Linux and others):
sudo apt install network-manager-openvpn-gnome
  • Installation on Arch Linux and derivative distributions (Manjaro, BlackArch and others):
sudo pacman -S networkmanager-openvpn

In order for the changes to take effect (for NetworkManager to start using the installed plugin), restart the NetworkManager service with the following command:

sudo systemctl restart NetworkManager

How to add OpenVPN connection settings to GNOME 3

To add an OpenVPN connection, click on the network connection icon and expand the connections section.

Select “Wired Settings”:

You will find yourself in the OS settings. On the “Network” tab, you can add a new VPN connection or manage existing ones. Click the plus sign (+) to add a new one.

You can enter the data manually, or import the OpenVPN connection settings from the .ovpn file.

With manual configuration, you do not need to change anything in the “IPv4” and “IPv6” tabs. Some of the settings are located on the “Identity” tab; to access other settings, click the “Advanced” button:

How to connect to OpenVPN on GNOME 3

You can enable OpenVPN connection by clicking on the network connections button, then selecting the desired VPN connection.

You can also go to Network Settings and enable the selected OpenVPN connection there.

How to change OpenVPN connection settings in GNOME 3

To edit VPN connections, click on the network connections button, then expand the VPN list and select “VPN Settings”.

Select the connection you want to change and press the gear.

How to remove OpenVPN connection in GNOME 3

To remove an OpenVPN connection, go to its settings, as shown just above, and click the “Remove VPN” button.

How to manage VPN Settings in Xfce

Popular distributions with Xfce include Kali Linux and Xubuntu.

In Xfce, networks are managed in the “Network Connections” window.

Install NetworkManager VPN plugin for OpenVPN

In order for you to have the menu item shown in this manual in NetworkManager, you must have the NetworkManager VPN plugin for OpenVPN installed.

Some distributions have it installed by default. If you don't have it, run one of the following commands to install it.

  • Installation on Debian and derivative distributions (Linux Mint, Ubuntu, Kali Linux and others):
sudo apt install network-manager-openvpn-gnome
  • Installation on Arch Linux and derivative distributions (Manjaro, BlackArch and others):
sudo pacman -S networkmanager-openvpn

In order for the changes to take effect (for NetworkManager to start using the installed plugin), restart the NetworkManager service with the following command:

sudo systemctl restart NetworkManager

How to add OpenVPN connection settings to Xfce

There are two ways to add a new OpenVPN connection:

1) Right-click on the network connection icon and select “Edit Connections”:

In the Network Connections, click the plus sign (+).

2) Or left-click on the network connection icon and select “VPN Connections”→ “Add a VPN Connection”.

Select your preferred VPN connection type.

To import a VPN connection from a file, select “Import a saved VPN configuration”.

Click the “Create” button and specify the settings file.

With manual configuration, you do not need to change anything on the “General”, “Proxy”, “IPv4 Settings”, and “IPv6 Settings” tabs. Some of the settings are located on the “VPN” tab; to access other settings, click the “Advanced” button.

How to connect to OpenVPN in Xfce

To connect to OpenVPN, left-click on the network connection icon and select “VPN Connections” and then select the desired connection.

If the connection is successful, a check mark will appear next to the VPN connection name.

How to change or remove OpenVPN connection settings in Xfce

To add, change and remove VPN connections, go to Network Connections: right-click on the network connection icon and select “Edit Connections”.

How to manage VPN Settings in Cinnamon

The Cinnamon desktop environment is primarily characteristic of Linux Mint.

Install NetworkManager VPN plugin for OpenVPN

In order for you to have the menu item shown in this manual in NetworkManager, you must have the NetworkManager VPN plugin for OpenVPN installed.

Some distributions have it installed by default. If you don't have it, run one of the following commands to install it.

  • Installation on Debian and derivative distributions (Linux Mint, Ubuntu, Kali Linux and others):
sudo apt install network-manager-openvpn-gnome
  • Installation on Arch Linux and derivative distributions (Manjaro, BlackArch and others):
sudo pacman -S networkmanager-openvpn

In order for the changes to take effect (for NetworkManager to start using the installed plugin), restart the NetworkManager service with the following command:

sudo systemctl restart NetworkManager

Network Connections and Network Settings in Cinnamon

When you click on the network connection icon (its appearance depends on whether you are using a wired or wireless connection), two options will be available to manage networks:

  • Network Settings – featured by Cinnamon (therefore, it is present only in this desktop environment)
  • Network Connections – featured by NetworkManager (hence, it is present in any distribution with NetworkManager)

In general, these settings allow you to do the same things: add, edit and remove network connections.

Network Settings contains a list of Wi-Fi networks available for connection, as well as a list of OpenVPN settings, proxies, wired connections. In Network Settings, you can activate a particular network connection.

Network Connections does not show Wi-Fi networks available for connection, but it stores the settings of the networks to which the computer has ever connected.

Managing OpenVPN Connections in Network Settings

To remove an OpenVPN connection, select it and click the minus sign (-).

The connection will be dropped without confirmation.

Click the plus sign (+) to add an OpenVPN connection.

You will be presented with 2 options:

  • OpenVPN (compatible with the OpenVPN server) – you will need to enter the settings manually and specify the certificate files
  • Import from file – import settings from an .ovpn file

With manual configuration, you don't need to change anything in the “IPv4” and “IPv6” tabs. Some of the settings are located on the “Identity” tab; to access other settings, click the “Advanced” button:

To edit an OpenVPN connection, select it and click the gear icon.

Some of the settings are located on the “Identity” tab.

To access other settings, click the “Advanced” button.

Managing OpenVPN Connections in Network Connections

To remove an OpenVPN connection, select it and click the minus sign (-).

Click the plus sign (+) to add an OpenVPN connection.

In the drop-down list, you will have many options available, 2 of them are related to OpenVPN:

  • OpenVPN – you will need to enter the settings manually and specify the certificate files
  • Import a saved VPN configuration

With manual configuration, you do not need to change anything on the “General”, “Proxy”, “IPv4 Settings”, and “IPv6 Settings” tabs. Some of the settings are located on the “VPN” tab; to access other settings, click the “Advanced” button.

To edit an OpenVPN connection, select it and click the gear icon.

Connecting to OpenVPN server

You can add multiple OpenVPN connections and enable any of them depending on your needs. You can enable them as in the main NetworkManager panel – click on the selected connection:

You can also enable VPN connections in Network Settings. To do this, select the desired VPN connection and click the switch:

Simultaneous use of multiple OpenVPNs on one server

You can simultaneously use several OpenVPN processes on the same server, while they will work on different ports and provide separate virtual private networks that do not overlap with each other.

Multiple instances of OpenVPN are provided out of the box, but additional configuration is required.

1. OpenVPN services must use different ports

Each OpenVPN service must use its own free port. Remember that UDP and TCP ports with the same number are different ports, that is, you can use the same port number in two instances of OpenVPN, provided that one of them is a UDP port and the other is a TCP port.

If two OpenVPN services use the same port, then the OpenVPN instance that is started first will work without error, and the second instance will not start due to the error “TCP/UDP: Socket bind failed on local address [AF_INET][undef]:…: Address already in use (errno=98)”, for example:

2021-11-02 09:26:50 us=736094 TCP/UDP: Socket bind failed on local address [AF_INET][undef]:53: Address already in use (errno=98)
2021-11-02 09:26:50 us=736216 Exiting due to fatal error

2. Range of addresses of the virtual private network

By default, a range of IP addresses for a virtual private network is specified in the server configuration file, for example:

server 10.8.0.0 255.255.255.0

Additional instances of the OpenVPN service must use different ranges. For example, for the second service, you can specify the following range:

server 10.8.1.0 255.255.255.0

For the third service, you can specify the following range of IP addresses, and so on:

server 10.8.2.0 255.255.255.0
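
A pre-flight check for points 1 and 2, as an added example (not part of the original article): it reads each server config, applies OpenVPN's defaults of port 1194 and proto udp, and reports instances that share a protocol/port pair or whose server ranges overlap. The function names and sample files are constructed for this example; it assumes no local directive and file names without spaces.

```shell
#!/bin/sh
# Added example: detect port/protocol and VPN subnet collisions between
# OpenVPN server configs before starting another instance.

# Print "proto port network netmask" for one config file, applying the
# OpenVPN defaults (port 1194, proto udp) when a directive is absent.
conf_summary() {
	awk '
		$1 == "port"   { port = $2 }
		$1 == "proto"  { proto = $2 }
		$1 == "server" { net = $2; mask = $3 }
		END {
			if (port == "")  port = 1194
			if (proto == "") proto = "udp"
			sub(/-(server|client)$/, "", proto)  # tcp-server -> tcp
			sub(/[46]$/, "", proto)              # udp4/udp6 -> udp (conservative)
			if (net == "") { net = "-"; mask = "-" }
			print proto, port, net, mask
		}' "$1"
}

# Compare every pair of configs, print one line per collision and
# return non-zero if any collision was found.
check_instances() {
	for f in "$@"; do
		echo "$(basename "$f") $(conf_summary "$f")"
	done | awk '
		function ip2int(ip,   o) {
			split(ip, o, ".")
			return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
		}
		{
			name[NR] = $1; ep[NR] = $2 "/" $3; cidr[NR] = $4 " " $5
			hasnet[NR] = ($4 != "-")
			if (hasnet[NR]) {
				size = 4294967296 - ip2int($5)   # addresses covered by the netmask
				lo[NR] = ip2int($4) - ip2int($4) % size
				hi[NR] = lo[NR] + size - 1
			}
		}
		END {
			for (i = 1; i <= NR; i++) for (j = i + 1; j <= NR; j++) {
				if (ep[i] == ep[j]) {
					print "PORT " ep[i] ": " name[i] " and " name[j]; bad = 1
				}
				if (hasnet[i] && hasnet[j] && lo[i] <= hi[j] && lo[j] <= hi[i]) {
					print "SUBNET " cidr[i] " overlaps " cidr[j] ": " name[i] " and " name[j]; bad = 1
				}
			}
			exit bad + 0
		}'
}

# Constructed sample configs (not from the page) for a stand-alone run.
make_samples() {
	printf 'port 1194\nproto udp\nserver 10.8.0.0 255.255.255.0\n' > "$1/server.conf"
	printf 'port 1194\nproto tcp\nserver 10.8.1.0 255.255.255.0\n' > "$1/server-tcp.conf"
	# no port line (defaults to 1194/udp) and a range inside server-tcp.conf
	printf 'proto udp\nserver 10.8.1.128 255.255.255.128\n' > "$1/server-extra.conf"
}

tmp=$(mktemp -d)
make_samples "$tmp"
check_instances "$tmp/server.conf" "$tmp/server-tcp.conf" "$tmp/server-extra.conf" \
	|| echo 'Fix the collisions above before starting the new instance.'
rm -rf "$tmp"
```

On a real server, pass the files from /etc/openvpn/server/ to check_instances instead of the samples.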

3. Traffic routing for all virtual private networks

The section “Enable traffic routing on the OpenVPN server” shows how to enable NAT for VPN traffic so that clients can make connections to the Internet. The example in the above section shows how to configure routing for traffic from the 10.8.0.0/24 subnet. Since additional instances of the OpenVPN service use different subnets (for example, 10.8.1.0/24), in order for the clients of these virtual networks to access the Internet, you must configure routing for each of these networks.

An example of the original contents of the /root/bin/vpn_route.sh file:

#!/bin/sh

# specify the name of the interface, otherwise the script will try to select it automatically
#DEV='eth0'
DEV='ens3'
PRIVATE=10.8.0.0/24
 
if [ -z "$DEV" ]; then
	DEV="$(ip route | grep default | head -n 1 | awk '{print $5}')"
fi
# Enable packet forwarding so that packets from the tunnel interface
# can reach the external interface
sysctl net.ipv4.ip_forward=1
# Make sure iptables does not block forwarded traffic
# (this rule accepts all forwarded packets, not only those from the VPN)
iptables -I FORWARD -j ACCEPT
# Network Address Translation (NAT) for packets coming from the tunnel.
# With forwarding enabled, packets are forwarded with the original
# source address unchanged, that is, in our case 10.8.0.*.
# Such packets are either dropped at the ISP gateway or, even if they
# reach the destination, the reply never finds its way back,
# because these private addresses are not routed on the Internet.
#
# The solution is Network Address Translation (NAT) of outgoing traffic,
# i.e. replacing the private 10.8.0.* address with the public IP address of the VPN server.
# This allows replies to reach the VPN server,
# where they are sent back into the tunnel.
iptables -t nat -I POSTROUTING -s "$PRIVATE" -o "$DEV" -j MASQUERADE

The file /root/bin/vpn_route.sh with NAT added for subnets 10.8.1.0/24 and 10.8.2.0/24:

#!/bin/sh
 
DEV='ens3'
PRIVATE=10.8.0.0/24
 
if [ -z "$DEV" ]; then
	DEV="$(ip route | grep default | head -n 1 | awk '{print $5}')"
fi

sysctl net.ipv4.ip_forward=1

iptables -I FORWARD -j ACCEPT

iptables -t nat -I POSTROUTING -s $PRIVATE -o $DEV -j MASQUERADE

iptables -t nat -I POSTROUTING -s 10.8.1.0/24 -o $DEV -j MASQUERADE

iptables -t nat -I POSTROUTING -s 10.8.2.0/24 -o $DEV -j MASQUERADE

To check the NAT settings, run the command

iptables -L -t nat
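
A variant of the routing script for several instances, as an added example (not the original vpn_route.sh): it generates the NAT rule for every subnet in a loop, inserts a rule only if it is not already present, and replaces the blanket iptables -I FORWARD -j ACCEPT with rules limited to the VPN subnets. SUBNETS, APPLY and the function names are chosen for this example, and the narrower FORWARD rules only matter if the FORWARD chain otherwise drops traffic (for example, policy DROP).

```shell
#!/bin/sh
# Added example (not the page's vpn_route.sh): NAT for several OpenVPN subnets
# in one loop, with FORWARD limited to those subnets instead of a blanket ACCEPT.
# SUBNETS and APPLY are names chosen for this example.

DEV='ens3'                                      # external interface, as in the page's script
SUBNETS='10.8.0.0/24 10.8.1.0/24 10.8.2.0/24'   # one range per OpenVPN instance

# Print the iptables arguments for the given interface and subnets, one rule per line.
vpn_rules() {
	dev=$1; shift
	# replies to connections opened by VPN clients
	echo "-I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
	for net in "$@"; do
		# new connections only from a VPN subnet towards the external interface
		echo "-I FORWARD -s $net -o $dev -j ACCEPT"
		echo "-t nat -I POSTROUTING -s $net -o $dev -j MASQUERADE"
	done
}

# Turn an insert rule into the matching existence check (-C).
to_check() {
	echo "$1" | sed 's/-I /-C /'
}

# Read rules from stdin and insert each one only if it is not already present,
# so re-running the script does not pile up duplicates.
apply_rules() {
	while read -r rule; do
		# word splitting of the rule text is intended here
		iptables $(to_check "$rule") 2>/dev/null || iptables $rule
	done
}

if [ "${APPLY:-0}" = 1 ]; then
	sysctl -w net.ipv4.ip_forward=1
	vpn_rules "$DEV" $SUBNETS | apply_rules
else
	# dry run: show what would be executed
	vpn_rules "$DEV" $SUBNETS | sed 's/^/iptables /'
fi
```

Without APPLY=1 the script only prints the commands; run it as root with APPLY=1 to apply them, then check the result with iptables -L -t nat as above.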

4. Configuring local static addresses

If you used the section “How to make static IPs for OpenVPN clients” and added entries like “ifconfig-push 10.8.0.10 255.255.255.0” to the file “/etc/openvpn/ccd/client1”, then you need to use different client names for the second and subsequent OpenVPN networks as they use different VPN IP ranges.

5. Starting and adding the second and subsequent OpenVPN services to startup

Note that with systemctl you can use a command like

openvpn-server@<configuration>.service

where <configuration> is the name of a configuration file located in the /etc/openvpn/server/ folder, without the .conf extension.

For example, if the configuration file for the second instance of the OpenVPN service is /etc/openvpn/server/server-tcp.conf, then the command for starting the service is as follows:

sudo systemctl start openvpn-server@server-tcp.service

Checking the status of the service with the server-tcp.conf configuration file:

systemctl status openvpn-server@server-tcp.service

View OpenVPN service errors with server-tcp.conf config file:

journalctl -xeu openvpn-server@server-tcp.service

Add service to startup:

sudo systemctl enable openvpn-server@server-tcp.service


Comparison of performance (data transfer rate) of OpenVPN over UDP and TCP

The previous article showed how to use OpenVPN with TCP instead of the default UDP. Using TCP is generally not recommended: because of the overhead of the TCP transport protocol, part of the channel is occupied by the service information needed to control the integrity of transmitted packets, so less payload is transmitted. But how exactly does switching from UDP to TCP affect the performance of the OpenVPN server and the speed of receiving and sending data? This article answers that question.

My internet connection speed without using OpenVPN:

My internet connection speed using OpenVPN over UDP:

My internet connection speed using OpenVPN over TCP:

As you can see, the speed loss when migrating from UDP to TCP is quite significant. The difference in speed between the absence of OpenVPN and OpenVPN over UDP is negligible – in fact, in both cases, the speed is practically limited by the maximum bandwidth of my network.
