TCP Port 443 Transport error TCP_SIZE_ERROR

This isn't exactly a pi-hole issue, and it isn't exactly the proper forum to post in either, but I've already posted this same question in two other forums but got no response there. I'm posting it here because I noticed the really quick response times here...so I hope I'm not breaking any forum rules :pray: :pray:

Okay, here goes:

Server Config
dev tun
proto tcp
port 443
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh4096.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
status-version 3
log /var/log/openvpn.log
verb 4
Client Config
client
dev tun
proto tcp
remote no-ip domain name 443
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server name
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 1
<ca>
--STRIPPED INLINE CA CERT--
</ca>
<cert>
--STRIPPED INLINE CERT--
</cert>
<key>
--STRIPPED INLINE KEY--
</key>
<tls-auth>
</tls-auth>
cat of openvpn log
pi@raspberrypi:~ $ cat /var/log/openvpn.log
Wed May 17 16:58:30 2017 us=775313 MULTI: multi_create_instance called
Wed May 17 16:58:30 2017 us=775638 Re-using SSL/TLS context
Wed May 17 16:58:30 2017 us=775716 LZO compression initialized
Wed May 17 16:58:30 2017 us=776103 Control Channel MTU parms [ L:1572 D:180 EF:80 EB:0 ET:0 EL:0 ]
Wed May 17 16:58:30 2017 us=776209 Data Channel MTU parms [ L:1572 D:1450 EF:72 EB:135 ET:0 EL:0 AF:3/1 ]
Wed May 17 16:58:30 2017 us=776397 Local Options String: 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Wed May 17 16:58:30 2017 us=776456 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Wed May 17 16:58:30 2017 us=776569 Local Options hash (VER=V4): '165db97f'
Wed May 17 16:58:30 2017 us=776668 Expected Remote Options hash (VER=V4): '504bba81'
Wed May 17 16:58:30 2017 us=776969 TCP connection established with [AF_INET]192.168.1.152:38901
Wed May 17 16:58:30 2017 us=777038 TCPv4_SERVER link local: [undef]
Wed May 17 16:58:30 2017 us=777107 TCPv4_SERVER link remote: [AF_INET]192.168.1.152:38901
Wed May 17 16:58:30 2017 us=777418 192.168.1.152:38901 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Wed May 17 16:58:30 2017 us=777482 192.168.1.152:38901 Connection reset, restarting [0]
Wed May 17 16:58:30 2017 us=777542 192.168.1.152:38901 SIGUSR1[soft,connection-reset] received, client-instance restarting
Wed May 17 16:58:30 2017 us=777725 TCP/UDP: Closing socket
Wed May 17 16:58:30 2017 us=785237 MULTI: multi_create_instance called
Wed May 17 16:58:30 2017 us=785448 Re-using SSL/TLS context
Wed May 17 16:58:30 2017 us=785520 LZO compression initialized
Wed May 17 16:58:30 2017 us=785869 Control Channel MTU parms [ L:1572 D:180 EF:80 EB:0 ET:0 EL:0 ]
Wed May 17 16:58:30 2017 us=785973 Data Channel MTU parms [ L:1572 D:1450 EF:72 EB:135 ET:0 EL:0 AF:3/1 ]
Wed May 17 16:58:30 2017 us=786155 Local Options String: 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Wed May 17 16:58:30 2017 us=786214 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Wed May 17 16:58:30 2017 us=786323 Local Options hash (VER=V4): '165db97f'
Wed May 17 16:58:30 2017 us=786423 Expected Remote Options hash (VER=V4): '504bba81'
Wed May 17 16:58:30 2017 us=786539 TCP connection established with [AF_INET]192.168.1.152:38902
Wed May 17 16:58:30 2017 us=786604 TCPv4_SERVER link local: [undef]
Wed May 17 16:58:30 2017 us=786672 TCPv4_SERVER link remote: [AF_INET]192.168.1.152:38902
Wed May 17 16:58:30 2017 us=787319 192.168.1.152:38902 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Wed May 17 16:58:30 2017 us=787441 192.168.1.152:38902 Connection reset, restarting [0]
Wed May 17 16:58:30 2017 us=787502 192.168.1.152:38902 SIGUSR1[soft,connection-reset] received, client-instance restarting
Wed May 17 16:58:30 2017 us=787687 TCP/UDP: Closing socket
Wed May 17 16:58:30 2017 us=797339 MULTI: multi_create_instance called
Wed May 17 16:58:30 2017 us=797541 Re-using SSL/TLS context
Wed May 17 16:58:30 2017 us=797613 LZO compression initialized
Wed May 17 16:58:30 2017 us=797963 Control Channel MTU parms [ L:1572 D:180 EF:80 EB:0 ET:0 EL:0 ]
Wed May 17 16:58:30 2017 us=798084 Data Channel MTU parms [ L:1572 D:1450 EF:72 EB:135 ET:0 EL:0 AF:3/1 ]
Wed May 17 16:58:30 2017 us=798286 Local Options String: 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Wed May 17 16:58:30 2017 us=798346 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Wed May 17 16:58:30 2017 us=798457 Local Options hash (VER=V4): '165db97f'
Wed May 17 16:58:30 2017 us=798557 Expected Remote Options hash (VER=V4): '504bba81'
Wed May 17 16:58:30 2017 us=798675 TCP connection established with [AF_INET]192.168.1.152:38903
Wed May 17 16:58:30 2017 us=798738 TCPv4_SERVER link local: [undef]
Wed May 17 16:58:30 2017 us=798805 TCPv4_SERVER link remote: [AF_INET]192.168.1.152:38903
Wed May 17 16:58:30 2017 us=799496 192.168.1.152:38903 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Wed May 17 16:58:30 2017 us=799564 192.168.1.152:38903 Connection reset, restarting [0]
Wed May 17 16:58:30 2017 us=799623 192.168.1.152:38903 SIGUSR1[soft,connection-reset] received, client-instance restarting
Wed May 17 16:58:30 2017 us=799803 TCP/UDP: Closing socket

I installed openvpn using the pivpn automated installer.

On connect from my android using openvpn connect I get the error :

Unknown OpenVPN event occurred: Transport error on 'no-ip domain name here': TCP_SIZE_ERROR

Looking at the server logs, I think this might be the problem:

Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers

The connection then resets and closes...

It is a fresh install of openvpn, using tcp port 443. Nothing has changed since installation.

How do I fix this?
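The server log above is worth decoding before touching MTU settings. OpenVPN over TCP prefixes every packet with a two-byte big-endian length, and the rejected value 5635 is 0x1603, which is exactly how a TLS record starts (content type 0x16 = handshake, version major byte 0x03). In other words, whatever reached the OpenVPN listener on port 443 sent it a plain TLS ClientHello, not an OpenVPN packet. The script below is an added example, not code from the thread, from OpenVPN or from PiVPN: it parses the first bytes a peer sends to an OpenVPN TCP port and tells a genuine OpenVPN hard-reset apart from TLS or HTTP traffic landing on the same port. The sample byte strings are constructed; the opcode table and length framing are the OpenVPN wire protocol, and the 1572 link-mtu limit is the value from the posted log.

```python
"""
Classify the first bytes a peer sends to an OpenVPN-over-TCP port.

OpenVPN on TCP prefixes every packet with a 2-byte big-endian length (the
"encapsulated packet length" in the server warning) and rejects lengths of 0
or above --link-mtu. A TLS record instead begins with a 1-byte content type,
a 2-byte version and a 2-byte length, so an HTTPS client that talks to an
OpenVPN port makes the server read 0x16 0x03 as the length 0x1603 = 5635.
"""
import struct

LINK_MTU = 1572  # link-mtu shown in the posted log (tun-mtu 1500 plus overhead)

# OpenVPN opcodes: high 5 bits of the first byte after the length prefix,
# low 3 bits are the key id.
OPENVPN_OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1",
    4: "P_CONTROL_V1",
    5: "P_ACK_V1",
    6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2",
}

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def openvpn_tcp_frame(payload: bytes) -> bytes:
    """Wrap an OpenVPN packet in the TCP length prefix, as a real client does."""
    return struct.pack("!H", len(payload)) + payload


def classify_peer_bytes(data: bytes, link_mtu: int = LINK_MTU) -> dict:
    """Return what an OpenVPN server would make of the first bytes on a TCP link."""
    if len(data) < 3:
        return {"kind": "short", "length": len(data)}
    (length,) = struct.unpack("!H", data[:2])
    result = {"length": length}
    if 0 < length <= link_mtu:
        first = data[2]
        opcode, key_id = first >> 3, first & 0x07
        result.update(kind="openvpn", key_id=key_id,
                      opcode=OPENVPN_OPCODES.get(opcode, f"unknown({opcode})"))
        return result
    # Here OpenVPN logs "Bad encapsulated packet length from peer (<length>)".
    # Before blaming an MTU mismatch or an active attack, check whether the
    # bytes are simply another protocol that arrived on the same port.
    ctype, major, minor = data[0], data[1], data[2]
    if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4:
        result.update(kind="tls", record=TLS_CONTENT_TYPES[ctype],
                      version=f"{major}.{minor}")
        return result
    if data[:4] in (b"GET ", b"POST", b"HEAD", b"PUT ") or data.startswith(b"CONNECT"):
        result.update(kind="http")
        return result
    result.update(kind="unknown")
    return result


def explain(data: bytes, link_mtu: int = LINK_MTU) -> str:
    """Human-readable verdict, phrased the way the server warning should be read."""
    info = classify_peer_bytes(data, link_mtu)
    if info["kind"] == "openvpn":
        return f"OpenVPN packet: {info['opcode']} key_id={info['key_id']} length={info['length']}"
    if info["kind"] == "tls":
        return (f"bad length {info['length']} (0x{info['length']:04x}) > {link_mtu}: peer sent a TLS "
                f"{info['record']} record (version {info['version']}); TLS/HTTPS traffic is "
                "reaching the OpenVPN port, so check for another service on the port or a "
                "misdirected forward rather than tun-mtu")
    if info["kind"] == "http":
        return f"bad length {info['length']}: peer sent plaintext HTTP to the OpenVPN port"
    return f"bad length {info['length']}: unrecognised protocol, investigate the peer"


# Constructed samples (not captured traffic): the start of a TLS 1.0-framed
# ClientHello, and a tls-auth style P_CONTROL_HARD_RESET_CLIENT_V2 with key id 0.
CLIENT_HELLO_START = bytes.fromhex("16030100c8010000c40303")
HARD_RESET = openvpn_tcp_frame(bytes([7 << 3]) + b"\x11" * 8 + b"\x00" * 41)

if __name__ == "__main__":
    print(explain(CLIENT_HELLO_START))
    print(explain(HARD_RESET))
```

Run it and the first line reproduces the 5635 from the log and attributes it to a TLS handshake record; the warning's "possible active attack" clause is OpenVPN being cautious about the TCP stream, and this check lets you rule out the far more common cause, another TLS speaker on the same port, before changing MTU or assuming tampering.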

You're going to run into issues running OpenVPN via TCP 443 because of how pihole works. The only way to fix this (I believe) is to change the port.

Could you explain a little more of how pihole is causing a problem? I'm curious...

I'll try changing the port

The devs can give a better explanation, but Pihole uses that port to handle HTTPS requests. Pihole and OpenVPN don't work well together on 443.

For diagnosing, try lowering the MTU size (packet length) to something lower than the default 1500 in the server config:

tun-mtu 1300

https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

And I think that's it: I changed the port to 4096, set up the port forward on the router end, and now it works...

So, the only way to get it to work is to have a second computer running openVPN? And this second computer running the vpn can't have pihole on it too because both using port 443 causes issues?

So yeah, I think that's it..

An alternative fix would be to do this. Have one device running openVPN, then have another one running Pihole. Connect them together via configuration and you shouldn't have any issues.

That's exactly what I mentioned. If I ever give that a try in the future, say, I got a second raspberry pi to run the openVPN on, could you tell me the configuration needed to make it work properly?

Edit this line in the openVPN configuration file to the IP of your second pi:

push "dhcp-option DNS <ip here>"


Yeah, thanks for the useful tidbit. :+1: