OpenVPN on port TCP 80 failed

SierraMike

Hi,

I kindly ask for your help. Asus RT-AC68U after updating to latest Merlin firmware (380.68_4) my OpenVPN server stopped working with port 80 TCP. I never touched the settings. VPN server does not start properly, yellow message appears saying: "OpenVPN server daemon failed to start. Please check your device environment or contents on the Advanced Setting page"

I tried reverting to older firmware, changed settings... but I cannot get it running. Switching to UDP solves the issue. But my workplace's networking rules only allow TCP 80 for VPN.
 
Oct 31 21:00:31 rc_service: httpd 477:notify_rc restart_chpass;restart_vpnserver1
Oct 31 21:00:34 kernel: ADDRCONF(NETDEV_UP): tun21: link is not ready
Oct 31 21:00:34 kernel: device tun21 entered promiscuous mode
Oct 31 21:00:35 openvpn[13248]: OpenVPN 2.4.3 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 16 2017
Oct 31 21:00:35 openvpn[13248]: library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
Oct 31 21:00:35 openvpn[13249]: Diffie-Hellman initialized with 2048 bit key
Oct 31 21:00:35 kernel: ADDRCONF(NETDEV_CHANGE): tun21: link becomes ready
Oct 31 21:00:35 openvpn[13249]: TUN/TAP device tun21 opened
Oct 31 21:00:35 openvpn[13249]: TUN/TAP TX queue length set to 100
Oct 31 21:00:35 openvpn[13249]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Oct 31 21:00:35 openvpn[13249]: /usr/sbin/ip link set dev tun21 up mtu 1500
Oct 31 21:00:35 openvpn[13249]: /usr/sbin/ip addr add dev tun21 10.8.0.1/24 broadcast 10.8.0.255
Oct 31 21:00:35 openvpn[13249]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Oct 31 21:00:35 openvpn[13249]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Oct 31 21:00:35 openvpn[13249]: setsockopt(IPV6_V6ONLY=0)
Oct 31 21:00:35 openvpn[13249]: TCP/UDP: Socket bind failed on local address [AF_INET6][undef]:80: Address already in use
Oct 31 21:00:35 openvpn[13249]: Exiting due to fatal error
Oct 31 21:00:35 openvpn[13249]: Closing TUN/TAP interface
Oct 31 21:00:35 openvpn[13249]: /usr/sbin/ip addr del dev tun21 10.8.0.1/24
 
My problem is that I do not understand VPN in depth. I bought this router not too long ago, primary reason was to use it for VPN. It was so easy to setup with Merlin firmware and I have been so happily using it for weeks without problems. But recent firmware updates probably mixed things up.
 
Oct 31 21:00:35 openvpn[13249]: TCP/UDP: Socket bind failed on local address [AF_INET6][undef]:80: Address already in use
Oct 31 21:00:35 openvpn[13249]: Exiting due to fatal error
It looks like there is already something using port 80. Have you enabled HTTP access to the router from the WAN (which is a very bad idea)? Check the setting at Administration > System > Web Access
 
It is enabled for sure, as I was testing from my workplace. This way I could manipulate configuration from there.

Let me try disabling it.
 
Actually the option you have pointed at is disabled. However I have 8080 forwarded to 80, so I could remotely manipulate settings.

I try disabling it.
 
This is how it looks when I try starting the VPN server:

Do you think some kind of a reset would help?


Oct 31 23:22:48 rc_service: httpd 476:notify_rc restart_chpass;restart_vpnserver1
Oct 31 23:22:51 kernel: ADDRCONF(NETDEV_UP): tun21: link is not ready
Oct 31 23:22:51 kernel: device tun21 entered promiscuous mode
Oct 31 23:22:52 openvpn[3951]: OpenVPN 2.4.3 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 4 2017
Oct 31 23:22:52 openvpn[3951]: library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
Oct 31 23:22:52 openvpn[3952]: Diffie-Hellman initialized with 2048 bit key
Oct 31 23:22:52 openvpn[3952]: TUN/TAP device tun21 opened
Oct 31 23:22:52 openvpn[3952]: TUN/TAP TX queue length set to 100
Oct 31 23:22:52 openvpn[3952]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Oct 31 23:22:52 openvpn[3952]: /usr/sbin/ip link set dev tun21 up mtu 1500
Oct 31 23:22:52 kernel: ADDRCONF(NETDEV_CHANGE): tun21: link becomes ready
Oct 31 23:22:52 openvpn[3952]: /usr/sbin/ip addr add dev tun21 10.8.0.1/24 broadcast 10.8.0.255
Oct 31 23:22:52 openvpn[3952]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Oct 31 23:22:52 openvpn[3952]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Oct 31 23:22:52 openvpn[3952]: setsockopt(IPV6_V6ONLY=0)
Oct 31 23:22:52 openvpn[3952]: TCP/UDP: Socket bind failed on local address [AF_INET6][undef]:80: Address already in use
Oct 31 23:22:52 openvpn[3952]: Exiting due to fatal error
Oct 31 23:22:52 openvpn[3952]: Closing TUN/TAP interface
Oct 31 23:22:52 openvpn[3952]: /usr/sbin/ip addr del dev tun21 10.8.0.1/24
 
Ok I've managed to recreate the problem.

It appears to be a conflict with the router's web interface that is running on port 80 (on the LAN side). If you change this port to something else (like 81) the VPN server can bind to port 80 and will start.

That's the good news. The bad news is I don't understand why/how this is happening. :confused: It might possibly be a bug.

If I do a netstat after successfully starting the VPN server the only entry I see listening on port 80 is this:

tcp 0 0 :::80 :::* LISTEN

Now as far as I know that's an IPv6 socket but it seems to be behaving as though it's IPv6 and IPv4. I'll have to go and read the documentation to understand this.

In the meantime a work around would be to use a port other than 80 to access the router's web interface from the LAN.
 
UPDATE:

I've not found an answer yet. Even forcing the VPN server to use IPv4 only (proto tcp4-server) doesn't help. The problem is that the server is trying to bind to all of the interfaces rather than just the WAN interface. Perhaps this is a change of behaviour. Maybe @RMerlin or @john9527 would know the answer to that.

You said this used to work? When was that? There were some significant changes in OpenVPN 2.4.0 and that came in with Merlin version 380.65.
 
Hi,

I kindly ask for your help. Asus RT-AC68U after updating to latest Merlin firmware (380.68_4) my OpenVPN server stopped working with port 80 TCP. I never touched the settings. VPN server does not start properly, yellow message appears saying: "OpenVPN server daemon failed to start. Please check your device environment or contents on the Advanced Setting page"

I tried reverting to older firmware, changed settings... but I cannot get it running. Switching to UDP solves the issue. But my workplace's networking rules only allow TCP 80 for VPN.

Somebody at the office updated firewall rules, as 80/UDP is typically not normal traffic - and I would suspect that 443/UDP would be as well.

Bigger question - why are you doing VPN from the Office to Home?

Could be a very interesting discussion between IT Management and HR during your exit interview...
 
@sfx2000 You make some very valid points regarding HR, etc. But that aside, the OP's issue is that his OpenVPN server is not starting as shown in his syslog. The reason for that is in posts #9 and #10.
 
Thanks guys for your comments. I checked it. Setting webgui access to different port resolves the problem. VPN is up and running on TCP port 80. Thank you so much for your contribution!

(VPN is supported by the IT at the workplace. Primarily I use it to access "smart home" functions to easily access from anywhere.)
 
Hi again. After firmware update, my system faces the same problem again. OpenVPN server is not starting up. Webgui is still on port 8443 in order not to conflict with VPN. Still, something is in conflict with TCP 80.

Following previous discussions in here (in October/November) my setup was working perfectly until recent firmware update.

Anybody please again who could help?
 
Are you still seeing this message:

TCP/UDP: Socket bind failed on local address [AF_INET6][undef]:80: Address already in use

There was a similar discussion here. From that thread you could try adding the following line to VPN server's custom configuration, where a.b.c.d is the IP address of your WAN interface:

local a.b.c.d

If you have setup DDNS for your router you could use that name instead of an IP address:

local my.ddnsaddress.com
 
ColinTaylor, thanks for the suggestion. Adding
local my.ddnsaddress.com to the custom configuration solved the issue.
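
The bind conflict diagnosed in this thread and the effect of the `local` directive, as an added example that is not code from any poster or from the firmware. It assumes Linux; the loopback addresses 127.0.0.1 and 127.0.0.2 stand in for the LAN and WAN addresses, a kernel-chosen port stands in for 80, and the names `try_bind` and `demo` are hypothetical.

```python
import errno
import socket

def try_bind(family, addr, port, v6only=None):
    """Attempt one TCP bind; return 'ok', 'in use' or 'unavailable'."""
    try:
        s = socket.socket(family, socket.SOCK_STREAM)
    except OSError:
        return "unavailable"          # e.g. no IPv6 support on this host
    try:
        if v6only is not None:
            s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, v6only)
        s.bind((addr, port))
        return "ok"
    except OSError as e:
        return "in use" if e.errno == errno.EADDRINUSE else "unavailable"
    finally:
        s.close()

def demo():
    # Constructed stand-in for the web UI: a listener on one address only.
    httpd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    httpd.bind(("127.0.0.1", 0))      # port 0: kernel picks a free port
    httpd.listen(1)
    port = httpd.getsockname()[1]
    try:
        return {
            # What the failing server did: [::] with IPV6_V6ONLY=0.
            "dual-stack [::]": try_bind(socket.AF_INET6, "::", port, 0),
            # Same socket restricted to IPv6: no overlap with IPv4.
            "v6-only [::]": try_bind(socket.AF_INET6, "::", port, 1),
            # IPv4 wildcard, as with proto tcp4-server and no 'local'.
            "wildcard 0.0.0.0": try_bind(socket.AF_INET, "0.0.0.0", port),
            # Effect of 'local a.b.c.d': one specific, different address.
            "local 127.0.0.2": try_bind(socket.AF_INET, "127.0.0.2", port),
        }
    finally:
        httpd.close()

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

Binding the VPN server to a single address also keeps it from listening on interfaces where it is not needed, so the `local` line narrows exposure as well as resolving the conflict.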
 