Hi,
I'm trying to establish a VPN connection from "outside" to my sme9. I use the contrib smeserver-openvpn-bridge and I followed the wiki for the configuration.
The client is a Fedora.
As written in the title, when the client is connected to the internal side of the sme, the VPN connection is established immediately, but when I connect the client to the external side (= to the same "box" the sme is connected to) I get no connection.
The address hostname.domain.tld is resolvable and can be pinged from "outside". The "box" is in bridged mode and redirects everything to the sme.
Here is the db of the sme:
# db configuration show openvpn-bridge
openvpn-bridge=service
ConfigRequired=disabled
CrlUrl=http://localhost:940/phpki/index.php?stage=dl_crl_pem
UDPPort=1194
access=public
cipher=AES-256-CFB
clientToClient=disabled
endPool=192.168.2.245
management=localhost:11194:koCBPnQLxNpx9NJNonhUhXNYpE
maxClients=2
redirectGW=PerClient
startPool=192.168.2.240
status=enabled
tapIf=tap0
userAuth=CrtWithPass
# db configuration show bridge
bridge=service
bridgeInterface=br0
ethernetInterface=eth0
status=enabled
tapInterface=tap0
VPN connection is allowed for the user in the server-manager (even if it works without it from the LAN).
On the client I get:
# journalctl -u NetworkManager
juin 15 17:52:29 fedora-compaq.guedel.eu NetworkManager[712]: <info> [1497541949.1945] audit: op="connection-activate" uuid="cc396581-b172-4720-a381-3f2855b352b8" name="guedel_arnaud_local" pid=5969 uid=1000 result="success"
juin 15 17:52:29 fedora-compaq.guedel.eu NetworkManager[712]: <info> [1497541949.2014] vpn-connection[0x55bd530a24e0,cc396581-b172-4720-a381-3f2855b352b8,"guedel_arnaud_local",0]: Started the VPN service, PID 7682
juin 15 17:52:29 fedora-compaq.guedel.eu NetworkManager[712]: <info> [1497541949.2140] vpn-connection[0x55bd530a24e0,cc396581-b172-4720-a381-3f2855b352b8,"guedel_arnaud_local",0]: Saw the service appear; activating connection
juin 15 17:52:45 fedora-compaq.guedel.eu NetworkManager[712]: <info> [1497541965.1733] keyfile: update /etc/NetworkManager/system-connections/guedel_arnaud_local (cc396581-b172-4720-a381-3f2855b352b8,"guedel_arnaud_local")
juin 15 17:52:45 fedora-compaq.guedel.eu NetworkManager[712]: <info> [1497541965.1904] vpn-connection[0x55bd530a24e0,cc396581-b172-4720-a381-3f2855b352b8,"guedel_arnaud_local",0]: VPN plugin: state changed: starting (3)
juin 15 17:52:45 fedora-compaq.guedel.eu NetworkManager[712]: <info> [1497541965.1905] vpn-connection[0x55bd530a24e0,cc396581-b172-4720-a381-3f2855b352b8,"guedel_arnaud_local",0]: VPN connection: (ConnectInteractive) reply received
juin 15 17:52:45 fedora-compaq.guedel.eu nm-openvpn[7697]: OpenVPN 2.4.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 11 2017
juin 15 17:52:45 fedora-compaq.guedel.eu nm-openvpn[7697]: library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.08
juin 15 17:52:45 fedora-compaq.guedel.eu nm-openvpn[7697]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
juin 15 17:52:45 fedora-compaq.guedel.eu nm-openvpn[7697]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
juin 15 17:52:45 fedora-compaq.guedel.eu nm-openvpn[7697]: TCP/UDP: Preserving recently used remote address: [AF_INET]188.118.130.93:1194
juin 15 17:52:45 fedora-compaq.guedel.eu nm-openvpn[7697]: UDP link local: (not bound)
juin 15 17:52:45 fedora-compaq.guedel.eu nm-openvpn[7697]: UDP link remote: [AF_INET]188.118.130.93:1194
juin 15 17:52:45 fedora-compaq.guedel.eu nm-openvpn[7697]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
juin 15 17:53:45 fedora-compaq.guedel.eu nm-openvpn[7697]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
juin 15 17:53:45 fedora-compaq.guedel.eu nm-openvpn[7697]: TLS Error: TLS handshake failed
juin 15 17:53:45 fedora-compaq.guedel.eu nm-openvpn[7697]: SIGUSR1[soft,tls-error] received, process restarting
juin 15 17:53:45 fedora-compaq.guedel.eu nm-openvpn-serv[7682]: Connect timer expired, disconnecting.
juin 15 17:53:45 fedora-compaq.guedel.eu nm-openvpn[7697]: SIGTERM[hard,init_instance] received, process exiting
juin 15 17:53:45 fedora-compaq.guedel.eu NetworkManager[712]: <warn> [1497542025.7686] vpn-connection[0x55bd530a24e0,cc396581-b172-4720-a381-3f2855b352b8,"guedel_arnaud_local",0]: VPN connection: connect timeout exceeded.
juin 15 17:53:45 fedora-compaq.guedel.eu NetworkManager[712]: <warn> [1497542025.7720] vpn-connection[0x55bd530a24e0,cc396581-b172-4720-a381-3f2855b352b8,"guedel_arnaud_local",0]: VPN plugin: failed: connect-failed (1)
juin 15 17:53:45 fedora-compaq.guedel.eu NetworkManager[712]: <info> [1497542025.7729] vpn-connection[0x55bd530a24e0,cc396581-b172-4720-a381-3f2855b352b8,"guedel_arnaud_local",0]: VPN plugin: state changed: stopping (5)
juin 15 17:53:45 fedora-compaq.guedel.eu NetworkManager[712]: <info> [1497542025.7735] vpn-connection[0x55bd530a24e0,cc396581-b172-4720-a381-3f2855b352b8,"guedel_arnaud_local",0]: VPN plugin: state changed: stopped (6)
juin 15 17:53:45 fedora-compaq.guedel.eu NetworkManager[712]: <info> [1497542025.7763] vpn-connection[0x55bd530a24e0,cc396581-b172-4720-a381-3f2855b352b8,"guedel_arnaud_local",0]: VPN service disappeared
juin 15 18:00:14 fedora-compaq.guedel.eu NetworkManager[712]: <info> [1497542414.7628] device (enp3s0): state change: activated -> unavailable (reason 'carrier-changed') [100 20 40]
juin 15 18:00:14 fedora-compaq.guedel.eu NetworkManager[712]: <info> [1497542414.7681] manager: NetworkManager state is now CONNECTED_LOCAL
juin 15 18:00:14 fedora-compaq.guedel.eu NetworkManager[712]: <info> [1497542414.7688] manager: NetworkManager state is now DISCONNECTED
=> At 17:53:45 there is/was a TLS error.
And before that: juin 15 17:52:45 fedora-compaq.guedel.eu nm-openvpn[7697]: UDP link local: (not bound) => is this normal?
I noticed that there are no logs in "openvpn-bridge" for such a failing connection. Connections from "inside" are visible in the logs. So I'm not sure that a connection request is reaching the sme (= the client doesn't try to connect).
My questions are: why do I get this TLS error only when connecting from "outside"? And how do I solve it (of course...)?
Thanks.
Arnaud
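As an added example (not code from the original post, and not part of the smeserver-openvpn-bridge contrib), here is a small triage script for an OpenVPN client log like the one above. The security-relevant distinction it makes: "TLS key negotiation failed to occur within 60 seconds" with no VERIFY or AUTH message before it means the client never received a single datagram back, so the failure is on the path (UDP/1194 not forwarded by the box, a host firewall, or the wrong public address), not in certificates or passwords, which would produce a different message after a reply. The log samples are constructed for the example: the first reuses lines from the post, the other two are invented, and the 192.0.2.10 address is a documentation address, not a real server.

```python
"""Triage an OpenVPN (nm-openvpn / openvpn) client log: did the server answer at all?

Added example for the thread above; it is not part of the original post or of
the smeserver-openvpn-bridge contrib. The sample logs below are constructed.
"""
import re

# journalctl prefix: "<month> <day> <HH:MM:SS> <host> <unit>[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<mon>\S+)\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+"
    r"(?P<unit>[\w.-]+)\[\d+\]:\s*(?P<msg>.*)$"
)
REMOTE_RE = re.compile(r"UDP link remote: \[AF_INET6?\](?P<addr>\S+)")

# First matching line decides the verdict. The generic "TLS handshake failed"
# that follows every failure is deliberately not a signature.
SIGNATURES = [
    ("Initialization Sequence Completed", "connected"),
    ("AUTH_FAILED", "auth-failed"),            # TLS completed, user/password rejected
    ("VERIFY ERROR", "cert-rejected"),         # server replied, certificate chain refused
    ("TLS key negotiation failed to occur within", "no-reply"),  # nothing came back
]

NEXT_CHECKS = {
    "no-reply": "no datagram came back: on the server run "
                "'tcpdump -ni <external-if> udp port 1194' while the client connects; "
                "no packets means the box in front is not forwarding UDP/1194, "
                "packets but no reply means the host firewall or listen address is wrong",
    "cert-rejected": "packets reach the server; check the client CA/cert and the CRL",
    "auth-failed": "TLS works; check the username/password and the server-manager VPN flag",
    "connected": "tunnel is up; if traffic still fails look at routes and the bridge",
    "unknown": "no known signature found; read the full client and server logs",
}


def parse_log(text):
    """Return (time, unit, message) for every journalctl-style line we can parse."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("time"), m.group("unit"), m.group("msg")))
    return entries


def _seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def triage(text):
    """Classify one OpenVPN client attempt and say where to look next."""
    remote, t_start, verdict, t_end = None, None, "unknown", None
    for t, unit, msg in parse_log(text):
        if not (unit.startswith("nm-openvpn") or unit == "openvpn"):
            continue
        rm = REMOTE_RE.search(msg)
        if rm:
            remote, t_start = rm.group("addr"), t
        if verdict == "unknown":
            for needle, name in SIGNATURES:
                if needle in msg:
                    verdict, t_end = name, t
                    break
    elapsed = None
    if t_start and t_end:
        elapsed = (_seconds(t_end) - _seconds(t_start)) % 86400  # tolerate midnight wrap
    return {"remote": remote, "elapsed_s": elapsed,
            "verdict": verdict, "next": NEXT_CHECKS[verdict]}


# Sample 1: lines taken from the post above (French month name kept as logged).
SAMPLE_NO_REPLY = """
juin 15 17:52:45 fedora-compaq.guedel.eu nm-openvpn[7697]: UDP link local: (not bound)
juin 15 17:52:45 fedora-compaq.guedel.eu nm-openvpn[7697]: UDP link remote: [AF_INET]188.118.130.93:1194
juin 15 17:53:45 fedora-compaq.guedel.eu nm-openvpn[7697]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
juin 15 17:53:45 fedora-compaq.guedel.eu nm-openvpn[7697]: TLS Error: TLS handshake failed
"""

# Sample 2 (constructed): the server answered but its certificate chain was refused.
SAMPLE_CERT_REJECTED = """
Jun 15 18:10:01 client nm-openvpn[8001]: UDP link remote: [AF_INET]192.0.2.10:1194
Jun 15 18:10:01 client nm-openvpn[8001]: VERIFY ERROR: depth=1, error=unable to get local issuer certificate
Jun 15 18:10:01 client nm-openvpn[8001]: TLS Error: TLS handshake failed
"""

# Sample 3 (constructed): a successful connection.
SAMPLE_OK = """
Jun 15 18:20:00 client nm-openvpn[8100]: UDP link remote: [AF_INET]192.0.2.10:1194
Jun 15 18:20:02 client nm-openvpn[8100]: Initialization Sequence Completed
"""

if __name__ == "__main__":
    for name, sample in [("post", SAMPLE_NO_REPLY), ("cert", SAMPLE_CERT_REJECTED), ("ok", SAMPLE_OK)]:
        print(name, triage(sample))
```

Usage: `journalctl -u NetworkManager --no-pager | python3 triage.py` style piping is easy to add, but the point is the verdict logic: for the log in the post it returns no-reply with remote 188.118.130.93:1194 after 60 seconds, which is consistent with the server-side openvpn-bridge log showing nothing for that attempt. The tcpdump check on the server's external interface is the quickest way to tell whether the box is forwarding UDP/1194 at all.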