Koozali.org: home of the SME Server

openvpn problems

Offline robf355

openvpn problems
« on: August 19, 2019, 05:16:37 PM »
Hi, I've installed openvpn-bridge from the contribs, including the bridge interface and the phpki; the services all appear to be running.
Problem is I can't connect from Android or Windows clients, using either the external internet or a local LAN.

Port 1194 UDP is forwarded to my server; I've checked with an online open port checker.
The Windows openvpn client just says:
8/19/2019, 3:54:13 PM Connecting to [server.kjctechnik.com]:1194 (94.173.63.126) via UDPv4
8/19/2019, 3:54:13 PM EVENT: WAIT
8/19/2019, 3:54:23 PM EVENT: CONNECTION_TIMEOUT
8/19/2019, 3:54:23 PM EVENT: DISCONNECTED

My openvpn client config is:
port 1194
remote server.kjctechnik.com
tls-client
auth-user-pass
ca ca.crt
cert client.crt
key client.key
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 4

If I try:
tailf /var/log/openvpn-bridge/current
I get:

@400000005d5abaf0315c9ab4 Could not determine IPv4/IPv6 protocol. Using AF_INET
@400000005d5abaf0315cbddc Socket Buffers: R=[124928->124928] S=[124928->124928]
@400000005d5abaf0315cd54c UDPv4 link local (bound): [AF_INET][undef]:1194
@400000005d5abaf0315ce8d4 UDPv4 link remote: [AF_UNSPEC]
@400000005d5abaf0315d0044 chroot to '/etc/openvpn/bridge' and cd to '/' succeeded
@400000005d5abaf0315d1b9c GID set to nobody
@400000005d5abaf0315d3adc UID set to nobody
@400000005d5abaf0315d5634 MULTI: multi_init called, r=256 v=256
@400000005d5abaf0315d989c IFCONFIG POOL: base=192.168.0.250 size=5, ipv6=0
@400000005d5abaf0315ddb04 Initialization Sequence Completed

Nothing else appears on the screen.

Can anyone point me in the direction of where to check?
Thanks
Regards
Rob Carter

Offline ReetP

Re: openvpn problems
« Reply #1 on: August 20, 2019, 11:41:52 AM »
Probably need to see your server setup as well....

You should at least see some connection attempt, but it looks like you are not getting the client to make contact with the server.

Are we listening? (Probably yes, as your server log looks OK with no errors - it is just sitting and waiting for connections I think - "Initialization Sequence Completed".)

Code:
netstat -tulpn |grep openvpn
Have you checked your firewall logs?

See if masq has a line allowing openvpn:

Code:
grep 1194 /etc/rc.d/init.d/masq
Anything else that might block packets? Fail2ban or similar?

Can you tell us the steps you took to install this?
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline robf355

Re: openvpn problems
« Reply #2 on: August 20, 2019, 01:12:33 PM »
Thanks for the reply.
Output from netstat -tulpn |grep openvpn:
tcp        0      0 127.0.0.1:11194             0.0.0.0:*                   LISTEN      4650/openvpn
udp        0      0 0.0.0.0:1194                0.0.0.0:*                               4650/openvpn

Output from grep 1194 /etc/rc.d/init.d/masq:
   # openvpn-bridge: UDPPorts: 1194, AllowHosts: 0.0.0.0/0, DenyHosts:
    /sbin/iptables -A $NEW_InboundUDP --proto udp --dport 1194 \

I installed openvpn using the howto:
https://wiki.contribs.org/OpenVPN_Bridge and
https://wiki.contribs.org/BridgeInterface

I'm trying to connect from the Android app; I have generated a client profile and certificate bundle using the certificate management contrib:
https://wiki.contribs.org/PHPki

When I tap connect on the Android app, it just sits there with a rotating pattern, and the app log says:
11:40:48.800 -- ----- OpenVPN Start -----
11:40:48.805 -- EVENT: CORE_THREAD_ACTIVE
11:40:48.880 -- Frame=512/2048/512 mssfix-ctrl=1250
11:40:48.881 -- EVENT: TAP_NOT_SUPPORTED info='OSI layer 2 tunnels are not currently supported'
11:40:48.903 -- EVENT: CORE_THREAD_INACTIVE
11:40:48.909 -- Tunnel bytes per CPU second: 0
11:40:48.912 -- ----- OpenVPN Stop -----

Seeing the error "TAP_NOT_SUPPORTED info='OSI layer 2 tunnels are not currently supported'", I changed dev tap to dev tun. I then get a connection failed message on the Android app, but the server log reports a connection attempt:

2019-08-20 12:09:37.280148500 213.205.198.3:52922 VERIFY OK: depth=1, C=UK, ST=worcs, L=kidderminster, O=VPN SERVICE, OU=Certificate Authority, CN=Karter Electronics, emailAddress=rob@karterelectronic.com
2019-08-20 12:09:37.280456500 213.205.198.3:52922 VERIFY OK: depth=0, C=UK, ST=worcs, L=kidderminster, O=Karter Electronics, O=21232f297a57a5a743894a0e4a801fc3, OU=office, CN=VPN, emailAddress=rob@karterelectronic.com
2019-08-20 12:09:37.409931500 213.205.198.3:52922 peer info: IV_GUI_VER=OC30Android
2019-08-20 12:09:37.409933500 213.205.198.3:52922 peer info: IV_VER=3.2
2019-08-20 12:09:37.409933500 213.205.198.3:52922 peer info: IV_PLAT=android
2019-08-20 12:09:37.409934500 213.205.198.3:52922 peer info: IV_NCP=2
2019-08-20 12:09:37.409934500 213.205.198.3:52922 peer info: IV_TCPNL=1
2019-08-20 12:09:37.409935500 213.205.198.3:52922 peer info: IV_PROTO=2
2019-08-20 12:09:37.409935500 213.205.198.3:52922 peer info: IV_LZO=1
2019-08-20 12:09:37.409978500 213.205.198.3:52922 peer info: IV_BS64DL=1
2019-08-20 12:09:37.412552500 213.205.198.3:52922 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
2019-08-20 12:09:37.412626500 213.205.198.3:52922 TLS: Username/Password authentication succeeded for username 'rob100763'
2019-08-20 12:09:37.412648500 213.205.198.3:52922 WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
2019-08-20 12:09:37.412659500 213.205.198.3:52922 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1574', remote='link-mtu 1542'
2019-08-20 12:09:37.412669500 213.205.198.3:52922 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
2019-08-20 12:09:37.469120500 213.205.198.3:52922 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
2019-08-20 12:09:37.469122500 213.205.198.3:52922 [VPN] Peer Connection Initiated with [AF_INET]213.205.198.3:52922
2019-08-20 12:09:37.469284500 MULTI: new connection by client 'VPN' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
2019-08-20 12:09:37.469287500 MULTI_sva: pool returned IPv4=192.168.0.250, IPv6=(Not enabled)
2019-08-20 12:09:37.479149500 VPN/213.205.198.3:52922 PUSH: Received control message: 'PUSH_REQUEST'
2019-08-20 12:09:37.479176500 VPN/213.205.198.3:52922 SENT CONTROL [VPN]: 'PUSH_REPLY,dhcp-option DOMAIN kjctechnik.com,dhcp-option DNS 192.168.0.10,dhcp-option WINS 192.168.0.10,comp-lzo adaptive,route-gateway 192.168.0.10,ping 10,ping-restart 120,ifconfig 192.168.0.250 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
2019-08-20 12:09:37.479178500 VPN/213.205.198.3:52922 Data Channel: using negotiated cipher 'AES-256-GCM'
2019-08-20 12:09:37.479319500 VPN/213.205.198.3:52922 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-08-20 12:09:37.479321500 VPN/213.205.198.3:52922 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-08-20 12:09:39.549789500 VPN/213.205.198.3:52922 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.

The Android app says there was an error attempting to connect, cancel/retry.
Retry does the same thing.
This is the Android app log:
12:14:12.482 -- ----- OpenVPN Start -----
12:14:12.488 -- EVENT: CORE_THREAD_ACTIVE
12:14:12.564 -- Frame=512/2048/512 mssfix-ctrl=1250
12:14:12.565 -- UNUSED OPTIONS
0 [rport] [1194]
3 [nobind]
5 [tls-client]
8 [pkcs12] [VPN.p12]
9 [mtu-test]
11 [pull]

12:14:12.567 -- EVENT: RESOLVE
12:14:12.588 -- Contacting [64:ff9b::5ead:3f7e]:1194 via UDP
12:14:12.589 -- EVENT: WAIT
12:14:12.601 -- Transport Error: UDP connect error on 'server.kjctechnik.com:1194' ([64:ff9b::5ead:3f7e]:1194): Network is unreachable
12:14:12.603 -- Client terminated, restarting in 2000 ms...
12:14:14.589 -- EVENT: RECONNECTING
12:14:14.621 -- EVENT: RESOLVE
12:14:14.641 -- Contacting [64:ff9b::5ead:3f7e]:1194 via UDP
12:14:14.642 -- EVENT: WAIT
12:14:14.669 -- Transport Error: UDP connect error on 'server.kjctechnik.com:1194' ([64:ff9b::5ead:3f7e]:1194): Network is unreachable
12:14:14.673 -- Client terminated, restarting in 2000 ms...
12:14:16.630 -- EVENT: RECONNECTING
12:14:16.652 -- EVENT: RESOLVE
12:14:16.690 -- Contacting [64:ff9b::5ead:3f7e]:1194 via UDP
12:14:16.691 -- EVENT: WAIT
12:14:16.723 -- Transport Error: UDP connect error on 'server.kjctechnik.com:1194' ([64:ff9b::5ead:3f7e]:1194): Network is unreachable
12:14:16.724 -- Client terminated, restarting in 2000 ms...
12:14:18.662 -- EVENT: RECONNECTING
12:14:18.679 -- EVENT: RESOLVE
12:14:18.707 -- Contacting [64:ff9b::5ead:3f7e]:1194 via UDP
12:14:18.708 -- EVENT: WAIT
12:14:18.729 -- Transport Error: UDP connect error on 'server.kjctechnik.com:1194' ([64:ff9b::5ead:3f7e]:1194): Network is unreachable
12:14:18.731 -- Client terminated, restarting in 2000 ms...
12:14:20.668 -- EVENT: RECONNECTING
12:14:20.684 -- EVENT: RESOLVE
12:14:20.727 -- Contacting 94.173.63.126:1194 via UDP
12:14:20.729 -- EVENT: WAIT
12:14:20.752 -- Connecting to [server.kjctechnik.com]:1194 (94.173.63.126) via UDPv4
12:14:22.185 -- EVENT: CONNECTING
12:14:22.198 -- Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
12:14:22.200 -- Creds: Username/Password
12:14:22.202 -- Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.2
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_BS64DL=1

12:14:24.042 -- VERIFY OK : depth=1
cert. version     : 3
serial number     : 80:0E:85:3C:A8:80:03:4B
issuer name       : C=UK, ST=worcs, L=kidderminster, O=VPN SERVICE, OU=Certificate Authority, CN=Karter Electronics, emailAddress=rob@karterelectronic.com
subject name      : C=UK, ST=worcs, L=kidderminster, O=VPN SERVICE, OU=Certificate Authority, CN=Karter Electronics, emailAddress=rob@karterelectronic.com
issued  on        : 2019-08-19 11:24:21
expires on        : 2034-08-18 11:24:21
signed using      : RSA with SHA1
RSA key size      : 2048 bits
basic constraints : CA=true
subject alt name  :
cert. type        : SSL CA, Email CA, Object Signing CA
key usage         : Key Cert Sign, CRL Sign

12:14:24.044 -- VERIFY OK : depth=0
cert. version     : 3
serial number     : 10:00:01
issuer name       : C=UK, ST=worcs, L=kidderminster, O=VPN SERVICE, OU=Certificate Authority, CN=Karter Electronics, emailAddress=rob@karterelectronic.com
subject name      : C=UK, ST=worcs, L=kidderminster, O=Karter Electronics, O=21232f297a57a5a743894a0e4a801fc3, OU=office, CN=VPN, emailAddress=rob@karterelectronic.com
issued  on        : 2019-08-19 11:26:49
expires on        : 2020-08-18 11:26:49
signed using      : RSA with SHA1
RSA key size      : 1024 bits
basic constraints : CA=false
subject alt name  : VPN
cert. type        : SSL Client, SSL Server
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication, TLS Web Client Authentication

12:14:24.803 -- SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
12:14:24.817 -- Session is ACTIVE
12:14:24.819 -- EVENT: GET_CONFIG
12:14:24.863 -- Sending PUSH_REQUEST to server...
12:14:24.886 -- OPTIONS:
0 [dhcp-option] [DOMAIN] [kjctechnik.com]
1 [dhcp-option] [DNS] [192.168.0.10]
2 [dhcp-option] [WINS] [192.168.0.10]
3 [comp-lzo] [adaptive]
4 [route-gateway] [192.168.0.10]
5 [ping] [10]
6 [ping-restart] [120]
7 [ifconfig] [192.168.0.250] [255.255.255.0]
8 [peer-id]

9 [cipher] [AES-256-GCM]

12:14:24.889 -- PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA1
  compress: LZO
  peer ID: 0
12:14:24.891 -- EVENT: ASSIGN_IP
12:14:24.919 -- TUN Error: tun_prop_error: ifconfig addresses are not in the same /30 subnet (topology net30)
12:14:24.921 -- EVENT: TUN_SETUP_FAILED info='tun_prop_error: ifconfig addresses are not in the same /30 subnet (topology net30)'
12:14:24.937 -- EVENT: DISCONNECTED
12:14:24.939 -- Client exception in transport_recv: tun_exception: not connected
12:14:24.943 -- EVENT: CORE_THREAD_INACTIVE
12:14:24.944 -- Tunnel bytes per CPU second: 0
12:14:24.945 -- ----- OpenVPN Stop -----


« Last Edit: August 20, 2019, 01:28:10 PM by robf355 »

Offline ReetP

Re: openvpn problems
« Reply #3 on: August 20, 2019, 02:22:21 PM »
OK - so you are confusing things a bit here.

First you say you are using a Windows client, and then Android?

Quote
The windows openvpn client just says

Quote
trying to connect from the android app

So your latest (Android) issue is here:

Quote
TAP_NOT_SUPPORTED info='OSI layer 2 tunnels are not currently supported'

Note there is no information on Android in the wiki page, and for a good reason:

https://openvpn.net/faq/why-does-the-app-not-support-tap-style-tunnels/

I'll add a note to say Android does not support TAP/Bridged mode currently.

The upshot is you can use 'bridged' for linking two networks together, and certain desktop clients.

Use 'routed' for dial in clients like Android.

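As an added example (not code from the thread, the contrib or the OpenVPN project), the following Python triages a client log for the three failure signatures seen above: a layer-2 (TAP) profile on Android, the initial attempt against a NAT64-synthesized address (64:ff9b::/96 is the well-known NAT64 prefix), and a subnet-style "ifconfig <ip> <netmask>" pushed to a TUN client that expects a net30 pair. The host name and log lines are constructed for the example.

```python
import ipaddress
import re

# Constructed sample lines, modelled on the Android client logs quoted in the thread.
SAMPLE_LOG = """\
11:40:48.881 -- EVENT: TAP_NOT_SUPPORTED info='OSI layer 2 tunnels are not currently supported'
12:14:12.601 -- Transport Error: UDP connect error on 'vpn.example.test:1194' ([64:ff9b::5ead:3f7e]:1194): Network is unreachable
12:14:24.886 -- OPTIONS:
7 [ifconfig] [192.168.0.250] [255.255.255.0]
12:14:24.919 -- TUN Error: tun_prop_error: ifconfig addresses are not in the same /30 subnet (topology net30)
"""

# Known signatures and what each one means for a bridged-vs-routed setup.
SIGNATURES = [
    (re.compile(r"TAP_NOT_SUPPORTED"),
     "client cannot do layer-2 (TAP/bridged) tunnels; serve it a routed (TUN) profile"),
    (re.compile(r"\[64:ff9b::"),
     "first attempt went to a NAT64-synthesized IPv6 address; the later IPv4 attempt is the one to watch"),
    (re.compile(r"not in the same /30 subnet"),
     "server pushed a subnet-style ifconfig to a net30 TUN client"),
]

IFCONFIG_OPT = re.compile(r"\[ifconfig\] \[([\d.]+)\] \[([\d.]+)\]")


def same_net30(local: str, remote: str) -> bool:
    """In topology net30 the two ifconfig endpoints must lie in one /30."""
    block = ipaddress.ip_network(f"{local}/30", strict=False)
    return ipaddress.ip_address(remote) in block


def triage(log_text: str) -> list:
    """Return one finding per recognised problem line in the client log."""
    findings = []
    for line in log_text.splitlines():
        for pattern, meaning in SIGNATURES:
            if pattern.search(line):
                findings.append(meaning)
        m = IFCONFIG_OPT.search(line)
        # Apply the same /30 check the client applies to the pushed ifconfig.
        if m and not same_net30(m.group(1), m.group(2)):
            findings.append(f"pushed ifconfig {m.group(1)} {m.group(2)} is not a /30 pair")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```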

Offline robf355

Re: openvpn problems
« Reply #4 on: August 20, 2019, 02:52:13 PM »
Hi,
I installed both the Android and Windows clients; my overall intention was to use the Android client. I tried the Windows version to try and get a bit more detail about the problem I was seeing - to no avail.
I'll uninstall and give the routed option a try.
Thanks for your help.



Offline ReetP

Re: openvpn problems
« Reply #5 on: August 20, 2019, 03:15:55 PM »
I have had the routed version working on Android and iOS for some long while, and desktop can use it too.

Android is pretty easy to set up.... iOS you need to create the ovpn file with the certs embedded, and it is a bit more tricky, but I can probably assist a bit if required.

Offline robf355

Re: openvpn problems
« Reply #6 on: August 20, 2019, 03:17:14 PM »
Hi,
I just installed the routed contrib; it worked first time. Thanks for your help :-)

Offline ReetP

Re: openvpn problems
« Reply #7 on: August 20, 2019, 03:44:54 PM »
 :lol:

Yayyyy !

Pleased to help.