Posted: Mon May 17, 2021 17:37 Post subject: Never Been Able to Get OpenVPN working on my network
Title really says it all. I've been a dd-wrt user since probably its inception and I have tried to get OpenVPN working multiple times on my network and have never been successful. I ALWAYS end up getting:
Code:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021-05-17 12:11:14 us=624502
TLS Error: TLS handshake failed
I've been in the process of completely re-doing my network with my R9000 as the primary AP Router hooked up to my Cisco SG-500-28P Switches via SFP+ connectivity and random trunking. But the R9000 is what handles all (for the most part) wireless traffic, and routes directly to my cable modem.
After following this guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795 all I'm trying to do is access my own network and machines from off-site. I do a lot of traveling, and I have Hyper-V VMs running at home that I need to access and be able to coordinate things on my network. I just can't figure out what the problem is. I was wondering if someone could help examine my settings and figure out what I'm missing. Screenshots below:
Joined: 18 Mar 2014 Posts: 12885 Location: Netherlands
Posted: Tue May 18, 2021 8:00 Post subject:
I assume the OpenVPN server log is clean and showing CONNECTED SUCCESS?
To be sure, post a screenshot of the OpenVPN status page to show the server and an updated screenshot of the OpenVPN setup page (whole page, including anything in additional config).
I assume this error is coming from a Windows client, which could indicate a problem with that client like a firewall blocking or a third-party virus scanner on your Windows client, so check that and also check if you have network connectivity. You cannot test from inside your network, so the Windows client has to be outside, e.g. connect via cellular.
Consider reinstalling the OpenVPN client
To rule out a server problem, set up a client on your Android phone to check if that will connect.
Screenshots attached. EDIT** - I re-uploaded the images; if you zoom now, it should be clear as day.
I can confirm the following:
1) Windows 10 client, firewall COMPLETELY turned off.
2) Accessing from outside my network (I tried yesterday from a hotel, today from the airport's wi-fi, and a neighbor's house).
3) There are no third party virus scanners turned on.
OpenVPN Status Page
OpenVPN Settings Page
EDIT: Just tried from my mobile device as well... I receive an error that it can't connect. Mobile was set up as client2 with a separate cert, key, etc.
I also have the following setup in the firewall rules:
Joined: 18 Mar 2014 Posts: 12885 Location: Netherlands
Posted: Thu May 20, 2021 11:12 Post subject:
From what I can see, the OVPN server looks correctly set up.
The only firewall rule needed is the NAT rule (on recent builds there is a GUI setting for that so that you do not need anything)
Obvious things to check:
Is the router rebooted after setup?
Is the router reachable via the WAN? e.g. is your router directly connected to the internet with a Public IP address (and not a CGNAT address)
If not, is port forwarding in place on the primary router?
Could your ISP block ports? (If so, use another port, e.g. 4595.)
As a test, consider setting up remote administration; do not leave it enabled after testing, as you will have a lot of hackers knocking on your door.
When testing, test from outside your own network, e.g. with a laptop or phone on cellular.
Is the router rebooted after setup? - Yes, several times.
Is the router reachable via the WAN? e.g. is your router directly connected to the internet with a Public IP address (and not a CGNAT address) - Yes - DDNS is set up, and I can access the router from anywhere
If not, is port forwarding in place on the primary router?
Could your ISP block ports? (If so, use another port, e.g. 4595.) - I have not specifically tried altering the port... but I can try that next.
EDIT - Tried several different ports. No dice. Same issue.
Last edited by usaf-lt-g on Thu May 20, 2021 17:01; edited 1 time in total
Please use the right links for the images. You are linking the thumbnails, not the full-sized images.
When attempting to connect via cell phone the server log on the router shows:
Code:
20210520 11:56:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20210520 11:56:47 D MANAGEMENT: CMD 'state'
20210520 11:56:47 MANAGEMENT: Client disconnected
20210520 11:56:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20210520 11:56:47 D MANAGEMENT: CMD 'state'
20210520 11:56:47 MANAGEMENT: Client disconnected
20210520 11:56:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20210520 11:56:47 D MANAGEMENT: CMD 'state'
20210520 11:56:47 MANAGEMENT: Client disconnected
20210520 11:56:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20210520 11:56:47 MANAGEMENT: Client disconnected
20210520 11:56:47 NOTE: --mute triggered...
20210520 11:56:47 1 variation(s) on previous 3 message(s) suppressed by --mute
20210520 11:56:47 D MANAGEMENT: CMD 'status 2'
20210520 11:56:47 MANAGEMENT: Client disconnected
20210520 11:56:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20210520 11:56:47 D MANAGEMENT: CMD 'status 2'
20210520 11:56:47 MANAGEMENT: Client disconnected
20210520 11:56:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20210520 11:56:47 D MANAGEMENT: CMD 'log 500'
19691231 18:00:00
Is the 127.0.0.1 normal? I tried various ports now, and they still result in the same problem. Unable to connect. I checked to verify the router is using Google's DNS for now.
This is absolutely mind boggling that I can't seem to figure this out.
usa, where are you? The reason I ask is because China is known to block OpenVPN protocols. Also, DPI (deep packet inspection) is available in even inexpensive Cisco Firepower firewalls and I would not put it past a hotel handing out "free" wifi to block OpenVPN.
I was travelling recently from PDX to SF and I had no problems with wifi in the cheapest take-your-hooker-to scummy motels that I stayed in (on my dime), but one of the expensive snooty high-end ones I was put up in (on my customer's dime) apparently felt as though they had the right to inject spamvertising in my web browsing sessions via transparent proxy, and they did indeed block VPN protocols.
If you are running a "home" Internet account, not a "business" internet account, your ISP may have a block erected.
Since you are in control of both ends you might try different protocols and ports and see if that works.