[SOLVED]OpenVPN succeeds on Android fails on Win11

puterboy2
DD-WRT User


Joined: 24 Feb 2019
Posts: 139

PostPosted: Sun Aug 14, 2022 5:12    Post subject: [SOLVED]OpenVPN succeeds on Android fails on Win11
I am using the OpenVPN Connect app on both Android and Windows 11 with the same profile.
It works fine on Android but fails to connect on Windows.

On Android: OpenVPN Connect 3.3.0
On Win11: OpenVPN Connect 3.3.6

I don't think it's a firewall issue, since the problem persists even when Windows firewall is turned off.

The dd-wrt log shows:
Code:

Aug 14 00:25:30 myrouter daemon.notice openvpn[1225]: 192.168.1.2:57215 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Aug 14 00:25:30 myrouter daemon.notice openvpn[1225]: 192.168.1.2:57215 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Aug 14 00:25:30 myrouter daemon.notice openvpn[1225]: 192.168.1.2:57215 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Aug 14 00:25:30 myrouter daemon.notice openvpn[1225]: 192.168.1.2:57215 NOTE: --mute triggered...
Aug 14 00:25:30 myrouter daemon.notice openvpn[1225]: 192.168.1.2:57215 1 variation(s) on previous 3 message(s) suppressed by --mute
Aug 14 00:25:30 myrouter daemon.warn openvpn[1225]: 192.168.1.2:57215 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Aug 14 00:25:30 myrouter daemon.notice openvpn[1225]: 192.168.1.2:57215 TLS: Initial packet from [AF_INET]192.168.1.2:57215, sid=dec08bfe 356809ba
Aug 14 00:25:31 myrouter daemon.err openvpn[1225]: 192.168.1.2:57215 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1660451130) 2022-08-14 00:25:30 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warn
Aug 14 00:25:31 myrouter daemon.err openvpn[1225]: 192.168.1.2:57215 tls-crypt unwrap error: packet replay
Aug 14 00:25:31 myrouter daemon.err openvpn[1225]: 192.168.1.2:57215 TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.1.2:57215
Aug 14 00:25:32 myrouter daemon.err openvpn[1225]: 192.168.1.2:57215 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1660451130) 2022-08-14 00:25:30 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warn
Aug 14 00:25:32 myrouter daemon.err openvpn[1225]: 192.168.1.2:57215 tls-crypt unwrap error: packet replay
Aug 14 00:25:32 myrouter daemon.err openvpn[1225]: 192.168.1.2:57215 TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.1.2:57215
...


The Win11 log shows:
Code:

[Aug 14, 2022, 24:42:13] Frame=512/2048/512 mssfix-ctrl=1250
[Aug 14, 2022, 24:42:13] UNUSED OPTIONS
4 [nobind]
5 [persist-key]
6 [persist-tun]
8 [auth-nocache]
9 [verb] [4]
12 [data-ciphers] [CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC]
13 [resolv-retry] [infinite]
[Aug 14, 2022, 24:42:13] EVENT: RESOLVE
[Aug 14, 2022, 24:42:13] Contacting 146.115.145.129:1194 via UDP
[Aug 14, 2022, 24:42:13] EVENT: WAIT
[Aug 14, 2022, 24:42:13] WinCommandAgent: transmitting bypass route to 146.115.145.129
{
   "host" : "146.115.145.129",
   "ipv6" : false
}

[Aug 14, 2022, 24:42:13] Connecting to [kosowsky.us]:1194 (146.115.145.129) via UDPv4
[Aug 14, 2022, 24:42:23] Server poll timeout, trying next remote entry...
[Aug 14, 2022, 24:42:23] EVENT: RECONNECTING
[Aug 14, 2022, 24:42:23] EVENT: RESOLVE
[Aug 14, 2022, 24:42:23] Contacting 146.115.145.129:1194 via UDP
[Aug 14, 2022, 24:42:23] EVENT: WAIT
[Aug 14, 2022, 24:42:23] WinCommandAgent: transmitting bypass route to 146.115.145.129
{
   "host" : "146.115.145.129",
   "ipv6" : false
}

[Aug 14, 2022, 24:42:23] Connecting to [kosowsky.us]:1194 (146.115.145.129) via UDPv4
[Aug 14, 2022, 24:42:33] Server poll timeout, trying next remote entry...


If I remove the tls key from both client and server, I get the following error on the dd-wrt server:
Code:

20220814 01:00:02 192.168.1.170:41922 TLS: Initial packet from [AF_INET]192.168.1.170:41922 sid=790490bf 73125d5c
20220814 01:00:02 N 192.168.1.170:45054 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20220814 01:00:02 N 192.168.1.170:45054 TLS Error: TLS handshake failed
20220814 01:00:02 192.168.1.170:45054 SIGUSR1[soft tls-error] received client-instance restarting
20220814 01:00:02 W 192.168.1.2:61016 WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)


My profile is:
Code:

client
dev tun
proto udp4
remote mydomain.com 1194
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4 #Verbosity
float
tun-mtu 1400 #Lowered default can be commented to let OpenVPN decide
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC

resolv-retry infinite
remote-random

<ca>
...
</ca>

<cert>
...
</cert>

<key>
...
</key>

<tls-crypt>
...
</tls-crypt>

Any suggestions?
Thanks
puterboy2
DD-WRT User


Joined: 24 Feb 2019
Posts: 139

PostPosted: Mon Aug 15, 2022 0:24    Post subject: SOLVED
I figured out the problem.
I had my laptop on my guest network 192.168.5.x, which apparently is *not* separate (enough) from my LAN on 192.168.1.x.

However, when I connected my laptop to my mobile running a hotspot, then it worked.

Would like to understand though why I can't access the VPN from my guest network which I thought was considered separate from the regular LAN.
foz111
DD-WRT Guru


Joined: 01 Oct 2017
Posts: 704
Location: Earth

PostPosted: Mon Aug 15, 2022 11:07    Post subject:
VPN server/client is used from outside your WAN to reach your LAN.
_________________
Netgear R7800 PPPoE Main Router
Network IPV4 - Isolated Vlan's with IoT Devices. Unifi AC-Pro x 3 AP's, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Client's. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.

No one can build you the bridge on which you, and only you, must cross the river of life!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Mon Aug 15, 2022 11:21    Post subject:
A lot of answers (also to your earlier postings) can be found in the guides; sometimes it helps to read them.

First item in the troubleshooting guide, see attachment.

When you test from inside you have a routing problem: the control channel establishing the connection uses the WAN, but there is also an internal route directly to the server.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
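An added triage helper, not from this thread or from DD-WRT, that illustrates egc's point: it groups the tls-crypt "bad packet ID (may be a replay)" errors from the first post's server log by peer and marks peers on RFC 1918 addresses as the inside-test routing case, so that warning is not mistaken for a replay from outside. The sample log lines are constructed from the first post; the 203.0.113.7 peer is an invented outside address added for contrast.

```python
import ipaddress
import re

# RFC 1918 ranges: a peer address in one of these means the client sat on a
# network behind the router (the 192.168.1.x LAN or 192.168.5.x guest net in
# the thread), i.e. an inside test, not a remote client coming in via the WAN.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, modelled on the DD-WRT server log in the first post;
# the 203.0.113.7 peer is an invented outside address for contrast.
SAMPLE_LOG = """\
Aug 14 00:25:30 myrouter daemon.notice openvpn[1225]: 192.168.1.2:57215 TLS: Initial packet from [AF_INET]192.168.1.2:57215, sid=dec08bfe 356809ba
Aug 14 00:25:31 myrouter daemon.err openvpn[1225]: 192.168.1.2:57215 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1660451130) 2022-08-14 00:25:30 ]
Aug 14 00:25:31 myrouter daemon.err openvpn[1225]: 192.168.1.2:57215 tls-crypt unwrap error: packet replay
Aug 14 00:25:31 myrouter daemon.err openvpn[1225]: 192.168.1.2:57215 TLS Error: tls-crypt unwrapping failed from [AF_INET]192.168.1.2:57215
Aug 14 00:26:02 myrouter daemon.err openvpn[1225]: 203.0.113.7:40001 tls-crypt unwrap error: bad packet ID (may be a replay): [ #7 / time = (1660451162) 2022-08-14 00:26:02 ]
"""

LINE_RE = re.compile(r"openvpn\[\d+\]: (?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<msg>.*)$")
PKT_ID_RE = re.compile(r"\[ #(?P<id>\d+) /")


def is_rfc1918(ip):
    """True when the address belongs to one of the private ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify_replays(log_text):
    """Group tls-crypt replay errors by peer and attach a triage verdict.

    'inside-test': the peer is on a private network behind the router, so the
    replay warning matches the inside-test routing problem egc describes
    (the client's initial packet is retransmitted with the same packet ID).
    'investigate': the peer is an outside address; repeated packet IDs from
    the WAN deserve a look rather than a configuration change."""
    peers = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or "tls-crypt unwrap error" not in m["msg"]:
            continue
        peer = f"{m['ip']}:{m['port']}"
        entry = peers.setdefault(peer, {"errors": 0, "packet_ids": []})
        entry["errors"] += 1
        pid = PKT_ID_RE.search(m["msg"])
        if pid:
            entry["packet_ids"].append(int(pid["id"]))
        entry["verdict"] = "inside-test" if is_rfc1918(m["ip"]) else "investigate"
    return peers


if __name__ == "__main__":
    for peer, info in classify_replays(SAMPLE_LOG).items():
        print(peer, info)
```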
puterboy2
DD-WRT User


Joined: 24 Feb 2019
Posts: 139

PostPosted: Mon Aug 15, 2022 23:57    Post subject:
egc wrote:
A lot of answers (also of your earlier postings) can be found in the guides,

I actually did read through 4 documents:

    DDWRT OpenVPN Server Setup guide v24
    DDWRT VPN troubleshooting guide v44
    DDWRT OpenVPN Client setup guide v18
    DDWRT VPN and DNS 1.2

Quote:

sometimes it helps to read them

And sometimes reading (and following) the documents *causes* the very problems in the post.
Specifically, I followed the recommendation in the DDWRT OpenVPN Server Setup guide v24 (see circled below), and that ended up being WRONG and one of the cited possible CAUSES of the problem in my first posting. (And the second issue was due to the fact that it was highly not obvious that setting compression to Disabled is NOT the same as setting it to None.) Of course, it all makes sense in retrospect, but not to a new user.

Quote:

First item in the troubleshooting guide, see attachment.

When you test from inside you have a routing problem: the control channel establishing the connection uses the WAN, but there is also an internal route directly to the server.


Yes. I know (and read) that "you cannot test from inside the network". But I was on the guest network which by design and by firewall rules is isolated from the server which sits on the primary LAN. So, that's why even AFTER reading the guides, I was surprised that I couldn't access the VPN running on my LAN from the isolated Guest Network which I would think was *OUTSIDE* my LAN.

So still would like to know why the VPN doesn't see the guest network as a separate (i.e. OUTSIDE) network?
foz111
DD-WRT Guru


Joined: 01 Oct 2017
Posts: 704
Location: Earth

PostPosted: Tue Aug 16, 2022 9:44    Post subject:
Guest network is still within your LAN.