R9000 - OpenVPN Can't Connect - Could use some help

usaf-lt-g
DD-WRT Novice


Joined: 16 Mar 2012
Posts: 43

PostPosted: Sun Jan 15, 2023 17:53    Post subject: R9000 - OpenVPN Can't Connect - Could use some help Reply with quote
Netgear Nighthawk R9000
Build: v3.0-r51275 std (01/09/23)
OpenVPN Client: 2.5.8 - Windows 10 Client x64

I have tried to connect both at home and away, and I get the TLS can't connect error. I can see the client hitting the router, but it keeps connecting and disconnecting and never establishes a connection. I need to be able to access my own internal network while on the road. Despite different routers / builds, I've never ever been successful in getting OpenVPN or PPTP to work. There's nothing else in front of my router, so I don't know if it's software on the client blocking it or what.

On the client:

Code:

Sun Jan 15 11:39:28 2023   pkcs11_private_mode = 00000000
Sun Jan 15 11:39:28 2023   pkcs11_private_mode = 00000000
Sun Jan 15 11:39:28 2023   pkcs11_private_mode = 00000000
Sun Jan 15 11:39:28 2023   pkcs11_private_mode = 00000000
Sun Jan 15 11:39:28 2023   pkcs11_private_mode = 00000000
Sun Jan 15 11:39:28 2023   pkcs11_private_mode = 00000000
Sun Jan 15 11:39:28 2023   pkcs11_private_mode = 00000000
Sun Jan 15 11:39:28 2023   pkcs11_private_mode = 00000000
Sun Jan 15 11:39:28 2023   pkcs11_private_mode = 00000000
Sun Jan 15 11:39:28 2023   pkcs11_private_mode = 00000000
Sun Jan 15 11:39:28 2023   pkcs11_private_mode = 00000000
Sun Jan 15 11:39:28 2023   pkcs11_private_mode = 00000000
Sun Jan 15 11:39:28 2023   pkcs11_private_mode = 00000000
Sun Jan 15 11:39:28 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 11:39:28 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 11:39:28 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 11:39:28 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 11:39:28 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 11:39:28 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 11:39:28 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 11:39:28 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 11:39:28 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 11:39:28 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 11:39:28 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 11:39:28 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 11:39:28 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 11:39:28 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 11:39:28 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 11:39:28 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 11:39:28 2023   pkcs11_pin_cache_period = -1
Sun Jan 15 11:39:28 2023   pkcs11_id = '[UNDEF]'
Sun Jan 15 11:39:28 2023   pkcs11_id_management = DISABLED
Sun Jan 15 11:39:28 2023   server_network = 0.0.0.0
Sun Jan 15 11:39:28 2023   server_netmask = 0.0.0.0
Sun Jan 15 11:39:28 2023   server_network_ipv6 = ::
Sun Jan 15 11:39:28 2023   server_netbits_ipv6 = 0
Sun Jan 15 11:39:28 2023   server_bridge_ip = 0.0.0.0
Sun Jan 15 11:39:28 2023   server_bridge_netmask = 0.0.0.0
Sun Jan 15 11:39:28 2023   server_bridge_pool_start = 0.0.0.0
Sun Jan 15 11:39:28 2023   server_bridge_pool_end = 0.0.0.0
Sun Jan 15 11:39:28 2023   ifconfig_pool_defined = DISABLED
Sun Jan 15 11:39:28 2023   ifconfig_pool_start = 0.0.0.0
Sun Jan 15 11:39:28 2023   ifconfig_pool_end = 0.0.0.0
Sun Jan 15 11:39:28 2023   ifconfig_pool_netmask = 0.0.0.0
Sun Jan 15 11:39:28 2023   ifconfig_pool_persist_filename = '[UNDEF]'
Sun Jan 15 11:39:28 2023   ifconfig_pool_persist_refresh_freq = 600
Sun Jan 15 11:39:28 2023   ifconfig_ipv6_pool_defined = DISABLED
Sun Jan 15 11:39:28 2023   ifconfig_ipv6_pool_base = ::
Sun Jan 15 11:39:28 2023   ifconfig_ipv6_pool_netbits = 0
Sun Jan 15 11:39:28 2023   n_bcast_buf = 256
Sun Jan 15 11:39:28 2023   tcp_queue_limit = 64
Sun Jan 15 11:39:28 2023   real_hash_size = 256
Sun Jan 15 11:39:28 2023   virtual_hash_size = 256
Sun Jan 15 11:39:28 2023   client_connect_script = '[UNDEF]'
Sun Jan 15 11:39:28 2023   learn_address_script = '[UNDEF]'
Sun Jan 15 11:39:28 2023   client_disconnect_script = '[UNDEF]'
Sun Jan 15 11:39:28 2023   client_config_dir = '[UNDEF]'
Sun Jan 15 11:39:28 2023   ccd_exclusive = DISABLED
Sun Jan 15 11:39:28 2023   tmp_dir = 'C:\Users\cgillman\AppData\Local\Temp\'
Sun Jan 15 11:39:28 2023   push_ifconfig_defined = DISABLED
Sun Jan 15 11:39:28 2023   push_ifconfig_local = 0.0.0.0
Sun Jan 15 11:39:28 2023   push_ifconfig_remote_netmask = 0.0.0.0
Sun Jan 15 11:39:28 2023   push_ifconfig_ipv6_defined = DISABLED
Sun Jan 15 11:39:28 2023   push_ifconfig_ipv6_local = ::/0
Sun Jan 15 11:39:28 2023   push_ifconfig_ipv6_remote = ::
Sun Jan 15 11:39:28 2023   enable_c2c = DISABLED
Sun Jan 15 11:39:28 2023   duplicate_cn = DISABLED
Sun Jan 15 11:39:28 2023   cf_max = 0
Sun Jan 15 11:39:28 2023   cf_per = 0
Sun Jan 15 11:39:28 2023   max_clients = 1024
Sun Jan 15 11:39:28 2023   max_routes_per_client = 256
Sun Jan 15 11:39:28 2023   auth_user_pass_verify_script = '[UNDEF]'
Sun Jan 15 11:39:28 2023   auth_user_pass_verify_script_via_file = DISABLED
Sun Jan 15 11:39:28 2023   auth_token_generate = DISABLED
Sun Jan 15 11:39:28 2023   auth_token_lifetime = 0
Sun Jan 15 11:39:28 2023   auth_token_secret_file = '[UNDEF]'
Sun Jan 15 11:39:28 2023   vlan_tagging = DISABLED
Sun Jan 15 11:39:28 2023   vlan_accept = all
Sun Jan 15 11:39:28 2023   vlan_pvid = 1
Sun Jan 15 11:39:28 2023   client = ENABLED
Sun Jan 15 11:39:28 2023   pull = ENABLED
Sun Jan 15 11:39:28 2023   auth_user_pass_file = '[UNDEF]'
Sun Jan 15 11:39:28 2023   show_net_up = DISABLED
Sun Jan 15 11:39:28 2023   route_method = 3
Sun Jan 15 11:39:28 2023   block_outside_dns = DISABLED
Sun Jan 15 11:39:28 2023   ip_win32_defined = DISABLED
Sun Jan 15 11:39:28 2023   ip_win32_type = 3
Sun Jan 15 11:39:28 2023   dhcp_masq_offset = 0
Sun Jan 15 11:39:28 2023   dhcp_lease_time = 31536000
Sun Jan 15 11:39:28 2023   tap_sleep = 0
Sun Jan 15 11:39:28 2023   dhcp_options = DISABLED
Sun Jan 15 11:39:28 2023   dhcp_renew = DISABLED
Sun Jan 15 11:39:28 2023   dhcp_pre_release = DISABLED
Sun Jan 15 11:39:28 2023   domain = '[UNDEF]'
Sun Jan 15 11:39:28 2023   netbios_scope = '[UNDEF]'
Sun Jan 15 11:39:28 2023   netbios_node_type = 0
Sun Jan 15 11:39:28 2023   disable_nbt = DISABLED
Sun Jan 15 11:39:28 2023 OpenVPN 2.5.8 [git:none/0357ceb877687faa] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec  2 2022
Sun Jan 15 11:39:28 2023 Windows version 10.0 (Windows 10 or greater) 64bit
Sun Jan 15 11:39:28 2023 library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
Sun Jan 15 11:39:28 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Jan 15 11:39:28 2023 Need hold release from management interface, waiting...
Sun Jan 15 11:39:29 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Jan 15 11:39:29 2023 MANAGEMENT: CMD 'state on'
Sun Jan 15 11:39:29 2023 MANAGEMENT: CMD 'log on all'
Sun Jan 15 11:39:29 2023 MANAGEMENT: CMD 'echo on all'
Sun Jan 15 11:39:29 2023 MANAGEMENT: CMD 'bytecount 5'
Sun Jan 15 11:39:29 2023 MANAGEMENT: CMD 'state'
Sun Jan 15 11:39:29 2023 MANAGEMENT: CMD 'hold off'
Sun Jan 15 11:39:29 2023 MANAGEMENT: CMD 'hold release'
Sun Jan 15 11:39:29 2023 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sun Jan 15 11:39:29 2023 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 AF:14/121 ]
Sun Jan 15 11:39:29 2023 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,auth [null-digest],keysize 128,key-method 2,tls-client'
Sun Jan 15 11:39:29 2023 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,auth [null-digest],keysize 128,key-method 2,tls-server'
Sun Jan 15 11:39:29 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]73.208.229.90:1194
Sun Jan 15 11:39:29 2023 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Jan 15 11:39:29 2023 UDPv4 link local: (not bound)
Sun Jan 15 11:39:29 2023 UDPv4 link remote: [AF_INET]73.208.229.90:1194
Sun Jan 15 11:39:29 2023 MANAGEMENT: >STATE:1673804369,WAIT,,,,,,


On the router:

Code:

Server Log:
19691231 18:00:47 W Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
19691231 18:00:47 W --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
19691231 18:00:47 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
19691231 18:00:47 Current Parameter Settings:
19691231 18:00:47 config = '/tmp/openvpn/openvpn.conf'
19691231 18:00:47 mode = 1
19691231 18:00:47 NOTE: --mute triggered...
19691231 18:00:47 242 variation(s) on previous 3 message(s) suppressed by --mute
19691231 18:00:47 I OpenVPN 2.5.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 9 2023
19691231 18:00:47 I library versions: OpenSSL 1.1.1s 1 Nov 2022 LZO 2.10
19691231 18:00:47 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
19691231 18:00:47 W WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
19691231 18:00:47 net_route_v4_best_gw query: dst 0.0.0.0
19691231 18:00:47 net_route_v4_best_gw result: via 0.0.0.0 dev
19691231 18:00:47 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19691231 18:00:47 W WARNING: Your certificate is not yet valid!
19691231 18:00:47 ECDH curve secp384r1 added
19691231 18:00:47 TLS-Auth MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
19691231 18:00:47 I TUN/TAP device tun2 opened
19691231 18:00:47 do_ifconfig ipv4=1 ipv6=0
19691231 18:00:47 I net_iface_mtu_set: mtu 1500 for tun2
19691231 18:00:47 I net_iface_up: set tun2 up
19691231 18:00:47 I net_addr_v4_add: 10.8.0.1/24 dev tun2
19691231 18:00:48 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
19691231 18:00:48 Socket Buffers: R=[262144->262144] S=[262144->262144]
19691231 18:00:48 I UDPv4 link local (bound): [AF_INET][undef]:1194
19691231 18:00:48 I UDPv4 link remote: [AF_UNSPEC]
19691231 18:00:48 MULTI: multi_init called r=256 v=256
19691231 18:00:48 IFCONFIG POOL IPv4: base=10.8.0.2 size=253
19691231 18:00:48 I Initialization Sequence Completed
20230115 11:30:17 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 11:30:17 D MANAGEMENT: CMD 'state'
20230115 11:30:17 MANAGEMENT: Client disconnected
20230115 11:30:17 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 11:30:17 D MANAGEMENT: CMD 'state'
20230115 11:30:17 MANAGEMENT: Client disconnected
20230115 11:30:17 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 11:30:17 D MANAGEMENT: CMD 'state'
20230115 11:30:17 MANAGEMENT: Client disconnected
20230115 11:30:17 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 11:30:17 MANAGEMENT: Client disconnected
20230115 11:30:17 NOTE: --mute triggered...
20230115 11:30:17 1 variation(s) on previous 3 message(s) suppressed by --mute
20230115 11:30:17 D MANAGEMENT: CMD 'status 2'
20230115 11:30:17 MANAGEMENT: Client disconnected
20230115 11:30:17 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 11:30:17 D MANAGEMENT: CMD 'status 2'
20230115 11:30:17 MANAGEMENT: Client disconnected
20230115 11:30:17 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 11:30:17 D MANAGEMENT: CMD 'log 500'
20230115 11:30:17 MANAGEMENT: Client disconnected
20230115 11:41:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 11:41:43 D MANAGEMENT: CMD 'state'
20230115 11:41:43 MANAGEMENT: Client disconnected
20230115 11:41:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 11:41:43 D MANAGEMENT: CMD 'state'
20230115 11:41:43 MANAGEMENT: Client disconnected
20230115 11:41:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 11:41:43 D MANAGEMENT: CMD 'state'
20230115 11:41:43 MANAGEMENT: Client disconnected
20230115 11:41:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 11:41:43 MANAGEMENT: Client disconnected
20230115 11:41:43 NOTE: --mute triggered...
20230115 11:41:43 1 variation(s) on previous 3 message(s) suppressed by --mute
20230115 11:41:43 D MANAGEMENT: CMD 'status 2'
20230115 11:41:43 MANAGEMENT: Client disconnected
20230115 11:41:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 11:41:43 D MANAGEMENT: CMD 'status 2'
20230115 11:41:43 MANAGEMENT: Client disconnected
20230115 11:41:43 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 11:41:43 D MANAGEMENT: CMD 'log 500'


Client Configuration

Code:

#This is beta build 0.08, use it with care
#OpenVPN client config generated, check if settings are correct see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398, made by egc
client
#windows-driver wintun     # only for Windows 10 OpenVPN 2.5.x
verb 4
nobind
persist-key
persist-tun
float
remote-cert-tls server
auth-nocache
tun-mtu 1500    # lowered default can be commented to let OpenVPN decide
#Replace remote address with actual WAN or DDNS address
remote IP HIDDEN 1194
dev tun
proto udp4
auth none
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC
#Block IPv6, newer clients could default to IPv6
pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"
block-ipv6
#key-direction 1
keepalive 10 60
<ca>
-----BEGIN CERTIFICATE-----
Cert Hidden
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
Cert Hidden
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
Key hidden
-----END PRIVATE KEY-----
</key>


Router Configuration




Firewall Rule

Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

PostPosted: Sun Jan 15, 2023 18:38    Post subject: Reply with quote
I do not have time to study it in detail but disable tls auth key on the server.

It looks like you are not using it on the client and it is not necessary to use either.

Edit: the nat rule you have added is redundant.

I will move this thread to the appropriate forum, the documentation is a sticky in that forum

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

PostPosted: Sun Jan 15, 2023 18:49    Post subject: Reply with quote
Necessary documentation is a sticky in this forum
usaf-lt-g
DD-WRT Novice


Joined: 16 Mar 2012
Posts: 43

PostPosted: Sun Jan 15, 2023 19:34    Post subject: Reply with quote
I removed the redundant firewall rule. The firewall is now empty.

I also changed: TLS / Static Key Choice - to None.

I get the same results.

On the server side still receiving:

Code:

20230115 13:33:42 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 13:33:42 D MANAGEMENT: CMD 'state'
20230115 13:33:42 MANAGEMENT: Client disconnected
20230115 13:33:42 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 13:33:42 D MANAGEMENT: CMD 'state'
20230115 13:33:42 MANAGEMENT: Client disconnected
20230115 13:33:42 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 13:33:42 D MANAGEMENT: CMD 'state'
20230115 13:33:42 MANAGEMENT: Client disconnected
20230115 13:33:42 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 13:33:42 MANAGEMENT: Client disconnected
20230115 13:33:42 NOTE: --mute triggered...
20230115 13:33:42 1 variation(s) on previous 3 message(s) suppressed by --mute
20230115 13:33:42 D MANAGEMENT: CMD 'status 2'
20230115 13:33:42 MANAGEMENT: Client disconnected
20230115 13:33:42 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 13:33:42 D MANAGEMENT: CMD 'status 2'
20230115 13:33:42 MANAGEMENT: Client disconnected
20230115 13:33:42 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 13:33:42 D MANAGEMENT: CMD 'log 500'
19691231 18:00:00
usaf-lt-g
DD-WRT Novice


Joined: 16 Mar 2012
Posts: 43

PostPosted: Sun Jan 15, 2023 23:46    Post subject: Reply with quote
egc wrote:
Necessary documentation is a sticky in this forum


I used the documentation from this forum when I configured it. Looking for some expert troubleshooting advice here. I've been messing with it for a week straight.
usaf-lt-g
DD-WRT Novice


Joined: 16 Mar 2012
Posts: 43

PostPosted: Sun Jan 15, 2023 23:58    Post subject: Reply with quote
Still not working:

Updated Current Server Configuration




Updated Client Side Configuration
*inline certs / keys are hidden*
Code:

client
dev tun
windows-driver wintun
# Use for Windows 10/11 and OpenVPN 2.5.x
proto udp4
remote hidden 1194
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
#tun-mtu 1400 # lowered default can be commented to let OpenVPN decide
auth none #For use with GCM or Chacha ciphers and not using tls-auth otherwise remove
#cipher AES-256-CBC #use AES-256-CBC for older (android) clients
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC
# to block IPv6, necessary on newer clients which otherwise default to IPv6
pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"
block-ipv6


I can confirm I am trying to connect from outside my home network (using cellular network hot spot to test with).

OpenVPN Client log

Code:

Sun Jan 15 17:53:24 2023   pkcs11_private_mode = 00000000
Sun Jan 15 17:53:24 2023   pkcs11_private_mode = 00000000
Sun Jan 15 17:53:24 2023   pkcs11_private_mode = 00000000
Sun Jan 15 17:53:24 2023   pkcs11_private_mode = 00000000
Sun Jan 15 17:53:24 2023   pkcs11_private_mode = 00000000
Sun Jan 15 17:53:24 2023   pkcs11_private_mode = 00000000
Sun Jan 15 17:53:24 2023   pkcs11_private_mode = 00000000
Sun Jan 15 17:53:24 2023   pkcs11_private_mode = 00000000
Sun Jan 15 17:53:24 2023   pkcs11_private_mode = 00000000
Sun Jan 15 17:53:24 2023   pkcs11_private_mode = 00000000
Sun Jan 15 17:53:24 2023   pkcs11_private_mode = 00000000
Sun Jan 15 17:53:24 2023   pkcs11_private_mode = 00000000
Sun Jan 15 17:53:24 2023   pkcs11_private_mode = 00000000
Sun Jan 15 17:53:24 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 17:53:24 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 17:53:24 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 17:53:24 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 17:53:24 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 17:53:24 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 17:53:24 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 17:53:24 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 17:53:24 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 17:53:24 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 17:53:24 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 17:53:24 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 17:53:24 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 17:53:24 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 17:53:24 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 17:53:24 2023   pkcs11_cert_private = DISABLED
Sun Jan 15 17:53:24 2023   pkcs11_pin_cache_period = -1
Sun Jan 15 17:53:24 2023   pkcs11_id = '[UNDEF]'
Sun Jan 15 17:53:24 2023   pkcs11_id_management = DISABLED
Sun Jan 15 17:53:24 2023   server_network = 0.0.0.0
Sun Jan 15 17:53:24 2023   server_netmask = 0.0.0.0
Sun Jan 15 17:53:24 2023   server_network_ipv6 = ::
Sun Jan 15 17:53:24 2023   server_netbits_ipv6 = 0
Sun Jan 15 17:53:24 2023   server_bridge_ip = 0.0.0.0
Sun Jan 15 17:53:24 2023   server_bridge_netmask = 0.0.0.0
Sun Jan 15 17:53:24 2023   server_bridge_pool_start = 0.0.0.0
Sun Jan 15 17:53:24 2023   server_bridge_pool_end = 0.0.0.0
Sun Jan 15 17:53:24 2023   ifconfig_pool_defined = DISABLED
Sun Jan 15 17:53:24 2023   ifconfig_pool_start = 0.0.0.0
Sun Jan 15 17:53:24 2023   ifconfig_pool_end = 0.0.0.0
Sun Jan 15 17:53:24 2023   ifconfig_pool_netmask = 0.0.0.0
Sun Jan 15 17:53:24 2023   ifconfig_pool_persist_filename = '[UNDEF]'
Sun Jan 15 17:53:24 2023   ifconfig_pool_persist_refresh_freq = 600
Sun Jan 15 17:53:24 2023   ifconfig_ipv6_pool_defined = DISABLED
Sun Jan 15 17:53:24 2023   ifconfig_ipv6_pool_base = ::
Sun Jan 15 17:53:24 2023   ifconfig_ipv6_pool_netbits = 0
Sun Jan 15 17:53:24 2023   n_bcast_buf = 256
Sun Jan 15 17:53:24 2023   tcp_queue_limit = 64
Sun Jan 15 17:53:24 2023   real_hash_size = 256
Sun Jan 15 17:53:24 2023   virtual_hash_size = 256
Sun Jan 15 17:53:24 2023   client_connect_script = '[UNDEF]'
Sun Jan 15 17:53:24 2023   learn_address_script = '[UNDEF]'
Sun Jan 15 17:53:24 2023   client_disconnect_script = '[UNDEF]'
Sun Jan 15 17:53:24 2023   client_config_dir = '[UNDEF]'
Sun Jan 15 17:53:24 2023   ccd_exclusive = DISABLED
Sun Jan 15 17:53:24 2023   tmp_dir = 'C:\Users\cgillman\AppData\Local\Temp\'
Sun Jan 15 17:53:24 2023   push_ifconfig_defined = DISABLED
Sun Jan 15 17:53:24 2023   push_ifconfig_local = 0.0.0.0
Sun Jan 15 17:53:24 2023   push_ifconfig_remote_netmask = 0.0.0.0
Sun Jan 15 17:53:24 2023   push_ifconfig_ipv6_defined = DISABLED
Sun Jan 15 17:53:24 2023   push_ifconfig_ipv6_local = ::/0
Sun Jan 15 17:53:24 2023   push_ifconfig_ipv6_remote = ::
Sun Jan 15 17:53:24 2023   enable_c2c = DISABLED
Sun Jan 15 17:53:24 2023   duplicate_cn = DISABLED
Sun Jan 15 17:53:24 2023   cf_max = 0
Sun Jan 15 17:53:24 2023   cf_per = 0
Sun Jan 15 17:53:24 2023   max_clients = 1024
Sun Jan 15 17:53:24 2023   max_routes_per_client = 256
Sun Jan 15 17:53:24 2023   auth_user_pass_verify_script = '[UNDEF]'
Sun Jan 15 17:53:24 2023   auth_user_pass_verify_script_via_file = DISABLED
Sun Jan 15 17:53:24 2023   auth_token_generate = DISABLED
Sun Jan 15 17:53:24 2023   auth_token_lifetime = 0
Sun Jan 15 17:53:24 2023   auth_token_secret_file = '[UNDEF]'
Sun Jan 15 17:53:24 2023   vlan_tagging = DISABLED
Sun Jan 15 17:53:24 2023   vlan_accept = all
Sun Jan 15 17:53:24 2023   vlan_pvid = 1
Sun Jan 15 17:53:24 2023   client = ENABLED
Sun Jan 15 17:53:24 2023   pull = ENABLED
Sun Jan 15 17:53:24 2023   auth_user_pass_file = '[UNDEF]'
Sun Jan 15 17:53:24 2023   show_net_up = DISABLED
Sun Jan 15 17:53:24 2023   route_method = 3
Sun Jan 15 17:53:24 2023   block_outside_dns = DISABLED
Sun Jan 15 17:53:24 2023   ip_win32_defined = DISABLED
Sun Jan 15 17:53:24 2023   ip_win32_type = 1
Sun Jan 15 17:53:24 2023   dhcp_masq_offset = 0
Sun Jan 15 17:53:24 2023   dhcp_lease_time = 31536000
Sun Jan 15 17:53:24 2023   tap_sleep = 0
Sun Jan 15 17:53:24 2023   dhcp_options = DISABLED
Sun Jan 15 17:53:24 2023   dhcp_renew = DISABLED
Sun Jan 15 17:53:24 2023   dhcp_pre_release = DISABLED
Sun Jan 15 17:53:24 2023   domain = '[UNDEF]'
Sun Jan 15 17:53:24 2023   netbios_scope = '[UNDEF]'
Sun Jan 15 17:53:24 2023   netbios_node_type = 0
Sun Jan 15 17:53:24 2023   disable_nbt = DISABLED
Sun Jan 15 17:53:24 2023 OpenVPN 2.5.8 [git:none/0357ceb877687faa] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec  2 2022
Sun Jan 15 17:53:24 2023 Windows version 10.0 (Windows 10 or greater) 64bit
Sun Jan 15 17:53:24 2023 library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
Sun Jan 15 17:53:24 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Jan 15 17:53:24 2023 Need hold release from management interface, waiting...
Sun Jan 15 17:53:24 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Jan 15 17:53:24 2023 MANAGEMENT: CMD 'state on'
Sun Jan 15 17:53:24 2023 MANAGEMENT: CMD 'log on all'
Sun Jan 15 17:53:25 2023 MANAGEMENT: CMD 'echo on all'
Sun Jan 15 17:53:25 2023 MANAGEMENT: CMD 'bytecount 5'
Sun Jan 15 17:53:25 2023 MANAGEMENT: CMD 'state'
Sun Jan 15 17:53:25 2023 MANAGEMENT: CMD 'hold off'
Sun Jan 15 17:53:25 2023 MANAGEMENT: CMD 'hold release'
Sun Jan 15 17:53:25 2023 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sun Jan 15 17:53:25 2023 MANAGEMENT: >STATE:1673826805,RESOLVE,,,,,,
Sun Jan 15 17:53:25 2023 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 AF:14/121 ]
Sun Jan 15 17:53:25 2023 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,auth [null-digest],keysize 128,key-method 2,tls-client'
Sun Jan 15 17:53:25 2023 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,auth [null-digest],keysize 128,key-method 2,tls-server'
Sun Jan 15 17:53:25 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]hidden:1194
Sun Jan 15 17:53:25 2023 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Jan 15 17:53:25 2023 UDPv4 link local: (not bound)
Sun Jan 15 17:53:25 2023 UDPv4 link remote: [AF_INET]hidden:1194
Sun Jan 15 17:53:25 2023 MANAGEMENT: >STATE:1673826805,WAIT,,,,,,
Sun Jan 15 17:54:25 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jan 15 17:54:25 2023 TLS Error: TLS handshake failed
Sun Jan 15 17:54:25 2023 TCP/UDP: Closing socket
Sun Jan 15 17:54:25 2023 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 15 17:54:25 2023 MANAGEMENT: >STATE:1673826865,RECONNECTING,tls-error,,,,,
Sun Jan 15 17:54:25 2023 Restart pause, 5 second(s)
Sun Jan 15 17:54:30 2023 Re-using SSL/TLS context
Sun Jan 15 17:54:30 2023 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sun Jan 15 17:54:30 2023 MANAGEMENT: >STATE:1673826870,RESOLVE,,,,,,
Sun Jan 15 17:54:30 2023 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 AF:14/121 ]
Sun Jan 15 17:54:30 2023 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,auth [null-digest],keysize 128,key-method 2,tls-client'
Sun Jan 15 17:54:30 2023 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,auth [null-digest],keysize 128,key-method 2,tls-server'
Sun Jan 15 17:54:30 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]73.208.229.90:1194
Sun Jan 15 17:54:30 2023 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Jan 15 17:54:30 2023 UDPv4 link local: (not bound)
Sun Jan 15 17:54:30 2023 UDPv4 link remote: [AF_INET]hidden:1194
Sun Jan 15 17:54:30 2023 MANAGEMENT: >STATE:1673826870,WAIT,,,,,,
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

PostPosted: Mon Jan 16, 2023 11:05    Post subject: Reply with quote
usaf-lt-g wrote:
I removed the redundant firewall rule. The firewall is now empty.

I also changed: TLS / Static Key Choice - to None.

I get the same results.

On the server side still receiving:

Code:

20230115 13:33:42 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 13:33:42 D MANAGEMENT: CMD 'state'
20230115 13:33:42 MANAGEMENT: Client disconnected
20230115 13:33:42 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 13:33:42 D MANAGEMENT: CMD 'state'
20230115 13:33:42 MANAGEMENT: Client disconnected
20230115 13:33:42 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 13:33:42 D MANAGEMENT: CMD 'state'
20230115 13:33:42 MANAGEMENT: Client disconnected
20230115 13:33:42 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 13:33:42 MANAGEMENT: Client disconnected
20230115 13:33:42 NOTE: --mute triggered...
20230115 13:33:42 1 variation(s) on previous 3 message(s) suppressed by --mute
20230115 13:33:42 D MANAGEMENT: CMD 'status 2'
20230115 13:33:42 MANAGEMENT: Client disconnected
20230115 13:33:42 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 13:33:42 D MANAGEMENT: CMD 'status 2'
20230115 13:33:42 MANAGEMENT: Client disconnected
20230115 13:33:42 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 13:33:42 D MANAGEMENT: CMD 'log 500'
19691231 18:00:00


What you are showing is not very useful; the client in this case is the router connecting to the OpenVPN server's management interface. This happens each time you look at the Status/OpenVPN tab.

It has no relation to a Client connecting to your OpenVPN server.

If the server has started it shows: Server: CONNECTED SUCCESS

To be sure show a screenshot of the Status OpenVPN page (whole page), and show output of (Command Line interface e.g. telnet/Putty/SSH): grep -i openvpn /var/log/messages

But first let's get some more information; add in the Additional Configuration:
verb 5
Also do this on the client side.

However I do not think the problem is in your server setup.

Your latest post on the client shows this:
Quote:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

From the VPN troubleshooting guide:
Quote:
TLS Error: TLS key negotiation failed to occur within 60 seconds
Server is not reachable, i.e. you have a network connection error (unless you are using TLS-crypt which is not set up correctly):
• Check server address/DDNS
• Check DDNS,
• Check if your WAN has an IPv4 CGNAT address (IP address starting with 100) or Dual stack Lite,
• Check port,
• Check Port Forward if server is not on the primary router.
• Check/disable firewall,
• Sometimes an ISP blocks often used ports; check with your ISP and/or use TCP port 443, this is not blocked.
• Older DDWRT versions block UDP ports when SFE is enabled, so when in doubt disable SFE or CTF.

To check if you can reach the server from the client you can use the ping utility.
Beware not all servers answer to ping.

From the Windows cmd, the Fing app on your phone or ping from the CLI (telnet/Putty) if your client is a DDWRT or other router use:
ping ip-server-address
e.g. ping 8.8.8.8

If your server is a DDWRT router then by default it does not answer to ping so for this test you should disable/uncheck "Block Anonymous WAN Requests (ping)" on the Security tab of the DDWRT OpenVPN server.


In layman's terms it looks like you cannot reach your server from the client side.

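An added example (not from the thread or the DD-WRT troubleshooting guide) that automates three checks from the reply above: whether the server's WAN IPv4 address is CGNAT or otherwise unreachable from outside, whether the client log shows any reply before the 60-second TLS timeout, and whether the server log contains anything other than local management traffic. The function names are hypothetical, and the sample log lines and 203.0.113.x addresses are constructed; note that the CGNAT range is 100.64.0.0/10, so not every address starting with 100 is CGNAT.

```python
"""Triage helpers for 'TLS key negotiation failed' (added example, stdlib only)."""
import ipaddress
import re

CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space
DS_LITE = ipaddress.ip_network("192.0.0.0/29")  # RFC 6333 DS-Lite range
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

STATE_RE = re.compile(r">STATE:\d+,([A-Z_]+),")
PEER_RE = re.compile(r"\[AF_INET\](\d{1,3}(?:\.\d{1,3}){3}):\d+")


def classify_wan_ipv4(addr):
    """Say whether a router's WAN address can accept inbound UDP/1194 at all."""
    ip = ipaddress.IPv4Address(addr)
    if ip in CGNAT:
        return "cgnat"        # ISP NAT in front of the router
    if ip in DS_LITE:
        return "ds-lite"      # IPv4 is tunnelled over IPv6 by the ISP
    if any(ip in net for net in RFC1918):
        return "private"      # router sits behind another NAT device
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return "unusable"
    return "public"


def triage_client_log(lines):
    """Summarise an OpenVPN client log: states seen, timeouts, and a verdict."""
    states, timeouts, saw_reply = [], 0, False
    for line in lines:
        m = STATE_RE.search(line)
        if m:
            states.append(m.group(1))
        if "TLS: Initial packet from" in line:
            saw_reply = True   # the server answered at least once
        if "TLS key negotiation failed to occur within" in line:
            timeouts += 1
    if timeouts and not saw_reply:
        # Nothing came back: path, port, NAT or firewall problem, or the
        # server is silently dropping packets (mismatched tls-auth/tls-crypt).
        verdict = "no-reply"
    elif timeouts:
        verdict = "handshake-stalled"   # reachable, but TLS did not finish
    elif "CONNECTED" in states:
        verdict = "connected"
    else:
        verdict = "inconclusive"
    return {"states": states, "timeouts": timeouts, "verdict": verdict}


def remote_peers(server_lines):
    """Return non-loopback IPv4 peers in a server log, ignoring MANAGEMENT lines."""
    peers = set()
    for line in server_lines:
        if "MANAGEMENT" in line:
            continue           # the router's own status page polling the daemon
        for m in PEER_RE.finditer(line):
            try:
                ip = ipaddress.IPv4Address(m.group(1))
            except ValueError:
                continue
            if not ip.is_loopback:
                peers.add(str(ip))
    return peers


# Constructed sample input, modelled on the log format shown in this thread.
CLIENT_LOG = """\
Sun Jan 15 17:53:25 2023 MANAGEMENT: >STATE:1673826805,RESOLVE,,,,,,
Sun Jan 15 17:53:25 2023 UDPv4 link remote: [AF_INET]203.0.113.10:1194
Sun Jan 15 17:53:25 2023 MANAGEMENT: >STATE:1673826805,WAIT,,,,,,
Sun Jan 15 17:54:25 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jan 15 17:54:25 2023 MANAGEMENT: >STATE:1673826865,RECONNECTING,tls-error,,,,,
""".splitlines()

SERVER_LOG_MGMT_ONLY = """\
20230115 13:33:42 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20230115 13:33:42 D MANAGEMENT: CMD 'state'
20230115 13:33:42 MANAGEMENT: Client disconnected
""".splitlines()

SERVER_LOG_WITH_CLIENT = SERVER_LOG_MGMT_ONLY + [
    "20230115 13:40:01 203.0.113.77:51820 TLS: Initial packet from "
    "[AF_INET]203.0.113.77:51820, sid=0123abcd 4567ef01",
]

if __name__ == "__main__":
    for wan in ("100.72.14.9", "100.1.2.3", "192.168.1.2", "203.0.113.10"):
        print(wan, "->", classify_wan_ipv4(wan))
    print(triage_client_log(CLIENT_LOG))
    print("peers (mgmt only):", remote_peers(SERVER_LOG_MGMT_ONLY))
    print("peers (with client):", remote_peers(SERVER_LOG_WITH_CLIENT))
```

A `no-reply` verdict on the client together with an empty peer set on the server means the packets never arrived, which points at the address, port, NAT or firewall items in the checklist rather than at certificates.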