Posted: Fri Dec 31, 2021 22:04 Post subject: [SOLVED] OpenVPN client not connecting to server
It has been a long time since I set up OpenVPN, and I really hacked away at it then. I used the current guides on this site, and tried to follow them exactly (well, other than IP addresses). I thought that when the OpenVPN server started it started a 'tun' device which could be seen with ipconfig, but not this time. And when I go to the web page "status/openvpn" on the server I don't see anything, so maybe I am more busted than I think. Build is 47925 and I am trying to use R7450 routers (the new version of the R7800) to do this.
Below is the server config from the CLI for both server and client, along with the associated logs.
-----------server config -----------
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 443
proto udp4
data-ciphers CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
tls-server
duplicate-cn
client-to-client
push "redirect-gateway def1"
fast-io
tun-mtu 1400
mtu-disc yes
server 192.168.62.0 255.255.255.0
dev tun2
dh none
ecdh-curve secp384r1
route-up /tmp/openvpn/route-up.sh
route-pre-down /tmp/openvpn/route-down.sh
verb 5
#only for site to site
push "dhcp-option DNS 192.168.61.1" #push serves DNSMasq
push "dhcp-option DOMAIN cottage" #push servers DOMAIN
route 192.168.71.0 255.255.255.0 vpn gateway #route to client
data-ciphers-fallback AES-256-CBC
-------------------server messages
Dec 31 16:38:55 cottage user.info : [openvpn] : OpenVPN daemon (Server) starting/restarting...
Dec 31 16:38:55 cottage daemon.warn openvpn[2547]: Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
Dec 31 16:38:55 cottage daemon.warn openvpn[2547]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Dec 31 16:38:55 cottage daemon.notice openvpn[2547]: Current Parameter Settings:
Dec 31 16:38:55 cottage daemon.notice openvpn[2547]: config = '/tmp/openvpn/openvpn.conf'
Dec 31 16:38:55 cottage daemon.notice openvpn[2547]: mode = 1
Dec 31 16:38:55 cottage daemon.notice openvpn[2547]: NOTE: --mute triggered...
Dec 31 16:38:55 cottage daemon.notice openvpn[2547]: 244 variation(s) on previous 3 message(s) suppressed by --mute
Dec 31 16:38:55 cottage daemon.notice openvpn[2547]: OpenVPN 2.5.5 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 28 2021
Dec 31 16:38:55 cottage daemon.notice openvpn[2547]: library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.09
Dec 31 16:38:55 cottage daemon.notice openvpn[2549]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
Dec 31 16:38:55 cottage daemon.warn openvpn[2549]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Dec 31 16:38:55 cottage daemon.notice openvpn[2549]: net_route_v4_best_gw query: dst 0.0.0.0
Dec 31 16:38:55 cottage daemon.notice openvpn[2549]: net_route_v4_best_gw result: via 192.168.2.1 dev vlan2
Dec 31 16:38:55 cottage daemon.warn openvpn[2549]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 31 16:38:55 cottage daemon.notice openvpn[2549]: ECDH curve secp384r1 added
Dec 31 16:38:55 cottage daemon.warn openvpn[2549]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Dec 31 16:38:55 cottage daemon.notice openvpn[2549]: TLS-Auth MTU parms [ L:1521 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Dec 31 16:38:55 cottage daemon.notice openvpn[2549]: net_route_v4_best_gw query: dst 0.0.0.0
Dec 31 16:38:55 cottage daemon.notice openvpn[2549]: net_route_v4_best_gw result: via 192.168.2.1 dev vlan2
Dec 31 16:38:55 cottage daemon.err openvpn[2549]: RESOLVE: Cannot resolve host address: vpn: (Name does not resolve)
------------------------------------------------------
client messages follow
Dec 31 16:35:43 cottage_client daemon.notice openvpn[3317]: TCP/UDP: Preserving recently used remote address: [AF_INET]174.92.190.147:443
Dec 31 16:35:43 cottage_client daemon.notice openvpn[3317]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Dec 31 16:35:43 cottage_client daemon.notice openvpn[3317]: UDPv4 link local: (not bound)
Dec 31 16:35:43 cottage_client daemon.notice openvpn[3317]: UDPv4 link remote: [AF_INET]174.92.190.147:443
Dec 31 16:36:43 cottage_client daemon.err openvpn[3317]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 31 16:36:43 cottage_client daemon.err openvpn[3317]: TLS Error: TLS handshake failed
Dec 31 16:36:43 cottage_client daemon.notice openvpn[3317]: SIGUSR1[soft,tls-error] received, process restarting
Dec 31 16:36:43 cottage_client daemon.notice openvpn[3317]: Restart pause, 300 second(s)
Dec 31 16:41:43 cottage_client daemon.warn openvpn[3317]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 31 16:41:43 cottage_client daemon.warn openvpn[3317]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Dec 31 16:41:43 cottage_client daemon.notice openvpn[3317]: TCP/UDP: Preserving recently used remote address: [AF_INET]174.92.190.147:443
Dec 31 16:41:43 cottage_client daemon.notice openvpn[3317]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Dec 31 16:41:43 cottage_client daemon.notice openvpn[3317]: UDPv4 link local: (not bound)
Dec 31 16:41:43 cottage_client daemon.notice openvpn[3317]: UDPv4 link remote: [AF_INET]174.92.190.147:443
Dec 31 16:42:43 cottage_client daemon.err openvpn[3317]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 31 16:42:43 cottage_client daemon.err openvpn[3317]: TLS Error: TLS handshake failed
Dec 31 16:42:43 cottage_client daemon.notice openvpn[3317]: SIGUSR1[soft,tls-error] received, process restarting
Dec 31 16:42:43 cottage_client daemon.notice openvpn[3317]: Restart pause, 300 second(s)
Dec 31 16:47:43 cottage_client daemon.warn openvpn[3317]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 31 16:47:43 cottage_client daemon.warn openvpn[3317]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Posted: Fri Dec 31, 2021 23:06 Post subject: working a little better, still not good, Client not working
Still broken, but a little better...
It may be something with certs, I don't know...
I commented out these lines:
#only for site to site
# push "dhcp-option DNS 192.168.61.1" #push serves DNSMasq
# push "dhcp-option DOMAIN cottage" #push servers DOMAIN
# route 192.168.71.0 255.255.255.0 vpn gateway #route to client
Now the server comes up... I think.
Dec 31 17:45:11 cottage_client daemon.notice openvpn[1999]: TCP/UDP: Preserving recently used remote address: [AF_INET]174.92.190.147:443
Dec 31 17:45:11 cottage_client daemon.notice openvpn[1999]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Dec 31 17:45:11 cottage_client daemon.notice openvpn[1999]: UDPv4 link local: (not bound)
Dec 31 17:45:11 cottage_client daemon.notice openvpn[1999]: UDPv4 link remote: [AF_INET]174.92.190.147:443
Dec 31 17:45:54 cottage_client authpriv.info dropbear[2645]: Child connection from 192.168.71.194:52357
Dec 31 17:46:04 cottage_client authpriv.notice dropbear[2645]: Password auth succeeded for 'root' from 192.168.71.194:52357
Dec 31 17:46:11 cottage_client daemon.err openvpn[1999]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 31 17:46:11 cottage_client daemon.err openvpn[1999]: TLS Error: TLS handshake failed
Dec 31 17:46:11 cottage_client daemon.notice openvpn[1999]: SIGUSR1[soft,tls-error] received, process restarting
Dec 31 17:46:11 cottage_client daemon.notice openvpn[1999]: Restart pause, 5 second(s)
Dec 31 17:46:16 cottage_client daemon.warn openvpn[1999]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 31 17:46:16 cottage_client daemon.warn openvpn[1999]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Dec 31 17:46:16 cottage_client daemon.notice openvpn[1999]: TCP/UDP: Preserving recently used remote address: [AF_INET]174.92.190.147:443
Dec 31 17:46:16 cottage_client daemon.notice openvpn[1999]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Dec 31 17:46:16 cottage_client daemon.notice openvpn[1999]: UDPv4 link local: (not bound)
Dec 31 17:46:16 cottage_client daemon.notice openvpn[1999]: UDPv4 link remote: [AF_INET]174.92.190.147:443
----------------------------client config follows
root@cottage_client:/tmp/openvpncl# cat openvpn.conf
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
resolv-retry infinite
nobind
script-security 2
client
dev tun1
proto udp4
cipher AES-256-CBC
auth sha512
data-ciphers AES-256-CBC:AES-128-GCM:AES-256-GCM
remote pellancam.no-ip.org 443
tun-mtu 1400
mtu-disc yes
remote-cert-tls server
fast-io
route-up /tmp/openvpncl/route-up.sh
route-pre-down /tmp/openvpncl/route-down.sh
----------------server status
State
Server: CONNECTED SUCCESS
Local Address: 192.168.62.1
Remote Address: 192.168.62.1
---------------- server log
Serverlog:
19691231 19:00:19 W Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
19691231 19:00:19 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
19691231 19:00:19 Current Parameter Settings:
19691231 19:00:19 config = '/tmp/openvpn/openvpn.conf'
19691231 19:00:19 mode = 1
19691231 19:00:19 NOTE: --mute triggered...
19691231 19:00:19 241 variation(s) on previous 3 message(s) suppressed by --mute
19691231 19:00:19 I OpenVPN 2.5.5 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 28 2021
19691231 19:00:19 I library versions: OpenSSL 1.1.1l 24 Aug 2021 LZO 2.09
19691231 19:00:19 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
19691231 19:00:19 W WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
19691231 19:00:19 net_route_v4_best_gw query: dst 0.0.0.0
19691231 19:00:19 net_route_v4_best_gw result: via 0.0.0.0 dev
19691231 19:00:19 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19691231 19:00:19 W WARNING: Your certificate is not yet valid!
19691231 19:00:19 ECDH curve secp384r1 added
19691231 19:00:19 W WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)
19691231 19:00:19 TLS-Auth MTU parms [ L:1521 D:1212 EF:38 EB:0 ET:0 EL:3 ]
19691231 19:00:19 I TUN/TAP device tun2 opened
19691231 19:00:19 do_ifconfig ipv4=1 ipv6=0
19691231 19:00:19 I net_iface_mtu_set: mtu 1400 for tun2
19691231 19:00:19 I net_iface_up: set tun2 up
19691231 19:00:19 I net_addr_v4_add: 192.168.62.1/24 dev tun2
19691231 19:00:19 Data Channel MTU parms [ L:1521 D:1450 EF:121 EB:389 ET:0 EL:3 ]
19691231 19:00:19 Socket Buffers: R=[163840->163840] S=[163840->163840]
19691231 19:00:19 I UDPv4 link local (bound): [AF_INET][undef]:443
19691231 19:00:19 I UDPv4 link remote: [AF_UNSPEC]
19691231 19:00:19 MULTI: multi_init called r=256 v=256
19691231 19:00:19 IFCONFIG POOL IPv4: base=192.168.62.2 size=253
19691231 19:00:19 I Initialization Sequence Completed
20211231 17:53:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20211231 17:53:28 D MANAGEMENT: CMD 'state'
20211231 17:53:28 MANAGEMENT: Client disconnected
20211231 17:53:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20211231 17:53:28 D MANAGEMENT: CMD 'state'
20211231 17:53:28 MANAGEMENT: Client disconnected
20211231 17:53:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20211231 17:53:28 D MANAGEMENT: CMD 'state'
20211231 17:53:28 MANAGEMENT: Client disconnected
20211231 17:53:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20211231 17:53:28 MANAGEMENT: Client disconnected
20211231 17:53:28 NOTE: --mute triggered...
20211231 17:53:28 1 variation(s) on previous 3 message(s) suppressed by --mute
20211231 17:53:28 D MANAGEMENT: CMD 'status 2'
20211231 17:53:28 MANAGEMENT: Client disconnected
20211231 17:53:28 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20211231 17:53:28 D MANAGEMENT: CMD 'status 2'
20211231 17:53:28 MANAGEMENT: Client disconnected
20211231 17:53:29 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20211231 17:53:29 D MANAGEMENT: CMD 'log 500'
20211231 17:53:29 MANAGEMENT: Client disconnected
20211231 17:55:25 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20211231 17:55:25 D MANAGEMENT: CMD 'state'
20211231 17:55:25 MANAGEMENT: Client disconnected
20211231 17:55:25 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20211231 17:55:25 D MANAGEMENT: CMD 'state'
20211231 17:55:25 MANAGEMENT: Client disconnected
20211231 17:55:25 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20211231 17:55:25 D MANAGEMENT: CMD 'state'
20211231 17:55:25 MANAGEMENT: Client disconnected
20211231 17:55:25 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20211231 17:55:25 MANAGEMENT: Client disconnected
20211231 17:55:25 NOTE: --mute triggered...
20211231 17:55:25 1 variation(s) on previous 3 message(s) suppressed by --mute
20211231 17:55:25 D MANAGEMENT: CMD 'status 2'
20211231 17:55:25 MANAGEMENT: Client disconnected
20211231 17:55:25 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20211231 17:55:25 D MANAGEMENT: CMD 'status 2'
20211231 17:55:25 MANAGEMENT: Client disconnected
20211231 17:55:25 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20211231 17:55:25 D MANAGEMENT: CMD 'log 500'
19691231 19:00:00
------------------- server config follows from /tmp/
root@cottage:/tmp/openvpn# cat openvpn.conf
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 443
proto udp4
data-ciphers CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
tls-server
duplicate-cn
client-to-client
push "redirect-gateway def1"
fast-io
tun-mtu 1400
mtu-disc yes
server 192.168.62.0 255.255.255.0
dev tun2
dh none
ecdh-curve secp384r1
route-up /tmp/openvpn/route-up.sh
route-pre-down /tmp/openvpn/route-down.sh
verb 5
#only for site to site
# push "dhcp-option DNS 192.168.61.1" #push serves DNSMasq
# push "dhcp-option DOMAIN cottage" #push servers DOMAIN
# route 192.168.71.0 255.255.255.0 vpn gateway #route to client
data-ciphers-fallback AES-256-CBC
--------------------------------
As you can see above, I took out those 3 lines and then got
Server: CONNECTED SUCCESS
---------------------------------------
Still no tun device when I run ifconfig.
The client still cannot resolve DNS.
It may be because of the following line in the log, but I have waited a day after I created them with EasyRSA ver 3:
19691231 19:00:19 W WARNING: Your certificate is not yet valid!
Joined: 18 Mar 2014 Posts: 12885 Location: Netherlands
Posted: Sat Jan 01, 2022 9:03 Post subject:
The server does not start because this line is wrong:
Quote:
route 192.168.71.0 255.255.255.0 vpn gateway #route to client
You should use vpn_gateway (note the underscore)
Those rules you commented out are only for site-to-site setup.
On the server side remove the:
data-ciphers-fallback AES-256-CBC
It looks like you control both sides, and using newer ciphers, e.g. CHACHA-POLY, is preferable.
On the client side also set the ciphers according to the guide, so use CHACHA20-POLY1305, AES-128-GCM, AES-256-GCM.
However, this does not account for the TLS error; this error points to a network error, i.e. your client cannot reach your server.
Things to do:
Reboot server and client
Instead of the DDNS address in the client use the IP address of the server
See the VPN troubleshooting guide for further tips:
Quote:
TLS Error: TLS key negotiation failed to occur within 60 seconds
Server is not reachable, i.e. you have a network connection error (unless you are using TLS-crypt, which is not set up correctly):
• Check server address/DDNS
• Check DDNS,
• Check port,
• Check Port Forward if server is not on the primary router.
• Check /disable firewall
• Sometimes an ISP blocks often-used ports. Check with your ISP and/or use TCP port 443, which is not blocked.
• Older DD-WRT versions block UDP ports when SFE is enabled, so when in doubt disable SFE.
To check if you can reach the server from the client you can use the ping utility.
Beware: not all servers answer to ping.
From the Windows cmd, the Fing app on your phone, or ping from the CLI (telnet/PuTTY) if your client is a DD-WRT or other router, use:
ping ip-server-address
e.g. ping 8.8.8.8
If your server is a DD-WRT router then by default it does not answer to ping, so for this test you should disable/uncheck "Block Anonymous WAN Requests (ping)" on the Security tab.
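A small triage script, added here as an example; it is my code, not DD-WRT's, OpenVPN's, or the code of anyone in this thread. It lints a server config for the points raised in this answer and maps the three telling log lines from the posts above to a likely cause: `route ... vpn gateway` is read by OpenVPN as gateway `vpn` plus metric `gateway`, so `vpn` gets resolved as a hostname (the `RESOLVE: Cannot resolve host address: vpn` error), the client's `TLS key negotiation failed` line is the connectivity checklist above, and `Your certificate is not yet valid` next to log timestamps dated 19691231 suggests the router's clock had not synced when OpenVPN started. The config and log excerpts embedded in the script are shortened copies constructed from this thread; the finding codes and messages are my own naming.

```python
"""Lint an OpenVPN server config and triage syslog lines for the mistakes seen in this thread.

Added example, not part of DD-WRT or OpenVPN. The sample config and log below are
shortened copies constructed from the forum posts.
"""
import ipaddress
import re

# Constructed excerpt of the posted server config (the 'vpn gateway' typo is the real bug)
SAMPLE_CONF = """\
management 127.0.0.1 14
topology subnet
data-ciphers CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM
client-config-dir /tmp/openvpn/ccd
duplicate-cn
server 192.168.62.0 255.255.255.0
route 192.168.71.0 255.255.255.0 vpn gateway #route to client
data-ciphers-fallback AES-256-CBC
"""

# Constructed log excerpt: one server line, one client line, one line from the status page
SAMPLE_LOG = """\
Dec 31 16:38:55 cottage daemon.err openvpn[2549]: RESOLVE: Cannot resolve host address: vpn: (Name does not resolve)
Dec 31 16:36:43 cottage_client daemon.err openvpn[3317]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
19691231 19:00:19 W WARNING: Your certificate is not yet valid!
"""

# Gateway keywords OpenVPN accepts in a 'route' line; each is a single token
ROUTE_GW_KEYWORDS = {"vpn_gateway", "net_gateway", "remote_host"}
LEGACY_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "AES-128-CBC", "AES-192-CBC", "AES-256-CBC"}


def parse_conf(text):
    """Yield (directive, args) for each non-comment, non-blank config line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def lint_conf(text):
    """Return (code, message) pairs; codes are this script's own names."""
    directives = list(parse_conf(text))
    names = {d for d, _ in directives}
    findings = []
    for d, args in directives:
        if d == "route" and len(args) >= 3:
            # route <network> [netmask [gateway [metric]]]: the gateway is one token
            gw = args[2]
            if gw not in ROUTE_GW_KEYWORDS and not is_ipv4(gw):
                hint = ""
                if len(args) >= 4 and f"{gw}_{args[3]}" in ROUTE_GW_KEYWORDS:
                    hint = f" (did you mean '{gw}_{args[3]}'?)"
                findings.append(("route-gateway",
                                 f"route gateway '{gw}' is neither an IPv4 address nor a keyword; "
                                 f"OpenVPN will try to resolve it as a hostname{hint}"))
        elif d == "management" and len(args) == 2 and not args[0].startswith("/"):
            # management <ip> <port> [pw-file]: a TCP listener with no pw-file
            findings.append(("management-no-password",
                             f"management interface on TCP {args[0]}:{args[1]} has no pw-file"))
        elif d == "data-ciphers-fallback" and args and args[0].upper() in LEGACY_CIPHERS:
            findings.append(("legacy-fallback",
                             f"data-ciphers-fallback {args[0]} keeps a CBC cipher negotiable; "
                             "drop it when you control both ends"))
    if "duplicate-cn" in names and "client-config-dir" in names:
        findings.append(("duplicate-cn-ccd",
                         "duplicate-cn makes per-client ccd files ambiguous (OpenVPN logs a warning)"))
    return findings


# (code, pattern, message template) for the log lines discussed in the thread
LOG_RULES = [
    ("unresolvable-host",
     re.compile(r"RESOLVE: Cannot resolve host address: (?P<host>[^:\s]+)"),
     "a config directive names host '{host}', which does not resolve; "
     "look for a typo such as 'vpn gateway' instead of vpn_gateway"),
    ("tls-timeout",
     re.compile(r"TLS key negotiation failed to occur within (?P<secs>\d+) seconds"),
     "no TLS handshake within {secs}s: the client never reached the server "
     "(check address/DDNS, port, port forward, firewall)"),
    ("cert-not-yet-valid",
     re.compile(r"certificate is not yet valid"),
     "certificate notBefore is later than the local clock; 1969/1970 log dates mean NTP has not synced"),
]


def triage_log(text):
    """Map each log line to the first matching rule; returns (code, detail) pairs."""
    hits = []
    for line in text.splitlines():
        for code, pattern, template in LOG_RULES:
            m = pattern.search(line)
            if m:
                hits.append((code, template.format(**m.groupdict())))
                break
    return hits


if __name__ == "__main__":
    for code, msg in lint_conf(SAMPLE_CONF) + triage_log(SAMPLE_LOG):
        print(f"{code}: {msg}")
```

Run it as-is to see the four config findings and the three log hits for the constructed samples; point `lint_conf` and `triage_log` at the real `/tmp/openvpn/openvpn.conf` and a `logread` capture to triage a live router. The gateway check is the one that catches the bug this thread was about: anything in the gateway position that is neither an IPv4 address nor one of the three keywords will be handed to the resolver, which is exactly the `RESOLVE:` error in the first server log.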
Fixed.
You are totally awesome.
I used a tethered connection through a phone and an ethernet adapter, and fixed my stupid finger check, and "Bob is your Uncle".
Much easier with a set of docs like you produced; very well done.