VPN was working, server changed IP, now broken

Moderators: TinCanTech
stevebiggs
OpenVpn Newbie
Posts: 11
Joined: Wed Jan 18, 2017 4:24 pm

VPN was working, server changed IP, now broken

Post by stevebiggs » Thu Feb 02, 2017 9:30 pm

Hi,

I have a VPN that was working. The server is at my home and our broadband connection has a dynamic IP from our ISP. However, I have a dynamic DNS system set-up so that my domain automatically updates to the new IP.

The problem is that since the IP changed, I can still connect to the VPN (and then ssh into the server using its LAN IP, for example) but I cannot ping the DNS server (i.e. our broadband router) on my LAN or get any internet access via ping, browser or otherwise.

I have tried re-starting the server and the router but that makes no difference. Nothing else has changed and it was working before so I am rather confused. Also, as a relative beginner with VPNs, I don't really know how to diagnose (and thus solve) the problem.

Can anyone help with this please?

Thanks :)

Here's my client config:

Code:

    client
    dev tun
    proto tcp
    remote mydomain.com 443
    resolv-retry infinite
    nobind
    user nobody
    group nogroup
    persist-key
    persist-tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/client_hostname.crt
    key /etc/openvpn/client_hostname.key
    ns-cert-type server
    comp-lzo
    verb 3
    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
And my server config:

Code:

    port 443
    proto tcp
    dev tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    key /etc/openvpn/server.key  # This file should be kept secret
    dh /etc/openvpn/dh1024.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "route 10.66.77.0 255.255.255.0"
    push "redirect-gateway def1"
    push "dhcp-option DNS 10.66.77.1"
    keepalive 10 120
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: VPN was working, server changed IP, now broken

Post by TinCanTech » Fri Feb 03, 2017 12:01 am

stevebiggs wrote: I have a dynamic DNS system set-up so that my domain automatically updates to the new IP
Does that work .. ?

stevebiggs
OpenVpn Newbie
Posts: 11
Joined: Wed Jan 18, 2017 4:24 pm

Re: VPN was working, server changed IP, now broken

Post by stevebiggs » Fri Feb 03, 2017 10:57 pm

Yes. For one, I can connect to the VPN, I just can't connect to devices beyond the server. For two, the server is also hosting a website that can be accessed successfully. So the dynamic DNS is definitely working. You're right to ask though, as this is the only thing that has changed.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: VPN was working, server changed IP, now broken

Post by TinCanTech » Fri Feb 03, 2017 11:46 pm

Please post your openvpn logs.

stevebiggs
OpenVpn Newbie
Posts: 11
Joined: Wed Jan 18, 2017 4:24 pm

Re: VPN was working, server changed IP, now broken

Post by stevebiggs » Sat Feb 04, 2017 8:20 am

No log on client. Log on server is empty. I'll have to try the connection again to see if that logs something. I can't do that till Monday. Please check back then. Cheers :)

stevebiggs
OpenVpn Newbie
Posts: 11
Joined: Wed Jan 18, 2017 4:24 pm

Re: VPN was working, server changed IP, now broken

Post by stevebiggs » Mon Feb 06, 2017 9:35 am

Here are the logs then. The "real address" (123.45.678.9) is made up, but the actual numbers for this in the log are just the public IP address of the internet connection at the client end. The bit after the colon is real though. What's that about? Is that a port number or something? Is that a problem?

Also, I notice in the routing table that there is no mention of the DNS server (my home broadband router) which should be at 10.66.77.1. Is that a problem?

Many thanks :)

Code:

OpenVPN CLIENT LIST
Updated,Mon Feb  6 09:24:40 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client_hostname,123.45.678.9:41183,45856,61662,Mon Feb  6 09:20:24 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.10,client_hostname,123.45.678.9:41183,Mon Feb  6 09:24:39 2017
GLOBAL STATS
Max bcast/mcast queue length,0
END

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: VPN was working, server changed IP, now broken

Post by TinCanTech » Mon Feb 06, 2017 12:02 pm

See --log & --verb in The Manual v24x

stevebiggs
OpenVpn Newbie
Posts: 11
Joined: Wed Jan 18, 2017 4:24 pm

Re: VPN was working, server changed IP, now broken

Post by stevebiggs » Tue Feb 07, 2017 11:14 am

Ah ha, OK, here we go then. This is with verb=3.

Again, IP addresses, hostnames, MAC addresses, etc. have been changed (but matching ones changed to the same thing, obv).

Notice on the server log that it appears there were a few hack attempts but they don't seem to have got anywhere. Should I be worried about this?

As for why I can't ping my DNS server (broadband router) on 10.66.77.1... I don't know. Any ideas? There are a couple of successful connections in the server log from my laptop (client_hostname).

Notice that there is an IP somewhere that begins 10.66.xx.yy, which is the same start as my home subnet, 10.66.77.0, although the third bit is different (my home subnet uses 77 while theirs is something else). Presumably this is not a problem?

Client log:

Code:

Tue Feb  7 09:38:00 2017 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014
Tue Feb  7 09:38:00 2017 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Feb  7 09:38:00 2017 WARNING: file '/etc/openvpn/client_hostname.key' is group or others accessible
Tue Feb  7 09:38:00 2017 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Feb  7 09:38:00 2017 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Tue Feb  7 09:38:00 2017 Attempting to establish TCP connection with [AF_INET]98.765.432.109:443 [nonblock]
Tue Feb  7 09:38:01 2017 TCP connection established with [AF_INET]98.765.432.109:443
Tue Feb  7 09:38:01 2017 TCPv4_CLIENT link local: [undef]
Tue Feb  7 09:38:01 2017 TCPv4_CLIENT link remote: [AF_INET]98.765.432.109:443
Tue Feb  7 09:38:01 2017 TLS: Initial packet from [AF_INET]98.765.432.109:443, sid=88e240f7 ba14985c
Tue Feb  7 09:38:02 2017 VERIFY OK: depth=1, C=UK, ST=County, L=City, O=Organisation, OU=Unit, CN=server_hostname, name=MyHomeVpnKey, emailAddress=me@email.com
Tue Feb  7 09:38:02 2017 VERIFY OK: nsCertType=SERVER
Tue Feb  7 09:38:02 2017 VERIFY OK: depth=0, C=UK, ST=County, L=City, O=Organisation, OU=Unit, CN=server, name=MyHomeVpnKey, emailAddress=me@email.com
Tue Feb  7 09:38:04 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Feb  7 09:38:04 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  7 09:38:04 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Feb  7 09:38:04 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  7 09:38:04 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Feb  7 09:38:04 2017 [server] Peer Connection Initiated with [AF_INET]98.765.432.109:443
Tue Feb  7 09:38:06 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Feb  7 09:38:06 2017 PUSH: Received control message: 'PUSH_REPLY,route 10.66.77.0 255.255.255.0,redirect-gateway def1,dhcp-option DNS 10.66.77.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9'
Tue Feb  7 09:38:06 2017 OPTIONS IMPORT: timers and/or timeouts modified
Tue Feb  7 09:38:06 2017 OPTIONS IMPORT: --ifconfig/up options modified
Tue Feb  7 09:38:06 2017 OPTIONS IMPORT: route options modified
Tue Feb  7 09:38:06 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Feb  7 09:38:06 2017 ROUTE_GATEWAY 10.66.8.1/255.255.252.0 IFACE=wlan1 HWADDR=1a:2b:3c:4d:5e:6f
Tue Feb  7 09:38:06 2017 TUN/TAP device tun0 opened
Tue Feb  7 09:38:06 2017 TUN/TAP TX queue length set to 100
Tue Feb  7 09:38:06 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Feb  7 09:38:06 2017 /sbin/ip link set dev tun0 up mtu 1500
Tue Feb  7 09:38:06 2017 /sbin/ip addr add dev tun0 local 10.8.0.10 peer 10.8.0.9
Tue Feb  7 09:38:06 2017 /etc/openvpn/update-resolv-conf tun0 1500 1544 10.8.0.10 10.8.0.9 init
dhcp-option DNS 10.66.77.1
Tue Feb  7 09:38:08 2017 /sbin/ip route add 98.765.432.109/32 via 10.66.8.1
Tue Feb  7 09:38:08 2017 /sbin/ip route add 0.0.0.0/1 via 10.8.0.9
Tue Feb  7 09:38:08 2017 /sbin/ip route add 128.0.0.0/1 via 10.8.0.9
Tue Feb  7 09:38:08 2017 /sbin/ip route add 10.66.77.0/24 via 10.8.0.9
Tue Feb  7 09:38:08 2017 /sbin/ip route add 10.8.0.1/32 via 10.8.0.9
Tue Feb  7 09:38:08 2017 GID set to nogroup
Tue Feb  7 09:38:08 2017 UID set to nobody
Tue Feb  7 09:38:08 2017 Initialization Sequence Completed

Server log:

Code:

Thu Nov 19 09:56:49 2015 OpenVPN 2.2.1 arm-linux-gnueabihf [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec  1 2014
Thu Nov 19 09:56:49 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Nov 19 09:56:49 2015 Diffie-Hellman initialized with 1024 bit key
Thu Nov 19 09:56:49 2015 TLS-Auth MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Nov 19 09:56:49 2015 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Nov 19 09:56:49 2015 ROUTE: default_gateway=UNDEF
Thu Nov 19 09:56:49 2015 TUN/TAP device tun0 opened
Thu Nov 19 09:56:49 2015 TUN/TAP TX queue length set to 100
Thu Nov 19 09:56:49 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Nov 19 09:56:49 2015 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Thu Nov 19 09:56:49 2015 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Thu Nov 19 09:56:49 2015 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Nov 19 09:56:49 2015 GID set to nogroup
Thu Nov 19 09:56:49 2015 UID set to nobody
Thu Nov 19 09:56:49 2015 Listening for incoming TCP connection on [undef]
Thu Nov 19 09:56:49 2015 TCPv4_SERVER link local (bound): [undef]
Thu Nov 19 09:56:49 2015 TCPv4_SERVER link remote: [undef]
Thu Nov 19 09:56:49 2015 MULTI: multi_init called, r=256 v=256
Thu Nov 19 09:56:49 2015 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Thu Nov 19 09:56:49 2015 ifconfig_pool_read(), in='some_other_client_hostname,10.8.0.4', TODO: IPv6
Thu Nov 19 09:56:49 2015 succeeded -> ifconfig_pool_set()
Thu Nov 19 09:56:49 2015 IFCONFIG POOL LIST
Thu Nov 19 09:56:49 2015 some_other_client_hostname,10.8.0.4
Thu Nov 19 09:56:49 2015 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Nov 19 09:56:49 2015 Initialization Sequence Completed
Mon Feb  6 12:56:49 2017 MULTI: multi_create_instance called
Mon Feb  6 12:56:49 2017 Re-using SSL/TLS context
Mon Feb  6 12:56:49 2017 LZO compression initialized
Mon Feb  6 12:56:49 2017 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon Feb  6 12:56:49 2017 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Feb  6 12:56:49 2017 Local Options hash (VER=V4): 'c0103fa8'
Mon Feb  6 12:56:49 2017 Expected Remote Options hash (VER=V4): '69109d17'
Mon Feb  6 12:56:49 2017 TCP connection established with [AF_INET]555.666.369.13:11240
Mon Feb  6 12:56:49 2017 TCPv4_SERVER link local: [undef]
Mon Feb  6 12:56:49 2017 TCPv4_SERVER link remote: [AF_INET]555.666.369.13:11240
Mon Feb  6 12:56:51 2017 555.666.369.13:11240 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1544 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mon Feb  6 12:56:51 2017 555.666.369.13:11240 Connection reset, restarting [0]
Mon Feb  6 12:56:51 2017 555.666.369.13:11240 SIGUSR1[soft,connection-reset] received, client-instance restarting
Mon Feb  6 12:56:51 2017 TCP/UDP: Closing socket
Mon Feb  6 17:57:10 2017 MULTI: multi_create_instance called
Mon Feb  6 17:57:10 2017 Re-using SSL/TLS context
Mon Feb  6 17:57:10 2017 LZO compression initialized
Mon Feb  6 17:57:10 2017 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon Feb  6 17:57:10 2017 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Feb  6 17:57:10 2017 Local Options hash (VER=V4): 'c0103fa8'
Mon Feb  6 17:57:10 2017 Expected Remote Options hash (VER=V4): '69109d17'
Mon Feb  6 17:57:10 2017 TCP connection established with [AF_INET]321.654.753.159:38336
Mon Feb  6 17:57:10 2017 TCPv4_SERVER link local: [undef]
Mon Feb  6 17:57:10 2017 TCPv4_SERVER link remote: [AF_INET]321.654.753.159:38336
Mon Feb  6 17:57:10 2017 321.654.753.159:38336 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1544 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Mon Feb  6 17:57:10 2017 321.654.753.159:38336 Connection reset, restarting [0]
Mon Feb  6 17:57:10 2017 321.654.753.159:38336 SIGUSR1[soft,connection-reset] received, client-instance restarting
Mon Feb  6 17:57:10 2017 TCP/UDP: Closing socket
Mon Feb  6 19:49:41 2017 MULTI: multi_create_instance called
Mon Feb  6 19:49:41 2017 Re-using SSL/TLS context
Mon Feb  6 19:49:41 2017 LZO compression initialized
Mon Feb  6 19:49:41 2017 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon Feb  6 19:49:41 2017 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Feb  6 19:49:41 2017 Local Options hash (VER=V4): 'c0103fa8'
Mon Feb  6 19:49:41 2017 Expected Remote Options hash (VER=V4): '69109d17'
Mon Feb  6 19:49:41 2017 TCP connection established with [AF_INET]69.666.999.333:43291
Mon Feb  6 19:49:41 2017 TCPv4_SERVER link local: [undef]
Mon Feb  6 19:49:41 2017 TCPv4_SERVER link remote: [AF_INET]69.666.999.333:43291
Mon Feb  6 19:49:42 2017 69.666.999.333:43291 TLS: Initial packet from [AF_INET]69.666.999.333:43291, sid=28ca3ee9 e7080935
Mon Feb  6 19:49:44 2017 69.666.999.333:43291 VERIFY OK: depth=1, /C=UK/ST=County/L=City/O=Organisation/OU=Unit/CN=server_hostname/name=MyHomeVpnKey/emailAddress=me@email.com
Mon Feb  6 19:49:44 2017 69.666.999.333:43291 VERIFY OK: depth=0, /C=UK/ST=County/L=City/O=Organisation/OU=Unit/CN=client_hostname/name=MyHomeVpnKey/emailAddress=me@email.com
Mon Feb  6 19:49:45 2017 69.666.999.333:43291 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Feb  6 19:49:45 2017 69.666.999.333:43291 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb  6 19:49:45 2017 69.666.999.333:43291 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Feb  6 19:49:45 2017 69.666.999.333:43291 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb  6 19:49:45 2017 69.666.999.333:43291 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Feb  6 19:49:45 2017 69.666.999.333:43291 [client_hostname] Peer Connection Initiated with [AF_INET]69.666.999.333:43291
Mon Feb  6 19:49:45 2017 client_hostname/69.666.999.333:43291 MULTI_sva: pool returned IPv4=10.8.0.10, IPv6=6081:f5b6:24e2:f9b6:c3:986c:1:0
Mon Feb  6 19:49:45 2017 client_hostname/69.666.999.333:43291 MULTI: Learn: 10.8.0.10 -> client_hostname/69.666.999.333:43291
Mon Feb  6 19:49:45 2017 client_hostname/69.666.999.333:43291 MULTI: primary virtual IP for client_hostname/69.666.999.333:43291: 10.8.0.10
Mon Feb  6 19:49:47 2017 client_hostname/69.666.999.333:43291 PUSH: Received control message: 'PUSH_REQUEST'
Mon Feb  6 19:49:47 2017 client_hostname/69.666.999.333:43291 send_push_reply(): safe_cap=960
Mon Feb  6 19:49:47 2017 client_hostname/69.666.999.333:43291 SENT CONTROL [client_hostname]: 'PUSH_REPLY,route 10.66.77.0 255.255.255.0,redirect-gateway def1,dhcp-option DNS 10.66.77.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9' (status=1)
Mon Feb  6 19:55:48 2017 client_hostname/69.666.999.333:43291 Connection reset, restarting [0]
Mon Feb  6 19:55:48 2017 client_hostname/69.666.999.333:43291 SIGUSR1[soft,connection-reset] received, client-instance restarting
Mon Feb  6 19:55:48 2017 TCP/UDP: Closing socket
Tue Feb  7 05:11:21 2017 MULTI: multi_create_instance called
Tue Feb  7 05:11:21 2017 Re-using SSL/TLS context
Tue Feb  7 05:11:21 2017 LZO compression initialized
Tue Feb  7 05:11:21 2017 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb  7 05:11:21 2017 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Feb  7 05:11:21 2017 Local Options hash (VER=V4): 'c0103fa8'
Tue Feb  7 05:11:21 2017 Expected Remote Options hash (VER=V4): '69109d17'
Tue Feb  7 05:11:21 2017 TCP connection established with [AF_INET]54.46.31.10:58928
Tue Feb  7 05:11:21 2017 TCPv4_SERVER link local: [undef]
Tue Feb  7 05:11:21 2017 TCPv4_SERVER link remote: [AF_INET]54.46.31.10:58928
Tue Feb  7 05:11:21 2017 54.46.31.10:58928 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1544 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Tue Feb  7 05:11:21 2017 54.46.31.10:58928 Connection reset, restarting [0]
Tue Feb  7 05:11:21 2017 54.46.31.10:58928 SIGUSR1[soft,connection-reset] received, client-instance restarting
Tue Feb  7 05:11:21 2017 TCP/UDP: Closing socket
Tue Feb  7 09:38:05 2017 MULTI: multi_create_instance called
Tue Feb  7 09:38:05 2017 Re-using SSL/TLS context
Tue Feb  7 09:38:05 2017 LZO compression initialized
Tue Feb  7 09:38:05 2017 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb  7 09:38:05 2017 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Feb  7 09:38:05 2017 Local Options hash (VER=V4): 'c0103fa8'
Tue Feb  7 09:38:05 2017 Expected Remote Options hash (VER=V4): '69109d17'
Tue Feb  7 09:38:05 2017 TCP connection established with [AF_INET]123.45.678.9:41167
Tue Feb  7 09:38:05 2017 TCPv4_SERVER link local: [undef]
Tue Feb  7 09:38:05 2017 TCPv4_SERVER link remote: [AF_INET]123.45.678.9:41167
Tue Feb  7 09:38:06 2017 123.45.678.9:41167 TLS: Initial packet from [AF_INET]123.45.678.9:41167, sid=74c71876 1bba298c
Tue Feb  7 09:38:07 2017 123.45.678.9:41167 VERIFY OK: depth=1, /C=UK/ST=County/L=City/O=Organisation/OU=Unit/CN=server_hostname/name=MyHomeVpnKey/emailAddress=me@email.com
Tue Feb  7 09:38:07 2017 123.45.678.9:41167 VERIFY OK: depth=0, /C=UK/ST=County/L=City/O=Organisation/OU=Unit/CN=client_hostname/name=MyHomeVpnKey/emailAddress=me@email.com
Tue Feb  7 09:38:08 2017 123.45.678.9:41167 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Feb  7 09:38:08 2017 123.45.678.9:41167 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  7 09:38:08 2017 123.45.678.9:41167 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Feb  7 09:38:08 2017 123.45.678.9:41167 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  7 09:38:08 2017 123.45.678.9:41167 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Feb  7 09:38:08 2017 123.45.678.9:41167 [client_hostname] Peer Connection Initiated with [AF_INET]123.45.678.9:41167
Tue Feb  7 09:38:08 2017 client_hostname/123.45.678.9:41167 MULTI_sva: pool returned IPv4=10.8.0.10, IPv6=6081:f5b6:74bd:f9b6:c3:986c:1:0
Tue Feb  7 09:38:08 2017 client_hostname/123.45.678.9:41167 MULTI: Learn: 10.8.0.10 -> client_hostname/123.45.678.9:41167
Tue Feb  7 09:38:08 2017 client_hostname/123.45.678.9:41167 MULTI: primary virtual IP for client_hostname/123.45.678.9:41167: 10.8.0.10
Tue Feb  7 09:38:10 2017 client_hostname/123.45.678.9:41167 PUSH: Received control message: 'PUSH_REQUEST'
Tue Feb  7 09:38:10 2017 client_hostname/123.45.678.9:41167 send_push_reply(): safe_cap=960
Tue Feb  7 09:38:10 2017 client_hostname/123.45.678.9:41167 SENT CONTROL [client_hostname]: 'PUSH_REPLY,route 10.66.77.0 255.255.255.0,redirect-gateway def1,dhcp-option DNS 10.66.77.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9' (status=1)

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: VPN was working, server changed IP, now broken

Post by TinCanTech » Tue Feb 07, 2017 12:55 pm

Client:
stevebiggs wrote: OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Server:
stevebiggs wrote: OpenVPN 2.2.1 arm-linux-gnueabihf [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014
You must get these up to date.
stevebiggs wrote: it appears there were a few hack attempts but they don't seem to have got anywhere. Should I be worried about this?
If you mean this:
stevebiggs wrote: Mon Feb 6 12:56:51 2017 555.666.369.13:11240 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1544 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
It is probably just your client trying to connect. Get it working and then if you notice a lot of problems like this post a new thread with details and we will take a look.
stevebiggs wrote: As for why I can't ping my DNS server (broadband router) on 10.66.77.1... I don't know. Any ideas?
You need either iptables to spoof your client source address or routing.

What iptables rules are you using ?

stevebiggs
OpenVpn Newbie
Posts: 11
Joined: Wed Jan 18, 2017 4:24 pm

Re: VPN was working, server changed IP, now broken

Post by stevebiggs » Tue Feb 07, 2017 1:56 pm

What iptables rules are you using?
Ah... This reminds me. I did set up iptables. However, I did not make them so that they would be re-instated on reboot. When the external IP address of my OpenVPN server changed, I didn't realise that's what had happened at first so I rebooted. So then when I fixed the IP problem, there was also the iptables problem but I didn't realise that. Now that I have made the iptables re-instate on reboot, it's all working again. So, nice one. Thanks :)

As for the out-of-date versions, I will re-build from source (those were the latest version available in the repositories I have access to).

And I do mean that bit as the hack attempts. That definitely wasn't me because I know I didn't try to connect at those times. I will keep an eye out and make a new topic as you suggest if necessary.

Thanks again :)
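TinCanTech's point above (the server must either NAT the client's source address with iptables, or the LAN must have a route back to the tunnel) and the cause stevebiggs then found (the iptables rules had not been made to survive a reboot) both come down to two server-side prerequisites. The following is an added example, not code from this thread or from the OpenVPN project: a POSIX shell check that reads iptables-save and ip_forward output and reports which prerequisite is missing, printing the restoring commands for review rather than running them. The tunnel subnet 10.8.0.0/24 comes from the posted server config; the LAN interface name eth0 and the two sample captures are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). With "redirect-gateway def1" the client
# sends everything through the tunnel as 10.8.0.x. LAN hosts such as the router
# at 10.66.77.1 have no route back to 10.8.0.0/24, so replies are lost unless
# the server (a) forwards IPv4 and (b) rewrites the source address (MASQUERADE)
# or the router has a static route. The checks below run on captured text, so
# they work offline; diagnose_live() runs them against the real system.

VPN_NET="10.8.0.0/24"   # from the posted "server 10.8.0.0 255.255.255.0"
LAN_IF="eth0"           # hypothetical LAN-facing interface name

# Succeeds if the iptables-save text in $1 has a nat/POSTROUTING rule that
# rewrites the source of packets from VPN_NET (MASQUERADE or SNAT).
has_vpn_nat_rule() {
  printf '%s\n' "$1" | grep -E '^-A POSTROUTING ' \
    | grep -F -- "-s $VPN_NET" | grep -Eq 'MASQUERADE|SNAT'
}

# Succeeds if the content of /proc/sys/net/ipv4/ip_forward given in $1 is "1".
forwarding_enabled() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Prints one token per missing prerequisite ("nat-rule", "ip-forward");
# prints nothing when both are present. Always exits 0 so it composes cleanly.
missing_prereqs() {
  has_vpn_nat_rule "$1" || echo "nat-rule"
  forwarding_enabled "$2" || echo "ip-forward"
}

# Prints (does not execute) the commands that restore the two prerequisites.
fix_commands() {
  printf 'sysctl -w net.ipv4.ip_forward=1\n'
  printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$VPN_NET" "$LAN_IF"
}

# Live variant: needs root for iptables-save. Not called at top level.
diagnose_live() {
  missing_prereqs "$(iptables-save -t nat 2>/dev/null)" \
                  "$(cat /proc/sys/net/ipv4/ip_forward)"
}

# Constructed sample: nat table as saved while the VPN worked.
SAMPLE_NAT_OK='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Constructed sample: the same table after a reboot with no persisted rules.
SAMPLE_NAT_AFTER_REBOOT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

echo "while working : missing=[$(missing_prereqs "$SAMPLE_NAT_OK" "1" | tr '\n' ' ')]"
echo "after reboot  : missing=[$(missing_prereqs "$SAMPLE_NAT_AFTER_REBOOT" "0" | tr '\n' ' ')]"
echo "to restore, review and run:"
fix_commands
```

On Debian-family systems the rule survives reboots when saved with `iptables-save > /etc/iptables/rules.v4` (the file the iptables-persistent package loads at boot) and `net.ipv4.ip_forward=1` is set in /etc/sysctl.conf. The routing alternative TinCanTech mentions, a static route for 10.8.0.0/24 on the broadband router pointing at the server's LAN address, avoids NAT altogether and keeps the client's real tunnel address visible in LAN logs.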

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: VPN was working, server changed IP, now broken

Post by TinCanTech » Tue Feb 07, 2017 2:28 pm

stevebiggs wrote: I have made the iptables re-instate on reboot, it's all working again. So, nice one. Thanks :)
Good 8-)
stevebiggs wrote: the out-of-date versions
OpenVPN repos:
https://community.openvpn.net/openvpn/w ... twareRepos

If you prefer to build the source that is also good. 8-)
stevebiggs wrote: And I do mean that bit as the hack attempts. That definitely wasn't me because I know I didn't try to connect at those times
As you have a dynamic IP it may be that your IP address was in use by somebody else using openvpn and they have not noticed their IP change.

However, you are using a 1024-bit PKI, I strongly advise you create a new 2048-bit PKI.

Also, for better server security I advise you to use --tls-auth.
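The two recommendations above (a 2048-bit PKI and --tls-auth) can be applied to the configs posted earlier in the thread. The following is an added example, not code from this thread or from the OpenVPN project: a POSIX shell script that rewrites the server and client configs as text (so it runs offline), plus a function with the commands that generate the new DH parameters and the tls-auth key on the server. The file paths /etc/openvpn/dh2048.pem and /etc/openvpn/ta.key are assumptions, and the sample configs are shortened versions of the posted ones.

```shell
#!/bin/sh
# Added example (not from the thread). tls-auth adds an HMAC to every control
# channel packet; the server discards packets without a valid HMAC before any
# TLS processing, which shuts out the unauthenticated probes seen in the log.
# The 1024-bit DH file is replaced by a 2048-bit one; the CA and certificates
# themselves must be regenerated at 2048 bits separately (with easy-rsa 2 that
# is KEY_SIZE=2048 in the vars file).

DH_FILE="/etc/openvpn/dh2048.pem"   # assumed path
TA_KEY="/etc/openvpn/ta.key"        # assumed path

# Rewrites server config text $1: swap the dh line, drop any stale tls-auth
# line and append "tls-auth <key> 0" (the server uses key direction 0).
harden_server_config() {
  printf '%s\n' "$1" | awk -v dh="$DH_FILE" -v ta="$TA_KEY" '
    /^dh /       { print "dh " dh; next }
    /^tls-auth / { next }
    { print }
    END { print "tls-auth " ta " 0" }
  '
}

# Same for client config text $1: clients use key direction 1 and need their
# own copy of ta.key, delivered out of band together with the certificate.
harden_client_config() {
  printf '%s\n' "$1" | awk -v ta="$TA_KEY" '
    /^tls-auth / { next }
    { print }
    END { print "tls-auth " ta " 1" }
  '
}

# Succeeds when config text $1 references a tls-auth key and no 1024-bit DH file.
config_is_hardened() {
  cfg="$1"
  printf '%s\n' "$cfg" | grep -q '^tls-auth ' || return 1
  if printf '%s\n' "$cfg" | grep -q '^dh .*1024'; then return 1; fi
  return 0
}

# Generates the files on the server; needs openssl and openvpn, run as root.
# "openvpn --genkey --secret" is the 2.3/2.4 spelling; 2.5 and later also
# accept "openvpn --genkey secret <file>". Not called at top level.
generate_hardening_files() {
  openssl dhparam -out "$DH_FILE" 2048
  openvpn --genkey --secret "$TA_KEY"
  chmod 600 "$TA_KEY"
}

# Constructed samples: abbreviated copies of the posted configs.
SAMPLE_SERVER_CONFIG='port 443
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"'

SAMPLE_CLIENT_CONFIG='client
dev tun
proto tcp
remote mydomain.com 443
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client_hostname.crt
key /etc/openvpn/client_hostname.key'

echo "--- hardened server config ---"
harden_server_config "$SAMPLE_SERVER_CONFIG"
echo "--- hardened client config ---"
harden_client_config "$SAMPLE_CLIENT_CONFIG"
```

After regenerating the PKI, every client needs its new certificate and the shared ta.key before it can reconnect; a client with the old 1024-bit certificate or without the key will simply be dropped at the HMAC check, so roll the clients out before switching the server config.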

stevebiggs
OpenVpn Newbie
Posts: 11
Joined: Wed Jan 18, 2017 4:24 pm

Re: VPN was working, server changed IP, now broken

Post by stevebiggs » Wed Feb 08, 2017 10:34 am

As you have a dynamic IP it may be that your IP address was in use by somebody else using openvpn and they have not noticed their IP change.
Definitely possible. I think I probably did the same to some other poor sucker.
However, you are using a 1024bit PKI, I strongly advise you create a new 2048bit PKI.

Also, for better server security I advise you to use --tls-auth.
Good tips. I will do that.

Thanks again :)
