Open VPN Server on Ubuntu 11.0 Cannot Connect from External

[wizkid_rajesh]

Hello

I have installed Open Vpn on Ubuntu 11.0 and it is up and working fine, I count connect to the vpn server from my internal network (i.e) 192.168.1.3 to 192.168.1.252:1194, it works perfectly fine bu t when I use a static Internet IP say e.g 34.56.82.56 it says tls negotiation failed and retries. My configurations are as follows:

1. Server.conf

local 192.168.1.252
server 192.168.66.0 255.255.255.0
;up "/etc/openvpn/up.sh br0"
;down "/etc/openvpn/down.sh br0"
;up "/etc/openvpn/firewall.sh"
;tls-server
;proto tcp
proto udp
port 1194
dev tap0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
;server-bridge 192.168.1.252 255.255.255.0 192.168.1.65 192.168.1.200
push "route 192.168.1.254 255.255.255.0"
ifconfig-pool-persist ipp.txt
;tls-auth toys.key 0 # This file is secret
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
user nobody
group nogroup
log openvpn.log
log-append openvpn.log.append

2. Client.conf

client
dev tap
#dev tun
#dev-node MyTap
proto udp
;proto tcp

remote 37.107.27.68 1194
;remote 192.168.1.252 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert mohammed.crt
key mohammed.key
comp-lzo
verb 3
mute 20

FIREWALL.SH
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.1.0/24 -j ACCEPT


iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

My router is Thomson TG585 v8 it has a game an application sharing port open to my loacl server 192.168.1.252 for port 1194

I persume that all my configurations are correct but still this doesn't work.
more over I have bricked a WRT54GL by installing tomatoe and openvpn for some reason it doestnot work.

kindly advice help with this problem of mine

Wizzy

[frankuit]

Did you verify that you've port-forwarded 1194 UDP to your server on your router ? by default that thompson is on TCP.

Regards,
Frank

[wizkid_rajesh]

I have opend my port on thomson as bellow

TCP 1194
UDP 1194


Home > Toolbox > Game & Application Sharing > OpenVpn Overview
Game & Application Sharing
OpenVpn

Game or Application Definition

A game or application is made of one or more TCP/UDP port ranges. Each incoming port range can be translated into a different internal (local network) port range. Port ranges can be statically assigned to devices or dynamically assigned using an outgoing trigger.


Protocol Port Range Translate To ... Trigger Protocol Trigger Port

TCP 1194 - 1194 1194 - 1194 Any 1194


UDP 1194 - 1194 1194 - 1194 Any 1194

I have assigned this port to my VPN Server Also

I have forwarded it to my vpn server also but no luck

Thank you

Wizzy

[wizkid_rajesh]

My client connection now says

push "route 192.168.1.254 255.255.255.0"

route not in same netmask

route dropped

advice

[ddog800]

If you're able to access it from your internal network, then I'd definitely reexamine the port forwarding configuration in your router. I know that many consumer routers often have multiple ways to configure port forwarding (D-Link is one of them). I'm not famiilar with the Thompson router, but with Dlinks they have a "virtual server" section which is basically port forwarding, and then another more generic port forwarding section. Since I've had issues with the virtual server stuff, I usually just stick with generic port forwarding. You may dig around and try and find a more generic port fowarding option in the router rather than using their "game or application" interface.

Once again, I have no idea if this is possible in the Thompson router, but thought I'd mention it.

[wizkid_rajesh]

Thank you verymuch for your response

It was actually the thomson router problem, thomson routers dont port forward udp not I got it up and working fine

now after connect I have a problem my clonputers beyond the openvpn server would'nt respond to my ping commands eventhough I hve iptables set as below

My Network

access server - 192.168.1.252
sub 255.255.255.0
gateway 192.168.1.1
dns 192.168.1.1

Client Side

System 192.168.0.2
sub 255.255.255.0
gateway 192.168.0.1
dns 192.168.0.1

ip address assigned by Openvpn Server 192.168.66.1 client 192.168.66.2


I have a sql server which I have to connect to by odbc which is on address 192.168.1.45


from 192.168.0.2 i am not able to ping 192.168.1.45

my iptables are as follows


iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.1.0/24 -j ACCEPT


iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT


What do I do to ping

advice

Wizzy

[wizkid_rajesh]

Thank you verymuch for your response

It was actually the thomson router problem, thomson routers dont port forward udp not I got it up and working fine

now after connect I have a problem my clonputers beyond the openvpn server would'nt respond to my ping commands eventhough I hve iptables set as below

My Network

access server - 192.168.1.252
sub 255.255.255.0
gateway 192.168.1.1
dns 192.168.1.1

Client Side

System 192.168.0.2
sub 255.255.255.0
gateway 192.168.0.1
dns 192.168.0.1

ip address assigned by Openvpn Server 192.168.66.1 client 192.168.66.2


I have a sql server which I have to connect to by odbc which is on address 192.168.1.45


from 192.168.0.2 i am not able to ping 192.168.1.45

my iptables are as follows


iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.1.0/24 -j ACCEPT


iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT


What do I do to ping

advice

Wizzy

[ddog800]

My first guess is that the rest of the computers on your network are not aware of the OpenVPN subnet which you have indicated is on the 192.168.66.0/24 subnet. If you have not either configured a route to the VPN network in your default gateway for the 192.168.1.0/24 network (or something along those lines), then you are going to have a problem.

Typically if there is no route set up, then the following will occur:

1. You connect successfully to the OpenVPN network (192.168.66.0/24) from your client-side network (192.168.0.0/24) and are able to ping the server on both it's VPN IP (192.168.66.1) and remote private network IP (192.168.1.252)

2. You then attempt to ping another machine on the remote network, for example your SQL server (192.168.1.45).

3. The SQL server (192.168.1.45) receives the ICMP 'ping' request from your VPN IP (192.168.66.2) and attempts to respond.

4. Because the remote PC subnet (192.168.66.0/24) is not on the same subnet as the SQL server (192.168.1.0/24) it instead routes it to the default gateway (192.168.1.1)

5. Since the gateway doesn't have a route configured for your VPN network (192.168.66.0/24) it will then forward it on to the WAN port default gateway, which leads out to the internet. Since you obviously won't be able to locate your 192.168.66.0/24 network from the raw internet, then your ping response from the SQL server never makes it back to your VPN client.


The bottom line is, you need to configure a static route in your default gateway on the 192.168.1.0/24 network so that any packets destined for the 192.168.66.0/24 network will be routed to the Access Server IP that is accessible from the 192.168.1.0/24 network, in this case that would be 192.168.1.252. Once you do that, then any ping responses (or any other TCP/IP response) destined for your VPN subnet will correctly route to the Access Server and back to your client.

Make sense?

[frankuit]

Did you do:

Code: Select all

echo 1 > /proc/sys/net/ipv4/ip_forward 

On your vpn server ? that enables forwarding of traffic on the server.
(be sure to be root when you run this)

Good luck,

Kind regards,
Frank Uittenbosch

[ddog800]

Yeah, excellent point there. Since this is the Access Server forum I assumed you were using that, but now that I look closer it looks like you're using a stock Ubuntu install with OpenVPN. If you're not using an AS image, then you'll definitely need to enable ip forwarding as well, i addition to ensuring a route has been setup per my previous post.