The issue here is that my OpenVPN .ovpn file on Android doesn't connect. It just times out. The client immediately errors out with a "Peer certificate verification failure" without any logs and the server has an error log that shows why.
server.conf

```
port 1194
dev tun
tls-server
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/servername.crt
key /etc/openvpn/keys/servername.key
dh /etc/openvpn/keys/dh2048.pem
mode server
ifconfig 10.8.0.1 10.8.0.2
ifconfig-pool 10.8.0.4 10.8.0.255
push "route 10.8.0.1 255.255.255.255"
push "route 10.10.0.0 255.255.255.0"
push "dhcp-option DOMAIN example.com"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.6.6"
push "dhcp-option DNS 10.10.0.1"
push "dhcp-option WINS 10.10.0.1"
keepalive 10 60
inactive 600
route 10.8.0.0 255.255.255.0
user openvpn
group openvpn
persist-tun
persist-key
verb 4
log /var/log/openvpn/openvpn.log
```
```
port 1194
dev tun
remote 10.10.10.10
tls-client
ca ca.crt
cert servername.crt
key servername.key
dh dh2048.pem
pull
verb 9
```
```
PORT STATE SERVICE
XXX/udp open|filtered doesntmatter
```
Port forwarding is on.
When it doesn't work, it actually times out.
The server openvpn.log shows the following:
```
Initialization Sequence Completed
Connection Attempt MULTI: multi_create_instance called
10.10.10.1:33314 Re-using SSL/TLS context
10.10.10.1:33314 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
10.10.10.1:33314 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Connection Attempt MULTI: multi_create_instance called
10.10.10.1:42437 Re-using SSL/TLS context
10.10.10.1:42437 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
10.10.10.1:42437 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Connection Attempt MULTI: multi_create_instance called
10.10.10.1:50514 Re-using SSL/TLS context
10.10.10.1:50514 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
10.10.10.1:50514 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
read UDPv4 [ECONNREFUSED]: Connection refused (fd=5,code=111)
read UDPv4 [ECONNREFUSED]: Connection refused (fd=5,code=111)
read UDPv4 [ECONNREFUSED]: Connection refused (fd=5,code=111)
read UDPv4 [ECONNREFUSED]: Connection refused (fd=5,code=111)
```
```
enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.10 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 fd34:13d3:a6b0:f757:224:21ff:fe10:56fb prefixlen 64 scopeid 0x0<global>
inet6 fe80::224:21ff:fe10:56fb prefixlen 64 scopeid 0x20<link>
ether 00:24:21:10:56:fb txqueuelen 1000 (Ethernet)
RX packets 7001680 bytes 2985173458 (2.7 GiB)
RX errors 0 dropped 11 overruns 0 frame 0
TX packets 3103328 bytes 591783635 (564.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 789335 bytes 133357697 (127.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 789335 bytes 133357697 (127.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
inet6 fe80::d34d:a169:67cd:57cd prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 157 bytes 9320 (9.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:54:00:da:f1:02 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
```
```
# sysctl -p
fs.inotify.max_user_watches = 1048576
net.ipv4.ip_forward = 1
```
```
# iptables -L -t nat -v
Chain PREROUTING (policy ACCEPT 3411 packets, 917K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 3411 packets, 917K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3628 packets, 223K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 3628 packets, 223K bytes)
 pkts bytes target     prot opt in     out     source               destination
 466K   27M LIBVIRT_PRT  all  --  any    any     anywhere             anywhere
    0     0 MASQUERADE  all  --  any    enp3s0  172.16.0.0/24        anywhere

Chain LIBVIRT_PRT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   163 RETURN     all  --  any    any     192.168.122.0/24     base-address.mcast.net/24
    0     0 RETURN     all  --  any    any     192.168.122.0/24     255.255.255.255
    0     0 MASQUERADE  tcp  --  any    any     192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  any    any     192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  all  --  any    any     192.168.122.0/24    !192.168.122.0/24
```
This server is totally accessible through other ports. I read all the help pages on this forum for it but none quite hit the spot for me. One person said "the error you see usually means that something blocks your traffic."
Nothing is blocking my traffic that I can tell. When something blocks my traffic, it times out (trust me, I've spent eleventy billion hours on this). You can see logs on the server (not on the client), so something is going through.
I do not have a firewall. Yes, I admitted it. I did all the iptables stuff for the heck of it but there was really no need.
Any ideas? I can't keep reinstalling this again and again to have the same issue recur...
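Two checks a reader can run against the profiles quoted above, as an added example that is not part of the original post: directives that belong to the other role (the client profile carries `dh`, which the OpenVPN manual describes as required for `--tls-server` only), the absence of `remote-cert-tls` on either side, and whether both ends are configured with the same cert/key files (both profiles name `servername.crt`/`servername.key`). The directive sets are a subset of the OpenVPN 2.x manual; the embedded profiles are excerpts copied from the post.

```python
"""Lint an OpenVPN profile pair for directives that belong to the other role.
Added example, not from the post; the profiles are excerpts copied from it."""
import shlex

# Role assignments per the OpenVPN 2.x manual (dh is "for --tls-server only").
SERVER_ONLY = {"mode", "tls-server", "dh", "ifconfig-pool", "push", "server"}
CLIENT_ONLY = {"tls-client", "pull", "client"}

# Excerpts of the server.conf and client profile from the post (test input).
SERVER_CONF = """\
tls-server
cert /etc/openvpn/keys/servername.crt
key /etc/openvpn/keys/servername.key
dh /etc/openvpn/keys/dh2048.pem
"""
CLIENT_OVPN = """\
tls-client
cert servername.crt
key servername.key
dh dh2048.pem
pull
"""

def parse(profile):
    """Yield (directive, args); '#'/';' lines are comments, quoting honoured."""
    for line in profile.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            tok = shlex.split(line)
            yield tok[0], tok[1:]

def lint(profile, role):
    """Directives from the other role, plus a missing peer-role certificate check."""
    other = SERVER_ONLY if role == "client" else CLIENT_ONLY
    seen, findings = set(), []
    for name, _ in parse(profile):
        seen.add(name)
        if name in other:
            findings.append(f"{name}: not a {role}-side directive")
    if "remote-cert-tls" not in seen:
        peer = "server" if role == "client" else "client"
        findings.append(f"no 'remote-cert-tls {peer}': peer certificate role unchecked")
    return findings

def shared_identity(client, server):
    """cert/key files that the client and server configure with the same basename."""
    def names(p):
        return {n: a[0].rsplit("/", 1)[-1] for n, a in parse(p) if n in ("cert", "key")}
    c, s = names(client), names(server)
    return sorted(n for n in c if c[n] == s.get(n))
```

Run `lint(CLIENT_OVPN, "client")` and `shared_identity(CLIENT_OVPN, SERVER_CONF)` to see the findings for the posted pair; the lint reports what differs from the manual's role split, not the root cause of the failure.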