OpenVPN: Keeps restarting and/or Connection timeout

How to customize and extend your OpenVPN installation.

Moderators: TinCanTech

buckan
OpenVpn Newbie
Posts: 7
Joined: Sun Nov 13, 2011 6:12 pm

OpenVPN: Keeps restarting and/or Connection timeout

Post by buckan » Sun Nov 13, 2011 6:40 pm

I'm a newbie and have scoured some of the forums and googled the error messages. :? Any help would be appreciated.
I believe there was a similar thread opened by russdyer w/ assistance from jnorthco and janjust.

Thanks in advance!

I've followed the tutorial multiple times at http://www.howtogeek.com/64433/how-to-i ... rt-router/

Here's my firewall -

# Long options take two dashes. With a single dash iptables reads
# "-dport 1194" as "-d port" and "-source ..." as "-s ource" and rejects the rule.
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 -s 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Server config -

# Clients get a route to the LAN behind the router; the VPN itself is 10.8.0.0/24.
push "route 192.168.1.0 255.255.255.0"
server 10.8.0.0 255.255.255.0

dev tun0
proto tcp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

# No 'cipher' line, so the server uses OpenVPN 2.1's default data-channel cipher (BF-CBC).
# Management port without a password file: any local process on the router can drive it.
management localhost 5001

Client Config -

client
dev tun
proto tcp
remote XXXXXX.XXXX.XXX 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client1.crt
key client1.key
# Accept only a server certificate that carries nsCertType=server.
ns-cert-type server
# Data-channel cipher; must match the server side (the server config above sets none).
cipher AES-128-CBC
# Also absent from the server config above.
comp-lzo
verb 4

When connecting from outside my LAN, I get a connection timeout, and when connecting from my network, I get a recurring connection reset. Here are the log files -

Connecting from the internet -

Sun Nov 13 09:39:32 2011 us=406000 Current Parameter Settings:
Sun Nov 13 09:39:32 2011 us=406000   config = 'client.ovpn'
Sun Nov 13 09:39:32 2011 us=406000   mode = 0
Sun Nov 13 09:39:32 2011 us=406000   show_ciphers = DISABLED
Sun Nov 13 09:39:32 2011 us=406000   show_digests = DISABLED
Sun Nov 13 09:39:32 2011 us=406000   show_engines = DISABLED
Sun Nov 13 09:39:32 2011 us=406000   genkey = DISABLED
Sun Nov 13 09:39:32 2011 us=406000   key_pass_file = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=406000   show_tls_ciphers = DISABLED
Sun Nov 13 09:39:32 2011 us=406000 Connection profiles [default]:
Sun Nov 13 09:39:32 2011 us=406000   proto = tcp-client
Sun Nov 13 09:39:32 2011 us=406000   local = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=406000   local_port = 0
Sun Nov 13 09:39:32 2011 us=406000   remote = 'XXXXX.XXXXX.XX'
Sun Nov 13 09:39:32 2011 us=406000   remote_port = 1194
Sun Nov 13 09:39:32 2011 us=406000   remote_float = DISABLED
Sun Nov 13 09:39:32 2011 us=406000   bind_defined = DISABLED
Sun Nov 13 09:39:32 2011 us=406000   bind_local = DISABLED
Sun Nov 13 09:39:32 2011 us=406000   connect_retry_seconds = 5
Sun Nov 13 09:39:32 2011 us=406000   connect_timeout = 10
Sun Nov 13 09:39:32 2011 us=406000   connect_retry_max = 0
Sun Nov 13 09:39:32 2011 us=406000   socks_proxy_server = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=406000   socks_proxy_port = 0
Sun Nov 13 09:39:32 2011 us=406000   socks_proxy_retry = DISABLED
Sun Nov 13 09:39:32 2011 us=406000 Connection profiles END
Sun Nov 13 09:39:32 2011 us=406000   remote_random = DISABLED
Sun Nov 13 09:39:32 2011 us=406000   ipchange = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=406000   dev = 'tun'
Sun Nov 13 09:39:32 2011 us=406000   dev_type = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=406000   dev_node = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=406000   lladdr = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=406000   topology = 1
Sun Nov 13 09:39:32 2011 us=406000   tun_ipv6 = DISABLED
Sun Nov 13 09:39:32 2011 us=406000   ifconfig_local = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=406000   ifconfig_remote_netmask = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=406000   ifconfig_noexec = DISABLED
Sun Nov 13 09:39:32 2011 us=406000   ifconfig_nowarn = DISABLED
Sun Nov 13 09:39:32 2011 us=406000   shaper = 0
Sun Nov 13 09:39:32 2011 us=406000   tun_mtu = 1500
Sun Nov 13 09:39:32 2011 us=406000   tun_mtu_defined = ENABLED
Sun Nov 13 09:39:32 2011 us=406000   link_mtu = 1500
Sun Nov 13 09:39:32 2011 us=406000   link_mtu_defined = DISABLED
Sun Nov 13 09:39:32 2011 us=406000   tun_mtu_extra = 0
Sun Nov 13 09:39:32 2011 us=406000   tun_mtu_extra_defined = DISABLED
Sun Nov 13 09:39:32 2011 us=406000   fragment = 0
Sun Nov 13 09:39:32 2011 us=406000   mtu_discover_type = -1
Sun Nov 13 09:39:32 2011 us=406000   mtu_test = 0
Sun Nov 13 09:39:32 2011 us=406000   mlock = DISABLED
Sun Nov 13 09:39:32 2011 us=406000   keepalive_ping = 0
Sun Nov 13 09:39:32 2011 us=406000   keepalive_timeout = 0
Sun Nov 13 09:39:32 2011 us=406000   inactivity_timeout = 0
Sun Nov 13 09:39:32 2011 us=406000   ping_send_timeout = 0
Sun Nov 13 09:39:32 2011 us=406000   ping_rec_timeout = 0
Sun Nov 13 09:39:32 2011 us=406000   ping_rec_timeout_action = 0
Sun Nov 13 09:39:32 2011 us=406000   ping_timer_remote = DISABLED
Sun Nov 13 09:39:32 2011 us=406000   remap_sigusr1 = 0
Sun Nov 13 09:39:32 2011 us=406000   explicit_exit_notification = 0
Sun Nov 13 09:39:32 2011 us=406000   persist_tun = ENABLED
Sun Nov 13 09:39:32 2011 us=406000   persist_local_ip = DISABLED
Sun Nov 13 09:39:32 2011 us=406000   persist_remote_ip = DISABLED
Sun Nov 13 09:39:32 2011 us=406000   persist_key = ENABLED
Sun Nov 13 09:39:32 2011 us=406000   mssfix = 1450
Sun Nov 13 09:39:32 2011 us=406000   resolve_retry_seconds = 1000000000
Sun Nov 13 09:39:32 2011 us=406000   username = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=406000   groupname = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=406000   chroot_dir = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=406000   cd_dir = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=406000   writepid = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=656000   up_script = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=656000   down_script = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=656000   down_pre = DISABLED
Sun Nov 13 09:39:32 2011 us=656000   up_restart = DISABLED
Sun Nov 13 09:39:32 2011 us=656000   up_delay = DISABLED
Sun Nov 13 09:39:32 2011 us=656000   daemon = DISABLED
Sun Nov 13 09:39:32 2011 us=656000   inetd = 0
Sun Nov 13 09:39:32 2011 us=656000   log = DISABLED
Sun Nov 13 09:39:32 2011 us=656000   suppress_timestamps = DISABLED
Sun Nov 13 09:39:32 2011 us=656000   nice = 0
Sun Nov 13 09:39:32 2011 us=656000   verbosity = 4
Sun Nov 13 09:39:32 2011 us=656000   mute = 0
Sun Nov 13 09:39:32 2011 us=656000   gremlin = 0
Sun Nov 13 09:39:32 2011 us=656000   status_file = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=656000   status_file_version = 1
Sun Nov 13 09:39:32 2011 us=656000   status_file_update_freq = 60
Sun Nov 13 09:39:32 2011 us=656000   occ = ENABLED
Sun Nov 13 09:39:32 2011 us=656000   rcvbuf = 0
Sun Nov 13 09:39:32 2011 us=687000   sndbuf = 0
Sun Nov 13 09:39:32 2011 us=687000   sockflags = 0
Sun Nov 13 09:39:32 2011 us=687000   fast_io = DISABLED
Sun Nov 13 09:39:32 2011 us=687000   lzo = 7
Sun Nov 13 09:39:32 2011 us=687000   route_script = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=687000   route_default_gateway = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=687000   route_default_metric = 0
Sun Nov 13 09:39:32 2011 us=687000   route_noexec = DISABLED
Sun Nov 13 09:39:32 2011 us=687000   route_delay = 5
Sun Nov 13 09:39:32 2011 us=687000   route_delay_window = 30
Sun Nov 13 09:39:32 2011 us=687000   route_delay_defined = ENABLED
Sun Nov 13 09:39:32 2011 us=687000   route_nopull = DISABLED
Sun Nov 13 09:39:32 2011 us=687000   route_gateway_via_dhcp = DISABLED
Sun Nov 13 09:39:32 2011 us=687000   max_routes = 100
Sun Nov 13 09:39:32 2011 us=687000   allow_pull_fqdn = DISABLED
Sun Nov 13 09:39:32 2011 us=687000   management_addr = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=718000   management_port = 0
Sun Nov 13 09:39:32 2011 us=718000   management_user_pass = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=718000   management_log_history_cache = 250
Sun Nov 13 09:39:32 2011 us=718000   management_echo_buffer_size = 100
Sun Nov 13 09:39:32 2011 us=718000   management_write_peer_info_file = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=718000   management_client_user = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=718000   management_client_group = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=718000   management_flags = 0
Sun Nov 13 09:39:32 2011 us=718000   shared_secret_file = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=718000   key_direction = 0
Sun Nov 13 09:39:32 2011 us=718000   ciphername_defined = ENABLED
Sun Nov 13 09:39:32 2011 us=718000   ciphername = 'AES-128-CBC'
Sun Nov 13 09:39:32 2011 us=718000   authname_defined = ENABLED
Sun Nov 13 09:39:32 2011 us=718000   authname = 'SHA1'
Sun Nov 13 09:39:32 2011 us=718000   prng_hash = 'SHA1'
Sun Nov 13 09:39:32 2011 us=718000   prng_nonce_secret_len = 16
Sun Nov 13 09:39:32 2011 us=765000   keysize = 0
Sun Nov 13 09:39:32 2011 us=765000   engine = DISABLED
Sun Nov 13 09:39:32 2011 us=765000   replay = ENABLED
Sun Nov 13 09:39:32 2011 us=765000   mute_replay_warnings = DISABLED
Sun Nov 13 09:39:32 2011 us=765000   replay_window = 64
Sun Nov 13 09:39:32 2011 us=765000   replay_time = 15
Sun Nov 13 09:39:32 2011 us=765000   packet_id_file = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=765000   use_iv = ENABLED
Sun Nov 13 09:39:32 2011 us=765000   test_crypto = DISABLED
Sun Nov 13 09:39:32 2011 us=765000   tls_server = DISABLED
Sun Nov 13 09:39:32 2011 us=765000   tls_client = ENABLED
Sun Nov 13 09:39:32 2011 us=765000   key_method = 2
Sun Nov 13 09:39:32 2011 us=765000   ca_file = 'ca.crt'
Sun Nov 13 09:39:32 2011 us=765000   ca_path = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=765000   dh_file = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=765000   cert_file = 'client1.crt'
Sun Nov 13 09:39:32 2011 us=765000   priv_key_file = 'client1.key'
Sun Nov 13 09:39:32 2011 us=843000   pkcs12_file = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=843000   cryptoapi_cert = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=843000   cipher_list = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=843000   tls_verify = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=843000   tls_remote = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=843000   crl_file = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=843000   ns_cert_type = 64
Sun Nov 13 09:39:32 2011 us=843000   remote_cert_ku[i] = 0
Sun Nov 13 09:39:32 2011 us=843000   remote_cert_ku[i] = 0
Sun Nov 13 09:39:32 2011 us=843000   remote_cert_ku[i] = 0
Sun Nov 13 09:39:32 2011 us=843000   remote_cert_ku[i] = 0
Sun Nov 13 09:39:32 2011 us=843000   remote_cert_ku[i] = 0
Sun Nov 13 09:39:32 2011 us=843000   remote_cert_ku[i] = 0
Sun Nov 13 09:39:32 2011 us=843000   remote_cert_ku[i] = 0
Sun Nov 13 09:39:32 2011 us=843000   remote_cert_ku[i] = 0
Sun Nov 13 09:39:32 2011 us=843000   remote_cert_ku[i] = 0
Sun Nov 13 09:39:32 2011 us=890000   remote_cert_ku[i] = 0
Sun Nov 13 09:39:32 2011 us=890000   remote_cert_ku[i] = 0
Sun Nov 13 09:39:32 2011 us=890000   remote_cert_ku[i] = 0
Sun Nov 13 09:39:32 2011 us=890000   remote_cert_ku[i] = 0
Sun Nov 13 09:39:32 2011 us=890000   remote_cert_ku[i] = 0
Sun Nov 13 09:39:32 2011 us=890000   remote_cert_ku[i] = 0
Sun Nov 13 09:39:32 2011 us=890000   remote_cert_ku[i] = 0
Sun Nov 13 09:39:32 2011 us=890000   remote_cert_eku = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=890000   tls_timeout = 2
Sun Nov 13 09:39:32 2011 us=890000   renegotiate_bytes = 0
Sun Nov 13 09:39:32 2011 us=890000   renegotiate_packets = 0
Sun Nov 13 09:39:32 2011 us=890000   renegotiate_seconds = 3600
Sun Nov 13 09:39:32 2011 us=890000   handshake_window = 60
Sun Nov 13 09:39:32 2011 us=890000   transition_window = 3600
Sun Nov 13 09:39:32 2011 us=890000   single_session = DISABLED
Sun Nov 13 09:39:32 2011 us=890000   push_peer_info = DISABLED
Sun Nov 13 09:39:32 2011 us=921000   tls_exit = DISABLED
Sun Nov 13 09:39:32 2011 us=921000   tls_auth_file = '[UNDEF]'
Sun Nov 13 09:39:32 2011 us=921000   pkcs11_protected_authentication = DISABLED
Sun Nov 13 09:39:32 2011 us=921000   pkcs11_protected_authentication = DISABLED
Sun Nov 13 09:39:32 2011 us=921000   pkcs11_protected_authentication = DISABLED
Sun Nov 13 09:39:32 2011 us=921000   pkcs11_protected_authentication = DISABLED
Sun Nov 13 09:39:32 2011 us=921000   pkcs11_protected_authentication = DISABLED
Sun Nov 13 09:39:32 2011 us=921000   pkcs11_protected_authentication = DISABLED
Sun Nov 13 09:39:32 2011 us=921000   pkcs11_protected_authentication = DISABLED
Sun Nov 13 09:39:32 2011 us=921000   pkcs11_protected_authentication = DISABLED
Sun Nov 13 09:39:32 2011 us=921000   pkcs11_protected_authentication = DISABLED
Sun Nov 13 09:39:32 2011 us=921000   pkcs11_protected_authentication = DISABLED
Sun Nov 13 09:39:32 2011 us=921000   pkcs11_protected_authentication = DISABLED
Sun Nov 13 09:39:32 2011 us=968000   pkcs11_protected_authentication = DISABLED
Sun Nov 13 09:39:32 2011 us=968000   pkcs11_protected_authentication = DISABLED
Sun Nov 13 09:39:32 2011 us=968000   pkcs11_protected_authentication = DISABLED
Sun Nov 13 09:39:32 2011 us=968000   pkcs11_protected_authentication = DISABLED
Sun Nov 13 09:39:32 2011 us=968000   pkcs11_protected_authentication = DISABLED
Sun Nov 13 09:39:32 2011 us=968000   pkcs11_private_mode = 00000000
Sun Nov 13 09:39:32 2011 us=968000   pkcs11_private_mode = 00000000
Sun Nov 13 09:39:32 2011 us=968000   pkcs11_private_mode = 00000000
Sun Nov 13 09:39:32 2011 us=968000   pkcs11_private_mode = 00000000
Sun Nov 13 09:39:32 2011 us=968000   pkcs11_private_mode = 00000000
Sun Nov 13 09:39:32 2011 us=968000   pkcs11_private_mode = 00000000
Sun Nov 13 09:39:32 2011 us=968000   pkcs11_private_mode = 00000000
Sun Nov 13 09:39:32 2011 us=968000   pkcs11_private_mode = 00000000
Sun Nov 13 09:39:32 2011 us=968000   pkcs11_private_mode = 00000000
Sun Nov 13 09:39:33 2011   pkcs11_private_mode = 00000000
Sun Nov 13 09:39:33 2011   pkcs11_private_mode = 00000000
Sun Nov 13 09:39:33 2011   pkcs11_private_mode = 00000000
Sun Nov 13 09:39:33 2011   pkcs11_private_mode = 00000000
Sun Nov 13 09:39:33 2011   pkcs11_private_mode = 00000000
Sun Nov 13 09:39:33 2011   pkcs11_private_mode = 00000000
Sun Nov 13 09:39:33 2011   pkcs11_private_mode = 00000000
Sun Nov 13 09:39:33 2011   pkcs11_cert_private = DISABLED
Sun Nov 13 09:39:33 2011   pkcs11_cert_private = DISABLED
Sun Nov 13 09:39:33 2011   pkcs11_cert_private = DISABLED
Sun Nov 13 09:39:33 2011   pkcs11_cert_private = DISABLED
Sun Nov 13 09:39:33 2011   pkcs11_cert_private = DISABLED
Sun Nov 13 09:39:33 2011   pkcs11_cert_private = DISABLED
Sun Nov 13 09:39:33 2011   pkcs11_cert_private = DISABLED
Sun Nov 13 09:39:33 2011   pkcs11_cert_private = DISABLED
Sun Nov 13 09:39:33 2011   pkcs11_cert_private = DISABLED
Sun Nov 13 09:39:33 2011   pkcs11_cert_private = DISABLED
Sun Nov 13 09:39:33 2011 us=31000   pkcs11_cert_private = DISABLED
Sun Nov 13 09:39:33 2011 us=31000   pkcs11_cert_private = DISABLED
Sun Nov 13 09:39:33 2011 us=31000   pkcs11_cert_private = DISABLED
Sun Nov 13 09:39:33 2011 us=31000   pkcs11_cert_private = DISABLED
Sun Nov 13 09:39:33 2011 us=31000   pkcs11_cert_private = DISABLED
Sun Nov 13 09:39:33 2011 us=31000   pkcs11_cert_private = DISABLED
Sun Nov 13 09:39:33 2011 us=31000   pkcs11_pin_cache_period = -1
Sun Nov 13 09:39:33 2011 us=31000   pkcs11_id = '[UNDEF]'
Sun Nov 13 09:39:33 2011 us=31000   pkcs11_id_management = DISABLED
Sun Nov 13 09:39:33 2011 us=31000   server_network = 0.0.0.0
Sun Nov 13 09:39:33 2011 us=31000   server_netmask = 0.0.0.0
Sun Nov 13 09:39:33 2011 us=31000   server_bridge_ip = 0.0.0.0
Sun Nov 13 09:39:33 2011 us=31000   server_bridge_netmask = 0.0.0.0
Sun Nov 13 09:39:33 2011 us=31000   server_bridge_pool_start = 0.0.0.0
Sun Nov 13 09:39:33 2011 us=62000   server_bridge_pool_end = 0.0.0.0
Sun Nov 13 09:39:33 2011 us=62000   ifconfig_pool_defined = DISABLED
Sun Nov 13 09:39:33 2011 us=62000   ifconfig_pool_start = 0.0.0.0
Sun Nov 13 09:39:33 2011 us=62000   ifconfig_pool_end = 0.0.0.0
Sun Nov 13 09:39:33 2011 us=62000   ifconfig_pool_netmask = 0.0.0.0
Sun Nov 13 09:39:33 2011 us=62000   ifconfig_pool_persist_filename = '[UNDEF]'
Sun Nov 13 09:39:33 2011 us=62000   ifconfig_pool_persist_refresh_freq = 600
Sun Nov 13 09:39:33 2011 us=62000   n_bcast_buf = 256
Sun Nov 13 09:39:33 2011 us=62000   tcp_queue_limit = 64
Sun Nov 13 09:39:33 2011 us=62000   real_hash_size = 256
Sun Nov 13 09:39:33 2011 us=62000   virtual_hash_size = 256
Sun Nov 13 09:39:33 2011 us=62000   client_connect_script = '[UNDEF]'
Sun Nov 13 09:39:33 2011 us=62000   learn_address_script = '[UNDEF]'
Sun Nov 13 09:39:33 2011 us=62000   client_disconnect_script = '[UNDEF]'
Sun Nov 13 09:39:33 2011 us=62000   client_config_dir = '[UNDEF]'
Sun Nov 13 09:39:33 2011 us=78000   ccd_exclusive = DISABLED
Sun Nov 13 09:39:33 2011 us=78000   tmp_dir = '[UNDEF]'
Sun Nov 13 09:39:33 2011 us=78000   push_ifconfig_defined = DISABLED
Sun Nov 13 09:39:33 2011 us=78000   push_ifconfig_local = 0.0.0.0
Sun Nov 13 09:39:33 2011 us=78000   push_ifconfig_remote_netmask = 0.0.0.0
Sun Nov 13 09:39:33 2011 us=78000   enable_c2c = DISABLED
Sun Nov 13 09:39:33 2011 us=78000   duplicate_cn = DISABLED
Sun Nov 13 09:39:33 2011 us=78000   cf_max = 0
Sun Nov 13 09:39:33 2011 us=78000   cf_per = 0
Sun Nov 13 09:39:33 2011 us=78000   max_clients = 1024
Sun Nov 13 09:39:33 2011 us=78000   max_routes_per_client = 256
Sun Nov 13 09:39:33 2011 us=78000   auth_user_pass_verify_script = '[UNDEF]'
Sun Nov 13 09:39:33 2011 us=78000   auth_user_pass_verify_script_via_file = DISABLED
Sun Nov 13 09:39:33 2011 us=78000   ssl_flags = 0
Sun Nov 13 09:39:33 2011 us=78000   client = ENABLED
Sun Nov 13 09:39:33 2011 us=109000   pull = ENABLED
Sun Nov 13 09:39:33 2011 us=109000   auth_user_pass_file = '[UNDEF]'
Sun Nov 13 09:39:33 2011 us=109000   show_net_up = DISABLED
Sun Nov 13 09:39:33 2011 us=109000   route_method = 0
Sun Nov 13 09:39:33 2011 us=109000   ip_win32_defined = DISABLED
Sun Nov 13 09:39:33 2011 us=109000   ip_win32_type = 3
Sun Nov 13 09:39:33 2011 us=109000   dhcp_masq_offset = 0
Sun Nov 13 09:39:33 2011 us=109000   dhcp_lease_time = 31536000
Sun Nov 13 09:39:33 2011 us=109000   tap_sleep = 0
Sun Nov 13 09:39:33 2011 us=109000   dhcp_options = DISABLED
Sun Nov 13 09:39:33 2011 us=109000   dhcp_renew = DISABLED
Sun Nov 13 09:39:33 2011 us=109000   dhcp_pre_release = DISABLED
Sun Nov 13 09:39:33 2011 us=109000   dhcp_release = DISABLED
Sun Nov 13 09:39:33 2011 us=109000   domain = '[UNDEF]'
Sun Nov 13 09:39:33 2011 us=109000   netbios_scope = '[UNDEF]'
Sun Nov 13 09:39:33 2011 us=109000   netbios_node_type = 0
Sun Nov 13 09:39:33 2011 us=156000   disable_nbt = DISABLED
Sun Nov 13 09:39:33 2011 us=156000 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov  8 2010
Sun Nov 13 09:39:33 2011 us=156000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Nov 13 09:39:33 2011 us=421000 LZO compression initialized
Sun Nov 13 09:39:33 2011 us=421000 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sun Nov 13 09:39:33 2011 us=421000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Nov 13 09:39:33 2011 us=437000 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Nov 13 09:39:33 2011 us=437000 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Nov 13 09:39:33 2011 us=437000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Nov 13 09:39:33 2011 us=437000 Local Options hash (VER=V4): 'bc07730e'
Sun Nov 13 09:39:33 2011 us=437000 Expected Remote Options hash (VER=V4): 'b695cb4a'
Sun Nov 13 09:39:33 2011 us=437000 Attempting to establish TCP connection with XX.XX.XX.XX:1194
Sun Nov 13 09:39:54 2011 us=515000 TCP: connect to XX.XX.XX.XX:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)

Connecting from LAN -

......
........
Sun Nov 13 09:37:46 2011 us=187000 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov  8 2010
Sun Nov 13 09:37:46 2011 us=187000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Nov 13 09:37:46 2011 us=437000 LZO compression initialized
Sun Nov 13 09:37:46 2011 us=437000 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sun Nov 13 09:37:46 2011 us=453000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Nov 13 09:37:46 2011 us=484000 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Nov 13 09:37:46 2011 us=484000 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Nov 13 09:37:46 2011 us=484000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Nov 13 09:37:46 2011 us=484000 Local Options hash (VER=V4): 'bc07730e'
Sun Nov 13 09:37:46 2011 us=484000 Expected Remote Options hash (VER=V4): 'b695cb4a'
Sun Nov 13 09:37:46 2011 us=484000 Attempting to establish TCP connection with XX.XX.XX.XX:1194
Sun Nov 13 09:37:46 2011 us=484000 TCP connection established with XX.XX.XX.XX:1194
Sun Nov 13 09:37:46 2011 us=484000 TCPv4_CLIENT link local: [undef]
Sun Nov 13 09:37:46 2011 us=484000 TCPv4_CLIENT link remote: XX.XX.XX.XX:1194
Sun Nov 13 09:37:46 2011 us=500000 TLS: Initial packet from XX.XX.XX.XX:1194, sid=960e91a4 ebc4749f
Sun Nov 13 09:37:47 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=XXXXXX/O=XXXXX/CN=XXXXX/emailAddress=XXXXXX@domain.com
Sun Nov 13 09:37:47 2011 VERIFY OK: nsCertType=SERVER
Sun Nov 13 09:37:47 2011 VERIFY OK: depth=0, /C=US/ST=CA/O=XXXXX/CN=XXXXX/emailAddress=XXXXXX@domain.com
Sun Nov 13 09:37:47 2011 us=125000 Connection reset, restarting [0]
Sun Nov 13 09:37:47 2011 us=125000 TCP/UDP: Closing socket
Sun Nov 13 09:37:47 2011 us=125000 SIGUSR1[soft,connection-reset] received, process restarting
Sun Nov 13 09:37:47 2011 us=125000 Restart pause, 5 second(s)
Sun Nov 13 09:37:52 2011 us=125000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Nov 13 09:37:52 2011 us=125000 Re-using SSL/TLS context

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OpenVPN: Keeps restarting and/or Connection timeout

Post by janjust » Sun Nov 13, 2011 10:18 pm

post the server log (esp with 'verb 5' added to the server config file); it should give a good hint why all connections are failing.

buckan
OpenVpn Newbie
Posts: 7
Joined: Sun Nov 13, 2011 6:12 pm

Re: OpenVPN: Keeps restarting and/or Connection timeout

Post by buckan » Mon Nov 14, 2011 9:20 am

Thanks janjust. I've added verb 5 to the server config. Any help is appreciated!

Following is the server log (dd-wrt) when connecting from my LAN

Nov 14 01:09:18 XXXXXXX daemon.notice openvpn[8896]: 192.168.1.103:53330 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 14 01:09:18 XXXXXXX daemon.notice openvpn[8896]: 192.168.1.103:53330 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 14 01:09:18 XXXXXXX daemon.notice openvpn[8896]: 192.168.1.103:53330 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 14 01:09:18 XXXXXXX daemon.notice openvpn[8896]: 192.168.1.103:53330 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 14 01:09:18 XXXXXXX daemon.notice openvpn[8896]: 192.168.1.103:53330 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Nov 14 01:09:18 XXXXXXX daemon.notice openvpn[8896]: 192.168.1.103:53330 [client1] Peer Connection Initiated with 192.168.1.103:53330
Nov 14 01:09:18 XXXXXXX daemon.notice openvpn[8896]: client1/192.168.1.103:53330 MULTI: Learn: 10.8.0.6 -> client1/192.168.1.103:53330
Nov 14 01:09:18 XXXXXXX daemon.notice openvpn[8896]: client1/192.168.1.103:53330 MULTI: primary virtual IP for client1/192.168.1.103:53330: 10.8.0.6
Nov 14 01:09:20 XXXXXXX daemon.notice openvpn[8896]: client1/192.168.1.103:53330 PUSH: Received control message: 'PUSH_REQUEST'
Nov 14 01:09:20 XXXXXXX daemon.notice openvpn[8896]: client1/192.168.1.103:53330 SENT CONTROL [client1]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)

Following is the server log when connecting from the internet -

Nov 14 01:12:41 XXXXXXX daemon.notice openvpn[9502]: 192.168.1.103:53457 VERIFY OK: depth=1, /C=US/ST=CA/L=XXXXX/O=XXXXX/CN=XXXXX/emailAddress=XXXXXX@domain.com
Nov 14 01:12:41 XXXXXXX daemon.notice openvpn[9502]: 192.168.1.103:53457 VERIFY OK: depth=0, /C=US/ST=CA/O=XXXXX/CN=XXXXX/emailAddress=XXXXXX@domain.com
Nov 14 01:12:42 XXXXXXX daemon.notice openvpn[9502]: 192.168.1.103:53457 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 14 01:12:42 XXXXXXX daemon.notice openvpn[9502]: 192.168.1.103:53457 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 14 01:12:42 XXXXXXX daemon.notice openvpn[9502]: 192.168.1.103:53457 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 14 01:12:42 XXXXXXX daemon.notice openvpn[9502]: 192.168.1.103:53457 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 14 01:12:42 XXXXXXX daemon.notice openvpn[9502]: 192.168.1.103:53457 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Nov 14 01:12:42 XXXXXXX daemon.notice openvpn[9502]: 192.168.1.103:53457 [client1] Peer Connection Initiated with 192.168.1.103:53457
Nov 14 01:12:42 XXXXXXX daemon.notice openvpn[9502]: client1/192.168.1.103:53457 MULTI: Learn: 10.8.0.6 -> client1/192.168.1.103:53457
Nov 14 01:12:42 XXXXXXX daemon.notice openvpn[9502]: client1/192.168.1.103:53457 MULTI: primary virtual IP for client1/192.168.1.103:53457: 10.8.0.6
Nov 14 01:12:44 XXXXXXX daemon.notice openvpn[9502]: client1/192.168.1.103:53457 PUSH: Received control message: 'PUSH_REQUEST'
Nov 14 01:12:44 XXXXXXX daemon.notice openvpn[9502]: client1/192.168.1.103:53457 SENT CONTROL [client1]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
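
An added cross-check, written for this page rather than taken from the thread or from OpenVPN itself: the client's verb 4 log prints the option string it expects the server to be running, while the server's verb 5 log prints the data-channel cipher and HMAC it actually initialised for the session. Parsing both and diffing them pinpoints the one field that disagrees. The sample lines are copied from the logs in this thread (trimmed to what the check needs); the function names and the set of fields compared are this example's own.

```python
import re

# Sample lines copied from the client (verb 4) and server (verb 5) logs
# posted in this thread; only the lines the check needs are kept.
CLIENT_LOG = """\
Sun Nov 13 09:37:46 2011 us=484000 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Nov 13 09:37:46 2011 us=484000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
"""
SERVER_LOG = """\
Nov 14 01:09:18 XXXXXXX daemon.notice openvpn[8896]: 192.168.1.103:53330 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 14 01:09:18 XXXXXXX daemon.notice openvpn[8896]: 192.168.1.103:53330 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 14 01:09:18 XXXXXXX daemon.notice openvpn[8896]: 192.168.1.103:53330 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
"""


def parse_options_string(log, label="Expected Remote Options String"):
    """Turn an OpenVPN options string ('V4,dev-type tun,cipher AES-128-CBC,...')
    into a dict. Bare flags such as 'comp-lzo' map to an empty string."""
    m = re.search(rf"{label}: '([^']*)'", log)
    if not m:
        raise ValueError(f"no '{label}' line found")
    opts = {}
    for item in m.group(1).split(","):
        key, _, value = item.partition(" ")
        opts[key] = value
    return opts


# What the server's verb 5 log says it really initialised for the data channel.
SERVER_PATTERNS = {
    "cipher": r"Data Channel Encrypt: Cipher '([^']+)' initialized",
    "keysize": r"Cipher '[^']+' initialized with (\d+) bit key",
    "auth": r"Using \d+ bit message hash '([^']+)' for HMAC",
}


def parse_server_data_channel(log):
    """Collect cipher, key size and HMAC digest from the server log."""
    found = {}
    for key, pattern in SERVER_PATTERNS.items():
        m = re.search(pattern, log)
        if m:
            found[key] = m.group(1)
    return found


def options_mismatches(client_log, server_log):
    """Fields where the server's negotiated value differs from what the client
    expects of it; returns {field: (client_expects, server_has)}."""
    expected = parse_options_string(client_log)
    actual = parse_server_data_channel(server_log)
    return {k: (expected.get(k), v) for k, v in actual.items()
            if expected.get(k) != v}


if __name__ == "__main__":
    for name, (want, have) in options_mismatches(CLIENT_LOG, SERVER_LOG).items():
        print(f"{name}: client expects {want!r}, server negotiated {have!r}")
```

Run against the two logs above it reports only `cipher: client expects 'AES-128-CBC', server negotiated 'BF-CBC'`; key size and HMAC agree. OpenVPN would itself print a `WARNING: 'cipher' is used inconsistently` line on the peer that receives the other side's option string, but the posted client log resets before it gets that far, so the server's own lines are the only place the negotiated cipher is visible. Note that dropping `cipher` from the client makes the two sides agree only because both then fall back to the 2.1 default BF-CBC; setting the same cipher explicitly on both sides is the deliberate way to make them agree.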

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OpenVPN: Keeps restarting and/or Connection timeout

Post by janjust » Mon Nov 14, 2011 9:50 am

it looks like the client sees a disconnect (TCP) but the server does not see this? that's almost surely a firewall/iptables issue, but I would have expected the server to also see the TCP disconnect....

buckan
OpenVpn Newbie
Posts: 7
Joined: Sun Nov 13, 2011 6:12 pm

Re: OpenVPN: Keeps restarting and/or Connection timeout

Post by buckan » Fri Nov 25, 2011 3:21 am

After numerous attempts and increasing the logging, I figured that there was an issue w/ the cipher specified within the client config file. Once removed, I was able to connect and maintain a VPN connection, but that was only from within my home network.

When accessed from the internet, the firewall drops/refuses the connection and hence I'm getting a

TCP: connect to X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)

The firewall log on my dd-wrt router indicates the following -

Nov 24 17:45:37 XXXX user.warn kernel: DROP IN=vlan1 OUT= MAC=00:23:69:5b:78:28:00:01:5c:32:79:41:08:08:45:20:08:48 SRC=X.X.Y.Y DST=X.X.X.X LEN=64 TOS=0x00 PREC=0x20 TTL=62 ID=26235 DF PROTO=TCP SPT=58247 DPT=1194 SEQ=3194609285 ACK=0 WINDOW=65535 RES=0

Following is the firewall -

# Long options take two dashes. With a single dash iptables reads
# "-dport 1194" as "-d port" and "-source ..." as "-s ource" and rejects the rule,
# which is consistent with the INPUT listing below containing no dpt:1194 rule.
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 -s 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

I'm sure I'm missing something obvious/basic. Help please. :(

Thanks in advance.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OpenVPN: Keeps restarting and/or Connection timeout

Post by janjust » Fri Nov 25, 2011 8:42 am

post the contents of

iptables -L -n -v
iptables -t nat -L -n -v

and I am sure we can spot the iptables misconfiguration...

buckan
OpenVpn Newbie
Posts: 7
Joined: Sun Nov 13, 2011 6:12 pm

Re: OpenVPN: Keeps restarting and/or Connection timeout

Post by buckan » Sat Nov 26, 2011 2:44 am

Here ya go janjust and thanks for the help -

iptables -nvL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 3744  373K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       udp  --  vlan1  *       0.0.0.0/0            0.0.0.0/0           udp dpt:520 
    0     0 DROP       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:520 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520 
    1    28 logdrop    icmp --  vlan1  *       0.0.0.0/0            0.0.0.0/0           
    0     0 logdrop    2    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW 
  744 58969 logaccept  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW 
  291 73167 logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  tun0   br0     0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  br0    tun0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     47   --  *      vlan1   192.168.1.0/24       0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      vlan1   192.168.1.0/24       0.0.0.0/0           tcp dpt:1723 
    0     0 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0           
  616 36596 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
 5506 1963K lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
 4747 1898K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 TRIGGER    0    --  vlan1  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0 
  759 65269 trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           
  759 65269 logaccept  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
Chain OUTPUT (policy ACCEPT 4538 packets, 1893K bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_1 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_10 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_2 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_3 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_4 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_5 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_6 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_7 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_8 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_9 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_1 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_10 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_2 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_3 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_4 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_5 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_6 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_7 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_8 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_9 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain lan2wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain logaccept (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 1503  124K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           
Chain logdrop (4 references)
 pkts bytes target     prot opt in     out     source               destination         
  292 73195 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW LOG flags 7 level 4 prefix `DROP ' 
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID LOG flags 7 level 4 prefix `DROP ' 
  292 73195 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           
Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 7 level 4 prefix `WEBDROP ' 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp reject-with tcp-reset 
Chain trigger_out (1 references)
 pkts bytes target     prot opt in     out     source               destination         

iptables -t nat -nvL

Chain PREROUTING (policy ACCEPT 1652 packets, 248K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    28 DNAT       icmp --  *      *       0.0.0.0/0            X.X.X.X       to:192.168.1.1 
  164 25901 TRIGGER    0    --  *      *       0.0.0.0/0            X.X.X.X       TRIGGER type:dnat match:0 relate:0 
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  681 58520 SNAT       0    --  *      vlan1   0.0.0.0/0            0.0.0.0/0           to:X.X.X.X 
    0     0 RETURN     0    --  *      br0     0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast 
    1   341 MASQUERADE  0    --  *      br0     192.168.1.0/24       192.168.1.0/24      
Chain OUTPUT (policy ACCEPT 385 packets, 28252 bytes)
 pkts bytes target     prot opt in     out     source               destination 

buckan
OpenVpn Newbie
Posts: 7
Joined: Sun Nov 13, 2011 6:12 pm

Re: OpenVPN: Keeps restarting and/or Connection timeout

Post by buckan » Sat Nov 26, 2011 7:42 pm

Help please...

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: OpenVPN: Keeps restarting and/or Connection timeout

Post by janjust » Sun Nov 27, 2011 11:06 pm

You're not allowing any inbound traffic on UDP port 1194, which is needed for OpenVPN; try adding


iptables -I INPUT -p udp --dport 1194 -i vlan1 -j ACCEPT
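
An added check, not part of this thread and not OpenVPN's or the router firmware's own code: a POSIX shell script that derives the protocol and port the server really listens on from the server config (OpenVPN defaults to UDP and port 1194 only when `proto` and `port` are absent) and confirms that the INPUT chain holds an ACCEPT rule for exactly that protocol/port pair, printing the rule to add when it is missing. The config text and the `iptables -S INPUT` output are constructed samples embedded in the script, modelled on the thread, with the WAN interface name vlan1 taken from the dumps above; to run it on a real router, replace the two samples with the live config and the output of `iptables -S INPUT`.

```shell
#!/bin/sh
# Added example (not from the thread): check that the firewall's INPUT rules
# admit the protocol/port the OpenVPN server actually listens on. Works on
# plain text (server config and `iptables -S INPUT` output) so it runs offline.

# Constructed sample: a server config in the style of the one in the thread.
# No "port" line, so OpenVPN's default 1194 applies; "proto tcp" means a
# UDP-only accept rule would not let the TCP handshake through.
SERVER_CONF='push "route 192.168.1.0 255.255.255.0"
server 10.8.0.0 255.255.255.0
dev tun0
proto tcp
keepalive 10 120'

# Constructed sample of `iptables -S INPUT`: only a UDP rule for 1194 exists.
INPUT_RULES='-P INPUT ACCEPT
-A INPUT -i vlan1 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j logdrop'

# listen_proto CONFIG -> "tcp" or "udp"
# tcp-server, tcp-client, tcp6 etc. all collapse to tcp; absent proto means udp.
listen_proto() {
    p=$(printf '%s\n' "$1" | awk '$1=="proto"{print $2; exit}')
    case "$p" in
        tcp*)    echo tcp ;;
        udp*|'') echo udp ;;
        *)       echo "$p" ;;
    esac
}

# listen_port CONFIG -> port number (OpenVPN default is 1194)
listen_port() {
    p=$(printf '%s\n' "$1" | awk '$1=="port"{print $2; exit}')
    echo "${p:-1194}"
}

# input_allows RULES PROTO PORT -> exit 0 if an ACCEPT rule matches, 1 otherwise
# Matches "-A INPUT ... -p PROTO ... --dport PORT ... -j ACCEPT" regardless of
# the interface restriction, so a rule without "-i vlan1" also counts.
input_allows() {
    printf '%s\n' "$1" | grep -E -- "^-A INPUT .*-p $2 .*--dport $3 .*-j ACCEPT" >/dev/null
}

# missing_rule RULES CONFIG WANIF -> prints the iptables command to add, or
# nothing when the chain already accepts the server's protocol/port.
missing_rule() {
    proto=$(listen_proto "$2")
    port=$(listen_port "$2")
    if input_allows "$1" "$proto" "$port"; then
        return 0
    fi
    echo "iptables -I INPUT -i $3 -p $proto --dport $port -j ACCEPT"
}

# Stand-alone run: reports the rule the constructed sample is missing.
missing_rule "$INPUT_RULES" "$SERVER_CONF" vlan1
```

The point of deriving the protocol from the config rather than typing it is that OpenVPN's firewall rule has to match what the daemon binds to; an accept rule for the wrong transport leaves the listener unreachable from the WAN even though a rule for "1194" is visibly present.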
