OpenVPN Connect for Windows not working

Post Reply
McSanz
OpenVpn Newbie
Posts: 7
Joined: Mon Oct 22, 2018 11:29 am

OpenVPN Connect for Windows not working

Post by McSanz » Mon Oct 22, 2018 11:39 am

Dear community,

I recently set up an OpenVPN Access Server and now I'm testing all the functions. Everything works great so far.

Unfortunately, I have a small problem with the Connect Client for Windows. When I log in to the Web GUI and download the MSI installer, the Connect client cannot establishe a VPN tunnel after installation. The capi.log of the client contains the following:

Code: Select all

[XMLProxyQueryProtocol,client] DynamicClientBase: None: client/dyncli:90,internet/defer:744,python/failure:338,client/dyncli:128,internet/defer:744,python/failure:338,client/asxmlcli:100,internet/defer:744,python/failure:338,client/asxmlcli:129,internet/defer:744,python/failure:338,client/asxmlcli:190 (pyovpn.client.asxmlcli.NotXMLRPCServerError)
When I download the profile and import it into the Connect client, the VPN connection works perfectly.
I have already generated an MSI installer for the corresponding user via the sacli tool. Even so, the connection worked flawlessly.
Only if I download the installer from the web GUI, it will not work.

Any ideas what the problem can be or how to troubleshoot this?

Many thanks!

novaflash
I should be on the dev team.
Posts: 755
Joined: Fri Apr 13, 2012 8:43 pm

Re: OpenVPN Connect for Windows not working

Post by novaflash » Mon Oct 22, 2018 1:29 pm

By default the OpenVPN Connect Client uses a server-locked profile, which uses the web services of the Access Server to securely negotiate for a connection profile for any valid user account on the Access Server. This is different from using a user-locked profile which, as its name suggests, is locked to one specific user account. Auto-login is also user-locked but doesn't require credentials to log in.

> (pyovpn.client.asxmlcli.NotXMLRPCServerError)

This indicates that the web service the client is hitting is not an XML-RPC server, so it's some other service, maybe some web server or whatever. Make sure the web services of the Access Server are reachable and it should then function normally. Or manually load user-locked or auto-login type connection profiles into the client, that also works.

McSanz
OpenVpn Newbie
Posts: 7
Joined: Mon Oct 22, 2018 11:29 am

Re: OpenVPN Connect for Windows not working

Post by McSanz » Mon Oct 22, 2018 2:19 pm

Thank you for the feedback!

When I switch to auto-login, downloading, installing and connecting with the Connect Client works without any problems. Also manually loading the user-locked profile works.

But perfect would be, if can download, install and connect with the Connect Client with user-locked connections, no auto-login and no manually loading.

I use a reverse-proxy for accessing the Access Server. Could this cause any problems?
When I access the URL via web browser, the rewriting of the proxy works and I can login to the Access Server.

I'm wondering, why the MSI installer works, when I create it with the sacli tool. Could it be, that the web gui does not provide the right installer file for download?
Maybe I'm just thinking the wrong way...

novaflash
I should be on the dev team.
Posts: 755
Joined: Fri Apr 13, 2012 8:43 pm

Re: OpenVPN Connect for Windows not working

Post by novaflash » Mon Oct 22, 2018 2:24 pm

> But perfect would be, if can download, install and connect with the Connect Client with user-locked connections, no auto-login and no manually loading.

See documentation to learn how to create installers that contain user-locked profiles:
https://openvpn.net/vpn-server-resource ... nstallers/

> I use a reverse-proxy for accessing the Access Server. Could this cause any problems?

Yes.

> I'm wondering, why the MSI installer works, when I create it with the sacli tool. Could it be, that the web gui does not provide the right installer file for download?

Because then it is loaded with a user-locked profile or an auto-login profile, not with server-locked profile. Only the server-locked profile communicates through the web services. The web services are unreachable, apparently, so therefore there are problems when you use the default server-locked profile.

McSanz
OpenVpn Newbie
Posts: 7
Joined: Mon Oct 22, 2018 11:29 am

Re: OpenVPN Connect for Windows not working

Post by McSanz » Mon Oct 22, 2018 3:03 pm

I have read the documentation on how to create installers that contain user-locked profile. But I can't find a hint on how to provide such installers at the Client Web Service.
So I guess offering user-locked profile preconfigured within the installer, that can be downloaded via Client Web Service, is simply not possible, right? Or do I miss something?

I cannot really understand why XML-RPC is not working, since HTTPS works properly. Does it use a different port than 443?

Thanks a lot for your efforts!

novaflash
I should be on the dev team.
Posts: 755
Joined: Fri Apr 13, 2012 8:43 pm

Re: OpenVPN Connect for Windows not working

Post by novaflash » Mon Oct 22, 2018 3:27 pm

> So I guess offering user-locked profile preconfigured within the installer, that can be downloaded via Client Web Service, is simply not possible, right? Or do I miss something?

Correct. Server-locked profiles are used for ordinary users, auto-login profiles are used for auto-login users.

> I cannot really understand why XML-RPC is not working, since HTTPS works properly. Does it use a different port than 443?

I cannot answer that. I can only tell you that the client says that the web service it is hitting is apparently not an XML-RPC server. That's all I know. It seems likely that the reverse proxy stuff is causing this issue. Possibly if the ports on the outside are different than configured on the Access Server could explain this problem, but I just don't know your situation. I suggest you do some trial and error tests and run packet captures to see what's going on. I'd suggest removing the reverse proxy entirely and see if it works as expected then.

McSanz
OpenVpn Newbie
Posts: 7
Joined: Mon Oct 22, 2018 11:29 am

Re: OpenVPN Connect for Windows not working

Post by McSanz » Mon Oct 22, 2018 5:29 pm

Now I understand that, thanks a lot! :)

The problem really seems to be the reverse proxy, because without it everything works perfect.
But unforunately, using the ovpn-as without the proxy is no option for me.

I have now tried for hours to fix the proxy problem - without success.
I use an IIS as proxy. It seems that just the XML-RPC calls are not forwarded to the ovpn-as. Any ideas?
When I try to access the API via web browser (https://<myURL>/rest/GetUserlogin), I get a response with the whole user profile.

novaflash
I should be on the dev team.
Posts: 755
Joined: Fri Apr 13, 2012 8:43 pm

Re: OpenVPN Connect for Windows not working

Post by novaflash » Mon Oct 22, 2018 8:34 pm

I'm sorry, I don't know why it doesn't work. For that you'll have to check around to see if there's any work done on that with IIS as reverse proxy. We certainly do not support this, as we know that these type of problems can occur.

McSanz
OpenVpn Newbie
Posts: 7
Joined: Mon Oct 22, 2018 11:29 am

Re: OpenVPN Connect for Windows not working

Post by McSanz » Wed Oct 24, 2018 6:14 am

It was hard work, but I managed to clearly identify the problem now.

My reverse proxy is configured to redirect all requests from "vpn.mydomain.com" to ovpn-as. That works wonderful so far, but not for the RPC call from the Connect Client.
The reason for that is, that the client unfortunately does not call the RPC with the domain, but directly with the IP address and the addition "/RPC2". So, my redirect condition on the subdomain did not work for "https://myIP/RPC2" .

As a workaround, I have now added another condition that also redirects each URL with "/RPC2" to my ovpn-as and now everything works. :)

In my view, this is a small weakness in the software design of the Connect Client. Because a second application, which may also use the URL "/RPC2", can therefore not be handled with my proxy.

Please do not get me wrong, that should not be a reproach, but a well-intentioned constructive criticism.

Thank you so much for your support, that has put me on the right path.

novaflash
I should be on the dev team.
Posts: 755
Joined: Fri Apr 13, 2012 8:43 pm

Re: OpenVPN Connect for Windows not working

Post by novaflash » Wed Oct 24, 2018 10:18 am

Can you check in the log file that the client is connecting to the host name, and not the IP?

You may simply need to update your settings so your clients are instructed to use the hostname instead of IP.

McSanz
OpenVpn Newbie
Posts: 7
Joined: Mon Oct 22, 2018 11:29 am

Re: OpenVPN Connect for Windows not working

Post by McSanz » Thu Oct 25, 2018 6:06 am

I'm not exactly sure what you mean. Sorry!
I used request tracing on the reverse proxy to find out, that the Connect Client uses the IP address and not the hostname.

Where can I find this setting, to configure the clients to use the hostname instead of the IP?

novaflash
I should be on the dev team.
Posts: 755
Joined: Fri Apr 13, 2012 8:43 pm

Re: OpenVPN Connect for Windows not working

Post by novaflash » Thu Oct 25, 2018 6:44 am

It's the 'host name or IP address' setting in the network settings page in the admin UI.

Doesn't take effect on the client until it has been provided with a new copy of the connection profile.

novaflash
I should be on the dev team.
Posts: 755
Joined: Fri Apr 13, 2012 8:43 pm

Re: OpenVPN Connect for Windows not working

Post by novaflash » Thu Oct 25, 2018 6:45 am

Oh. But in any case, again, we do not support reverse proxy. So, sorry.

McSanz
OpenVpn Newbie
Posts: 7
Joined: Mon Oct 22, 2018 11:29 am

Re: OpenVPN Connect for Windows not working

Post by McSanz » Thu Oct 25, 2018 7:32 am

The "host name or IP address" setting ist configured to the hostname since the beginning of all my tests.
So for me it looks like this setting doesn't take any affect on the XML-RPC call, which I mean is not perfectly solved within the client. The VPN tunnel itself uses the hostname, so that is no problem.

However, additional URL rewriting on '/RPC2' is a small blemish, but for now, I can live with it... ;)

Post Reply