openvpn server behind cradlepoint nat

billsey
OpenVpn Newbie
Posts: 3
Joined: Tue Sep 10, 2019 11:14 pm

openvpn server behind cradlepoint nat

Post by billsey » Tue Sep 10, 2019 11:22 pm

My OpenVPN server is on a Mikrotik router, and the router is behind a CradlePoint CBA850 providing failover switching to a cell signal if the main fiber goes down. That puts my OpenVPN double NATed from the public address provided by either the fiber link or the wireless link. I've done what seems to be obvious in port forwarding 1194, but any attempt to connect to the VPN server just times out. Here is what I see on the client side:

Tue Sep 10 16:18:38 2019 MANAGEMENT: >STATE:1568157518,WAIT,,,,,,
Tue Sep 10 16:19:38 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Sep 10 16:19:38 2019 TLS Error: TLS handshake failed
Tue Sep 10 16:19:38 2019 SIGUSR1[soft,tls-error] received, process restarting
I tried setting the Mikrotik as a DMZ on the CradlePoint without success in addition to just doing the port forward. Any ideas as to what I need to do to get this working? If I take the Cradlepoint out of the picture everything works as expected, but we lose the failover.

TinCanTech
OpenVPN Protagonist
Posts: 5920
Joined: Fri Jun 03, 2016 1:17 pm

Re: openvpn server behind cradlepoint nat

Post by TinCanTech » Tue Sep 10, 2019 11:32 pm

billsey wrote:
Tue Sep 10, 2019 11:22 pm
If I take the Cradlepoint out of the picture everything works as expected

billsey
OpenVpn Newbie
Posts: 3
Joined: Tue Sep 10, 2019 11:14 pm

Re: openvpn server behind cradlepoint nat

Post by billsey » Wed Sep 11, 2019 4:32 am

TinCanTech wrote:
Tue Sep 10, 2019 11:32 pm
billsey wrote:
Tue Sep 10, 2019 11:22 pm
If I take the Cradlepoint out of the picture everything works as expected
But we lose the failover. :(

Pippin
OpenVPN Expert
Posts: 465
Joined: Wed Jul 01, 2015 8:03 am

Re: openvpn server behind cradlepoint nat

Post by Pippin » Wed Sep 11, 2019 5:28 pm

Your WAN side IP from cell is different than that from fiber.
Can Cradle thingy do DDNS?

billsey
OpenVpn Newbie
Posts: 3
Joined: Tue Sep 10, 2019 11:14 pm

Re: openvpn server behind cradlepoint nat

Post by billsey » Wed Sep 11, 2019 6:18 pm

Yes, that's not the problem. The problem is that any attempt to connect a VPN client to either of the outside addresses of the Cradlepoint times out, even though 1194 is port forwarded to the Mikrotik. My assumption is that the NAT happening at the Cradlepoint confuses the encryption negotiation.
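
Added example, not part of any post in this thread: a small probe that sends the first OpenVPN handshake packet to port 1194 over UDP and TCP and reports whether a server answers, which separates "the forward never delivers packets" from a later TLS problem. It assumes the server does not use tls-auth or tls-crypt (otherwise the server silently drops the unauthenticated packet), and the target address is supplied on the command line.

```python
import os
import socket
import struct
import sys

# OpenVPN control-channel opcodes (upper 5 bits of the first byte).
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8


def build_client_reset(session_id=None):
    """First packet of a handshake: opcode/key-id byte, 8-byte session id,
    empty ACK array, packet id 0 (valid only without tls-auth/tls-crypt)."""
    session_id = session_id or os.urandom(8)
    first = P_CONTROL_HARD_RESET_CLIENT_V2 << 3  # key id 0
    return bytes([first]) + session_id + b"\x00" + struct.pack("!I", 0)


def is_server_reset(payload):
    """True if the payload carries the server's hard-reset opcode."""
    return len(payload) >= 9 and payload[0] >> 3 == P_CONTROL_HARD_RESET_SERVER_V2


def probe(host, port=1194, proto="udp", timeout=5.0):
    """Send one client reset (16-bit length prefix on TCP); report the outcome."""
    pkt = build_client_reset()
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    try:
        with socket.socket(socket.AF_INET, kind) as s:
            s.settimeout(timeout)
            s.connect((host, port))
            if proto == "tcp":
                s.sendall(struct.pack("!H", len(pkt)) + pkt)
                data = s.recv(2048)[2:]
            else:
                s.send(pkt)
                data = s.recv(2048)
    except socket.timeout:
        return "no-reply"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"
    return "reply" if is_server_reset(data) else "unexpected"


if __name__ == "__main__":
    target = sys.argv[1]  # public address of the fiber or cellular link
    for proto in ("udp", "tcp"):
        print(proto, probe(target, proto=proto))
```

Run from a host outside both NAT layers, "no-reply" on the protocol the server listens on matches the client log above (stuck in WAIT, then the 60-second TLS timeout). The port forward on each NAT device has to use the same protocol, TCP or UDP, as the server.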