openvpn server behind cradlepoint nat

Posted: Tue Sep 10, 2019 11:22 pm
by billsey
My OpenVPN server is on a Mikrotik router, and the router is behind a CradlePoint CBA850 providing failover switching to a cell signal if the main fiber goes down. That puts my OpenVPN double NATed from the public address provided by either the fiber link or the wireless link. I've done what seems to be obvious in port forwarding 1194, but any attempts to connect to the VPN server just times out. Here is what I see on the client side:


Tue Sep 10 16:18:38 2019 MANAGEMENT: >STATE:1568157518,WAIT,,,,,,
Tue Sep 10 16:19:38 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Sep 10 16:19:38 2019 TLS Error: TLS handshake failed
Tue Sep 10 16:19:38 2019 SIGUSR1[soft,tls-error] received, process restarting
I tried setting the Mikrotik as a DMZ on the CradlePoint without success in addition to just doing the port forward. Any ideas as to what I need to do to get this working? If I take the Cradlepoint out of the picture everything works as expected, but we lose the failover.

Re: openvpn server behind cradlepoint nat

Posted: Tue Sep 10, 2019 11:32 pm
by TinCanTech
billsey wrote:
Tue Sep 10, 2019 11:22 pm
If I take the Cradlepoint out of the picture everything works as expected

Re: openvpn server behind cradlepoint nat

Posted: Wed Sep 11, 2019 4:32 am
by billsey
TinCanTech wrote:
Tue Sep 10, 2019 11:32 pm
billsey wrote:
Tue Sep 10, 2019 11:22 pm
If I take the Cradlepoint out of the picture everything works as expected
But we lose the failover. :(

Re: openvpn server behind cradlepoint nat

Posted: Wed Sep 11, 2019 5:28 pm
by Pippin
Your WAN side IP from cell is different than that from fiber.
Can Cradle thingy do DDNS?

Re: openvpn server behind cradlepoint nat

Posted: Wed Sep 11, 2019 6:18 pm
by billsey
Yes, that's not the problem. The problem is that any attempt to connect a VPN client to either of the outside addresses of the Cradlepoint times out, even though 1194 is port forwarded to the Mikrotik. My assumption is that the NAT happening at the Cradlepoint confuses the encryption negotiation.
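The client log in the first post and the assumption in this last post point at two different failure classes, and an OpenVPN client log tells them apart: a client that sits in the WAIT state and then reports "TLS key negotiation failed to occur within 60 seconds" never received a single datagram back from the server (a NAT, port-forward or firewall problem somewhere on the path), whereas a client that logs an initial packet from the server and then fails verification did get through the NAT and is failing on certificates or keys. The triage script below is an added example written for this thread; it is not code from the original posts or from the OpenVPN project. The first sample log is the one from the post, the second is constructed to show the other case, and the marker strings are ordinary OpenVPN 2.x client messages.

```python
"""Triage an OpenVPN client log: did the server ever reply, or did the
client time out without receiving anything?

Added example for this forum thread, not from the posts or from OpenVPN.
The sample logs are constructed; LOG_NO_REPLY mirrors the lines in the post."""
import re
from dataclasses import dataclass, field

# Sample 1: the client-side log from the post (double NAT, port 1194 forwarded).
LOG_NO_REPLY = """\
Tue Sep 10 16:18:38 2019 MANAGEMENT: >STATE:1568157518,WAIT,,,,,,
Tue Sep 10 16:19:38 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Sep 10 16:19:38 2019 TLS Error: TLS handshake failed
Tue Sep 10 16:19:38 2019 SIGUSR1[soft,tls-error] received, process restarting
"""

# Sample 2 (constructed): the server answered, so the NAT path works, but the
# certificate chain was rejected. 203.0.113.10 is a documentation address.
LOG_TLS_REJECTED = """\
Tue Sep 10 16:18:38 2019 MANAGEMENT: >STATE:1568157518,WAIT,,,,,,
Tue Sep 10 16:18:38 2019 TLS: Initial packet from [AF_INET]203.0.113.10:1194, sid=0f3c1a2b 9d8e7f60
Tue Sep 10 16:18:39 2019 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain
Tue Sep 10 16:18:39 2019 TLS Error: TLS handshake failed
"""

# Substrings an OpenVPN 2.x client prints only after a datagram arrived
# from the server; any of them proves the forward/NAT path delivered traffic.
SERVER_REPLIED = (
    "TLS: Initial packet from",
    "Peer Connection Initiated",
    "VERIFY ",
    "Initialization Sequence Completed",
)
NO_REPLY_TIMEOUT = "TLS key negotiation failed to occur within"
WAIT_STATE = re.compile(r">STATE:\d+,WAIT,")


@dataclass
class Verdict:
    verdict: str            # connected | no_server_reply | tls_rejected | inconclusive
    reason: str
    saw_wait: bool = False  # client reported the WAIT state (first packet sent, awaiting reply)
    restarts: int = 0       # number of SIGUSR1 "process restarting" events
    evidence: list = field(default_factory=list)


def diagnose(log_text: str) -> Verdict:
    """Classify one client log (one connection attempt or several) by what came back."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    saw_wait = any(WAIT_STATE.search(ln) for ln in lines)
    replied = [ln for ln in lines if any(m in ln for m in SERVER_REPLIED)]
    timed_out = [ln for ln in lines if NO_REPLY_TIMEOUT in ln]
    verify_err = [ln for ln in lines if "VERIFY ERROR" in ln]
    handshake_failed = any("TLS handshake failed" in ln for ln in lines)
    restarts = sum("process restarting" in ln for ln in lines)

    if any("Initialization Sequence Completed" in ln for ln in lines):
        return Verdict("connected", "tunnel came up", saw_wait, restarts, replied[-1:])
    if timed_out and not replied:
        # Nothing ever came back: the outer NAT forward, the inner router's
        # input firewall, or the return route is dropping UDP 1194.
        return Verdict("no_server_reply",
                       "no datagram received from the server before the 60 s timeout; "
                       "check the forward on every NAT hop, the server's input rule, "
                       "and that replies leave via the same WAN the request arrived on",
                       saw_wait, restarts, timed_out[:1])
    if replied and (verify_err or handshake_failed):
        # The path works; the problem is certificates, tls-auth/tls-crypt or ciphers.
        return Verdict("tls_rejected",
                       "server answered, so NAT/port forwarding is fine; the failure is "
                       "in certificate verification or the TLS key material",
                       saw_wait, restarts, (verify_err or replied)[:1])
    return Verdict("inconclusive", "no recognised markers in log", saw_wait, restarts, [])


if __name__ == "__main__":
    for name, text in (("post log", LOG_NO_REPLY), ("constructed log", LOG_TLS_REJECTED)):
        v = diagnose(text)
        print(f"{name}: {v.verdict} ({v.restarts} restart(s)) - {v.reason}")
```

Run against the log from the post it returns no_server_reply, which is the useful conclusion: the TLS layer never got a chance to negotiate, so the fix lies in the two NAT hops (the CradlePoint forward and the Mikrotik's own input firewall for UDP 1194) and in the return path, not in the encryption settings. On a real client, point `diagnose()` at the contents of the client log file or at the output of `openvpn --verb 3`.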