I am really interested in using OpenVPN because of its powerful potentialities.
Now, for my application, I am able to create a stable connection between server and client, both connected to the same wireless network, with (summarizing) a UDP connection on port 1194.
But I would like to use OpenVPN also across different networks, meaning only the server's public IP is known.
If I change the remote server to the public one and keep the same configuration that works for the "same network" case, on the client side I get:
Code:
Thu Jan 18 00:26:31 2018 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Jan 18 00:26:31 2018 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Jan 18 00:26:31 2018 Socket Buffers: R=[212992->131072] S=[212992->131072]
Thu Jan 18 00:26:31 2018 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Jan 18 00:26:31 2018 UDPv4 link local: [undef]
Thu Jan 18 00:26:31 2018 UDPv4 link remote: [AF_INET]133.34.33.141:80
Thu Jan 18 00:27:31 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jan 18 00:27:31 2018 TLS Error: TLS handshake failed
Thu Jan 18 00:27:31 2018 SIGUSR1[soft,tls-error] received, process restarting
Thu Jan 18 00:27:31 2018 Restart pause, 2 second(s)
Thu Jan 18 00:27:33 2018 Socket Buffers: R=[212992->131072] S=[212992->131072]
Thu Jan 18 00:27:33 2018 UDPv4 link local: [undef]
Thu Jan 18 00:27:33 2018 UDPv4 link remote: [AF_INET]133.34.33.141:80
Thu Jan 18 00:28:33 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jan 18 00:28:33 2018 TLS Error: TLS handshake failed
Thu Jan 18 00:28:33 2018 SIGUSR1[soft,tls-error] received, process restarting
Thu Jan 18 00:28:33 2018 Restart pause, 2 second(s)
Thu Jan 18 00:28:35 2018 Socket Buffers: R=[212992->131072] S=[212992->131072]
Trying all possible variations, nothing changes, except for one: TCP over port 80, where on the client side I get:
Code:
Thu Jan 18 00:33:35 2018 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx:80 [nonblock]
Thu Jan 18 00:33:36 2018 TCP connection established with [AF_INET]xxx.xxx.xxx:80
Thu Jan 18 00:33:36 2018 TCPv4_CLIENT link local: [undef]
Thu Jan 18 00:33:36 2018 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx:80
Thu Jan 18 00:33:36 2018 WARNING: Bad encapsulated packet length from peer (15393), which must be > 0 and <= 1604 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Thu Jan 18 00:33:36 2018 Connection reset, restarting [0]
Thu Jan 18 00:33:36 2018 SIGUSR1[soft,connection-reset] received, process restarting
Thu Jan 18 00:33:36 2018 Restart pause, 5 second(s)
In particular, checking with nmap on both sides:
Case 1) nmap run on the client side using the remote public-IP server address, UDP on 1194
Code:
Nmap scan report for public-ip server
Host is up (0.0062s latency).
PORT STATE SERVICE
1194/udp closed openvpn
Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
Case 2) nmap run on the client side using the remote public-IP server address, TCP on 80
Code:
Nmap scan report for public-ip server
Host is up (0.019s latency).
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.62 seconds
Case 1) using the remote public-IP server address, UDP on 1194
Code:
Nmap scan report for localhost
Host is up (0.0062s latency).
PORT STATE SERVICE
1194/udp open/filtered openvpn
Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
Code:
Nmap scan report for localhost
Host is up (0.0062s latency).
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
Run from the server side
Code:
Nmap scan report for localhost
Host is up (0.0062s latency).
PORT STATE SERVICE
1194/udp open/filtered openvpn
Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
Code:
Nmap scan report for local-server-ip = 192.168.x.xxx
Host is up (0.0062s latency).
PORT STATE SERVICE
1194/udp open/filtered openvpn
Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
Also, the common port 80, open for HTTP, prints out a better result, but still no real connection is established because the service on that port is not OpenVPN, I think.
I would be very happy to hear your opinion and/or suggestions about this, also to learn more about OpenVPN.
If you want, I can provide the iptables configuration; I didn't report it here because the modifications didn't lead to different results.
Thank you.
EDIT: here are the configuration files as requested.
Server configuration:
Code:
[oconf=Server configuration]
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
port 1194
# TCP or UDP server?
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh4096.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# ifconfig-push 10.9.0.1 10.9.0.2
;learn-address ./script
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 127.0.1.1"
client-to-client
#duplicate-cn
keepalive 10 120
key-direction 0
tls-auth /etc/openvpn/ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
cipher AES-256-CBC
comp-lzo
;max-clients 100
user name_user
group name_group
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
;log /etc/openvpn/openvpn.log
;log-append /etc/openvpn/openvpn.log
verb 3
;mute 20
# Auth Digest
auth SHA512
# Limit Ciphers
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
Code:
[oconf=Client config]
client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto udp
;remote 192.168.x.xxx 1194
remote xxx.xx.xx.xxx 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
resolv-retry infinite
nobind
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
key-direction 1
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
# Authentication Digest
auth SHA512
# Cipher Restrictions
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
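The following is an added triage helper written for this thread; it is not code from the original post or from the OpenVPN project. It does two things a reader of the post would want to automate: it parses the server and client configs and checks that the server's proto/port agree with every client `remote` line (OpenVPN's comment rules for `;` and `#` are honoured, and a third argument on `remote` overrides `proto`), and it reduces client log lines to the two failure modes shown above. A TLS negotiation timeout on UDP means nothing at the remote port answered as OpenVPN (consistent with the external nmap showing 1194/udp closed, i.e. no port forward or a firewall drop), while "Bad encapsulated packet length from peer (15393)" on TCP/80 means the peer is not speaking OpenVPN's 2-byte length-prefixed TCP framing: 15393 is 0x3C21, which as ASCII is "<!", the start of an HTML document, so an HTTP server answered. The configs, log lines and the address 203.0.113.10 are constructed samples modelled on the post.

```python
import re

# --- constructed sample inputs, modelled on the post (203.0.113.10 is a documentation address) ---
SERVER_CFG = """\
;local a.b.c.d
port 1194
;proto tcp
proto udp
dev tun
key /etc/openvpn/server.key # This file should be kept secret
server 10.8.0.0 255.255.255.0
"""
CLIENT_CFG = """\
client
dev tun
;proto tcp
proto udp
;remote 192.168.1.20 1194
remote 203.0.113.10 1194
nobind
"""
UDP_LOG = """\
Thu Jan 18 00:26:31 2018 UDPv4 link local: [undef]
Thu Jan 18 00:26:31 2018 UDPv4 link remote: [AF_INET]203.0.113.10:1194
Thu Jan 18 00:27:31 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jan 18 00:27:31 2018 TLS Error: TLS handshake failed
""".splitlines()
TCP_LOG = """\
Thu Jan 18 00:33:36 2018 TCPv4_CLIENT link remote: [AF_INET]203.0.113.10:80
Thu Jan 18 00:33:36 2018 WARNING: Bad encapsulated packet length from peer (15393), which must be > 0 and <= 1604 -- [Attempting restart...]
Thu Jan 18 00:33:36 2018 Connection reset, restarting [0]
""".splitlines()


def parse_openvpn_config(text):
    """Active directives as {name: [args, ...]}; lines starting with ';' or '#' are comments, '#' also ends a line."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def normalize_proto(proto):
    """Map udp/udp4/udp6/tcp-client/tcp-server/... onto plain 'udp' or 'tcp'."""
    return "tcp" if proto.lower().startswith("tcp") else "udp"


def check_transport_match(server_cfg, client_cfg):
    """Compare the server's proto/port with every client 'remote' line; return a list of findings."""
    s = parse_openvpn_config(server_cfg)
    c = parse_openvpn_config(client_cfg)
    s_proto = normalize_proto(s.get("proto", [["udp"]])[0][0])
    s_port = s.get("port", [["1194"]])[0][0]
    c_proto = normalize_proto(c.get("proto", [["udp"]])[0][0])
    findings = []
    for remote in c.get("remote", []):
        host = remote[0]
        port = remote[1] if len(remote) > 1 else "1194"
        proto = normalize_proto(remote[2]) if len(remote) > 2 else c_proto  # 3rd arg overrides 'proto'
        if proto != s_proto:
            findings.append(f"proto mismatch: client uses {proto} to {host}, server listens on {s_proto}")
        if port != s_port:
            findings.append(f"port mismatch: client targets {host}:{port}, server listens on {s_port}")
    return findings


REMOTE_RX = re.compile(r"link remote: \[AF_INET6?\]([^\s:]+):(\d+)")
TLS_TIMEOUT_RX = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")
BAD_LENGTH_RX = re.compile(r"Bad encapsulated packet length from peer \((\d+)\)")


def classify_log(lines):
    """Reduce client log lines to the remote endpoint, the first failure mode seen, and a defender-side hint."""
    result = {"remote": None, "failure": None, "peer_bytes": None, "hint": None}
    for line in lines:
        m = REMOTE_RX.search(line)
        if m:
            result["remote"] = (m.group(1), int(m.group(2)))
            continue
        if result["failure"] is not None:
            continue
        if TLS_TIMEOUT_RX.search(line):
            result["failure"] = "tls-timeout"
            result["hint"] = ("no OpenVPN reply from the remote port within the timeout: "
                              "check the NAT port forward and the server-side firewall for that proto/port")
        m = BAD_LENGTH_RX.search(line)
        if m:
            # OpenVPN over TCP prefixes each packet with a 2-byte big-endian length; decode the bogus
            # prefix as ASCII to see what the peer actually sent (15393 = 0x3C21 = "<!", an HTML reply).
            result["peer_bytes"] = int(m.group(1)).to_bytes(2, "big").decode("latin-1")
            result["failure"] = "foreign-service"
            result["hint"] = (f"peer's first bytes {result['peer_bytes']!r} are not OpenVPN TCP framing: "
                              "another service (e.g. an HTTP server) is answering on that port")
    return result


if __name__ == "__main__":
    print("config findings:", check_transport_match(SERVER_CFG, CLIENT_CFG) or "none")
    for name, log in (("udp/1194", UDP_LOG), ("tcp/80", TCP_LOG)):
        print(name, classify_log(log))
```

Running it on the constructed inputs reports no config mismatch, classifies the UDP log as a TLS timeout pointing at port forwarding / firewalling, and classifies the TCP/80 log as a foreign service whose first bytes are "<!". Pointing the script at real `server.conf`, `client.ovpn` and client log files is a matter of reading them into the three variables.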