connections good on lan but not wan

eelstrebor
OpenVPN User
Posts: 11
Joined: Thu Dec 28, 2017 1:31 am

connections good on lan but not wan

Post by eelstrebor » Wed Oct 17, 2018 4:37 pm

I had a working server prior to changing out a router but replaced the router with the same make/model and installed dd-wrt on the new router (the old router had dd-wrt also). Using a Samsung Galaxy S7 with OpenVPN Connect to test. Configs look the same as before, port forwarding on the router looks good, a port scan from the WAN shows open|filtered for UDP for that port, logs show an attempted connection from the WAN but TLS negotiation fails. The client ovpn files seem to be OK and match ciphers, etc - the ovpn must be correct since connections on the LAN side are good? I have 2 remote settings in the ovpn file (just like in the past), 1 for the LAN IP and one for the domain name (for the WAN side). It is my understanding that this is acceptable and it has worked in the past. Anyway, I remarked out the remote setting for the LAN for testing and was able to connect from the LAN using the DN as the remote server setting, but when I turned off the wifi on the phone and used the cell data, I could not connect.

From client ovpn:
client
dev tun
proto udp
remote <LAN IP> <PORT>
remote someplace.com <PORT>
nobind
user nobody
group nogroup
persist-key
persist-tun
cipher ###
auth ###
verb 5

WAN connection attempt result:
20181017 10:21:32 N 174.217.22.243:3644 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20181017 10:21:32 N 174.217.22.243:3644 TLS Error: TLS handshake failed
20181017 10:21:32 174.217.22.243:3644 SIGUSR1[soft tls-error] received client-instance restarting
20181017 10:21:32 MULTI: multi_create_instance called
20181017 10:21:32 174.217.22.243:3629 Re-using SSL/TLS context
20181017 10:21:32 174.217.22.243:3629 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
20181017 10:21:32 174.217.22.243:3629 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
20181017 10:21:32 174.217.22.243:3629 Local Options String (VER=V4): 'V4 dev-type tun link-mtu 1601 tun-mtu 1500 proto UDPv4 cipher ### auth ### keysize ### key-method 2 tls-server'
20181017 10:21:32 174.217.22.243:3629 Expected Remote Options String (VER=V4): 'V4 dev-type tun link-mtu 1601 tun-mtu 1500 proto UDPv4 cipher ### auth ### keysize ### key-method 2 tls-client'
20181017 10:21:32 174.217.22.243:3629 TLS: Initial packet from [AF_INET]174.217.22.243:3629 sid=b9dfc3b7 c00d3585
20181017 10:21:42 N 174.217.22.243:3625 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20181017 10:21:42 N 174.217.22.243:3625 TLS Error: TLS handshake failed
20181017 10:21:42 174.217.22.243:3625 SIGUSR1[soft tls-error] received client-instance restarting

TinCanTech
OpenVPN Protagonist
Posts: 5021
Joined: Fri Jun 03, 2016 1:17 pm

Re: connections good on lan but not wan

Post by TinCanTech » Wed Oct 17, 2018 4:47 pm


eelstrebor
OpenVPN User
Posts: 11
Joined: Thu Dec 28, 2017 1:31 am

Re: connections good on lan but not wan

Post by eelstrebor » Fri Oct 19, 2018 4:14 pm

I edited this since I noticed that another client on the LAN side was connected during testing.

Router openvpn server log time stamp is UTC while client log is local time stamp.

root@router:~# uname -a
Linux router 4.9.133 #504 SMP PREEMPT Mon Oct 15 17:40:08 CEST 2018 armv7l DD-WRT
root@router:~# ifconfig
ath0 Link encap:Ethernet HWaddr 60:38:E0:BE:6A:12
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:51252 errors:0 dropped:0 overruns:0 frame:0
TX packets:105359 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11521782 (10.9 MiB) TX bytes:98464563 (93.9 MiB)

ath0.sta1 Link encap:Ethernet HWaddr 60:38:E0:BE:6A:12
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1955370 errors:0 dropped:0 overruns:0 frame:0
TX packets:4870496 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:288190623 (274.8 MiB) TX bytes:6707305385 (6.2 GiB)

ath0.sta2 Link encap:Ethernet HWaddr 60:38:E0:BE:6A:12
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:173270 errors:0 dropped:0 overruns:0 frame:0
TX packets:197677 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:46560920 (44.4 MiB) TX bytes:29505325 (28.1 MiB)

ath0.sta3 Link encap:Ethernet HWaddr 60:38:E0:BE:6A:12
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5076 errors:0 dropped:0 overruns:0 frame:0
TX packets:36768 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:307367 (300.1 KiB) TX bytes:55000272 (52.4 MiB)

ath1 Link encap:Ethernet HWaddr 60:38:E0:BE:6A:13
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13071 errors:0 dropped:0 overruns:0 frame:0
TX packets:36775 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3165211 (3.0 MiB) TX bytes:6299688 (6.0 MiB)

br0 Link encap:Ethernet HWaddr 60:38:E0:BE:6A:11 #LAN
inet addr:x.x.x.x Bcast:x.x.x.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3663913 errors:0 dropped:1317 overruns:0 frame:0
TX packets:3603910 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:331239230 (315.8 MiB) TX bytes:14781843750 (13.7 GiB)

br0:0 Link encap:Ethernet HWaddr 60:38:E0:BE:6A:11
inet addr:169.254.255.1 Bcast:169.254.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0 Link encap:Ethernet HWaddr 60:38:E0:BE:6A:11 #WAN
inet addr:x.x.x.x Bcast:x.x.x.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10812723 errors:0 dropped:22082 overruns:0 frame:0
TX packets:3633295 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:532
RX bytes:15254249191 (14.2 GiB) TX bytes:375291140 (357.9 MiB)
Interrupt:36

eth1 Link encap:Ethernet HWaddr 60:38:E0:BE:6A:11
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2135783 errors:0 dropped:0 overruns:0 frame:0
TX packets:1463943 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:532
RX bytes:170958836 (163.0 MiB) TX bytes:8323332776 (7.7 GiB)
Interrupt:37

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:65536 Metric:1
RX packets:481 errors:0 dropped:0 overruns:0 frame:0
TX packets:481 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:85249 (83.2 KiB) TX bytes:85249 (83.2 KiB)

tun2 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:x.x.x.x P-t-P:x.x.x.x Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:2547 (2.4 KiB)

server config: (Linksys WRT3200ACM router running dd-wrt Firmware 37405)

dh /tmp/mnt/sda3/dh.pem
ca /tmp/mnt/sda3/ca.crt
cert /tmp/mnt/sda3/cert.pem
key /tmp/mnt/sda3/key.pem
keepalive 10 120
verb 5
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1197
proto udp4
cipher aes-256-cbc
auth sha512
client-connect /tmp/mnt/sda3/clcon.sh
client-disconnect /tmp/mnt/sda3/cldiscon.sh
client-config-dir /tmp/mnt/sda3/ccd
ifconfig-pool-persist /tmp/mnt/sda3/ip-pool 86400
client-to-client
push "redirect-gateway def1"
fast-io
tun-mtu 1500
mtu-disc yes
server x.x.x.x 255.255.255.0
dev tun2
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"

server log:

Oct 19 18:14:20 router daemon.notice openvpn[13982]: MULTI: multi_create_instance called
Oct 19 18:14:20 router daemon.notice openvpn[13982]: 174.217.39.152:6180 Re-using SSL/TLS context
Oct 19 18:14:20 router daemon.notice openvpn[13982]: 174.217.39.152:6180 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Oct 19 18:14:20 router daemon.notice openvpn[13982]: 174.217.39.152:6180 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Oct 19 18:14:20 router daemon.notice openvpn[13982]: 174.217.39.152:6180 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Oct 19 18:14:20 router daemon.notice openvpn[13982]: 174.217.39.152:6180 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Oct 19 18:14:20 router daemon.notice openvpn[13982]: 174.217.39.152:6180 TLS: Initial packet from [AF_INET]174.217.39.152:6180, sid=53617e86 706ab6df
Oct 19 18:14:30 router daemon.notice openvpn[13982]: MULTI: multi_create_instance called
Oct 19 18:14:30 router daemon.notice openvpn[13982]: 174.217.39.152:6194 Re-using SSL/TLS context
Oct 19 18:14:30 router daemon.notice openvpn[13982]: 174.217.39.152:6194 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Oct 19 18:14:30 router daemon.notice openvpn[13982]: 174.217.39.152:6194 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Oct 19 18:14:30 router daemon.notice openvpn[13982]: 174.217.39.152:6194 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Oct 19 18:14:30 router daemon.notice openvpn[13982]: 174.217.39.152:6194 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Oct 19 18:14:30 router daemon.notice openvpn[13982]: 174.217.39.152:6194 TLS: Initial packet from [AF_INET]174.217.39.152:6194, sid=fd4f5105 915779ff
Oct 19 18:14:40 router daemon.notice openvpn[13982]: MULTI: multi_create_instance called
Oct 19 18:14:40 router daemon.notice openvpn[13982]: 174.217.39.152:6200 Re-using SSL/TLS context
Oct 19 18:14:40 router daemon.notice openvpn[13982]: 174.217.39.152:6200 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Oct 19 18:14:40 router daemon.notice openvpn[13982]: 174.217.39.152:6200 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Oct 19 18:14:40 router daemon.notice openvpn[13982]: 174.217.39.152:6200 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Oct 19 18:14:40 router daemon.notice openvpn[13982]: 174.217.39.152:6200 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Oct 19 18:14:40 router daemon.notice openvpn[13982]: 174.217.39.152:6200 TLS: Initial packet from [AF_INET]174.217.39.152:6200, sid=4e561c45 da397450
Oct 19 18:14:50 router daemon.notice openvpn[13982]: MULTI: multi_create_instance called
Oct 19 18:14:50 router daemon.notice openvpn[13982]: 174.217.39.152:6176 Re-using SSL/TLS context
Oct 19 18:14:50 router daemon.notice openvpn[13982]: 174.217.39.152:6176 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Oct 19 18:14:50 router daemon.notice openvpn[13982]: 174.217.39.152:6176 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Oct 19 18:14:50 router daemon.notice openvpn[13982]: 174.217.39.152:6176 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Oct 19 18:14:50 router daemon.notice openvpn[13982]: 174.217.39.152:6176 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Oct 19 18:14:50 router daemon.notice openvpn[13982]: 174.217.39.152:6176 TLS: Initial packet from [AF_INET]174.217.39.152:6176, sid=185773e4 b01c9a48
Oct 19 18:15:00 router daemon.notice openvpn[13982]: MULTI: multi_create_instance called
Oct 19 18:15:00 router daemon.notice openvpn[13982]: 174.217.39.152:6201 Re-using SSL/TLS context
Oct 19 18:15:00 router daemon.notice openvpn[13982]: 174.217.39.152:6201 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Oct 19 18:15:00 router daemon.notice openvpn[13982]: 174.217.39.152:6201 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Oct 19 18:15:00 router daemon.notice openvpn[13982]: 174.217.39.152:6201 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Oct 19 18:15:00 router daemon.notice openvpn[13982]: 174.217.39.152:6201 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Oct 19 18:15:00 router daemon.notice openvpn[13982]: 174.217.39.152:6201 TLS: Initial packet from [AF_INET]174.217.39.152:6201, sid=c1b2fa35 a7a63800

client config: (Samsung Galaxy S7 running OpenVPN Connect)

client
dev tun
proto udp4
remote somewhere.com 1197
nobind
user nobody
group nogroup
persist-key
persist-tun
cipher AES-256-CBC
auth sha512
verb 5
<ca>

</ca>
<key>

</key>
<cert>

</cert>

client log:

12:14:18.874 -- ----- OpenVPN Start -----

12:14:18.880 -- EVENT: CORE_THREAD_ACTIVE

12:14:18.928 -- Frame=512/2048/512 mssfix-ctrl=1250

12:14:18.929 -- UNUSED OPTIONS
4 [nobind]
5 [user] [nobody]
6 [group] [nogroup]
7 [persist-key]
8 [persist-tun]
11 [verb] [5]


12:14:18.930 -- EVENT: RESOLVE

12:14:19.229 -- Contacting x.x.x.x:1197 via UDP

12:14:19.230 -- EVENT: WAIT

12:14:19.260 -- Connecting to [somewhere.com]:1197 (x.x.x.x) via UDPv4

12:14:28.883 -- Server poll timeout, trying next remote entry...

12:14:28.884 -- EVENT: RECONNECTING

12:14:28.894 -- EVENT: RESOLVE

12:14:28.904 -- Contacting x.x.x.x:1197 via UDP

12:14:28.905 -- EVENT: WAIT

12:14:28.953 -- Connecting to [somewhere.com]:1197 (x.x.x.x) via UDPv4

12:14:38.890 -- Server poll timeout, trying next remote entry...

12:14:38.892 -- EVENT: RECONNECTING

12:14:38.910 -- EVENT: RESOLVE

12:14:38.927 -- Contacting x.x.x.x:1197 via UDP

12:14:38.929 -- EVENT: WAIT

12:14:38.961 -- Connecting to [somewhere.com]:1197 (x.x.x.x) via UDPv4

12:14:48.898 -- Server poll timeout, trying next remote entry...

12:14:48.901 -- EVENT: RECONNECTING

12:14:48.915 -- EVENT: RESOLVE

12:14:48.931 -- Contacting x.x.x.x:1197 via UDP

12:14:48.932 -- EVENT: WAIT

12:14:48.945 -- Connecting to [somewhere.com]:1197 (x.x.x.x) via UDPv4

12:14:58.902 -- Server poll timeout, trying next remote entry...

12:14:58.905 -- EVENT: RECONNECTING

12:14:58.918 -- EVENT: RESOLVE

12:14:58.951 -- Contacting x.x.x.x:1197 via UDP

12:14:58.952 -- EVENT: WAIT

12:14:58.977 -- Connecting to [somewhere.com]:1197 (x.x.x.x) via UDPv4

12:15:00.791 -- EVENT: DISCONNECTED

12:15:00.798 -- EVENT: CORE_THREAD_INACTIVE

12:15:00.799 -- Tunnel bytes per CPU second: 0

12:15:00.800 -- ----- OpenVPN Stop -----
Last edited by eelstrebor on Fri Oct 19, 2018 6:23 pm, edited 1 time in total.
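The two logs above tell a consistent story when read side by side: the server records "TLS: Initial packet from" for every attempt and then times out after its 60-second negotiation window, while the client gives up on each remote after roughly 10 seconds and never sees a reply. The script below is an added diagnostic example written for this thread; it is not code from the posters or from the OpenVPN project. It parses syslog-style OpenVPN server lines and OpenVPN 3 client lines of the form "HH:MM:SS.fff -- message", groups server events per client ip:port, and classifies each attempt: an initial packet followed by "TLS handshake failed" means inbound delivery (the port forward) worked and the fault lies on the reply path or in the client giving up first. The sample log text, addresses and session ids are constructed for the example.

```python
"""Triage OpenVPN handshake failures from server and client logs (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ openvpn\[\d+\]: (?P<msg>.*)$"
)
ENDPOINT_RE = re.compile(r"^(?P<ep>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<rest>.*)$")
CLIENT_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) -- (?P<msg>.*)$")

# Constructed sample, modelled on the thread's logs (addresses/sids are made up).
SAMPLE_SERVER_LOG = """\
Oct 19 18:14:20 router daemon.notice openvpn[13982]: MULTI: multi_create_instance called
Oct 19 18:14:20 router daemon.notice openvpn[13982]: 203.0.113.10:6180 Re-using SSL/TLS context
Oct 19 18:14:20 router daemon.notice openvpn[13982]: 203.0.113.10:6180 TLS: Initial packet from [AF_INET]203.0.113.10:6180, sid=00000000 00000001
Oct 19 18:15:20 router daemon.notice openvpn[13982]: 203.0.113.10:6180 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct 19 18:15:20 router daemon.notice openvpn[13982]: 203.0.113.10:6180 TLS Error: TLS handshake failed
Oct 19 18:15:20 router daemon.notice openvpn[13982]: 203.0.113.10:6180 SIGUSR1[soft tls-error] received, client-instance restarting
Oct 19 18:16:02 router daemon.notice openvpn[13982]: 192.168.1.50:51234 TLS: Initial packet from [AF_INET]192.168.1.50:51234, sid=00000000 00000002
Oct 19 18:16:03 router daemon.notice openvpn[13982]: 192.168.1.50:51234 [laptop] Peer Connection Initiated with [AF_INET]192.168.1.50:51234
"""

SAMPLE_CLIENT_LOG = """\
12:14:19.260 -- Connecting to [vpn.example.net]:1197 (198.51.100.7) via UDPv4
12:14:28.883 -- Server poll timeout, trying next remote entry...
12:14:28.953 -- Connecting to [vpn.example.net]:1197 (198.51.100.7) via UDPv4
12:14:38.890 -- Server poll timeout, trying next remote entry...
"""


@dataclass
class Attempt:
    endpoint: str
    first_seen: datetime
    last_seen: datetime
    initial_packet: bool = False    # server received the client's first TLS packet
    handshake_failed: bool = False  # server gave up waiting for the client's reply
    connected: bool = False         # TLS completed ("Peer Connection Initiated")


def parse_server_log(text: str) -> Dict[str, Attempt]:
    """Group per-client server lines by ip:port and record handshake milestones."""
    attempts: Dict[str, Attempt] = {}
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        em = ENDPOINT_RE.match(m.group("msg"))
        if not em:
            continue  # lines such as "MULTI: multi_create_instance called" carry no endpoint
        ep, rest = em.group("ep"), em.group("rest")
        a = attempts.setdefault(ep, Attempt(ep, ts, ts))
        a.last_seen = ts
        if "TLS: Initial packet from" in rest:
            a.initial_packet = True
        if "TLS handshake failed" in rest:
            a.handshake_failed = True
        if "Peer Connection Initiated" in rest:
            a.connected = True
    return attempts


def classify(a: Attempt) -> str:
    """Reduce one attempt to a verdict the operator can act on."""
    if a.connected:
        return "CONNECTED"
    if a.initial_packet and a.handshake_failed:
        # Inbound delivery worked (the port forward is fine); the client never
        # answered the server's reply, so suspect the return path, NAT state,
        # or a client that gave up before the server's 60 s window expired.
        return "REPLY_PATH_SUSPECT"
    if a.initial_packet:
        return "PENDING"
    return "UNKNOWN"


def summarize(attempts: Dict[str, Attempt]) -> List[str]:
    """One line per client endpoint with the verdict and elapsed seconds."""
    out = []
    for a in attempts.values():
        elapsed = int((a.last_seen - a.first_seen).total_seconds())
        out.append(f"{a.endpoint}: {classify(a)} after {elapsed}s")
    return out


def estimate_client_poll_timeout(text: str) -> Optional[float]:
    """Average seconds between 'Connecting to' and the next 'Server poll timeout'."""
    gaps, start = [], None
    for line in text.splitlines():
        m = CLIENT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
        msg = m.group("msg")
        if msg.startswith("Connecting to"):
            start = ts
        elif msg.startswith("Server poll timeout") and start is not None:
            gaps.append((ts - start).total_seconds())
            start = None
    return sum(gaps) / len(gaps) if gaps else None


if __name__ == "__main__":
    for verdict in summarize(parse_server_log(SAMPLE_SERVER_LOG)):
        print(verdict)
    print("client poll timeout ~", estimate_client_poll_timeout(SAMPLE_CLIENT_LOG), "s")
```

Feed it the real syslog and client log instead of the constructed samples to get the same two numbers the thread arrives at by hand: a server-side window of 60 seconds against a client that moves to the next remote after about 10, so the two sides never overlap when the server's replies are being dropped.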

TinCanTech
OpenVPN Protagonist
Posts: 5021
Joined: Fri Jun 03, 2016 1:17 pm

Re: connections good on lan but not wan

Post by TinCanTech » Fri Oct 19, 2018 4:58 pm

Your client is only waiting for ~10 seconds to connect; this is, evidently, not long enough.

I have no idea how you have managed to do that ..

eelstrebor
OpenVPN User
Posts: 11
Joined: Thu Dec 28, 2017 1:31 am

Re: connections good on lan but not wan

Post by eelstrebor » Fri Oct 19, 2018 7:22 pm

None of my clients are connecting from the WAN side. Some are smartphones running OpenVPN Connect while others are laptops configured with NetworkManager (Ubuntu 18.04.1 - Bionic).

Android OpenVPN Connect version 3.0.5

Ubuntu OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2018
library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08)

DD-WRT OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 16 2018
library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.09

eelstrebor
OpenVPN User
Posts: 11
Joined: Thu Dec 28, 2017 1:31 am

Re: connections good on lan but not wan

Post by eelstrebor » Fri Oct 19, 2018 8:11 pm

Interesting, I changed from udp to tcp and now it works on both the lan and the wan. I don't understand why since udp worked fine in the past and it makes me wonder why udp worked ok on the lan but not the wan. Not only that, I had port forwarding set for udp only and then I turned off the port forward and all devices still connected! Either my knowledge of networking is woefully inadequate or maybe there's a bug in the dd-wrt firmware. For now, I'm satisfied with the results. I'm changing the port since it wasn't my ultimate setup anyway.

doman
OpenVPN User
Posts: 13
Joined: Mon Mar 20, 2017 2:51 pm

Re: connections good on lan but not wan

Post by doman » Fri Oct 26, 2018 9:43 am

LoL, I have very similar problems with TAP and bridge mode ...
viewtopic.php?f=6&t=27253

... but I didn't consider switching to TCP. This is the first thing I'll try when I return home.

doman
OpenVPN User
Posts: 13
Joined: Mon Mar 20, 2017 2:51 pm

Re: connections good on lan but not wan

Post by doman » Fri Oct 26, 2018 4:34 pm

Ohhhh yeaaaah! It's alive!!! Finally after all these days it works on TCP. Thanks eelstrebor so much!

But I'm still wondering why on the LAN side it works with UDP, but on the WAN only with TCP? Both my routers have port redirection set to ALL/BOTH so they pass TCP and UDP. My ISP also claims that it doesn't block either of them.

eelstrebor
OpenVPN User
Posts: 11
Joined: Thu Dec 28, 2017 1:31 am

Re: connections good on lan but not wan

Post by eelstrebor » Fri Oct 26, 2018 8:48 pm

doman wrote (Fri Oct 26, 2018 4:34 pm):
Ohhhh yeaaaah! It's alive!!! Finally after all these days it works on TCP. Thanks eelstrebor so much!

You're welcome.

doman wrote:
But I'm still wondering why on the LAN side it works with UDP, but on the WAN only with TCP? Both my routers have port redirection set to ALL/BOTH so they pass TCP and UDP. My ISP also claims that it doesn't block either of them.

Same here.
