[Resolved] VPN via local net ok, unable to connect via internet, ideas welcome

ramoun
OpenVpn Newbie
Posts: 4
Joined: Thu May 24, 2018 11:28 pm

[Resolved] VPN via local net ok, unable to connect via internet, ideas welcome

Post by ramoun » Fri May 25, 2018 12:29 am

Hi,

Apologies, I'm sure this is an all too common question. I've googled it to death and read the docs many times but have had no luck.

I've loaded OpenVPN on an RPI using the pivpn install. It works: I can connect to it through the local network with a Win7 client using OpenVPN GUI. I tested both TCP and UDP, with changes to the client and server configs. Both protocols work OK via the local network.

But I'm unable to connect to it from the net.

I have a port forward rule on the router for 1194. I'm using TCP, as the open port checker shows it is available (which also gives some confidence); I could not see the port open using UDP.

In openvpn.log I can see the port checker connecting etc., but nothing from the client!

I've included the server config and client output below in case there is a well-tuned eye.

Any ideas or pointers, other ways to test would be very welcome.

CLIENT OUTPUT
==========
Fri May 25 10:10:35 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Fri May 25 10:10:35 2018 Windows version 6.1 (Windows 7) 64bit
Fri May 25 10:10:35 2018 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Fri May 25 10:10:35 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Fri May 25 10:10:35 2018 Need hold release from management interface, waiting...
Fri May 25 10:10:35 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Fri May 25 10:10:35 2018 MANAGEMENT: CMD 'state on'
Fri May 25 10:10:35 2018 MANAGEMENT: CMD 'log all on'
Fri May 25 10:10:35 2018 MANAGEMENT: CMD 'echo all on'
Fri May 25 10:10:35 2018 MANAGEMENT: CMD 'bytecount 5'
Fri May 25 10:10:35 2018 MANAGEMENT: CMD 'hold off'
Fri May 25 10:10:35 2018 MANAGEMENT: CMD 'hold release'
Fri May 25 10:10:35 2018 MANAGEMENT: CMD 'password [...]'
Fri May 25 10:10:35 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri May 25 10:10:35 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri May 25 10:10:35 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri May 25 10:10:35 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Fri May 25 10:10:35 2018 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri May 25 10:10:35 2018 Attempting to establish TCP connection with [AF_INET]x.x.x.x:1194 [nonblock]
Fri May 25 10:10:35 2018 MANAGEMENT: >STATE:1527207035,TCP_CONNECT,,,,,,
Fri May 25 10:12:35 2018 TCP: connect to [AF_INET]x.x.x.x:1194 failed: Unknown error
Fri May 25 10:12:35 2018 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Fri May 25 10:12:35 2018 MANAGEMENT: >STATE:1527207155,RECONNECTING,init_instance,,,,,
Fri May 25 10:12:35 2018 Restart pause, 5 second(s)
Fri May 25 10:12:40 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Fri May 25 10:12:40 2018 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri May 25 10:12:40 2018 Attempting to establish TCP connection with [AF_INET]x.x.x.x:1194 [nonblock]
Fri May 25 10:12:40 2018 MANAGEMENT: >STATE:1527207160,TCP_CONNECT,,,,,,


SERVER CONFIG
==============
dev tun
proto tcp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_3vIdOYrZcIIyut1C.crt
key /etc/openvpn/easy-rsa/pki/private/server_3vIdOYrZcIIyut1C.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 10 120
remote-cert-tls client
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io

TinCanTech
OpenVPN Protagonist
Posts: 4421
Joined: Fri Jun 03, 2016 1:17 pm

Re: VPN via local net ok, unable to connect via internet, ideas welcome

Post by TinCanTech » Fri May 25, 2018 1:09 am

ramoun wrote:
Fri May 25, 2018 12:29 am
ideas welcome
Please see:
HOWTO: Request Help !

ramoun
OpenVpn Newbie
Posts: 4
Joined: Thu May 24, 2018 11:28 pm

Re: VPN via local net ok, unable to connect via internet, ideas welcome

Post by ramoun » Fri May 25, 2018 11:01 am

Thanks for the pointer ;-) shall do.

ramoun
OpenVpn Newbie
Posts: 4
Joined: Thu May 24, 2018 11:28 pm

Re: VPN via local net ok, unable to connect via internet, ideas welcome

Post by ramoun » Fri May 25, 2018 12:37 pm

Extra info.

Hi, I've spent a day or so testing and searching the web but have not been able to find anything to solve the net connection issue. Ideas and suggestions would be very welcome.

I'm wondering if it's the router or the ISP (the ISP, OPTUS, say they don't block ports or shape).

Recap

Client is Win7 SP1 64bit, running OpenVPN GUI V11.10.0.0
Server is RPI3 running Linux 4.14.34-v7+ (stretch), and OPENVPN 2.4.0-6+deb9u2

Client (W7SP1 64) and server connect ok on local network.
Once I use an external IP (client config adjusted) no connection
Router has rule for 1194, port checker indicates port open


SERVER CONFIG

dev tun
proto tcp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_3vIdOYrZcIIyut1C.crt
key /etc/openvpn/easy-rsa/pki/private/server_3vIdOYrZcIIyut1C.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "block-outside-dns"
push "redirect-gateway def1"
client-to-client
keepalive 10 120
remote-cert-tls client
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3


Fri May 25 22:14:49 2018   ifconfig_pool_persist_refresh_freq = 600
Fri May 25 22:14:49 2018   ifconfig_ipv6_pool_defined = DISABLED
Fri May 25 22:14:49 2018   ifconfig_ipv6_pool_base = ::
Fri May 25 22:14:49 2018   ifconfig_ipv6_pool_netbits = 0
Fri May 25 22:14:49 2018   n_bcast_buf = 256
Fri May 25 22:14:49 2018   tcp_queue_limit = 64
Fri May 25 22:14:49 2018   real_hash_size = 256
Fri May 25 22:14:49 2018   virtual_hash_size = 256
Fri May 25 22:14:49 2018   client_connect_script = '[UNDEF]'
Fri May 25 22:14:49 2018   learn_address_script = '[UNDEF]'
Fri May 25 22:14:49 2018   client_disconnect_script = '[UNDEF]'
Fri May 25 22:14:49 2018   client_config_dir = '[UNDEF]'
Fri May 25 22:14:49 2018   ccd_exclusive = DISABLED
Fri May 25 22:14:49 2018   tmp_dir = 'C:\Users\steve\AppData\Local\Temp\'
Fri May 25 22:14:49 2018   push_ifconfig_defined = DISABLED
Fri May 25 22:14:49 2018   push_ifconfig_local = 0.0.0.0
Fri May 25 22:14:49 2018   push_ifconfig_remote_netmask = 0.0.0.0
Fri May 25 22:14:49 2018   push_ifconfig_ipv6_defined = DISABLED
Fri May 25 22:14:49 2018   push_ifconfig_ipv6_local = ::/0
Fri May 25 22:14:49 2018   push_ifconfig_ipv6_remote = ::
Fri May 25 22:14:49 2018   enable_c2c = DISABLED
Fri May 25 22:14:49 2018   duplicate_cn = DISABLED
Fri May 25 22:14:49 2018   cf_max = 0
Fri May 25 22:14:49 2018   cf_per = 0
Fri May 25 22:14:49 2018   max_clients = 1024
Fri May 25 22:14:49 2018   max_routes_per_client = 256
Fri May 25 22:14:49 2018   auth_user_pass_verify_script = '[UNDEF]'
Fri May 25 22:14:49 2018   auth_user_pass_verify_script_via_file = DISABLED
Fri May 25 22:14:49 2018   auth_token_generate = DISABLED
Fri May 25 22:14:49 2018   auth_token_lifetime = 0
Fri May 25 22:14:49 2018   client = ENABLED
Fri May 25 22:14:49 2018   pull = ENABLED
Fri May 25 22:14:49 2018   auth_user_pass_file = '[UNDEF]'
Fri May 25 22:14:49 2018   show_net_up = DISABLED
Fri May 25 22:14:49 2018   route_method = 3
Fri May 25 22:14:49 2018   block_outside_dns = DISABLED
Fri May 25 22:14:49 2018   ip_win32_defined = DISABLED
Fri May 25 22:14:49 2018   ip_win32_type = 3
Fri May 25 22:14:49 2018   dhcp_masq_offset = 0
Fri May 25 22:14:49 2018   dhcp_lease_time = 31536000
Fri May 25 22:14:49 2018   tap_sleep = 0
Fri May 25 22:14:49 2018   dhcp_options = DISABLED
Fri May 25 22:14:49 2018   dhcp_renew = DISABLED
Fri May 25 22:14:49 2018   dhcp_pre_release = DISABLED
Fri May 25 22:14:49 2018   domain = '[UNDEF]'
Fri May 25 22:14:49 2018   netbios_scope = '[UNDEF]'
Fri May 25 22:14:49 2018   netbios_node_type = 0
Fri May 25 22:14:49 2018   disable_nbt = DISABLED
Fri May 25 22:14:49 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Fri May 25 22:14:49 2018 Windows version 6.1 (Windows 7) 64bit
Fri May 25 22:14:49 2018 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Fri May 25 22:14:49 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Fri May 25 22:14:49 2018 Need hold release from management interface, waiting...
Fri May 25 22:14:49 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Fri May 25 22:14:49 2018 MANAGEMENT: CMD 'state on'
Fri May 25 22:14:49 2018 MANAGEMENT: CMD 'log all on'
Fri May 25 22:14:49 2018 MANAGEMENT: CMD 'echo all on'
Fri May 25 22:14:49 2018 MANAGEMENT: CMD 'bytecount 5'
Fri May 25 22:14:49 2018 MANAGEMENT: CMD 'hold off'
Fri May 25 22:14:49 2018 MANAGEMENT: CMD 'hold release'
Fri May 25 22:14:49 2018 MANAGEMENT: CMD 'password [...]'
Fri May 25 22:14:49 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri May 25 22:14:49 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri May 25 22:14:49 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri May 25 22:14:49 2018 LZO compression initializing
Fri May 25 22:14:49 2018 Control Channel MTU parms [ L:1624 D:1170 EF:80 EB:0 ET:0 EL:3 ]
Fri May 25 22:14:49 2018 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Fri May 25 22:14:49 2018 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Fri May 25 22:14:49 2018 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Fri May 25 22:14:49 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Fri May 25 22:14:49 2018 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri May 25 22:14:49 2018 Attempting to establish TCP connection with [AF_INET]x.x.x.x:1194 [nonblock]
Fri May 25 22:14:49 2018 MANAGEMENT: >STATE:1527250489,TCP_CONNECT,,,,,,

TinCanTech
OpenVPN Protagonist
Posts: 4421
Joined: Fri Jun 03, 2016 1:17 pm

Re: VPN via local net ok, unable to connect via internet, ideas welcome

Post by TinCanTech » Fri May 25, 2018 1:40 pm

ramoun wrote:
Fri May 25, 2018 12:37 pm
Client (W7SP1 64) and server connect ok on local network.
Once I use an external IP (client config adjusted) no connection
Go out to a cafe with wifi and try from there ..

Some routers will not allow you to connect from the LAN to the WAN IP.
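Added example, not part of the original posts: a small triage of the client log posted earlier in the thread, showing that the session never got past `TCP_CONNECT` and that the connect attempt waited two minutes before failing, which points at the network path (port forward, filtering, or the router's LAN-to-WAN behaviour described above) rather than at keys or certificates. The state names are OpenVPN management-interface states; the `triage` function, the 60-second threshold and the verdict strings are assumptions made for this illustration.

```python
import re
from datetime import datetime

# Constructed sample: lines copied from the client output posted in this thread.
SAMPLE = """\
Fri May 25 10:10:35 2018 Attempting to establish TCP connection with [AF_INET]x.x.x.x:1194 [nonblock]
Fri May 25 10:10:35 2018 MANAGEMENT: >STATE:1527207035,TCP_CONNECT,,,,,,
Fri May 25 10:12:35 2018 TCP: connect to [AF_INET]x.x.x.x:1194 failed: Unknown error
Fri May 25 10:12:35 2018 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Fri May 25 10:12:35 2018 MANAGEMENT: >STATE:1527207155,RECONNECTING,init_instance,,,,,
"""

LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (.*)$")
STATE = re.compile(r">STATE:\d+,([A-Z_]+),")
# Progress order of management-interface states on a client.
ORDER = ["RESOLVE", "TCP_CONNECT", "WAIT", "AUTH", "GET_CONFIG",
         "ASSIGN_IP", "ADD_ROUTES", "CONNECTED"]

def triage(log_text):
    furthest, started, waits = -1, None, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a timestamped OpenVPN log line
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        s = STATE.search(msg)
        if s and s.group(1) in ORDER:
            furthest = max(furthest, ORDER.index(s.group(1)))
        if msg.startswith("Attempting to establish TCP connection"):
            started = ts
        elif msg.startswith("TCP: connect to") and "failed" in msg and started:
            waits.append(int((ts - started).total_seconds()))
            started = None
    stage = ORDER[furthest] if furthest >= 0 else None
    if stage == "CONNECTED":
        verdict = "tunnel established"
    elif stage in (None, "RESOLVE", "TCP_CONNECT"):
        # No TLS packet was exchanged, so keys, certs and ciphers are not the cause.
        if not waits:
            verdict = "transport: no connect result logged yet"
        elif min(waits) >= 60:  # assumed threshold: long wait means no reply at all
            verdict = "transport: no answer (filtered port or NAT loopback)"
        else:
            verdict = "transport: connect failed quickly (refused or unreachable)"
    else:
        verdict = "reached server; inspect TLS/auth/config stage"
    return {"stage": stage, "connect_waits": waits, "verdict": verdict}
```
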

ramoun
OpenVpn Newbie
Posts: 4
Joined: Thu May 24, 2018 11:28 pm

Re: VPN via local net ok, unable to connect via internet, ideas welcome

Post by ramoun » Fri May 25, 2018 10:59 pm

Thanks, that was it.
For anyone else that reads the thread, the router was a D-Link DSL-2870b.

TinCanTech
OpenVPN Protagonist
Posts: 4421
Joined: Fri Jun 03, 2016 1:17 pm

Re: VPN via local net ok, unable to connect via internet, ideas welcome

Post by TinCanTech » Fri May 25, 2018 11:11 pm

Thanks for letting us know 8-)
