Client gets error when accessing the access server

Business solution to host your own OpenVPN server with web management interface and bundled clients.
xMRi
OpenVpn Newbie
Posts: 7
Joined: Tue Aug 02, 2022 12:38 pm

Client gets error when accessing the access server

Post by xMRi » Fri Aug 05, 2022 7:22 am

Overview:
------------
The goal is to replace our current VPN installation using PPTP with Windows.

So what we want to do is the same as we are doing with Windows VPN and PPTP:
Users should access our company network (192.168.16.x/24) as if they were connected via a LAN cable. VPN Users should get an IP in the range of 192.168.16.64 to 192.168.16.80

That's the status quo. Solved with Windows RRAS!

So this is the situation I installed:
- Router is reachable from extern via vpn.example.de (static IP).
- Open VPN Access Server has a NIC to the Router (IP 192.168.2.12)
- Router forwards required ports to VPN Access Server (Port 1194)
- Open VPN Access Server has a second NIC to the internal company network (IP 192.168.16.211)
- Open VPN Access Server is member of the current local network 192.168.16.211/24

In detail:
------------------
I installed the Access Server in a Hyper-V environment.

Attached two NICs
Internal 192.168.16.211/24, Gateway 192.168.16.205. DNS 192.168.16.201
Internet Router 192.168.2.12/24

The netplan file looks like this:

Code:

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: no
      addresses: [192.168.16.211/24]
      gateway4: 192.168.16.205
      nameservers:
        addresses: [192.168.16.201]
    eth1:
      dhcp4: no
      addresses: [192.168.2.12/24]
Router is a Fritz!Box with a port 1194 forwarding to 192.128.2.12 for TCP and UDP.
The router is definitively working with the other forwardings and reachable under a static IP.

I can access the WebAdmin from internal. Of course I can reach the server from external.

The OpenVPN Connect Client gets an error when connecting from the outside.

Any ideas to track down the problem?

Here is the data from the client log.

Code:

[Aug 5, 2022, 08:11:38] Frame=512/2048/512 mssfix-ctrl=1250
[Aug 5, 2022, 08:11:38] UNUSED OPTIONS
4 [nobind]
18 [sndbuf] [0]
19 [rcvbuf] [0]
22 [verb] [3]
34 [CLI_PREF_ALLOW_WEB_IMPORT] [True]
35 [CLI_PREF_BASIC_CLIENT] [False]
36 [CLI_PREF_ENABLE_CONNECT] [False]
37 [CLI_PREF_ENABLE_XD_PROXY] [True]
38 [WSHOST] [vpn.example.de:443]
39 [WEB_CA_BUNDLE] [-----BEGIN CERTIFICATE----- MIIDBjCCAe6gAwIBAgIEYuvTaTANBgkqhkiG...]
40 [IS_OPENVPN_WEB_CA] [1]
[Aug 5, 2022, 08:11:38] EVENT: RESOLVE
[Aug 5, 2022, 08:11:38] Contacting 92.x.y.z:1194 via UDP
[Aug 5, 2022, 08:11:38] EVENT: WAIT
[Aug 5, 2022, 08:11:38] WinCommandAgent: transmitting bypass route to 92.x.y.z
{
	"host" : "92.x.y.z",
	"ipv6" : false
}

[Aug 5, 2022, 08:11:39] Connecting to [vpn.example.de]:1194 (92.x.y.z) via UDPv4
[Aug 5, 2022, 08:11:42] Server poll timeout, trying next remote entry...
[Aug 5, 2022, 08:11:42] EVENT: RECONNECTING
[Aug 5, 2022, 08:11:42] EVENT: RESOLVE
[Aug 5, 2022, 08:11:42] Contacting 92.x.y.z:1194 via UDP
[Aug 5, 2022, 08:11:42] EVENT: WAIT
[Aug 5, 2022, 08:11:42] WinCommandAgent: transmitting bypass route to 92.x.y.z
{
	"host" : "92.x.y.z",
	"ipv6" : false
}

[Aug 5, 2022, 08:11:43] Connecting to [vpn.example.de]:1194 (92.x.y.z) via UDPv4
[Aug 5, 2022, 08:11:46] Server poll timeout, trying next remote entry...
[Aug 5, 2022, 08:11:46] EVENT: RECONNECTING
[Aug 5, 2022, 08:11:46] EVENT: RESOLVE
[Aug 5, 2022, 08:11:46] EVENT: WAIT
[Aug 5, 2022, 08:11:46] WinCommandAgent: transmitting bypass route to 92.x.y.z
{
	"host" : "92.x.y.z",
	"ipv6" : false
}

[Aug 5, 2022, 08:11:46] Connecting to [vpn.example.de]:443 (92.x.y.z) via TCPv4
[Aug 5, 2022, 08:11:46] Transport Error: Transport error on 'vpn.example.de: TCP_SIZE_ERROR
[Aug 5, 2022, 08:11:46] EVENT: TRANSPORT_ERROR Transport error on 'vpn.example.de: TCP_SIZE_ERROR
[Aug 5, 2022, 08:11:46] Client terminated, restarting in 5000 ms...
[Aug 5, 2022, 08:11:51] EVENT: RECONNECTING
[Aug 5, 2022, 08:11:51] EVENT: RESOLVE
[Aug 5, 2022, 08:11:51] Contacting 92.x.y.z:1194 via UDP
[Aug 5, 2022, 08:11:51] EVENT: WAIT
[Aug 5, 2022, 08:11:51] WinCommandAgent: transmitting bypass route to 92.x.y.z
{
	"host" : "92.x.y.z",
	"ipv6" : false
}

[Aug 5, 2022, 08:11:52] Connecting to [vpn.example.de]:1194 (92.x.y.z) via UDPv4
[Aug 5, 2022, 08:11:55] Server poll timeout, trying next remote entry...
[Aug 5, 2022, 08:11:55] EVENT: RECONNECTING
[Aug 5, 2022, 08:11:55] EVENT: RESOLVE
[Aug 5, 2022, 08:11:55] Contacting 92.x.y.z:1194 via UDP
[Aug 5, 2022, 08:11:55] EVENT: WAIT
[Aug 5, 2022, 08:11:55] WinCommandAgent: transmitting bypass route to 92.x.y.z
{
	"host" : "92.x.y.z",
	"ipv6" : false
}

[Aug 5, 2022, 08:11:56] Connecting to [vpn.example.de]:1194 (92.x.y.z) via UDPv4
[Aug 5, 2022, 08:11:59] Server poll timeout, trying next remote entry...
[Aug 5, 2022, 08:11:59] EVENT: RECONNECTING
[Aug 5, 2022, 08:11:59] EVENT: RESOLVE
[Aug 5, 2022, 08:11:59] Contacting 92.x.y.z:1194 via UDP
[Aug 5, 2022, 08:11:59] EVENT: WAIT
[Aug 5, 2022, 08:11:59] WinCommandAgent: transmitting bypass route to 92.x.y.z
{
	"host" : "92.x.y.z",
	"ipv6" : false
}

[Aug 5, 2022, 08:12:00] Connecting to [vpn.example.de]:1194 (92.x.y.z) via UDPv4
[Aug 5, 2022, 08:12:03] Server poll timeout, trying next remote entry...
[Aug 5, 2022, 08:12:03] EVENT: RECONNECTING
[Aug 5, 2022, 08:12:03] EVENT: RESOLVE
[Aug 5, 2022, 08:12:03] Contacting 92.x.y.z:1194 via UDP
[Aug 5, 2022, 08:12:03] EVENT: WAIT
[Aug 5, 2022, 08:12:03] WinCommandAgent: transmitting bypass route to 92.x.y.z
{
	"host" : "92.x.y.z",
	"ipv6" : false
}

[Aug 5, 2022, 08:12:04] Connecting to [vpn.example.de]:1194 (92.x.y.z) via UDPv4
[Aug 5, 2022, 08:12:07] Server poll timeout, trying next remote entry...
[Aug 5, 2022, 08:12:07] EVENT: RECONNECTING
[Aug 5, 2022, 08:12:07] EVENT: RESOLVE
[Aug 5, 2022, 08:12:07] Contacting 92.x.y.z:1194 via UDP
[Aug 5, 2022, 08:12:07] EVENT: WAIT
[Aug 5, 2022, 08:12:07] WinCommandAgent: transmitting bypass route to 92.x.y.z
{
	"host" : "92.x.y.z",
	"ipv6" : false
}

[Aug 5, 2022, 08:12:08] Connecting to [vpn.example.de]:1194 (92.x.y.z) via UDPv4
[Aug 5, 2022, 08:12:11] Server poll timeout, trying next remote entry...
[Aug 5, 2022, 08:12:11] EVENT: RECONNECTING
[Aug 5, 2022, 08:12:11] EVENT: RESOLVE
[Aug 5, 2022, 08:12:12] Contacting 92.x.y.z:1194 via UDP
[Aug 5, 2022, 08:12:12] EVENT: WAIT
[Aug 5, 2022, 08:12:12] WinCommandAgent: transmitting bypass route to 92.x.y.z
{
	"host" : "92.x.y.z",
	"ipv6" : false
}

[Aug 5, 2022, 08:12:12] Connecting to [vpn.example.de]:1194 (92.x.y.z) via UDPv4
[Aug 5, 2022, 08:12:15] Server poll timeout, trying next remote entry...
[Aug 5, 2022, 08:12:15] EVENT: RECONNECTING
[Aug 5, 2022, 08:12:15] EVENT: RESOLVE
[Aug 5, 2022, 08:12:16] Contacting 92.x.y.z:1194 via UDP
[Aug 5, 2022, 08:12:16] EVENT: WAIT
[Aug 5, 2022, 08:12:16] WinCommandAgent: transmitting bypass route to 92.x.y.z
{
	"host" : "92.x.y.z",
	"ipv6" : false
}

[Aug 5, 2022, 08:12:16] Connecting to [vpn.example.de]:1194 (92.x.y.z) via UDPv4
[Aug 5, 2022, 08:12:19] Server poll timeout, trying next remote entry...
[Aug 5, 2022, 08:12:19] EVENT: RECONNECTING
[Aug 5, 2022, 08:12:19] EVENT: RESOLVE
[Aug 5, 2022, 08:12:20] EVENT: WAIT
[Aug 5, 2022, 08:12:20] WinCommandAgent: transmitting bypass route to 92.x.y.z
{
	"host" : "92.x.y.z",
	"ipv6" : false
}

[Aug 5, 2022, 08:12:20] Connecting to [vpn.example.de]:443 (92.x.y.z) via TCPv4
[Aug 5, 2022, 08:12:20] Transport Error: Transport error on 'vpn.example.de: TCP_SIZE_ERROR
[Aug 5, 2022, 08:12:20] EVENT: TRANSPORT_ERROR Transport error on 'vpn.example.de: TCP_SIZE_ERROR
[Aug 5, 2022, 08:12:20] Client terminated, restarting in 5000 ms...
[Aug 5, 2022, 08:12:25] EVENT: RECONNECTING
[Aug 5, 2022, 08:12:25] EVENT: RESOLVE
[Aug 5, 2022, 08:12:25] Contacting 92.x.y.z:1194 via UDP
[Aug 5, 2022, 08:12:25] EVENT: WAIT
[Aug 5, 2022, 08:12:25] WinCommandAgent: transmitting bypass route to 92.x.y.z
{
	"host" : "92.x.y.z",
	"ipv6" : false
}

[Aug 5, 2022, 08:12:25] Connecting to [vpn.example.de]:1194 (92.x.y.z) via UDPv4
[Aug 5, 2022, 08:12:29] Server poll timeout, trying next remote entry...
[Aug 5, 2022, 08:12:29] EVENT: RECONNECTING
[Aug 5, 2022, 08:12:29] EVENT: RESOLVE
[Aug 5, 2022, 08:12:29] Contacting 92.x.y.z:1194 via UDP
[Aug 5, 2022, 08:12:29] EVENT: WAIT
[Aug 5, 2022, 08:12:29] WinCommandAgent: transmitting bypass route to 92.x.y.z
{
	"host" : "92.x.y.z",
	"ipv6" : false
}

[Aug 5, 2022, 08:12:29] Connecting to [vpn.example.de]:1194 (92.x.y.z) via UDPv4
[Aug 5, 2022, 08:12:33] Server poll timeout, trying next remote entry...
[Aug 5, 2022, 08:12:33] EVENT: RECONNECTING
[Aug 5, 2022, 08:12:33] EVENT: RESOLVE
[Aug 5, 2022, 08:12:33] Contacting 92.x.y.z:1194 via UDP
[Aug 5, 2022, 08:12:33] EVENT: WAIT
[Aug 5, 2022, 08:12:33] WinCommandAgent: transmitting bypass route to 92.x.y.z
{
	"host" : "92.x.y.z",
	"ipv6" : false
}

[Aug 5, 2022, 08:12:33] Connecting to [vpn.example.de]:1194 (92.x.y.z) via UDPv4
[Aug 5, 2022, 08:12:37] Server poll timeout, trying next remote entry...
[Aug 5, 2022, 08:12:37] EVENT: RECONNECTING
[Aug 5, 2022, 08:12:37] EVENT: RESOLVE
[Aug 5, 2022, 08:12:37] Contacting 92.x.y.z:1194 via UDP
[Aug 5, 2022, 08:12:37] EVENT: WAIT
[Aug 5, 2022, 08:12:37] WinCommandAgent: transmitting bypass route to 92.x.y.z
{
	"host" : "92.x.y.z",
	"ipv6" : false
}

[Aug 5, 2022, 08:12:37] Connecting to [vpn.example.de]:1194 (92.x.y.z) via UDPv4
[Aug 5, 2022, 08:12:38] EVENT: CONNECTION_TIMEOUT  BYTES_IN : 610
 BYTES_OUT : 2146
 PACKETS_IN : 2
 PACKETS_OUT : 51
 TRANSPORT_ERROR : 2
 TCP_SIZE_ERROR : 2
 CONNECTION_TIMEOUT : 1
 N_RECONNECT : 14
[Aug 5, 2022, 08:12:38] EVENT: DISCONNECTED
(Edit: munged hostname and IP address)

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Client gets error when accessing the access server

Post by openvpn_inc » Fri Aug 05, 2022 10:39 am

Hi xmri,
xMRi wrote:
Fri Aug 05, 2022 7:22 am
Overview:
------------
The goal is to replace our current VPN installation using PPTP with Windows.
Oh good, about time. PPTP is long past its "best if used by" date.
xMRi wrote:
Fri Aug 05, 2022 7:22 am
So what we want to do is the same as we are doing with Windows VPN and PPTP:
Users should access our company network (192.168.16.x/24) as if they were connected via a LAN cable. VPN Users should get an IP in the range of 192.168.16.64 to 192.168.16.80

That's the status quo. Solved with Windows RRAS!
This requirement makes no sense. You can use different IP address ranges and connect them with routing (and NAT if desired. Since you want to emulate LAN connection, you probably do not want NAT.)
xMRi wrote:
Fri Aug 05, 2022 7:22 am
So this is the situation I installed:
- Router is reachable from extern via vpn.example.de (static IP).
- Open VPN Access Server has a NIC to the Router (IP 192.168.2.12)
- Router forwards required ports to VPN Access Server (Port 1194)
- Open VPN Access Server has a second NIC to the internal company network (IP 192.168.16.211)
- Open VPN Access Server is member of the current local network 192.168.16.211/24
Access Server should also have TCP port 443. This is important to help clients get around restrictive connections, such as routers with broken UDP or non-routing web proxy servers. Sure, you can use 1194/tcp instead of 443, but you lose this feature.

I see you already have HTTPS service on that IP address. Do you have a second IP address you could use? (From here it looks like you have a /22, so that should be no problem?)

I guess that the router, presumably 192.168.2.x, is not part of the LAN?
xMRi wrote:
Fri Aug 05, 2022 7:22 am
In detail:
------------------
I installed the Access Server in a Hyper-V environment.

Attached two NICs
Internal 192.168.16.211/24, Gateway 192.168.16.205. DNS 192.168.16.201
Internet Router 192.168.2.12/24

The netplan file looks like this:

Code:

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: no
      addresses: [192.168.16.211/24]
      gateway4: 192.168.16.205
      nameservers:
        addresses: [192.168.16.201]
    eth1:
      dhcp4: no
      addresses: [192.168.2.12/24]
Router is a Fritz!Box with a port 1194 forwarding to 192.128.2.12 for TCP and UDP.
The router is definitively working with the other forwardings and reachable under a static IP.

I can access the WebAdmin from internal. Of course I can reach the server from external.
I can't, but I suppose that could be a deliberate firewall limitation.
xMRi wrote:
Fri Aug 05, 2022 7:22 am
The OpenVPN Connect Client gets an error when connecting from the outside.

Any ideas to track down the problem?

Here the data from the client log.

Code:

[Aug 5, 2022, 08:11:39] Connecting to [vpn.example.de]:1194 (92.x.y.z) via UDPv4
[Aug 5, 2022, 08:11:42] Server poll timeout, trying next remote entry...
This means the initial packet was sent but no reply was received. Probably an issue with the port forwarding on the router. You could try debugging this with tcpdump(8) on the router and the Access Server. What about the Access Server's outbound access to the Internet, have you tested that? The router needs to do source NAT for the Access Server.
xMRi wrote:
Fri Aug 05, 2022 7:22 am

Code:

[Aug 5, 2022, 08:11:46] Connecting to [vpn.example.de]:443 (92.x.y.z) via TCPv4
[Aug 5, 2022, 08:11:46] Transport Error: Transport error on 'vpn.example.de: TCP_SIZE_ERROR
[Aug 5, 2022, 08:11:46] EVENT: TRANSPORT_ERROR Transport error on 'vpn.example.de: TCP_SIZE_ERROR
[Aug 5, 2022, 08:11:46] Client terminated, restarting in 5000 ms...
I've not seen this error before, but again it is surely an issue with the router.
xMRi wrote:
Fri Aug 05, 2022 7:22 am

Code:

[Aug 5, 2022, 08:12:38] EVENT: CONNECTION_TIMEOUT  BYTES_IN : 610
 BYTES_OUT : 2146
 PACKETS_IN : 2
 PACKETS_OUT : 51
 TRANSPORT_ERROR : 2
 TCP_SIZE_ERROR : 2
 CONNECTION_TIMEOUT : 1
 N_RECONNECT : 14
[Aug 5, 2022, 08:12:38] EVENT: DISCONNECTED
The interesting part here in the summary is that you only got two packets back. Those were the TCP_SIZE_ERROR packets when TCP was tried. You sent out 51 packets in 14 individual connection attempts.

Do feel free to open a Support ticket at the link in my signature. We do support prospective customers and even free-tier Access Server users.

regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
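The reading rob0 gives above (every UDP attempt timed out without a reply, the only two packets that ever came back were the TCP_SIZE_ERROR replies on port 443) can be automated so that a long reconnect loop collapses into a few numbers. The following is an added example written for this thread, not code from OpenVPN Inc. or the OpenVPN Connect client: it pairs each "Connecting to ..." line with the outcome that follows it, reads the statistics block the client prints at CONNECTION_TIMEOUT, and reports the two findings a reviewer would want. The embedded sample is an excerpt of the log posted above (hostname and IP munged as in the original); the reading of TCP_SIZE_ERROR as "a TCP peer answered, but not with OpenVPN framing" is an interpretation, marked as such in the code.

```python
"""Summarise an OpenVPN Connect client log by connection attempt (added example)."""
import re
from collections import Counter

# Bracketed timestamp prefix used by the OpenVPN Connect client log.
TS = r"\[(?P<ts>[A-Za-z]{3} \d{1,2}, \d{4}, \d\d:\d\d:\d\d)\] "
CONNECT_RE = re.compile(TS + r"Connecting to \[(?P<host>[^\]]+)\]:(?P<port>\d+) "
                        r"\((?P<ip>[^)]+)\) via (?P<proto>\w+)")
POLL_RE = re.compile(TS + r"Server poll timeout")
TRANSPORT_RE = re.compile(TS + r"Transport Error: .*?: (?P<code>[A-Z_]+)\s*$")
TIMEOUT_RE = re.compile(TS + r"EVENT: CONNECTION_TIMEOUT")
# Statistics lines ("PACKETS_IN : 2"); the first one shares the CONNECTION_TIMEOUT line.
STAT_RE = re.compile(r"(?P<key>[A-Z_]+) : (?P<val>\d+)\s*$")


def summarise(log_text):
    """Return attempt counts per transport/outcome plus the client's own statistics."""
    attempts = []
    stats = {}
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            attempts.append({"proto": m["proto"], "port": int(m["port"]), "outcome": "unknown"})
            continue
        if attempts:
            if POLL_RE.match(line):
                attempts[-1]["outcome"] = "poll_timeout"      # sent, nothing came back
            elif TRANSPORT_RE.match(line):
                attempts[-1]["outcome"] = TRANSPORT_RE.match(line)["code"]
            elif TIMEOUT_RE.match(line):
                attempts[-1]["outcome"] = "connection_timeout"
        m = STAT_RE.search(line)
        if m:
            stats[m["key"]] = int(m["val"])
    by_outcome = Counter(f"{a['proto']}/{a['outcome']}" for a in attempts)
    return {
        "attempts": len(attempts),
        "by_transport_outcome": dict(by_outcome),
        "packets_in": stats.get("PACKETS_IN"),
        "packets_out": stats.get("PACKETS_OUT"),
    }


def diagnose(summary):
    """Turn the summary into tagged findings; the TCP reading is an interpretation."""
    findings = []
    udp = {k: v for k, v in summary["by_transport_outcome"].items() if k.startswith("UDPv4/")}
    if udp and all(k.endswith(("/poll_timeout", "/connection_timeout")) for k in udp):
        findings.append("UDP_NO_REPLY: no UDP attempt got an answer; check the UDP forward "
                        "on the router and the server's return path")
    if any(k.endswith("/TCP_SIZE_ERROR") for k in summary["by_transport_outcome"]):
        findings.append("TCP_FOREIGN_PEER: a TCP peer answered but not with OpenVPN framing; "
                        "another service may own that port (interpretation)")
    if summary["packets_in"] == 0:
        findings.append("NO_PACKETS_IN: nothing at all was received")
    return findings


# Excerpt of the client log posted in this thread (hostname/IP munged as in the original).
SAMPLE_LOG = """\
[Aug 5, 2022, 08:11:38] EVENT: RESOLVE
[Aug 5, 2022, 08:11:39] Connecting to [vpn.example.de]:1194 (92.x.y.z) via UDPv4
[Aug 5, 2022, 08:11:42] Server poll timeout, trying next remote entry...
[Aug 5, 2022, 08:11:42] EVENT: RECONNECTING
[Aug 5, 2022, 08:11:43] Connecting to [vpn.example.de]:1194 (92.x.y.z) via UDPv4
[Aug 5, 2022, 08:11:46] Server poll timeout, trying next remote entry...
[Aug 5, 2022, 08:11:46] Connecting to [vpn.example.de]:443 (92.x.y.z) via TCPv4
[Aug 5, 2022, 08:11:46] Transport Error: Transport error on 'vpn.example.de: TCP_SIZE_ERROR
[Aug 5, 2022, 08:11:46] EVENT: TRANSPORT_ERROR Transport error on 'vpn.example.de: TCP_SIZE_ERROR
[Aug 5, 2022, 08:11:46] Client terminated, restarting in 5000 ms...
[Aug 5, 2022, 08:12:37] Connecting to [vpn.example.de]:1194 (92.x.y.z) via UDPv4
[Aug 5, 2022, 08:12:38] EVENT: CONNECTION_TIMEOUT  BYTES_IN : 610
 BYTES_OUT : 2146
 PACKETS_IN : 2
 PACKETS_OUT : 51
 TRANSPORT_ERROR : 2
 TCP_SIZE_ERROR : 2
 CONNECTION_TIMEOUT : 1
 N_RECONNECT : 14
[Aug 5, 2022, 08:12:38] EVENT: DISCONNECTED
"""

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(s)
    for f in diagnose(s):
        print(f)
```

Run against a full log the same way (`summarise(open(path).read())`); the point of the tags is that "poll timeout on every UDP attempt" and "TCP_SIZE_ERROR on TCP" are different failures and point at different places (the UDP forward versus whatever already answers on the TCP port).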

xMRi
OpenVpn Newbie
Posts: 7
Joined: Tue Aug 02, 2022 12:38 pm

Re: Client gets error when accessing the access server

Post by xMRi » Mon Aug 08, 2022 6:15 am

My thanks for your detailed analysis!

I got it to run with just port 1194 open.
I removed the standard gateway 192.168.16.205 from the NIC 192.168.16.211.
And I added the direct router gateway 192.168.2.1 to the NIC 192.168.16.12.

Code:

# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: no
      addresses: [192.168.16.211/24]
#      gateway4: 192.168.16.205
      nameservers:
        addresses: [192.168.16.201]
    eth1:
      dhcp4: no
      addresses: [192.168.2.12/24]
      gateway4: 192.168.2.1
It is confusing to me that it doesn't work with the default gateway on the standard network.
Finally 192.168.16.205 uses the router 192.168.2.1...

PS: Because port 443 is already in use, I also changed the TCP port for the Access Server to 1194, and opened 1194 TCP on the Fritz!Box too.
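The change that made it work, moving the default route from the LAN NIC to the NIC facing the Fritz!Box, is a routing decision that can be replayed. The following is an added example written for this thread, not netplan's or OpenVPN's code: it builds a route table from each of the two netplan configurations posted above (connected routes from `addresses`, the default route from `gateway4`) and does a longest-prefix-match lookup for a reply to an Internet client. The client address `203.0.113.7` is a constructed stand-in for the munged `92.x.y.z`, and the assumption that forwarded packets arrive on `eth1` follows from the Fritz!Box forwarding to 192.168.2.12. What the intermediate router 192.168.16.205 does with a reply that reaches it is not known from the thread, so the example only shows that the before configuration sends replies out a different interface than the one the request came in on.

```python
"""Longest-prefix-match route lookup over the thread's two netplan configs (added example)."""
import ipaddress

# The two netplan files from this thread, as Python dicts (same keys as the YAML).
BEFORE = {"network": {"ethernets": {
    "eth0": {"addresses": ["192.168.16.211/24"], "gateway4": "192.168.16.205"},
    "eth1": {"addresses": ["192.168.2.12/24"]},
}}}
AFTER = {"network": {"ethernets": {
    "eth0": {"addresses": ["192.168.16.211/24"]},
    "eth1": {"addresses": ["192.168.2.12/24"], "gateway4": "192.168.2.1"},
}}}


def routes_from_netplan(config):
    """Derive (prefix, next_hop, iface) entries: connected routes plus any gateway4 default.
    Only the gateway4 form used in the thread is handled (assumption)."""
    table = []
    for iface, spec in config["network"]["ethernets"].items():
        for addr in spec.get("addresses", []):
            table.append((ipaddress.ip_interface(addr).network, None, iface))
        if "gateway4" in spec:
            table.append((ipaddress.ip_network("0.0.0.0/0"),
                          ipaddress.ip_address(spec["gateway4"]), iface))
    return table


def lookup(config, dst):
    """Pick the most specific matching route for dst, as the kernel's FIB would."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes_from_netplan(config) if dst in r[0]]
    if not candidates:
        return None
    net, next_hop, iface = max(candidates, key=lambda r: r[0].prefixlen)
    return {"iface": iface, "next_hop": str(next_hop) if next_hop else "direct"}


def reply_is_asymmetric(config, ingress_iface, client_ip):
    """True when the reply to client_ip would leave on a different NIC than the request used."""
    route = lookup(config, client_ip)
    return route is not None and route["iface"] != ingress_iface


if __name__ == "__main__":
    client = "203.0.113.7"   # constructed stand-in for the munged 92.x.y.z
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, lookup(cfg, client), "asymmetric:", reply_is_asymmetric(cfg, "eth1", client))
```

With the original file the reply to the Internet client leaves on eth0 toward 192.168.16.205 while the forwarded request arrived on eth1 from the Fritz!Box; with the changed file request and reply both use eth1. Traffic for 192.168.16.0/24 is unaffected by the change because the connected route on eth0 is more specific than either default route.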

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Client gets error when accessing the access server

Post by openvpn_inc » Mon Aug 08, 2022 9:00 pm

Hi again,

You can have Access Server sharing a port 443/tcp with another service. By default it shares between TCP listening openvpn daemons and its own HTTPS client/admin web service. But it can share with a different HTTPS service if you prefer. There's nothing wrong with putting the Access Server's web interface on port 1194, except as noted in my last reply.

The fritzbox is going to have to forward both ports 1194 (tcp+udp) to the Access Server. That's not something you can fix on the Access Server side. You might be better off going for fritzbox support. I've never messed with one, but from what I understand it's just a Linux-based router/VoIP.

You're not thinking you were going to bridge this 192.168.16 segment, were you?
  • Bridging is almost never necessary
  • Bridging in Access Server is deprecated, if not entirely disabled
  • Just use routing and be happy.
regards, rob0
OpenVPN Inc.
