I would like to ask the community about OpenVPN client debugging steps since there are several problems coinciding and I have quite limited access to all parties in creating the VPN.
Below is my situation.
I have an account (access to the resources) in an institution where I had a project before and still maintain some activity.
They offer remote access via VPN and with various clients, which are different for Win and Linux.
For Linux, there is OpenVPN, I used it on my laptop.
For Windows, a GlobalProtect client should be used.
Now I work in another institution; they have their own corporate network.
I wanted to have access to the previous site simultaneously with the resources at my work.
My working PC with Windows can connect to the previous site with GlobalProtect, but the internal resources on the new site become inaccessible.
So I have to switch between two networks, but I'm looking for ways to have both networks at once on a single machine.
In VMware, I created a virtual machine with Linux Mint, installed the OpenVPN client, and downloaded client.ovpn, but the tunnel won't establish.
Here is the output:
osboxes@osboxes:~/Documents/access$ sudo openvpn --config client.ovpn
[sudo] password for osboxes:
Fri Jan 20 07:14:08 2023 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021
Fri Jan 20 07:14:08 2023 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Enter Auth Username: iarosl82
Enter Auth Password: ************
Fri Jan 20 07:14:17 2023 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:17 2023 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:17 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:17 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Jan 20 07:14:17 2023 UDP link local: (not bound)
Fri Jan 20 07:14:17 2023 UDP link remote: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:21 2023 Server poll timeout, restarting
Fri Jan 20 07:14:21 2023 SIGUSR1[soft,server_poll] received, process restarting
Fri Jan 20 07:14:21 2023 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:21 2023 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:21 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:21 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Jan 20 07:14:21 2023 UDP link local: (not bound)
Fri Jan 20 07:14:21 2023 UDP link remote: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:25 2023 Server poll timeout, restarting
Fri Jan 20 07:14:25 2023 SIGUSR1[soft,server_poll] received, process restarting
Fri Jan 20 07:14:25 2023 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:25 2023 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:25 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]193.40.12.54:443
Fri Jan 20 07:14:25 2023 Socket Buffers: R=[131072->131072] S=[16384->16384]
Fri Jan 20 07:14:25 2023 Attempting to establish TCP connection with [AF_INET]193.40.12.54:443 [nonblock]
Fri Jan 20 07:14:26 2023 TCP connection established with [AF_INET]193.40.12.54:443
Fri Jan 20 07:14:26 2023 TCP_CLIENT link local: (not bound)
Fri Jan 20 07:14:26 2023 TCP_CLIENT link remote: [AF_INET]193.40.12.54:443
Fri Jan 20 07:14:26 2023 Connection reset, restarting [-1]
Fri Jan 20 07:14:26 2023 SIGUSR1[soft,connection-reset] received, process restarting
Fri Jan 20 07:14:26 2023 Restart pause, 5 second(s)
Fri Jan 20 07:14:31 2023 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:31 2023 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:31 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:31 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Jan 20 07:14:31 2023 UDP link local: (not bound)
Fri Jan 20 07:14:31 2023 UDP link remote: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:35 2023 Server poll timeout, restarting
Fri Jan 20 07:14:35 2023 SIGUSR1[soft,server_poll] received, process restarting
Fri Jan 20 07:14:35 2023 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:35 2023 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:35 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:35 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Jan 20 07:14:35 2023 UDP link local: (not bound)
Fri Jan 20 07:14:35 2023 UDP link remote: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:40 2023 Server poll timeout, restarting
Fri Jan 20 07:14:40 2023 SIGUSR1[soft,server_poll] received, process restarting
Fri Jan 20 07:14:40 2023 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:40 2023 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:40 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:40 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Jan 20 07:14:40 2023 UDP link local: (not bound)
Fri Jan 20 07:14:40 2023 UDP link remote: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:44 2023 Server poll timeout, restarting
Fri Jan 20 07:14:44 2023 SIGUSR1[soft,server_poll] received, process restarting
Fri Jan 20 07:14:44 2023 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:44 2023 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jan 20 07:14:44 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]193.40.12.54:1194
Fri Jan 20 07:14:44 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Jan 20 07:14:44 2023 UDP link local: (not bound)
Fri Jan 20 07:14:44 2023 UDP link remote: [AF_INET]193.40.12.54:1194
First, I assumed it was a problem with port forwarding and asked my IT helpdesk to create a bridge with my virtual machine, assigning a static IP to my guest OS, so it would become visible to the outer world.
This, however, is not possible, and I started to think that some advanced port forwarding is required involving UDP port 1194.
I tried adding settings to my client.ovpn file like
proto tcp
port xxxx
I also tried to connect to my previous site with OpenVPN from my laptop using the wifi of the current corporate network, and I got the same failure output in the console.
With public wifi, there is no problem with the connection.
So first, I think there must be a firewall in the corporate network at my current institution.
I also don't have access to the OpenVPN server logs. This server is running somewhere on a remote site.
Perhaps I can get logs via the helpdesk of my previous institution.
I need some algorithms to solve the issue step by step, taking into account that I need to explain my requests to helpdesks from the previous and the current institutions and demand clear and specific actions from them.
Can anybody suggest such steps here?
client.ovpn:
# Automatically generated OpenVPN client config file
# Generated on Tue Nov 29 16:17:07 2022 by tunnel
# Note: this config file contains inline private keys
# and therefore should be kept confidential!
# Certificate serial: 21055, certificate common name: iarosl82
# Expires 2032-11-26 16:17:07
# Note: this configuration is user-locked to the username below
# OVPN_ACCESS_SERVER_USERNAME=iarosl82
# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=iarosl82@tunnel.ut.ee
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=tunnel.ut.ee:443
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=0
# OVPN_ACCESS_SERVER_ORGANIZATION=VPN service of the University of Tartu
client
server-poll-timeout 4
nobind
proto tcp
remote tunnel.ut.ee 1194 udp
remote tunnel.ut.ee 1194 udp
remote tunnel.ut.ee 443 tcp
remote tunnel.ut.ee 1194 udp
remote tunnel.ut.ee 1194 udp
remote tunnel.ut.ee 1194 udp
remote tunnel.ut.ee 1194 udp
remote tunnel.ut.ee 1194 udp
dev tun
dev-type tun
remote-cert-tls server
tls-version-min 1.2
reneg-sec 604800
auth-user-pass
verb 3
push-peer-info
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key (Server Agent)
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
## -----BEGIN RSA SIGNATURE-----
## -----END RSA SIGNATURE-----
## -----BEGIN CERTIFICATE-----
## -----END CERTIFICATE-----
## -----BEGIN CERTIFICATE-----
## -----END CERTIFICATE-----