This is NOT a firewall issue

benfell
OpenVpn Newbie
Posts: 3
Joined: Fri Apr 15, 2011 9:20 pm

This is NOT a firewall issue

Post by benfell » Fri Apr 15, 2011 9:43 pm

Hi all,

Seriously, this is NOT a firewall issue. The server does not even have iptables installed.

On the client side, I am seeing "TLS Error: TLS key negotiation failed to occur within 60 seconds." On the server side, I see nothing other than a successful start up.

This is on a Linode, which I am upgrading from a 32-bit Debian to a 64-bit Ubuntu. The upgrade is not going well; I feel like I am trying to put Humpty Dumpty's pieces back together again.

But openvpn was working on the 64-bit Ubuntu system before I rebooted it to take on additional IPv4 addresses (because this is a Linode, it needs to be rebooted for this). I've checked lsof on the server:

openvpn   3215    nobody  cwd       DIR              202,0     4096     222076 /etc/openvpn
openvpn   3215    nobody  rtd       DIR              202,0     4096          2 /
openvpn   3215    nobody  txt       REG              202,0   545560    1505281 /usr/sbin/openvpn
openvpn   3215    nobody  mem       REG              202,0    51712      31952 /lib/libnss_files-2.12.1.so
openvpn   3215    nobody  mem       REG              202,0    43552      31484 /lib/libnss_nis-2.12.1.so
openvpn   3215    nobody  mem       REG              202,0    97256      32239 /lib/libnsl-2.12.1.so
openvpn   3215    nobody  mem       REG              202,0    35712      32234 /lib/libnss_compat-2.12.1.so
openvpn   3215    nobody  mem       REG              202,0    96816      32224 /lib/libz.so.1.2.3.4
openvpn   3215    nobody  mem       REG              202,0  1572232      32233 /lib/libc-2.12.1.so
openvpn   3215    nobody  mem       REG              202,0   136067      32243 /lib/libpthread-2.12.1.so
openvpn   3215    nobody  mem       REG              202,0    14696      32278 /lib/libdl-2.12.1.so
openvpn   3215    nobody  mem       REG              202,0   133176      75882 /usr/lib/liblzo2.so.2.0.0
openvpn   3215    nobody  mem       REG              202,0  1608192      31512 /lib/libcrypto.so.0.9.8
openvpn   3215    nobody  mem       REG              202,0   333904      32217 /lib/libssl.so.0.9.8
openvpn   3215    nobody  mem       REG              202,0   100920      76004 /usr/lib/libpkcs11-helper.so.1.0.0
openvpn   3215    nobody  mem       REG              202,0   141072      32279 /lib/ld-2.12.1.so
openvpn   3215    nobody    0u      CHR                1,3      0t0       2473 /dev/null
openvpn   3215    nobody    1u      CHR                1,3      0t0       2473 /dev/null
openvpn   3215    nobody    2u      CHR                1,3      0t0       2473 /dev/null
openvpn   3215    nobody    3u     unix 0xffff88003cd98900      0t0       6020 socket
openvpn   3215    nobody    4w      REG              202,0      232     222173 /etc/openvpn/openvpn-status.log
openvpn   3215    nobody    5u      REG              202,0      123     222077 /etc/openvpn/ipp.txt
openvpn   3215    nobody    6u     IPv4               9325      0t0        UDP 74.207.227.150:https
openvpn   3215    nobody    7u      CHR             10,200      0t0       3681 /dev/net/tun

The "https" is expected. I reconfigured openvpn to use port 443 a while ago hoping I could bypass any unfriendly network rules in my daily travels. That worked fine. I do run apache on the same server. I have attempted to configure it to carefully avoid openvpn's address while answering all my IPv6 addresses:

apache2   3046      root    4u     IPv6               7797      0t0        TCP *:www (LISTEN)
apache2   3046      root    5u     IPv4               7800      0t0        TCP 10.8.0.1:https (LISTEN)
apache2   3046      root    6u     IPv4               7802      0t0        TCP 74.207.225.79:https (LISTEN)
apache2   3046      root    7u     IPv4               7804      0t0        TCP 173.230.137.73:https (LISTEN)
apache2   3046      root    8u     IPv4               7806      0t0        TCP 173.230.137.76:https (LISTEN)
apache2   3050  www-data    4u     IPv6               7797      0t0        TCP *:www (LISTEN)
apache2   3050  www-data    5u     IPv4               7800      0t0        TCP 10.8.0.1:https (LISTEN)
apache2   3050  www-data    6u     IPv4               7802      0t0        TCP 74.207.225.79:https (LISTEN)
apache2   3050  www-data    7u     IPv4               7804      0t0        TCP 173.230.137.73:https (LISTEN)
apache2   3050  www-data    8u     IPv4               7806      0t0        TCP 173.230.137.76:https (LISTEN)
apache2   3346  www-data    4u     IPv6               7797      0t0        TCP *:www (LISTEN)
apache2   3346  www-data    5u     IPv4               7800      0t0        TCP 10.8.0.1:https (LISTEN)
apache2   3346  www-data    6u     IPv4               7802      0t0        TCP 74.207.225.79:https (LISTEN)
apache2   3346  www-data    7u     IPv4               7804      0t0        TCP 173.230.137.73:https (LISTEN)
apache2   3346  www-data    8u     IPv4               7806      0t0        TCP 173.230.137.76:https (LISTEN)
apache2   3467  www-data    4u     IPv6               7797      0t0        TCP *:www (LISTEN)
apache2   3467  www-data    5u     IPv4               7800      0t0        TCP 10.8.0.1:https (LISTEN)
apache2   3467  www-data    6u     IPv4               7802      0t0        TCP 74.207.225.79:https (LISTEN)
apache2   3467  www-data    7u     IPv4               7804      0t0        TCP 173.230.137.73:https (LISTEN)
apache2   3467  www-data    8u     IPv4               7806      0t0        TCP 173.230.137.76:https (LISTEN)
apache2   3486  www-data    4u     IPv6               7797      0t0        TCP *:www (LISTEN)
apache2   3486  www-data    5u     IPv4               7800      0t0        TCP 10.8.0.1:https (LISTEN)
apache2   3486  www-data    6u     IPv4               7802      0t0        TCP 74.207.225.79:https (LISTEN)
apache2   3486  www-data    7u     IPv4               7804      0t0        TCP 173.230.137.73:https (LISTEN)
apache2   3486  www-data    8u     IPv4               7806      0t0        TCP 173.230.137.76:https (LISTEN)
apache2   3488  www-data    4u     IPv6               7797      0t0        TCP *:www (LISTEN)
apache2   3488  www-data    5u     IPv4               7800      0t0        TCP 10.8.0.1:https (LISTEN)
apache2   3488  www-data    6u     IPv4               7802      0t0        TCP 74.207.225.79:https (LISTEN)
apache2   3488  www-data    7u     IPv4               7804      0t0        TCP 173.230.137.73:https (LISTEN)
apache2   3488  www-data    8u     IPv4               7806      0t0        TCP 173.230.137.76:https (LISTEN)
apache2   3488  www-data   35u     IPv6              26344      0t0        TCP 74.207.225.79:www->66.249.71.187:50201 (ESTABLISHED)
apache2   3488  www-data   36u     IPv4              26366      0t0        TCP 10.8.0.1:40082->10.8.0.10:mysql (SYN_SENT)
apache2   3493  www-data    4u     IPv6               7797      0t0        TCP *:www (LISTEN)
apache2   3493  www-data    5u     IPv4               7800      0t0        TCP 10.8.0.1:https (LISTEN)
apache2   3493  www-data    6u     IPv4               7802      0t0        TCP 74.207.225.79:https (LISTEN)
apache2   3493  www-data    7u     IPv4               7804      0t0        TCP 173.230.137.73:https (LISTEN)
apache2   3493  www-data    8u     IPv4               7806      0t0        TCP 173.230.137.76:https (LISTEN)
apache2   3495  www-data    4u     IPv6               7797      0t0        TCP *:www (LISTEN)
apache2   3495  www-data    5u     IPv4               7800      0t0        TCP 10.8.0.1:https (LISTEN)
apache2   3495  www-data    6u     IPv4               7802      0t0        TCP 74.207.225.79:https (LISTEN)
apache2   3495  www-data    7u     IPv4               7804      0t0        TCP 173.230.137.73:https (LISTEN)
apache2   3495  www-data    8u     IPv4               7806      0t0        TCP 173.230.137.76:https (LISTEN)
apache2   3500  www-data    4u     IPv6               7797      0t0        TCP *:www (LISTEN)
apache2   3500  www-data    5u     IPv4               7800      0t0        TCP 10.8.0.1:https (LISTEN)
apache2   3500  www-data    6u     IPv4               7802      0t0        TCP 74.207.225.79:https (LISTEN)
apache2   3500  www-data    7u     IPv4               7804      0t0        TCP 173.230.137.73:https (LISTEN)
apache2   3500  www-data    8u     IPv4               7806      0t0        TCP 173.230.137.76:https (LISTEN)

I'm stumped. This is the server.conf with comments and blank lines stripped:

local 74.207.227.150
port 443
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

And here is the client.conf, similarly mangled:

client
dev tun
proto udp
remote 74.207.227.150 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert n4rky.crt
key n4rky.key
ns-cert-type server
comp-lzo
verb 3

I just don't know what to try. Can anyone help? Thanks!

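
The lsof listing in the post shows OpenVPN on UDP 443 at 74.207.227.150 and Apache on TCP 443 at its own addresses. As an added example that is not part of this thread, the Python below parses lsof -i style lines (constructed here to mirror the ones posted) and reports only listeners that would actually contend for the same protocol and port, i.e. the same address or a wildcard bind; the service-name map and the rule that a "*" bind collides regardless of address family are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the listing in the post: OpenVPN on UDP 443,
# Apache on TCP 443 at specific addresses, plus one client socket (SYN_SENT).
LSOF_SAMPLE = """\
openvpn   3215    nobody    6u     IPv4    9325   0t0   UDP 74.207.227.150:https
apache2   3046      root    4u     IPv6    7797   0t0   TCP *:www (LISTEN)
apache2   3046      root    5u     IPv4    7800   0t0   TCP 10.8.0.1:https (LISTEN)
apache2   3046      root    6u     IPv4    7802   0t0   TCP 74.207.225.79:https (LISTEN)
apache2   3488  www-data   36u     IPv4   26366   0t0   TCP 10.8.0.1:40082->10.8.0.10:mysql (SYN_SENT)
"""

# lsof prints service names unless run with -P; map the ones seen here (assumed).
PORTS = {"https": 443, "www": 80, "http": 80}

LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+(?P<family>IPv[46])"
    r"\s+\S+\s+\S+\s+(?P<proto>TCP|UDP)\s+(?P<addr>[^\s:]+):(?P<port>[A-Za-z0-9]+)"
    r"(?:->\S+)?(?:\s+\((?P<state>\w+)\))?\s*$"
)

def parse_listeners(text):
    """Map (proto, family, addr, port) -> set of commands, listeners only.
    UDP sockets carry no state in lsof; TCP sockets count only when (LISTEN)."""
    listeners = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["proto"] == "TCP" and m["state"] != "LISTEN":
            continue  # ESTABLISHED / SYN_SENT are client sockets, not listeners
        port = PORTS.get(p := m["port"], int(p) if p.isdigit() else p)
        listeners[(m["proto"], m["family"], m["addr"], port)].add(m["cmd"])
    return listeners

def find_conflicts(listeners):
    """Pairs of listener keys held by different commands that contend for the
    same proto and port: equal addresses, or a '*' wildcard on either side."""
    keys = sorted(listeners, key=str)
    conflicts = []
    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            same_proto_port = a[0] == b[0] and a[3] == b[3]
            overlap = a[2] == b[2] or "*" in (a[2], b[2])
            if same_proto_port and overlap and listeners[a] != listeners[b]:
                conflicts.append((a, b))
    return conflicts
```

Run against the sample it reports no conflicts: UDP and TCP 443 coexist, and Apache never binds the OpenVPN address or a wildcard on 443.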
benfell

Re: This is NOT a firewall issue

Post by benfell » Fri Apr 15, 2011 11:21 pm

As of now, it appears to be a routing problem unrelated to OpenVPN.

It finally :oops: occurred to me to try nmap, then ping, then traceroute. The server says the address is up, but nobody can reach it except the server itself. Linode support had me try this command from the server:

arping -I eth0 -c3 -b -A 74.207.227.150

It didn't answer. So we seem to have a really unhappy router that's outside my control.

benfell

Re: This is NOT a firewall issue

Post by benfell » Fri Apr 15, 2011 11:48 pm

The next thing Linode support had me try was:

ping -I 74.207.227.150 74.207.227.1

That seems to have resolved the issue. OpenVPN promptly came up.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: This is NOT a firewall issue

Post by janjust » Mon Apr 18, 2011 7:22 am

Nice to hear that things are working, but it is weird: all the command

ping -I 74.207.227.150 74.207.227.1

does is ping some interface (.1) using a source interface (.150, which is your LAN interface). If that triggered something to make OpenVPN work then I'd check the firewall on this .1 box and I'd check that your ARP tables are set up correctly.
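
The two replies above describe the actual fix: a ping sourced from the newly added address made the upstream router learn it. As an added example that is not from this thread, the script below turns that into a repeatable check after adding addresses to a host like this one: it lists each IPv4 on the interface, pings the gateway from that address, and shows the neighbour entry. It assumes the device is eth0, that each address sits in a /24 whose gateway is .1 (as in the thread), and iputils ping with iproute2.

```shell
#!/bin/sh
# Added example, not from the thread. Locally an address looks "up" as soon as
# it is configured, but until the gateway has learned its MAC nothing comes
# back; a ping sourced from the address forces that exchange.
DEV=${DEV:-eth0}

# Read `ip -o -4 addr` output on stdin; print "<address> <gateway>" per line.
# Assumption: /24 with the gateway at .1, as in the thread.
addrs_with_gateway() {
    awk '$3 == "inet" { split($4, p, "/"); split(p[1], o, ".");
                        print p[1], o[1] "." o[2] "." o[3] ".1" }'
}

# Ping the gateway once, sourced from the given address; report the outcome.
probe_from() {
    if ping -c1 -W2 -I "$1" "$2" >/dev/null 2>&1; then
        echo "ok   $1 -> $2"
    else
        echo "FAIL $1 -> $2  (no return path from the gateway; check its ARP entry)"
    fi
}

# Constructed sample of `ip -o -4 addr show dev eth0` using the thread's addresses.
SAMPLE_IP_OUTPUT='2: eth0    inet 74.207.225.79/24 brd 74.207.225.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 74.207.227.150/24 brd 74.207.227.255 scope global eth0\       valid_lft forever preferred_lft forever'

if [ "${1:-}" = "run" ]; then
    ip -o -4 addr show dev "$DEV" | addrs_with_gateway | while read -r addr gw; do
        probe_from "$addr" "$gw"
        # Neighbour state after the probe: REACHABLE/STALE is fine, FAILED/INCOMPLETE is not.
        ip neigh show to "$gw" dev "$DEV"
    done
fi
```

Invoke it as `sh check-ips.sh run` on the server; without the `run` argument only the functions are defined, so the parser can be exercised on the embedded sample.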
