Clients cannot connect to my server (config/logs posted)

gravedanger
OpenVpn Newbie
Posts: 10
Joined: Tue Jul 05, 2011 1:53 am

Clients cannot connect to my server (config/logs posted)

Post by gravedanger » Tue Jul 05, 2011 2:16 am

hi everyone, i am new to openvpn and i have been doing extensive reading of the howto as well as the comments in the sample configuration files, but i am still having problems getting clients to connect to my server. basically, i am trying to set up a gaming server that friends can connect to. using openvpn, we will be playing games that normally require us to be in the same lan. here are my server and client configuration files, stripped of all comments. i will also post the status/log messages from the server and the client trying to connect. all of your feedback would be greatly appreciated!

my operating system: windows 7

_____my server configuration file_____

port (removed for security reasons, but this is the port i forwarded on my router)
proto udp
dev tap0
dev-node (this matches what i renamed my openvpn network adapter to)
ca "(here is an absolute path to my ca.crt file)"
cert "(here is an absolute path to my server.crt file)"
key "(here is an absolute path to my server.key file)"
dh "(here is an absolute path to my dh1024.pem file)"
server-bridge
client-to-client
keepalive 10 120
comp-lzo
max-clients 10
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20
_____client configuration file_____

client
dev tap0
dev-node (name that the client renamed his network adapter to)
proto udp
remote (server's ip address) (port: this matches the first line of the server config file)
resolv-retry infinite
nobind
persist-key
persist-tun
ca "(absolute path to ca.crt)"
cert "(absolute path to this client's .crt file)"
key "(absolute path to this client's .key file)"
ns-cert-type server
comp-lzo
verb 3
_____here is what my server log looks like after i start the server from the gui_____

Mon Jul 04 18:35:25 2011 OpenVPN 2.2.0 Win32-MSVC++ [SSL] [LZO2] built on Apr 26 2011
Mon Jul 04 18:35:25 2011 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Mon Jul 04 18:35:25 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Jul 04 18:35:25 2011 Diffie-Hellman initialized with 1024 bit key
Mon Jul 04 18:35:25 2011 TLS-Auth MTU parms [(removed some information here)]
Mon Jul 04 18:35:25 2011 Socket Buffers: (removed some information here)
Mon Jul 04 18:35:25 2011 TAP-WIN32 device [(removed name of adapter)] opened: (removed some information here)
Mon Jul 04 18:35:25 2011 TAP-Win32 Driver Version 9.8 
Mon Jul 04 18:35:25 2011 TAP-Win32 MTU=1500
Mon Jul 04 18:35:25 2011 Sleeping for 10 seconds...
Mon Jul 04 18:35:35 2011 NOTE: FlushIpNetTable failed on interface (removed some information here): Element not found.  
Mon Jul 04 18:35:35 2011 Data Channel MTU parms [(removed some information here)]
Mon Jul 04 18:35:35 2011 UDPv4 link local (bound): [undef]:(removed a port here)
Mon Jul 04 18:35:35 2011 UDPv4 link remote: [undef]
Mon Jul 04 18:35:35 2011 MULTI: multi_init called, (removed some information here)
Mon Jul 04 18:35:35 2011 Initialization Sequence Completed
_____finally, this is what the client's log looks like after it's started from the gui_____

Mon Jul 04 18:58:32 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jul 04 18:58:32 2011 TLS Error: TLS handshake failed
Mon Jul 04 18:58:32 2011 TCP/UDP: Closing socket
Mon Jul 04 18:58:32 2011 SIGUSR1[soft,tls-error] received, process restarting
Mon Jul 04 18:58:32 2011 Restart pause, 2 second(s)
Mon Jul 04 18:58:34 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Jul 04 18:58:34 2011 Re-using SSL/TLS context
Mon Jul 04 18:58:34 2011 LZO compression initialized
Mon Jul 04 18:58:34 2011 Control Channel MTU parms [(removed some information here)]
Mon Jul 04 18:58:34 2011 Socket Buffers: (removed some information here)
Mon Jul 04 18:58:34 2011 Data Channel MTU parms [(removed some information here)]
Mon Jul 04 18:58:34 2011 Local Options hash (VER=V4): (removed some information here)
Mon Jul 04 18:58:34 2011 Expected Remote Options hash (VER=V4): (removed some information here)
Mon Jul 04 18:58:34 2011 UDPv4 link local: [undef]
Mon Jul 04 18:58:34 2011 UDPv4 link remote: (removed server address):(removed server port)
based on the information i've posted, what do you suppose could be wrong? why can't the client connect to my server? thanks!

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Clients cannot connect to my server (config/logs posted)

Post by maikcat » Tue Jul 05, 2011 7:38 am

hi there,

if you want to use bridging mode you must:

bridge openvpn adapter with local lan,
inside your conf remove this

>server-bridge

and add this

>server-bridge yourlanip 255.255.255.0 lanipfirstip laniplastaddr

try again

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

gravedanger
OpenVpn Newbie
Posts: 10
Joined: Tue Jul 05, 2011 1:53 am

Re: Clients cannot connect to my server (config/logs posted)

Post by gravedanger » Tue Jul 05, 2011 8:50 am

thanks for the fast reply maikcat. i did as you said and i bridged my openvpn adapter with the adapter that gives me internet access (this is what you meant, right?)

i also commented out server-bridge, but i don't know how to use the more complicated version of server-bridge because i don't know what yourlanip, lanipfirstip, and laniplastaddr are. do yourlanip, lanipfirstip, and laniplastaddr refer to the bridge, or do they refer to the TAP-Win32 Adapter V9?

whichever one they refer to, how can i determine those 3 pieces of information? to be honest, i don't really know what i'm doing here (in fact, that's why i initially went for the simpler server-bridge command, to avoid having to know), so i will need a bit more detail.

i read the comments in the server configuration file, but i still don't know what's going on. for example, it says "then you must manually set the IP/netmask on the bridge interface, here we assume 10.8.0.4". i'm guessing based on this comment that yourlanip, lanipfirstip, and laniplastaddr refer to the bridge (right?), but i don't know how to manually set the IP/netmask on the bridge interface, or even how to determine what the IP/netmask on the bridge interface is. this means i'm in trouble if the ip on the bridge is something different from 10.8.0.4. nor do i know how to set the ip range. is the ip range something i have to set in windows, or is it just something i can set in the server configuration file? if it's just something i set in the configuration file, the first and last ips can be basically anything right? please help.

and most importantly, do you see any other mistakes in the server and client configuration files besides what you mentioned? i.e. if i fix server-bridge, nothing stands in the way of the client connecting, right?
Last edited by gravedanger on Tue Jul 05, 2011 11:18 pm, edited 2 times in total.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Clients cannot connect to my server (config/logs posted)

Post by maikcat » Tue Jul 05, 2011 9:13 am

hi there,

when you post configs with your ips removed then i have
no choice but to write yourlanip lanipfirstip laniplastaddr stuff...

anyway

yourlanip is the openvpn server's lan ip
lanipfirstip is the first ip that openvpn gives out to a bridged client
laniplastaddr is the last ip that openvpn gives out to a bridged client

when a client connects it gets an ip from your internal lan...

also you must enable ip forwarding on your openvpn server

Michael.

gravedanger
OpenVpn Newbie
Posts: 10
Joined: Tue Jul 05, 2011 1:53 am

Re: Clients cannot connect to my server (config/logs posted)

Post by gravedanger » Tue Jul 05, 2011 9:24 am

i edited my last post to be more specific in my questions. sorry for the confusion, but i edited out the ips because i wasn't sure what was safe to post.

this is probably a stupid question, but how can i determine my openvpn server's lan ip? is it simply the ip address after "remote" in the client configuration file? or is it whatever i put after server-bridge? and how can i determine the first and last ip that it gives out to the bridged client? (where can i find this information?)

also i tried to find out how to enable ip forwarding for windows 7. i found this: http://openvpn.net/index.php/open-sourc ... rding.html

i read the kb article, which gives instructions on how to enable ip forwarding, but it does it for all adapters, not just openvpn, and it only works on windows xp. how would i enable ip forwarding only for the openvpn server, and in windows 7?

thanks

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Clients cannot connect to my server (config/logs posted)

Post by maikcat » Tue Jul 05, 2011 9:30 am

if you type ipconfig in a cmd on your win7 openvpn server,
what ips do you get? (with openvpn service down)

Michael.

gravedanger
OpenVpn Newbie
Posts: 10
Joined: Tue Jul 05, 2011 1:53 am

Re: Clients cannot connect to my server (config/logs posted)

Post by gravedanger » Tue Jul 05, 2011 9:45 am

about 20 ethernet adapters showed up. for some adapters, i see the connection-specific dns suffix, link-local ipv6 address, ipv4 address, subnet mask, and default gateway. for the others, where it says media state is "media disconnected", i see nothing.

the adapters are the bridge that i just made (according to your instructions in your first reply), a lot of local area connections (almost 20 of them?!), a 6to4 adapter, and two isataps.

what am i looking for?

when i had the setting "server" instead of server-bridge, openvpn gui actually told me my server ip, which i assume is what you were asking me for. but when i instead enabled the server-bridge line, the system tray icon no longer told me what my server ip was. isn't it simply what i put after server-bridge in the server configuration file?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Clients cannot connect to my server (config/logs posted)

Post by maikcat » Tue Jul 05, 2011 10:05 am

hi there,

>about 20 ethernet adapters

eeeeh???
where are you man? NASA??? :lol:

i don't know how to help you here, (20 nics?!?!)

what else does this server have on?

Michael.

gravedanger
OpenVpn Newbie
Posts: 10
Joined: Tue Jul 05, 2011 1:53 am

Re: Clients cannot connect to my server (config/logs posted)

Post by gravedanger » Tue Jul 05, 2011 10:25 am

lol it's not as bad as it sounds. i think something is wrong with ipconfig because i only see a few under control panel/network and internet/network connections:

1. TAP-Win32 Adapter V9 (openvpn made this)
2. Local Area Connection (the one that gives me Internet access)
3. Network Bridge (this is the one you told me to make)

there are only 3 more. they're from stuff like vmware virtual machines and things unrelated to openvpn, so i really don't know why so many imaginary adapters are showing up under ipconfig.

i am totally confused and disillusioned right now. surely there must be a way to get this to work.

let's back up a few steps. i think this whole thread basically boils down to 4 major problems:

1. is it true that everything in my server and client configuration looks correct except that i used the simpler version of server-bridge?

2. how do i use the server-bridge command? i mean the more complicated version. here is the command as it appears by default: server-bridge yourlanip 255.255.255.0 lanfirstip lanlastip. can i just leave it that way? what determines the 3 parts of that command that you told me to find out anyways? the 3 parts are: yourlanip, lanfirstip, and lanlastip. does the server-bridge command alone set these for me? or do i have to hunt them down from some place in my computer and plug them in?

3. how do i enable ip forwarding in windows 7? can i do it for only one adapter, or do i have to do it for all?

4. are there any other problems besides #1-3 with my server configuration and client configuration?

sorry for being totally ignorant about these problems, but i really did my best to research before even posting here. i even started reading feilner and graf's "Beginning OpenVPN" book, but much of it has nothing to do with my problems. i read the entire howto at least 3 times, i googled all the information on openvpn i could find, and i spent days going over forum posts. i've wasted weeks of my life on this already, and i'm still apparently not smart enough to figure out how to set up a simple bridged network that i can play games over. i must be truly stupid if i did all this work and i still can't even get something that simple done. it's almost like the information i need doesn't exist. i could find no other books on the subject, nor any site that explained what i needed to do. this guy here makes it look so easy, but i did everything he said, combined it with the faq, and then found that it still didn't work: http://judebert.com/progress/permalink/GameVPN.html

that's why i posted here; to find out what i'm doing wrong. i know you can help. all i want is just to get this server successfully running so i can move on with my life! to just let it all go now means i've wasted all this time for nothing, but to keep going without help is equally pointless.
Last edited by gravedanger on Tue Jul 05, 2011 10:17 pm, edited 1 time in total.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Clients cannot connect to my server (config/logs posted)

Post by maikcat » Tue Jul 05, 2011 10:35 am

ok, here we go

to enable ip forwarding:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the following registry value:
Value Name: IPEnableRouter
Value type: REG_DWORD
Value Data: 1

-reboot-

the 2. local area is what we want, so to give an example, if your lan is 192.168.1.10 then

server-bridge 192.168.1.10 255.255.255.0 192.168.1.200 192.168.1.210 (the last 2 means that the first client will get 192.168.1.200 ip addr)

ip forwarding is global....

keep in mind that bridging setup is a little tricky, and i am NOT a windows master...

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"
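
Added example (not from the thread or the OpenVPN project): a Python check for the four-argument server-bridge line explained in the post above. It verifies that the client pool sits in the server's subnet, excludes the server address, covers max-clients, and does not overlap the LAN's DHCP range; the function name and the DHCP range values are assumptions made for the illustration.

```python
import ipaddress


def check_server_bridge(directive, dhcp_range=None, max_clients=None):
    """Return a list of problems found in one 'server-bridge' config line.

    dhcp_range  -- optional (first, last) of the LAN DHCP server's pool
    max_clients -- optional value of the config's max-clients option
    """
    parts = directive.split()
    if len(parts) != 5 or parts[0] != "server-bridge":
        return ["not the four-argument form: server-bridge "
                "<server-lan-ip> <netmask> <pool-first> <pool-last>"]
    try:
        server_ip, first, last = (
            ipaddress.IPv4Address(p) for p in (parts[1], parts[3], parts[4]))
        # strict=False: the server address is a host inside the subnet
        lan = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False)
    except ValueError as exc:
        return [f"unparsable address or netmask: {exc}"]

    problems = []
    if not server_ip.is_private:
        problems.append(f"{server_ip} is not a private LAN address")
    for label, addr in (("pool start", first), ("pool end", last)):
        if addr not in lan:
            problems.append(f"{label} {addr} is outside {lan}")
        elif addr in (lan.network_address, lan.broadcast_address):
            problems.append(f"{label} {addr} is not a usable host address")
    if first > last:
        problems.append("pool start is above pool end")
        return problems
    if first <= server_ip <= last:
        problems.append("server address lies inside the client pool")
    pool_size = int(last) - int(first) + 1
    if max_clients is not None and pool_size < max_clients:
        problems.append(
            f"pool holds {pool_size} addresses, max-clients is {max_clients}")
    if dhcp_range is not None:
        dhcp_first, dhcp_last = (ipaddress.IPv4Address(a) for a in dhcp_range)
        # Two address intervals overlap when each starts before the other ends
        if first <= dhcp_last and dhcp_first <= last:
            problems.append("client pool overlaps the LAN DHCP range "
                            f"{dhcp_first}-{dhcp_last}")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the directive from the post above with an assumed
    # router DHCP range, and the same line with its placeholders left in.
    samples = [
        ("server-bridge 192.168.1.10 255.255.255.0 192.168.1.200 192.168.1.210",
         ("192.168.1.2", "192.168.1.99")),
        ("server-bridge yourlanip 255.255.255.0 lanipfirstip laniplastaddr",
         None),
    ]
    for line, dhcp in samples:
        result = check_server_bridge(line, dhcp, max_clients=10)
        print(line, "->", result or "ok")
```

A pool that overlaps the router's DHCP range lets two machines end up with the same address, so the pool is normally carved out of the part of the subnet the router does not hand out.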

gravedanger
OpenVpn Newbie
Posts: 10
Joined: Tue Jul 05, 2011 1:53 am

Re: Clients cannot connect to my server (config/logs posted)

Post by gravedanger » Tue Jul 05, 2011 10:42 am

hmm, yourlanip is simply the local address of my computer as i set it in my router? i know that i can set an address range in my router, and that i can also see what address in that range my computer has been assigned (the computer i'm talking about is just a personal laptop). the reason i'm asking is because the sample configuration file by default has something that starts with a 10. 10.x.x.x doesn't look like a typical router address like the example you gave (192.168.1.10), which is why i thought yourlanip is something that openvpn alone controls.

so all i had to do was bridge my network adapter to openvpn's adapter, then put the information from my router into those fields?

and ip forwarding worries me. will this server work without it? it seems like a security risk.

my only goal has always been to play games over openvpn, nothing more!

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Clients cannot connect to my server (config/logs posted)

Post by maikcat » Tue Jul 05, 2011 10:48 am

>yourlanip is simply the local address of my computer as i set it in my router?

eeer?
what does your router have to do with your lan ip address?...

10.x.x.x 172.16.x.x-172.31.x.x 192.168.x.x are ALL private ip subnets
can't quite follow your thoughts....

ip forwarding is simply ip forwarding, forwards packets from one interface to another,
nothing more, nothing less

Michael.

gravedanger
OpenVpn Newbie
Posts: 10
Joined: Tue Jul 05, 2011 1:53 am

Re: Clients cannot connect to my server (config/logs posted)

Post by gravedanger » Tue Jul 05, 2011 10:51 am

well my router allowed me to set a range of private addresses. all the computers in my network that are connected to this router take an address within that range automatically. the computer i'm talking about took such an address. it is with this address that i can forward ports. i thought this was what you meant by lan ip address; the private address that the computer was assigned by the router.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Clients cannot connect to my server (config/logs posted)

Post by maikcat » Tue Jul 05, 2011 10:54 am

>the private address that the computer was assigned by the router.

yeap

simply set this ip as static...

Michael

gravedanger
OpenVpn Newbie
Posts: 10
Joined: Tue Jul 05, 2011 1:53 am

Re: Clients cannot connect to my server (config/logs posted)

Post by gravedanger » Tue Jul 05, 2011 10:58 am

ok, what about the last 2 parts of the server-bridge command? (i mean lanfirstip and lanlastip). the router allows me over 200 different local addresses to use. for example, if the router allowed me 192.168.50.2 to 192.168.50.254, can openvpn use just 192.168.50.40 to 192.168.50.60? i don't need that many clients anyways.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Clients cannot connect to my server (config/logs posted)

Post by maikcat » Tue Jul 05, 2011 11:01 am

>can openvpn use just 192.168.50.40 to 192.168.50.60

yeap...

Michael

gravedanger
OpenVpn Newbie
Posts: 10
Joined: Tue Jul 05, 2011 1:53 am

Re: Clients cannot connect to my server (config/logs posted)

Post by gravedanger » Tue Jul 05, 2011 11:06 am

thanks, i will try this out and let you know how it goes. before i made these changes, i didn't even see the client's attempt to connect to me reflected in the logs. i thought openvpn should at least attempt internet access when my server appeared to be up successfully. the client said he could see openvpn trying to connect out, but i could see no such thing on the server side. i may as well have been using a word processor. i guess we will see what happens now.

by the way, how did you learn the information on ip forwarding? i looked everywhere! the howto only mentions ip forwarding 2 times. the first time it mentions ip forwarding, it was only in reference to using a routed vpn, not a bridged one. the second time it mentions ip forwarding, it was about including multiple client machines when, once again, using a routed (not bridged) vpn.

is there any way to become better at openvpn without going through the mindless trial and error i've been doing up to now? i have no doubt james yonan was a genius, but surely there is some way to learn to at least use his product. if openvpn is this hard to configure, i can't imagine how bad ipsec must be :o

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Clients cannot connect to my server (config/logs posted)

Post by maikcat » Tue Jul 05, 2011 12:38 pm

>by the way, how did you learn the information on ip forwarding? i looked everywhere!

not here.... 8-)
http://openvpn.net/index.php/open-sourc ... rding.html


janjust has written a book about openvpn, i heard it's a good one!

Michael.

gravedanger
OpenVpn Newbie
Posts: 10
Joined: Tue Jul 05, 2011 1:53 am

Re: Clients cannot connect to my server (config/logs posted)

Post by gravedanger » Tue Jul 05, 2011 6:34 pm

i found "tcpip" in the registry, but "parameters" does not exist.

edit: my mistake. i did find it, and i enabled ip forwarding as you describe, but that client is still unable to connect.
