[resolved] Openvpn server suddenly stopped working

[euler24]

Hello,

I own a root server with 1 static ip which I use as an Internet gateway server. For three month my Openvpn server config was running properly but since a few days I cannot connect to the Openvpn anymore. I talked to the hosting company and they told me that their government is now blocking ICMP pings. The result is I cannot ping my server anymore. I tried to change the openvpn port but wasn't successful yet. I never get the "Initialization Sequence Complete" status message anymore, instead I see this:

Code: Select all

Sun Dec 19 03:23:17 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Dec 19 03:23:17 2011 TLS Error: TLS handshake failed

I'm totally clueless about the problem and I need some advice what to do now. How can I make the Openvpn server work again? Any help is highly appreciated.

Here is the server conf:

Code: Select all

server 10.8.0.0 255.255.255.0

dev tun
port 1194
proto udp

ca ca.crt
cert mycert.crt
key mykey.key
dh dh1024.pem

comp-lzo

push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222" #OpenDNS
push "dhcp-option DNS 208.67.220.220"

ping-timer-rem
keepalive 10 120

persist-key
persist-tun

verb 3
mute 50

And the client:

Code: Select all

client

remote <static-ip> 1194
proto udp
dev tun

comp-lzo

ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server

verb 3
mute 50

[Mimiko]

It's a firewall or routing issue. Your server is not accesible. Ping from client the server with server's public ip. Also make a traceroute. Is the serve behind a router? Is the port forwarded?

[euler24]

Hi Mimiko,

Is the serve behind a router?

I guess so but I'm not sure. I've never been there locally. Can I check this somehow?

Is the port forwarded?

You mean the openvpn port? I opened port 1194 on the firewall. Is that what you mean? As I mentioned the openvpn server was working perfectly well until now. I changed nothing, but when I was trying to troubleshoot the issue I tried some different ports... Even when I ssh into my server it is kind of slow now.

I remember I did this when I was configuring the openvpn server back then:

Code: Select all

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j SNAT --to XXX.XX.XX.XXX

I tried traceroute but it's also not working because it generates an ICMP echo request packet and this had been blocked recently. I guess the government of this country is blocking pings for my public IP address to render my vpn useless. So, I got no result when I try to traceroute from my client to the server.

Code: Select all

[USERNAME@HOSTNAME ~]$ traceroute -n XXX.XX.XX.XXX
 traceroute to XXX.XX.XX.XXX (XXX.XX.XX.XXX), 30 hops max, 60 byte packets
 1  <REDACTED>  2.303 ms  3.567 ms  3.761 ms
 2  <REDACTED>  20.289 ms  107.754 ms  107.912 ms
 3  <REDACTED>  23.157 ms  25.744 ms  26.005 ms
 4  <REDACTED>  32.542 ms  35.501 ms  36.166 ms
 5  <REDACTED>  40.060 ms <REDACTED>  40.313 ms  40.444 ms
 6  <REDACTED>  40.627 ms  38.923 ms <REDACTED>  39.126 ms
 7  <REDACTED>  48.808 ms  32.220 ms  34.330 ms
 8  <REDACTED>  46.642 ms <REDACTED>  52.055 ms <REDACTED>  47.993 ms
 9  <REDACTED>  120.384 ms <REDACTED>  123.479 ms <REDACTED>  122.344 ms
10  <REDACTED>  195.185 ms <REDACTED>  189.698 ms <REDACTED>  199.108 ms
11  <REDACTED>  197.881 ms  195.985 ms  192.131 ms
12  * * <REDACTED>  444.398 ms
13  <REDACTED>  454.728 ms * *
14  * <REDACTED>  453.376 ms *
15  <REDACTED>  498.935 ms *  495.270 ms
16  * <REDACTED>  495.940 ms *
17  <REDACTED>  478.728 ms * *
18  * <REDACTED>  483.698 ms  491.110 ms
19  * * <REDACTED>  494.315 ms
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

but other stuff works:

Code: Select all

ping yahoo.com
traceroute yahoo.com

[Mimiko]

Even when I ssh into my server it is kind of slow now

May be this slow connection doesnot permit to return responsces within the waiting time. Check the connection speed and latency to the internet of the server and client.

[euler24]

Hi Mimiko,

Magically, my problem resolved itself. I just updated my root server (no openvpn update) and then I stopped and started the openvpn server again. After this everything worked like before, no connection problems anymore.
So thanks anyway.