Hi,
I recently configured OpenVPN (on an OpenVZ VPS, Ubuntu 10.04, with TUN enabled).
I can't connect to the server from my PC client (no firewall is enabled on my PC). I even changed the default port 1194 to 1193,
with no success; I still receive the following errors:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
This is the server.conf:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
port 1193
proto udp
dev tun
;dev-node MyTap
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nogroup
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 4
;mute 20
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
I set up my iptables from topic7722.html.
This is my iptables:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:1193
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.8.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
This is the openvpn log while a client tries to connect to it:
openvpn /etc/openvpn/server.conf
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Sun Apr 14 18:51:15 2013 us=623540 Current Parameter Settings:
Sun Apr 14 18:51:15 2013 us=623611 config = '/etc/openvpn/server.conf'
Sun Apr 14 18:51:15 2013 us=623622 mode = 1
Sun Apr 14 18:51:15 2013 us=623631 persist_config = DISABLED
Sun Apr 14 18:51:15 2013 us=623641 persist_mode = 1
Sun Apr 14 18:51:15 2013 us=623650 show_ciphers = DISABLED
Sun Apr 14 18:51:15 2013 us=623659 show_digests = DISABLED
Sun Apr 14 18:51:15 2013 us=623668 show_engines = DISABLED
Sun Apr 14 18:51:15 2013 us=623676 genkey = DISABLED
Sun Apr 14 18:51:15 2013 us=623682 key_pass_file = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=623687 show_tls_ciphers = DISABLED
Sun Apr 14 18:51:15 2013 us=623693 Connection profiles [default]:
Sun Apr 14 18:51:15 2013 us=623700 proto = udp
Sun Apr 14 18:51:15 2013 us=623706 local = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=623711 local_port = 1193
Sun Apr 14 18:51:15 2013 us=623716 remote = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=623722 remote_port = 1193
Sun Apr 14 18:51:15 2013 us=623731 remote_float = DISABLED
Sun Apr 14 18:51:15 2013 us=623737 bind_defined = DISABLED
Sun Apr 14 18:51:15 2013 us=623742 bind_local = ENABLED
Sun Apr 14 18:51:15 2013 us=623748 connect_retry_seconds = 5
Sun Apr 14 18:51:15 2013 us=623753 connect_timeout = 10
Sun Apr 14 18:51:15 2013 us=623758 connect_retry_max = 0
Sun Apr 14 18:51:15 2013 us=623764 socks_proxy_server = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=623769 socks_proxy_port = 0
Sun Apr 14 18:51:15 2013 us=623774 socks_proxy_retry = DISABLED
Sun Apr 14 18:51:15 2013 us=623781 Connection profiles END
Sun Apr 14 18:51:15 2013 us=623786 remote_random = DISABLED
Sun Apr 14 18:51:15 2013 us=623792 ipchange = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=623797 dev = 'tun'
Sun Apr 14 18:51:15 2013 us=623802 dev_type = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=623807 dev_node = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=623812 lladdr = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=623818 topology = 1
Sun Apr 14 18:51:15 2013 us=623823 tun_ipv6 = DISABLED
Sun Apr 14 18:51:15 2013 us=623828 ifconfig_local = '10.8.0.1'
Sun Apr 14 18:51:15 2013 us=623833 ifconfig_remote_netmask = '10.8.0.2'
Sun Apr 14 18:51:15 2013 us=623839 ifconfig_noexec = DISABLED
Sun Apr 14 18:51:15 2013 us=623844 ifconfig_nowarn = DISABLED
Sun Apr 14 18:51:15 2013 us=623849 shaper = 0
Sun Apr 14 18:51:15 2013 us=623854 tun_mtu = 1500
Sun Apr 14 18:51:15 2013 us=623860 tun_mtu_defined = ENABLED
Sun Apr 14 18:51:15 2013 us=623865 link_mtu = 1500
Sun Apr 14 18:51:15 2013 us=623870 link_mtu_defined = DISABLED
Sun Apr 14 18:51:15 2013 us=623875 tun_mtu_extra = 0
Sun Apr 14 18:51:15 2013 us=623881 tun_mtu_extra_defined = DISABLED
Sun Apr 14 18:51:15 2013 us=623886 fragment = 0
Sun Apr 14 18:51:15 2013 us=623891 mtu_discover_type = -1
Sun Apr 14 18:51:15 2013 us=623896 mtu_test = 0
Sun Apr 14 18:51:15 2013 us=623901 mlock = DISABLED
Sun Apr 14 18:51:15 2013 us=623907 keepalive_ping = 10
Sun Apr 14 18:51:15 2013 us=623912 keepalive_timeout = 120
Sun Apr 14 18:51:15 2013 us=623917 inactivity_timeout = 0
Sun Apr 14 18:51:15 2013 us=623922 ping_send_timeout = 10
Sun Apr 14 18:51:15 2013 us=623928 ping_rec_timeout = 240
Sun Apr 14 18:51:15 2013 us=623933 ping_rec_timeout_action = 2
Sun Apr 14 18:51:15 2013 us=623938 ping_timer_remote = DISABLED
Sun Apr 14 18:51:15 2013 us=623943 remap_sigusr1 = 0
Sun Apr 14 18:51:15 2013 us=623948 explicit_exit_notification = 0
Sun Apr 14 18:51:15 2013 us=623953 persist_tun = ENABLED
Sun Apr 14 18:51:15 2013 us=623958 persist_local_ip = DISABLED
Sun Apr 14 18:51:15 2013 us=623964 persist_remote_ip = DISABLED
Sun Apr 14 18:51:15 2013 us=623969 persist_key = ENABLED
Sun Apr 14 18:51:15 2013 us=623975 mssfix = 1450
Sun Apr 14 18:51:15 2013 us=623984 passtos = DISABLED
Sun Apr 14 18:51:15 2013 us=623994 resolve_retry_seconds = 1000000000
Sun Apr 14 18:51:15 2013 us=624001 username = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624006 groupname = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624011 chroot_dir = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624017 cd_dir = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624022 writepid = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624027 up_script = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624032 down_script = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624037 down_pre = DISABLED
Sun Apr 14 18:51:15 2013 us=624042 up_restart = DISABLED
Sun Apr 14 18:51:15 2013 us=624047 up_delay = DISABLED
Sun Apr 14 18:51:15 2013 us=624053 daemon = DISABLED
Sun Apr 14 18:51:15 2013 us=624058 inetd = 0
Sun Apr 14 18:51:15 2013 us=624063 log = DISABLED
Sun Apr 14 18:51:15 2013 us=624068 suppress_timestamps = DISABLED
Sun Apr 14 18:51:15 2013 us=624074 nice = 0
Sun Apr 14 18:51:15 2013 us=624079 verbosity = 4
Sun Apr 14 18:51:15 2013 us=624084 mute = 0
Sun Apr 14 18:51:15 2013 us=624089 gremlin = 0
Sun Apr 14 18:51:15 2013 us=624094 status_file = 'openvpn-status.log'
Sun Apr 14 18:51:15 2013 us=624100 status_file_version = 1
Sun Apr 14 18:51:15 2013 us=624105 status_file_update_freq = 60
Sun Apr 14 18:51:15 2013 us=624110 occ = ENABLED
Sun Apr 14 18:51:15 2013 us=624115 rcvbuf = 65536
Sun Apr 14 18:51:15 2013 us=624121 sndbuf = 65536
Sun Apr 14 18:51:15 2013 us=624126 sockflags = 0
Sun Apr 14 18:51:15 2013 us=624131 fast_io = DISABLED
Sun Apr 14 18:51:15 2013 us=624136 lzo = 7
Sun Apr 14 18:51:15 2013 us=624141 route_script = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624147 route_default_gateway = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624152 route_default_metric = 0
Sun Apr 14 18:51:15 2013 us=624157 route_noexec = DISABLED
Sun Apr 14 18:51:15 2013 us=624163 route_delay = 0
Sun Apr 14 18:51:15 2013 us=624168 route_delay_window = 30
Sun Apr 14 18:51:15 2013 us=624173 route_delay_defined = DISABLED
Sun Apr 14 18:51:15 2013 us=624179 route_nopull = DISABLED
Sun Apr 14 18:51:15 2013 us=624184 route_gateway_via_dhcp = DISABLED
Sun Apr 14 18:51:15 2013 us=624189 max_routes = 100
Sun Apr 14 18:51:15 2013 us=624195 allow_pull_fqdn = DISABLED
Sun Apr 14 18:51:15 2013 us=624200 route 10.8.0.0/255.255.255.0/nil/nil
Sun Apr 14 18:51:15 2013 us=624206 management_addr = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624211 management_port = 0
Sun Apr 14 18:51:15 2013 us=624216 management_user_pass = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624222 management_log_history_cache = 250
Sun Apr 14 18:51:15 2013 us=624227 management_echo_buffer_size = 100
Sun Apr 14 18:51:15 2013 us=624233 management_write_peer_info_file = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624238 management_client_user = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624244 management_client_group = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624249 management_flags = 0
Sun Apr 14 18:51:15 2013 us=624254 shared_secret_file = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624259 key_direction = 0
Sun Apr 14 18:51:15 2013 us=624265 ciphername_defined = ENABLED
Sun Apr 14 18:51:15 2013 us=624270 ciphername = 'BF-CBC'
Sun Apr 14 18:51:15 2013 us=624291 authname_defined = ENABLED
Sun Apr 14 18:51:15 2013 us=624298 authname = 'SHA1'
Sun Apr 14 18:51:15 2013 us=624303 prng_hash = 'SHA1'
Sun Apr 14 18:51:15 2013 us=624308 prng_nonce_secret_len = 16
Sun Apr 14 18:51:15 2013 us=624314 keysize = 0
Sun Apr 14 18:51:15 2013 us=624319 engine = DISABLED
Sun Apr 14 18:51:15 2013 us=624324 replay = ENABLED
Sun Apr 14 18:51:15 2013 us=624330 mute_replay_warnings = DISABLED
Sun Apr 14 18:51:15 2013 us=624335 replay_window = 64
Sun Apr 14 18:51:15 2013 us=624340 replay_time = 15
Sun Apr 14 18:51:15 2013 us=624345 packet_id_file = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624350 use_iv = ENABLED
Sun Apr 14 18:51:15 2013 us=624356 test_crypto = DISABLED
Sun Apr 14 18:51:15 2013 us=624361 tls_server = ENABLED
Sun Apr 14 18:51:15 2013 us=624366 tls_client = DISABLED
Sun Apr 14 18:51:15 2013 us=624371 key_method = 2
Sun Apr 14 18:51:15 2013 us=624377 ca_file = '/etc/openvpn/keys/ca.crt'
Sun Apr 14 18:51:15 2013 us=624382 ca_path = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624387 dh_file = '/etc/openvpn/keys/dh1024.pem'
Sun Apr 14 18:51:15 2013 us=624395 cert_file = '/etc/openvpn/keys/server.crt'
Sun Apr 14 18:51:15 2013 us=624401 priv_key_file = '/etc/openvpn/keys/server.key'
Sun Apr 14 18:51:15 2013 us=624406 pkcs12_file = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624412 cipher_list = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624417 tls_verify = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624422 tls_remote = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624427 crl_file = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624432 ns_cert_type = 0
Sun Apr 14 18:51:15 2013 us=624438 remote_cert_ku = 0
Sun Apr 14 18:51:15 2013 us=624443 remote_cert_ku = 0
Sun Apr 14 18:51:15 2013 us=624448 remote_cert_ku = 0
Sun Apr 14 18:51:15 2013 us=624453 remote_cert_ku = 0
Sun Apr 14 18:51:15 2013 us=624458 remote_cert_ku = 0
Sun Apr 14 18:51:15 2013 us=624463 remote_cert_ku = 0
Sun Apr 14 18:51:15 2013 us=624467 remote_cert_ku = 0
Sun Apr 14 18:51:15 2013 us=624473 remote_cert_ku = 0
Sun Apr 14 18:51:15 2013 us=624478 remote_cert_ku = 0
Sun Apr 14 18:51:15 2013 us=624483 remote_cert_ku = 0
Sun Apr 14 18:51:15 2013 us=624488 remote_cert_ku[i] = 0
Sun Apr 14 18:51:15 2013 us=624493 remote_cert_ku[i] = 0
Sun Apr 14 18:51:15 2013 us=624498 remote_cert_ku[i] = 0
Sun Apr 14 18:51:15 2013 us=624503 remote_cert_ku[i] = 0
Sun Apr 14 18:51:15 2013 us=624508 remote_cert_ku[i] = 0
Sun Apr 14 18:51:15 2013 us=624513 remote_cert_ku[i] = 0
Sun Apr 14 18:51:15 2013 us=624518 remote_cert_eku = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624523 tls_timeout = 2
Sun Apr 14 18:51:15 2013 us=624528 renegotiate_bytes = 0
Sun Apr 14 18:51:15 2013 us=624533 renegotiate_packets = 0
Sun Apr 14 18:51:15 2013 us=624539 renegotiate_seconds = 3600
Sun Apr 14 18:51:15 2013 us=624544 handshake_window = 60
Sun Apr 14 18:51:15 2013 us=624549 transition_window = 3600
Sun Apr 14 18:51:15 2013 us=624554 single_session = DISABLED
Sun Apr 14 18:51:15 2013 us=624559 tls_exit = DISABLED
Sun Apr 14 18:51:15 2013 us=624564 tls_auth_file = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=624570 pkcs11_protected_authentication = DISABLED
Sun Apr 14 18:51:15 2013 us=624575 pkcs11_protected_authentication = DISABLED
Sun Apr 14 18:51:15 2013 us=624580 pkcs11_protected_authentication = DISABLED
Sun Apr 14 18:51:15 2013 us=624586 pkcs11_protected_authentication = DISABLED
Sun Apr 14 18:51:15 2013 us=624591 pkcs11_protected_authentication = DISABLED
Sun Apr 14 18:51:15 2013 us=624596 pkcs11_protected_authentication = DISABLED
Sun Apr 14 18:51:15 2013 us=624601 pkcs11_protected_authentication = DISABLED
Sun Apr 14 18:51:15 2013 us=624607 pkcs11_protected_authentication = DISABLED
Sun Apr 14 18:51:15 2013 us=624612 pkcs11_protected_authentication = DISABLED
Sun Apr 14 18:51:15 2013 us=624617 pkcs11_protected_authentication = DISABLED
Sun Apr 14 18:51:15 2013 us=624847 pkcs11_protected_authentication = DISABLED
Sun Apr 14 18:51:15 2013 us=624856 pkcs11_protected_authentication = DISABLED
Sun Apr 14 18:51:15 2013 us=624861 pkcs11_protected_authentication = DISABLED
Sun Apr 14 18:51:15 2013 us=624867 pkcs11_protected_authentication = DISABLED
Sun Apr 14 18:51:15 2013 us=624874 pkcs11_protected_authentication = DISABLED
Sun Apr 14 18:51:15 2013 us=624879 pkcs11_protected_authentication = DISABLED
Sun Apr 14 18:51:15 2013 us=624885 pkcs11_private_mode = 00000000
Sun Apr 14 18:51:15 2013 us=624891 pkcs11_private_mode = 00000000
Sun Apr 14 18:51:15 2013 us=624896 pkcs11_private_mode = 00000000
Sun Apr 14 18:51:15 2013 us=624901 pkcs11_private_mode = 00000000
Sun Apr 14 18:51:15 2013 us=624907 pkcs11_private_mode = 00000000
Sun Apr 14 18:51:15 2013 us=624912 pkcs11_private_mode = 00000000
Sun Apr 14 18:51:15 2013 us=624917 pkcs11_private_mode = 00000000
Sun Apr 14 18:51:15 2013 us=624923 pkcs11_private_mode = 00000000
Sun Apr 14 18:51:15 2013 us=624928 pkcs11_private_mode = 00000000
Sun Apr 14 18:51:15 2013 us=624934 pkcs11_private_mode = 00000000
Sun Apr 14 18:51:15 2013 us=624939 pkcs11_private_mode = 00000000
Sun Apr 14 18:51:15 2013 us=624944 pkcs11_private_mode = 00000000
Sun Apr 14 18:51:15 2013 us=624949 pkcs11_private_mode = 00000000
Sun Apr 14 18:51:15 2013 us=624955 pkcs11_private_mode = 00000000
Sun Apr 14 18:51:15 2013 us=624960 pkcs11_private_mode = 00000000
Sun Apr 14 18:51:15 2013 us=624965 pkcs11_private_mode = 00000000
Sun Apr 14 18:51:15 2013 us=624970 pkcs11_cert_private = DISABLED
Sun Apr 14 18:51:15 2013 us=624978 pkcs11_cert_private = DISABLED
Sun Apr 14 18:51:15 2013 us=624988 pkcs11_cert_private = DISABLED
Sun Apr 14 18:51:15 2013 us=624997 pkcs11_cert_private = DISABLED
Sun Apr 14 18:51:15 2013 us=625028 pkcs11_cert_private = DISABLED
Sun Apr 14 18:51:15 2013 us=625036 pkcs11_cert_private = DISABLED
Sun Apr 14 18:51:15 2013 us=625042 pkcs11_cert_private = DISABLED
Sun Apr 14 18:51:15 2013 us=625047 pkcs11_cert_private = DISABLED
Sun Apr 14 18:51:15 2013 us=625052 pkcs11_cert_private = DISABLED
Sun Apr 14 18:51:15 2013 us=625058 pkcs11_cert_private = DISABLED
Sun Apr 14 18:51:15 2013 us=625063 pkcs11_cert_private = DISABLED
Sun Apr 14 18:51:15 2013 us=625068 pkcs11_cert_private = DISABLED
Sun Apr 14 18:51:15 2013 us=625073 pkcs11_cert_private = DISABLED
Sun Apr 14 18:51:15 2013 us=625079 pkcs11_cert_private = DISABLED
Sun Apr 14 18:51:15 2013 us=625084 pkcs11_cert_private = DISABLED
Sun Apr 14 18:51:15 2013 us=625089 pkcs11_cert_private = DISABLED
Sun Apr 14 18:51:15 2013 us=625094 pkcs11_pin_cache_period = -1
Sun Apr 14 18:51:15 2013 us=625099 pkcs11_id = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=625104 pkcs11_id_management = DISABLED
Sun Apr 14 18:51:15 2013 us=625110 server_network = 10.8.0.0
Sun Apr 14 18:51:15 2013 us=625117 server_netmask = 255.255.255.0
Sun Apr 14 18:51:15 2013 us=625122 server_bridge_ip = 0.0.0.0
Sun Apr 14 18:51:15 2013 us=625128 server_bridge_netmask = 0.0.0.0
Sun Apr 14 18:51:15 2013 us=625134 server_bridge_pool_start = 0.0.0.0
Sun Apr 14 18:51:15 2013 us=625140 server_bridge_pool_end = 0.0.0.0
Sun Apr 14 18:51:15 2013 us=625145 push_entry = 'redirect-gateway def1 bypass-dhcp'
Sun Apr 14 18:51:15 2013 us=625209 push_entry = 'dhcp-option DNS 10.8.0.1'
Sun Apr 14 18:51:15 2013 us=625220 push_entry = 'route 10.8.0.1'
Sun Apr 14 18:51:15 2013 us=625229 push_entry = 'topology net30'
Sun Apr 14 18:51:15 2013 us=625238 push_entry = 'ping 10'
Sun Apr 14 18:51:15 2013 us=625247 push_entry = 'ping-restart 120'
Sun Apr 14 18:51:15 2013 us=625257 ifconfig_pool_defined = ENABLED
Sun Apr 14 18:51:15 2013 us=625284 ifconfig_pool_start = 10.8.0.4
Sun Apr 14 18:51:15 2013 us=625295 ifconfig_pool_end = 10.8.0.251
Sun Apr 14 18:51:15 2013 us=625304 ifconfig_pool_netmask = 0.0.0.0
Sun Apr 14 18:51:15 2013 us=625312 ifconfig_pool_persist_filename = 'ipp.txt'
Sun Apr 14 18:51:15 2013 us=625320 ifconfig_pool_persist_refresh_freq = 600
Sun Apr 14 18:51:15 2013 us=625329 n_bcast_buf = 256
Sun Apr 14 18:51:15 2013 us=625339 tcp_queue_limit = 64
Sun Apr 14 18:51:15 2013 us=625348 real_hash_size = 256
Sun Apr 14 18:51:15 2013 us=625357 virtual_hash_size = 256
Sun Apr 14 18:51:15 2013 us=625366 client_connect_script = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=625375 learn_address_script = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=625386 client_disconnect_script = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=625395 client_config_dir = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=625403 ccd_exclusive = DISABLED
Sun Apr 14 18:51:15 2013 us=625412 tmp_dir = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=625421 push_ifconfig_defined = DISABLED
Sun Apr 14 18:51:15 2013 us=625429 push_ifconfig_local = 0.0.0.0
Sun Apr 14 18:51:15 2013 us=625438 push_ifconfig_remote_netmask = 0.0.0.0
Sun Apr 14 18:51:15 2013 us=625446 enable_c2c = DISABLED
Sun Apr 14 18:51:15 2013 us=625453 duplicate_cn = DISABLED
Sun Apr 14 18:51:15 2013 us=625461 cf_max = 0
Sun Apr 14 18:51:15 2013 us=625469 cf_per = 0
Sun Apr 14 18:51:15 2013 us=625477 max_clients = 1024
Sun Apr 14 18:51:15 2013 us=625486 max_routes_per_client = 256
Sun Apr 14 18:51:15 2013 us=625494 auth_user_pass_verify_script = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=625503 auth_user_pass_verify_script_via_file = DISABLED
Sun Apr 14 18:51:15 2013 us=625511 ssl_flags = 0
Sun Apr 14 18:51:15 2013 us=625519 port_share_host = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=625528 port_share_port = 0
Sun Apr 14 18:51:15 2013 us=625536 client = DISABLED
Sun Apr 14 18:51:15 2013 us=625544 pull = DISABLED
Sun Apr 14 18:51:15 2013 us=625553 auth_user_pass_file = '[UNDEF]'
Sun Apr 14 18:51:15 2013 us=625565 OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
Sun Apr 14 18:51:15 2013 us=625718 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Apr 14 18:51:15 2013 us=626931 Diffie-Hellman initialized with 1024 bit key
Sun Apr 14 18:51:15 2013 us=627410 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Sun Apr 14 18:51:15 2013 us=689417 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Apr 14 18:51:15 2013 us=689547 ROUTE: default_gateway=UNDEF
Sun Apr 14 18:51:15 2013 us=689706 TUN/TAP device tun0 opened
Sun Apr 14 18:51:15 2013 us=689721 TUN/TAP TX queue length set to 100
Sun Apr 14 18:51:15 2013 us=689756 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sun Apr 14 18:51:15 2013 us=702049 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sun Apr 14 18:51:15 2013 us=702891 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Apr 14 18:51:15 2013 us=702926 Socket Buffers: R=[245760->131072] S=[245760->131072]
Sun Apr 14 18:51:15 2013 us=702940 UDPv4 link local (bound): [undef]
Sun Apr 14 18:51:15 2013 us=702950 UDPv4 link remote: [undef]
Sun Apr 14 18:51:15 2013 us=702965 MULTI: multi_init called, r=256 v=256
Sun Apr 14 18:51:15 2013 us=703001 IFCONFIG POOL: base=10.8.0.4 size=62
Sun Apr 14 18:51:15 2013 us=703026 IFCONFIG POOL LIST
Sun Apr 14 18:51:15 2013 us=703051 Initialization Sequence Completed
Sun Apr 14 18:51:31 2013 us=709440 MULTI: multi_create_instance called
Sun Apr 14 18:51:31 2013 us=709481 X.X.X.X:63744 Re-using SSL/TLS context
Sun Apr 14 18:51:31 2013 us=709502 X.X.X.X:63744 LZO compression initialized
Sun Apr 14 18:51:31 2013 us=709570 X.X.X.X:63744 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Apr 14 18:51:31 2013 us=709580 X.X.X.X:63744 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Apr 14 18:51:31 2013 us=709603 X.X.X.X:63744 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Apr 14 18:51:31 2013 us=709610 X.X.X.X:63744 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Apr 14 18:51:31 2013 us=709626 X.X.X.X:63744 Local Options hash (VER=V4): '530fdded'
Sun Apr 14 18:51:31 2013 us=709635 X.X.X.X:63744 Expected Remote Options hash (VER=V4): '41690919'
Sun Apr 14 18:51:31 2013 us=709667 X.X.X.X:63744 TLS: Initial packet from [AF_INET]X.X.X.X:63744, sid=8b0490c6 1d13f424
Sun Apr 14 18:51:41 2013 us=639340 MULTI: multi_create_instance called
Sun Apr 14 18:51:41 2013 us=639396 X.X.X.X:63746 Re-using SSL/TLS context
Sun Apr 14 18:51:41 2013 us=639418 X.X.X.X:63746 LZO compression initialized
Sun Apr 14 18:51:41 2013 us=639494 X.X.X.X:63746 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Apr 14 18:51:41 2013 us=639508 X.X.X.X:63746 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Apr 14 18:51:41 2013 us=639540 X.X.X.X:63746 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Apr 14 18:51:41 2013 us=639551 X.X.X.X:63746 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Apr 14 18:51:41 2013 us=639569 X.X.X.X:63746 Local Options hash (VER=V4): '530fdded'
Sun Apr 14 18:51:41 2013 us=639584 X.X.X.X:63746 Expected Remote Options hash (VER=V4): '41690919'
Sun Apr 14 18:51:41 2013 us=639611 X.X.X.X:63746 TLS: Initial packet from [AF_INET]X.X.X.X:63746, sid=0413850f 4c46ecd3
Sun Apr 14 18:52:31 2013 us=167024 X.X.X.X:63744 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Apr 14 18:52:31 2013 us=167049 X.X.X.X:63744 TLS Error: TLS handshake failed
Sun Apr 14 18:52:31 2013 us=167129 X.X.X.X:63744 SIGUSR1[soft,tls-error] received, client-instance restarting
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
I hope somebody can help me through this matter.
Thank you in advance.
problem with connecting to OpenVpn
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sun Apr 14, 2013 4:13 pm
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Re: problem with connecting to OpenVpn
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
means in 99.9% of the cases that there's a firewall or dodgy switch that's blocking traffic; check your firewalls/iptables on both ends and try again.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sun Apr 14, 2013 4:13 pm
Re: problem with connecting to OpenVpn
Hi,
Thank you for your reply.
I can ping the server from my client. I don't think there is a firewall between client and the server!
I also did a telnet to check availability of the server on ports 22 and 80 with a successful result; however, I could not telnet to the server on port 1194 nor 1193!
Could you please help me with how I can make sure there is no firewall between client and the server?
Thank you
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Re: problem with connecting to OpenVpn
openvpn uses UDP by default, so you won't be able to telnet to it.
Try using
    proto tcp
in both client and server configs to see if that helps (for debugging)
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sun Apr 14, 2013 4:13 pm
Re: problem with connecting to OpenVpn
Hi janjust,
I changed UDP to TCP, both in the server.conf and client.openvpn.
My attempt to connect to the server on port 1193 by telnet was successful.
Then I tried to connect to the openvpn on the server (by using openvpn GUI on my PC client), which was unsuccessful.
Here is the openvpn log on the server:
>>>>>>>>>>>>>>>>>>>>>>>>
Fri Apr 19 18:14:27 2013 us=210707 MULTI: multi_create_instance called
Fri Apr 19 18:14:27 2013 us=210756 Re-using SSL/TLS context
Fri Apr 19 18:14:27 2013 us=210777 LZO compression initialized
Fri Apr 19 18:14:27 2013 us=210876 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Apr 19 18:14:27 2013 us=210902 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Apr 19 18:14:27 2013 us=210941 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Apr 19 18:14:27 2013 us=210978 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Apr 19 18:14:27 2013 us=211003 Local Options hash (VER=V4): 'c0103fa8'
Fri Apr 19 18:14:27 2013 us=211017 Expected Remote Options hash (VER=V4): '69109d17'
Fri Apr 19 18:14:27 2013 us=211048 TCP connection established with [AF_INET]X.X.X.X:58039
Fri Apr 19 18:14:27 2013 us=211065 Socket Buffers: R=[131072->131072] S=[131072->131072]
Fri Apr 19 18:14:27 2013 us=211073 TCPv4_SERVER link local: [undef]
Fri Apr 19 18:14:27 2013 us=211080 TCPv4_SERVER link remote: [AF_INET] X.X.X.X:58039
Fri Apr 19 18:14:27 2013 us=212522 X.X.X.X:58039 TLS: Initial packet from [AF_INET] X.X.X.X:58039, sid=99d9603f b6907f0b
Fri Apr 19 18:15:10 2013 us=46379 X.X.X.X:58039 Connection reset, restarting [-1]
Fri Apr 19 18:15:10 2013 us=46413 X.X.X.X:58039 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Apr 19 18:15:10 2013 us=46478 TCP/UDP: Closing socket
Fri Apr 19 18:15:15 2013 us=339951 MULTI: multi_create_instance called
Fri Apr 19 18:15:15 2013 us=339991 Re-using SSL/TLS context
Fri Apr 19 18:15:15 2013 us=340008 LZO compression initialized
Fri Apr 19 18:15:15 2013 us=340064 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Apr 19 18:15:15 2013 us=340080 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Apr 19 18:15:15 2013 us=340102 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Apr 19 18:15:15 2013 us=340109 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Apr 19 18:15:15 2013 us=340120 Local Options hash (VER=V4): 'c0103fa8'
Fri Apr 19 18:15:15 2013 us=340129 Expected Remote Options hash (VER=V4): '69109d17'
Fri Apr 19 18:15:15 2013 us=340147 TCP connection established with [AF_INET] X.X.X.X:58062
Fri Apr 19 18:15:15 2013 us=340157 Socket Buffers: R=[131072->131072] S=[131072->131072]
Fri Apr 19 18:15:15 2013 us=340167 TCPv4_SERVER link local: [undef]
Fri Apr 19 18:15:15 2013 us=340177 TCPv4_SERVER link remote: [AF_INET] X.X.X.X:58062
Fri Apr 19 18:15:15 2013 us=342809 X.X.X.X:58062 TLS: Initial packet from [AF_INET] X.X.X.X:58062, sid=17e18372 7909b776
Fri Apr 19 18:15:17 2013 us=443979 X.X.X.X:58062 Connection reset, restarting [-1]
Fri Apr 19 18:15:17 2013 us=444010 X.X.X.X:58062 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Apr 19 18:15:17 2013 us=444117 TCP/UDP: Closing socket
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Here is the client openvpn log:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Fri Apr 19 18:46:35 2013 OpenVPN 2.3.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Mar 28 2013
Fri Apr 19 18:46:35 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Apr 19 18:46:35 2013 Need hold release from management interface, waiting...
Fri Apr 19 18:46:36 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Apr 19 18:46:36 2013 MANAGEMENT: CMD 'state on'
Fri Apr 19 18:46:36 2013 MANAGEMENT: CMD 'log all on'
Fri Apr 19 18:46:36 2013 MANAGEMENT: CMD 'hold off'
Fri Apr 19 18:46:36 2013 MANAGEMENT: CMD 'hold release'
Fri Apr 19 18:46:36 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Apr 19 18:46:36 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Apr 19 18:46:36 2013 Attempting to establish TCP connection with [AF_INET]X.X.X.X:1193
Fri Apr 19 18:46:36 2013 MANAGEMENT: >STATE:1366384596,TCP_CONNECT,,,
Fri Apr 19 18:46:36 2013 TCP connection established with [AF_INET] X.X.X.X:1193
Fri Apr 19 18:46:36 2013 TCPv4_CLIENT link local: [undef]
Fri Apr 19 18:46:36 2013 TCPv4_CLIENT link remote: [AF_INET] X.X.X.X:1193
Fri Apr 19 18:46:36 2013 MANAGEMENT: >STATE:1366384596,WAIT,,,
Fri Apr 19 18:46:37 2013 MANAGEMENT: >STATE:1366384597,AUTH,,,
Fri Apr 19 18:46:37 2013 TLS: Initial packet from [AF_INET] X.X.X.X:1193, sid=574f9b28 1443fa1e
Fri Apr 19 18:47:19 2013 Connection reset, restarting [-1]
Fri Apr 19 18:47:19 2013 SIGUSR1[soft,connection-reset] received, process restarting
Fri Apr 19 18:47:19 2013 MANAGEMENT: >STATE:1366384639,RECONNECTING,connection-reset,,
Fri Apr 19 18:47:19 2013 Restart pause, 5 second(s)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
So we can conclude the issue doesn't come from the firewall.
Now, how should I solve this issue?
Thanks.
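Added example (not part of any post in this thread and not OpenVPN project code): a Python script that pairs each "TLS: Initial packet from" line in a server log with what happened to that client next, covering both the UDP handshake timeout in the first post and the TCP connection reset in the last one. The sample lines are constructed from the thread's log format with a documentation address (198.51.100.7) in place of the redacted X.X.X.X; the function names and hint texts are assumptions, and the "Peer Connection Initiated" success message does not appear in the thread's logs.

```python
import re
from datetime import datetime

# Constructed sample: server-side lines in the format posted in the thread,
# with the redacted peer replaced by a documentation address.
SAMPLE_LOG = """\
Sun Apr 14 18:51:31 2013 us=709667 198.51.100.7:63744 TLS: Initial packet from [AF_INET]198.51.100.7:63744, sid=8b0490c6 1d13f424
Sun Apr 14 18:51:41 2013 us=639611 198.51.100.7:63746 TLS: Initial packet from [AF_INET]198.51.100.7:63746, sid=0413850f 4c46ecd3
Sun Apr 14 18:52:31 2013 us=167024 198.51.100.7:63744 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Apr 14 18:52:31 2013 us=167049 198.51.100.7:63744 TLS Error: TLS handshake failed
Fri Apr 19 18:14:27 2013 us=212522 198.51.100.7:58039 TLS: Initial packet from [AF_INET] 198.51.100.7:58039, sid=99d9603f b6907f0b
Fri Apr 19 18:15:10 2013 us=46379 198.51.100.7:58039 Connection reset, restarting [-1]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})"  # ctime-style timestamp
    r"(?: us=\d+)?"                                        # microseconds (verb 4 and up)
    r" (?P<peer>\S+:\d+) (?P<msg>.*)$"                     # per-client ip:port prefix
)

# Message fragment -> outcome label. The first two appear in the thread's logs;
# the third is the message OpenVPN logs when a handshake succeeds.
OUTCOMES = [
    ("TLS key negotiation failed", "handshake-timeout"),
    ("Connection reset, restarting", "tcp-reset"),
    ("Peer Connection Initiated", "established"),
]

# Hint texts are this example's own wording (assumption), not OpenVPN output.
HINTS = {
    "handshake-timeout": "first client packet reached the server but the handshake "
                         "never finished; check the server-to-client path and "
                         "firewalls/iptables on both ends",
    "tcp-reset": "TCP connected and the first TLS packet arrived, then the session "
                 "was reset mid-handshake; compare client and server logs for the "
                 "same time window",
    "established": "handshake completed",
    "pending": "no outcome logged yet for this client port",
}


def summarize(log_text):
    """Return one record per 'Initial packet' line, in log order."""
    results = []
    open_sessions = {}  # peer -> record still waiting for an outcome
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # global lines (no ip:port prefix) carry no per-client state
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        peer, msg = m["peer"], m["msg"]
        if msg.startswith("TLS: Initial packet from"):
            rec = {"peer": peer, "first_packet": ts,
                   "outcome": "pending", "seconds": None}
            results.append(rec)
            open_sessions[peer] = rec
            continue
        for fragment, label in OUTCOMES:
            if fragment in msg:
                rec = open_sessions.pop(peer, None)
                if rec is not None:  # ignore follow-up lines for a closed session
                    rec["outcome"] = label
                    rec["seconds"] = int((ts - rec["first_packet"]).total_seconds())
                break
    return results


def report(log_text):
    """Format the summary as one human-readable line per client session."""
    lines = []
    for s in summarize(log_text):
        took = "" if s["seconds"] is None else f" after {s['seconds']}s"
        lines.append(f"{s['peer']}: {s['outcome']}{took} -> {HINTS[s['outcome']]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A `handshake-timeout` record shows that the client's first packet was received, so the port is reachable inbound and the remaining checks are the reply path and any filtering after the first packet.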
- janjust
- Forum Team
Re: problem with connecting to OpenVpn
I still wouldn't rule out a firewall issue: the connection is dropped on both sides immediately after the first packet; this usually hints at a badly configured firewall at either endpoint, or in between. Can you try it with as many firewalls disabled as possible?
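To check a longer server log for the pattern described in the reply above (a `TLS: Initial packet` line followed by a reset with no handshake progress), here is an added example; it is not part of the thread or of OpenVPN itself. The sample log is constructed in the format of the server log quoted earlier, using 192.0.2.x documentation addresses, and the function name and the choice of `VERIFY` and `Peer Connection Initiated` lines as progress markers are this example's assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the format of the server log quoted in this thread;
# 192.0.2.x are documentation addresses, the third session is invented.
SAMPLE_LOG = """\
Fri Apr 19 18:14:27 2013 us=211048 TCP connection established with [AF_INET]192.0.2.10:58039
Fri Apr 19 18:14:27 2013 us=212522 192.0.2.10:58039 TLS: Initial packet from [AF_INET]192.0.2.10:58039, sid=99d9603f b6907f0b
Fri Apr 19 18:15:10 2013 us=46379 192.0.2.10:58039 Connection reset, restarting [-1]
Fri Apr 19 18:15:15 2013 us=342809 192.0.2.10:58062 TLS: Initial packet from [AF_INET]192.0.2.10:58062, sid=17e18372 7909b776
Fri Apr 19 18:15:17 2013 us=443979 192.0.2.10:58062 Connection reset, restarting [-1]
Fri Apr 19 18:20:01 2013 us=100 192.0.2.20:40000 TLS: Initial packet from [AF_INET]192.0.2.20:40000, sid=aaaaaaaa bbbbbbbb
Fri Apr 19 18:20:02 2013 us=200 192.0.2.20:40000 VERIFY OK: depth=0, CN=client1
Fri Apr 19 18:20:03 2013 us=300 192.0.2.20:40000 [client1] Peer Connection Initiated with [AF_INET]192.0.2.20:40000
"""

# timestamp, optional "us=" field, "ip:port" peer prefix, message
LINE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4})(?: us=\d+)? (\S+:\d+) (.*)$")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

def stalled_handshakes(log_text):
    """Return (peer, seconds_until_reset, verify_seen) for every session that
    logged an initial TLS packet and was reset before the handshake completed."""
    sessions, stalled = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # lines without a per-peer prefix carry no session state
        ts = datetime.strptime(m.group(1), TS_FORMAT)
        peer, msg = m.group(2), m.group(3)
        if msg.startswith("TLS: Initial packet"):
            sessions[peer] = {"start": ts, "verify": False}
        elif peer not in sessions:
            continue
        elif msg.startswith("VERIFY"):
            sessions[peer]["verify"] = True   # certificate check was reached
        elif "Peer Connection Initiated" in msg:
            del sessions[peer]                # handshake completed normally
        elif msg.startswith("Connection reset"):
            s = sessions.pop(peer)
            waited = int((ts - s["start"]).total_seconds())
            stalled.append((peer, waited, s["verify"]))
    return stalled

if __name__ == "__main__":
    for peer, waited, verify in stalled_handshakes(SAMPLE_LOG):
        print(f"{peer}: reset after {waited}s, certificate check reached: {verify}")
```

A stalled session with no `VERIFY` line never reached certificate checking, which points at packets being lost or filtered on the path rather than at a certificate or key problem.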
-
- OpenVpn Newbie
Re: problem with connecting to OpenVpn
Hi,
I checked the PC client firewall. It didn't have any positive effect on the issue.
So, I think it's the server iptables (or maybe other network routing configuration of the server) that causes the issue.
I paste the iptables contents here for your consideration (which I set up from topic7722.html):
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp dpt:1193

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
I also noticed in the openvpn server log that some variables are 'UNDEF', such as:
local = '[UNDEF]'
dev_type = '[UNDEF]'
tls_auth_file = '[UNDEF]'
What's your idea about the server-side configuration and settings (iptables, ...)?
Thank you