Can't connect to OpenVPN server (stuck at pulling settings)

Official client software for OpenVPN Access Server and OpenVPN Cloud.

Post by highlite86 » Fri May 02, 2014 11:43 am

Hi all,

I hope someone here can help me. I have several OpenVPN servers within Amazon AWS; all clients can connect except Android and iOS with "OpenVPN Connect". The servers are configured to route all traffic through OpenVPN. The initialization seems to work fine, but the Android/iOS clients are getting stuck at "pulling settings from server". After 30 seconds I get a timeout...

Client Log:

...
Sending PUSH_REQUEST to Server...
Sending PUSH_REQUEST to Server...
Sending PUSH_REQUEST to Server...

Server Log:

Fri May  2 11:33:57 2014 TCP connection established with [AF_INET]123.456.789.000:50662
Fri May  2 11:33:57 2014 TCPv4_SERVER link local (bound): [undef]
Fri May  2 11:33:57 2014 TCPv4_SERVER link remote: [AF_INET]123.456.789.000:50662
Fri May  2 11:33:57 2014 TLS: Initial packet from [AF_INET]123.456.789.000:50662, sid=199c535e 770eb1c8
Fri May  2 11:33:58 2014 VERIFY OK: depth=1, C=DE, ST=Bavaria, L=Rgbg, O=Daniel H., OU=VPN, CN=srv-vpn-eu, emailAddress=admin@xxx.de
Fri May  2 11:33:58 2014 VERIFY OK: depth=0, C=DE, ST=Bavaria, L=Rgbg, O=Daniel H., OU=VPN, CN=client_02_iphone, emailAddress=admin@xxx.de
Fri May  2 11:33:58 2014 WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 192.168.5.1 192.168.5.2'
Fri May  2 11:33:58 2014 Data Channel Encrypt: Cipher 'AES-192-CBC' initialized with 192 bit key
Fri May  2 11:33:58 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May  2 11:33:58 2014 Data Channel Decrypt: Cipher 'AES-192-CBC' initialized with 192 bit key
Fri May  2 11:33:58 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May  2 11:33:58 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri May  2 11:33:58 2014 [client_02_iphone] Peer Connection Initiated with [AF_INET]123.456.789.000:50662
Fri May  2 11:33:59 2014 Initialization Sequence Completed
Fri May  2 11:33:59 2014 PUSH: Received control message: 'PUSH_REQUEST'
Fri May  2 11:33:59 2014 send_push_reply(): safe_cap=940
Fri May  2 11:33:59 2014 SENT CONTROL [client_02_iphone]: 'PUSH_REPLY' (status=1)
Fri May  2 11:34:02 2014 PUSH: Received control message: 'PUSH_REQUEST'
Fri May  2 11:34:05 2014 PUSH: Received control message: 'PUSH_REQUEST'
Fri May  2 11:34:09 2014 PUSH: Received control message: 'PUSH_REQUEST'
Fri May  2 11:34:12 2014 PUSH: Received control message: 'PUSH_REQUEST'
Fri May  2 11:34:15 2014 PUSH: Received control message: 'PUSH_REQUEST'
Fri May  2 11:34:18 2014 PUSH: Received control message: 'PUSH_REQUEST'
Fri May  2 11:34:21 2014 PUSH: Received control message: 'PUSH_REQUEST'
Fri May  2 11:34:24 2014 PUSH: Received control message: 'PUSH_REQUEST'
Fri May  2 11:34:27 2014 PUSH: Received control message: 'PUSH_REQUEST'
Fri May  2 11:34:30 2014 PUSH: Received control message: 'PUSH_REQUEST'
Fri May  2 11:34:30 2014 send_push_reply(): safe_cap=940
Fri May  2 11:34:30 2014 SENT CONTROL [client_02_iphone]: 'PUSH_REPLY' (status=1)
Fri May  2 11:34:33 2014 PUSH: Received control message: 'PUSH_REQUEST'
Fri May  2 11:34:36 2014 PUSH: Received control message: 'PUSH_REQUEST'
Fri May  2 11:34:39 2014 PUSH: Received control message: 'PUSH_REQUEST'
Fri May  2 11:34:42 2014 PUSH: Received control message: 'PUSH_REQUEST'
Fri May  2 11:34:45 2014 PUSH: Received control message: 'PUSH_REQUEST'
Fri May  2 11:34:48 2014 PUSH: Received control message: 'PUSH_REQUEST'
Fri May  2 11:34:51 2014 PUSH: Received control message: 'PUSH_REQUEST'
Fri May  2 11:34:54 2014 PUSH: Received control message: 'PUSH_REQUEST'

Server Config:

port 443
proto tcp-server
dev tun
tls-server
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/srv-vpn-eu.crt
key /etc/openvpn/keys/srv-vpn-eu.key
dh /etc/openvpn/keys/dh2048.pem
ifconfig 192.168.5.1 192.168.5.2
keepalive 10 120
cipher AES-192-CBC
comp-lzo
persist-key
persist-tun
log /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log
verb 3

Client Config:

remote XXX.compute.amazonaws.com 443

ca ca.crt
cert client_02_iphone.crt
key client_02_iphone.key

cipher AES-192-CBC
client
dev tun
proto tcp
resolv-retry infinite
comp-lzo
nobind
persist-key
persist-tun
#reneg-sec 3600
dhcp-option DNS 8.8.8.8
redirect-gateway def1

I tested it with the client option "reneg-sec 3600" and without, but always the same issue.
Hopefully this information is enough...

Thanks
Daniel

Post by highlite86 » Fri May 02, 2014 7:31 pm

This thread can be closed, I found the solution by myself!

I changed my Server Config to:

port 443
proto tcp-server
dev tun
tls-server
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/srv-vpn-eu.crt
key /etc/openvpn/keys/srv-vpn-eu.key
dh /etc/openvpn/keys/dh2048.pem
server 192.168.5.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
client-config-dir /etc/openvpn/ccd
keepalive 10 120
cipher AES-192-CBC
comp-lzo
persist-key
persist-tun
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1"
log /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log
verb 3

So new is "server" instead of "ifconfig", and I'm using CCD now. In the ccd directory I created a file for every single client, for example:
client_02_iphone:

ifconfig-push 192.168.5.9 192.168.5.10

Also new is to push the DNS and "redirect-gateway" to the client, so these entries aren't present in the client conf any more...

- Daniel
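
The change described in the post above, as an added example that is not part of the original thread: a small Python check that flags a client using `client` (which implies `pull`) against a server config without a `server` directive, and that verifies each ccd `ifconfig-push` pair is a /30 host pair inside the server subnet. The `lint` helper and the trimmed config strings are constructed for illustration; it assumes `topology net30`, which the two-address `ifconfig-push` form in the post implies, and does not handle an explicit `mode server`.

```python
import ipaddress
import shlex

# Constructed inputs: trimmed copies of the thread's configs (cert/log lines omitted).
BEFORE = "port 443\nproto tcp-server\ndev tun\ntls-server\nifconfig 192.168.5.1 192.168.5.2\n"
AFTER = ("port 443\nproto tcp-server\ndev tun\ntls-server\n"
         "server 192.168.5.0 255.255.255.0\nclient-config-dir /etc/openvpn/ccd\n"
         'push "dhcp-option DNS 8.8.8.8"\npush "redirect-gateway def1"\n')
CLIENT = "client\ndev tun\nproto tcp\nnobind\n"
CCD = {"client_02_iphone": "ifconfig-push 192.168.5.9 192.168.5.10"}

def directives(text):
    """Parse OpenVPN config text into (name, args) pairs, skipping # and ; comments."""
    out = []
    for line in text.splitlines():
        words = [] if line.lstrip().startswith(";") else shlex.split(line, comments=True)
        if words:
            out.append((words[0], words[1:]))
    return out

def lint(server_conf, client_conf, ccd_files):
    """Hypothetical helper: return a list of findings for one server/client pair."""
    findings = []
    srv, cli = directives(server_conf), directives(client_conf)
    pulls = any(name in ("client", "pull") for name, _ in cli)
    subnet = next((args for name, args in srv if name == "server"), None)
    if pulls and subnet is None:
        findings.append("client pulls settings, but the server has no 'server' directive")
    if subnet is None:
        return findings
    net = ipaddress.ip_network("/".join(subnet[:2]))  # e.g. 192.168.5.0/255.255.255.0
    for cn, body in ccd_files.items():
        for name, args in directives(body):
            if name != "ifconfig-push":
                continue
            local, peer = (ipaddress.ip_address(a) for a in args[:2])
            block = ipaddress.ip_network(f"{local}/30", strict=False)
            if local not in net or peer not in net:
                findings.append(f"{cn}: ifconfig-push outside {net}")
            elif {local, peer} != set(block.hosts()):
                findings.append(f"{cn}: {local}/{peer} is not a /30 host pair")
    return findings

if __name__ == "__main__":
    print(lint(BEFORE, CLIENT, {}))   # original server config from the first post
    print(lint(AFTER, CLIENT, CCD))   # changed server config plus ccd entry
```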

Post by CharlieBrown » Wed Jul 30, 2014 3:07 pm

I've got the same issue.
Please, can you show your client config file too?

Post by highlite86 » Wed Jul 30, 2014 4:51 pm

Hi, my client.conf looks like this:

remote XXX.compute.amazonaws.com 443

ca ca.crt
cert client_02_iphone.crt
key client_02_iphone.key

cipher AES-192-CBC
client
dev tun
proto tcp
resolv-retry infinite
comp-lzo
nobind
persist-key
persist-tun

ipp.txt on server side is like this:

client_01_mac,192.168.5.4
client_02_iphone,192.168.5.8
client_03_ipad,192.168.5.12
client_04_nexus7,192.168.5.16

- Daniel
