Open VPN client cant connect , not even see a "syn" packet

[azalonely]

I have installed openvpn server in centos 7, below is my config :

Server config
---------------
;local a.b.c.d
proto tcp
;proto udp
;dev tap
dev tun
;dev-node MyTap
ca root.crt
cert vpnserver.crt
key vpnserver.key
dh dh2048.pem
;topology subnet
server 10.138.7.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
push "route 10.138.0.0 255.255.248.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 10.138.8.61"
;client-to-client
duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
;log-append openvpn.log
verb 9
;mute 20

------------------------------------
netstat -tanp | grep openvpn
tcp 0 0 0.0.0.0:1194 0.0.0.0:* LISTEN 11110/openvpn


Client config
---------------------
vpnclient
dev tun
proto tcp
remote 10.138.0.20 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca "C:\\Program Files\\OpenVPN\\\config\\root.crt"
cert "C:\\Program Files\\OpenVPN\\\config\\vpnclient.crt"
key "C:\\Program Files\\OpenVPN\\\config\\vpnclient.key"


Symptom
----------
1) Server tcpdump, does not receive any incoming packet
2) client turn on wireshark, click connect, does not see any tcp sync packet, then finally the client connect fail
3) no log in client.log file

I believe the issue is on the client side, as it does not even send the "syn" packet to destination host ( client and server are in the same subnet, ping no problem ).

Appreciate if anyone here can give advise what should i troubleshoot next..

[maikcat]

logs please?

use log directive to create log file.

Michael.

[Traffic]

Your client is not even starting:

Client config
---------------------
vpnclient

try client ...

[azalonely]

thanks for response

there is client.log file, but no log being recorded after connect failed

i have tried "client" instead of "vpnclient" , it does not help any, still the same..


the client machine is 64 bit window 7

[maikcat]

use verb 5 and post the log here please.

Michael.

[azalonely]

Hi Thanks for response

I have tried verb 5 and verb 9, neither of them provide any log in client.log file after connect fail.

It does not even send a "syn" packet, does not even complete the layer 4 handshake, could it be related to network driver or what?

[maikcat]

if you do not post your logs i dont think that anyone can answer....

also post the output of sestatus command.

Michael.

[azalonely]

hi,

sestatus on server

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28


However i dont think the issue is on the server, as client does not send any traffic out..

Not i dont want to post it, it is actually nothing i can post, the client.log file, has zero content, and this is the only log file, or is there any other special thing i can do to generate a special log? something like debug openvpn client process?

[Traffic]

client machine is 64 bit window 7

Perhaps the problem is related to the Windows TAP driver.

Please post server and client logs.

[maikcat]

are you running openvpn with admin rights?

alternative you can run from a cli openvpn --config configfile

and post the output here

Michael.

[Traffic]

the client.log file, has zero content

add --log to your client config ..

See --log in The Manual v23x