TCP/UDP: Socket bind failed on local address

bhart · Post by **bhart** » Tue Feb 09, 2016 3:16 pm

Hello you all!

I'm a new at this but thought I could install openvpn myself on my Rpi (Raspian). Unfortunately, after following the tutorial on readwrite.com, I cannot connect to the server from my client computer. The error I get while connecting is:

Code: Select all

2016-02-09 15:48:08 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2016-02-09 15:48:08 TLS Error: TLS handshake failed

This is the error I get in the openvpn.log file:

Code: Select all

Tue Feb  9 14:27:13 2016 us=826311 TCP/UDP: Socket bind failed on local address [AF_INET]192.168.2.16:1194: Cannot assign requested address
Tue Feb  9 14:27:13 2016 us=826385 Exiting due to fatal error

This is the return of ifconfig of my pi:

Code: Select all

eth0      Link encap:Ethernet  HWaddr b8:27:eb:cc:a1:52  
          inet addr:192.168.2.16  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::39bd:5569:863a:c9a3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:132850 errors:0 dropped:2 overruns:0 frame:0
          TX packets:3977 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:20157767 (19.2 MiB)  TX bytes:635099 (620.2 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:200 errors:0 dropped:0 overruns:0 frame:0
          TX packets:200 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:16656 (16.2 KiB)  TX bytes:16656 (16.2 KiB)

This is my server.con file:

Code: Select all

local 192.168.2.16 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dev tun
proto udp #Some people prefer to use tcp. Don't change it if you don't know.
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Home.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/Home.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # If you changed to 2048, change that here!
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.2.16 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS 192.168.2.254" # This should already match your router address and not need to be changed.
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 5

This is my Default.txt file:

Code: Select all

Client
dev tun
proto udp
remote MY PUBLIC-IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20

Could anyone help me with this? Thank you so much!

Traffic · Post by **Traffic** » Tue Feb 09, 2016 3:42 pm

Make sure openvpn is not already running then start your server like so:

Code: Select all

$ sudo openvpn --config /path/to/server.conf

bhart · Post by **bhart** » Tue Feb 09, 2016 4:48 pm

Thank you. It was possible now to make the connection with the server. However, I could not connect to the internet through the vpn. Does anyone spot the error in my conf files?

Traffic · Post by **Traffic** » Tue Feb 09, 2016 5:05 pm

Please see the HOWTO:
HOWTO: Routing all client traffic (including web-traffic) through the VPN

Have you enabled IP_Forwarding on your server ?

bhart · Post by **bhart** » Tue Feb 09, 2016 5:17 pm

yes, this is my sysctl.conf file

Code: Select all

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

bengillam · Post by **bengillam** » Tue Feb 09, 2016 6:46 pm

Hey bhart, exact same issue with mine, I find restarting the service solves it. Only happens on first boot. Not had time to look into why but suggests port in use already.

I used

Code: Select all

sudo service openvpn restart

And it then starts up fine for me

If you have just followed a raspi openvpn Guide be sure to check out my post in this forum as most guides give you a dodgy route instruction which won't allow you to see your local subnet the other side of VPN which Traffic kindly helped me fix

Sent from my iPhone using Tapatalk

Traffic · Post by **Traffic** » Tue Feb 09, 2016 8:11 pm

bengillam wrote:be sure to check out my post in this forum

That would be here

bhart · Post by **bhart** » Wed Feb 10, 2016 5:59 pm

Thank you both. I tried restarting it, stop and start it and configured the server.con file as discussed in the other topic:

Code: Select all

local 192.168.2.16 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dev tun
proto udp #Some people prefer to use tcp. Don't change it if you don't know.
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Home.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/Home.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # If you changed to 2048, change that here!
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.2.0 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS 192.168.2.245" # This should already match your router address and not need to$
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 5

This is my client log

Code: Select all

2016-02-10 18:44:36 *Tunnelblick: openvpnstart starting OpenVPN
2016-02-10 18:44:36 *Tunnelblick: OS X 10.11.3; Tunnelblick 3.5.5 (build 4270.4461)
2016-02-10 18:44:36 *Tunnelblick: Attempting connection with Bas1; Set nameserver = 1; monitoring connection
2016-02-10 18:44:36 *Tunnelblick: openvpnstart start Bas1.tblk 1338 1 0 3 0 16688 -ptADGNWradsgnw 2.3.6
2016-02-10 18:44:38 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.6/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-SBas1.tblk-SContents-SResources-Sconfig.ovpn.1_0_3_0_16688.1338.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Shared/Bas1.tblk/Contents/Resources
          --config
          /Library/Application Support/Tunnelblick/Shared/Bas1.tblk/Contents/Resources/config.ovpn
          --cd
          /Library/Application Support/Tunnelblick/Shared/Bas1.tblk/Contents/Resources
          --management
          127.0.0.1
          1338
          --management-query-passwords
          --management-hold
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -d -f -m -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -d -f -m -w -ptADGNWradsgnw

2016-02-10 18:44:37 OpenVPN 2.3.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Dec  4 2015
2016-02-10 18:44:37 library versions: OpenSSL 1.0.1q 3 Dec 2015, LZO 2.08
2016-02-10 18:44:38 *Tunnelblick: Established communication with OpenVPN
2016-02-10 18:44:38 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2016-02-10 18:44:44 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2016-02-10 18:44:44 Control Channel Authentication: tls-auth using INLINE static key file
2016-02-10 18:44:44 UDPv4 link local: [undef]
2016-02-10 18:44:44 UDPv4 link remote: [AF_INET]MYINETIP:1194
2016-02-10 18:44:51 [Home] Peer Connection Initiated with [AF_INET]MYINETIP:1194
2016-02-10 18:44:53 Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2016-02-10 18:44:53 Opened utun device utun1
2016-02-10 18:44:53 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2016-02-10 18:44:53 /sbin/ifconfig utun1 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2016-02-10 18:44:53 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2016-02-10 18:44:53 /sbin/ifconfig utun1 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
2016-02-10 18:44:53 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -d -f -m -w -ptADGNWradsgnw utun1 1500 1558 10.8.0.6 10.8.0.5 init
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        Retrieved from OpenVPN: name server(s) [ 192.168.2.245 ], search domain(s) [  ] and SMB server(s) [  ] and using default domain name [ openvpn ]
                                        Not aggregating ServerAddresses because running on OS X 10.6 or higher
                                        Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually and 'Prepend domain name to search domains' was not selected
                                        Saved the DNS and SMB configurations so they can be restored
                                        Changed DNS ServerAddresses setting from '172.20.10.1' to '192.168.2.245'
                                        Changed DNS SearchDomains setting from '' to 'openvpn'
                                        Changed DNS DomainName setting from '' to 'openvpn'
                                        Did not change SMB NetBIOSName setting of ''
                                        Did not change SMB Workgroup setting of ''
                                        Did not change SMB WINSAddresses setting of ''
                                        DNS servers '192.168.2.245' will be used for DNS queries when the VPN is active
                                        The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        Setting up to monitor system configuration with process-network-changes
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
                                        add net MYINETIP: gateway 172.20.10.1
                                        add net 0.0.0.0: gateway 10.8.0.5
                                        add net 128.0.0.0: gateway 10.8.0.5
                                        add net 10.8.0.1: gateway 10.8.0.5
                                        add net 10.8.0.0: gateway 10.8.0.5
                                        add net 192.168.2.0: gateway 10.8.0.5
                                        route: writing to routing socket: File exists
                                        add net 10.8.0.0: gateway 10.8.0.5: File exists
2016-02-10 18:44:57 Initialization Sequence Completed
2016-02-10 18:44:57 *Tunnelblick: No 'connected.sh' script to execute
2016-02-10 18:45:01 *Tunnelblick process-network-changes: A system configuration change was ignored
2016-02-10 18:45:38 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's name after connecting.
2016-02-10 18:46:14 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's IP address after connecting.

This is my openvpn log file:

Code: Select all

Wed Feb 10 17:44:30 2016 us=502949 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Feb 10 17:44:30 2016 us=507340 GID set to nogroup
Wed Feb 10 17:44:30 2016 us=507743 UID set to nobody
Wed Feb 10 17:44:30 2016 us=507874 UDPv4 link local (bound): [AF_INET]192.168.2.16:1194
Wed Feb 10 17:44:30 2016 us=507966 UDPv4 link remote: [undef]
Wed Feb 10 17:44:30 2016 us=508054 MULTI: multi_init called, r=256 v=256
Wed Feb 10 17:44:30 2016 us=508555 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Wed Feb 10 17:44:30 2016 us=508807 Initialization Sequence Completed
Wed Feb 10 17:44:42 2016 us=356277 MULTI: multi_create_instance called
Wed Feb 10 17:44:42 2016 us=356828 143.179.67.21:21832 Re-using SSL/TLS context
Wed Feb 10 17:44:42 2016 us=357110 143.179.67.21:21832 LZO compression initialized
Wed Feb 10 17:44:42 2016 us=358474 143.179.67.21:21832 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Feb 10 17:44:42 2016 us=358631 143.179.67.21:21832 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Feb 10 17:44:42 2016 us=359015 143.179.67.21:21832 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,ke$
Wed Feb 10 17:44:42 2016 us=359108 143.179.67.21:21832 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,t$
Wed Feb 10 17:44:42 2016 us=359305 143.179.67.21:21832 Local Options hash (VER=V4): 'a2e63101'
Wed Feb 10 17:44:42 2016 us=359452 143.179.67.21:21832 Expected Remote Options hash (VER=V4): '272f1b58'
RWed Feb 10 17:44:42 2016 us=359723 143.179.67.21:21832 TLS: Initial packet from [AF_INET]143.179.67.21:21832, sid=70fa9e45 a6252187
Wed Feb 10 17:44:48 2016 us=784925 143.179.67.21:21832 VERIFY OK: depth=1, C=US, ST=CA, L=Sa$
Wed Feb 10 17:44:48 2016 us=786804 143.179.67.21:21832 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Bas1, name=EasyRSA, emailAddress=me@myhost.mydomain
Wed Feb 10 17:44:48 2016 us=925449 143.179.67.21:21832 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Feb 10 17:44:48 2016 us=925644 143.179.67.21:21832 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 10 17:44:48 2016 us=925749 143.179.67.21:21832 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Feb 10 17:44:48 2016 us=925855 143.179.67.21:21832 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
WWWRRRWed Feb 10 17:44:49 2016 us=3012 143.179.67.21:21832 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Feb 10 17:44:49 2016 us=3232 143.179.67.21:21832 [Bas1] Peer Connection Initiated with [AF_INET]143.179.67.21:21832
Wed Feb 10 17:44:49 2016 us=3425 Bas1/143.179.67.21:21832 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Wed Feb 10 17:44:49 2016 us=3760 Bas1/143.179.67.21:21832 MULTI: Learn: 10.8.0.6 -> Bas1/143.179.67.21:21832
Wed Feb 10 17:44:49 2016 us=3873 Bas1/143.179.67.21:21832 MULTI: primary virtual IP for Bas1/143.179.67.21:21832: 10.8.0.6
RWed Feb 10 17:44:51 2016 us=99827 Bas1/143.179.67.21:21832 PUSH: Received control message: 'PUSH_REQUEST'
Wed Feb 10 17:44:51 2016 us=100002 Bas1/143.179.67.21:21832 send_push_reply(): safe_cap=940
Wed Feb 10 17:44:51 2016 us=100330 Bas1/143.179.67.21:21832 SENT CONTROL [Bas1]: 'PUSH_REPLY,route 10.8.0.1 255.255.255.255,route 10.8.0.0 255.255.255.0,route 192.168.2.0 255.255.255.0,dhcp-option DNS 19
Wed Feb 10 17:50:59 2016 us=38875 Bas1/143.179.67.21:21832 SIGUSR1[soft,ping-restart] received, client-instance restarting

This is my /etc/network/interfaces file:

Code: Select all

# interfaces(5) file used by ifup(8) and ifdown(8)

# Please note that this file is written to be used with dhcpcd
# For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf'

# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

auto lo
iface lo inet loopback

iface eth0 inet manual
        pre-up /etc/firewall-openvpn-rules.sh

allow-hotplug wlan0
iface wlan0 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

allow-hotplug wlan1
iface wlan1 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

This is my /etc/firewall-openvpn-rules.sh file

Code: Select all

#!/bin/sh

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.2.16

What is the best way to go now?

thx!

bengillam · Post by **bengillam** » Thu Feb 11, 2016 7:34 pm

I'm I've read and indeed implemented myself, the top like that says local X.x.x.x , comment that line and mine now starts up fine and operates fine.

@Traffic could probably advise if that may have any ill effects but seems to work for me

Sent from my iPhone using Tapatalk

bhart · Post by **bhart** » Sat Feb 13, 2016 12:36 pm

Still not connected. I've reinstalled Rasbian and followed the previously mentioned bbc tutorial with adjustments by traffic

in the meanwhile I have tried this iptables tip from the internet:

Code: Select all

#!/bin/sh

iptables -A INPUT -p udp --dport 1194 -j ACCEPT

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT

iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#iptables -t nat -A POSTROUTING -s XXX.XXX.XXX.XXX -o eth0 -j MASQUERADE

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

and this:
http://stackoverflow.com/questions/3294 ... 1#35379841

But how do I get new rules integrated in the client-side config file?

It it probable the problems lies in the route or firewall?

bhart · Post by **bhart** » Mon Feb 15, 2016 9:17 am

any thoughts anyone?

lprasil · Post by **lprasil** » Thu Dec 22, 2016 9:46 pm

Try to comment out first line in configuration "local 192.168.2.16" in the /etc/openvpn/server.conf and restart RPi

OpenVPN Support Forum