[Solved] VPN connects but no traffic

potentialcustomer · Post by **potentialcustomer** » Mon Jul 18, 2016 7:07 pm

Hello,

I am building a server running Xen where OpenVPN server is installed on a guest OS (Ubuntu Xenial minimal install). I can successfully connect to the VPN using windows and android clients however I am not able to access the internet through the tunnel. I cannot ping server or tunnel while VPN is connected. I believe I have missed something when I created the routing rules. Can someone help correct my mistake?

Xen Dom0 network is bridged to DomU and I use openvswitch. I have created a MAC address for the Dom0 nic as a VIF parameter in the Xen guest config file and assigned a DHCP reservation by my external router so the DomU always has IP address 192.168.0.136.

My openVPN server creates a tunneling interface to the eth0 IP 192.168.0.136.

**************************** Server Config File ****************************
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/myVPNsrv.crt
key /etc/openvpn/myVPNsrv.key # This file should be kept secret
dh /etc/openvpn/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 60
tls-auth /etc/openvpn/ta.tlsauth 0
cipher BF-CBC
comp-lzo
max-clients 4
persist-key
persist-tun
persist-local-ip
status openvpn-status.log
verb 7

**************************** Client Config File ****************************
client
dev tun
dev-type tun
topology subnet
dev-node "Ethernet 3" # Windows name for TAP adapter
proto udp
remote 192.168.0.136 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\client1b.crt"
key "C:\\Program Files\\OpenVPN\\config\\client1b.key"
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.tlsauth" 1
tls-remote "myVPNsrv"
ns-cert-type server
cipher BF-CBC
comp-lzo
verb 7

**************************** ifconfig ****************************
eth0 Link encap:Ethernet HWaddr 00:16:3e:67:00:e7
inet addr:192.168.0.136 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::216:3eff:fe67:e7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6534 errors:0 dropped:0 overruns:0 frame:0
TX packets:165 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1232035 (1.2 MB) TX bytes:35680 (35.6 KB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:172 errors:0 dropped:0 overruns:0 frame:0
TX packets:172 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:12560 (12.5 KB) TX bytes:12560 (12.5 KB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

**************************** netstat -rn ****************************
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 192.168.0.1 255.255.255.0 UG 0 0 0 eth0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

*********************** IPtable rules placed in /etc/rc.local ***********************

## Method 2 where routing and OpenVPN not running on default gateway
# https://community.openvpn.net/openvpn/w ... AndRouting
iptables -I FORWARD -i tun0 -o eth0 \
-s 10.8.0.0/24 -d 192.168.0.0/24 \
-m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
-j ACCEPT

# Rule suggested by https://secure-computing.net/wiki/index.php/Graph
route add -net 10.8.0.0/24 gw 192.168.0.1

iptables -A INPUT -i eth0 -m state -- state NEW -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT

# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun- -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

# NAT the VPN client traffic to the internet
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -0 eth0 -j MASQUERADE

exit 0

TinCanTech · Post by **TinCanTech** » Mon Jul 18, 2016 8:03 pm

potentialcustomer wrote: I cannot ping server or tunnel while VPN is connected

Looks like you have all the bases covered .. except this one:

potentialcustomer wrote:My openVPN server creates a tunneling interface to the eth0 IP 192.168.0.136

Because:
NOTE:

your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.

Never use 192.168.0.0/24 or 192.168.1.0/24 (or other common subnets) for your OpenVPN Server LAN

You are advised to change your server LAN to a more unique RFC1918 compliant subnet. f.e 192.168.143.0/24

And this one ..

Also, ensure IP forwarding is enabled on your server.

potentialcustomer · Post by **potentialcustomer** » Tue Jul 19, 2016 12:26 am

Thank you so much for your reply. I have no experience in network engineering so this is somewhat of a science project. I have do intend to harden the design and change port and IP addresses once I prove my system is functional. These typical addresses are used commonly in examples so I will use them until I am satisfied that everything works.

IPV4 forwarding is enabled in /etc/sysctl.conf since I have uncommented:
net.ipv4.ip_forward=1 # in the future I will add IPV6 support for mobile devices

Can you (or anyone) suggest methods to troubleshoot or resolve this issue?
Does the fact that I use Xen bridging from DomU to Dom0 create problems for using tunneling in Dom0 (where my OpenVPN server exists)?

TinCanTech · Post by **TinCanTech** » Tue Jul 19, 2016 1:51 am

potentialcustomer wrote: These typical addresses are used commonly in examples so I will use them until I am satisfied that everything works.

I would resolve probable subnet conflicts first.

It is such a common problem you can grep the openvpn source and find the warning hard coded ..

potentialcustomer · Post by **potentialcustomer** » Tue Jul 19, 2016 3:40 pm

Thank you again.

I have changed my server IP from 192.168.0.136 to 192.168.136.136 however it did not resolve my issue. In order to make this change I have modified the following:
1) My router only permits port forwarding on one subnet therefore I changed the router configuration for DHCP from 192.168.0.* to 192.168.136.* as well as updated port forwarding 192.168.0.136 1194 to 192.168.136.136 1194.
2) Modified OpenVPN server config with updated IP address
3) Modified /etc/rc.local IP table rules to support 192.168.136.136
4) I created new keys/certificates after the IP change (probably unnecessarily)

************ OpenVPN server.conf ***************
local 192.168.136.136
port 1194
management 127.0.0.1 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/MyVPNsrv.crt
key /etc/openvpn/MyVPNsrv.key # This file should be kept secret
dh /etc/openvpn/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 60
tls-auth /etc/openvpn/ta.tlsauth 0 # This file is secret
cipher BF-CBC # Blowfish (default)
comp-lzo
max-clients 4
persist-key
persist-tun
persist-local-ip
status openvpn-status.log
verb 7

************** OpenVPN Client config ***************
client
dev tun
dev-type tun
topology subnet
dev-node "Ethernet 3"
proto udp
remote 192.168.136.136 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\client1c.crt"
key "C:\\Program Files\\OpenVPN\\config\\client1c.key"
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.tlsauth" 1
tls-remote "warconstVPNsrv"
ns-cert-type server
cipher BF-CBC # Blowfish (default)
comp-lzo
verb 7

*************** netstat -rn ****************
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.136.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 192.168.136.1 255.255.255.0 UG 0 0 0 eth0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.136.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

************* iproute **********************
default via 192.168.136.1 dev eth0
10.8.0.0/24 via 192.168.136.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
192.168.136.0/24 dev eth0 proto kernel scope link src 192.168.136.136

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.136.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 192.168.136.1 255.255.255.0 UG 0 0 0 eth0
10.8.0.0 * 255.255.255.0 U 0 0 0 tun0
192.168.136.0 * 255.255.255.0 U 0 0 0 eth0

TinCanTech · Post by **TinCanTech** » Tue Jul 19, 2016 6:09 pm

You should only need --verb 4 for your logs .. change them both then post your client log.

potentialcustomer · Post by **potentialcustomer** » Tue Jul 19, 2016 6:29 pm

Thank you again @TinCanTech
I have changed log to verb 4 for both server and client.

********************** Client log ***************************
Tue Jul 19 14:20:42 2016 DEPRECATED OPTION: --tls-remote, please update your configuration
Tue Jul 19 14:20:42 2016 us=24261 Current Parameter Settings:
Tue Jul 19 14:20:42 2016 us=24261 config = 'MyVPNclient.ovpn'
Tue Jul 19 14:20:42 2016 us=24261 mode = 0
Tue Jul 19 14:20:42 2016 us=24261 show_ciphers = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 show_digests = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 show_engines = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 genkey = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 key_pass_file = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 show_tls_ciphers = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 Connection profiles [default]:
Tue Jul 19 14:20:42 2016 us=24261 proto = udp
Tue Jul 19 14:20:42 2016 us=24261 local = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 local_port = 0
Tue Jul 19 14:20:42 2016 us=24261 remote = '192.168.136.136'
Tue Jul 19 14:20:42 2016 us=24261 remote_port = 1194
Tue Jul 19 14:20:42 2016 us=24261 remote_float = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 bind_defined = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 bind_local = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 connect_retry_seconds = 5
Tue Jul 19 14:20:42 2016 us=24261 connect_timeout = 10
Tue Jul 19 14:20:42 2016 us=24261 connect_retry_max = 0
Tue Jul 19 14:20:42 2016 us=24261 socks_proxy_server = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 socks_proxy_port = 0
Tue Jul 19 14:20:42 2016 us=24261 socks_proxy_retry = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 tun_mtu = 1500
Tue Jul 19 14:20:42 2016 us=24261 tun_mtu_defined = ENABLED
Tue Jul 19 14:20:42 2016 us=24261 link_mtu = 1500
Tue Jul 19 14:20:42 2016 us=24261 link_mtu_defined = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 tun_mtu_extra = 0
Tue Jul 19 14:20:42 2016 us=24261 tun_mtu_extra_defined = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 mtu_discover_type = -1
Tue Jul 19 14:20:42 2016 us=24261 fragment = 0
Tue Jul 19 14:20:42 2016 us=24261 mssfix = 1450
Tue Jul 19 14:20:42 2016 us=24261 explicit_exit_notification = 0
Tue Jul 19 14:20:42 2016 us=24261 Connection profiles END
Tue Jul 19 14:20:42 2016 us=24261 remote_random = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 ipchange = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 dev = 'tun'
Tue Jul 19 14:20:42 2016 us=24261 dev_type = 'tun'
Tue Jul 19 14:20:42 2016 us=24261 dev_node = 'Ethernet 3'
Tue Jul 19 14:20:42 2016 us=24261 lladdr = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 topology = 3
Tue Jul 19 14:20:42 2016 us=24261 tun_ipv6 = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 ifconfig_local = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 ifconfig_remote_netmask = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 ifconfig_noexec = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 ifconfig_nowarn = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 ifconfig_ipv6_local = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 ifconfig_ipv6_netbits = 0
Tue Jul 19 14:20:42 2016 us=24261 ifconfig_ipv6_remote = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 shaper = 0
Tue Jul 19 14:20:42 2016 us=24261 mtu_test = 0
Tue Jul 19 14:20:42 2016 us=24261 mlock = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 keepalive_ping = 0
Tue Jul 19 14:20:42 2016 us=24261 keepalive_timeout = 0
Tue Jul 19 14:20:42 2016 us=24261 inactivity_timeout = 0
Tue Jul 19 14:20:42 2016 us=24261 ping_send_timeout = 0
Tue Jul 19 14:20:42 2016 us=24261 ping_rec_timeout = 0
Tue Jul 19 14:20:42 2016 us=24261 ping_rec_timeout_action = 0
Tue Jul 19 14:20:42 2016 us=24261 ping_timer_remote = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 remap_sigusr1 = 0
Tue Jul 19 14:20:42 2016 us=24261 persist_tun = ENABLED
Tue Jul 19 14:20:42 2016 us=24261 persist_local_ip = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 persist_remote_ip = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 persist_key = ENABLED
Tue Jul 19 14:20:42 2016 us=24261 passtos = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 resolve_retry_seconds = 1000000000
Tue Jul 19 14:20:42 2016 us=24261 username = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 groupname = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 chroot_dir = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 cd_dir = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 writepid = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 up_script = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 down_script = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 down_pre = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 up_restart = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 up_delay = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 daemon = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 inetd = 0
Tue Jul 19 14:20:42 2016 us=24261 log = ENABLED
Tue Jul 19 14:20:42 2016 us=24261 suppress_timestamps = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 nice = 0
Tue Jul 19 14:20:42 2016 us=24261 verbosity = 4
Tue Jul 19 14:20:42 2016 us=24261 mute = 0
Tue Jul 19 14:20:42 2016 us=24261 gremlin = 0
Tue Jul 19 14:20:42 2016 us=24261 status_file = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 status_file_version = 1
Tue Jul 19 14:20:42 2016 us=24261 status_file_update_freq = 60
Tue Jul 19 14:20:42 2016 us=24261 occ = ENABLED
Tue Jul 19 14:20:42 2016 us=24261 rcvbuf = 0
Tue Jul 19 14:20:42 2016 us=24261 sndbuf = 0
Tue Jul 19 14:20:42 2016 us=24261 sockflags = 0
Tue Jul 19 14:20:42 2016 us=24261 fast_io = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 lzo = 7
Tue Jul 19 14:20:42 2016 us=24261 route_script = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 route_default_gateway = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 route_default_metric = 0
Tue Jul 19 14:20:42 2016 us=24261 route_noexec = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 route_delay = 5
Tue Jul 19 14:20:42 2016 us=24261 route_delay_window = 30
Tue Jul 19 14:20:42 2016 us=24261 route_delay_defined = ENABLED
Tue Jul 19 14:20:42 2016 us=24261 route_nopull = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 route_gateway_via_dhcp = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 max_routes = 100
Tue Jul 19 14:20:42 2016 us=24261 allow_pull_fqdn = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 management_addr = '127.0.0.1'
Tue Jul 19 14:20:42 2016 us=24261 management_port = 25340
Tue Jul 19 14:20:42 2016 us=24261 management_user_pass = 'stdin'
Tue Jul 19 14:20:42 2016 us=24261 management_log_history_cache = 250
Tue Jul 19 14:20:42 2016 us=24261 management_echo_buffer_size = 100
Tue Jul 19 14:20:42 2016 us=24261 management_write_peer_info_file = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 management_client_user = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 management_client_group = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 management_flags = 6
Tue Jul 19 14:20:42 2016 us=24261 shared_secret_file = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 key_direction = 2
Tue Jul 19 14:20:42 2016 us=24261 ciphername_defined = ENABLED
Tue Jul 19 14:20:42 2016 us=24261 ciphername = 'BF-CBC'
Tue Jul 19 14:20:42 2016 us=24261 authname_defined = ENABLED
Tue Jul 19 14:20:42 2016 us=24261 authname = 'SHA1'
Tue Jul 19 14:20:42 2016 us=24261 prng_hash = 'SHA1'
Tue Jul 19 14:20:42 2016 us=24261 prng_nonce_secret_len = 16
Tue Jul 19 14:20:42 2016 us=24261 keysize = 0
Tue Jul 19 14:20:42 2016 us=24261 engine = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 replay = ENABLED
Tue Jul 19 14:20:42 2016 us=24261 mute_replay_warnings = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 replay_window = 64
Tue Jul 19 14:20:42 2016 us=24261 replay_time = 15
Tue Jul 19 14:20:42 2016 us=24261 packet_id_file = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 use_iv = ENABLED
Tue Jul 19 14:20:42 2016 us=24261 test_crypto = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 tls_server = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 tls_client = ENABLED
Tue Jul 19 14:20:42 2016 us=24261 key_method = 2
Tue Jul 19 14:20:42 2016 us=24261 ca_file = 'C:\Program Files\OpenVPN\config\ca.crt'
Tue Jul 19 14:20:42 2016 us=24261 ca_path = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 dh_file = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 cert_file = 'C:\Program Files\OpenVPN\config\client1c.crt'
Tue Jul 19 14:20:42 2016 us=24261 extra_certs_file = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 priv_key_file = 'C:\Program Files\OpenVPN\config\client1c.key'
Tue Jul 19 14:20:42 2016 us=24261 pkcs12_file = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 cryptoapi_cert = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 cipher_list = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 tls_verify = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 tls_export_cert = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 verify_x509_type = 259
Tue Jul 19 14:20:42 2016 us=24261 verify_x509_name = 'MyVPNsrv'
Tue Jul 19 14:20:42 2016 us=24261 crl_file = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 ns_cert_type = 1
Tue Jul 19 14:20:42 2016 us=24261 remote_cert_ku = 0
Tue Jul 19 14:20:42 2016 us=24261 remote_cert_ku = 0
Tue Jul 19 14:20:42 2016 us=24261 remote_cert_ku = 0
Tue Jul 19 14:20:42 2016 us=24261 remote_cert_ku = 0
Tue Jul 19 14:20:42 2016 us=24261 remote_cert_ku = 0
Tue Jul 19 14:20:42 2016 us=24261 remote_cert_ku = 0
Tue Jul 19 14:20:42 2016 us=24261 remote_cert_ku = 0
Tue Jul 19 14:20:42 2016 us=24261 remote_cert_ku = 0
Tue Jul 19 14:20:42 2016 us=24261 remote_cert_ku = 0
Tue Jul 19 14:20:42 2016 us=24261 remote_cert_ku = 0
Tue Jul 19 14:20:42 2016 us=24261 remote_cert_ku[i] = 0
Tue Jul 19 14:20:42 2016 us=24261 remote_cert_ku[i] = 0
Tue Jul 19 14:20:42 2016 us=24261 remote_cert_ku[i] = 0
Tue Jul 19 14:20:42 2016 us=24261 remote_cert_ku[i] = 0
Tue Jul 19 14:20:42 2016 us=24261 remote_cert_ku[i] = 0
Tue Jul 19 14:20:42 2016 us=24261 remote_cert_ku[i] = 0
Tue Jul 19 14:20:42 2016 us=24261 remote_cert_eku = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=24261 ssl_flags = 0
Tue Jul 19 14:20:42 2016 us=24261 tls_timeout = 2
Tue Jul 19 14:20:42 2016 us=24261 renegotiate_bytes = 0
Tue Jul 19 14:20:42 2016 us=24261 renegotiate_packets = 0
Tue Jul 19 14:20:42 2016 us=24261 renegotiate_seconds = 3600
Tue Jul 19 14:20:42 2016 us=24261 handshake_window = 60
Tue Jul 19 14:20:42 2016 us=24261 transition_window = 3600
Tue Jul 19 14:20:42 2016 us=24261 single_session = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 push_peer_info = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 tls_exit = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 tls_auth_file = 'C:\Program Files\OpenVPN\config\ta.tlsauth'
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_protected_authentication = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_protected_authentication = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_protected_authentication = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_protected_authentication = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_protected_authentication = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_protected_authentication = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_protected_authentication = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_protected_authentication = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_protected_authentication = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_protected_authentication = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_protected_authentication = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_protected_authentication = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_protected_authentication = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_protected_authentication = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_protected_authentication = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_protected_authentication = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_private_mode = 00000000
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_private_mode = 00000000
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_private_mode = 00000000
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_private_mode = 00000000
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_private_mode = 00000000
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_private_mode = 00000000
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_private_mode = 00000000
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_private_mode = 00000000
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_private_mode = 00000000
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_private_mode = 00000000
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_private_mode = 00000000
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_private_mode = 00000000
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_private_mode = 00000000
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_private_mode = 00000000
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_private_mode = 00000000
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_private_mode = 00000000
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_cert_private = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_cert_private = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_cert_private = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_cert_private = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_cert_private = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_cert_private = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_cert_private = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_cert_private = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_cert_private = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_cert_private = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_cert_private = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_cert_private = DISABLED
Tue Jul 19 14:20:42 2016 us=24261 pkcs11_cert_private = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 pkcs11_cert_private = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 pkcs11_cert_private = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 pkcs11_cert_private = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 pkcs11_pin_cache_period = -1
Tue Jul 19 14:20:42 2016 us=39886 pkcs11_id = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=39886 pkcs11_id_management = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 server_network = 0.0.0.0
Tue Jul 19 14:20:42 2016 us=39886 server_netmask = 0.0.0.0
Tue Jul 19 14:20:42 2016 us=39886 server_network_ipv6 = ::
Tue Jul 19 14:20:42 2016 us=39886 server_netbits_ipv6 = 0
Tue Jul 19 14:20:42 2016 us=39886 server_bridge_ip = 0.0.0.0
Tue Jul 19 14:20:42 2016 us=39886 server_bridge_netmask = 0.0.0.0
Tue Jul 19 14:20:42 2016 us=39886 server_bridge_pool_start = 0.0.0.0
Tue Jul 19 14:20:42 2016 us=39886 server_bridge_pool_end = 0.0.0.0
Tue Jul 19 14:20:42 2016 us=39886 ifconfig_pool_defined = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 ifconfig_pool_start = 0.0.0.0
Tue Jul 19 14:20:42 2016 us=39886 ifconfig_pool_end = 0.0.0.0
Tue Jul 19 14:20:42 2016 us=39886 ifconfig_pool_netmask = 0.0.0.0
Tue Jul 19 14:20:42 2016 us=39886 ifconfig_pool_persist_filename = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=39886 ifconfig_pool_persist_refresh_freq = 600
Tue Jul 19 14:20:42 2016 us=39886 ifconfig_ipv6_pool_defined = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 ifconfig_ipv6_pool_base = ::
Tue Jul 19 14:20:42 2016 us=39886 ifconfig_ipv6_pool_netbits = 0
Tue Jul 19 14:20:42 2016 us=39886 n_bcast_buf = 256
Tue Jul 19 14:20:42 2016 us=39886 tcp_queue_limit = 64
Tue Jul 19 14:20:42 2016 us=39886 real_hash_size = 256
Tue Jul 19 14:20:42 2016 us=39886 virtual_hash_size = 256
Tue Jul 19 14:20:42 2016 us=39886 client_connect_script = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=39886 learn_address_script = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=39886 client_disconnect_script = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=39886 client_config_dir = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=39886 ccd_exclusive = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 tmp_dir = 'C:\Users\me\AppData\Local\Temp\'
Tue Jul 19 14:20:42 2016 us=39886 push_ifconfig_defined = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 push_ifconfig_local = 0.0.0.0
Tue Jul 19 14:20:42 2016 us=39886 push_ifconfig_remote_netmask = 0.0.0.0
Tue Jul 19 14:20:42 2016 us=39886 push_ifconfig_ipv6_defined = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 push_ifconfig_ipv6_local = ::/0
Tue Jul 19 14:20:42 2016 us=39886 push_ifconfig_ipv6_remote = ::
Tue Jul 19 14:20:42 2016 us=39886 enable_c2c = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 duplicate_cn = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 cf_max = 0
Tue Jul 19 14:20:42 2016 us=39886 cf_per = 0
Tue Jul 19 14:20:42 2016 us=39886 max_clients = 1024
Tue Jul 19 14:20:42 2016 us=39886 max_routes_per_client = 256
Tue Jul 19 14:20:42 2016 us=39886 auth_user_pass_verify_script = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=39886 auth_user_pass_verify_script_via_file = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 client = ENABLED
Tue Jul 19 14:20:42 2016 us=39886 pull = ENABLED
Tue Jul 19 14:20:42 2016 us=39886 auth_user_pass_file = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=39886 show_net_up = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 route_method = 0
Tue Jul 19 14:20:42 2016 us=39886 block_outside_dns = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 ip_win32_defined = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 ip_win32_type = 3
Tue Jul 19 14:20:42 2016 us=39886 dhcp_masq_offset = 0
Tue Jul 19 14:20:42 2016 us=39886 dhcp_lease_time = 31536000
Tue Jul 19 14:20:42 2016 us=39886 tap_sleep = 0
Tue Jul 19 14:20:42 2016 us=39886 dhcp_options = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 dhcp_renew = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 dhcp_pre_release = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 dhcp_release = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 domain = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=39886 netbios_scope = '[UNDEF]'
Tue Jul 19 14:20:42 2016 us=39886 netbios_node_type = 0
Tue Jul 19 14:20:42 2016 us=39886 disable_nbt = DISABLED
Tue Jul 19 14:20:42 2016 us=39886 OpenVPN 2.3.11 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 10 2016
Tue Jul 19 14:20:42 2016 us=39886 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Jul 19 14:20:42 2016 us=39886 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09
Enter Management Password:
Tue Jul 19 14:20:42 2016 us=39886 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Jul 19 14:20:42 2016 us=39886 Need hold release from management interface, waiting...
Tue Jul 19 14:20:42 2016 us=149423 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Jul 19 14:20:42 2016 us=258840 MANAGEMENT: CMD 'state on'
Tue Jul 19 14:20:42 2016 us=258840 MANAGEMENT: CMD 'log all on'
Tue Jul 19 14:20:42 2016 us=602413 MANAGEMENT: CMD 'hold off'
Tue Jul 19 14:20:42 2016 us=602413 MANAGEMENT: CMD 'hold release'
Tue Jul 19 14:20:42 2016 us=977432 Control Channel Authentication: using 'C:\Program Files\OpenVPN\config\ta.tlsauth' as a OpenVPN static key file
Tue Jul 19 14:20:42 2016 us=977432 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 19 14:20:42 2016 us=977432 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 19 14:20:42 2016 us=977432 LZO compression initialized
Tue Jul 19 14:20:42 2016 us=977432 Control Channel MTU parms [ L:1542 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Tue Jul 19 14:20:42 2016 us=977432 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jul 19 14:20:42 2016 us=977432 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Tue Jul 19 14:20:42 2016 us=977432 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Tue Jul 19 14:20:42 2016 us=977432 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Tue Jul 19 14:20:42 2016 us=977432 Local Options hash (VER=V4): '504e774e'
Tue Jul 19 14:20:42 2016 us=977432 Expected Remote Options hash (VER=V4): '14168603'
Tue Jul 19 14:20:42 2016 us=977432 UDPv4 link local: [undef]
Tue Jul 19 14:20:42 2016 us=977432 UDPv4 link remote: [AF_INET]192.168.136.136:1194
Tue Jul 19 14:20:42 2016 us=977432 MANAGEMENT: >STATE:1468952442,WAIT,,,
Tue Jul 19 14:20:42 2016 us=977432 MANAGEMENT: >STATE:1468952442,AUTH,,,
Tue Jul 19 14:20:42 2016 us=977432 TLS: Initial packet from [AF_INET]192.168.136.136:1194, sid=a7500b2a d7329c22
Tue Jul 19 14:20:43 2016 us=8685 VERIFY OK: depth=1, /C=US/ST=PA/L=Carlisle/O=MyName/OU=MyVPN/CN=MyVPNsrv/name=MyVPNsrv/emailAddress=My@pa.net
Tue Jul 19 14:20:43 2016 us=8685 VERIFY OK: nsCertType=SERVER
Tue Jul 19 14:20:43 2016 us=8685 VERIFY X509NAME OK: /C=US/ST=PA/L=Carlisle/O=MyName/OU=MyVPN/CN=MyVPNsrv/name=MyVPNsrv/emailAddress=My@pa.net
Tue Jul 19 14:20:43 2016 us=8685 VERIFY OK: depth=0, /C=US/ST=PA/L=Carlisle/O=MyName/OU=MyVPN/CN=MyVPNsrv/name=MyVPNsrv/emailAddress=My@pa.net
Tue Jul 19 14:20:43 2016 us=86820 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jul 19 14:20:43 2016 us=86820 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 19 14:20:43 2016 us=86820 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jul 19 14:20:43 2016 us=86820 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 19 14:20:43 2016 us=86820 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Jul 19 14:20:43 2016 us=86820 [MyVPNsrv] Peer Connection Initiated with [AF_INET]192.168.136.136:1194
Tue Jul 19 14:20:44 2016 us=196420 MANAGEMENT: >STATE:1468952444,GET_CONFIG,,,
Tue Jul 19 14:20:45 2016 us=305833 SENT CONTROL [MyVPNsrv]: 'PUSH_REQUEST' (status=1)
Tue Jul 19 14:20:45 2016 us=305833 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.0.3 255.255.255.0'
Tue Jul 19 14:20:45 2016 us=305833 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jul 19 14:20:45 2016 us=305833 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jul 19 14:20:45 2016 us=305833 OPTIONS IMPORT: route options modified
Tue Jul 19 14:20:45 2016 us=305833 OPTIONS IMPORT: route-related options modified
Tue Jul 19 14:20:45 2016 us=305833 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jul 19 14:20:45 2016 us=336928 ROUTE_GATEWAY 192.168.136.1/255.255.255.0 I=19 HWADDR=40:e2:30:1b:c1:d7
Tue Jul 19 14:20:45 2016 us=383963 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jul 19 14:20:45 2016 us=383963 MANAGEMENT: >STATE:1468952445,ASSIGN_IP,,10.8.0.3,
Tue Jul 19 14:20:45 2016 us=383963 open_tun, tt->ipv6=0
Tue Jul 19 14:20:45 2016 us=383963 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{49E6F44D-02DD-4740-88A3-3C209BB2A835}.tap
Tue Jul 19 14:20:45 2016 us=383963 TAP-Windows Driver Version 9.21
Tue Jul 19 14:20:45 2016 us=383963 TAP-Windows MTU=1500
Tue Jul 19 14:20:45 2016 us=383963 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.3/255.255.255.0 [SUCCEEDED]
Tue Jul 19 14:20:45 2016 us=383963 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.3/255.255.255.0 on interface {49E6F44D-02DD-4740-88A3-3C209BB2A835} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
Tue Jul 19 14:20:45 2016 us=383963 DHCP option string: 06080808 08080808 0404
Tue Jul 19 14:20:45 2016 us=399433 Successful ARP Flush on interface [21] {49E6F44D-02DD-4740-88A3-3C209BB2A835}
Tue Jul 19 14:20:50 2016 us=55914 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Tue Jul 19 14:20:50 2016 us=55914 C:\Windows\system32\route.exe ADD 192.168.136.136 MASK 255.255.255.255 192.168.136.1 IF 19
Tue Jul 19 14:20:50 2016 us=55914 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Tue Jul 19 14:20:50 2016 us=55914 Route addition via IPAPI succeeded [adaptive]
Tue Jul 19 14:20:50 2016 us=55914 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Jul 19 14:20:50 2016 us=55914 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Tue Jul 19 14:20:50 2016 us=55914 Route addition via IPAPI succeeded [adaptive]
Tue Jul 19 14:20:50 2016 us=55914 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Jul 19 14:20:50 2016 us=71540 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Tue Jul 19 14:20:50 2016 us=71540 Route addition via IPAPI succeeded [adaptive]
Tue Jul 19 14:20:50 2016 us=71540 Initialization Sequence Completed
Tue Jul 19 14:20:50 2016 us=71540 MANAGEMENT: >STATE:1468952450,CONNECTED,SUCCESS,10.8.0.3,192.168.136.136
Tue Jul 19 14:21:47 2016 us=940367 TCP/UDP: Closing socket
Tue Jul 19 14:21:47 2016 us=941370 C:\Windows\system32\route.exe DELETE 192.168.136.136 MASK 255.255.255.255 192.168.136.1
Tue Jul 19 14:21:47 2016 us=948390 Route deletion via IPAPI succeeded [adaptive]
Tue Jul 19 14:21:47 2016 us=948390 C:\Windows\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Jul 19 14:21:47 2016 us=957394 Route deletion via IPAPI succeeded [adaptive]
Tue Jul 19 14:21:47 2016 us=957394 C:\Windows\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Jul 19 14:21:47 2016 us=965405 Route deletion via IPAPI succeeded [adaptive]
Tue Jul 19 14:21:47 2016 us=965405 Closing TUN/TAP interface
Tue Jul 19 14:21:47 2016 us=988441 SIGTERM[hard,] received, process exiting
Tue Jul 19 14:21:47 2016 us=988441 MANAGEMENT: >STATE:1468952507,EXITING,SIGTERM,,

TinCanTech · Post by **TinCanTech** » Tue Jul 19, 2016 6:49 pm

According to the logs, everything is working as it should .. now you need to try from a remote location.

I presume you have enabled IP forwarding on the server ..

potentialcustomer · Post by **potentialcustomer** » Tue Jul 19, 2016 7:45 pm

I will try to access the server from a remote location. I assume I only need to modify the client IP to be the server public IP?

I tried using a non-windows client (an android phone connected to the LAN using wireless - not 4G) while I SSH into the server. I noticed a lot of packets dropped. I suspect this is the case with windows clients as well.

I did a little bit of searching for "multi bad source address from client packet dropped" and found a couple of promising solutions all pointing to routing problems. I am investigating those solutions now.

Here is a snippet of what I saw when I run systemctl status openvpn@MyVPNsrv

● openvpn@MyVPNsrv.service - OpenVPN connection to MyVPNsrv
Loaded: loaded (/etc/systemd/system/multi-user.target.wants/openvpn@MyVPNsrv.service; disabled; vendor preset: enabled)
Active: active (running) since Tue 2016-07-19 14:19:34 EDT; 55min ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/w ... n23ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 3800 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%
Main PID: 3804 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@MyVPNsrv.service
└─3804 /usr/sbin/openvpn --daemon ovpn-MyVPNsrv --status /run/openvpn/MyVPNsrv.status 10 --cd /etc/openvpn --script-security 2 --confi

Jul 19 15:14:11 Mysrv ovpn-MyVPNsrv[3804]: client2c/192.168.136.112:46606 MULTI: bad source address from client [192.168.136.112], packet dropped
Jul 19 15:14:11 Mysrv ovpn-MyVPNsrv[3804]: client2c/192.168.136.112:46606 MULTI: bad source address from client [192.168.136.112], packet dropped
Jul 19 15:14:11 Mysrv ovpn-MyVPNsrv[3804]: client2c/192.168.136.112:46606 MULTI: bad source address from client [192.168.136.112], packet dropped
Jul 19 15:14:12 Mysrv ovpn-MyVPNsrv[3804]: client2c/192.168.136.112:46606 MULTI: bad source address from client [192.168.136.112], packet dropped
Jul 19 15:14:17 Mysrv ovpn-MyVPNsrv[3804]: client2c/192.168.136.112:46606 MULTI: bad source address from client [192.168.136.112], packet dropped
Jul 19 15:14:20 Mysrv ovpn-MyVPNsrv[3804]: client2c/192.168.136.112:46606 MULTI: bad source address from client [192.168.136.112], packet dropped
Jul 19 15:14:27 Mysrv ovpn-MyVPNsrv[3804]: client2c/192.168.136.112:46606 MULTI: bad source address from client [192.168.136.112], packet dropped
Jul 19 15:14:31 Mysrv ovpn-MyVPNsrv[3804]: client2c/192.168.136.112:46606 MULTI: bad source address from client [192.168.136.112], packet dropped
Jul 19 15:14:37 Mysrv ovpn-MyVPNsrv[3804]: client2c/192.168.136.112:46606 MULTI: bad source address from client [192.168.136.112], packet dropped
Jul 19 15:14:41 Mysrv ovpn-MyVPNsrv[3804]: client2c/192.168.136.112:46606 MULTI: bad source address from client [192.168.136.112], packet dropped

TinCanTech · Post by **TinCanTech** » Tue Jul 19, 2016 8:31 pm

For now you can ignore the dropped packets .. they are packets with the source address of your eth0 not tun0 but they are sent over the VPN. In time you can add --iroute's for them, if you actually need it.

See: HOWTO: Expanding the scope of the VPN to include additional machines

potentialcustomer · Post by **potentialcustomer** » Wed Jul 20, 2016 5:34 pm

This morning I was able to successfully connect to my VPN using my android phone and the 4G network. Unfortunately I was still not able to load any webpages through the phone's browser while the VPN was connected.

I took the following actions however could not determine that there was any problem. I appreciate any insight to the potential causes of internet traffic not loading.

1) I captured packets using tcpdump:
tcpdump -i eth0 udp port 1194
tcpdump -i tun0 udp
2) I ran traceroute to my phone's VPN IP address
3) Changed MTU from 1500 to 1000 for both eth0 and tun0 - made no difference

********************* tcpdump -i eth0 udp port 1194 ****************************
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:06:25.243789 IP 192.168.136.136.openvpn > 162.sub-XXX-XXX-XXX.myvzw.com.5121: UDP, length 53
12:06:29.186285 IP 162.sub-XXX-XXX-XXX.myvzw.com.5121 > 192.168.136.136.openvpn: UDP, length 53
12:06:35.225829 IP 192.168.136.136.openvpn > 162.sub-XXX-XXX-XXX.myvzw.com.5121: UDP, length 53
12:06:39.203721 IP 162.sub-XXX-XXX-XXX.myvzw.com.5121 > 192.168.136.136.openvpn: UDP, length 53
12:06:45.390503 IP 192.168.136.136.openvpn > 162.sub-XXX-XXX-XXX.myvzw.com.5121: UDP, length 53
12:06:49.187674 IP 162.sub-XXX-XXX-XXX.myvzw.com.5121 > 192.168.136.136.openvpn: UDP, length 53

******************** tcpdump -i tun0 udp **************************
tcpdump -i tun0 udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
12:07:39.767832 IP 10.8.0.5.60479 > google-public-dns-a.google.com.domain: 29202+ AAAA? lgemobilewidget.accu-weather.com. (50)
12:07:44.800368 IP 10.8.0.5.47192 > google-public-dns-b.google.com.domain: 29202+ AAAA? lgemobilewidget.accu-weather.com. (50)
12:07:49.783355 IP 10.8.0.5.48116 > google-public-dns-a.google.com.domain: 11120+ A? lgemobilewidget.accu-weather.com. (50)
12:07:54.775705 IP 10.8.0.5.41108 > google-public-dns-b.google.com.domain: 11120+ A? lgemobilewidget.accu-weather.com. (50)

********* Traceroute to my phone's VPN IP address ***************
traceroute to 10.8.0.5 (10.8.0.5), 30 hops max, 60 byte packets
1 192.168.136.1 (192.168.136.1) 0.689 ms 0.721 ms 1.023 ms
2 10.23.22.1 (10.23.22.1) 23.457 ms 24.814 ms 25.986 ms
3 G101-0-0-30.HRBGPA-LCR-21.verizon-gni.net (100.41.XXX.XXX) 28.219 ms !N * *

TinCanTech · Post by **TinCanTech** » Wed Jul 20, 2016 8:27 pm

You have read this carefully:
HOWTO: Routing all client traffic (including web-traffic) through the VPN

Also, try implementing the --iroute's for you client.

potentialcustomer · Post by **potentialcustomer** » Thu Jul 21, 2016 11:02 pm

@TinCanTech,
Thank you for all of your attention. I am away so I will be unable to modify any of my configuration files until next week.

I desire all traffic from each client be routed through the VPN server therefore I had included:
push "redirect-gateway def1"

I have also redirected traffic using NAT which was described in many of the tutorials:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Based upon the link you sent I noticed I had missed routing DNS queries through the OpenVPN server.
push "dhcp-option DNS 10.8.0.1"

I also noticed the note regarding slow web browsing. Hopefully "slow" does not equate to "time out."

I do not intend to use the VPN on my local LAN (but I was for testing) so I do not think I will need the iroute since I have now configured my DSL modem and router properly so I can test using my phone and 4G network.

potentialcustomer · Post by **potentialcustomer** » Mon Jul 25, 2016 2:45 pm

I have added the push "dhcp-option DNS 10.8.0.1" line to my server config file and I still cannot load webpages through VPN. Once again I tested the VPN using my android smartphone and 4G network.

I have not added any iroute's since there are no subnets behind any of my clients.

TinCanTech · Post by **TinCanTech** » Mon Jul 25, 2016 3:25 pm

potentialcustomer wrote:I have added the push "dhcp-option DNS 10.8.0.1" line to my server config file and I still cannot load webpages through VPN

Is 10.8.0.1 a DNS server ? .. if not then there is no point pushing that address for DNS.

potentialcustomer · Post by **potentialcustomer** » Mon Jul 25, 2016 4:17 pm

I have always passed google's Public DNS servers in my server config file:
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

No, 10.8.0.1 is not a DNS server and I did not believe it would resolve my traffic issue.

@TinCanTech is there something I am overlooking from the link you posted?
http://openvpn.net/index.php/open-sourc ... l#redirect

I still believe this is a routing problem however I am not certain where the problem exists. Here is a summary of my efforts to date:
2) I have configured ISP supplied modem/router/firewall as bridge.
3) I have configured my router properly with PPPoE in order to operate behind bridged modem.
4) I have internet access for my LAN (not using VPN) and I can establish VPN connection remotely connection (smart phone over 4G also remote wifi).
5) Port check tools tell me my WAN port is CLOSED ( checking public ip at vpn port). I am not certain why how my port could read closed when I can establish remote connection through it to establish VPN connection...
6) Routing remains as posted in prior posts.

Can anyone suggest something I am missing?

TinCanTech · Post by **TinCanTech** » Mon Jul 25, 2016 6:03 pm

Push google's DNS servers, as you do not run a DNS server yourself ..

Then try to ping 8.8.8.8 (by IP address) over the VPN.
Then try to ping google.com (by DNS name) over the VPN.

Also, please post the result of iptables-save and ifconfig of your server.

potentialcustomer · Post by **potentialcustomer** » Mon Jul 25, 2016 8:16 pm

I found my errors:
rc.local:
iptables -A INPUT -i eth0 -m state -- state NEW -p udp --dport 1194 -j ACCEPT
and
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -0 eth0 -j MASQUERADE

SHOULD BE:

iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
and
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

TinCanTech · Post by **TinCanTech** » Mon Jul 25, 2016 9:30 pm

So it is all fixed ?

potentialcustomer · Post by **potentialcustomer** » Thu Jul 28, 2016 12:51 pm

I have spent the last few days testing the VPN and tunneling with various clients and OS's. I am very pleased with the performance and everything is working.

@TinCanTech
Thank you for all of your assistance!

OpenVPN Support Forum

[Solved] VPN connects but no traffic

[Solved] VPN connects but no traffic

Re: VPN connects but no traffic

Re: VPN connects but no traffic

Re: VPN connects but no traffic

Re: VPN connects but no traffic

Re: VPN connects but no traffic

Re: VPN connects but no traffic

Re: VPN connects but no traffic

Re: VPN connects but no traffic

Re: VPN connects but no traffic

Re: VPN connects but no traffic

Re: VPN connects but no traffic

Re: VPN connects but no traffic

Re: VPN connects but no traffic

Re: VPN connects but no traffic

Re: VPN connects but no traffic

Re: VPN connects but no traffic

Re: VPN connects but no traffic

Re: VPN connects but no traffic

Re: VPN connects but no traffic