
TLS Handshake failed on remote connection

Posted: Wed Mar 13, 2013 4:43 am
by stretch44
I'm a first-time user of OpenVPN and am trying to set this up at home for multiple users, using certificates. I've carefully gone through the HowTo documentation, configured port-forwarding and turned off all firewalls. It works great locally. My client machine is Windows 7 and the server machine is Server 2008R2. When I try to access via WAN IP address, I can't connect. I get this instead (of course I altered the IP address for this message, so don't get too excited):

Tue Mar 12 21:47:18 2013 Warning: cannot open --log file: C:\Program Files\OpenVPN\log\client1.log: The process cannot access the file because it is being used by another process. (errno=32)
Tue Mar 12 21:47:18 2013 OpenVPN 2.3.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Feb 14 2013
Tue Mar 12 21:47:18 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Mar 12 21:47:18 2013 Need hold release from management interface, waiting...
Tue Mar 12 21:47:19 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Mar 12 21:47:19 2013 MANAGEMENT: CMD 'state on'
Tue Mar 12 21:47:19 2013 MANAGEMENT: CMD 'log all on'
Tue Mar 12 21:47:19 2013 MANAGEMENT: CMD 'hold off'
Tue Mar 12 21:47:19 2013 MANAGEMENT: CMD 'hold release'
Tue Mar 12 21:47:19 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 12 21:47:19 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Mar 12 21:47:19 2013 UDPv4 link local: [undef]
Tue Mar 12 21:47:19 2013 UDPv4 link remote: [AF_INET]161.42.38.61:1194
Tue Mar 12 21:47:19 2013 MANAGEMENT: >STATE:1363146439,WAIT,,,
Tue Mar 12 21:48:19 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 12 21:48:19 2013 TLS Error: TLS handshake failed
Tue Mar 12 21:48:19 2013 SIGUSR1[soft,tls-error] received, process restarting
Tue Mar 12 21:48:19 2013 MANAGEMENT: >STATE:1363146499,RECONNECTING,tls-error,,
Tue Mar 12 21:48:19 2013 Restart pause, 2 second(s)

When I run "netstat -an" on the server, I see this line referring to port 1194:

Proto  Local Address  Foreign Address  State
UDP    0.0.0.0:1194   *:*

Here's my client1.ovpn:

client
dev tun
dev-node MyTap
proto udp
remote 161.42.38.61 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "c:\\program files\\openvpn\\config\\ca.crt"
cert "c:\\program files\\openvpn\\config\\client1.crt"
key "c:\\program files\\openvpn\\config\\client1.key"
ns-cert-type server
comp-lzo
verb 3

Here's my server.ovpn:

port 1194
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 0


Any help would be greatly appreciated before I go totally bald.

~Steve

Re: TLS Handshake failed on remote connection

Posted: Wed Mar 13, 2013 7:23 am
by maikcat
get a different internet connection on your client and try again

Michael.

Re: TLS Handshake failed on remote connection

Posted: Wed Mar 13, 2013 8:12 am
by derobert
Turn up the verbosity on the server, and check that log.

Re: TLS Handshake failed on remote connection

Posted: Wed Mar 13, 2013 8:49 am
by maikcat
stretch44 wrote: It works great locally. My client machine is Windows 7 and the server machine is Server 2008R2. When I try to access via WAN IP address, I can't connect
when I say:
get a different internet connection on your client and try again
it is because some routers, when they perform NAT, simply can't correctly redirect
traffic originating from their LAN to their WAN and back again to their LAN....

if you are trying to connect to your WAN IP while you are on the same LAN as your OpenVPN server,


get a different internet connection on your client and try again

Michael.

Re: TLS Handshake failed on remote connection

Posted: Wed Mar 13, 2013 8:54 am
by mwandelaar
There are some things which strike me:
Tue Mar 12 21:47:18 2013 Warning: cannot open --log file: C:\Program Files\OpenVPN\log\client1.log: The process cannot access the file because it is being used by another process. (errno=32)
Your client mentions the logfile is in use. On the other hand, this logfile is not mentioned in the client-config.
Tue Mar 12 21:47:19 2013 MANAGEMENT: >STATE:1363146439,WAIT,,,
Tue Mar 12 21:48:19 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 12 21:48:19 2013 TLS Error: TLS handshake failed
This line makes me think the client is waiting for some authentication to go through and, after exactly 1 minute of waiting, it fails its connection.

So please increase server-logging and see what's happening there.
maikcat wrote: get a different internet connection on your client and try again
It might indeed even be possible your router is having problems routing traffic from inside via the external IP address back to inside. So please do so.

Re: TLS Handshake failed on remote connection

Posted: Wed Mar 13, 2013 11:56 pm
by stretch44
Thanks guys. I'll increase the verbose on server logging and try this again from a Starbucks.

Also, I did notice it saying that the log was in use at the beginning. I have no idea what is using it, because I surely don't have it open.

I'll let you know if it works.

Re: TLS Handshake failed on remote connection

Posted: Fri Mar 15, 2013 9:26 am
by dobler
Hey, I'm having the exact same issue as well. I'm using the same version of OpenVPN. I have other OpenVPN software installed on other machines in my office, but I'm attempting to do this reinstall with the latest (2.3.0) version of OpenVPN. I've spent all day puzzling over why this install is behaving this way. I'm running on Windows 2008 R2. I noticed that I can connect through the local LAN, but if I attempt to connect from the internet I get this message. I have my firewall disabled and ports open.

Re: TLS Handshake failed on remote connection

Posted: Sat Mar 16, 2013 7:12 pm
by stretch44
Ok, so here is my server log:

Sat Mar 16 12:37:29 2013 us=182403 OpenVPN 2.3.0 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Feb 14 2013
Sat Mar 16 12:37:29 2013 us=182403 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Mar 16 12:37:29 2013 us=463653 Diffie-Hellman initialized with 1024 bit key
Sat Mar 16 12:37:29 2013 us=463653 TLS-Auth MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat Mar 16 12:37:29 2013 us=463653 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Mar 16 12:37:29 2013 us=463653 TCP/UDP: Socket bind failed on local address [AF_INET]192.168.5.15:1723: Permission denied (WSAEACCES)
Sat Mar 16 12:37:29 2013 us=463653 Exiting due to fatal error


I had to switch to port 1723, because my stupid Actiontec PK5000 apparently doesn't think I should ever open port 1194, 5000, or 6000, or about a gazillion other ports ... but it will open TCP port 1723. So, I reconfigured it to work on TCP port 1723.

So, it looks like the problem lies in the Socket bind line, but I'm not sure what to do about that "Permission denied (WSAEACCES)".
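As an added example that is not part of this thread or of the OpenVPN project, the script below applies the reading maikcat and mwandelaar give above (a TLS key negotiation timeout means nothing came back from the server during the whole window, which is what a missing port-forward or a router without NAT loopback looks like) together with the server-side clue in this post (a failed socket bind means the server never listened at all). It parses OpenVPN log lines, measures the gap between the WAIT state and the TLS error to confirm the timeout, extracts the remote endpoint and the bind address, and prints hints. The embedded sample lines are copied from this thread (including the poster's altered IP); the finding codes and hint wording are my own and are not OpenVPN output.

```python
import re
from datetime import datetime

# Sample lines copied from this thread (the poster altered the IP address).
CLIENT_LOG = r"""
Tue Mar 12 21:47:18 2013 Warning: cannot open --log file: C:\Program Files\OpenVPN\log\client1.log: The process cannot access the file because it is being used by another process. (errno=32)
Tue Mar 12 21:47:19 2013 UDPv4 link remote: [AF_INET]161.42.38.61:1194
Tue Mar 12 21:47:19 2013 MANAGEMENT: >STATE:1363146439,WAIT,,,
Tue Mar 12 21:48:19 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 12 21:48:19 2013 TLS Error: TLS handshake failed
"""

SERVER_LOG = r"""
Sat Mar 16 12:37:29 2013 us=463653 TCP/UDP: Socket bind failed on local address [AF_INET]192.168.5.15:1723: Permission denied (WSAEACCES)
Sat Mar 16 12:37:29 2013 us=463653 Exiting due to fatal error
"""

# Log prefix: "Tue Mar 12 21:47:19 2013", optionally followed by " us=463653"
# (microseconds, which OpenVPN adds at higher verb levels).
_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})"
    r"(?: us=\d+)? (?P<msg>.*)$"
)
_REMOTE = re.compile(r"link remote: \[AF_INET6?\](?P<ep>\S+)")
_TIMEOUT = re.compile(r"TLS key negotiation failed to occur within (?P<n>\d+) seconds")
_BIND = re.compile(r"Socket bind failed on local address \[AF_INET6?\](?P<ep>\S+?): (?P<why>.*)")


def parse_line(line):
    """Split one OpenVPN log line into (datetime, message); None if no timestamp prefix."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("msg")


def _add(report, code, hint):
    """Record a finding once, with a human-readable hint (hypothetical codes, not OpenVPN's)."""
    if code not in report["findings"]:
        report["findings"].append(code)
        report["hints"].append(hint)


def triage(log_text):
    """Walk a client or server log and return a dict of extracted facts plus findings/hints."""
    report = {"remote": None, "bind_failed": None, "handshake_timeout_s": None,
              "wait_elapsed_s": None, "findings": [], "hints": []}
    wait_at = None
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        if "cannot open --log file" in msg and "errno=32" in msg:
            _add(report, "log-file-in-use",
                 "another process holds the client log; check whether a second OpenVPN "
                 "instance is already running before trusting this log")
        m = _REMOTE.search(msg)
        if m:
            report["remote"] = m.group("ep")
        if ">STATE:" in msg and ",WAIT," in msg:
            wait_at = ts  # client started waiting for the server's first reply
        m = _TIMEOUT.search(msg)
        if m:
            report["handshake_timeout_s"] = int(m.group("n"))
            if wait_at is not None:
                report["wait_elapsed_s"] = int((ts - wait_at).total_seconds())
            _add(report, "no-server-reply",
                 f"nothing came back from {report['remote']} during the "
                 f"{m.group('n')}s window: verify the port-forward and host firewall on the "
                 "server side; if the client is on the same LAN as the server, many consumer "
                 "routers do not loop traffic sent to their own WAN address back inside "
                 "(NAT hairpin), so test from an outside network")
        m = _BIND.search(msg)
        if m:
            report["bind_failed"] = m.group("ep")
            _add(report, "bind-failed",
                 f"server could not listen on {m.group('ep')}: {m.group('why')}; another "
                 "service probably owns that port, so no client handshake can be answered")
    return report


if __name__ == "__main__":
    for name, text in (("client", CLIENT_LOG), ("server", SERVER_LOG)):
        rep = triage(text)
        print(f"== {name}: remote={rep['remote']} bind_failed={rep['bind_failed']} "
              f"wait_elapsed_s={rep['wait_elapsed_s']}")
        for code, hint in zip(rep["findings"], rep["hints"]):
            print(f"  [{code}] {hint}")
```

Run it as-is to see the two reports, or pass your own log text to triage(); a server log that shows no bind failure and no incoming packets at all, alongside a client that times out exactly at the configured window, is the pattern that points at the router rather than at certificates.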

Re: TLS Handshake failed on remote connection

Posted: Sat Mar 16, 2013 8:18 pm
by stretch44
Oh, and I did try this from a Starbucks. I'm thinking something is up with my router.

Re: TLS Handshake failed on remote connection

Posted: Fri Mar 22, 2013 4:59 am
by stretch44
Ok, I'm good now. It was my Actiontec PK5000 modem/router that I got from CenturyLink. It wasn't opening ports, even though it looked like it was taking my inputs. I couldn't even bridge the modem. I just swapped my DSL modem for a cheap Netgear modem from BestBuy and now everything is working correctly.

Re: TLS Handshake failed on remote connection

Posted: Sat Mar 30, 2013 4:28 am
by stretch44
Just ran into another person who couldn't connect because of an Actiontec modem/router (an M1000 this time) that claimed to port-forward but didn't.

I may be drawing conclusions prematurely here, but Actiontec modems SUCK! Even if CenturyLink offers to give you one for free, I'd turn it down and go buy your own.

Actiontec seems to work fine for basic Internet usage, but all the advanced features appear to just be for show.