Connects, no data flow thru tunnel

Official client software for OpenVPN Access Server and OpenVPN Cloud.
jcarerra
OpenVPN Power User
Posts: 50
Joined: Sat Jan 24, 2015 3:26 am

Post by jcarerra » Wed Mar 11, 2015 7:22 pm

Server is running in ASUS router with Merlin's firmware
OpenVPN Connect client on Samsung Tab 4.

When I log in, it goes to a connected status, but no data will flow through tunnel (no web page will open).

Below is server log from the router. Does anybody see why no data will flow?

Code:

Mar 11 09:02:01 openvpn[17337]: 75.yy.yy.yy:49215 TLS: Initial packet from [AF_INET]75.yy.yy.yy:49215, sid=6978da58 e48fac02
Mar 11 09:02:02 openvpn[17337]: 75.yy.yy.yy:49215 VERIFY OK: depth=1, C=US, ST=FL, L=Orlando, O=OpenVPN, OU=IT, CN=CA, name=Stagecoach, emailAddress=me@mydomain.com
Mar 11 09:02:02 openvpn[17337]: 75.yy.yy.yy:49215 VERIFY OK: depth=0, C=US, ST=FL, L=Orlando, O=OpenVPN, OU=IT, CN=TabbB, name=TabbB, emailAddress=me@mydomain.com
Mar 11 09:02:03 openvpn[17337]: 75.yy.yy.yy:49215 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 11 09:02:03 openvpn[17337]: 75.yy.yy.yy:49215 TLS: Username/Password authentication succeeded for username 'gladiator' 
Mar 11 09:02:03 openvpn[17337]: 75.yy.yy.yy:49215 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mar 11 09:02:03 openvpn[17337]: 75.yy.yy.yy:49215 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 11 09:02:03 openvpn[17337]: 75.yy.yy.yy:49215 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mar 11 09:02:03 openvpn[17337]: 75.yy.yy.yy:49215 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 11 09:02:03 openvpn[17337]: 75.yy.yy.yy:49215 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mar 11 09:02:03 openvpn[17337]: 75.yy.yy.yy:49215 [TabbB] Peer Connection Initiated with [AF_INET]75.yy.yy.yy:49215
Mar 11 09:02:03 openvpn[17337]: TabbB/75.yy.yy.yy:49215 MULTI_sva: pool returned IPv4=10.xx.xx.xx, IPv6=(Not enabled)
Mar 11 09:02:03 openvpn[17337]: TabbB/75.yy.yy.yy:49215 MULTI: Learn: 10.xx.xx.xx -> TabbB/75.yy.yy.yy:49215
Mar 11 09:02:03 openvpn[17337]: TabbB/75.yy.yy.yy:49215 MULTI: primary virtual IP for TabbB/75.yy.yy.yy:49215: 10.xx.xx.xx
Mar 11 09:02:03 openvpn[17337]: TabbB/75.yy.yy.yy:49215 PUSH: Received control message: 'PUSH_REQUEST'
Mar 11 09:02:03 openvpn[17337]: TabbB/75.yy.yy.yy:49215 send_push_reply(): safe_cap=940
Mar 11 09:02:03 openvpn[17337]: TabbB/75.yy.yy.yy:49215 SENT CONTROL [TabbB]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,redirect-gateway def1,dhcp-option DNS 192.168.0.1,route 10.xx.xx.xx,topology net30,ping 15,ping-restart 60,ifconfig 10.xx.xx.xx 10.8.0.5' (status=1)
Mar 11 09:06:04 openvpn[17337]: TabbB/75.yy.yy.yy:49215 SIGTERM[soft,remote-exit] received, client-instance exiting
Mar 11 09:10:15 openvpn[17337]: 75.yy.yy.yy:38024 TLS: Initial packet from [AF_INET]75.yy.yy.yy:38024, sid=badb4f44 66dc6358
Mar 11 09:10:16 openvpn[17337]: 75.yy.yy.yy:38024 VERIFY OK: depth=1, C=US, ST=FL, L=Orlando, O=OpenVPN, OU=IT, CN=CA, name=Stagecoach, emailAddress=me@mydomain.com
Mar 11 09:10:16 openvpn[17337]: 75.yy.yy.yy:38024 VERIFY OK: depth=0, C=US, ST=FL, L=Orlando, O=OpenVPN, OU=IT, CN=TabbB, name=TabbB, emailAddress=me@mydomain.com
Mar 11 09:10:16 openvpn[17337]: 75.yy.yy.yy:38024 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 11 09:10:16 openvpn[17337]: 75.yy.yy.yy:38024 TLS: Username/Password authentication succeeded for username 'gladiator' 
Mar 11 09:10:16 openvpn[17337]: 75.yy.yy.yy:38024 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mar 11 09:10:16 openvpn[17337]: 75.yy.yy.yy:38024 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 11 09:10:16 openvpn[17337]: 75.yy.yy.yy:38024 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mar 11 09:10:16 openvpn[17337]: 75.yy.yy.yy:38024 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 11 09:10:17 openvpn[17337]: 75.yy.yy.yy:38024 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mar 11 09:10:17 openvpn[17337]: 75.yy.yy.yy:38024 [TabbB] Peer Connection Initiated with [AF_INET]75.yy.yy.yy:38024
Mar 11 09:10:17 openvpn[17337]: TabbB/75.yy.yy.yy:38024 MULTI_sva: pool returned IPv4=10.xx.xx.xx, IPv6=(Not enabled)
Mar 11 09:10:17 openvpn[17337]: TabbB/75.yy.yy.yy:38024 MULTI: Learn: 10.xx.xx.xx -> TabbB/75.yy.yy.yy:38024
Mar 11 09:10:17 openvpn[17337]: TabbB/75.yy.yy.yy:38024 MULTI: primary virtual IP for TabbB/75.yy.yy.yy:38024: 10.xx.xx.xx
Mar 11 09:10:17 openvpn[17337]: TabbB/75.yy.yy.yy:38024 PUSH: Received control message: 'PUSH_REQUEST'
Mar 11 09:10:17 openvpn[17337]: TabbB/75.yy.yy.yy:38024 send_push_reply(): safe_cap=940
Mar 11 09:10:17 openvpn[17337]: TabbB/75.yy.yy.yy:38024 SENT CONTROL [TabbB]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,redirect-gateway def1,dhcp-option DNS 192.168.0.1,route 10.xx.xx.xx,topology net30,ping 15,ping-restart 60,ifconfig 10.xx.xx.xx 10.8.0.5' (status=1)
Mar 11 09:11:51 openvpn[17337]: 75.yy.yy.yy:33415 TLS: Initial packet from [AF_INET]75.yy.yy.yy:33415, sid=c1134c28 4a147c60
Mar 11 09:11:57 openvpn[17337]: 75.yy.yy.yy:33415 VERIFY OK: depth=1, C=US, ST=FL, L=Orlando, O=OpenVPN, OU=IT, CN=CA, name=Stagecoach, emailAddress=me@mydomain.com
Mar 11 09:11:57 openvpn[17337]: 75.yy.yy.yy:33415 VERIFY OK: depth=0, C=US, ST=FL, L=Orlando, O=OpenVPN, OU=IT, CN=TabbB, name=TabbB, emailAddress=me@mydomain.com
Mar 11 09:11:58 openvpn[17337]: 75.yy.yy.yy:33415 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 11 09:11:58 openvpn[17337]: 75.yy.yy.yy:33415 TLS: Username/Password authentication succeeded for username 'gladiator' 
Mar 11 09:11:58 openvpn[17337]: 75.yy.yy.yy:33415 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mar 11 09:11:58 openvpn[17337]: 75.yy.yy.yy:33415 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 11 09:11:58 openvpn[17337]: 75.yy.yy.yy:33415 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mar 11 09:11:58 openvpn[17337]: 75.yy.yy.yy:33415 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 11 09:11:58 openvpn[17337]: 75.yy.yy.yy:33415 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mar 11 09:11:58 openvpn[17337]: 75.yy.yy.yy:33415 [TabbB] Peer Connection Initiated with [AF_INET]75.yy.yy.yy:33415
Mar 11 09:11:58 openvpn[17337]: TabbB/75.yy.yy.yy:33415 MULTI_sva: pool returned IPv4=10.xx.xx.xx0, IPv6=(Not enabled)
Mar 11 09:11:58 openvpn[17337]: TabbB/75.yy.yy.yy:33415 MULTI: Learn: 10.xx.xx.xx0 -> TabbB/75.yy.yy.yy:33415
Mar 11 09:11:58 openvpn[17337]: TabbB/75.yy.yy.yy:33415 MULTI: primary virtual IP for TabbB/75.yy.yy.yy:33415: 10.xx.xx.xx0
Mar 11 09:11:58 openvpn[17337]: TabbB/75.yy.yy.yy:33415 PUSH: Received control message: 'PUSH_REQUEST'
Mar 11 09:11:58 openvpn[17337]: TabbB/75.yy.yy.yy:33415 send_push_reply(): safe_cap=940
Mar 11 09:11:58 openvpn[17337]: TabbB/75.yy.yy.yy:33415 SENT CONTROL [TabbB]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,redirect-gateway def1,dhcp-option DNS 192.168.0.1,route 10.xx.xx.xx,topology net30,ping 15,ping-restart 60,ifconfig 10.xx.xx.xx0 10.8.0.9' (status=1)
Mar 11 09:12:46 openvpn[17337]: TabbB/75.yy.yy.yy:33415 SIGTERM[soft,remote-exit] received, client-instance exiting
Mar 11 09:13:36 openvpn[17337]: TabbB/75.yy.yy.yy:38024 [TabbB] Inactivity timeout (--ping-restart), restarting
Mar 11 09:13:36 openvpn[17337]: TabbB/75.yy.yy.yy:38024 SIGUSR1[soft,ping-restart] received, client-instance restarting
Mar 11 09:20:44 openvpn[17337]: 71.xx.xx.xx:34023 TLS: Initial packet from [AF_INET]71.xx.xx.xx:34023, sid=6204ba0b 78782642
Mar 11 09:20:45 openvpn[17337]: 71.xx.xx.xx:34023 VERIFY OK: depth=1, C=US, ST=FL, L=Orlando, O=OpenVPN, OU=IT, CN=CA, name=Stagecoach, emailAddress=me@mydomain.com
Mar 11 09:20:45 openvpn[17337]: 71.xx.xx.xx:34023 VERIFY OK: depth=0, C=US, ST=FL, L=Orlando, O=OpenVPN, OU=IT, CN=TabbB, name=TabbB, emailAddress=me@mydomain.com
Mar 11 09:20:45 openvpn[17337]: 71.xx.xx.xx:34023 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 11 09:20:45 openvpn[17337]: 71.xx.xx.xx:34023 TLS: Username/Password authentication succeeded for username 'gladiator' 
Mar 11 09:20:45 openvpn[17337]: 71.xx.xx.xx:34023 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mar 11 09:20:45 openvpn[17337]: 71.xx.xx.xx:34023 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 11 09:20:45 openvpn[17337]: 71.xx.xx.xx:34023 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mar 11 09:20:45 openvpn[17337]: 71.xx.xx.xx:34023 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 11 09:20:45 openvpn[17337]: 71.xx.xx.xx:34023 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mar 11 09:20:45 openvpn[17337]: 71.xx.xx.xx:34023 [TabbB] Peer Connection Initiated with [AF_INET]71.xx.xx.xx:34023
Mar 11 09:20:45 openvpn[17337]: TabbB/71.xx.xx.xx:34023 MULTI_sva: pool returned IPv4=10.xx.xx.xx, IPv6=(Not enabled)
Mar 11 09:20:45 openvpn[17337]: TabbB/71.xx.xx.xx:34023 MULTI: Learn: 10.xx.xx.xx -> TabbB/71.xx.xx.xx:34023
Mar 11 09:20:45 openvpn[17337]: TabbB/71.xx.xx.xx:34023 MULTI: primary virtual IP for TabbB/71.xx.xx.xx:34023: 10.xx.xx.xx
Mar 11 09:20:45 openvpn[17337]: TabbB/71.xx.xx.xx:34023 PUSH: Received control message: 'PUSH_REQUEST'
Mar 11 09:20:45 openvpn[17337]: TabbB/71.xx.xx.xx:34023 send_push_reply(): safe_cap=940
Mar 11 09:20:45 openvpn[17337]: TabbB/71.xx.xx.xx:34023 SENT CONTROL [TabbB]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,redirect-gateway def1,dhcp-option DNS 192.168.0.1,route 10.xx.xx.xx,topology net30,ping 15,ping-restart 60,ifconfig 10.xx.xx.xx 10.8.0.5' (status=1)
Mar 11 09:23:22 openvpn[17337]: TabbB/71.xx.xx.xx:34023 SIGTERM[soft,remote-exit] received, client-instance exiting
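
Added example, not part of the original post and not OpenVPN code: a Python sketch that groups server log lines like those above by client endpoint and reports, per session, the negotiated parameters, the pushed options, and how the session ended. The sample lines are constructed from the log above, with 203.0.113.7 and 10.8.0.6 as stand-ins for the masked addresses; `parse_sessions` and `review` are hypothetical names.

```python
import re

# Constructed sample modelled on the server log in the post above;
# 203.0.113.7 and 10.8.0.6 stand in for the masked addresses.
SAMPLE_LOG = """\
Mar 11 09:10:15 openvpn[17337]: 203.0.113.7:38024 TLS: Initial packet from [AF_INET]203.0.113.7:38024, sid=badb4f44 66dc6358
Mar 11 09:10:16 openvpn[17337]: 203.0.113.7:38024 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mar 11 09:10:16 openvpn[17337]: 203.0.113.7:38024 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 11 09:10:17 openvpn[17337]: 203.0.113.7:38024 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mar 11 09:10:17 openvpn[17337]: TabbB/203.0.113.7:38024 SENT CONTROL [TabbB]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,redirect-gateway def1,dhcp-option DNS 192.168.0.1,topology net30,ping 15,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Mar 11 09:11:51 openvpn[17337]: 203.0.113.7:33415 TLS: Initial packet from [AF_INET]203.0.113.7:33415, sid=c1134c28 4a147c60
Mar 11 09:11:58 openvpn[17337]: 203.0.113.7:33415 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mar 11 09:12:46 openvpn[17337]: TabbB/203.0.113.7:33415 SIGTERM[soft,remote-exit] received, client-instance exiting
Mar 11 09:13:36 openvpn[17337]: TabbB/203.0.113.7:38024 [TabbB] Inactivity timeout (--ping-restart), restarting
Mar 11 09:13:36 openvpn[17337]: TabbB/203.0.113.7:38024 SIGUSR1[soft,ping-restart] received, client-instance restarting
"""

# Prefix is either "ip:port" (before authentication) or "CN/ip:port" (after).
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) openvpn\[\d+\]: "
                  r"(?:[^/\s]+/)?(?P<peer>[\d.]+:\d+) (?P<msg>.*)$")

def parse_sessions(text):
    """Group log lines by client endpoint (ip:port), in order of first appearance."""
    sessions = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["peer"], {
            "start": m["ts"], "cipher": None, "hmac": None,
            "tls": None, "push": [], "end": None})
        msg = m["msg"]
        if c := re.search(r"Data Channel Encrypt: Cipher '([^']+)'", msg):
            s["cipher"] = c[1]
        elif h := re.search(r"Data Channel Encrypt: Using \d+ bit message hash '([^']+)'", msg):
            s["hmac"] = h[1]
        elif t := re.search(r"Control Channel: (\S+),", msg):
            s["tls"] = t[1]
        elif p := re.search(r"'PUSH_REPLY,([^']*)'", msg):
            s["push"] = p[1].split(",")
        elif e := re.search(r"SIG\w+\[soft,([\w-]+)\]", msg):
            s["end"] = (m["ts"], e[1])      # e.g. remote-exit, ping-restart
    return sessions

def review(sessions):
    """Return (peer, finding, detail) tuples worth a second look."""
    findings = []
    for peer, s in sessions.items():
        dupes = sorted({o for o in s["push"] if s["push"].count(o) > 1})
        if dupes:
            findings.append((peer, "duplicate pushed option", dupes))
        if s["end"] is None:
            findings.append((peer, "no termination logged", None))
        elif s["end"][1] == "ping-restart":
            findings.append((peer, "dropped by inactivity timeout", s["end"][0]))
    return findings

if __name__ == "__main__":
    for finding in review(parse_sessions(SAMPLE_LOG)):
        print(finding)
```
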

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Connects, no data flow thru tunnel

Post by Traffic » Wed Mar 11, 2015 10:28 pm

Did you enable IP forwarding on your server ?

jcarerra
OpenVPN Power User
Posts: 50
Joined: Sat Jan 24, 2015 3:26 am

Re: Connects, no data flow thru tunnel

Post by jcarerra » Wed Mar 11, 2015 10:47 pm

Don't know how to do that.

Oops, no image ul; I did 3 images to show you the GUI interface I have for entering settings that determine the server config. I cannot access the config file directly--only through the GUI interface.

Will find a place to put the images of the interface and repost.

jcarerra
OpenVPN Power User
Posts: 50
Joined: Sat Jan 24, 2015 3:26 am

Re: Connects, no data flow thru tunnel

Post by jcarerra » Wed Mar 11, 2015 10:56 pm

Images of the settings I can set and space at bottom for manual inputs...

Image

Image

Image

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Connects, no data flow thru tunnel

Post by Traffic » Wed Mar 11, 2015 11:08 pm

Are you aware of this:
  • NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.

jcarerra
OpenVPN Power User
Posts: 50
Joined: Sat Jan 24, 2015 3:26 am

Re: Connects, no data flow thru tunnel

Post by jcarerra » Wed Mar 11, 2015 11:19 pm

Traffic wrote: Are you aware of this:
  • NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.

No. I was not, but I don't think that is the cause here as I have tried the VPN connected to many different 'foreign' networks, including the public hotspots of our local internet provider, which I'm SURE does not use the 'home' range of public addresses.

Gads, I hate to think of changing the network number...static devices, hosts files in several machines, who knows where else. But if it is necessary, I will do it.

Again, that's not the current problem I need to solve.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Connects, no data flow thru tunnel

Post by Traffic » Thu Mar 12, 2015 10:20 pm

What does your client log show ?

jcarerra
OpenVPN Power User
Posts: 50
Joined: Sat Jan 24, 2015 3:26 am

Re: Connects, no data flow thru tunnel

Post by jcarerra » Thu Mar 12, 2015 11:01 pm

Traffic wrote: What does your client log show ?

Shows "connection" steps--all successful; no indication of any problems or errors.

And the VPN app--VPN Connect--changes to the "Connected" state, its icon shows in the notification bar indicating connected and ready to go, then nothing more in log until I command the disconnect. The attempts to open web pages produce nothing in the log.

Do the settings in my images previously look correct?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Connects, no data flow thru tunnel

Post by Traffic » Fri Mar 13, 2015 11:51 am

jcarerra wrote: Gads, I hate to think of changing the network number...

If you intend using your VPN from public places then change your server LAN IP .. or be plagued by routing conflicts ..

As for your config..

Custom configuration:
  • You are pushing your ovpn server (192.168.0.1) as DHCP server but you have disabled "Respond to DNS" on your server ..
    this is not the cause of the problem but you will want to consider this.
  • Remove "route remote_host 255.255.255.255 net_gateway"
Until we see your client log there is not much else we can say.

jcarerra
OpenVPN Power User
Posts: 50
Joined: Sat Jan 24, 2015 3:26 am

Re: Connects, no data flow thru tunnel

Post by jcarerra » Fri Mar 13, 2015 12:51 pm

OK, thanks much for those observations. The place I am traveling to in order to get onto a foreign net when I make a change in the config and need to test is a hotspot of the ISP; I am sure it is not using 192.168.0. So I will act on the network change after solving this.

> You are pushing your ovpn server (192.168.0.1) as DHCP server but you have disabled "Respond to DNS" on your server ..
> this is not the cause of the problem but you will want to consider this.

Might it not be the cause--that DNS requests are never resolved? But I guess I would see THAT kind of display in the browser were that the case.

I will think about how to get the client log posted. It is viewed in the client of course--the tablet--inside the app (Menu>View log file), so I don't immediately see how to get a digital copy to post other than by transcribing.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Connects, no data flow thru tunnel

Post by Traffic » Fri Mar 13, 2015 1:32 pm

Re: DNS configuration
In time DNS resolution will be an issue - Hence "consider this"

However, this is not the cause of your problem .. your problem is the client "inactivity time out"
This is normally resolved with ping/ping-restart which you can see in your server log,
is being pushed successfully to your client.

The question is, what does the client do with that ?

Re: LOG
You can try using --log /{path}/client.log in your client config to define a specific log,
which you should be able to copy from the device.
{where path is a suitable path for your device}

See --log in The Manual v23x

jcarerra
OpenVPN Power User
Posts: 50
Joined: Sat Jan 24, 2015 3:26 am

Re: Connects, no data flow thru tunnel

Post by jcarerra » Fri Mar 13, 2015 2:13 pm

OK, here is an image of the client log. I think it is readable..

Image

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Connects, no data flow thru tunnel

Post by Traffic » Fri Mar 13, 2015 2:45 pm

Your client log looks normal.

From the client:
  • Can you ping yourself on 10.8.0.6 ?
    Can you ping the server on 10.8.0.1 before the time out error ?
This may provide some useful information, in the server custom config try using:

Code:

verb 4
push "verb 4"

Finally, did you enable cipher AES-256-CBC on the client ?
If you cannot do that then try changing the server back to
--cipher BF-CBC (Blowfish-CBC: OpenVPN Default)

jcarerra
OpenVPN Power User
Posts: 50
Joined: Sat Jan 24, 2015 3:26 am

Re: Connects, no data flow thru tunnel

Post by jcarerra » Fri Mar 13, 2015 3:58 pm

> Finally, did you enable cipher AES-256-CBC on the client ?
> If you cannot do that then try changing the server back to
> --cipher BF-CBC (Blowfish-CBC: OpenVPN Default)

The only option I have related to such in the client preferences is "Force AES-CBC ciphersuites--this sometimes helps connecting to legacy servers." That is OFF. Hmmm...maybe that might be it!

But wouldn't selecting AES-256-CBC in the server cause it to put into the client .ovpn...
(which is exported from the server config GUI export button, and I then move the file onto the client--after pasting in the certs, keys etc)
...whatever commands are necessary to tell the client what the encryption is?

Have errands to do for a couple of hours; will be back later.

This image shows the encryptions I can select in the server GUI...is one of them 'preferable'?
But I would like to get this working before changing, UNLESS that is the problem. Change one thing at a time.

Image

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Connects, no data flow thru tunnel

Post by Traffic » Fri Mar 13, 2015 4:57 pm

jcarerra wrote: wouldn't selecting AES-256-CBC in the server cause it to put into the client .ovpn...
(which is exported from the server config GUI export button

sure .. but that is a function of your router firmware not OpenVPN. Maybe it is buggy .. :geek:

jcarerra
OpenVPN Power User
Posts: 50
Joined: Sat Jan 24, 2015 3:26 am

Re: Connects, no data flow thru tunnel

Post by jcarerra » Fri Mar 13, 2015 7:14 pm

Traffic wrote:
jcarerra wrote: wouldn't selecting AES-256-CBC in the server cause it to put into the client .ovpn...
(which is exported from the server config GUI export button
sure .. but that is a function of your router firmware not OpenVPN. Maybe it is buggy .. :geek:

It =is= OpenVPN server that is IN the router firmware.
See the OpenVPN area on this page:
https://github.com/RMerl/asuswrt-merlin/wiki

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Connects, no data flow thru tunnel

Post by Traffic » Fri Mar 13, 2015 7:35 pm

The export function is not written by the OpenVPN devs,
it is a product of the router firmware devs.

Not only that but you are subsequently importing that file to another machine and OS.

Check that the client config file, created by your router firmware, is:
  • A. Correct .. has the directives you need
    B. Is compatible with your client
Note:
  • Using a server side export function means you may need to re-export the client config file if you change the server ..
jcarerra wrote: The only option I have related to such in the client preferences is "Force AES-CBC ciphersuites--this sometimes helps connecting to legacy servers." That is OFF. Hmmm...maybe that might be it!

I would leave it off and set the server to the default specified above. BF-CBC

jcarerra
OpenVPN Power User
Posts: 50
Joined: Sat Jan 24, 2015 3:26 am

Re: Connects, no data flow thru tunnel

Post by jcarerra » Fri Mar 13, 2015 7:53 pm

Traffic wrote: I would leave it off and set the server to the default specified above. BF-CBC

I assume that would mean I would have to recreate the certs and keys and put them in the server and in three client ovpn's. I will do that if you think this is the cause of the no data flow that I am trying to solve; I'd prefer to do it AFTER getting the problem solved otherwise. It seems like we are moving into making it 'better' before making it 'work.' Or am I misreading this?

jcarerra
OpenVPN Power User
Posts: 50
Joined: Sat Jan 24, 2015 3:26 am

Re: Connects, no data flow thru tunnel

Post by jcarerra » Fri Mar 13, 2015 7:57 pm

Here is the client config

Code:

client
dev tun
proto udp
remote 50.xxxxxxx 1194
float
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
MIIElTCC...yw==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIE2..mmr7iQ=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEv...A8w==
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
458...743
-----END OpenVPN Static key V1-----
</tls-auth>
resolv-retry infinite
nobind
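
Added example, not part of the thread and not OpenVPN or router-firmware code: a Python sketch of the check Traffic suggests for an exported client config, parsing the .ovpn (inline key blocks are counted, never kept) and comparing it with the server side. The two exports, the hostname and the `comp-lzo` value in `SERVER` are constructed assumptions; the server cipher is the one in the server log, and BF-CBC is the default the thread names.

```python
# Effective value when a directive is absent; BF-CBC is the default named in the thread.
DEFAULTS = {"cipher": "BF-CBC"}

def parse_ovpn(text):
    """Return (directives, inline_blocks); inline key material is counted, not kept."""
    directives, inline, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                                   # inside <ca>, <key>, <tls-auth>, ...
            if line == f"</{block}>":
                block = None
            else:
                inline[block] += 1
            continue
        if not line or line[0] in "#;":             # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            inline[block] = 0
            continue
        name, *args = line.split()
        if name == "comp-lzo" and not args:         # bare comp-lzo means adaptive
            args = ["adaptive"]
        directives[name] = " ".join(args)
    return directives, inline

def compare(client_text, server):
    """List (directive, client_value, server_value) where the two sides disagree."""
    directives, _ = parse_ovpn(client_text)
    diffs = []
    for name, want in server.items():
        have = directives.get(name, DEFAULTS.get(name))
        if have != want:
            diffs.append((name, have, want))
    return diffs

# Constructed export modelled on the config posted above (placeholder key material).
EXPORT_OK = """\
client
dev tun
proto udp
remote vpn.example.net 1194
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
nobind
"""
# Constructed failure case: an export that lacks the cipher line.
EXPORT_STALE = EXPORT_OK.replace("cipher AES-256-CBC\n", "")

# cipher is taken from the server log; comp-lzo is an assumed server setting.
SERVER = {"cipher": "AES-256-CBC", "comp-lzo": "adaptive"}

if __name__ == "__main__":
    print(compare(EXPORT_OK, SERVER))
    print(compare(EXPORT_STALE, SERVER))
```
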

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Connects, no data flow thru tunnel

Post by Traffic » Fri Mar 13, 2015 8:17 pm

Your current PKI appears to be fine .: do not delete your current certs and keys please.
