[Resolved] VPN via local net ok, unable to connect via internet, ideas welcome
Posted: Fri May 25, 2018 12:29 am
Hi,
Apologies, I'm sure this is an all too common question. I've googled it to death and read the docs many times but have had no luck.
I've loaded OpenVPN on an RPi using the pivpn install; it works, and I can connect to it through the local network with a Win7 client using the OpenVPN GUI. I tested both TCP and UDP, with changes to the client and server configs; both protocols work OK via the local network.
But I'm unable to connect to it from the net.
I have a port forward rule on the router for 1194. I'm using TCP, as the open-port checker shows it is available (which also gives some confidence); I could not see the port open using UDP.
In openvpn.log I can see the port checker connecting etc., but nothing from the client!
I've included the server config and client output below in case there is a well-tuned eye.
Any ideas or pointers, or other ways to test, would be very welcome.
CLIENT OUTPUT
==========
Fri May 25 10:10:35 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Fri May 25 10:10:35 2018 Windows version 6.1 (Windows 7) 64bit
Fri May 25 10:10:35 2018 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Fri May 25 10:10:35 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Fri May 25 10:10:35 2018 Need hold release from management interface, waiting...
Fri May 25 10:10:35 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Fri May 25 10:10:35 2018 MANAGEMENT: CMD 'state on'
Fri May 25 10:10:35 2018 MANAGEMENT: CMD 'log all on'
Fri May 25 10:10:35 2018 MANAGEMENT: CMD 'echo all on'
Fri May 25 10:10:35 2018 MANAGEMENT: CMD 'bytecount 5'
Fri May 25 10:10:35 2018 MANAGEMENT: CMD 'hold off'
Fri May 25 10:10:35 2018 MANAGEMENT: CMD 'hold release'
Fri May 25 10:10:35 2018 MANAGEMENT: CMD 'password [...]'
Fri May 25 10:10:35 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri May 25 10:10:35 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri May 25 10:10:35 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri May 25 10:10:35 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Fri May 25 10:10:35 2018 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri May 25 10:10:35 2018 Attempting to establish TCP connection with [AF_INET]x.x.x.x:1194 [nonblock]
Fri May 25 10:10:35 2018 MANAGEMENT: >STATE:1527207035,TCP_CONNECT,,,,,,
Fri May 25 10:12:35 2018 TCP: connect to [AF_INET]x.x.x.x:1194 failed: Unknown error
Fri May 25 10:12:35 2018 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Fri May 25 10:12:35 2018 MANAGEMENT: >STATE:1527207155,RECONNECTING,init_instance,,,,,
Fri May 25 10:12:35 2018 Restart pause, 5 second(s)
Fri May 25 10:12:40 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Fri May 25 10:12:40 2018 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri May 25 10:12:40 2018 Attempting to establish TCP connection with [AF_INET]x.x.x.x:1194 [nonblock]
Fri May 25 10:12:40 2018 MANAGEMENT: >STATE:1527207160,TCP_CONNECT,,,,,,
SERVER CONFIG
==============
dev tun
proto tcp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_3vIdOYrZcIIyut1C.crt
key /etc/openvpn/easy-rsa/pki/private/server_3vIdOYrZcIIyut1C.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 10 120
remote-cert-tls client
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
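Added example (not from the post, PiVPN or OpenVPN): a small Python triage script that reads the client output and server config above, embedded as constructed input, and classifies the failure. The attempt at 10:10:35 fails at 10:12:35, exactly 120 seconds later, which is OpenVPN's default --connect-timeout; a timeout means neither a SYN-ACK nor a RST came back, which is a different situation from "Connection refused" (a host answered, but nothing is listening on that port). The 120 s default (the client config is not shown in the post), the function names and the classification rules are this example's assumptions.

```python
"""Triage a failed OpenVPN TCP connect against the server config.

Added example for the forum post above; not the poster's code and not
part of PiVPN or OpenVPN. Inputs are constructed from the post.
"""
import re
from datetime import datetime

# Constructed input: the failing attempt from the client output in the post.
CLIENT_LOG = """\
Fri May 25 10:10:35 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Fri May 25 10:10:35 2018 Attempting to establish TCP connection with [AF_INET]x.x.x.x:1194 [nonblock]
Fri May 25 10:10:35 2018 MANAGEMENT: >STATE:1527207035,TCP_CONNECT,,,,,,
Fri May 25 10:12:35 2018 TCP: connect to [AF_INET]x.x.x.x:1194 failed: Unknown error
Fri May 25 10:12:35 2018 SIGUSR1[connection failed(soft),init_instance] received, process restarting
"""

# Constructed input: the transport-relevant lines of the server config in the post.
SERVER_CONF = """\
dev tun
proto tcp
port 1194
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
comp-lzo
"""

TS = r"(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
ATTEMPT_RE = re.compile(TS + r" Attempting to establish (?P<proto>TCP|UDP) connection with \[AF_INET6?\](?P<peer>\S+:\d+)")
FAIL_RE = re.compile(TS + r" TCP: connect to \[AF_INET6?\](?P<peer>\S+:\d+) failed: (?P<reason>.*)$")

# OpenVPN's --connect-timeout defaults to 120 s. Assumption: the client in the
# post runs with that default (its config is not shown).
CONNECT_TIMEOUT = 120


def parse_ts(raw: str) -> datetime:
    """OpenVPN pads single-digit days with a space; collapse before parsing."""
    return datetime.strptime(" ".join(raw.split()), "%a %b %d %H:%M:%S %Y")


def triage_connect(log: str, connect_timeout: int = CONNECT_TIMEOUT) -> dict:
    """Classify the first failed TCP connect in an OpenVPN client log.

    timeout: the attempt ran the whole connect-timeout with no SYN-ACK or RST,
             so the SYN was dropped or never forwarded to the server.
    refused: a host answered with RST: the path works, nothing listens there
             (forward rule points at the wrong host/port, or server is down).
    """
    attempt = None
    for line in log.splitlines():
        m = ATTEMPT_RE.match(line)
        if m:
            attempt = m
            continue
        m = FAIL_RE.match(line)
        if m and attempt and m["peer"] == attempt["peer"]:
            elapsed = (parse_ts(m["ts"]) - parse_ts(attempt["ts"])).total_seconds()
            reason = m["reason"].lower()
            if "refused" in reason:
                verdict = "refused"
            elif elapsed >= connect_timeout or "timed out" in reason:
                verdict = "timeout"
            else:
                verdict = "other"
            return {"verdict": verdict, "peer": m["peer"], "elapsed": elapsed, "reason": m["reason"]}
    return {"verdict": "no_failure"}


def parse_server_conf(conf: str) -> dict:
    """Map each OpenVPN directive to its argument list (first occurrence wins)."""
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts.setdefault(name, args)
    return opts


def check_server_conf(conf: str, client_proto: str, client_peer: str) -> list:
    """Return transport mismatches and hardening findings for the connect failure."""
    opts = parse_server_conf(conf)
    findings = []
    # Server default proto is udp; normalise tcp4/udp6/tcp-server to tcp/udp.
    proto = opts.get("proto", ["udp"])[0].lower().split("-")[0].rstrip("46")
    port = int(opts.get("port", ["1194"])[0])
    if proto != client_proto.lower():
        findings.append(f"proto mismatch: server listens on {proto}, client tried {client_proto.lower()}")
    client_port = int(client_peer.rsplit(":", 1)[1])
    if port != client_port:
        findings.append(f"port mismatch: server listens on {port}, client tried {client_port}")
    if "tls-auth" not in opts and "tls-crypt" not in opts:
        findings.append("no tls-auth/tls-crypt: unauthenticated peers reach the TLS stack directly")
    if "comp-lzo" in opts or "compress" in opts:
        findings.append("compression enabled: deprecated since OpenVPN 2.4 because of compression-oracle attacks (VORACLE); drop comp-lzo on server and clients")
    return findings


if __name__ == "__main__":
    result = triage_connect(CLIENT_LOG)
    print(result)
    for finding in check_server_conf(SERVER_CONF, "tcp", result["peer"]):
        print("-", finding)
```

On the post's log the verdict is "timeout" with elapsed 120 s, and the config check reports no proto/port mismatch, only the comp-lzo finding. A timeout verdict narrows the next step to packet capture on the Pi: run tcpdump on its LAN interface for tcp port 1194 while the client retries. If the client's SYN never arrives, the drop is upstream of the Pi (forward rule, ISP/CGNAT, or a client on the same LAN hitting the public IP through a router without NAT loopback); if the SYN arrives and nothing answers, look at the Pi's own firewall rules and at which address OpenVPN is bound to.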