Fail to connect when using local in config

How to customize and extend your OpenVPN installation.
Post Reply
CYberCowboy
OpenVpn Newbie
Posts: 4
Joined: Mon Oct 07, 2019 8:15 pm

Fail to connect when using local in config

Post by CYberCowboy » Wed Oct 09, 2019 7:05 pm

I'm trying to route all of my torrenting on a linux (Fedora 27) box with dual NIC (192.168.1.25, 192.168.1.28)

NordVPN is whom I'm using to connect, an unmodified config:

Code: Select all

client
dev tun
proto udp
remote 185.229.59.130 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no

remote-cert-tls server

auth-user-pass
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512

<ca>
-----trimming off certificates-----
key-direction 1
<tls-auth>
Connects just fine, however if I comment out the nobind and add 'local 192.168.1.28' I hang with the following message:

Code: Select all

openvpn test.ovpn
Wed Oct  9 14:04:03 2019 WARNING: file 'pass.txt' is group or others accessible
Wed Oct  9 14:04:03 2019 OpenVPN 2.4.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
Wed Oct  9 14:04:03 2019 library versions: OpenSSL 1.1.0i-fips  14 Aug 2018, LZO 2.08
Wed Oct  9 14:04:03 2019 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Wed Oct  9 14:04:03 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Oct  9 14:04:03 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Oct  9 14:04:03 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]185.229.59.130:1194
Wed Oct  9 14:04:03 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Oct  9 14:04:03 2019 UDP link local (bound): [AF_INET]192.168.1.28:1194
Wed Oct  9 14:04:03 2019 UDP link remote: [AF_INET]185.229.59.130:1194
Wed Oct  9 14:04:03 2019 OpenVPN 2.4.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
Wed Oct  9 14:04:03 2019 library versions: OpenSSL 1.1.0i-fips  14 Aug 2018, LZO 2.08
Wed Oct  9 14:04:03 2019 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Wed Oct  9 14:04:03 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Oct  9 14:04:03 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Oct  9 14:04:03 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]185.229.59.130:1194
Wed Oct  9 14:04:03 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Oct  9 14:04:03 2019 UDP link local (bound): [AF_INET]192.168.1.28:1194
Wed Oct  9 14:04:03 2019 UDP link remote: [AF_INET]185.229.59.130:1194
Wed Oct  9 14:05:03 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Oct  9 14:05:03 2019 TLS Error: TLS handshake failed
Wed Oct  9 14:05:03 2019 SIGUSR1[soft,tls-error] received, process restarting
Wed Oct  9 14:05:03 2019 Restart pause, 5 second(s)
Wed Oct  9 14:05:08 2019 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Wed Oct  9 14:05:08 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]185.229.59.130:1194
Wed Oct  9 14:05:08 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Oct  9 14:05:08 2019 UDP link local (bound): [AF_INET]192.168.1.28:1194
Wed Oct  9 14:05:08 2019 UDP link remote: [AF_INET]185.229.59.130:1194

Any idea what would be the issue?

CYberCowboy
OpenVpn Newbie
Posts: 4
Joined: Mon Oct 07, 2019 8:15 pm

Re: Fail to connect when using local in config

Post by CYberCowboy » Wed Oct 09, 2019 7:08 pm

BTW here's my routing table:

netstat -afr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default router.heftihom 0.0.0.0 UG 0 0 0 eno1
default router.heftihom 0.0.0.0 UG 0 0 0 eno2
default router.heftihom 0.0.0.0 UG 0 0 0 eno1
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eno2
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eno1

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 6024
Joined: Fri Jun 03, 2016 1:17 pm

Re: Fail to connect when using local in config

Post by TinCanTech » Wed Oct 09, 2019 7:15 pm

See --nobind in the manual ..

Openvpn does not manage your client when it is a multihomed machine.
You have to setup routing correctly prior to running openvpn.

CYberCowboy
OpenVpn Newbie
Posts: 4
Joined: Mon Oct 07, 2019 8:15 pm

Re: Fail to connect when using local in config

Post by CYberCowboy » Wed Oct 09, 2019 7:22 pm

TinCanTech wrote:
Wed Oct 09, 2019 7:15 pm
See --nobind in the manual ..

Openvpn does not manage your client when it is a multihomed machine.
You have to setup routing correctly prior to running openvpn.
--nobind
Do not bind to local address and port. The IP stack will allocate a dynamic port for returning packets. Since the value of the dynamic port could not be known in advance by a peer, this option is only suitable for peers which will be initiating connections by using the --remote option.

As I'm reading it, it's simply stating that I can't use nobind while also trying to bind to the ip address (which is logical) that's why I commented it out in my config that is failing. Am I misunderstanding something?

CYberCowboy
OpenVpn Newbie
Posts: 4
Joined: Mon Oct 07, 2019 8:15 pm

Re: Fail to connect when using local in config

Post by CYberCowboy » Wed Oct 09, 2019 7:24 pm

ah ok, that makes more sense off to play with route tables.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 6024
Joined: Fri Jun 03, 2016 1:17 pm

Re: Fail to connect when using local in config

Post by TinCanTech » Wed Oct 09, 2019 8:03 pm

To be honest, openvpn may not be able to handle your specific use case ..

More accurately, openvpn handles clients differently to servers.
While servers can be complex and there are useful openvpn directives to make sure openvpn works correctly, on the client side, openvpn is less flexible. Which means, get your client network setup correctly and openvpn should work, otherwise there will probably be pain ..

Post Reply