Client unable to connect

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Nevo
OpenVpn Newbie
Posts: 3
Joined: Thu Jan 18, 2024 5:22 pm

Client unable to connect

Post by Nevo » Thu Jan 18, 2024 7:24 pm

I'm trying to set up an OpenVPN server on an EC2 instance to allow me access to my VPC.

Details:

VPC CIDR: 10.2.4.0/22
AZ1 subnet: 10.2.4.0/24
AZ2 subnet: 10.2.5.0/24
AZ3 subnet: 10.2.6.0/24

EC2 instance is at 10.2.5.168 in the private VPC.

EC2 instance has elastic IP assigned to it and DNS record 'my-openvpn-server.example.com' points to it.

I used my local laptop to create a CA with a self-signed cert, and then to create keys and certs for the client and for the server with that CA. I copied the server's cert, the server's private key, and the CA's cert to the server.

Server conf file:


tls-server
key openvpn_privatekey.pem
cert openvpn_cert.pem
ca ca_cert.pem
dh dh2048.pem
remote-cert-eku "TLS Web Client Authentication"
dev openvpn-tunnel
dev-type tun
topology subnet

server 10.255.255.0 255.255.255.0
push "route 10.2.4.0 255.255.252.0"

Client conf file:


tls-client
key /usr/bin/local-ca/openvpn-client/openvpn-client_privatekey.pem
cert /usr/bin/local-ca/openvpn-client/openvpn-client.pem
ca /usr/bin/local-ca/cacert.pem
# OpenVPN compares this string exactly against the EKU names in the server
# certificate; the name is "TLS Web Server Authentication" (OID 1.3.6.1.5.5.7.3.1)
remote-cert-eku "TLS Web Server Authentication"
dev openvpn-tunnel
dev-type tun
topology subnet
pull
remote my-openvpn-server.example.com

Server log:


sudo openvpn ./openvpn-server.conf
<date> 17:01:38 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
<date> 17:01:38 WARNING: file 'openvpn_privatekey.pem' is group or others accessible
<date> 17:01:38 OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 29 2023
<date> 17:01:38 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
<date> 17:01:38 WARNING: --keepalive option is missing from server config
🔐 Enter Private Key Password: *******
<date> 17:01:40 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
<date> 17:01:40 TUN/TAP device openvpn-tunnel opened
<date> 17:01:40 net_iface_mtu_set: mtu 1500 for openvpn-tunnel
<date> 17:01:40 net_iface_up: set openvpn-tunnel up
<date> 17:01:40 net_addr_v4_add: 10.255.255.1/24 dev openvpn-tunnel
<date> 17:01:40 Could not determine IPv4/IPv6 protocol. Using AF_INET
<date> 17:01:40 UDPv4 link local (bound): [AF_INET][undef]:1194
<date> 17:01:40 UDPv4 link remote: [AF_UNSPEC]
<date> 17:01:40 Initialization Sequence Completed
<date> 17:11:35 47.185.112.95:53384 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
<date> 17:11:35 47.185.112.95:53384 TLS Error: TLS handshake failed
<date> 17:12:50 47.185.112.95:53384 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
<date> 17:12:50 47.185.112.95:53384 TLS Error: TLS handshake failed
<date> 17:14:27 47.185.112.95:53384 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
<date> 17:14:27 47.185.112.95:53384 TLS Error: TLS handshake failed
^C
<date> 17:30:02 event_wait : Interrupted system call (code=4)
<date> 17:30:02 net_addr_v4_del: 10.255.255.1 dev openvpn-tunnel
<date> 17:30:02 SIGINT[hard,] received, process exiting

Client log:


[11:10:32] me@mymachine:~$ sudo openvpn ./openvpn-client.conf
<date> 11:10:34 2024 WARNING: file '/usr/bin/local-ca/openvpn-client/openvpn-client_privatekey.pem' is group or others accessible
<date> 11:10:34 2024 OpenVPN 2.4.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Aug 21 2023
<date> 11:10:34 2024 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Enter Private Key Password:
<date> 11:10:37 2024 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
<date> 11:10:37 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:10:37 2024 UDP link local (bound): [AF_INET][undef]:1194
<date> 11:10:37 2024 UDP link remote: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:10:37 2024 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
<date> 11:10:37 2024 TLS_ERROR: BIO read tls_read_plaintext error
<date> 11:10:37 2024 TLS Error: TLS object -> incoming plaintext read error
<date> 11:10:37 2024 TLS Error: TLS handshake failed
<date> 11:10:37 2024 SIGUSR1[soft,tls-error] received, process restarting
<date> 11:10:42 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:10:42 2024 UDP link local (bound): [AF_INET][undef]:1194
<date> 11:10:42 2024 UDP link remote: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:10:42 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_CONTROL_V1)
<date> 11:10:42 2024 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
<date> 11:10:42 2024 TLS_ERROR: BIO read tls_read_plaintext error
<date> 11:10:42 2024 TLS Error: TLS object -> incoming plaintext read error
<date> 11:10:42 2024 TLS Error: TLS handshake failed
<date> 11:10:42 2024 SIGUSR1[soft,tls-error] received, process restarting
<date> 11:10:47 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:10:47 2024 UDP link local (bound): [AF_INET][undef]:1194
<date> 11:10:47 2024 UDP link remote: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:10:47 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_ACK_V1)
<date> 11:10:48 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_CONTROL_V1)
<date> 11:10:50 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_ACK_V1)
<date> 11:10:51 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_CONTROL_V1)
<date> 11:10:54 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_ACK_V1)
<date> 11:10:56 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_CONTROL_V1)
<date> 11:11:03 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_ACK_V1)
<date> 11:11:07 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_CONTROL_V1)
<date> 11:11:13 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_CONTROL_V1)
<date> 11:11:18 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_ACK_V1)
<date> 11:11:47 2024 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
<date> 11:11:47 2024 TLS Error: TLS handshake failed
<date> 11:11:47 2024 SIGUSR1[soft,tls-error] received, process restarting
<date> 11:11:52 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:11:52 2024 UDP link local (bound): [AF_INET][undef]:1194
<date> 11:11:52 2024 UDP link remote: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:11:52 2024 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
<date> 11:11:52 2024 TLS_ERROR: BIO read tls_read_plaintext error
<date> 11:11:52 2024 TLS Error: TLS object -> incoming plaintext read error
<date> 11:11:52 2024 TLS Error: TLS handshake failed
<date> 11:11:52 2024 SIGUSR1[soft,tls-error] received, process restarting
<date> 11:11:57 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:11:57 2024 UDP link local (bound): [AF_INET][undef]:1194
<date> 11:11:57 2024 UDP link remote: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:11:57 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_CONTROL_V1)
<date> 11:11:57 2024 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
<date> 11:11:57 2024 TLS_ERROR: BIO read tls_read_plaintext error
<date> 11:11:57 2024 TLS Error: TLS object -> incoming plaintext read error
<date> 11:11:57 2024 TLS Error: TLS handshake failed
<date> 11:11:57 2024 SIGUSR1[soft,tls-error] received, process restarting
<date> 11:12:07 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:12:07 2024 UDP link local (bound): [AF_INET][undef]:1194
<date> 11:12:07 2024 UDP link remote: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:12:07 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_ACK_V1)
<date> 11:12:09 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_ACK_V1)
<date> 11:12:11 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_CONTROL_V1)
<date> 11:12:14 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_ACK_V1)
<date> 11:12:22 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_CONTROL_V1)
<date> 11:12:22 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_ACK_V1)
<date> 11:12:27 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_CONTROL_V1)
<date> 11:12:38 2024 TLS Error: Unroutable control packet received from [AF_INET]<my.openvpnserver.ip.address>:1194 (si=3 op=P_ACK_V1)
<date> 11:13:07 2024 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
<date> 11:13:07 2024 TLS Error: TLS handshake failed
<date> 11:13:07 2024 SIGUSR1[soft,tls-error] received, process restarting
<date> 11:13:28 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:13:28 2024 UDP link local (bound): [AF_INET][undef]:1194
<date> 11:13:28 2024 UDP link remote: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:13:28 2024 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
<date> 11:13:28 2024 TLS_ERROR: BIO read tls_read_plaintext error
<date> 11:13:28 2024 TLS Error: TLS object -> incoming plaintext read error
<date> 11:13:28 2024 TLS Error: TLS handshake failed
<date> 11:13:28 2024 SIGUSR1[soft,tls-error] received, process restarting
<date> 11:14:08 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:14:08 2024 UDP link local (bound): [AF_INET][undef]:1194
<date> 11:14:08 2024 UDP link remote: [AF_INET]<my.openvpnserver.ip.address>:1194
<date> 11:14:08 2024 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
<date> 11:14:08 2024 TLS_ERROR: BIO read tls_read_plaintext error
<date> 11:14:08 2024 TLS Error: TLS object -> incoming plaintext read error
<date> 11:14:08 2024 TLS Error: TLS handshake failed
<date> 11:14:08 2024 SIGUSR1[soft,tls-error] received, process restarting
^C
<date> 11:14:50 2024 SIGINT[hard,init_instance] received, process exiting

Is there enough here for someone to suggest what might be wrong?

Nevo
OpenVpn Newbie
Posts: 3
Joined: Thu Jan 18, 2024 5:22 pm

Re: Client unable to connect

Post by Nevo » Thu Jan 18, 2024 8:15 pm

Aha! It appears the EKU on my certificates wasn't set. If I remove the EKU verification from the conf files I no longer get errors in the output.

I still can't connect to a server on the other side of the VPN server, but now it at least appears that the client and server are connecting. More troubleshooting to come...
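
Dropping remote-cert-eku makes the error go away, but it also drops the check that the peer you reached is actually a designated server. What the client's "certificate verify failed" hides is that remote-cert-eku fails both when the certificate has no extendedKeyUsage extension at all (the case above) and when the string in the config does not exactly match one of the certificate's EKU names or its dotted OID. The script below is an added example by the editor, not code from the thread: it builds a throwaway CA and three leaf certificates (serverAuth EKU, no EKU, clientAuth only) in a temp directory, prints the EKU names OpenSSL sees, and applies the same two tests a client performs, chain verification for the sslserver purpose and an exact EKU-name match. All names and the inline req config are made up for the example. The usual shorthand in a client config is `remote-cert-tls server`, which is this EKU check plus a keyUsage check.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): reproduce OpenVPN's
# --remote-cert-eku decision with plain openssl so you can see why a
# certificate fails it before touching the VPN config.
# Everything here is a throwaway lab CA in a temp dir; names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = example-lab-ca
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Throwaway CA (constructed for this example).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
  -config "$WORK/req.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_cert <name> [<extendedKeyUsage value>]: sign a leaf with the lab CA,
# with or without an EKU extension (the "without" case is what the post hit).
issue_cert() {
  name=$1; eku=${2:-}
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=$name" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -n "$eku" ]; then
    printf 'extendedKeyUsage = %s\n' "$eku" > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 1 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 1 -out "$WORK/$name.crt" 2>/dev/null
  fi
}

# cert_eku <cert>: the EKU names OpenSSL reports, comma separated, or "none".
cert_eku() {
  ekus=$(openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
         | awk '/Extended Key Usage/ {found=1; next} found {sub(/^ +/, ""); print}')
  if [ -n "$ekus" ]; then printf '%s\n' "$ekus"; else printf 'none\n'; fi
}

# eku_allows <cert> "<EKU name>": succeed only if the EKU extension is present
# and lists exactly that name. This is the --remote-cert-eku rule: a missing
# extension fails, and so does a misspelled name such as "TSL Web Server ...".
eku_allows() {
  cert_eku "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq -- "$2"
}

# chain_ok <cert> <sslserver|sslclient>: the chain half of the client's
# "certificate verify failed", using OpenSSL's own purpose check.
chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$1" >/dev/null 2>&1
}

issue_cert srv_eku   serverAuth
issue_cert srv_noeku
issue_cert cli_eku   clientAuth

for c in srv_eku srv_noeku cli_eku; do
  printf '%-10s EKU=%s | chain(sslserver)=%s | remote-cert-eku(server)=%s\n' "$c" \
    "$(cert_eku "$WORK/$c.crt")" \
    "$(chain_ok "$WORK/$c.crt" sslserver && echo ok || echo FAIL)" \
    "$(eku_allows "$WORK/$c.crt" 'TLS Web Server Authentication' && echo ok || echo FAIL)"
done
```

Note the middle row: a certificate with no EKU passes plain chain verification (OpenSSL treats an absent EKU as "any purpose") yet fails remote-cert-eku, which is exactly the split seen in the post. Run `cert_eku` against the real server certificate before deciding whether the fix belongs in the CA's signing extensions or in the client config.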

Nevo
OpenVpn Newbie
Posts: 3
Joined: Thu Jan 18, 2024 5:22 pm

Re: Client unable to connect

Post by Nevo » Thu Jan 18, 2024 8:27 pm

Okay, I can now get the client to connect to the server, but I can't access a webserver on the other side of the VPN server from the client:


[14:14:33] me@mylaptop:~$ wget http://10.2.5.123
--2024-01-18 14:16:50--  http://10.2.5.123/
Connecting to 10.2.5.123:80... failed: Connection timed out.
Retrying.

--2024-01-18 14:19:00--  (try: 2)  http://10.2.5.123/
Connecting to 10.2.5.123:80... failed: Network is unreachable.

But the route table looks right; the VPN server is at 10.255.255.1 and is routing 10.2.4.0/22 to my AWS VPC:


[14:21:12] me@mylaptop:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         mylaptop        0.0.0.0         UG    0      0        0 eth0
10.2.4.0        10.255.255.1    255.255.252.0   UG    0      0        0 openvpn-tunnel
10.255.255.0    0.0.0.0         255.255.255.0   U     0      0        0 openvpn-tunnel
172.17.112.0    0.0.0.0         255.255.240.0   U     0      0        0 eth0

The logs show the server is pushing the config to the client:


SENT CONTROL [openvpn-client.example.com]: 'PUSH_REPLY,route 10.2.4.0 255.255.252.0,route-gateway 10.255.255.1,topology subnet,ifconfig 10.255.255.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)

The client is an Ubuntu WSL2 instance on Windows 10 which behaves as expected when OpenVPN isn't in the picture. I don't think this layer of abstraction is relevant but I'm mentioning it here just in case.

What next step am I missing here?
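
The thread ends here without a resolution, so what follows is the editor's added checklist, not an answer from the thread. The client side shown above is in order: the route for 10.2.4.0/22 via 10.255.255.1 is installed and the server pushes it. The remaining suspects are on the EC2 side, and the usual one is the return path: a VPC route table knows only the VPC CIDR (10.2.4.0/22) by default, so a host at 10.2.5.123 has no route back to a client at 10.255.255.2 unless the server SNATs the tunnel behind its own VPC address or the route table is given an entry for 10.255.255.0/24 pointing at the instance (which in turn requires the instance's source/destination check to be off). IP forwarding on the EC2 host and the target's security group have to be right as well. The script below (example code, not from the thread) encodes that reasoning as a small routable-reply check using the addresses from the post, and carries the two server-side setups as functions; the instance id, route table id and interface name in them are placeholders.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): server-side checklist for
# getting tunnel clients to VPC hosts, plus a small routable-reply check.
# Addresses are the ones from the post; instance id, route table id and
# interface name are placeholders you must replace.
set -u

VPC_CIDR=10.2.4.0/22          # from the post
VPN_SUBNET=10.255.255.0/24    # from the post ("server 10.255.255.0 ...")
SERVER_VPC_IP=10.2.5.168      # from the post

# ip_to_int <a.b.c.d>: dotted quad as a 32-bit integer (POSIX sh arithmetic).
ip_to_int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr <ip> <net/prefix>: succeed if ip lies inside the prefix.
in_cidr() {
  ip=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# reply_path <source address the VPC host sees>: the VPC route table only
# knows the VPC CIDR by default, so a reply to a tunnel address needs an
# explicit route, or the server must SNAT so the host sees a VPC address.
reply_path() {
  if in_cidr "$1" "$VPC_CIDR"; then echo vpc-local; else echo needs-vpc-route; fi
}

# Option A: NAT the tunnel behind the instance's VPC address. Needs root on
# the EC2 host; no AWS-side change, because every packet the VPC sees is
# then sourced from or addressed to the instance itself. <iface> is the
# VPC-facing interface (placeholder, e.g. eth0 or ens5).
enable_forwarding_with_nat() {   # enable_forwarding_with_nat <iface>
  sysctl -w net.ipv4.ip_forward=1
  iptables -t nat -A POSTROUTING -s "$VPN_SUBNET" -o "$1" -j MASQUERADE
}

# Option B: keep real client addresses. The instance then forwards packets
# it is neither source nor destination of, so its source/dest check must be
# off and the VPC route table needs 10.255.255.0/24 -> this instance. Target
# hosts' security groups must allow 10.255.255.0/24 in this case (with
# option A they must allow the instance's address instead).
# <i-...> and <rtb-...> are placeholders.
enable_forwarding_with_vpc_route() {  # enable_forwarding_with_vpc_route <i-...> <rtb-...>
  sysctl -w net.ipv4.ip_forward=1
  aws ec2 modify-instance-attribute --instance-id "$1" --no-source-dest-check
  aws ec2 create-route --route-table-id "$2" \
    --destination-cidr-block "$VPN_SUBNET" --instance-id "$1"
}

# What a host such as 10.2.5.123 sees in each setup (nothing is changed here).
printf 'no NAT  : reply to %-14s -> %s\n' 10.255.255.2     "$(reply_path 10.255.255.2)"
printf 'with NAT: reply to %-14s -> %s\n' "$SERVER_VPC_IP" "$(reply_path "$SERVER_VPC_IP")"
```

Neither setup function runs by default; pick one. The quickest confirmation of the diagnosis is `tcpdump -ni <iface> host 10.2.5.123` on the EC2 host while the client runs the wget: if SYNs leave with source 10.255.255.2 and nothing comes back, it is the return path; if no SYNs leave at all, ip_forward is off.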
