Famous TLS error
Posted: Sat May 07, 2011 4:19 pm
by asmith
Hello,
I'm so new to this and I've been spending hours trying to get this working, which resulted in a nice headache

I found this tutorial and followed it exactly as it is:
http://library.linode.com/networking/op ... 0.04-lucid
This is my server conf file:
port 11194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
I changed the port because I thought my ISP was blocking port 1194.
This is my client conf (on Windows XP SP3):
client
dev tun
proto tcp
remote *my_ip* 11194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user1.crt
key user1.key
comp-lzo
verb 3
This is the log in my client: (a few attempts)
http://privatepaste.com/fcf61db074
Also the client was on and I went out of the room for some minutes, then I came back and it was connected. But I couldn't browse the web. I disconnected it and tried to connect again and it gave me the TLS error again. Unfortunately I don't have that log. But in the current log, on lines 121 and 122, I seem to have VERIFY OK, but no success there either.
I tried with UDP first but I was getting a "connection reset by peer" error, so I changed it to TCP and opened port 11194 in iptables with this:
-A INPUT -p tcp -m tcp --dport 11194 -j ACCEPT
Thanks for your time.
(I replaced my server ip address with *my_ip*.)
Re: Famous TLS error
Posted: Sat May 07, 2011 9:43 pm
by janjust
What does the server log show when the client connects? What happens if you increase the verbosity to 5 (on the server)?
TLS handshake errors are either certificate errors (which should show up on either the client or the server side) OR they are firewall errors (which can be troubleshot using 'iptables -j LOG' on the server).
Re: Famous TLS error
Posted: Sun May 08, 2011 6:02 am
by asmith
I changed the verbosity on the server to 5. Deleted the current openvpn.log on the server. Restarted the server and tried connecting. This is the new client log:
http://privatepaste.com/d933e11e00
And this is the server log: (changed client ip to *my_client_ip*)
http://privatepaste.com/7649d7c605
I've turned the Windows XP firewall off and there's no anti-virus running atm.
By running 'iptables -j LOG' I get this:
iptables v1.3.8: no command specified
Try `iptables -h' or 'iptables --help' for more information.
I'm using Ubuntu 8.04 as the server, btw.
Re: Famous TLS error
Posted: Sun May 08, 2011 7:04 am
by janjust
that is odd - both client and server logs show that the connection was not established properly at all, which points at either a firewalling issue or a general TCP connectivity problem.
By running 'iptables -j LOG' I get this:
I was assuming that you were familiar with 'iptables' syntax. What I meant was something like
iptables -I INPUT -p tcp -m tcp --dport 11194 -j LOG
this will log all connection attempts on TCP port 11194.
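The LOG rule above writes one kernel-log record per matching packet (on Ubuntu these normally land in /var/log/messages or /var/log/kern.log via syslog), so the question becomes how to read them. The script below is an added example, not code from the thread or from the OpenVPN project: it parses the KEY=VALUE layout of iptables LOG records and counts fresh connection attempts (SYN without ACK) to the OpenVPN port per source address, which is exactly what you need to tell "the client's packets never arrive" from "they arrive but the handshake dies". The sample log lines, host name, addresses and MACs are constructed for the example; the field layout is the real one.

```python
"""Summarize iptables LOG records for the OpenVPN port.
Added example; not from the thread or the OpenVPN project."""
import re
from collections import Counter

OPENVPN_PORT = 11194  # the port used in the thread

# Constructed sample of what the LOG target writes to the kernel log.
# Hosts, times, addresses and MACs are invented; the field layout is real.
SAMPLE_LOG = """\
May  8 07:05:12 vpnhost kernel: [ 9120.551] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:1c:f0:aa:bb:cc:08:00 SRC=203.0.113.7 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=40211 DF PROTO=TCP SPT=11827 DPT=11194 WINDOW=5840 RES=0x00 SYN URGP=0
May  8 07:05:13 vpnhost kernel: [ 9121.602] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:1c:f0:aa:bb:cc:08:00 SRC=203.0.113.7 DST=198.51.100.9 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=40212 DF PROTO=TCP SPT=11827 DPT=11194 WINDOW=5840 RES=0x00 ACK URGP=0
May  8 07:05:40 vpnhost kernel: [ 9148.003] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:1c:f0:aa:bb:cc:08:00 SRC=203.0.113.7 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=40300 DF PROTO=TCP SPT=11901 DPT=11194 WINDOW=5840 RES=0x00 SYN URGP=0
May  8 07:06:02 vpnhost kernel: [ 9170.118] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:1c:f0:dd:ee:ff:08:00 SRC=192.0.2.44 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=4433 DPT=11194 WINDOW=65535 RES=0x00 SYN URGP=0
May  8 07:06:05 vpnhost sshd[2201]: Accepted publickey for admin from 203.0.113.7 port 50122 ssh2
"""

# KEY=VALUE pairs as printed by the LOG target (OUT= may be empty).
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# TCP flags and the DF bit appear as bare words, not as KEY=VALUE.
FLAG_WORDS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "CWR", "ECE"}


def parse_log_line(line):
    """Return a dict of the record's fields plus a 'flags' set,
    or None when the line is not an iptables LOG record."""
    if "PROTO=" not in line or "DPT=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    fields["flags"] = {word for word in line.split() if word in FLAG_WORDS}
    return fields


def summarize_attempts(log_text, port):
    """Count new TCP connection attempts (SYN without ACK) to `port` per
    source IP. Returns (Counter of SYNs by SRC, number of other packets
    to the port), so a silent client shows up as an empty Counter."""
    syns = Counter()
    other_packets = 0
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec.get("PROTO") != "TCP" or rec.get("DPT") != str(port):
            continue
        if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            syns[rec["SRC"]] += 1
        else:
            other_packets += 1
    return syns, other_packets


if __name__ == "__main__":
    attempts, others = summarize_attempts(SAMPLE_LOG, OPENVPN_PORT)
    for src, count in attempts.most_common():
        print(f"{src}: {count} connection attempt(s) to port {OPENVPN_PORT}")
    print(f"{others} other packet(s) to port {OPENVPN_PORT}")
```

In practice you would feed it the real file (`python3 this.py < /var/log/messages` after swapping SAMPLE_LOG for `sys.stdin.read()`). Two operational points: a bare LOG rule logs every packet, so on a busy port rate-limit it with `-m limit --limit 5/min` in the same rule; and the rule is removed with the same match spec and `-D` instead of `-I`, i.e. `iptables -D INPUT -p tcp -m tcp --dport 11194 -j LOG`.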
Re: Famous TLS error
Posted: Sun May 08, 2011 8:04 am
by asmith
I put in that syntax for logging, then I tried again. This time it connected but I couldn't browse the web through my LAN, and I pressed "reconnected" and it went back to the TLS error.
This is the client log for this new try:
http://www.privatepaste.com/b88cbc7fac
This is the server log: (user1 = makhmakh)
http://privatepaste.com/acfe46a7f7
Is the iptables log in /var/log/messages? And how do you stop logging port 11194?
I have a feeling that my client ISP has something to do with this.
Re: Famous TLS error
Posted: Sun May 08, 2011 9:27 pm
by janjust
the new server log shows interesting info:
first of all, you have tons of
MULTI: bad source address from client [192.168.1.10]
warnings; these *may* be harmless but you might want to look into them; is 192.168.1.10 the LAN IP address of the VPN client?
second of all, the warning
*my_client_ip*:11827 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1544 -- please ensure that --tun-mtu or --link-mtu is equal on both peers
suggests that the traffic is being tampered with - as you said, you suspect your ISP; can you reach the VPN server using SSH?
Re: Famous TLS error
Posted: Mon May 09, 2011 5:09 am
by asmith
1. Yes, the IP address of the VPN client LAN is 192.168.1.10
Those bad source address from client are when I tried to open up some page via client browser to see if it is working. (when it said it connected)
2. Yes, I can connect to VPN server via SSH.
Re: Famous TLS error
Posted: Mon May 09, 2011 6:14 am
by janjust
1. Yes, the IP address of the VPN client LAN is 192.168.1.10
Those bad source address from client are when I tried to open up some page via client browser to see if it is working. (when it said it connected)
hmmm, something funny is going on with routing then; your client should be using the LAN address to connect over the VPN.
2. Yes, I can connect to VPN server via SSH.
ah, then you can consider bypassing the ISP by
1) ssh to your vpn server using
2) add 'socks-proxy' support to your openvpn client config using
this will ensure OpenVPN connects (in tcp mode) via the SSH SOCKS tunnel to your vpn server.
Re: Famous TLS error
Posted: Mon May 09, 2011 7:08 am
by asmith
I'm really sorry. I didn't get this part:
Where should it go?
atm I use Putty to connect to my ubuntu server. (the VPN server)
Re: Famous TLS error
Posted: Mon May 09, 2011 7:36 am
by janjust
configure PuTTY to use Tunneling, add a Dynamic port 1080; included is a sample for port 2000.
Open this PuTTY session, make sure it remains alive, then connect OpenVPN.

Re: Famous TLS error
Posted: Mon May 09, 2011 3:11 pm
by asmith
1.
Yeah, it connected. I tried twice in a row and both connected successfully. But after connecting I still can't browse any website. My browser always stays at "Looking up http://www.google.com ..." and then it fails. As soon as it connects, my internet becomes unavailable and I can do nothing until I disconnect it. Are there any client configurations I have missed?
This is my client log:
http://privatepaste.com/de27ae02ea
This is my server log:
http://privatepaste.com/8733f540f3
2.
So back to the connection problem, it seems my ISP is doing something to openvpn. How many ways are there to mess with openvpn? I mean, is it possible to change some settings like the port (which I already did) in openvpn and bypass it? It seems they are blocking openvpn in some way but I have no idea how they are doing this.
Again, I don't feel comfortable opening up PuTTY each time I want to connect, especially what if I want to give the username and password to somebody else besides me?
3. How do you disable iptables log?
The one we did by this command:
iptables -I INPUT -p tcp -m tcp --dport 11194 -j LOG
Thank you for carrying on with me. At least we made some progress.

Re: Famous TLS error
Posted: Mon May 09, 2011 9:13 pm
by janjust
first of all, I assume
means you've sanitized your server log file....
as for your questions:
* try adding
route <server-IP> 255.255.255.255 net_gateway
to the client config file, where <server-IP> is the public IP address of your VPN server
* providers can monitor for OpenVPN traffic, which has an easily discernible signature; they can then block the traffic or mess in many other ways with it. Some cheapo home routers are also known to do this (but that's a bug)
* first make sure the VPN works via SSH; then at least you know your VPN setup is correct. As for always having to set up an SSH tunnel: that's not very practical, indeed, but you don't have to give out the password to others - you can use SSH public/private keys for that (but that is off topic for this forum).
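Three things in this thread boil down to "the two config files must agree": the server's port and proto must match the client's remote line, the MTU warning quoted earlier is what you get when tun-mtu/link-mtu (or comp-lzo) differ between peers, and once the client goes through an SSH SOCKS tunnel the SSH connection to the server has to be routed around the VPN with a net_gateway host route. The checker below is an added example, not code from the thread or the OpenVPN project; it parses both files and reports those mismatches. The client config is the one posted above plus janjust's socks-proxy and route additions; the server address 198.51.100.9 and local SOCKS port 1080 are constructed placeholders.

```python
"""Consistency check of an OpenVPN server/client config pair.
Added example; not from the thread or the OpenVPN project."""
import shlex

# Server config as posted in the thread (abridged to the directives checked here).
SERVER_CONF = """
port 11194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
keepalive 10 120
comp-lzo
verb 3
"""

# Client config from the thread plus the socks-proxy and net_gateway route
# suggested in the replies. 198.51.100.9 and port 1080 are constructed values.
CLIENT_CONF_GOOD = """
client
dev tun
proto tcp
remote 198.51.100.9 11194
socks-proxy 127.0.0.1 1080
route 198.51.100.9 255.255.255.255 net_gateway
resolv-retry infinite
nobind
ca ca.crt
cert user1.crt
key user1.key
comp-lzo
verb 3
"""

# Same client with three mistakes: proto and port disagree with the server,
# and the SSH session carrying the SOCKS tunnel is not routed around the VPN.
CLIENT_CONF_BAD = (CLIENT_CONF_GOOD
                   .replace("proto tcp", "proto udp")
                   .replace("remote 198.51.100.9 11194", "remote 198.51.100.9 1194")
                   .replace("route 198.51.100.9 255.255.255.255 net_gateway\n", ""))


def parse_openvpn_conf(text):
    """Return a list of (directive, [args]); '#' and ';' comments are dropped.
    Quoted arguments such as push "redirect-gateway def1" stay one token."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            entries.append((tokens[0], tokens[1:]))
    return entries


def first(entries, name, default=None):
    """Arguments of the first occurrence of `name`, or `default` if absent."""
    for directive, args in entries:
        if directive == name:
            return args
    return default


def check_pair(server_text, client_text):
    """Return human-readable mismatches; an empty list means the pair agrees."""
    s, c = parse_openvpn_conf(server_text), parse_openvpn_conf(client_text)
    problems = []

    # OpenVPN defaults to UDP and port 1194; tcp-server/tcp-client count as tcp.
    s_proto = first(s, "proto", ["udp"])[0].split("-")[0]
    c_proto = first(c, "proto", ["udp"])[0].split("-")[0]
    if s_proto != c_proto:
        problems.append(f"proto mismatch: server {s_proto}, client {c_proto}")

    s_port = first(s, "port", ["1194"])[0]
    remotes = [args for d, args in c if d == "remote"]
    if not remotes:
        problems.append("client has no 'remote' directive")
    for args in remotes:
        r_port = args[1] if len(args) > 1 else first(c, "port", ["1194"])[0]
        if r_port != s_port:
            problems.append(f"port mismatch: server listens on {s_port}, remote uses {r_port}")

    # Must be identical on both peers; a disagreement here produces the
    # "Bad encapsulated packet length ... --tun-mtu or --link-mtu" warning.
    for opt in ("comp-lzo", "tun-mtu", "link-mtu"):
        if first(s, opt) != first(c, opt):
            problems.append(f"{opt} differs: server={first(s, opt)} client={first(c, opt)}")

    # With a local SOCKS proxy fed by SSH, the SSH connection to the server
    # must keep using the real gateway or it dies when redirect-gateway kicks in.
    if first(c, "socks-proxy") is not None:
        bypassed = {args[0] for d, args in c
                    if d == "route" and len(args) >= 3 and args[2] == "net_gateway"}
        for args in remotes:
            if args[0] not in bypassed:
                problems.append(f"socks-proxy in use but no 'route {args[0]} 255.255.255.255 net_gateway'")
    return problems


if __name__ == "__main__":
    for label, conf in (("good", CLIENT_CONF_GOOD), ("bad", CLIENT_CONF_BAD)):
        print(label, check_pair(SERVER_CONF, conf) or "OK")
```

Run it against your own pair by reading the two files into the string constants; it only inspects directives, so it never needs the keys or certificates.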