We have a small office setup. Currently, due to the pandemic, employees need to work remotely, therefore we are trying to configure OpenVPN so they can access internal applications. Using the following tutorial I'm able to connect OpenVPN from inside the office network. However, if I switch to a different internet connection other than the office network, the VPN does not connect. Wireshark shows P_Control_Hard_Reset_Client_V2. Since I'm able to connect internally I don't think that there would be any issue on the server side; however, I think I am making some mistake while routing the UDP connection. We have a basic D-Link DIR-600M router where I have added the internal server IP under the Advanced and Private server option and port 1149 to be forwarded (all public IP requests with UDP port 1194 to be routed to 192.168.0.3 UDP port 1194). I also checked with the ISP and they said that port 1194 UDP is open. However, if I try to connect using our public IP, OpenVPN does not connect.

My configuration: I have installed the VPN server and the CA server using KVM under one physical computer. They both are connected through a bridge connection and have specific IPs assigned: 192.168.0.2 for the VPN and 192.168.0.3 for the CA. Any suggestions please?

I'm getting the following error:
Sun Jul 19 09:35:42 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020
Sun Jul 19 09:35:42 2020 library versions: OpenSSL 1.1.1c FIPS 28 May 2019, LZO 2.08
Sun Jul 19 09:35:42 2020 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jul 19 09:35:42 2020 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jul 19 09:35:42 2020 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jul 19 09:35:42 2020 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jul 19 09:35:42 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]MY_PUBLIC_IP:1194
Sun Jul 19 09:35:42 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jul 19 09:35:42 2020 UDP link local: (not bound)
Sun Jul 19 09:35:42 2020 UDP link remote: [AF_INET]MY_PUBLIC_IP:1194
Sun Jul 19 09:35:42 2020 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sun Jul 19 09:36:42 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jul 19 09:36:42 2020 TLS Error: TLS handshake failed
Sun Jul 19 09:36:42 2020 SIGUSR1[soft,tls-error] received, process restarting
Sun Jul 19 09:36:42 2020 Restart pause, 5 second(s)
Sun Jul 19 09:36:48 2020 RESOLVE: Cannot resolve host address: vpn.MY_SERVERE.net:1194 (Name or service not known)
Sun Jul 19 09:36:53 2020 RESOLVE: Cannot resolve host address: vpn.MY_SERVERE.net:1194 (Name or service not known)
Sun Jul 19 09:36:53 2020 Could not determine IPv4/IPv6 protocol
Sun Jul 19 09:36:53 2020 SIGUSR1[soft,init_instance] received, process restarting
Sun Jul 19 09:36:53 2020 Restart pause, 5 second(s)
Sun Jul 19 09:36:58 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]MY_PUBLIC_IP:1194
Sun Jul 19 09:36:58 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jul 19 09:36:58 2020 UDP link local: (not bound)
Sun Jul 19 09:36:58 2020 UDP link remote: [AF_INET]MY_PUBLIC_IP:1194
However, if I try from the office network it connects successfully:
Sun Jul 19 10:05:27 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020
Sun Jul 19 10:05:27 2020 library versions: OpenSSL 1.1.1c FIPS 28 May 2019, LZO 2.08
Sun Jul 19 10:05:27 2020 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jul 19 10:05:27 2020 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jul 19 10:05:27 2020 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jul 19 10:05:27 2020 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jul 19 10:05:27 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.3:1194
Sun Jul 19 10:05:27 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jul 19 10:05:27 2020 UDP link local: (not bound)
Sun Jul 19 10:05:27 2020 UDP link remote: [AF_INET]192.168.0.3:1194
Sun Jul 19 10:05:27 2020 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sun Jul 19 10:05:27 2020 TLS: Initial packet from [AF_INET]192.168.0.3:1194, sid=5890c8ed 6c43a44a
Sun Jul 19 10:05:27 2020 VERIFY OK: depth=1, CN=plusplus.net
Sun Jul 19 10:05:27 2020 VERIFY KU OK
Sun Jul 19 10:05:27 2020 Validating certificate extended key usage
Sun Jul 19 10:05:27 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jul 19 10:05:27 2020 VERIFY EKU OK
Sun Jul 19 10:05:27 2020 VERIFY OK: depth=0, CN=vpn.plusplus.net
Sun Jul 19 10:05:27 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sun Jul 19 10:05:27 2020 [vpn.plusplus.net] Peer Connection Initiated with [AF_INET]192.168.0.3:1194
Sun Jul 19 10:05:28 2020 SENT CONTROL [vpn.plusplus.net]: 'PUSH_REQUEST' (status=1)
Sun Jul 19 10:05:28 2020 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Sun Jul 19 10:05:28 2020 OPTIONS IMPORT: timers and/or timeouts modified
Sun Jul 19 10:05:28 2020 OPTIONS IMPORT: --ifconfig/up options modified
Sun Jul 19 10:05:28 2020 OPTIONS IMPORT: route options modified
Sun Jul 19 10:05:28 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jul 19 10:05:28 2020 OPTIONS IMPORT: peer-id set
Sun Jul 19 10:05:28 2020 OPTIONS IMPORT: adjusting link_mtu to 1624
Sun Jul 19 10:05:28 2020 OPTIONS IMPORT: data channel crypto options modified
Sun Jul 19 10:05:28 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jul 19 10:05:28 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jul 19 10:05:28 2020 ROUTE_GATEWAY 192.168.0.111/255.255.255.0 IFACE=wlp1s0 HWADDR=a8:a7:95:67:0f:23
Sun Jul 19 10:05:28 2020 TUN/TAP device tun0 opened
Sun Jul 19 10:05:28 2020 TUN/TAP TX queue length set to 100
Sun Jul 19 10:05:28 2020 /sbin/ip link set dev tun0 up mtu 1500
Sun Jul 19 10:05:28 2020 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Sun Jul 19 10:05:28 2020 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Sun Jul 19 10:05:28 2020 GID set to nobody
Sun Jul 19 10:05:28 2020 UID set to nobody
Sun Jul 19 10:05:28 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jul 19 10:05:28 2020 Initialization Sequence Completed
Tried to check UDP 1194:
nc -v -u MY_PUBLIC_IP 1194
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to MY_PUBLIC_IP:1194.
Router Page 2
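As an added example (not part of the question above), a small triage script that reads OpenVPN client log output like the two logs in the question and tells a "server never answered" attempt apart from a DNS failure or a completed handshake; the log text, the placeholder public address 203.0.113.10 and the hostname vpn.example.net are constructed for the example.

```python
"""Triage OpenVPN client log lines: did the server answer our hard reset at all?"""
import ipaddress
import re

# Constructed samples modelled on the two client logs in the question; the
# public address is a documentation-range placeholder, not a real host.
REMOTE_LOG = """\
Sun Jul 19 09:35:42 2020 UDP link remote: [AF_INET]203.0.113.10:1194
Sun Jul 19 09:36:42 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jul 19 09:36:42 2020 TLS Error: TLS handshake failed
Sun Jul 19 09:36:48 2020 RESOLVE: Cannot resolve host address: vpn.example.net:1194 (Name or service not known)
"""
LAN_LOG = """\
Sun Jul 19 10:05:27 2020 UDP link remote: [AF_INET]192.168.0.3:1194
Sun Jul 19 10:05:27 2020 TLS: Initial packet from [AF_INET]192.168.0.3:1194, sid=5890c8ed 6c43a44a
Sun Jul 19 10:05:28 2020 Initialization Sequence Completed
"""

REMOTE_RE = re.compile(r"UDP link remote: \[AF_INET\](\S+):(\d+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True for a private LAN address; hostnames and placeholders count as not private."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def triage(log: str) -> dict:
    """Classify one OpenVPN client connection attempt from its log text."""
    m = REMOTE_RE.search(log)
    remote, port = (m.group(1), int(m.group(2))) if m else (None, None)
    replied = "TLS: Initial packet from" in log      # server's reset came back: UDP path works
    completed = "Initialization Sequence Completed" in log
    timed_out = "TLS key negotiation failed to occur" in log
    dns_failed = "RESOLVE: Cannot resolve host address" in log
    if completed:
        verdict = "ok"
    elif replied:
        verdict = "tls_failed_after_reply"   # path works; look at certs, tls-auth, ciphers
    elif timed_out:
        verdict = "no_reply"                 # hard reset sent, nothing back: forward/firewall/host
    elif dns_failed:
        verdict = "dns"
    else:
        verdict = "unknown"
    return {"remote": remote, "port": port, "remote_is_private": is_rfc1918(remote or ""),
            "server_replied": replied, "dns_failure": dns_failed, "verdict": verdict}
```

A no_reply verdict against the public address next to an ok verdict against the LAN address, as in the two logs above, points at the path between the public IP and the server rather than at OpenVPN itself. Note that ncat's "Connected to" in UDP mode only reports that the local connect() call set a default destination; it sends no packet, so it does not test the port forward.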