How to diagnose / fix an OpenVPN setup which works from inside of LAN but doesn not work from WAN side of router

Question

The firm I work for has decided to go with OpenVPN to replace heavy ssh usage ( The right vpn to replace heavy ssh usage )

I have attempted to setup OpenVPN for bridging connections. I can connect via machines on the same network as the VPN server. Unfortunately I can't connect to the vpn server from just outside of the LAN; Connections that come from the WAN port fail with an WSAETIMEDOUT error message.

I am forwarding port 1194 on my router (for both tcp and udp) to my OpenVPN server on port 1194.

Is there any tool I can use (e.g. Netcat) etc to help isolate the problem and troubleshoot my setup?

Configuration Details

Ubuntu 10.04 LTS OpenVPN "Server" Private Lan 192.168.10.0/24

Clients: Mostly Windows XP / Vista / Windows 7 machines.

/etc/network/interfaces

auto lo
iface lo inet loopback

auto br0
iface br0 inet static
    address 192.168.10.95
    network 192.168.10.0
    netmask 255.255.255.0
    broadcast 192.168.10.255
    gateway 192.168.10.1
    bridge_ports eth0
    bridge_fd 9
    bridge_hello 2
    bridge_maxage 12
    bridge_stp off

auto eth0
iface eth0 inet dhcp

/etc/openvpn/server.conf

port 1194
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

server-bridge 192.168.10.95 255.255.255.0 192.168.10.50 192.168.10.80
tls-auth ta.key 0
user nobody
group nogroup

client-to-client
duplicate-cn
keepalive 10 120

cipher BF-CBC        # Blowfish (default)
comp-lzo

persist-key
persist-tun

status openvpn-status.log
verb 6
mute 20

up.sh #!/bin/sh

BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV

down.sh #!/bin/sh

BR=$1
DEV=$2

/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down

client.ovpn

client
dev tap
remote 192.168.10.184:1194
ca ca.crt
cert maven-lunch.crt
key maven-lunch.key
tls-auth ta.key 1

ping 10
comp-lzo
verb 6
mute 10

**edit 9/20/2010 18:00 EDT (@Zoredache) **

I am using the wan address ( in this case 10.1.2.129 ).

I see connection attempts from my test client (10.1.10.112)

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
17:52:23.256396 IP 10.1.10.112.1638 > 192.168.10.184.1194: tcp 0
17:52:23.256415 IP 10.1.10.112.1638 > 192.168.10.184.1194: tcp 0

Looking at the syslog shows an dead connection from a disconnected test client on the local network:

tail -f /var/log/syslog

Sep 20 16:40:07 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 TUN WRITE [92]
Sep 20 16:40:07 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 TCPv4_SERVER WRITE [133] to [AF_INET]192.168.10.189:1754: P_DATA_V1 kid=0 DATA len=132
Sep 20 16:40:07 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 TCPv4_SERVER WRITE [181] to [AF_INET]192.168.10.189:1754: P_DATA_V1 kid=0 DATA len=180
Sep 20 16:40:08 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 TCPv4_SERVER READ [133] from [AF_INET]192.168.10.189:1754: P_DATA_V1 kid=0 DATA len=132
Sep 20 16:40:08 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 TUN WRITE [92]
Sep 20 16:40:08 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 TCPv4_SERVER WRITE [133] to [AF_INET]192.168.10.189:1754: P_DATA_V1 kid=0 DATA len=132
Sep 20 16:40:08 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 Connection reset, restarting [-1]
Sep 20 16:40:08 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 SIGUSR1[soft,connection-reset] received, client-instance restarting
Sep 20 16:40:08 MavenVPNBox ovpn-server[1369]: TCP/UDP: Closing socket

Did you eventually figure this out? If you did, then please consider adding what you figured out as an answer, and then accepting that. — Zoredache, Jan 27 '11 at 03:17

score 1 · Accepted Answer · answered Sep 20 '10 at 21:35

1

You have changed your client.ovpn to use the WAN address instead of 192.168.10.184 right?

Anyway, as to testing. On your server why not just do a tcpdump for udp/1194 tcpdump -qni any port 1194. and see if any connection attempts are actually getting to the server from the outside. If they are not something is wrong with your firewall or NAT settings on your border device.

Also check out your /var/log/syslog. Usually openvpn log entries will appear there when a client tries to connect.

answered Sep 20 '10 at 21:35

Zoredache

130,897
41
276
420

I have updated the body of my question to reflect your ideas and concerns. – Sindhudweep Sep 20 '10 at 21:53
I am accepting your answer as it introduced me to some useful tools and debugging steps. I ended up starting over from scratch and the setup magically worked. I did diff the /etc/network/interfaces file the openvpn configuration file and I didn't see any obvious differences. – Sindhudweep Feb 25 '11 at 23:32

How to diagnose / fix an OpenVPN setup which works from inside of LAN but doesn not work from WAN side of router

Configuration Details

1 Answers1