7

I recently installed OpenVPN on my Ubuntu VPS. Whenever I try to connect to it, I can establish a connection just fine.

However, everything I try to connect to times out.

If I try to ping something, it will resolve the IP, but will time out after resolving the IP. (So DNS Server seems to be working correctly)

My server.conf has this relevant information (At least I think it's relevant. I'm not sure if you need more or not)

```
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
;push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
;client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
status openvpn-status.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
```

I've tried on multiple computers by the way. The same result on all of them.

What could be wrong?

Thanks in advance, and if you need other information I'll gladly post it.

Information for new comments

```
root@vps:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 862K packets, 51M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 3 packets, 382 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 4641  298K ACCEPT     all  --  *      *       10.8.0.0/24          0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 1671K packets, 2378M bytes)
 pkts bytes target     prot opt in     out     source               destination
```

And

```
root@vps:~# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 17937 packets, 2013K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 8975 packets, 562K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1579  103K SNAT       all  --  *      *       10.8.0.0/24          0.0.0.0/0           to:SERVERIP

Chain OUTPUT (policy ACCEPT 8972 packets, 562K bytes)
 pkts bytes target     prot opt in     out     source               destination
```
JonnyJD
Austin
  • Can you please paste the complete server.conf here. – Napster_X Dec 13 '12 at 07:05
  • Could you check that the routing is activated on your server? Is the NAT correctly configured? If there is no NAT, could you check your back route too? – Dom Dec 13 '12 at 07:49
  • 1
    My suspicion is the NAT, too; could we see the outputs of `iptables -L -n -v` and `iptables -t nat -L -n -v`? – MadHatter Dec 13 '12 at 07:51
  • @MadHatter I posted the outputs of what I think it is you want. – Austin Dec 13 '12 at 07:54
  • Grumble. Not the NAT, then (well done you). Could we also get the output of `cat /proc/sys/net/ipv4/ip_forward`? – MadHatter Dec 13 '12 at 07:59
  • @MadHatter The output is just `1`, which I believe means it's forwarding, correct? – Austin Dec 13 '12 at 08:01
  • Yep, another common problem that you don't have. I'm beginning to think GeekRide might be right. – MadHatter Dec 13 '12 at 08:01
  • @MadHatter I have tried to change that line to any IP I believe could be the gateway, and it doesn't seem to matter. – Austin Dec 13 '12 at 08:03
  • Just one question: are you trying to establish this tunnel to China? – zordor Dec 17 '12 at 21:05
  • @zordor No, it's in Romania. And MadHatter I'll get the logs posted soon. – Austin Dec 18 '12 at 06:03
  • What is your exact SNAT rule? Can you run `iptables -t nat -F` and try: `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE` – Michael Dec 18 '12 at 14:07
  • You said it happens on everything you connect to. Seems to me that it may be a networking issue. Did you try `echo "550" >> /proc/sys/net/ipv4/tcp_keepalive_time`? – grs Dec 18 '12 at 23:32
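
An added example (not part of the original thread) that turns the checks requested in the comments above into a script: it reads `iptables -L -n -v` and `iptables -t nat -L -n -v` listings and classifies the FORWARD and POSTROUTING counters for the VPN subnet. It assumes the listing format shown in the question; the function names and result words are this example's own.

```sh
# Added example: classify saved iptables listings for an OpenVPN server that
# pushes redirect-gateway. VPN_NET must match the "server" line in server.conf.
VPN_NET="10.8.0.0/24"

# stdin: `iptables -L -n -v`. Only zero vs. non-zero counters matter here, so
# abbreviated counts such as "12K" are fine (awk reads the leading digits).
forward_state() {
    awk -v net="$VPN_NET" '
        /^Chain / { chain = $2; next }
        chain != "FORWARD" || $1 !~ /^[0-9]/ { next }
        $3 == "ACCEPT" && /ESTABLISHED/ { est += $1 }
        $3 == "ACCEPT" && $8 == net     { seen = 1; sent += $1 }
        END {
            if (!seen)          print "no-forward-rule"
            else if (sent == 0) print "no-client-traffic"
            else if (est == 0)  print "one-way"   # forwarded out, no reply tracked
            else                print "two-way"
        }'
}

# stdin: `iptables -t nat -L -n -v`.
nat_state() {
    awk -v net="$VPN_NET" '
        /^Chain / { chain = $2; next }
        chain == "POSTROUTING" && ($3 == "SNAT" || $3 == "MASQUERADE") && $8 == net {
            seen = 1; hits += $1
        }
        END {
            if (!seen)          print "nat-missing"
            else if (hits == 0) print "nat-idle"
            else                print "nat-hit"
        }'
}

# Sample input: rule lines copied from the listings in the question.
sample_filter() { cat <<'EOF'
Chain FORWARD (policy ACCEPT 3 packets, 382 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 4641  298K ACCEPT     all  --  *      *       10.8.0.0/24          0.0.0.0/0
EOF
}
sample_nat() { cat <<'EOF'
Chain POSTROUTING (policy ACCEPT 8975 packets, 562K bytes)
 1579  103K SNAT       all  --  *      *       10.8.0.0/24          0.0.0.0/0           to:SERVERIP
EOF
}
echo "FORWARD: $(sample_filter | forward_state)  NAT: $(sample_nat | nat_state)"
```

On the question's listings this reports `one-way` and `nat-hit`: client packets are forwarded and source-NATed, but no forwarded connection was ever tracked as ESTABLISHED. That points at the return path (the SNAT `to:` address or filtering upstream of the VPS) rather than at forwarding being disabled.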

2 Answers

5

So, what you are missing in your conf is - Routing.

The entry like this:

;push "route 192.168.10.0 255.255.255.0"

is commented out in your config file. That explains why you are getting the IP but not able to ping, as there is no route information in your config file.

Uncomment this line and replace the IP information with the IP of your gateway where you are running the openvpn server.

Once you do that, your problem should be fixed.

Napster_X
  • How exactly would I find this? Is it just a matter of doing an `ifconfig`? Thanks – Austin Dec 13 '12 at 07:55
  • Yes, on your gateway. – Napster_X Dec 13 '12 at 08:00
  • It doesn't seem to be working for me, still getting timeout errors. – Austin Dec 13 '12 at 08:04
  • That's bad. Let me see if there could be anything else. – Napster_X Dec 13 '12 at 08:14
  • Can you check the value for IP forwarding in your machine? Use this command: `sudo sysctl -a | grep net.ipv4.ip_forward` – Napster_X Dec 13 '12 at 08:28
  • I think it's the same value MadHatter was asking for before, but here's the output. `root@vps:~# sudo sysctl -a | grep net.ipv4.ip_forward error: permission denied on key 'vm.compact_memory' error: permission denied on key 'net.ipv4.route.flush' error: permission denied on key 'net.ipv4.route.flush' net.ipv4.ip_forward = 1 error: permission denied on key 'net.ipv6.route.flush' ` – Austin Dec 13 '12 at 08:31
  • I need some info from the client side. Can you please tell me which client (operating system) you are using? I will send the commands according to the same to test it. – Napster_X Dec 15 '12 at 06:59
  • I've tried with Linux, Windows 7 and Windows 8. – Austin Dec 15 '12 at 07:00
  • So, a couple of things which could help: 1. The logs on the client machine when you are trying to connect. They're available in both Windows and Linux. 2. If you can send the route table for your client. I believe this command should work: `netstat -rn` for Windows and `route -n` for Linux – Napster_X Dec 15 '12 at 07:03
  • 2
    just fyi ... Please send the route table after connecting to the VPN. That way we could be sure that where exactly the issue is, Server or Client. – Napster_X Dec 15 '12 at 07:09
0

I also had a connectivity problem. I was able to establish a connection but was still getting timeouts on all the connections that I had.

On the web interface under admin ->

Configuration -> VPN Settings -> under "Specify the private subnets to which all clients should be given access"

I had a value equal to 10.0.16.0/20 (one of the few private subnets that I had); however, I needed the VPN established for all private subnets. In my case all of them could be covered with 10.0.0.0/16, and the issue was resolved.