Cannot connect to OpenVPN from WAN

roflas · March 24, 2024, 3:03pm

Hello,

I spent so much time troubleshooting this... several days and this forum is the only hope for me. Here is the summary:

Trying to setup OpenVPN on main WAN router.
I have have done this numerous times in the past with success, but this time is a complete failure.
Main difference is that this router manages VLANs and main lan interface is also a VLAN.
Tried to recreate PKI numerous times.
Windows firewall (on client) is switched off.
Client can connect to OpenVPN from within the network, i.e. when remote IP is basically router's internal IP.
There is already another VPN router within the network and users can connect to that router from WAN (see port forward rule in the firewall setup). Users just cannot connect to OpenVPN installed on main WAN router.
Logs do not say a lot.

Thank you for anyone, who helps me It has really exahusted me.

/etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddd:5142:0b4b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config device
	option name 'wan'
	option macaddr '26:f5:a2:2d:03:e8'
	option ipv6 '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'Guest'
	option proto 'static'
	option ipaddr '172.24.20.1'
	option netmask '255.255.255.0'
	option device 'br-lan.20'
	list dns '192.168.10.1'

config interface 'IoT'
	option proto 'static'
	option ipaddr '10.10.30.1'
	option netmask '255.255.255.0'
	option device 'br-lan.30'
	list dns '192.168.10.1'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2:t'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan2:t'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan2'
	list ports 'lan3'

config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'

config device
	option name 'br-lan.20'
	option type '8021q'
	option ifname 'br-lan'
	option vid '20'
	option ipv6 '0'

config device
	option name 'br-lan.30'
	option type '8021q'
	option ifname 'br-lan'
	option vid '30'
	option ipv6 '0'

config interface 'TUN0'
	option proto 'none'
	option device 'tun0'

/etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list device 'tun0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'GuestZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Guest'

config zone
	option name 'IoTZone'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IoT'

config forwarding
	option src 'lan'
	option dest 'IoTZone'

config forwarding
	option src 'GuestZone'
	option dest 'wan'

config rule
	option name 'Allow Guest DHCP and DNS '
	option src 'GuestZone'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option name 'WAN to srv-openvpn'
	list proto 'udp'
	option src 'wan'
	option src_dport '1194'
	option dest_ip '192.168.10.15'
	option dest_port '1194'

config rule
	option name 'Allow TIG to WAN'
	option dest 'wan'
	option target 'ACCEPT'
	option src 'IoTZone'
	list src_ip '10.10.30.166'
	list src_ip '10.10.30.60'
	option enabled '0'

config rule
	option name 'Allow NAS to WAN'
	option src 'IoTZone'
	list src_ip '10.10.30.50'
	option dest 'wan'
	option target 'ACCEPT'

config rule
	option name 'Allow IoT to srv-openvpn'
	option src 'IoTZone'
	option dest 'lan'
	list dest_ip '192.168.10.15'
	option target 'ACCEPT'
	list src_ip '10.10.30.21'
	list src_ip '10.10.30.22'

config rule
	option name 'Allow-VPN'
	option src 'wan'
	option dest_port '1193'
	option target 'ACCEPT'
	list proto 'udp'

VPN server config (some options disabled as I reduced unknowns)

client-to-client
keepalive 10 120
user nobody

dev tun
port 1193
proto udp
push "route 192.168.10.0 255.255.255.0"
server 192.168.66.0 255.255.255.0

persist-key
persist-tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
dh /etc/openvpn/dh.pem
;crl-verify /etc/openvpn/crl.pem
key /etc/openvpn/server.key

;script-security 2
;auth-user-pass-verify /etc/openvpn/ovpnauth.sh via-file

ifconfig-pool-persist /tmp/ipp.txt

status /tmp/openvpn-status.log
log-append /tmp/openvpn.log

reneg-sec 0 

verb 7

VPN client config

client

dev tun
proto udp

remote ip 1193
; this one works: remote 192.168.10.1 1193

resolv-retry infinite
nobind

user nobody
;group nobody

persist-key
persist-tun

ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\user.crt"
key "C:\\Program Files\\OpenVPN\\config\\user.key"

remote-cert-tls server

cipher AES-256-CBC

;auth-user-pass
auth-nocache
reneg-sec 0 

verb 7

Cut from the log of OpenVPN windows app

....
2024-03-24 16:52:08 us=203000 Using device interface: \\?\ROOT#NET#0003#{cac88484-7515-4c03-82e6-71a87abac361}\ovpn-dco
2024-03-24 16:52:08 us=203000 ovpn-dco device [OpenVPN Data Channel Offload] opened
2024-03-24 16:52:08 us=203000 dco_create_socket
2024-03-24 16:52:08 us=203000 UDP link local: (not bound)
2024-03-24 16:52:08 us=203000 UDP link remote: [AF_INET]85.206.9.188:1193
2024-03-24 16:52:08 us=203000 MANAGEMENT: >STATE:1711291928,WAIT,,,,,,
2024-03-24 16:52:08 us=203000 UDP WRITE [14] to [AF_INET]85.206.9.188:1193: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
2024-03-24 16:52:10 us=281000 UDP WRITE [14] to [AF_INET]85.206.9.188:1193: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
2024-03-24 16:52:13 us=937000 PID packet_id_free
2024-03-24 16:52:13 us=937000 PID packet_id_free
2024-03-24 16:52:13 us=937000 PID packet_id_free
2024-03-24 16:52:13 us=937000 PID packet_id_free
2024-03-24 16:52:13 us=937000 PID packet_id_free
2024-03-24 16:52:13 us=937000 PID packet_id_free
2024-03-24 16:52:13 us=937000 PID packet_id_free
2024-03-24 16:52:13 us=937000 PID packet_id_free
2024-03-24 16:52:13 us=937000 Closing DCO interface
2024-03-24 16:52:13 us=937000 Attempting CancelIO on ovpn-dco adapter
2024-03-24 16:52:13 us=937000 Attempting close of overlapped read event on ovpn-dco adapter
2024-03-24 16:52:13 us=937000 Attempting close of overlapped write event on ovpn-dco adapter
2024-03-24 16:52:13 us=937000 Attempting CloseHandle on ovpn-dco adapter
2024-03-24 16:52:13 us=937000 PID packet_id_free
2024-03-24 16:52:13 us=937000 SIGTERM[hard,] received, process exiting
2024-03-24 16:52:13 us=937000 MANAGEMENT: >STATE:1711291933,EXITING,SIGTERM,,,,,
2024-03-24 16:52:13 us=937000 PKCS#11: Terminating openssl
2024-03-24 16:52:13 us=937000 PKCS#11: Removing providers
2024-03-24 16:52:13 us=937000 PKCS#11: Releasing sessions
2024-03-24 16:52:13 us=937000 PKCS#11: Terminating slotevent
2024-03-24 16:52:13 us=937000 PKCS#11: Marking as uninitialized

egc · March 24, 2024, 3:09pm

Try this, in the openvpn config add:
disable-dco
Reboot afterwards

roflas · March 24, 2024, 3:17pm

daemon.err openvpn(lan_server)[4318]: Options error: Unrecognized option or missing or extra parameter(s) in lan_server.ovpn:11: disable-dco (2.5.8)

I get that this flag is unrecognized. Could you explain me the reason of it?

Thank you

EDIT: did you mean /etc/config/openvpn?

egc · March 24, 2024, 3:31pm

Sorry I meant in the Client config, that is complaining about dco.

Maybe there is another config/app on your client which is connecting to your other OVPN server which is interfering?

roflas · March 24, 2024, 3:36pm

Well, I do have multiple configs of OpenVPN in the same folder at user. However, that second one is disconnected. But it does connect fine if needed.

Sun Mar 24 17:34:11 2024 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.10.1:1193[2], expected peer address: [AF_INET]<IP> (allow this incoming source address/port by removing --remote or adding --float)
Sun Mar 24 17:34:12 2024 UDPv4 READ [14] from [AF_INET]192.168.10.1:1193: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Sun Mar 24 17:34:12 2024 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.10.1:1193[2], expected peer address: [AF_INET]<IP>:1193 (allow this incoming source address/port by removing --remote or adding --float)

Now it throws this one... I have received this one before, when trying multiple measures how to solve this issue.

Sechorda · March 24, 2024, 3:58pm

Could you please try to add float to the end of your .ovpn file?

also reboot

reneg-sec 0 

verb 7

float

"Essentially, --float tells OpenVPN to accept authenticated packets from any address, not only the address which was specified in the --remote option" - from docs

roflas · March 24, 2024, 4:02pm

It does work now... but I still do not understand. I have never ever used this flag for my previous installations. However, all my previous installations were based on VPN servers that are within the subnet and they are accessed by port-forwarding. But still... what is so different in this case?

P.S. I did not use dco disable flag.

Thanks.

EDIT: too quick to be happy.. connection times out

2024-03-24 18:04:24 Bad compression stub decompression header byte: 42
2024-03-24 18:04:34 Bad compression stub decompression header byte: 42
2024-03-24 18:04:44 Bad compression stub decompression header byte: 42
2024-03-24 18:04:54 Bad compression stub decompression header byte: 42
2024-03-24 18:05:04 Bad compression stub decompression header byte: 42
2024-03-24 18:05:14 Bad compression stub decompression header byte: 42
2024-03-24 18:05:23 Bad compression stub decompression header byte: 42
2024-03-24 18:05:34 Bad compression stub decompression header byte: 42
2024-03-24 18:05:44 Bad compression stub decompression header byte: 42
2024-03-24 18:05:54 Bad compression stub decompression header byte: 42
2024-03-24 18:06:04 Bad compression stub decompression header byte: 42
2024-03-24 18:06:13 [server] Inactivity timeout (--ping-restart), restarting
2024-03-24 18:06:13 SIGUSR1[soft,ping-restart] received, process restarting
2024-03-24 18:06:13 MANAGEMENT: >STATE:1711296373,RECONNECTING,ping-restart,,,,,
2024-03-24 18:06:13 Restart pause, 1 second(s)
2024-03-24 18:06:14 TCP/UDP: Preserving recently used remote address: [AF_INET]<IP>:1193
2024-03-24 18:06:14 Socket Buffers: R=[65536->65536] S=[65536->65536]
2024-03-24 18:06:14 UDPv4 link local: (not bound)
2024-03-24 18:06:14 UDPv4 link remote: [AF_INET]<IP>:1193
2024-03-24 18:06:14 MANAGEMENT: >STATE:1711296374,WAIT,,,,,,
2024-03-24 18:06:14 MANAGEMENT: >STATE:1711296374,AUTH,,,,,,
2024-03-24 18:06:14 TLS: Initial packet from [AF_INET]192.168.10.1:1193, sid=ffe2b67f 522d74c6

I switched to my WIFI hotspot (to check how it would connect from real external source) and it does not connect anymore. It fails at

Sun Mar 24 18:11:16 2024 MANAGEMENT: >STATE:1711296676,WAIT,,,,,,

Sechorda · March 24, 2024, 4:13pm

I'm leaning towards your vpn doesn't have a route or way out in response to the connection.

I will let more experienced admins weigh in.

Is your vpn client up to date on the host?

roflas · March 24, 2024, 4:17pm

Yes, it was just installed yesterday. v2.6.10 I believe.

egc · March 24, 2024, 4:34pm

If you are really using 2.6.10 then try this:
Add to the server config:
compat-mode 2.5

Alternatively upgrade your client to also 2.6.10

As always test with your client from outside

roflas · March 24, 2024, 4:58pm

I tried to strip down the config of a client and server until it is still working. Eventually, I removed disable-dco flag, also removed compression flags. So float is the only additional flag I added. It seems that connection from outside is now stable.

I double checked my other installations on OpenVPN and they seem to be v2.5.7. Windows client app is v2.6.10.

I still do not understand, why I need float flag this time? What is so special in this case, when I try to connect to main WAN router and access subnet instead of connecting to another VPN router inside the network via port forwarding? As I understand it is still connecting to main router, it forwards that request to that second router.

I was just wondering... could this be that my WAN is setup with DHCP option? Technically, my IP is somewhat fixed, but WAN itself it set as DHCP... is it possible that it could be the cause although remote IP does not change whatsoever.

It is really confusing...

system · April 3, 2024, 4:59pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.