Help with OpenVPN Server

Hello all...

I'm trying to reconfigure my OpenVPN server, which was working correctly before, but I'm finding it difficult to connect my cell phone to the server...

I am following the official OpenVPN server tutorial located here => https://openwrt.org/docs/guide-user/services/vpn/openvpn/server

My IP address is dynamic, but no-ip.com's DDNS is working correctly...

I believe it could be a firewall problem, because on the cell phone I get the message "Getting client configuration", as we can see in the log below:

2024-05-25 09:46:06 official build 0.7.51 running on POCO M2102J20SG (vayu), Android 13 (TKQ1.221013.002) API 33, ABI arm64-v8a, (POCO/vayu_global/vayu:13/TKQ1.221013.002/V14.0.3.0.TJUMIXM:user/release-keys)
2024-05-25 09:46:06 Building configuration…
2024-05-25 09:46:06 Fetched VPN profile (CEL_POCOX3PRO_RR) triggered by main profile list
2024-05-25 09:46:06 Scheduling VPN keep alive for VPN CEL_POCOX3PRO_RR
2024-05-25 09:46:06 started Socket Thread
2024-05-25 09:46:06 P:WARNING: linker: Warning: "/data/app/~~p_u_fN_8ZvkwI4wbTW4RUQ==/de.blinkt.openvpn-tbg-h3GvsltG7nEO9EsZmw==/lib/arm64/libovpnexec.so" is not a directory (ignoring)
2024-05-25 09:46:06 Network Status: CONNECTED LTE to MOBILE zap.vivo.com.br
2024-05-25 09:46:06 Debug state info: CONNECTED LTE to MOBILE zap.vivo.com.br, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2024-05-25 09:46:06 Debug state info: CONNECTED LTE to MOBILE zap.vivo.com.br, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2024-05-25 09:46:06 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-05-25 09:46:06 Current Parameter Settings:
2024-05-25 09:46:06   config = 'stdin'
2024-05-25 09:46:06   mode = 0
2024-05-25 09:46:06   show_ciphers = DISABLED
2024-05-25 09:46:06   show_digests = DISABLED
2024-05-25 09:46:06   show_engines = DISABLED
2024-05-25 09:46:06   genkey = DISABLED
2024-05-25 09:46:06   genkey_filename = '[UNDEF]'
2024-05-25 09:46:06   key_pass_file = '[UNDEF]'
2024-05-25 09:46:06   show_tls_ciphers = DISABLED
2024-05-25 09:46:06   connect_retry_max = 0
2024-05-25 09:46:06 Connection profiles [0]:
2024-05-25 09:46:06   proto = udp
2024-05-25 09:46:06   local = '[UNDEF]'
2024-05-25 09:46:06   local_port = '[UNDEF]'
2024-05-25 09:46:06   remote = 'liva4.servebeer.com'
2024-05-25 09:46:06   remote_port = '1194'
2024-05-25 09:46:06   remote_float = DISABLED
2024-05-25 09:46:06   bind_defined = DISABLED
2024-05-25 09:46:06   bind_local = DISABLED
2024-05-25 09:46:06   bind_ipv6_only = DISABLED
2024-05-25 09:46:06   connect_retry_seconds = 2
2024-05-25 09:46:06   connect_timeout = 120
2024-05-25 09:46:06   socks_proxy_server = '[UNDEF]'
2024-05-25 09:46:06   socks_proxy_port = '[UNDEF]'
2024-05-25 09:46:06   tun_mtu = 1500
2024-05-25 09:46:06   tun_mtu_defined = ENABLED
2024-05-25 09:46:06   link_mtu = 1500
2024-05-25 09:46:06   link_mtu_defined = DISABLED
2024-05-25 09:46:06   tun_mtu_extra = 0
2024-05-25 09:46:06   tun_mtu_extra_defined = DISABLED
2024-05-25 09:46:06   tls_mtu = 1250
2024-05-25 09:46:06   mtu_discover_type = -1
2024-05-25 09:46:06   fragment = 0
2024-05-25 09:46:06   mssfix = 1492
2024-05-25 09:46:06   mssfix_encap = ENABLED
2024-05-25 09:46:06   mssfix_fixed = DISABLED
2024-05-25 09:46:06   explicit_exit_notification = 0
2024-05-25 09:46:06   tls_auth_file = '[UNDEF]'
2024-05-25 09:46:06   key_direction = not set
2024-05-25 09:46:06   tls_crypt_file = '[UNDEF]'
2024-05-25 09:46:06   tls_crypt_v2_file = '[INLINE]'
2024-05-25 09:46:06 Connection profiles END
2024-05-25 09:46:06   remote_random = DISABLED
2024-05-25 09:46:06   ipchange = '[UNDEF]'
2024-05-25 09:46:06   dev = 'tun'
2024-05-25 09:46:06   dev_type = '[UNDEF]'
2024-05-25 09:46:06   dev_node = '[UNDEF]'
2024-05-25 09:46:06   lladdr = '[UNDEF]'
2024-05-25 09:46:06   topology = 1
2024-05-25 09:46:06   ifconfig_local = '[UNDEF]'
2024-05-25 09:46:06   ifconfig_remote_netmask = '[UNDEF]'
2024-05-25 09:46:06   ifconfig_noexec = DISABLED
2024-05-25 09:46:06   ifconfig_nowarn = ENABLED
2024-05-25 09:46:06   ifconfig_ipv6_local = '[UNDEF]'
2024-05-25 09:46:06   ifconfig_ipv6_netbits = 0
2024-05-25 09:46:06   ifconfig_ipv6_remote = '[UNDEF]'
2024-05-25 09:46:06   shaper = 0
2024-05-25 09:46:06   mtu_test = 0
2024-05-25 09:46:06   mlock = DISABLED
2024-05-25 09:46:06   keepalive_ping = 0
2024-05-25 09:46:06   keepalive_timeout = 0
2024-05-25 09:46:06   ina

Below is the printout of the error:

Following the tutorial, there is a troubleshooting section with some commands; when I run them, I obtain the following information:

01: # Restart services
service log restart; service openvpn restart; sleep 10
=> OK, executed smoothly!

02: # Log and status
logread -e openvpn; netstat -l -n -p | grep -e openvpn

root@horus:~# uci show network; uci show firewall; uci show openvpn
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd1b:2c5c:4a50::/48'
network.lan=interface
network.lan.device='eth1'
network.lan.proto='static'
network.lan.ip6assign='64'
network.lan.ipaddr='192.168.15.1/24'
network.@device[0]=device
network.@device[0].name='eth0'
network.wan=interface
network.wan.proto='pppoe'
network.wan.device='eth0'
network.wan.username='cliente@cliente'
network.wan.password='cliente'
network.wan.service='Vivo Fibra'
network.wan.ipv6='auto'
network.onu_VSol=interface
network.onu_VSol.proto='static'
network.onu_VSol.device='eth0'
network.onu_VSol.ipaddr='192.168.1.2/30'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='DROP'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].drop_invalid='1'
firewall.@defaults[0].flow_offloading='1'
firewall.@defaults[0].flow_offloading_hw='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.network='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.device='pppoe-wan' 'tun+'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='DROP'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.device='eth0'
firewall.wan.network='pppoe-wan' 'wan' 'onu_VSol'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].enabled='0'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
root@horus:~# logread -e openvpn; netstat -l -n -p | grep -e openvpn
Sat May 25 09:32:51 2024 daemon.err openvpn(server)[11753]: event_wait : Interrupted system call (code=4)
Sat May 25 09:32:51 2024 daemon.notice openvpn(server)[11753]: /usr/libexec/openvpn-hotplug route-pre-down server tun0 1500 1621 192.168.9.1 255.255.255.0 init
Sat May 25 09:32:51 2024 daemon.notice openvpn(server)[11753]: net_addr_v4_del: 192.168.9.1 dev tun0
Sat May 25 09:32:51 2024 daemon.warn openvpn(server)[11753]: sitnl_send: rtnl: generic error (-1): Operation not permitted
Sat May 25 09:32:51 2024 daemon.warn openvpn(server)[11753]: Linux can't del IP from iface tun0
Sat May 25 09:32:51 2024 daemon.notice openvpn(server)[11753]: /usr/libexec/openvpn-hotplug down server tun0 1500 1621 192.168.9.1 255.255.255.0 init
Sat May 25 09:32:51 2024 daemon.notice openvpn(server)[11753]: SIGTERM[hard,] received, process exiting
Sat May 25 09:32:51 2024 daemon.warn openvpn(server)[24992]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Sat May 25 09:32:51 2024 daemon.notice openvpn(server)[24992]: OpenVPN 2.5.8 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat May 25 09:32:51 2024 daemon.notice openvpn(server)[24992]: library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
Sat May 25 09:32:51 2024 daemon.warn openvpn(server)[24992]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat May 25 09:32:51 2024 daemon.notice openvpn(server)[24992]: TUN/TAP device tun0 opened
Sat May 25 09:32:51 2024 daemon.notice openvpn(server)[24992]: net_iface_mtu_set: mtu 1500 for tun0
Sat May 25 09:32:51 2024 daemon.notice openvpn(server)[24992]: net_iface_up: set tun0 up
Sat May 25 09:32:51 2024 daemon.notice openvpn(server)[24992]: net_addr_v4_add: 192.168.9.1/24 dev tun0
Sat May 25 09:32:51 2024 daemon.notice openvpn(server)[24992]: /usr/libexec/openvpn-hotplug up server tun0 1500 1621 192.168.9.1 255.255.255.0 init
Sat May 25 09:32:51 2024 daemon.warn openvpn(server)[24992]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat May 25 09:32:51 2024 daemon.notice openvpn(server)[24992]: UDPv4 link local (bound): [AF_INET][undef]:1194
Sat May 25 09:32:51 2024 daemon.notice openvpn(server)[24992]: UDPv4 link remote: [AF_UNSPEC]
Sat May 25 09:32:51 2024 daemon.notice openvpn(server)[24992]: GID set to nogroup
Sat May 25 09:32:51 2024 daemon.notice openvpn(server)[24992]: UID set to nobody
Sat May 25 09:32:51 2024 daemon.notice openvpn(server)[24992]: Initialization Sequence Completed
Sat May 25 09:36:46 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18190 peer info: IV_VER=2.7_master
Sat May 25 09:36:46 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18190 peer info: IV_PLAT=android
Sat May 25 09:36:46 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18190 peer info: IV_TCPNL=1
Sat May 25 09:36:46 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18190 peer info: IV_MTU=1600
Sat May 25 09:36:46 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18190 peer info: IV_NCP=2
Sat May 25 09:36:46 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18190 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Sat May 25 09:36:46 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18190 peer info: IV_PROTO=470
Sat May 25 09:36:46 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18190 peer info: IV_LZO_STUB=1
Sat May 25 09:36:46 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18190 peer info: IV_COMP_STUB=1
Sat May 25 09:36:46 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18190 peer info: IV_COMP_STUBv2=1
Sat May 25 09:36:46 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18190 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.51
Sat May 25 09:36:46 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18190 peer info: IV_SSO=openurl,webauth,crtext
Sat May 25 09:36:51 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18185 peer info: IV_VER=2.7_master
Sat May 25 09:36:51 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18185 peer info: IV_PLAT=android
Sat May 25 09:36:51 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18185 peer info: IV_TCPNL=1
Sat May 25 09:36:51 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18185 peer info: IV_MTU=1600
Sat May 25 09:36:51 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18185 peer info: IV_NCP=2
Sat May 25 09:36:51 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18185 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Sat May 25 09:36:51 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18185 peer info: IV_PROTO=470
Sat May 25 09:36:51 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18185 peer info: IV_LZO_STUB=1
Sat May 25 09:36:51 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18185 peer info: IV_COMP_STUB=1
Sat May 25 09:36:51 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18185 peer info: IV_COMP_STUBv2=1
Sat May 25 09:36:51 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18185 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.51
Sat May 25 09:36:51 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18185 peer info: IV_SSO=openurl,webauth,crtext
Sat May 25 09:36:56 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18201 peer info: IV_VER=2.7_master
Sat May 25 09:36:56 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18201 peer info: IV_PLAT=android
Sat May 25 09:36:56 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18201 peer info: IV_TCPNL=1
Sat May 25 09:36:56 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18201 peer info: IV_MTU=1600
Sat May 25 09:36:56 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18201 peer info: IV_NCP=2
Sat May 25 09:36:56 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18201 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Sat May 25 09:36:56 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18201 peer info: IV_PROTO=470
Sat May 25 09:36:56 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18201 peer info: IV_LZO_STUB=1
Sat May 25 09:36:56 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18201 peer info: IV_COMP_STUB=1
Sat May 25 09:36:56 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18201 peer info: IV_COMP_STUBv2=1
Sat May 25 09:36:56 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18201 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.51
Sat May 25 09:36:56 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18201 peer info: IV_SSO=openurl,webauth,crtext
Sat May 25 09:37:07 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18202 peer info: IV_VER=2.7_master
Sat May 25 09:37:07 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18202 peer info: IV_PLAT=android
Sat May 25 09:37:07 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18202 peer info: IV_TCPNL=1
Sat May 25 09:37:07 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18202 peer info: IV_MTU=1600
Sat May 25 09:37:07 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18202 peer info: IV_NCP=2
Sat May 25 09:37:07 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18202 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Sat May 25 09:37:07 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18202 peer info: IV_PROTO=470
Sat May 25 09:37:07 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18202 peer info: IV_LZO_STUB=1
Sat May 25 09:37:07 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18202 peer info: IV_COMP_STUB=1
Sat May 25 09:37:07 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18202 peer info: IV_COMP_STUBv2=1
Sat May 25 09:37:07 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18202 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.51
Sat May 25 09:37:07 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18202 peer info: IV_SSO=openurl,webauth,crtext
Sat May 25 09:37:14 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18205 peer info: IV_VER=2.7_master
Sat May 25 09:37:14 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18205 peer info: IV_PLAT=android
Sat May 25 09:37:14 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18205 peer info: IV_TCPNL=1
Sat May 25 09:37:14 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18205 peer info: IV_MTU=1600
Sat May 25 09:37:14 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18205 peer info: IV_NCP=2
Sat May 25 09:37:14 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18205 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Sat May 25 09:37:14 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18205 peer info: IV_PROTO=470
Sat May 25 09:37:14 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18205 peer info: IV_LZO_STUB=1
Sat May 25 09:37:14 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18205 peer info: IV_COMP_STUB=1
Sat May 25 09:37:14 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18205 peer info: IV_COMP_STUBv2=1
Sat May 25 09:37:14 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18205 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.51
Sat May 25 09:37:14 2024 daemon.notice openvpn(server)[24992]: 189.96.235.218:18205 peer info: IV_SSO=openurl,webauth,crtext
Sat May 25 09:37:46 2024 daemon.err openvpn(server)[24992]: 189.96.235.218:18190 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat May 25 09:37:46 2024 daemon.err openvpn(server)[24992]: 189.96.235.218:18190 TLS Error: TLS handshake failed
Sat May 25 09:37:51 2024 daemon.err openvpn(server)[24992]: 189.96.235.218:18185 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat May 25 09:37:51 2024 daemon.err openvpn(server)[24992]: 189.96.235.218:18185 TLS Error: TLS handshake failed
Sat May 25 09:37:56 2024 daemon.err openvpn(server)[24992]: 189.96.235.218:18201 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat May 25 09:37:56 2024 daemon.err openvpn(server)[24992]: 189.96.235.218:18201 TLS Error: TLS handshake failed
Sat May 25 09:38:07 2024 daemon.err openvpn(server)[24992]: 189.96.235.218:18202 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat May 25 09:38:07 2024 daemon.err openvpn(server)[24992]: 189.96.235.218:18202 TLS Error: TLS handshake failed
Sat May 25 09:38:13 2024 daemon.err openvpn(server)[24992]: 189.96.235.218:18205 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat May 25 09:38:13 2024 daemon.err openvpn(server)[24992]: 189.96.235.218:18205 TLS Error: TLS handshake failed
Sat May 25 09:46:05 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46538 peer info: IV_VER=2.7_master
Sat May 25 09:46:05 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46538 peer info: IV_PLAT=android
Sat May 25 09:46:05 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46538 peer info: IV_TCPNL=1
Sat May 25 09:46:05 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46538 peer info: IV_MTU=1600
Sat May 25 09:46:05 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46538 peer info: IV_NCP=2
Sat May 25 09:46:05 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46538 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Sat May 25 09:46:05 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46538 peer info: IV_PROTO=470
Sat May 25 09:46:05 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46538 peer info: IV_LZO_STUB=1
Sat May 25 09:46:05 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46538 peer info: IV_COMP_STUB=1
Sat May 25 09:46:05 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46538 peer info: IV_COMP_STUBv2=1
Sat May 25 09:46:05 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46538 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.51
Sat May 25 09:46:05 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46538 peer info: IV_SSO=openurl,webauth,crtext
Sat May 25 09:47:04 2024 daemon.err openvpn(server)[24992]: 177.26.252.122:46538 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat May 25 09:47:04 2024 daemon.err openvpn(server)[24992]: 177.26.252.122:46538 TLS Error: TLS handshake failed
Sat May 25 09:47:09 2024 daemon.notice openvpn(server)[24992]: 177.26.229.185:51485 peer info: IV_VER=2.7_master
Sat May 25 09:47:09 2024 daemon.notice openvpn(server)[24992]: 177.26.229.185:51485 peer info: IV_PLAT=android
Sat May 25 09:47:09 2024 daemon.notice openvpn(server)[24992]: 177.26.229.185:51485 peer info: IV_TCPNL=1
Sat May 25 09:47:09 2024 daemon.notice openvpn(server)[24992]: 177.26.229.185:51485 peer info: IV_MTU=1600
Sat May 25 09:47:09 2024 daemon.notice openvpn(server)[24992]: 177.26.229.185:51485 peer info: IV_NCP=2
Sat May 25 09:47:09 2024 daemon.notice openvpn(server)[24992]: 177.26.229.185:51485 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Sat May 25 09:47:09 2024 daemon.notice openvpn(server)[24992]: 177.26.229.185:51485 peer info: IV_PROTO=470
Sat May 25 09:47:09 2024 daemon.notice openvpn(server)[24992]: 177.26.229.185:51485 peer info: IV_LZO_STUB=1
Sat May 25 09:47:09 2024 daemon.notice openvpn(server)[24992]: 177.26.229.185:51485 peer info: IV_COMP_STUB=1
Sat May 25 09:47:09 2024 daemon.notice openvpn(server)[24992]: 177.26.229.185:51485 peer info: IV_COMP_STUBv2=1
Sat May 25 09:47:09 2024 daemon.notice openvpn(server)[24992]: 177.26.229.185:51485 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.51
Sat May 25 09:47:09 2024 daemon.notice openvpn(server)[24992]: 177.26.229.185:51485 peer info: IV_SSO=openurl,webauth,crtext
Sat May 25 09:48:09 2024 daemon.err openvpn(server)[24992]: 177.26.229.185:51485 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat May 25 09:48:09 2024 daemon.err openvpn(server)[24992]: 177.26.229.185:51485 TLS Error: TLS handshake failed
Sat May 25 09:48:14 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46537 peer info: IV_VER=2.7_master
Sat May 25 09:48:14 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46537 peer info: IV_PLAT=android
Sat May 25 09:48:14 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46537 peer info: IV_TCPNL=1
Sat May 25 09:48:14 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46537 peer info: IV_MTU=1600
Sat May 25 09:48:14 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46537 peer info: IV_NCP=2
Sat May 25 09:48:14 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46537 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Sat May 25 09:48:14 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46537 peer info: IV_PROTO=470
Sat May 25 09:48:14 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46537 peer info: IV_LZO_STUB=1
Sat May 25 09:48:14 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46537 peer info: IV_COMP_STUB=1
Sat May 25 09:48:14 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46537 peer info: IV_COMP_STUBv2=1
Sat May 25 09:48:14 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46537 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.51
Sat May 25 09:48:14 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46537 peer info: IV_SSO=openurl,webauth,crtext
Sat May 25 09:49:13 2024 daemon.err openvpn(server)[24992]: 177.26.252.122:46537 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat May 25 09:49:13 2024 daemon.err openvpn(server)[24992]: 177.26.252.122:46537 TLS Error: TLS handshake failed
Sat May 25 09:49:19 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30527 peer info: IV_VER=2.7_master
Sat May 25 09:49:19 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30527 peer info: IV_PLAT=android
Sat May 25 09:49:19 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30527 peer info: IV_TCPNL=1
Sat May 25 09:49:19 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30527 peer info: IV_MTU=1600
Sat May 25 09:49:19 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30527 peer info: IV_NCP=2
Sat May 25 09:49:19 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30527 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Sat May 25 09:49:19 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30527 peer info: IV_PROTO=470
Sat May 25 09:49:19 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30527 peer info: IV_LZO_STUB=1
Sat May 25 09:49:19 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30527 peer info: IV_COMP_STUB=1
Sat May 25 09:49:19 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30527 peer info: IV_COMP_STUBv2=1
Sat May 25 09:49:19 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30527 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.51
Sat May 25 09:49:19 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30527 peer info: IV_SSO=openurl,webauth,crtext
Sat May 25 09:50:20 2024 daemon.err openvpn(server)[24992]: 177.26.241.70:30527 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat May 25 09:50:20 2024 daemon.err openvpn(server)[24992]: 177.26.241.70:30527 TLS Error: TLS handshake failed
Sat May 25 09:50:23 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46547 peer info: IV_VER=2.7_master
Sat May 25 09:50:23 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46547 peer info: IV_PLAT=android
Sat May 25 09:50:23 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46547 peer info: IV_TCPNL=1
Sat May 25 09:50:23 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46547 peer info: IV_MTU=1600
Sat May 25 09:50:23 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46547 peer info: IV_NCP=2
Sat May 25 09:50:23 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46547 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Sat May 25 09:50:23 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46547 peer info: IV_PROTO=470
Sat May 25 09:50:23 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46547 peer info: IV_LZO_STUB=1
Sat May 25 09:50:23 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46547 peer info: IV_COMP_STUB=1
Sat May 25 09:50:23 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46547 peer info: IV_COMP_STUBv2=1
Sat May 25 09:50:23 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46547 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.51
Sat May 25 09:50:23 2024 daemon.notice openvpn(server)[24992]: 177.26.252.122:46547 peer info: IV_SSO=openurl,webauth,crtext
Sat May 25 09:51:23 2024 daemon.err openvpn(server)[24992]: 177.26.252.122:46547 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat May 25 09:51:23 2024 daemon.err openvpn(server)[24992]: 177.26.252.122:46547 TLS Error: TLS handshake failed
Sat May 25 09:51:25 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30520 peer info: IV_VER=2.7_master
Sat May 25 09:51:25 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30520 peer info: IV_PLAT=android
Sat May 25 09:51:25 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30520 peer info: IV_TCPNL=1
Sat May 25 09:51:25 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30520 peer info: IV_MTU=1600
Sat May 25 09:51:25 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30520 peer info: IV_NCP=2
Sat May 25 09:51:25 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30520 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Sat May 25 09:51:25 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30520 peer info: IV_PROTO=470
Sat May 25 09:51:25 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30520 peer info: IV_LZO_STUB=1
Sat May 25 09:51:25 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30520 peer info: IV_COMP_STUB=1
Sat May 25 09:51:25 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30520 peer info: IV_COMP_STUBv2=1
Sat May 25 09:51:25 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30520 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.51
Sat May 25 09:51:25 2024 daemon.notice openvpn(server)[24992]: 177.26.241.70:30520 peer info: IV_SSO=openurl,webauth,crtext
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           24992/openvpn
root@horus:~#

03: # Runtime configuration
pgrep -f -a openvpn
ip address show; ip route show table all
ip rule show; ip -6 rule show; nft list ruleset

=> pgrep -f -a openvpn

root@horus:~# pgrep -f -a openvpn
24992 /usr/sbin/openvpn --syslog openvpn(server) --status /var/run/openvpn.server.status --cd /etc/openvpn --config server.conf --up /usr/libexec/openvpn-hotplug up server --down /usr/libexec/openvpn-hotplug down server --route-up /usr/libexec/openvpn-hotplug route-up server --route-pre-down /usr/libexec/openvpn-hotplug route-pre-down server --script-security 2
root@horus:~#

=> ip address show; ip route show table all

root@horus:~# ip address show; ip route show table all
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 00:e0:4c:76:09:61 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/30 brd 192.168.1.3 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::2e0:4cff:fe76:961/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether b8:ae:ed:86:c5:06 brd ff:ff:ff:ff:ff:ff
    inet 192.168.15.1/24 brd 192.168.15.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 2804:7f0:7a00:4a92::1/64 scope global dynamic noprefixroute
       valid_lft 23695sec preferred_lft 23695sec
    inet6 fd1b:2c5c:4a50::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::baae:edff:fe86:c506/64 scope link
       valid_lft forever preferred_lft forever
5: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    link/ppp
    inet 201.13.73.8 peer 200.204.204.126/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
    inet6 2804:7f0:703c:2df:1d1d:b80a:8b04:66f1/64 scope global dynamic noprefixroute
       valid_lft 258069sec preferred_lft 171669sec
    inet6 fe80::1d1d:b80a:8b04:66f1/128 scope link
       valid_lft forever preferred_lft forever
10: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    link/[65534]
    inet 192.168.9.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::527b:957e:ca26:63f8/64 scope link flags 800
       valid_lft forever preferred_lft forever
default via 200.204.204.126 dev pppoe-wan
192.168.1.0/30 dev eth0 scope link  src 192.168.1.2
192.168.9.0/24 dev tun0 scope link  src 192.168.9.1
192.168.15.0/24 dev eth1 scope link  src 192.168.15.1
200.204.204.126 dev pppoe-wan scope link  src 201.13.73.8
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
local 192.168.1.2 dev eth0 table local scope host  src 192.168.1.2
broadcast 192.168.1.3 dev eth0 table local scope link  src 192.168.1.2
local 192.168.9.1 dev tun0 table local scope host  src 192.168.9.1
broadcast 192.168.9.255 dev tun0 table local scope link  src 192.168.9.1
local 192.168.15.1 dev eth1 table local scope host  src 192.168.15.1
broadcast 192.168.15.255 dev eth1 table local scope link  src 192.168.15.1
local 201.13.73.8 dev pppoe-wan table local scope host  src 201.13.73.8
default from 2804:7f0:703c:2df::/64 via fe80::76e9:bfff:fea6:fc8e dev pppoe-wan  metric 512
default from 2804:7f0:7a00:4a92::/64 via fe80::76e9:bfff:fea6:fc8e dev pppoe-wan  metric 512
unreachable 2804:7f0:703c:2df::/64 dev lo  metric 2147483647
2804:7f0:7a00:4a92::/64 dev eth1  metric 1024
unreachable 2804:7f0:7a00:4a92::/64 dev lo  metric 2147483647
fd1b:2c5c:4a50::/64 dev eth1  metric 1024
unreachable fd1b:2c5c:4a50::/48 dev lo  metric 2147483647
fe80::1d1d:b80a:8b04:66f1 dev pppoe-wan  metric 256
fe80::76e9:bfff:fea6:fc8e dev pppoe-wan  metric 256
fe80::/64 dev eth1  metric 256
fe80::/64 dev eth0  metric 256
fe80::/64 dev tun0  metric 256
local ::1 dev lo table local  metric 0
anycast 2804:7f0:703c:2df:: dev pppoe-wan table local  metric 0
local 2804:7f0:703c:2df:1d1d:b80a:8b04:66f1 dev pppoe-wan table local  metric 0
anycast 2804:7f0:7a00:4a92:: dev eth1 table local  metric 0
local 2804:7f0:7a00:4a92::1 dev eth1 table local  metric 0
anycast fd1b:2c5c:4a50:: dev eth1 table local  metric 0
local fd1b:2c5c:4a50::1 dev eth1 table local  metric 0
anycast fe80:: dev eth1 table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev tun0 table local  metric 0
local fe80::2e0:4cff:fe76:961 dev eth0 table local  metric 0
local fe80::1d1d:b80a:8b04:66f1 dev pppoe-wan table local  metric 0
local fe80::527b:957e:ca26:63f8 dev tun0 table local  metric 0
local fe80::baae:edff:fe86:c506 dev eth1 table local  metric 0
multicast ff00::/8 dev eth1 table local  metric 256
multicast ff00::/8 dev eth0 table local  metric 256
multicast ff00::/8 dev pppoe-wan table local  metric 256
multicast ff00::/8 dev tun0 table local  metric 256
root@horus:~#

=> ip rule show; ip -6 rule show; nft list ruleset

root@horus:~# ip rule show; ip -6 rule show; nft list ruleset
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
0:      from all lookup local
32766:  from all lookup main
4200000000:     from 2804:7f0:7a00:4a92::1/64 iif eth1 lookup unspec unreachable
table inet fw4 {
        flowtable ft {
                hook ingress priority filter
                devices = { eth0, eth1, pppoe-wan }
                flags offload
                counter
        }

        chain input {
                type filter hook input priority filter; policy drop;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname "tun*" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname { "eth1", "pppoe-wan" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname { "eth0", "pppoe-wan" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                meta l4proto { tcp, udp } flow add @ft
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
                iifname "tun*" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname { "eth1", "pppoe-wan" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname { "eth0", "pppoe-wan" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                jump upnp_forward comment "Hook into miniupnpd forwarding chain"
                jump handle_reject
        }

        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
                oifname "tun*" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname { "eth1", "pppoe-wan" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname { "eth0", "pppoe-wan" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                iifname "tun*" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
                iifname { "eth1", "pppoe-wan" } jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
        }

        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_lan {
                ct status dnat accept comment "!fw4: Accept port redirections"
                jump accept_from_lan
        }

        chain output_lan {
                jump accept_to_lan
        }

        chain forward_lan {
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                ct status dnat accept comment "!fw4: Accept port forwards"
                jump accept_to_lan
        }

        chain helper_lan {
        }

        chain accept_from_lan {
                iifname "tun*" counter packets 19 bytes 5555 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
                iifname { "eth1", "pppoe-wan" } counter packets 16924 bytes 1478957 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain accept_to_lan {
                oifname "tun*" counter packets 25 bytes 5999 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
                oifname { "eth1", "pppoe-wan" } counter packets 22692 bytes 10005540 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
                meta nfproto ipv4 meta l4proto igmp counter packets 190 bytes 6080 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 15 bytes 960 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                udp dport 1194 counter packets 0 bytes 0 accept comment "!fw4: Allow-OpenVPN"
                ct status dnat accept comment "!fw4: Accept port redirections"
                jump drop_from_wan
        }

        chain output_wan {
                jump accept_to_wan
        }

        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                ct status dnat accept comment "!fw4: Accept port forwards"
                jump reject_to_wan
        }

        chain accept_to_wan {
                meta nfproto ipv4 oifname { "eth0", "pppoe-wan" } ct state invalid counter packets 0 bytes 0 drop comment "!fw4: Prevent NAT leakage"
                oifname { "eth0", "pppoe-wan" } counter packets 2170 bytes 553132 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }

        chain reject_to_wan {
                oifname { "eth0", "pppoe-wan" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain drop_from_wan {
                iifname { "eth0", "pppoe-wan" } counter packets 0 bytes 0 drop comment "!fw4: drop wan IPv4/IPv6 traffic"
        }

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
                iifname "tun*" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
                iifname { "eth1", "pppoe-wan" } jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
                iifname { "eth0", "pppoe-wan" } jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
                jump upnp_prerouting comment "Hook into miniupnpd prerouting chain"
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "tun*" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
                oifname { "eth1", "pppoe-wan" } jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
                oifname { "eth0", "pppoe-wan" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
                jump upnp_postrouting comment "Hook into miniupnpd postrouting chain"
        }

        chain dstnat_lan {
                ip saddr 192.168.15.0/24 ip daddr { 192.168.1.2, 201.13.73.8 } udp dport 45000-65535 dnat ip to 192.168.15.10:45000-65535 comment "!fw4: NintendoSwitch_NAT_A (reflection)"
                ip saddr 192.168.15.0/24 ip daddr { 192.168.1.2, 201.13.73.8 } tcp dport 80 dnat ip to 192.168.15.1:8181 comment "!fw4: DDNS-8181 (reflection)"
        }

        chain srcnat_lan {
                ip saddr 192.168.15.0/24 ip daddr 192.168.15.10 udp dport 45000-65535 snat ip to 192.168.15.1 comment "!fw4: NintendoSwitch_NAT_A (reflection)"
                ip saddr 192.168.15.0/24 ip daddr 192.168.15.1 tcp dport 8181 snat ip to 192.168.15.1 comment "!fw4: DDNS-8181 (reflection)"
        }

        chain dstnat_wan {
                meta nfproto ipv4 udp dport 45000-65535 counter packets 183 bytes 11104 dnat ip to 192.168.15.10:45000-65535 comment "!fw4: NintendoSwitch_NAT_A"
                meta nfproto ipv4 tcp dport 80 counter packets 0 bytes 0 dnat ip to 192.168.15.1:8181 comment "!fw4: DDNS-8181"
        }

        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }

        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }

        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
        }

        chain mangle_input {
                type filter hook input priority mangle; policy accept;
        }

        chain mangle_output {
                type route hook output priority mangle; policy accept;
        }

        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
                iifname { "eth0", "pppoe-wan" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
                oifname { "eth0", "pppoe-wan" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
        }

        chain upnp_forward {
                iif "pppoe-wan" th dport 54164 @nh,128,32 0xc0a80f4a @nh,72,8 0x11 accept
        }

        chain upnp_prerouting {
                iif "pppoe-wan" @nh,72,8 0x11 th dport 54164 dnat ip to 192.168.15.74:54164
        }

        chain upnp_postrouting {
        }
}
root@horus:~#

=> uci show network; uci show firewall; uci show openvpn

root@horus:~# uci show network; uci show firewall; uci show openvpn
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd1b:2c5c:4a50::/48'
network.lan=interface
network.lan.device='eth1'
network.lan.proto='static'
network.lan.ip6assign='64'
network.lan.ipaddr='192.168.15.1/24'
network.@device[0]=device
network.@device[0].name='eth0'
network.wan=interface
network.wan.proto='pppoe'
network.wan.device='eth0'
network.wan.username='cliente@cliente'
network.wan.password='cliente'
network.wan.service='Vivo Fibra'
network.wan.ipv6='auto'
network.onu_VSol=interface
network.onu_VSol.proto='static'
network.onu_VSol.device='eth0'
network.onu_VSol.ipaddr='192.168.1.2/30'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='DROP'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].drop_invalid='1'
firewall.@defaults[0].flow_offloading='1'
firewall.@defaults[0].flow_offloading_hw='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.network='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.device='pppoe-wan' 'tun+'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='DROP'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.device='eth0'
firewall.wan.network='pppoe-wan' 'wan' 'onu_VSol'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].enabled='0'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='NintendoSwitch_NAT_A'
firewall.@redirect[0].proto='udp'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='45000-65535'
firewall.@redirect[0].dest_ip='192.168.15.10'
firewall.@redirect[0].dest_port='45000-65535'
firewall.ovpn=rule
firewall.ovpn.name='Allow-OpenVPN'
firewall.ovpn.src='wan'
firewall.ovpn.dest_port='1194'
firewall.ovpn.proto='udp'
firewall.ovpn.target='ACCEPT'
firewall.@redirect[1]=redirect
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].name='DDNS-8181'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].src_dport='80'
firewall.@redirect[1].dest_ip='192.168.15.1'
firewall.@redirect[1].dest_port='8181'
firewall.@redirect[1].proto='tcp'
openvpn.server=openvpn
openvpn.server.enabled='1'
openvpn.server.config='/etc/openvpn/server.conf'
root@horus:~#

=> head -v -n -0 /etc/openvpn/*.conf

root@horus:~# head -v -n -0 /etc/openvpn/*.conf
==> /etc/openvpn/server.conf <==
user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.9.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.9.1"
push "dhcp-option DOMAIN hsh"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAk3DaNjmfUHqM5fmsacvR7nJdBd9Ghj7vsK53WasRoXtzhO7IT+sx
A1jgJZwJZ6aHJs0pcRQeL2IW8Xpo6m9TPf9wkr9zh/WSNA371UsfF6lLUwj5ZPcY
lMuJ+E8S7+MBJgyjhtIKa7cz/5or9+RNCl9558v4UX932sgBLDFMINHYb2OywfMW
JJv5Rjss1f+SA2FmINNGmwS4ovLiEUEKPttVJBKtVxlP6GQTJlzGfPc8pMHyFEMg
KVY1DL/a6lW0kzDLL8lRRrNprQu46tIMFwEnoUmx5kARbhlJqoZiy3RJJ8IUckIn
vzRVf5iPxPTPxLug/0Q5MmmJ2e6lW5QftwIBAg==
-----END DH PARAMETERS-----
</dh>
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 server key-----
++E1aX1EPgUot3rCSQVOX8yeCNsaCS9nvomDM/qTAAa7s6XVNccI+9EFhquD6yHj
6kG/ticH0POgw9VB80LPGv4fWPcNZWDueNreldJ50X4GQJL3fg82+pL2S8G/H1Bh
LYdfdEt60UJ64e2p4XGY3oGkKsgg+3iKGtFBXoeBWLc=
-----END OpenVPN tls-crypt-v2 server key-----
</tls-crypt-v2>
<key>
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>
root@horus:~#

I can start the configurations from scratch again on the router, but it is practically ready and operational.

Interestingly, even taking the oldest configurations I have in backup and replacing the files doesn't work.

I've completely removed OpenVPN and reinstalled it, generated new certificates, disconnected it, rebooted the router and nothing makes it work correctly again.

Sorry for the long post, but the logs are a bit long.
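One detail in the dumps above is worth checking before touching the OpenVPN config itself: pppoe-wan is listed as a device of the lan zone (firewall.lan.device='pppoe-wan' 'tun+') while it is also the wan zone's PPPoE interface, so in the nft input chain it appears in both the input_lan and the input_wan jump sets, and the lan jump comes first; that is consistent with the Allow-OpenVPN rule in input_wan showing 0 packets. The script below is an added example, not code from the thread: it parses the `chain input` block of `nft list ruleset` and reports every interface claimed by more than one zone together with the zone whose rules actually run. The sample chain is constructed from the lines shown above.

```python
import re

# Constructed sample: the input chain of the fw4 ruleset above, trimmed to the lines that matter.
SAMPLE_INPUT_CHAIN = """\
chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept comment "!fw4: Accept traffic from loopback"
        ct state established,related accept comment "!fw4: Allow inbound established and related flows"
        iifname "tun*" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
        iifname { "eth1", "pppoe-wan" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
        iifname { "eth0", "pppoe-wan" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
}
"""

# fw4 emits one `iifname ... jump input_<zone>` rule per zone (and per device pattern); the
# interface match is either a single quoted name or an anonymous set in braces.
_ZONE_JUMP = re.compile(r'^iifname\s+(\{[^}]*\}|"[^"]*")\s+jump\s+input_(\w+)\b')
_QUOTED = re.compile(r'"([^"]*)"')


def parse_zone_jumps(chain_text):
    """Return [(zone, [interfaces...]), ...] in rule order, which is also match order."""
    jumps = []
    for raw in chain_text.splitlines():
        m = _ZONE_JUMP.match(raw.strip())
        if m:
            jumps.append((m.group(2), _QUOTED.findall(m.group(1))))
    return jumps


def zones_by_interface(jumps):
    """Map each interface to the ordered, de-duplicated list of zones whose jump matches it.
    nft evaluates rules top to bottom and an accept/drop inside the jump target ends the
    evaluation of this hook, so the first zone is the one that really handles the traffic."""
    zones = {}
    for zone, ifaces in jumps:
        for ifc in ifaces:
            seen = zones.setdefault(ifc, [])
            if zone not in seen:
                seen.append(zone)
    return zones


def find_conflicts(chain_text):
    """Return {interface: [zones]} for every interface claimed by more than one zone."""
    return {ifc: z for ifc, z in zones_by_interface(parse_zone_jumps(chain_text)).items()
            if len(z) > 1}


def report(chain_text):
    """Human-readable lines, one per conflicting interface."""
    return [f"{ifc}: matched first by zone '{z[0]}'; zone(s) {', '.join(z[1:])} only see it "
            f"if '{z[0]}' returns without a verdict"
            for ifc, z in find_conflicts(chain_text).items()]


if __name__ == "__main__":
    for line in report(SAMPLE_INPUT_CHAIN) or ["no interface is claimed by more than one zone"]:
        print(line)
```

Run it against the real thing with `nft list chain inet fw4 input | python3 check_zones.py` after swapping the sample for `sys.stdin.read()`; a WAN interface that lands in a zone with input='ACCEPT' is accepted by that zone's accept_from_* chain before any wan rule, including the Allow-OpenVPN one, is ever evaluated.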

Thanks for your detailed description. I personally find it easier to just look at the configs instead of the UCI variables, but that is just me.

Just a guess: maybe your client does not know tls-crypt-v2 yet, as it is rather new.
So, to simplify things, remove tls-crypt; if it works you can try to put it back.


Fantastic @egc !!!

I edited the client .ovpn and removed the tls section...

The client connected at the same time!

Fantastic!

Now I will study this situation better: how to implement tls on the VPN.

Thanks a lot.

Great to hear you got it working.

You can try the ordinary tls-crypt (v1) key: make a simple static key and use it for both server and client, like:

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
XXXXXXXXXXXXXXXXXXXXX
-----END OpenVPN Static key V1-----
</tls-crypt>

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! 🙂
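The three control-channel wrappers are mutually exclusive and must match on both ends: tls-crypt-v2 (OpenVPN 2.5 and later) uses a server key on the server and a per-client key on the client, while tls-crypt (v1) and tls-auth share one static key, tls-auth additionally needing opposite key-direction values. When the two ends disagree, each side discards the other's control packets and the connection stalls before the TLS handshake, which is the symptom in this thread. The script below is an added example, not code from the thread or from OpenVPN: it parses a server config and a client .ovpn, inline <tag> blocks included, and reports whether their control-channel protection is compatible. The sample configs are constructed with placeholder key bodies, and vpn.example.invalid is a placeholder hostname.

```python
import re

# Constructed sample configs for this example (placeholder key bodies, not real keys).
# SERVER_CONF mirrors the control-channel directive of the server.conf shown above;
# vpn.example.invalid is a placeholder hostname.
SERVER_CONF = """\
dev tun
port 1194
proto udp
server 192.168.9.0 255.255.255.0
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 server key-----
PLACEHOLDER
-----END OpenVPN tls-crypt-v2 server key-----
</tls-crypt-v2>
"""
CLIENT_PLAIN = "client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n"
CLIENT_V2 = CLIENT_PLAIN + """\
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
PLACEHOLDER
-----END OpenVPN tls-crypt-v2 client key-----
</tls-crypt-v2>
"""
CLIENT_V1 = CLIENT_PLAIN + """\
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

# The three mutually exclusive ways OpenVPN can wrap its control channel.
CONTROL_MODES = ("tls-crypt-v2", "tls-crypt", "tls-auth")


def parse_openvpn(text):
    """Split an OpenVPN config into (options, inline): options maps each directive to the
    list of argument lists it was given; inline maps <tag> blocks (keys, certs, and also
    <connection> blocks, which are kept as opaque text) to their body."""
    options, inline, tag, body = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if tag is not None:                      # inside an inline <tag> ... </tag> block
            if line == f"</{tag}>":
                inline[tag], tag, body = "\n".join(body), None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            tag = m.group(1)
            continue
        parts = line.split()
        options.setdefault(parts[0], []).append(parts[1:])
    if tag is not None:
        raise ValueError(f"unterminated inline block <{tag}>")
    return options, inline


def control_channel_mode(options, inline):
    """Return which control-channel wrapping a config uses, or 'none' if it has none.
    A directive may be given with a file argument or as an inline block, so check both."""
    present = [m for m in CONTROL_MODES if m in options or m in inline]
    if len(present) > 1:
        raise ValueError(f"conflicting control-channel options: {present}")
    return present[0] if present else "none"


def tls_auth_direction(options):
    """Key direction for tls-auth: an explicit key-direction wins over 'tls-auth file dir'."""
    if "key-direction" in options:
        return options["key-direction"][-1][0]
    args = options.get("tls-auth", [[]])[-1]
    return args[1] if len(args) > 1 else None


def check_compat(server_text, client_text):
    """Return (ok, reason) saying whether the client's control channel matches the server's."""
    s_opts, s_inl = parse_openvpn(server_text)
    c_opts, c_inl = parse_openvpn(client_text)
    s_mode = control_channel_mode(s_opts, s_inl)
    c_mode = control_channel_mode(c_opts, c_inl)
    if s_mode != c_mode:
        return False, (f"server uses {s_mode}, client uses {c_mode}: the two ends wrap control "
                       f"packets differently, each drops the other's, and the TLS handshake never starts")
    if s_mode == "tls-crypt-v2":
        # v2 uses a server key and per-client keys; the PEM label tells them apart. Keys given
        # as file paths cannot be inspected here and are assumed to be the right kind.
        if "server key" not in s_inl.get("tls-crypt-v2", "server key"):
            return False, "server's inline tls-crypt-v2 block is not a server key"
        if "client key" not in c_inl.get("tls-crypt-v2", "client key"):
            return False, "client's inline tls-crypt-v2 block is not a client key"
    if s_mode == "tls-auth":
        sd, cd = tls_auth_direction(s_opts), tls_auth_direction(c_opts)
        if sd is not None and cd is not None and sd == cd:
            return False, f"tls-auth key-direction must differ between the ends (both are {sd})"
    return True, f"both sides use {s_mode}"


if __name__ == "__main__":
    for name, client in (("no wrapper", CLIENT_PLAIN), ("tls-crypt v1", CLIENT_V1), ("tls-crypt-v2", CLIENT_V2)):
        ok, reason = check_compat(SERVER_CONF, client)
        print(f"{name:>12}: {'OK' if ok else 'MISMATCH'} - {reason}")
```

Against the configs in this thread the first two client variants report a mismatch and only the tls-crypt-v2 client passes; the same check with the server switched to a v1 <tls-crypt> block passes for CLIENT_V1, which is the fallback suggested above.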

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.