OpenVPN configuration

Hello everyone,

I need help with configuring OpenVPN via LuCI. I configured it step by step following a tutorial on YouTube. Everything is OK, but when a client tries to connect it times out (both on my LAN and on a data plan, tested via phone and computer). My router is connected behind a Telekom GPON via PPPoE (I do not have a static IP, but I am using No-IP DDNS). Could there be a problem with port forwarding on the Telekom GPON? Thank you. The DDNS is correctly configured because the XX.XX.XX.XX is the IP of Telekom.

Sat Jan 20 13:59:53 2024 Note: '--allow-compression' is not set to 'no', disabling data channel offload.
Sat Jan 20 13:59:53 2024 OpenVPN 2.6.8 [git:v2.6.8/3b0d9489cc423da3] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Nov 17 2023
Sat Jan 20 13:59:53 2024 Windows version 10.0 (Windows 10 or greater), amd64 executable
Sat Jan 20 13:59:53 2024 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
Sat Jan 20 13:59:53 2024 DCO version: 1.0.0
Sat Jan 20 13:59:53 2024 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Sat Jan 20 13:59:53 2024 Need hold release from management interface, waiting...
Sat Jan 20 13:59:54 2024 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:58366
Sat Jan 20 13:59:54 2024 MANAGEMENT: CMD 'state on'
Sat Jan 20 13:59:54 2024 MANAGEMENT: CMD 'log on all'
Sat Jan 20 13:59:54 2024 MANAGEMENT: CMD 'echo on all'
Sat Jan 20 13:59:54 2024 MANAGEMENT: CMD 'bytecount 5'
Sat Jan 20 13:59:54 2024 MANAGEMENT: CMD 'state'
Sat Jan 20 13:59:54 2024 MANAGEMENT: CMD 'hold off'
Sat Jan 20 13:59:54 2024 MANAGEMENT: CMD 'hold release'
Sat Jan 20 13:59:54 2024 MANAGEMENT: >STATE:1705755594,RESOLVE,,,,,,
Sat Jan 20 13:59:54 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:7500
Sat Jan 20 13:59:54 2024 Socket Buffers: R=[65536->65536] S=[64512->64512]
Sat Jan 20 13:59:54 2024 Attempting to establish TCP connection with [AF_INET]xx.xx.xx.xx:7500
Sat Jan 20 13:59:54 2024 MANAGEMENT: >STATE:1705755594,TCP_CONNECT,,,,,,
**Sat Jan 20 14:01:54 2024 TCP: connect to [AF_INET]xx.xx.xx.xx:7500 failed: Unknown error**
Sat Jan 20 14:01:54 2024 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
Sat Jan 20 14:01:54 2024 MANAGEMENT: >STATE:1705755714,RECONNECTING,connection-failed,,,,,
Sat Jan 20 14:01:54 2024 Restart pause, 5 second(s)
Sat Jan 20 14:01:59 2024 MANAGEMENT: >STATE:1705755719,RESOLVE,,,,,,
Sat Jan 20 14:01:59 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:7500

What is the device and version of OpenWrt?

fwiw, openvpn server guide here:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/server

openvpn client guide using luci here
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci#openvpn_client_using_luci

Are you trying to set up an OpenVPN server to connect to your home from outside?

What is the WAN IP address of the router, only give the first two octets and not the whole IP address, e.g.: aaa.bbb.

Hi, maybe the problem could be because of the double NAT. IP address: 78.80.XX.XX.

Hi, this device: https://openwrt.org/toh/tp-link/archer_c6_v3

and LuCI

And yes, I am trying to connect from outside network to my home


That looks like a public IPv4 address so should be reachable from outside (unless your ISP blocks it)

To be honest, setting up WireGuard is much easier. Have you considered using that?

For LuCI setup:
https://r.obin.ch/blog/2022/08/05/set-up-wireguard-on-openwrt/

Not that it cannot be done with OpenVPN, my EA8500 is the VPN server and has both an OpenVPN and WG server running :slight_smile:

I can try, I just hope I sent you the right IP. Because in the Overview the protocol is PPPoE and under it the IP address is Address: 100.65.XX.XX, but on myip.com it is 78.80.XX.XX.

That changes things. I need the WAN IP address as reported by the router; you can view it under Status > Overview, Network, IPv4 upstream, and it probably starts with 100.
This is CGNAT and means you cannot be reached from outside via IPv4.

You can ask your provider for a real IPv4 address. If that is not available, you might have an IPv6 address which you can use, or you can research things like ZeroTier, Tailscale, ngrok, or use a virtual private server in the cloud as man in the middle. Some VPN providers even support port forwarding via the VPN client.

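The comparison used in the reply above (WAN address reported by the router versus the address an external site sees), as an added example that is not part of the original thread: a POSIX shell script with hypothetical function names `classify_ipv4` and `inbound_verdict`. The sample addresses are constructed; 100.64.0.0/10 is the RFC 6598 shared address space used for CGNAT.

```shell
#!/bin/sh
# Added example: classify the router's WAN address and judge inbound reachability.

# Prints one of: cgnat | private | public | invalid
classify_ipv4() {
    case $1 in ''|*[!0-9.]*|*.) echo invalid; return ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                  # split the dotted quad into four octets
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return; }
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || { echo invalid; return; }
    done
    a=$1 b=$2
    if [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then
        echo cgnat             # 100.64.0.0/10 (RFC 6598)
    elif [ "$a" -eq 10 ] ||
         { [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; } ||
         { [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; }; then
        echo private           # RFC 1918
    else
        echo public
    fi
}

# $1 = WAN address shown on the router (Status > Overview, IPv4 upstream)
# $2 = address reported by an external "what is my IP" site
inbound_verdict() {
    kind=$(classify_ipv4 "$1")
    if [ "$kind" = invalid ] || [ "$(classify_ipv4 "$2")" = invalid ]; then
        echo invalid-input
    elif [ "$kind" = cgnat ]; then
        echo cgnat-unreachable            # ISP NAT sits in front of the router
    elif [ "$kind" = private ]; then
        echo double-nat-upstream-router   # forward the port on the upstream box too
    elif [ "$1" != "$2" ]; then
        echo address-mismatch-nat-upstream
    else
        echo public-wan-forwardable       # a port forward can work, unless the ISP filters it
    fi
}

# Constructed sample values mirroring the situation in this thread
echo "router 100.65.1.2, external 203.0.113.7: $(inbound_verdict 100.65.1.2 203.0.113.7)"
echo "router 203.0.113.7, external 203.0.113.7: $(inbound_verdict 203.0.113.7 203.0.113.7)"
```

A DDNS name that resolves to the external address does not change the verdict, because the DDNS client only publishes what the outside world sees, not what the router owns.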

Yes, the WAN IP address reported by the router is the 100... I can activate IPv4 instantly for 4€ / month, so nothing much. Thank you for the advice.
