I am trying to connect my (Windows and Apple) remote client to my home router so that I can remotely access servers and devices behind my firewall.
I have installed all of the components on both the client and server, I think that my problem is in the configuration.
I know that the certificate files are correct on both the client and server because this had been working at one point (I had to reset the router so the config and firewall files got wiped out because they weren't in the backup file list and I didn't have a copy off-router).
Results from logread on the OpenVPN/OpenWrt router:
Mon May 20 09:41:00 2019 daemon.notice openvpn(my_server)[808]: 185.245.86.12:49181 TLS: Initial packet from [AF_INET]185.245.86.12:49181, sid=46ae2e0d c9eff9ce
Mon May 20 09:41:00 2019 daemon.err openvpn(my_server)[808]: 185.245.86.12:49181 TLS Error: reading acknowledgement record from packet
Mon May 20 09:41:01 2019 daemon.err openvpn(my_server)[808]: 185.245.86.12:49181 TLS Error: reading acknowledgement record from packet
Mon May 20 09:41:06 2019 daemon.err openvpn(my_server)[808]: 185.245.86.12:49181 TLS Error: reading acknowledgement record from packet
Mon May 20 09:41:07 2019 daemon.err openvpn(my_server)[808]: 185.245.86.12:56886 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon May 20 09:41:07 2019 daemon.err openvpn(my_server)[808]: 185.245.86.12:56886 TLS Error: TLS handshake failed
Mon May 20 09:41:07 2019 daemon.notice openvpn(my_server)[808]: 185.245.86.12:56886 SIGUSR1[soft,tls-error] received, client-instance restarting
Here is my /etc/config/openvpn:
config openvpn 'my_server'
option enable '1'
option port '1194'
option proto 'udp'
option dev 'tap0'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/my-server.crt'
option key '/etc/openvpn/my-server.key'
option dh '/etc/openvpn/dh2048.pem'
option ifconfig_pool_persist '/tmp/ipp.txt'
option keepalive '10 120'
option 'comp_lzo' 'yes'
option persist_key '1'
option persist_tun '1'
option status '/tmp/openvpn-status.log'
option verb '3'
option server_bridge '192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.219'
list push 'redirect-gateway def1'
list push 'dhcp-option DNS 192.168.1.1'
option enabled '1'
Additional /etc/config/firewall settings:
config 'rule'
option 'target' 'ACCEPT'
option 'dest_port' '1194'
option 'src' 'wan'
option 'proto' 'tcpudp'
option 'family' 'ipv4'
Additional /etc/config/dhcp settings:
config dhcp 'lan'
option interface 'lan'
option ignore '0'
option start '50'
option limit '150'
Client (MacBook) .ovpn:
client
dev tun
proto udp
fast-io
remote someplace-really-cool.com 1194
nobind
persist-key
persist-tun
verb 3
key-direction 1
cipher AES-128-CBC
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4097 (0x1001)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=London, O=WWW Ltd.
Validity
Not Before: Jun 22 19:57:52 2018 GMT
Not After : Jun 19 19:57:52 2028 GMT
Subject: CN=my-client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature
X509v3 Extended Key Usage:
TLS Web Client Authentication
Signature Algorithm: sha256WithRSAEncryption
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
auth-nocache
client
dev tun
proto udp
fast-io
remote someplace-really-cool.com 1194
remote-cert-tls server
nobind
persist-key
persist-tun
verb 3
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4097 (0x1001)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=London, O=WWW Ltd.
Validity
Not Before: Jun 22 19:57:52 2018 GMT
Not After : Jun 19 19:57:52 2028 GMT
Subject: CN=my-client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature
X509v3 Extended Key Usage:
TLS Web Client Authentication
Signature Algorithm: sha256WithRSAEncryption
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
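Added example (not from the original post): OpenVPN needs several settings to agree on both ends before the TLS handshake and the tunnel can come up, among them the device type (tun vs tap), the presence of a tls-auth/tls-crypt static key with opposite key-direction values, and the cipher and auth algorithms. A static key configured on only one side is a common cause of control-channel errors such as "reading acknowledgement record from packet". The script below parses an OpenWrt UCI openvpn section and a client .ovpn profile and lists the disagreements. The two sample configs embedded in it are constructed copies of the server and client configs posted above with certificates and keys elided; the UCI option names are translated to OpenVPN's dashed form the same way the OpenWrt openvpn init script does (server_bridge becomes server-bridge). It checks configuration consistency only; it does not validate certificates, keys or firewall rules.

```python
"""Cross-check an OpenWrt /etc/config/openvpn server section against a client
.ovpn profile for the settings OpenVPN requires to agree on both ends.

Added example, not code from the original post.  SERVER_UCI and CLIENT_OVPN
are constructed to mirror the configs in the post, with certificates and
keys elided.
"""
import re

# Constructed: trimmed copy of the server section from the post.
SERVER_UCI = """\
config openvpn 'my_server'
option enable '1'
option port '1194'
option proto 'udp'
option dev 'tap0'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/my-server.crt'
option key '/etc/openvpn/my-server.key'
option dh '/etc/openvpn/dh2048.pem'
option 'comp_lzo' 'yes'
option server_bridge '192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.219'
list push 'redirect-gateway def1'
list push 'dhcp-option DNS 192.168.1.1'
option enabled '1'
"""

# Constructed: the client profile from the post with inline blocks elided.
CLIENT_OVPN = """\
client
dev tun
proto udp
remote someplace-really-cool.com 1194
nobind
key-direction 1
cipher AES-128-CBC
auth SHA256
<ca>
...
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
...
</tls-auth>
auth-nocache
"""

# `option name 'value'`, `option 'name' 'value'`, `list name 'value'`, or unquoted value.
_UCI_LINE = re.compile(r"^(option|list)\s+'?(\w+)'?\s+(?:'([^']*)'|(\S+))\s*$")


def parse_uci_openvpn(text, section):
    """Return {openvpn-option: value} for the `config openvpn '<section>'` block.

    UCI uses '_' where OpenVPN uses '-'; the init script translates the same way.
    """
    opts, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            in_section = re.fullmatch(rf"config\s+openvpn\s+'?{re.escape(section)}'?", line) is not None
            continue
        m = _UCI_LINE.match(line) if in_section else None
        if not m:
            continue
        kind, name, quoted, bare = m.groups()
        name = name.replace("_", "-")
        value = quoted if quoted is not None else bare
        if kind == "list":
            opts.setdefault(name, []).append(value)
        else:
            opts[name] = value
    return opts


def parse_ovpn(text):
    """Return {directive: value}; an inline <tag>...</tag> block is recorded as 'inline'."""
    opts, tag = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if tag:  # inside an inline block: skip its body until the close tag
            if line == f"</{tag}>":
                opts[tag] = "inline"
                tag = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            tag = m.group(1)
            continue
        name, _, value = line.partition(" ")
        opts[name] = value.strip()
    return opts


def dev_type(dev):
    """'tap0' -> 'tap', 'tun' -> 'tun'; anything else is returned unchanged."""
    m = re.match(r"(tun|tap)", dev)
    return m.group(1) if m else dev


def _control_auth(opts):
    """Which control-channel key directive (if any) this end configures."""
    for name in ("tls-crypt-v2", "tls-crypt", "tls-auth"):
        if name in opts:
            return name
    return None


def _direction(opts):
    """key-direction given as its own directive or as the 2nd field of tls-auth."""
    if "key-direction" in opts:
        return opts["key-direction"]
    parts = opts.get("tls-auth", "").split()
    return parts[1] if len(parts) > 1 else None


def check_pair(server, client):
    """Return a list of 'category: detail' findings where the two ends disagree."""
    findings = []
    sdev, cdev = server.get("dev", "tun"), client.get("dev", "tun")
    if dev_type(sdev) != dev_type(cdev):
        findings.append(f"dev: server '{sdev}' vs client '{cdev}'; both ends must use the same device type (tun or tap)")
    s_ta, c_ta = _control_auth(server), _control_auth(client)
    if s_ta != c_ta:
        findings.append(f"control-channel: server has {s_ta or 'no static key'} but client has "
                        f"{c_ta or 'no static key'}; tls-auth/tls-crypt must be configured on both ends")
    elif s_ta == "tls-auth":
        sd, cd = _direction(server), _direction(client)
        if (sd is None) != (cd is None) or (sd is not None and sd == cd):
            findings.append(f"key-direction: server {sd} vs client {cd}; use 0 on the server and 1 on the client, or omit on both")
    for opt in ("cipher", "auth"):
        s, c = server.get(opt), client.get(opt)
        if s != c:
            findings.append(f"{opt}: server {s or 'default'} vs client {c or 'default'}; set the same value explicitly on both ends")
    remote = client.get("remote", "").split()
    cport = remote[1] if len(remote) > 1 else "1194"
    if server.get("port", "1194") != cport:
        findings.append(f"port: server listens on {server.get('port', '1194')} but client connects to {cport}")
    if server.get("proto", "udp") != client.get("proto", "udp"):
        findings.append(f"proto: server {server.get('proto', 'udp')} vs client {client.get('proto', 'udp')}")
    return findings


def audit_post_configs():
    """Run the checks on the constructed copies of the post's configs."""
    return check_pair(parse_uci_openvpn(SERVER_UCI, "my_server"), parse_ovpn(CLIENT_OVPN))


if __name__ == "__main__":
    for finding in audit_post_configs():
        print(finding)
```

Run against the constructed copies it reports four disagreements: the tap/tun device type, a tls-auth key present only on the client, and a cipher and auth pinned only on the client. Point it at the real /etc/config/openvpn and .ovpn files to check a live pair.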