OpenVPN Server - Connects from LAN but not WAN

Hello,

I'm stuck and it would be great to have some help, please.

I've set up an OpenVPN server on OpenWrt 22.0.3.2 on x86_64.

I can connect OK using the VPN client in Ubuntu to the OpenVPN server on the router when going LAN to LAN.

But if I change the client config to use my public IP, the connection times out after 30 seconds.

This site claims the port I'm using (1914) is closed!

But I've added a Firewall Traffic rule to Allow TCP/UDP IPv4 and IPv6 From Any Zone to This Device, port 1914.

OpenVPN is running on 192.168.1.1 and listening to UDP port 1914. It works when connecting from LAN, but not via WAN.

Interfaces:

WAN + WAN_TETHERED (PPPoE internet and backup USB phone; a change of IP triggers a DDNS script).

LAN = 192.168.1.0/24 (primarily 2.4g & 5g wifi). Router 192.168.1.1

VPN = Static 10.3.3.1/32, device=tun0

Router Firewall Zones:

LAN = LAN interface.

WAN = WAN + WAN_TETHERED interfaces.

VPN = VPN interface.

LAN = Forward to WAN (Input=Accept, Output=Accept, Forward=Reject)
WAN = No forwards (Input=Drop, Output=Accept, Forward=Reject)
VM = Forward to WAN and VPN (Input=Reject, Output=Accept, Forward=Reject)
VPN = Forward to VM (Input=Reject, Output=Accept, Forward=Reject)

Firewall Traffic rule to Allow TCP/UDP IPv4 and IPv6 From Any Zone to This Device, port 1914.

I've run out of talent and am hoping you can help :slight_smile:

Thank you!

Let's see your configs:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/openvpn

Thank you!

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdde:8273:ca58::/48'
	option packet_steering '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.1'

config interface 'wan'
	option device 'eth0'
	option proto 'pppoe'
	option username 'redacted'
	option password 'redacted'
	option ipv6 'auto'

config device
	option name 'br-lan'
	option type 'bridge'
	option bridge_empty '1'
	list ports 'wlan0'
	list ports 'wlan1'
	list ports 'eth1'

config interface 'WAN_Tethered'
	option proto 'dhcp'
	option device 'usb0'
	option hostname '*'

config device
	option name 'wlan0-1'

config device
	option name 'wlan1-1'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'wlan0-1'
	list ports 'wlan1-1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.15.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-vm'
	option bridge_empty '1'
	list ports 'vnet0'

config interface 'vm'
	option proto 'static'
	option device 'br-vm'
	option ipaddr '192.168.33.1'
	option netmask '255.255.255.0'

config device
	option name 'eth1'

config device
	option name 'vnet0'
	option macaddr 'redacted'
	option mtu '1500'

config interface 'VPN'
	option device 'tun0'
	option proto 'static'
	option ipaddr '10.3.3.1'
	option netmask '255.255.255.0'

root@Router:/tmp/log# 

cat /etc/config/firewall

config defaults
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option input 'DROP'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	list network 'wan'
	list network 'WAN_Tethered'
	option log '1'
	option log_limit '1/second'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Drop'
	option target 'DROP'
	option src '*'
	list src_ip '85.217.144.0/24'
	option enabled '0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	option name 'Drop-Ping'
	list icmp_type 'echo-request'
	option target 'DROP'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

config include
	option path '/etc/firewall.cs'
	option enabled '1'
	option reload '1'

config zone 'guest'
	option name 'guest'
	option network 'guest'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Allow SMTP'
	list proto 'tcp'
	option target 'ACCEPT'
	option dest_port '25 587'
	option src '*'

config rule
	option target 'ACCEPT'
	option dest_port '995'
	option name 'Allow POP3s'
	option src '*'
	list proto 'tcp'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option src_port '68'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-VM'
	option src 'vm'
	option dest_port '53'
	option target 'ACCEPT'

config zone
	option name 'vm'
	option input 'REJECT'
	option output 'ACCEPT'
	list network 'vm'
	option forward 'REJECT'

config forwarding
	option src 'vm'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-VM'
	list proto 'udp'
	option src 'vm'
	option src_port '68'
	option dest_port '67'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow OpenVPN'
	option dest_port '1914'
	option target 'ACCEPT'
	option src '*'
	list proto 'udp'

config zone
	option output 'ACCEPT'
	option name 'vpn'
	list network 'VPN'
	option log '1'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option dest 'vm'
	option src 'vpn'

config forwarding
	option src 'vm'
	option dest 'vpn'

config rule
	option name 'Allow SSH from VPN'
	option src 'vpn'
	option dest_port '3333'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option name 'Allow RDP from VPN to VM'
	option src 'vpn'
	option dest 'vm'
	option dest_port '3389'
	option target 'ACCEPT'

cat /etc/config/openvpn

config openvpn '365VPN'
	option config '/etc/openvpn/server/server.conf'
	option enabled '1'

cat /etc/openvpn/server/server.conf

local 192.168.1.1
port 1914
proto udp
dev tun

persist-key
persist-tun

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/365VPN.crt
crl-verify /etc/openvpn/server/crl.pem
dh /etc/openvpn/server/dh.pem
key /etc/openvpn/server/365VPN.key
tls-crypt /etc/openvpn/server/ta.key

auth SHA256

tls-version-min 1.3
reneg-sec 36000

tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
data-ciphers AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305

topology subnet
mode server
server 10.3.3.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn-ipp.txt 600

user nobody
group nogroup

max-clients 5

keepalive 38 160
push "route 192.168.33.0 255.255.255.0"
push "inactive 7200 500000"

status /var/log/openvpn-status.log

log-append  /var/log/openvpn.log

# Start at verb 6 for testing, then switch to 3 or 4
verb 6

mute 10

# If using Proto TCP, set to 0
explicit-exit-notify 1
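
Added example, not from the thread or the OpenWrt project: a small Python checker that parses UCI firewall text like the config posted above and answers the question the original post asks (is UDP/1914 accepted from the wan zone?). The sample config is a constructed subset of the rules above. The verdict logic encodes my reading of fw3/fw4 semantics, which is an assumption to verify against the OpenWrt docs: a traffic rule with `src` but no `dest` applies to the input chain, `src '*'` matches any zone, a missing `proto` means `tcp udp`, the first matching rule wins, and otherwise the zone's own input policy and then the defaults apply.

```python
"""Parse OpenWrt UCI config text and report the input-chain verdict for a port.
Added example; not from the thread. See the lead-in for the assumed semantics."""
import shlex

# Constructed sample: a subset of the firewall config posted in the thread.
SAMPLE_FIREWALL = """
config defaults
    option output 'ACCEPT'
    option forward 'REJECT'
    option input 'DROP'

config zone
    option name 'wan'
    option input 'DROP'
    list network 'wan'
    list network 'WAN_Tethered'

config zone
    option name 'vpn'
    option input 'REJECT'

config rule
    option name 'Allow OpenVPN'
    option dest_port '1914'
    option target 'ACCEPT'
    option src '*'
    list proto 'udp'

config rule
    option name 'Allow SSH from VPN'
    option src 'vpn'
    option dest_port '3333'
    option target 'ACCEPT'
    list proto 'tcp'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option target 'ACCEPT'
    option enabled '0'
"""


def parse_uci(text):
    """Return [{'type', 'name', 'options': {key: [values]}}]; option and list
    values are both stored as lists so callers treat them uniformly."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)  # handles the 'quoted value' form
        if parts[0] == 'config' and len(parts) >= 2:
            sections.append({'type': parts[1],
                             'name': parts[2] if len(parts) > 2 else None,
                             'options': {}})
        elif parts[0] in ('option', 'list') and sections and len(parts) >= 2:
            value = parts[2] if len(parts) > 2 else ''
            sections[-1]['options'].setdefault(parts[1], []).append(value)
    return sections


def _words(values):
    """Flatten values like ['tcp udp'] or ['25 587'] into single tokens."""
    out = []
    for v in values:
        for tok in v.split():
            out.extend(['tcp', 'udp'] if tok == 'tcpudp' else [tok])
    return out


def port_matches(dest_port_values, port):
    """True if port is covered by a dest_port spec ('1914', '25 587', '5000-5100')."""
    for tok in _words(dest_port_values):
        lo, _, hi = tok.partition('-')
        if hi and lo.isdigit() and hi.isdigit():
            if int(lo) <= port <= int(hi):
                return True
        elif tok.isdigit() and int(tok) == port:
            return True
    return False


def input_verdict(sections, zone, proto, port):
    """Verdict (ACCEPT/REJECT/DROP) for traffic from `zone` to the router itself."""
    for s in sections:
        if s['type'] != 'rule':
            continue
        o = s['options']
        if o.get('enabled', ['1'])[0] == '0':
            continue
        if 'src' not in o or 'dest' in o:  # output or forward rule, not input
            continue
        if o['src'][0] not in ('*', zone):
            continue
        protos = _words(o.get('proto', ['tcp udp']))
        if proto not in protos and 'all' not in protos:
            continue
        if 'dest_port' in o and not port_matches(o['dest_port'], port):
            continue
        return o.get('target', ['DROP'])[0]  # first matching rule wins
    for s in sections:  # no rule matched: zone policy, then defaults
        if s['type'] == 'zone' and s['options'].get('name', [''])[0] == zone:
            if 'input' in s['options']:
                return s['options']['input'][0]
    for s in sections:
        if s['type'] == 'defaults' and 'input' in s['options']:
            return s['options']['input'][0]
    return 'DROP'


def zones_allowed_on_port(sections, proto, port):
    """Every zone from which the given service on the router is reachable."""
    names = [s['options']['name'][0] for s in sections
             if s['type'] == 'zone' and 'name' in s['options']]
    return [z for z in names if input_verdict(sections, z, proto, port) == 'ACCEPT']


if __name__ == '__main__':
    fw = parse_uci(SAMPLE_FIREWALL)
    print('wan udp/1914 ->', input_verdict(fw, 'wan', 'udp', 1914))  # ACCEPT
    print('wan tcp/1914 ->', input_verdict(fw, 'wan', 'tcp', 1914))  # DROP
    print('zones reaching udp/1914:', zones_allowed_on_port(fw, 'udp', 1914))
```

Run as written it reports ACCEPT for wan/udp/1914 and DROP for wan/tcp/1914, so the firewall layer is consistent with what the post describes. Two points from the defender's side: `src '*'` opens the port from every zone (guest and vm included), so `src 'wan'` is the tighter scope for an internet-facing listener; and the checker only sees the firewall, not what the daemon binds to. OpenVPN's `local` directive binds the socket to that one address, so the `local 192.168.1.1` line in server.conf is a separate thing to verify whenever a service answers on one address of the router but not another.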


wlan devices don't belong in /etc/config/network -- remove them.

Remove these, too...

Make tun0 unmanaged (OpenVPN will do what it needs... here it should be proto 'none')

config interface 'VPN'
	option device 'tun0'
	option proto 'none'

remove this:

Hi psherman,

I've made these corrections and ran /etc/init.d/network restart, and the end result was the same behaviour. So I restarted the router and it's still the same, in that I can connect the client to the VPN using the router's LAN IP, but when I change the client config to use the router's public/WAN IP, it times out.

If my client has the OpenVPN IP set to the WAN IP of the router, but crucially the client is still on the WiFi, I get some output in the openvpn.log of the router (but it still fails):

2023-05-02 10:22:08 us=277524 MULTI: multi_create_instance called
2023-05-02 10:22:08 us=277574 192.168.1.6:33286 Re-using SSL/TLS context
2023-05-02 10:22:08 us=277633 192.168.1.6:33286 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-05-02 10:22:08 us=277649 192.168.1.6:33286 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-05-02 10:22:08 us=277661 192.168.1.6:33286 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-05-02 10:22:08 us=277674 192.168.1.6:33286 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-05-02 10:22:08 us=277763 192.168.1.6:33286 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
2023-05-02 10:22:08 us=277779 192.168.1.6:33286 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2023-05-02 10:22:08 us=277809 192.168.1.6:33286 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1553,tun-mtu 1500,proto UDPv4,auth SHA256,keysize 128,key-method 2,tls-server'
2023-05-02 10:22:08 us=277821 192.168.1.6:33286 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1553,tun-mtu 1500,proto UDPv4,auth SHA256,keysize 128,key-method 2,tls-client'
2023-05-02 10:22:08 us=277844 192.168.1.6:33286 UDPv4 READ [54] from [AF_INET]192.168.1.6:33286: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=356 DATA len=40
2023-05-02 10:22:08 us=277860 192.168.1.6:33286 TLS: Initial packet from [AF_INET]192.168.1.6:33286, sid=9349676f 6456ffdf
2023-05-02 10:22:08 us=277887 192.168.1.6:33286 UDPv4 WRITE [66] to [AF_INET]192.168.1.6:33286: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=356 DATA len=52
2023-05-02 10:22:10 us=522807 192.168.1.6:33286 UDPv4 WRITE [54] to [AF_INET]192.168.1.6:33286: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=612 DATA len=40
2023-05-02 10:22:10 us=730024 192.168.1.6:33286 UDPv4 READ [54] from [AF_INET]192.168.1.6:33286: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=612 DATA len=40
2023-05-02 10:22:10 us=730212 192.168.1.6:33286 UDPv4 WRITE [62] to [AF_INET]192.168.1.6:33286: P_ACK_V1 kid=0 [ ]
2023-05-02 10:22:14 us=48199 192.168.1.6:33286 UDPv4 WRITE [54] to [AF_INET]192.168.1.6:33286: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=1124 DATA len=40
2023-05-02 10:22:14 us=319076 192.168.1.6:33286 UDPv4 READ [54] from [AF_INET]192.168.1.6:33286: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=868 DATA len=40
2023-05-02 10:22:14 us=319264 192.168.1.6:33286 UDPv4 WRITE [62] to [AF_INET]192.168.1.6:33286: P_ACK_V1 kid=0 [ ]

Whereas if I turn off the client WiFi and use tethered mobile to get internet, there is nothing in the router's OpenVPN server log (and it fails).
And the public IP of my client does not show up in the router syslog of dropped connections.

Thanks again!

EDIT:

On the same client I have another OpenVPN config that points to another OpenVPN server I set up somewhere else (it's basically the same setup, but one is Windows and the other is on an OpenWrt router). And that works. So I don't think it's firewall-related on the client.

What does the log in the client say when trying to connect from wan side?

Do you really have a public WAN address, or are you behind an ISP firewall?

Hi Flygarn12,

Yes, I have a public IP (the router also hosts Exim SMTP + Dovecot POP3S).

I ran dmesg on the client and looked in ~/.openVPN and can't see a log file for the client.
Perhaps because it's Ubuntu using NetworkManager, it's in another location (which I will google shortly).

But I decided to run openvpn from the CLI to get stdout and have some more interesting results, including a successful connection!

Client output below

Failed - Connecting to WAN IP (while on the WiFi connection which is provided by the router OpenVPN runs on).

2023-05-02 10:57:30 us=919620 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
2023-05-02 10:57:30 us=919634 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
🔐 Enter Private Key Password: ***********             
2023-05-02 10:57:39 us=106108 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-05-02 10:57:39 us=106153 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-05-02 10:57:39 us=106175 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-05-02 10:57:39 us=106196 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-05-02 10:57:39 us=106341 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
2023-05-02 10:57:39 us=541601 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 AF:14/121 ]
2023-05-02 10:57:39 us=541683 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1553,tun-mtu 1500,proto UDPv4,auth SHA256,keysize 128,key-method 2,tls-client'
2023-05-02 10:57:39 us=541704 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1553,tun-mtu 1500,proto UDPv4,auth SHA256,keysize 128,key-method 2,tls-server'
2023-05-02 10:57:39 us=541944 TCP/UDP: Preserving recently used remote address: [AF_INET]9.9.9.9(actual ip redacted):1914
2023-05-02 10:57:39 us=541986 Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-05-02 10:57:39 us=542005 UDP link local: (not bound)
2023-05-02 10:57:39 us=542030 UDP link remote: [AF_INET]9.9.9.9(actual ip redacted):1914
2023-05-02 10:57:39 us=542049 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2023-05-02 10:57:39 us=542134 UDP WRITE [54] to [AF_INET]9.9.9.9(actual ip redacted):1914: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=356 DATA len=40
2023-05-02 10:57:39 us=545157 UDP READ [66] from [AF_INET]192.168.1.1:1914: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=356 DATA len=52
2023-05-02 10:57:39 us=545196 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.1.1:1914[2], expected peer address: [AF_INET]9.9.9.9(actual ip redacted):1914 (allow this incoming source address/port by removing --remote or adding --float)
2023-05-02 10:57:41 us=551374 UDP WRITE [54] to [AF_INET]9.9.9.9(actual ip redacted):1914: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=612 DATA len=40
2023-05-02 10:57:41 us=553868 UDP READ [66] from [AF_INET]192.168.1.1:1914: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=612 DATA len=52
2023-05-02 10:57:41 us=553906 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.1.1:1914[2], expected peer address: [AF_INET]9.9.9.9(actual ip redacted):1914 (allow this incoming source address/port by removing --remote or adding --float)
2023-05-02 10:57:45 us=566142 UDP WRITE [54] to [AF_INET]9.9.9.9(actual ip redacted):1914: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=868 DATA len=40
2023-05-02 10:57:45 us=568718 UDP READ [66] from [AF_INET]192.168.1.1:1914: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=868 DATA len=52
2023-05-02 10:57:45 us=568755 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.1.1:1914[2], expected peer address: [AF_INET]9.9.9.9(actual ip redacted):1914 (allow this incoming source address/port by removing --remote or adding --float)

Worked - Connecting to WAN IP (while using 4G mobile tethered to the same Ubuntu client that failed above).

2023-05-02 11:03:20 us=6581 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
2023-05-02 11:03:20 us=6595 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
🔐 Enter Private Key Password: ***********             
2023-05-02 11:03:25 us=441988 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-05-02 11:03:25 us=442044 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-05-02 11:03:25 us=442074 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-05-02 11:03:25 us=442103 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-05-02 11:03:25 us=442252 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
2023-05-02 11:03:25 us=481589 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 AF:14/121 ]
2023-05-02 11:03:25 us=481636 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1553,tun-mtu 1500,proto UDPv4,auth SHA256,keysize 128,key-method 2,tls-client'
2023-05-02 11:03:25 us=481649 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1553,tun-mtu 1500,proto UDPv4,auth SHA256,keysize 128,key-method 2,tls-server'
2023-05-02 11:03:25 us=481795 TCP/UDP: Preserving recently used remote address: [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914
2023-05-02 11:03:25 us=481825 Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-05-02 11:03:25 us=481835 UDP link local: (not bound)
2023-05-02 11:03:25 us=481845 UDP link remote: [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914
2023-05-02 11:03:25 us=481856 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2023-05-02 11:03:25 us=481917 UDP WRITE [54] to [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=356 DATA len=40
2023-05-02 11:03:25 us=504368 UDP READ [66] from [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=356 DATA len=52
2023-05-02 11:03:25 us=504395 TLS: Initial packet from [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914, sid=c6753d6b e8c13cc9
2023-05-02 11:03:25 us=504438 UDP WRITE [62] to [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_ACK_V1 kid=0 [ ]
2023-05-02 11:03:25 us=504504 UDP WRITE [275] to [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_CONTROL_V1 kid=0 [ ] pid=868 DATA len=261
2023-05-02 11:03:25 us=541445 UDP READ [1128] from [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_CONTROL_V1 kid=0 [ ] pid=612 DATA len=1114
2023-05-02 11:03:25 us=541750 UDP WRITE [62] to [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_ACK_V1 kid=0 [ ]
2023-05-02 11:03:25 us=541799 UDP READ [1116] from [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_CONTROL_V1 kid=0 [ ] pid=868 DATA len=1102
2023-05-02 11:03:25 us=541825 UDP WRITE [62] to [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_ACK_V1 kid=0 [ ]
2023-05-02 11:03:25 us=541853 UDP READ [1116] from [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_CONTROL_V1 kid=0 [ ] pid=1124 DATA len=1102
2023-05-02 11:03:25 us=541875 UDP WRITE [62] to [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_ACK_V1 kid=0 [ ]
2023-05-02 11:03:25 us=541902 UDP READ [1116] from [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_CONTROL_V1 kid=0 [ ] pid=1380 DATA len=1102
2023-05-02 11:03:25 us=543042 VERIFY OK: depth=1, C=UK, ST=zzzz, L=zzzz, O=MyDomain, OU=My Organizational Unit, CN=365VPN, emailAddress=postmaster@MyDomain.uk
2023-05-02 11:03:25 us=543295 VERIFY KU OK
2023-05-02 11:03:25 us=543305 Validating certificate extended key usage
2023-05-02 11:03:25 us=543310 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-05-02 11:03:25 us=543316 VERIFY EKU OK
2023-05-02 11:03:25 us=543321 VERIFY OK: depth=0, C=UK, ST=zzzz, L=zzzz, O=MyDomain, OU=My Organizational Unit, CN=365VPN, emailAddress=postmaster@MyDomain.uk
2023-05-02 11:03:25 us=543348 UDP WRITE [62] to [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_ACK_V1 kid=0 [ ]
2023-05-02 11:03:25 us=564302 UDP READ [507] from [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_CONTROL_V1 kid=0 [ ] pid=1636 DATA len=493
2023-05-02 11:03:25 us=573944 UDP WRITE [1128] to [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_CONTROL_V1 kid=0 [ ] pid=2148 DATA len=1114
2023-05-02 11:03:25 us=574007 UDP WRITE [1116] to [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_CONTROL_V1 kid=0 [ ] pid=2404 DATA len=1102
2023-05-02 11:03:25 us=574040 UDP WRITE [1116] to [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_CONTROL_V1 kid=0 [ ] pid=2660 DATA len=1102
2023-05-02 11:03:25 us=574070 UDP WRITE [1116] to [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_CONTROL_V1 kid=0 [ ] pid=2916 DATA len=1102
2023-05-02 11:03:25 us=606298 UDP READ [62] from [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_ACK_V1 kid=0 [ ]
2023-05-02 11:03:25 us=606360 UDP WRITE [493] to [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_CONTROL_V1 kid=0 [ ] pid=3172 DATA len=479
2023-05-02 11:03:25 us=606408 UDP READ [62] from [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_ACK_V1 kid=0 [ ]
2023-05-02 11:03:25 us=613310 UDP READ [62] from [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_ACK_V1 kid=0 [ ]
2023-05-02 11:03:25 us=615290 UDP READ [62] from [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_ACK_V1 kid=0 [ ]
2023-05-02 11:03:25 us=636290 UDP READ [224] from [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_CONTROL_V1 kid=0 [ ] pid=2916 DATA len=210
2023-05-02 11:03:25 us=636442 UDP WRITE [62] to [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_ACK_V1 kid=0 [ ]
2023-05-02 11:03:25 us=636490 UDP READ [256] from [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_CONTROL_V1 kid=0 [ ] pid=3172 DATA len=242
2023-05-02 11:03:25 us=636527 UDP WRITE [62] to [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_ACK_V1 kid=0 [ ]
2023-05-02 11:03:25 us=636555 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2023-05-02 11:03:25 us=636571 [365VPN] Peer Connection Initiated with [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914
2023-05-02 11:03:25 us=663316 UDP READ [266] from [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_CONTROL_V1 kid=0 [ ] pid=3428 DATA len=252
2023-05-02 11:03:25 us=663380 PUSH: Received control message: 'PUSH_REPLY,route 192.168.33.0 255.255.255.0,inactive 7200 500000,route-gateway 10.3.3.1,topology subnet,ping 38,ping-restart 160,ifconfig 10.3.3.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2023-05-02 11:03:25 us=663429 OPTIONS IMPORT: timers and/or timeouts modified
2023-05-02 11:03:25 us=663438 OPTIONS IMPORT: --ifconfig/up options modified
2023-05-02 11:03:25 us=663443 OPTIONS IMPORT: route options modified
2023-05-02 11:03:25 us=663448 OPTIONS IMPORT: route-related options modified
2023-05-02 11:03:25 us=663453 OPTIONS IMPORT: peer-id set
2023-05-02 11:03:25 us=663457 OPTIONS IMPORT: adjusting link_mtu to 1624
2023-05-02 11:03:25 us=663462 OPTIONS IMPORT: data channel crypto options modified
2023-05-02 11:03:25 us=663468 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-05-02 11:03:25 us=663485 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 AF:14/121 ]
2023-05-02 11:03:25 us=663552 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-05-02 11:03:25 us=663561 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-05-02 11:03:25 us=663578 net_route_v4_best_gw query: dst 0.0.0.0
2023-05-02 11:03:25 us=663631 sitnl_send: checking for received messages
2023-05-02 11:03:25 us=663644 sitnl_send: rtnl: received 848 bytes
2023-05-02 11:03:25 us=663667 net_route_v4_best_gw result: via 192.168.188.231 dev usb0
2023-05-02 11:03:25 us=663695 ROUTE_GATEWAY 192.168.188.231/255.255.255.0 IFACE=usb0 HWADDR=redacted
2023-05-02 11:03:25 us=663952 TUN/TAP device tun0 opened
2023-05-02 11:03:25 us=663970 do_ifconfig, ipv4=1, ipv6=0
2023-05-02 11:03:25 us=663992 net_iface_mtu_set: mtu 1500 for tun0
2023-05-02 11:03:25 us=664016 sitnl_send: checking for received messages
2023-05-02 11:03:25 us=664028 sitnl_send: rtnl: received 36 bytes
2023-05-02 11:03:25 us=664048 net_iface_up: set tun0 up
2023-05-02 11:03:25 us=664131 sitnl_send: checking for received messages
2023-05-02 11:03:25 us=664146 sitnl_send: rtnl: received 36 bytes
2023-05-02 11:03:25 us=664160 net_addr_v4_add: 10.3.3.2/24 dev tun0
2023-05-02 11:03:25 us=664262 sitnl_send: checking for received messages
2023-05-02 11:03:25 us=664276 sitnl_send: rtnl: received 36 bytes
2023-05-02 11:03:25 us=664300 net_route_v4_add: 192.168.33.0/24 via 10.3.3.1 dev [NULL] table 0 metric -1
2023-05-02 11:03:25 us=664335 sitnl_send: checking for received messages
2023-05-02 11:03:25 us=664346 sitnl_send: rtnl: received 36 bytes
2023-05-02 11:03:25 us=664365 GID set to nm-openvpn
2023-05-02 11:03:25 us=664380 UID set to nm-openvpn
2023-05-02 11:03:25 us=664398 Initialization Sequence Completed
2023-05-02 11:03:25 us=664416 UDP WRITE [62] to [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_ACK_V1 kid=0 [ ]
2023-05-02 11:04:03 us=633053 UDP READ [40] from [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_DATA_V2 kid=0 DATA len=39
2023-05-02 11:04:03 us=633135 UDP WRITE [40] to [AF_INET6]aa:aa::aa:aa(ip6 redacted):1914: P_DATA_V2 kid=0 DATA len=39

Failed - Having changed both the OpenVPN server.conf and client.conf files to use proto UDP4 instead of proto UDP (to try and stipulate IPv4 only):

2023-05-02 11:19:03 us=71286 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
2023-05-02 11:19:03 us=71296 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
🔐 Enter Private Key Password: ***********             
2023-05-02 11:19:10 us=426829 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-05-02 11:19:10 us=426872 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-05-02 11:19:10 us=426891 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-05-02 11:19:10 us=426926 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-05-02 11:19:10 us=427106 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
2023-05-02 11:19:10 us=433420 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 AF:14/121 ]
2023-05-02 11:19:10 us=433472 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1553,tun-mtu 1500,proto UDPv4,auth SHA256,keysize 128,key-method 2,tls-client'
2023-05-02 11:19:10 us=433493 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1553,tun-mtu 1500,proto UDPv4,auth SHA256,keysize 128,key-method 2,tls-server'
2023-05-02 11:19:10 us=433606 TCP/UDP: Preserving recently used remote address: [AF_INET]9.9.9.9(ipv4 redacted):1914
2023-05-02 11:19:10 us=433621 Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-05-02 11:19:10 us=433628 UDPv4 link local: (not bound)
2023-05-02 11:19:10 us=433633 UDPv4 link remote: [AF_INET]9.9.9.9(ipv4 redacted):1914
2023-05-02 11:19:10 us=433638 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2023-05-02 11:19:10 us=433675 UDPv4 WRITE [54] to [AF_INET]9.9.9.9(ipv4 redacted):1914: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=356 DATA len=40
2023-05-02 11:19:12 us=518105 UDPv4 WRITE [54] to [AF_INET]9.9.9.9(ipv4 redacted):1914: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=612 DATA len=40
2023-05-02 11:19:16 us=686624 UDPv4 WRITE [54] to [AF_INET]9.9.9.9(ipv4 redacted):1914: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=868 DATA len=40
2023-05-02 11:19:24 us=533332 UDPv4 WRITE [54] to [AF_INET]9.9.9.9(ipv4 redacted):1914: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=1124 DATA len=40
2023-05-02 11:19:40 us=196450 UDPv4 WRITE [54] to [AF_INET]9.9.9.9(ipv4 redacted):1914: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=1380 DATA len=40
2023-05-02 11:20:10 us=920190 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2023-05-02 11:20:10 us=920234 TLS Error: TLS handshake failed
2023-05-02 11:20:10 us=920362 TCP/UDP: Closing socket
2023-05-02 11:20:10 us=920398 SIGUSR1[soft,tls-error] received, process restarting
2023-05-02 11:20:10 us=920424 Restart pause, 5 second(s)
2023-05-02 11:20:15 us=920537 Re-using SSL/TLS context
2023-05-02 11:20:15 us=920682 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-05-02 11:20:15 us=920715 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-05-02 11:20:15 us=920732 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-05-02 11:20:15 us=920752 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-05-02 11:20:15 us=920834 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
2023-05-02 11:20:15 us=928621 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 AF:14/121 ]
2023-05-02 11:20:15 us=928676 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1553,tun-mtu 1500,proto UDPv4,auth SHA256,keysize 128,key-method 2,tls-client'
2023-05-02 11:20:15 us=928691 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1553,tun-mtu 1500,proto UDPv4,auth SHA256,keysize 128,key-method 2,tls-server'
2023-05-02 11:20:15 us=928700 TCP/UDP: Preserving recently used remote address: [AF_INET]9.9.9.9(ipv4 redacted):1914
2023-05-02 11:20:15 us=928714 Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-05-02 11:20:15 us=928720 UDPv4 link local: (not bound)
2023-05-02 11:20:15 us=928725 UDPv4 link remote: [AF_INET]9.9.9.9(ipv4 redacted):1914
2023-05-02 11:20:15 us=928751 UDPv4 WRITE [54] to [AF_INET]9.9.9.9(ipv4 redacted):1914: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=356 DATA len=40
2023-05-02 11:20:17 us=165269 UDPv4 WRITE [54] to [AF_INET]9.9.9.9(ipv4 redacted):1914: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=612 DATA len=40
^C2023-05-02 11:20:21 us=302613 event_wait : Interrupted system call (code=4)
2023-05-02 11:20:21 us=302831 TCP/UDP: Closing socket
2023-05-02 11:20:21 us=302879 SIGINT[hard,] received, process exiting
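
Added example, not from the thread: a Python classifier that reads OpenVPN client output like the three runs above and labels each run as connected, peer-address mismatch, or no reply, counting the HARD_RESET packets in each direction so the distinction is mechanical rather than eyeballed. The sample logs are constructed abbreviations of the runs above, with the documentation addresses 203.0.113.10 and 2001:db8::10 standing in for the redacted public addresses; the regexes match the OpenVPN 2.5 message formats visible in those logs.

```python
"""Classify OpenVPN client logs into connected / peer_address_mismatch / no_reply.
Added example; the sample logs are constructed from the thread's output."""
import re

# Constructed sample 1: LAN client dialling the public IPv4 address; the reply
# comes back from the router's LAN address and the client rejects it.
LOG_LAN_TO_WAN_IP = """\
2023-05-02 10:57:39 us=542030 UDP link remote: [AF_INET]203.0.113.10:1914
2023-05-02 10:57:39 us=542134 UDP WRITE [54] to [AF_INET]203.0.113.10:1914: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=356 DATA len=40
2023-05-02 10:57:39 us=545157 UDP READ [66] from [AF_INET]192.168.1.1:1914: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=356 DATA len=52
2023-05-02 10:57:39 us=545196 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.1.1:1914[2], expected peer address: [AF_INET]203.0.113.10:1914 (allow this incoming source address/port by removing --remote or adding --float)
2023-05-02 10:57:41 us=551374 UDP WRITE [54] to [AF_INET]203.0.113.10:1914: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=612 DATA len=40
2023-05-02 10:57:41 us=553868 UDP READ [66] from [AF_INET]192.168.1.1:1914: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=612 DATA len=52
2023-05-02 10:57:41 us=553906 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.1.1:1914[2], expected peer address: [AF_INET]203.0.113.10:1914 (allow this incoming source address/port by removing --remote or adding --float)
"""

# Constructed sample 2: mobile-tethered client over IPv6; the handshake completes.
LOG_WAN_IPV6_OK = """\
2023-05-02 11:03:25 us=481845 UDP link remote: [AF_INET6]2001:db8::10:1914
2023-05-02 11:03:25 us=481917 UDP WRITE [54] to [AF_INET6]2001:db8::10:1914: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=356 DATA len=40
2023-05-02 11:03:25 us=504368 UDP READ [66] from [AF_INET6]2001:db8::10:1914: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=356 DATA len=52
2023-05-02 11:03:25 us=636555 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2023-05-02 11:03:25 us=664398 Initialization Sequence Completed
"""

# Constructed sample 3: udp4 over mobile; nothing ever comes back.
LOG_WAN_IPV4_SILENT = """\
2023-05-02 11:19:10 us=433633 UDPv4 link remote: [AF_INET]203.0.113.10:1914
2023-05-02 11:19:10 us=433675 UDPv4 WRITE [54] to [AF_INET]203.0.113.10:1914: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=356 DATA len=40
2023-05-02 11:19:12 us=518105 UDPv4 WRITE [54] to [AF_INET]203.0.113.10:1914: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=612 DATA len=40
2023-05-02 11:19:16 us=686624 UDPv4 WRITE [54] to [AF_INET]203.0.113.10:1914: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=868 DATA len=40
2023-05-02 11:20:10 us=920190 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2023-05-02 11:20:10 us=920234 TLS Error: TLS handshake failed
"""

RE_REMOTE = re.compile(r'link remote: \[(AF_INET6?)\](\S+)')
RE_CLIENT_RESET = re.compile(r'WRITE \[\d+\] to .*P_CONTROL_HARD_RESET_CLIENT_V2')
RE_SERVER_RESET = re.compile(r'READ \[\d+\] from .*P_CONTROL_HARD_RESET_SERVER_V2')
RE_REJECTED = re.compile(r'Incoming packet rejected from \[AF_INET6?\](?P<actual>\S+?)(?:\[\d+\])?, '
                         r'expected peer address: \[AF_INET6?\](?P<expected>\S+)')
RE_TIMEOUT = re.compile(r'TLS key negotiation failed to occur within (\d+) seconds')
RE_DONE = re.compile(r'Initialization Sequence Completed')


def classify(log_text):
    """Summarise one client log: outcome, address family, handshake packet counts."""
    sent = received = 0
    family = remote = None
    outcome, detail = 'unknown', 'no handshake markers found'
    for line in log_text.splitlines():
        m = RE_REMOTE.search(line)
        if m:
            family, remote = m.group(1), m.group(2)
        if RE_CLIENT_RESET.search(line):
            sent += 1          # client -> server hard reset (first handshake packet)
        elif RE_SERVER_RESET.search(line):
            received += 1      # server's hard reset reply seen by the client
        m = RE_REJECTED.search(line)
        if m and outcome == 'unknown':
            outcome = 'peer_address_mismatch'
            detail = (f"server answered from {m['actual']} but the client dialled "
                      f"{m['expected']}; the reply's source address does not match")
        m = RE_TIMEOUT.search(line)
        if m and outcome == 'unknown':
            outcome = 'no_reply'
            detail = f"{sent} client resets sent, {received} server replies within {m.group(1)}s"
        if RE_DONE.search(line):
            outcome, detail = 'connected', 'Initialization Sequence Completed'
    return {'outcome': outcome, 'family': family, 'remote': remote,
            'sent': sent, 'received': received, 'detail': detail}


def triage(logs):
    """Run classify() over several named logs and return {name: outcome}."""
    return {name: classify(text)['outcome'] for name, text in logs.items()}


if __name__ == '__main__':
    for name, text in [('lan_to_wan_ip', LOG_LAN_TO_WAN_IP),
                       ('wan_ipv6', LOG_WAN_IPV6_OK),
                       ('wan_ipv4_silent', LOG_WAN_IPV4_SILENT)]:
        r = classify(text)
        print(f"{name}: {r['outcome']} ({r['family']}, sent={r['sent']}, "
              f"received={r['received']}) - {r['detail']}")
```

The mismatch case is the LAN-client-to-public-address run: packets went out and replies came back, but from 192.168.1.1 rather than the address dialled, so the client discarded them. The log's own hint is `--float`, which makes the client accept authenticated packets from any source address; with tls-crypt in place that is a modest relaxation, but testing from outside the LAN, as egc recommends later in the thread, avoids the routing ambiguity altogether. The silent udp4 case is different in kind: zero replies, which points at the path to the server rather than at the server's answer.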

Do you think I should mark this solved?

I can connect from clients (both separate Windows and Ubuntu machines) to the OpenVPN server on OpenWRT router on WAN via 4g mobile tethered to machines. But only via IPv6.

I can connect from clients to the OpenVPN server going LAN to LAN using IPv4 and IPv6.

The main part was being able to VPN in on the WAN remotely, which I can now do by setting the Windows + Linux client configs to use IPv6.
So that's really great! Very happy chappy. Thank you for the suggestions of changes and places to look / check.

But should it not work via both IPv4 and IPv6?

As mentioned, I have a Windows OpenVPN server (2.5.4) with basically the same setup. It just uses IPv4 and is fine.

So it's just slightly niggly that I don't know why this is different. Are there things I could check?

Or should I just mark resolved?

Thanks again.

In your failed UDPv4 log, it looks as if the client was waiting for an answer from the server and never gets a reply. Can you check and post the server log file?

Is the client also OpenVPN 2.5.x?

I have seen some weird UDP4/UDP6 behaviour on OpenVPN 2.6.
If you also have a TCP port opened, consider testing TCP4.

Furthermore I only test from outside the network e.g. from cellular otherwise you might run into strange routing issues.


I checked the versions of OpenVPN. Server = 2.5.7, Client = 2.5.5. So I thought there could be something there, egc.

Then I was going to get the log data requested by andyboeh. This involved going into the client setup and removing the IPv6 Tun Link flag (because the last issue was not being able to use UDP4 over 4G cell/mobile).

So I got ready next to the log files, checked the contents and last-modified datetimes to make sure I only copied and pasted the correct parts in relation to the error.
Clicked connect and... the ***** thing connected :laughing:

The only change (that I'm aware of) was ticking and then unticking the IPv6 option in NetworkManager. :person_shrugging:

So, there we go. All is working! I can connect to the VPN via LAN to LAN WiFi, or by 4G cell/mobile to WAN, using IPv4 or IPv6.

Fingers crossed it survives a re-boot :slight_smile:

Thank you very much for the help / suggestions / changes!
