OpenVPN server - TLS key failed to occur within 60 secs

You cannot connect to your VPN while behind the router the VPN is running on... that's an entirely different VPN setup (gateway redirect).

192.168.1.1 is an IP address, which is contained within the 192.168.1.0/24 (or 192.168.1.0/26) subnet.

  • 192.168.1.0/24: 192.168.1.0 - 192.168.1.255 with a netmask of 255.255.255.0

  • 192.168.1.0/26: 192.168.1.0 - 192.168.1.63 with a netmask of 255.255.255.192

  • See Subnet Mask Cheat Sheet

Thanks for catching this as well, it's been corrected with the 192.168.1.0/24 LAN subnet reflected in both the firewall and server config.

Ideally, they should be in the order listed under [Firewall] Create Rules

No, as the client log will show an IP assigned, as well as the state "Connected,Success".

Client Log (Connect Successful)

Wed Feb 14 18:13:36 2018 us=368902 MANAGEMENT: >STATE:1518653616,ASSIGN_IP,,10.10.3.5,,,,
Wed Feb 14 18:13:41 2018 us=872302 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Wed Feb 14 18:13:41 2018 us=872302 MANAGEMENT: >STATE:1518653621,ADD_ROUTES,,,,,,
Wed Feb 14 18:13:41 2018 us=872302 C:\WINDOWS\system32\route.exe ADD 192.168.3.0 MASK 255.255.255.192 10.10.3.1
Wed Feb 14 18:13:41 2018 us=880308 Route addition via service succeeded
Wed Feb 14 18:13:41 2018 us=880308 Initialization Sequence Completed
Wed Feb 14 18:13:41 2018 us=880308 MANAGEMENT: >STATE:1518653621,CONNECTED,SUCCESS,10.10.3.5,<WAN IP>,<Port #>,,

I'm not sure where it is you're going wrong (see below), but that wiki does work as written, as I've tested it well over 5x when users have had issues to ensure there wasn't an error in the wiki.

A connection refused error is due to your firewall, or you're trying to connect to the wrong port.

Your new server config is missing option dev tun

  • dev tun specifies it's a tun, not tap, configuration

  • dev tun0 specifies the vpn interface is tun0

  • This is why your client log shows no output after
    TUN not specified

    Wed Feb 14 20:51:31 2018 MANAGEMENT: >STATE:1518663091,RESOLVE,,,,,,
    Wed Feb 14 20:51:31 2018 Data Channel MTU parms [ L:48124 D:48124 EF:124 EB:8156 ET:0 EL:3 ]
    Wed Feb 14 20:51:31 2018 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 48104,tun-mtu 48000,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
    Wed Feb 14 20:51:31 2018 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 48104,tun-mtu 48000,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
    Wed Feb 14 20:51:31 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]<WAN IP>:<Port>
    Wed Feb 14 20:51:31 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Wed Feb 14 20:51:31 2018 Attempting to establish TCP connection with [AF_INET]<WAN IP>:<Port> [nonblock]
    Wed Feb 14 20:51:31 2018 MANAGEMENT: >STATE:1518663091,TCP_CONNECT,,,,,,
    

    TUN specified

     Wed Feb 14 20:57:48 2018 us=475062 MANAGEMENT: >STATE:1518663468,RESOLVE,,,,,,
     Wed Feb 14 20:57:48 2018 us=475062 Data Channel MTU parms [ L:48124 D:48124 EF:124 EB:8156 ET:0 EL:3 ]
     Wed Feb 14 20:57:48 2018 us=475062 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 48104,tun-mtu 48000,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
     Wed Feb 14 20:57:48 2018 us=475062 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 48104,tun-mtu 48000,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
     Wed Feb 14 20:57:48 2018 us=475062 TCP/UDP: Preserving recently used remote address: [AF_INET]<WAN IP>:<Port>
     Wed Feb 14 20:57:48 2018 us=475062 Socket Buffers: R=[65536->65536] S=[65536->65536]
     Wed Feb 14 20:57:48 2018 us=475062 Attempting to establish TCP connection with [AF_INET]<WAN IP>:<Port> [nonblock]
     Wed Feb 14 20:57:48 2018 us=475062 MANAGEMENT: >STATE:1518663468,TCP_CONNECT,,,,,,
     Wed Feb 14 20:57:49 2018 us=475155 TCP connection established with [AF_INET]<WAN IP>:<Port>
     Wed Feb 14 20:57:49 2018 us=475155 TCP_CLIENT link local: (not bound)
     Wed Feb 14 20:57:49 2018 us=475155 TCP_CLIENT link remote: [AF_INET]<WAN IP>:<Port>
     Wed Feb 14 20:57:49 2018 us=475155 MANAGEMENT: >STATE:1518663469,WAIT,,,,,,
     Wed Feb 14 20:57:49 2018 us=490727 MANAGEMENT: >STATE:1518663469,AUTH,,,,,,
     Wed Feb 14 20:57:49 2018 us=490727 TLS: Initial packet from [AF_INET]<WAN IP>:<Port>, sid=5e956861 fff84884
     Wed Feb 14 20:57:49 2018 us=705315 VERIFY OK: depth=2, C=US, ST=US, L=Davinci, O=Sophos UTM, OU=Sophos, CN=Sophos UTM CA
     Wed Feb 14 20:57:49 2018 us=706322 VERIFY OK: depth=1, C=US, ST=US, L=Davinci, O=Sophos UTM, OU=LEDE, CN=WRT1900AC ICA
     Wed Feb 14 20:57:49 2018 us=707305 Validating certificate extended key usage
     Wed Feb 14 20:57:49 2018 us=707305 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
     Wed Feb 14 20:57:49 2018 us=707305 VERIFY EKU OK
     Wed Feb 14 20:57:49 2018 us=707305 VERIFY OK: depth=0, C=US, ST=US, L=Davinci, O=WRT1900AC, OU=LEDE, CN=WRT1900AC VPN (Admin)
     Wed Feb 14 20:57:49 2018 us=858311 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
     Wed Feb 14 20:57:49 2018 us=858311 [WRT1900AC VPN (Admin)] Peer Connection Initiated with [AF_INET]<WAN IP>:<Port>
     Wed Feb 14 20:57:50 2018 us=952107 MANAGEMENT: >STATE:1518663470,GET_CONFIG,,,,,,
     Wed Feb 14 20:57:50 2018 us=952107 SENT CONTROL [WRT1900AC VPN (Admin)]: 'PUSH_REQUEST' (status=1)
     Wed Feb 14 20:57:51 2018 us=30213 PUSH: Received control message: 'PUSH_REPLY,route 192.168.3.0 255.255.255.192,dhcp-option    DNS 192.168.3.1,dhcp-option    WINS 192.168.3.1,dhcp-option    DNS 208.67.222.222,dhcp-option    DNS 208.67.220.220,dhcp-option    NTP 129.6.15.30,sndbuf 393216,rcvbuf 393216,route-gateway 10.10.3.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.10.3.5 255.255.255.248,peer-id 0,cipher AES-256-GCM'
     Wed Feb 14 20:57:51 2018 us=30213 OPTIONS IMPORT: timers and/or timeouts modified
     Wed Feb 14 20:57:51 2018 us=30213 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
     Wed Feb 14 20:57:51 2018 us=30213 Socket Buffers: R=[65536->393216] S=[65536->393216]
     Wed Feb 14 20:57:51 2018 us=30213 OPTIONS IMPORT: --ifconfig/up options modified
     Wed Feb 14 20:57:51 2018 us=30213 OPTIONS IMPORT: route options modified
     Wed Feb 14 20:57:51 2018 us=30213 OPTIONS IMPORT: route-related options modified
     Wed Feb 14 20:57:51 2018 us=30213 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
     Wed Feb 14 20:57:51 2018 us=30213 OPTIONS IMPORT: peer-id set
     Wed Feb 14 20:57:51 2018 us=30213 OPTIONS IMPORT: adjusting link_mtu to 48127
     Wed Feb 14 20:57:51 2018 us=30213 OPTIONS IMPORT: data channel crypto options modified
     Wed Feb 14 20:57:51 2018 us=30213 Data Channel: using negotiated cipher 'AES-256-GCM'
     Wed Feb 14 20:57:51 2018 us=30213 Data Channel MTU parms [ L:48055 D:48055 EF:55 EB:8156 ET:0 EL:3 ]
     Wed Feb 14 20:57:51 2018 us=30213 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
     Wed Feb 14 20:57:51 2018 us=30213 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
     Wed Feb 14 20:57:51 2018 us=30213 interactive service msg_channel=796
     Wed Feb 14 20:57:51 2018 us=45803 ROUTE_GATEWAY 192.168.200.60/255.255.255.192 I=14 HWADDR=f0:1f:af:67:b4:66
     Wed Feb 14 20:57:51 2018 us=45803 open_tun
     Wed Feb 14 20:57:51 2018 us=45803 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{996D8184-1BA5-4C63-A4FD-8EC46CE6E5EC}.tap
     Wed Feb 14 20:57:51 2018 us=45803 TAP-Windows Driver Version 9.21 
     Wed Feb 14 20:57:51 2018 us=45803 TAP-Windows MTU=1500
     Wed Feb 14 20:57:51 2018 us=45803 Set TAP-Windows TUN subnet mode network/local/netmask = 10.10.3.0/10.10.3.5/255.255.255.248 [SUCCEEDED]
     Wed Feb 14 20:57:51 2018 us=45803 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.10.3.5/255.255.255.248 on interface {996D8184-1BA5-4C63-A4FD-8EC46CE6E5EC} [DHCP-serv: 10.10.3.6, lease-time: 31536000]
     Wed Feb 14 20:57:51 2018 us=45803 DHCP option string: 060cc0a8 0301d043 deded043 dcdc2c04 c0a80301 2a048106 0f1e
     Wed Feb 14 20:57:51 2018 us=61438 Successful ARP Flush on interface [13] {996D8184-1BA5-4C63-A4FD-8EC46CE6E5EC}
     Wed Feb 14 20:57:51 2018 us=77061 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
     Wed Feb 14 20:57:51 2018 us=77061 MANAGEMENT: >STATE:1518663471,ASSIGN_IP,,10.10.3.5,,,,
     Wed Feb 14 20:57:56 2018 us=450774 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
     Wed Feb 14 20:57:56 2018 us=450774 MANAGEMENT: >STATE:1518663476,ADD_ROUTES,,,,,,
     Wed Feb 14 20:57:56 2018 us=450774 C:\WINDOWS\system32\route.exe ADD 192.168.3.0 MASK 255.255.255.192 10.10.3.1
     Wed Feb 14 20:57:56 2018 us=450774 Route addition via service succeeded
     Wed Feb 14 20:57:56 2018 us=450774 Initialization Sequence Completed
     Wed Feb 14 20:57:56 2018 us=450774 MANAGEMENT: >STATE:1518663476,CONNECTED,SUCCESS,10.10.3.5,<WAN IP>,<Port>,192.168.2.15,58294
    
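The two logs above differ only in how far the client's MANAGEMENT >STATE lines get before they stop. The following is an added example, not code from the wiki or from OpenVPN, that parses those state lines and reports the last state reached together with the layer to inspect next; the three embedded logs are constructed, using documentation addresses (203.0.113.10, port 5000) in place of the redacted WAN IP and port.

```python
import re

# Connection states an OpenVPN client reports on MANAGEMENT >STATE lines, in the
# order they appear in the logs quoted in this thread (udp skips TCP_CONNECT).
STATE_ORDER = ["RESOLVE", "TCP_CONNECT", "WAIT", "AUTH", "GET_CONFIG",
               "ASSIGN_IP", "ADD_ROUTES", "CONNECTED"]

# Where the log stops points at the layer to check; these mirror the thread's
# own diagnoses (firewall/port/proto before WAIT, TLS material in AUTH, ...).
HINTS = {
    None: "no >STATE line at all: the client never started connecting (config not loaded?)",
    "RESOLVE": "remote hostname never resolved: check the DDNS name",
    "TCP_CONNECT": "TCP handshake never completed: router firewall, wrong port, or tcp/udp mismatch",
    "WAIT": "no reply to the first packet; over udp this is what 'TLS key negotiation failed "
            "to occur within 60 seconds' means: server not listening or firewall dropping",
    "AUTH": "TLS handshake started but never finished: check tls-auth key direction, CA chain, certs",
    "GET_CONFIG": "PUSH_REQUEST sent but no PUSH_REPLY received: check the server's push options",
    "ASSIGN_IP": "tunnel IP assigned but routes not added: check pushed routes / tun driver",
    "ADD_ROUTES": "routes added but CONNECTED never logged",
    "CONNECTED": "connected successfully",
}

STATE_RE = re.compile(r">STATE:(.*)$")
TLS_TIMEOUT = "TLS key negotiation failed to occur within"


def parse_states(log_text):
    """Return (epoch, state, description, tunnel_ip) for every >STATE line."""
    out = []
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if not m:
            continue
        # fields: epoch, state, description, tunnel IP, remote IP, remote port, ...
        f = m.group(1).strip().split(",")
        f += [""] * (4 - len(f))
        out.append((int(f[0]), f[1], f[2], f[3]))
    return out


def triage(log_text):
    """Summarise how far a client log got and what to look at next."""
    states = parse_states(log_text)
    furthest = None
    for _, state, _, _ in states:
        if state in STATE_ORDER and (
                furthest is None or STATE_ORDER.index(state) > STATE_ORDER.index(furthest)):
            furthest = state
    connected = any(s == "CONNECTED" and d == "SUCCESS" for _, s, d, _ in states)
    tunnel_ip = next((ip for _, s, _, ip in states if s == "ASSIGN_IP" and ip), "")
    return {
        "furthest": furthest,
        "connected": connected,
        "tunnel_ip": tunnel_ip,
        "elapsed_s": states[-1][0] - states[0][0] if states else 0,
        "tls_timeout": TLS_TIMEOUT in log_text,   # the error in this thread's title
        "hint": HINTS[furthest],
    }


# Constructed sample logs modelled on the ones quoted in this thread.
LOG_TCP_STALLED = """\
Wed Feb 14 20:51:31 2018 MANAGEMENT: >STATE:1518663091,RESOLVE,,,,,,
Wed Feb 14 20:51:31 2018 Attempting to establish TCP connection with [AF_INET]203.0.113.10:5000 [nonblock]
Wed Feb 14 20:51:31 2018 MANAGEMENT: >STATE:1518663091,TCP_CONNECT,,,,,,
Wed Feb 14 20:53:31 2018 TCP: connect to [AF_INET]203.0.113.10:5000 failed: Unknown error
"""

LOG_CONNECTED = """\
Wed Feb 14 20:57:48 2018 us=475062 MANAGEMENT: >STATE:1518663468,RESOLVE,,,,,,
Wed Feb 14 20:57:48 2018 us=475062 MANAGEMENT: >STATE:1518663468,TCP_CONNECT,,,,,,
Wed Feb 14 20:57:49 2018 us=475155 MANAGEMENT: >STATE:1518663469,WAIT,,,,,,
Wed Feb 14 20:57:49 2018 us=490727 MANAGEMENT: >STATE:1518663469,AUTH,,,,,,
Wed Feb 14 20:57:50 2018 us=952107 MANAGEMENT: >STATE:1518663470,GET_CONFIG,,,,,,
Wed Feb 14 20:57:51 2018 us=77061 MANAGEMENT: >STATE:1518663471,ASSIGN_IP,,10.10.3.5,,,,
Wed Feb 14 20:57:56 2018 us=450774 MANAGEMENT: >STATE:1518663476,ADD_ROUTES,,,,,,
Wed Feb 14 20:57:56 2018 us=450774 Initialization Sequence Completed
Wed Feb 14 20:57:56 2018 us=450774 MANAGEMENT: >STATE:1518663476,CONNECTED,SUCCESS,10.10.3.5,203.0.113.10,5000,192.168.2.15,58294
"""

LOG_UDP_TIMEOUT = """\
Sun Feb 18 09:10:00 2018 MANAGEMENT: >STATE:1518700000,RESOLVE,,,,,,
Sun Feb 18 09:10:00 2018 MANAGEMENT: >STATE:1518700000,WAIT,,,,,,
Sun Feb 18 09:11:00 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Feb 18 09:11:00 2018 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    for name, log in [("tcp stalled", LOG_TCP_STALLED), ("connected", LOG_CONNECTED),
                      ("udp timeout", LOG_UDP_TIMEOUT)]:
        r = triage(log)
        print(f"{name:12s} furthest={r['furthest']!s:12s} {r['hint']}")
```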

@remenakb1 -- you cannot connect via UDP when your server is configured for option proto 'tcp'. It is one or the other. You can run 2 instances of the server, if you want. But any given instance will have defined a port and a protocol (tcp or udp).

They're using tcp currently for troubleshooting.

First of all, thank you for sticking with me and helping me through this. I am learning and making progress. I trust that your wiki works and my problem is definitely something I did wrong. But debugging and struggling is how I learn.

Great catch on the dev tun option missing!

I went through all my setup files and checked for any inconsistencies. I have found some anomalies in the firewall. I am specifying some zones and forwarding configurations twice (not sure how, probably in the heat of debugging I copy pasted something wrong). I am going to clean up my firewall and see if this makes things work.

If I wanted to look at my server for logs to see why it would refuse the connection do I follow the steps you listed in the firewall logging tab item 3? Hopefully I won't need to after cleaning up the firewall.

I switched my server to udp and restarted it when I tried the UDP connection with my iphone.

Yes, but that will simply log traffic going to the VPN port, and provided your firewall rules mirror those in the wiki, there should be no issue.

There is a simpler way to configure the rules for the VPN, which you may want to utilize, as, when I overhaul the wiki to put it in line with the new wiki guidelines, I'll be changing those rules to the ones below:

  • /etc/config/firewall
     # OpenVPN: Admin #
     #---------------------------------------------------
     config rule
         option  target          'ACCEPT'
         option  family          'ipv4'
         option  proto           'tcp udp'
         option  src             *
         option  dest_port       5000
         option  name            'Allow Forwarded OpenVPN Request -> <device>'
    
     config rule
         option  target          'ACCEPT'
         option  family          'ipv4'
         option  proto           'tcp udp'
         option  src             'vpn'
         option  src_ip          '10.1.0.0/28'
         option  dest_ip         '192.168.1.0/24'
         option  name            'Allow OpenVPN -> LAN'
    
     config rule
         option  target          'ACCEPT'
         option  family          'ipv4'
         option  proto           'tcp udp'
         option  src             'vpn'
         option  dest            *
         option  name            'Allow Forwarded OpenVPN -> <device>'
    
     config rule
         option  target          'ACCEPT'
         option  family          'ipv4'
         option  proto           'icmp'
         option  src             'vpn'
         option  src_ip          '10.1.0.0/28'
         option  dest            'lan'
         option  name            'Allow OpenVPN (ICMP) -> LAN'
    
     config rule
         option  target          'ACCEPT'
         option  family          'ipv4'
         option  proto           'icmp'
         list    icmp_type       'echo-request'
         option  src             'vpn'
         option  src_ip          '10.1.0.0/28'
         option  dest            'wan'
         option  name            'Allow OpenVPN (echo-request) -> WAN'
    
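Earlier in the thread the LAN subnet (192.168.1.0/24 vs /26) had to be made to agree between the firewall and the server config, and these rules also have to agree with the server's pool, port and proto. The following is an added example, not the wiki's or OpenWrt's code: a minimal UCI parser plus a check that the firewall rules match the openvpn section (netmask form converted to CIDR with the ipaddress module). The two config fragments are constructed, with port 5000 standing in for the redacted port.

```python
import ipaddress
import shlex


def parse_uci(text):
    """Minimal OpenWrt UCI reader: list of {'type', 'name', 'options', 'lists'}."""
    sections = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)   # handles quotes and '#' comments
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({"type": parts[1], "name": parts[2] if len(parts) > 2 else "",
                             "options": {}, "lists": {}})
        elif parts[0] == "option" and sections:     # later duplicate keys win, as in UCI
            sections[-1]["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and sections:
            sections[-1]["lists"].setdefault(parts[1], []).append(parts[2])
    return sections


def net_from_pair(value):
    """'10.1.0.0 255.255.255.240' or '10.1.0.0/28' -> IPv4Network 10.1.0.0/28."""
    parts = value.split()
    spec = f"{parts[0]}/{parts[1]}" if len(parts) == 2 else parts[0]
    return ipaddress.ip_network(spec, strict=False)


def check_consistency(openvpn_cfg, firewall_cfg):
    """Return a list of findings; empty when firewall and server config agree."""
    findings = []
    srv = next(s for s in parse_uci(openvpn_cfg) if s["type"] == "openvpn")
    pool = net_from_pair(srv["options"]["server"])
    port, proto = srv["options"].get("port", ""), srv["options"].get("proto", "")
    pushes = srv["lists"].get("push", [])
    routes = [net_from_pair(p.split(None, 1)[1]) for p in pushes if p.startswith("route ")]
    # A pushed private DNS server the client has no route to is unreachable.
    for p in pushes:
        if p.startswith("dhcp-option") and " DNS " in p:
            ip = ipaddress.ip_address(p.split()[-1])
            if ip.is_private and not any(ip in r for r in routes):
                findings.append(f"pushed DNS {ip} is not inside any pushed route")
    for rule in (s for s in parse_uci(firewall_cfg) if s["type"] == "rule"):
        o, name = rule["options"], rule["options"].get("name", "?")
        if "src_ip" in o and net_from_pair(o["src_ip"]) != pool:
            findings.append(f"{name}: src_ip {o['src_ip']} != server pool {pool}")
        if "dest_ip" in o and net_from_pair(o["dest_ip"]) not in routes:
            findings.append(f"{name}: dest_ip {o['dest_ip']} is not a pushed route")
        if "dest_port" in o:
            if o["dest_port"] != port:
                findings.append(f"{name}: dest_port {o['dest_port']} != server port {port}")
            if proto and proto not in o.get("proto", "").split():
                findings.append(f"{name}: proto '{o.get('proto')}' does not allow '{proto}'")
    return findings


# Constructed fragments modelled on the configs in this thread.
SERVER_CFG = """\
config openvpn 'VPNserver'
    option  enabled     1
    option  dev         'tun0'
    option  proto       'tcp'
    option  port        5000
    option  server      '10.1.0.0 255.255.255.240'
    list    push        'route 192.168.1.0 255.255.255.0'
    list    push        'dhcp-option    DNS 192.168.1.1'
    list    push        'dhcp-option    DNS 208.67.222.123'
"""

FIREWALL_OK = """\
# OpenVPN: Admin #
config rule
    option  target      'ACCEPT'
    option  proto       'tcp udp'
    option  src         *
    option  dest_port   5000
    option  name        'Allow Forwarded OpenVPN Request -> <device>'

config rule
    option  target      'ACCEPT'
    option  proto       'tcp udp'
    option  src         'vpn'
    option  src_ip      '10.1.0.0/28'
    option  dest_ip     '192.168.1.0/24'
    option  name        'Allow OpenVPN -> LAN'
"""

# Same rules with three mistakes: udp-only input rule, wrong port, /26 LAN subnet.
FIREWALL_BAD = (FIREWALL_OK.replace("'tcp udp'", "'udp'", 1)
                .replace("5000", "1194").replace("192.168.1.0/24", "192.168.1.0/26"))

if __name__ == "__main__":
    print("ok  :", check_consistency(SERVER_CFG, FIREWALL_OK))
    print("bad :", *check_consistency(SERVER_CFG, FIREWALL_BAD), sep="\n  ")
```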

Thank you for the updated firewall rules.

I now have everything matching the wiki and I still cannot connect to the vpn server. Maybe I need to restore defaults on my device and start over. I did initially start with the guide here and then started over with your wiki, so maybe something was left over from that causing an issue.

I have a quick question. I am going through the wiki trying to understand things better than the first time and I am looking at the openssl.cnf file. One thing that I cannot figure out is what the IP.1 address for the Certificate Authority Client is. In the sample file it has it as:

[ alt_sophos ]
    IP.1                = 192.168.2.1
    IP.2                = 127.0.0.1
    DNS.1               = UTM.LEDE
    DNS.2               = your.ddns.com

Since the wiki doesn't say to modify this I assume I just leave it as is, but I keep wondering if that IP should match my router IP? I don't understand what this IP means, and have not been able to find anything with google searches or looking at openssl (probably looking in the wrong spot).

I also have the same question for the Intermediate Certificate Authority Clients.

[ alt_lede ]
    IP.1                = 192.168.2.2
    IP.2                = 127.0.0.1
    DNS.1               = LAN.LEDE

Are they just an alternate IP that the CA/ICA client could be on, and if it isn't found there it goes to IP.2, the local host (127.0.0.1)?

  • IP.1 Should match the IP of the server it's being created for.

  • IP.2 Should be the loopback IP [127.0.0.1] if the server it's being created for has a WebUI, as this prevents browsers from barfing a certificate error when tunneling through SSH
    • For example, any SSH session can be utilized to tunnel a connection to the WebAdmin (or any device for that matter).
      1. Doing so via PuTTY: Connection => SSH => Tunnels
        • Source port: 5000
          • This can be any arbitrary port
        • Destination: 192.168.1.1:443
          • IP address of WebUI, followed by port #
      2. Once connected via SSH, navigate to https://127.0.0.1:5000 which will load LuCI

  • DNS.1 should match the router's hostname.localdomain
    • I believe the default hostname.localdomain is openwrt.lan (hostname may be wrong, but the default local domain is lan)
      • Hostname is garnered from /etc/config/system
      • Local Domain is garnered from /etc/config/dhcp

Certain OSes/servers require the CA and/or ICA to also have the loopback IP specified in their SAN (Sophos UTM / Sophos XG is one such OS), which is why it's in the SANs of the CA and ICA.

Thank you for the information about what those mean.

I cleaned my router and started over a few times now. I tried the simple VPN server guide and JW's guide. I can't get either one to work. When trying to connect with my phone, on TCP I get a connection refused, and over UDP I get server poll timeout (using either guide).

I have learned a lot going through this, but I don't know how to diagnose things any farther. I just wanted to update this thread. If anyone has any other ideas or things to try or ways to debug let me know.

Thanks for all the help.

Please perform the steps under Troubleshooting.

Server log:

Sun Feb 18 09:04:40 2018 us=931188 OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Feb 18 09:04:40 2018 us=931404 library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.10
Sun Feb 18 09:04:40 2018 us=934025 Diffie-Hellman initialized with 2048 bit key
Sun Feb 18 09:04:40 2018 us=934538 No valid translation found for TLS cipher '!aNULL'
Sun Feb 18 09:04:40 2018 us=934856 No valid translation found for TLS cipher '!eNULL'
Sun Feb 18 09:04:40 2018 us=935225 No valid translation found for TLS cipher '!3DES'
Sun Feb 18 09:04:40 2018 us=935633 No valid translation found for TLS cipher '!MD5'
Sun Feb 18 09:04:40 2018 us=935942 No valid translation found for TLS cipher '!SHA'
Sun Feb 18 09:04:40 2018 us=936681 No valid translation found for TLS cipher '!PSK'
Sun Feb 18 09:04:40 2018 us=937277 No valid translation found for TLS cipher '!DSS'
Sun Feb 18 09:04:40 2018 us=937603 No valid translation found for TLS cipher '!RC4'
Sun Feb 18 09:04:41 2018 us=65790 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Feb 18 09:04:41 2018 us=66222 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Feb 18 09:04:41 2018 us=66689 TLS-Auth MTU parms [ L:48124 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Sun Feb 18 09:04:41 2018 us=89526 TUN/TAP device tun0 opened
Sun Feb 18 09:04:41 2018 us=89816 TUN/TAP TX queue length set to 100
Sun Feb 18 09:04:41 2018 us=90075 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Feb 18 09:04:41 2018 us=90406 /sbin/ifconfig tun0 10.1.0.1 netmask 255.255.255.240 mtu 48000 broadcast 10.1.0.15
Sun Feb 18 09:04:41 2018 us=112067 Data Channel MTU parms [ L:48124 D:48124 EF:124 EB:8156 ET:0 EL:3 ]
Sun Feb 18 09:04:41 2018 us=113785 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Feb 18 09:04:41 2018 us=114062 Socket Buffers: R=[87380->327680] S=[16384->327680]
Sun Feb 18 09:04:41 2018 us=114329 Listening for incoming TCP connection on [AF_INET][undef]:xxxx
Sun Feb 18 09:04:41 2018 us=114608 TCPv4_SERVER link local (bound): [AF_INET][undef]:xxxx
Sun Feb 18 09:04:41 2018 us=114835 TCPv4_SERVER link remote: [AF_UNSPEC]
Sun Feb 18 09:04:41 2018 us=115074 GID set to nogroup
Sun Feb 18 09:04:41 2018 us=115321 UID set to nobody
Sun Feb 18 09:04:41 2018 us=115559 MULTI: multi_init called, r=256 v=256
Sun Feb 18 09:04:41 2018 us=115876 IFCONFIG POOL: base=10.1.0.2 size=12, ipv6=0
Sun Feb 18 09:04:41 2018 us=116263 MULTI: TCP INIT maxclients=1024 maxevents=1028
Sun Feb 18 09:04:41 2018 us=135225 Initialization Sequence Completed

client log - screenshot from my phone


Client config:

# Config Type #
#------------------------------------------------
client
 
# Connection  #
#------------------------------------------------
dev tun
proto tcp
remote myddns.org xxxx
 
# Speed #
#------------------------------------------------
mssfix 0
#fragment 0
tun-mtu 48000
 
# Reliability #
#------------------------------------------------
float
nobind
comp-lzo
 
persist-key
persist-tun
resolv-retry infinite
 
# Encryption #
#------------------------------------------------
auth SHA512
auth-nocache
 
# --- SSL --- #
cipher AES-256-CBC

<ca>
-----BEGIN CERTIFICATE-----
contents from OpenWrt-OpenVPN_ICA-Chain.crt.pem
-----END CERTIFICATE-----

</ca>
 
<cert>
-----BEGIN CERTIFICATE-----
contents from vpn-client2-bradiphone-VPN-bradiphone.crt.pem
-----END CERTIFICATE-----
</cert>
 
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
contents from vpn-client2-bradiphone-VPN-bradiphone-Hostname.key.pem
-----END ENCRYPTED PRIVATE KEY-----
</key>

 
# --- TLS --- #
key-direction 1
tls-version-min 1.2
 
#pkcs12 vpn-client3.p12
remote-cert-eku "TLS Web Server Authentication"
 
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
content from tls-auth.key
-----END OpenVPN Static key V1-----
</tls-auth>
 
# Logging #
#------------------------------------------------
verb 7

Server config:

config openvpn 'VPNserver'
    option  enabled             1
 
    # Protocol #
#------------------------------------------------
    option  dev                 'tun'
    option  dev                 'tun0'
    option  topology            'subnet'
    option  proto               'tcp'
    option  port                xxxx
 
    # Routes # 
#------------------------------------------------
    option  server              '10.1.0.0 255.255.255.240'
    option  ifconfig            '10.1.0.1 255.255.255.240'        
 
    # Client Config # 
#------------------------------------------------
    #   option  ccd_exclusive           1
    #   option  ifconfig_pool_persist   '/etc/openvpn/clients/ipp.txt'
    #   option  client_config_dir       '/etc/openvpn/clients/'
 
    # Pushed Routes # 
#------------------------------------------------
    list    push                'route 192.168.1.0 255.255.255.0'
    list    push                'dhcp-option    DNS 192.168.1.1'
    list    push                'dhcp-option    WINS 192.168.1.1'
    list    push                'dhcp-option    DNS 208.67.222.123'
    list    push                'dhcp-option    DNS 208.67.220.123'
    list    push                'dhcp-option    NTP 129.6.15.30'
 
    # Encryption # 
#------------------------------------------------
    # Diffie-Hellman:
    option  dh                  '/etc/ssl/openvpn/dh2048.pem'
 
    # PKCS12:
    option  pkcs12              '/etc/ssl/openvpn/vpn-server.p12'
 
    # SSL:
    option  cipher              AES-256-CBC
    option  auth                'SHA512'
    option  tls_auth            '/etc/ssl/openvpn/tls-auth.key 0'
 
    # TLS:
    option  tls_server          1
    option  tls_version_min     1.2
    option  tls_cipher          'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'
 
    # Logging # 
#------------------------------------------------
    option  log                 '/tmp/openvpn.log'
    option  status              '/tmp/openvpn-status.log'
    option  verb                5
 
    # Connection Options # 
#------------------------------------------------
    option  keepalive           '10 120'
    option  comp_lzo            'yes'
 
    # Connection Reliability # 
#------------------------------------------------
    option  client_to_client    1
    option  persist_key         1
    option  persist_tun         1
 
    # Connection Speed # 
#------------------------------------------------
    option  sndbuf              393216
    option  rcvbuf              393216
    option  fragment            0
    option  mssfix              0
    option  tun_mtu             48000
 
    # Pushed Buffers # 
#------------------------------------------------
    list    push                'sndbuf 393216'
    list    push                'rcvbuf 393216'
 
    # Permissions # 
#------------------------------------------------
    option  user                'nobody'
    option  group               'nogroup'
 
 
    # chroot #
#------------------------------------------------
    # chroot should be utilized in case the VPN is ever exploited; however, most commercial
    # routers don't have internal flash storage large enough to support it.  An OpenVPN 
    # chroot would be ~11MB in size.
 
        # Modify if chroot is configured #
    #--------------------------------------------
        # option  ccd_exclusive             1
        # option  ifconfig_pool_persist     /var/chroot-openvpn/etc/openvpn/clients/ipp.txt
        # option  client_config_dir         /var/chroot-openvpn/etc/openvpn/clients
 
        # option  cipher                    AES-256-CBC
        # option  dh                        /var/chroot-openvpn/etc/ssl/openvpn/dh2048.pem
        # option  pkcs12                    /var/chroot-openvpn/etc/ssl/openvpn/vpn-server.p12
        # option  tls_auth                  '/var/chroot-openvpn/etc/ssl/openvpn/tls-auth.key 0'

The client log in its entirety is needed, and it has to be with a minimum verbosity of 7.

  • If utilizing Android, download OpenVPN for Android
    • You can either change the verbosity directly in the client.ovpn; OR: in the log section of the app, select the arrow formed by three descending lines, then slide the slider all the way to the right.
    • Once connection fails, email the log to yourself via the share button, then edit the log to remove your WAN IP, DDNS, and port #.

If utilizing an iPhone:

  • Change the verbosity in the client.ovpn to 7, then reimport the config. Once connection fails, either email the log to yourself (similar to the above), select all text, then paste into a text editor (if possible), or you'll need to add the log option to your client config
    • I believe it should be the same as in the server config, just without OpenWrt's prefacing option.
      • Add: log /path/to/user/storage/ovpn.log

Up the verbosity level to 9, then see if more info than this is provided:

TCP: connect to [AF_INET]x.x.x.x:XXXX failed: Unknown error

My guess is it's a firewall issue on your router... please post the relevant VPN rules from /etc/config/firewall

Are you attempting to connect to your router's VPN while behind the router? If so, you cannot connect this way.

  • Before going forward, disconnect the client, remove the line break within the inline CA xml
    <ca>
    -----BEGIN CERTIFICATE-----
    text contents of OpenWrt-OpenVPN_ICA-Chain.crt.pem
    -----END CERTIFICATE-----
    </ca>
    

Outside of that, you can try changing the server's verbosity to 7, however it's not likely to show anything beyond Initialization Sequence Completed since it appears you're not even making it past the firewall.

  • If my supposition is correct:
    1. Please add the rules under Create Rules => Logging tab to /etc/firewall.user
    2. cd /etc/init.d && ./firewall restart ; ./openvpn restart && logread -f
    3. Disconnect, then connect, the VPN client (it must be disconnected, not reconnected)

Your configs are what they should be, and beyond minor cosmetic differences, match a known working OpenVPN server - client setup (minus the incorrect line break within the ca inline xml); there's nothing incorrect there.

  • At this point, you'll need to narrow it down to the least common denominator... remove all non-essentials from configs:

    config openvpn 'VPNserver'
        option  enabled             1
    
        option  dev                 'tun'
        option  dev                 'tun0'
        option  topology            'subnet'
        option  proto               'tcp'
        option  port                xxxx
    
        option  server              '10.1.0.0 255.255.255.240'
        option  ifconfig            '10.1.0.1 255.255.255.240'        
    
        list    push                'route 192.168.1.0 255.255.255.0'
        list    push                'dhcp-option    DNS 192.168.1.1'
    
        option  dh                  '/etc/ssl/openvpn/dh2048.pem'
    
        option  pkcs12              '/etc/ssl/openvpn/vpn-server.p12'
    
        option  cipher              AES-256-CBC
        option  auth                'SHA256'
        option  tls_auth            '/etc/ssl/openvpn/tls-auth.key 0'
    
        option  tls_server          1
    
        option  log                 '/tmp/openvpn.log'
        option  status              '/tmp/openvpn-status.log'
        option  verb                7
    
        option  keepalive           '10 120'
        option  comp_lzo            'yes'
    
        option  client_to_client    1
        option  persist_key         1
        option  persist_tun         1
    
        option  user                'nobody'
        option  group               'nogroup'
    

    client
    
    dev tun
    proto tcp
    remote myddns.org xxxx
    
    float
    nobind
    comp-lzo
    
    persist-key
    persist-tun
    resolv-retry infinite
    
    auth SHA256
    auth-nocache
    
    key-direction 1
    cipher AES-256-CBC
    remote-cert-eku "TLS Web Server Authentication"
    
    <ca>
    -----BEGIN CERTIFICATE-----
    text contents of OpenWrt-OpenVPN_ICA-Chain.crt.pem
    -----END CERTIFICATE-----
    </ca>
    
    <cert>
    -----BEGIN CERTIFICATE-----
    text contents of vpn-client2-bradiphone-VPN-bradiphone.crt.pem
    -----END CERTIFICATE-----
    </cert>
    
    <key>
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    text contents of vpn-client2-bradiphone-VPN-bradiphone-Hostname.key.pem
    -----END ENCRYPTED PRIVATE KEY-----
    </key>
    
    <tls-auth>
    -----BEGIN OpenVPN Static key V1-----
    text contents of tls-auth.key
    -----END OpenVPN Static key V1-----
    </tls-auth>
    
    verb 7
    

I wish I had better news, but things are still not working. Doesn't make sense because I am not doing anything odd or trying anything different than a normal VPN connection.

No, I either try on my cell phone cellular network with wifi disabled, or on my network at work.

Removing the extra line break did not change anything.

I added the rules to firewall.user. Is there something I should be looking for in the output of that? I didn't see anything happening when I tried to connect from my phone. (I couldn't watch for activity while attempting to connect from my work network). Should I see tcp connection attempts or blocked attempts to my VPN with this? Or in the system or kernel log?

I did also change my configs to what you posted and I am not seeing any different behavior. Seems like something should be different or be able to see some activity.

Could my ISP be blocking this somehow?

Here is the log of my connection attempt with all the new (removed) settings from my work network:

Thu Feb 22 10:41:20 2018 us=139398 Current Parameter Settings:
Thu Feb 22 10:41:20 2018 us=140899   config = 'VPNTCPiPhone.ovpn'
Thu Feb 22 10:41:20 2018 us=140899   mode = 0
Thu Feb 22 10:41:20 2018 us=140899   show_ciphers = DISABLED
Thu Feb 22 10:41:20 2018 us=140899   show_digests = DISABLED
Thu Feb 22 10:41:20 2018 us=140899   show_engines = DISABLED
Thu Feb 22 10:41:20 2018 us=140899   genkey = DISABLED
Thu Feb 22 10:41:20 2018 us=140899   key_pass_file = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=140899   show_tls_ciphers = DISABLED
Thu Feb 22 10:41:20 2018 us=140899   connect_retry_max = 0
Thu Feb 22 10:41:20 2018 us=140899 Connection profiles [0]:
Thu Feb 22 10:41:20 2018 us=140899   proto = tcp-client
Thu Feb 22 10:41:20 2018 us=140899   local = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=140899   local_port = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=140899   remote = 'x.x.x.x'
Thu Feb 22 10:41:20 2018 us=140899   remote_port = 'XXXX'
Thu Feb 22 10:41:20 2018 us=140899   remote_float = ENABLED
Thu Feb 22 10:41:20 2018 us=140899   bind_defined = DISABLED
Thu Feb 22 10:41:20 2018 us=140899   bind_local = DISABLED
Thu Feb 22 10:41:20 2018 us=141400   bind_ipv6_only = DISABLED
Thu Feb 22 10:41:20 2018 us=141400   connect_retry_seconds = 5
Thu Feb 22 10:41:20 2018 us=141400   connect_timeout = 120
Thu Feb 22 10:41:20 2018 us=141400   socks_proxy_server = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=141400   socks_proxy_port = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=141400   tun_mtu = 1500
Thu Feb 22 10:41:20 2018 us=141400   tun_mtu_defined = ENABLED
Thu Feb 22 10:41:20 2018 us=141400   link_mtu = 1500
Thu Feb 22 10:41:20 2018 us=141400   link_mtu_defined = DISABLED
Thu Feb 22 10:41:20 2018 us=141400   tun_mtu_extra = 0
Thu Feb 22 10:41:20 2018 us=141400   tun_mtu_extra_defined = DISABLED
Thu Feb 22 10:41:20 2018 us=141400   mtu_discover_type = -1
Thu Feb 22 10:41:20 2018 us=141400   fragment = 0
Thu Feb 22 10:41:20 2018 us=141400   mssfix = 1450
Thu Feb 22 10:41:20 2018 us=141400   explicit_exit_notification = 0
Thu Feb 22 10:41:20 2018 us=141400 Connection profiles END
Thu Feb 22 10:41:20 2018 us=141400   remote_random = DISABLED
Thu Feb 22 10:41:20 2018 us=141400   ipchange = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=141400   dev = 'tun'
Thu Feb 22 10:41:20 2018 us=141400   dev_type = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=141400   dev_node = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=141400   lladdr = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=141400   topology = 1
Thu Feb 22 10:41:20 2018 us=141400   ifconfig_local = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=141400   ifconfig_remote_netmask = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=141400   ifconfig_noexec = DISABLED
Thu Feb 22 10:41:20 2018 us=141400   ifconfig_nowarn = DISABLED
Thu Feb 22 10:41:20 2018 us=141400   ifconfig_ipv6_local = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=141400   ifconfig_ipv6_netbits = 0
Thu Feb 22 10:41:20 2018 us=141400   ifconfig_ipv6_remote = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=141400   shaper = 0
Thu Feb 22 10:41:20 2018 us=141400   mtu_test = 0
Thu Feb 22 10:41:20 2018 us=141400   mlock = DISABLED
Thu Feb 22 10:41:20 2018 us=141906   keepalive_ping = 0
Thu Feb 22 10:41:20 2018 us=141906   keepalive_timeout = 0
Thu Feb 22 10:41:20 2018 us=141906   inactivity_timeout = 0
Thu Feb 22 10:41:20 2018 us=141906   ping_send_timeout = 0
Thu Feb 22 10:41:20 2018 us=141906   ping_rec_timeout = 0
Thu Feb 22 10:41:20 2018 us=141906   ping_rec_timeout_action = 0
Thu Feb 22 10:41:20 2018 us=141906   ping_timer_remote = DISABLED
Thu Feb 22 10:41:20 2018 us=141906   remap_sigusr1 = 0
Thu Feb 22 10:41:20 2018 us=141906   persist_tun = ENABLED
Thu Feb 22 10:41:20 2018 us=141906   persist_local_ip = DISABLED
Thu Feb 22 10:41:20 2018 us=141906   persist_remote_ip = DISABLED
Thu Feb 22 10:41:20 2018 us=141906   persist_key = ENABLED
Thu Feb 22 10:41:20 2018 us=141906   passtos = DISABLED
Thu Feb 22 10:41:20 2018 us=141906   resolve_retry_seconds = 1000000000
Thu Feb 22 10:41:20 2018 us=141906   resolve_in_advance = DISABLED
Thu Feb 22 10:41:20 2018 us=141906   username = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=141906   groupname = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=141906   chroot_dir = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=141906   cd_dir = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=141906   writepid = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=141906   up_script = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=141906   down_script = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=141906   down_pre = DISABLED
Thu Feb 22 10:41:20 2018 us=141906   up_restart = DISABLED
Thu Feb 22 10:41:20 2018 us=141906   up_delay = DISABLED
Thu Feb 22 10:41:20 2018 us=141906   daemon = DISABLED
Thu Feb 22 10:41:20 2018 us=141906   inetd = 0
Thu Feb 22 10:41:20 2018 us=141906   log = ENABLED
Thu Feb 22 10:41:20 2018 us=141906   suppress_timestamps = DISABLED
Thu Feb 22 10:41:20 2018 us=141906   machine_readable_output = DISABLED
Thu Feb 22 10:41:20 2018 us=141906   nice = 0
Thu Feb 22 10:41:20 2018 us=141906   verbosity = 7
Thu Feb 22 10:41:20 2018 us=141906   mute = 0
Thu Feb 22 10:41:20 2018 us=142400   gremlin = 0
Thu Feb 22 10:41:20 2018 us=142400   status_file = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=142400   status_file_version = 1
Thu Feb 22 10:41:20 2018 us=142400   status_file_update_freq = 60
Thu Feb 22 10:41:20 2018 us=142400   occ = ENABLED
Thu Feb 22 10:41:20 2018 us=142400   rcvbuf = 0
Thu Feb 22 10:41:20 2018 us=142400   sndbuf = 0
Thu Feb 22 10:41:20 2018 us=142400   sockflags = 0
Thu Feb 22 10:41:20 2018 us=142400   fast_io = DISABLED
Thu Feb 22 10:41:20 2018 us=142400   comp.alg = 2
Thu Feb 22 10:41:20 2018 us=142400   comp.flags = 1
Thu Feb 22 10:41:20 2018 us=142400   route_script = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=142400   route_default_gateway = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=142400   route_default_metric = 0
Thu Feb 22 10:41:20 2018 us=142400   route_noexec = DISABLED
Thu Feb 22 10:41:20 2018 us=142400   route_delay = 5
Thu Feb 22 10:41:20 2018 us=142400   route_delay_window = 30
Thu Feb 22 10:41:20 2018 us=142400   route_delay_defined = ENABLED
Thu Feb 22 10:41:20 2018 us=142400   route_nopull = DISABLED
Thu Feb 22 10:41:20 2018 us=142400   route_gateway_via_dhcp = DISABLED
Thu Feb 22 10:41:20 2018 us=142400   allow_pull_fqdn = DISABLED
Thu Feb 22 10:41:20 2018 us=142400   management_addr = '127.0.0.1'
Thu Feb 22 10:41:20 2018 us=142400   management_port = '25342'
Thu Feb 22 10:41:20 2018 us=142400   management_user_pass = 'stdin'
Thu Feb 22 10:41:20 2018 us=142400   management_log_history_cache = 250
Thu Feb 22 10:41:20 2018 us=142400   management_echo_buffer_size = 100
Thu Feb 22 10:41:20 2018 us=142400   management_write_peer_info_file = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=142400   management_client_user = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=142900   management_client_group = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=142900   management_flags = 6
Thu Feb 22 10:41:20 2018 us=142900   shared_secret_file = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=142900   key_direction = 2
Thu Feb 22 10:41:20 2018 us=142900   ciphername = 'AES-256-CBC'
Thu Feb 22 10:41:20 2018 us=142900   ncp_enabled = ENABLED
Thu Feb 22 10:41:20 2018 us=142900   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Thu Feb 22 10:41:20 2018 us=142900   authname = 'SHA256'
Thu Feb 22 10:41:20 2018 us=142900   prng_hash = 'SHA1'
Thu Feb 22 10:41:20 2018 us=142900   prng_nonce_secret_len = 16
Thu Feb 22 10:41:20 2018 us=142900   keysize = 0
Thu Feb 22 10:41:20 2018 us=142900   engine = DISABLED
Thu Feb 22 10:41:20 2018 us=142900   replay = ENABLED
Thu Feb 22 10:41:20 2018 us=142900   mute_replay_warnings = DISABLED
Thu Feb 22 10:41:20 2018 us=142900   replay_window = 64
Thu Feb 22 10:41:20 2018 us=142900   replay_time = 15
Thu Feb 22 10:41:20 2018 us=142900   packet_id_file = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=142900   use_iv = ENABLED
Thu Feb 22 10:41:20 2018 us=142900   test_crypto = DISABLED
Thu Feb 22 10:41:20 2018 us=142900   tls_server = DISABLED
Thu Feb 22 10:41:20 2018 us=142900   tls_client = ENABLED
Thu Feb 22 10:41:20 2018 us=142900   key_method = 2
Thu Feb 22 10:41:20 2018 us=142900   ca_file = '[[INLINE]]'
Thu Feb 22 10:41:20 2018 us=142900   ca_path = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=142900   dh_file = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=142900   cert_file = '[[INLINE]]'
Thu Feb 22 10:41:20 2018 us=142900   extra_certs_file = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=142900   priv_key_file = '[[INLINE]]'
Thu Feb 22 10:41:20 2018 us=142900   pkcs12_file = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=142900   cryptoapi_cert = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=142900   cipher_list = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=142900   tls_verify = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=142900   tls_export_cert = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=142900   verify_x509_type = 0
Thu Feb 22 10:41:20 2018 us=142900   verify_x509_name = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=142900   crl_file = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=142900   ns_cert_type = 0
Thu Feb 22 10:41:20 2018 us=142900   remote_cert_ku[i] = 0
Thu Feb 22 10:41:20 2018 us=142900   remote_cert_ku[i] = 0
Thu Feb 22 10:41:20 2018 us=142900   remote_cert_ku[i] = 0
Thu Feb 22 10:41:20 2018 us=142900   remote_cert_ku[i] = 0
Thu Feb 22 10:41:20 2018 us=142900   remote_cert_ku[i] = 0
Thu Feb 22 10:41:20 2018 us=142900   remote_cert_ku[i] = 0
Thu Feb 22 10:41:20 2018 us=142900   remote_cert_ku[i] = 0
Thu Feb 22 10:41:20 2018 us=142900   remote_cert_ku[i] = 0
Thu Feb 22 10:41:20 2018 us=142900   remote_cert_ku[i] = 0
Thu Feb 22 10:41:20 2018 us=142900   remote_cert_ku[i] = 0
Thu Feb 22 10:41:20 2018 us=142900   remote_cert_ku[i] = 0
Thu Feb 22 10:41:20 2018 us=142900   remote_cert_ku[i] = 0
Thu Feb 22 10:41:20 2018 us=142900   remote_cert_ku[i] = 0
Thu Feb 22 10:41:20 2018 us=142900   remote_cert_ku[i] = 0
Thu Feb 22 10:41:20 2018 us=142900   remote_cert_ku[i] = 0
Thu Feb 22 10:41:20 2018 us=142900   remote_cert_ku[i] = 0
Thu Feb 22 10:41:20 2018 us=142900   remote_cert_eku = 'TLS Web Server Authentication'
Thu Feb 22 10:41:20 2018 us=142900   ssl_flags = 0
Thu Feb 22 10:41:20 2018 us=143400   tls_timeout = 2
Thu Feb 22 10:41:20 2018 us=143400   renegotiate_bytes = -1
Thu Feb 22 10:41:20 2018 us=143400   renegotiate_packets = 0
Thu Feb 22 10:41:20 2018 us=143400   renegotiate_seconds = 3600
Thu Feb 22 10:41:20 2018 us=143400   handshake_window = 60
Thu Feb 22 10:41:20 2018 us=143400   transition_window = 3600
Thu Feb 22 10:41:20 2018 us=143400   single_session = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   push_peer_info = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   tls_exit = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   tls_auth_file = '[[INLINE]]'
Thu Feb 22 10:41:20 2018 us=143400   tls_crypt_file = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_protected_authentication = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_protected_authentication = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_protected_authentication = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_protected_authentication = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_protected_authentication = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_protected_authentication = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_protected_authentication = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_protected_authentication = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_protected_authentication = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_protected_authentication = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_protected_authentication = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_protected_authentication = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_protected_authentication = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_protected_authentication = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_protected_authentication = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_protected_authentication = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_private_mode = 00000000
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_private_mode = 00000000
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_private_mode = 00000000
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_private_mode = 00000000
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_private_mode = 00000000
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_private_mode = 00000000
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_private_mode = 00000000
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_private_mode = 00000000
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_private_mode = 00000000
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_private_mode = 00000000
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_private_mode = 00000000
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_private_mode = 00000000
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_private_mode = 00000000
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_private_mode = 00000000
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_private_mode = 00000000
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_private_mode = 00000000
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_cert_private = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_cert_private = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_cert_private = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_cert_private = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_cert_private = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_cert_private = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_cert_private = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_cert_private = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_cert_private = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_cert_private = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_cert_private = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_cert_private = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_cert_private = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_cert_private = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_cert_private = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_cert_private = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_pin_cache_period = -1
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_id = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=143400   pkcs11_id_management = DISABLED
Thu Feb 22 10:41:20 2018 us=143400   server_network = 0.0.0.0
Thu Feb 22 10:41:20 2018 us=143400   server_netmask = 0.0.0.0
Thu Feb 22 10:41:20 2018 us=143900   server_network_ipv6 = ::
Thu Feb 22 10:41:20 2018 us=143900   server_netbits_ipv6 = 0
Thu Feb 22 10:41:20 2018 us=143900   server_bridge_ip = 0.0.0.0
Thu Feb 22 10:41:20 2018 us=143900   server_bridge_netmask = 0.0.0.0
Thu Feb 22 10:41:20 2018 us=143900   server_bridge_pool_start = 0.0.0.0
Thu Feb 22 10:41:20 2018 us=143900   server_bridge_pool_end = 0.0.0.0
Thu Feb 22 10:41:20 2018 us=143900   ifconfig_pool_defined = DISABLED
Thu Feb 22 10:41:20 2018 us=143900   ifconfig_pool_start = 0.0.0.0
Thu Feb 22 10:41:20 2018 us=143900   ifconfig_pool_end = 0.0.0.0
Thu Feb 22 10:41:20 2018 us=143900   ifconfig_pool_netmask = 0.0.0.0
Thu Feb 22 10:41:20 2018 us=143900   ifconfig_pool_persist_filename = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=143900   ifconfig_pool_persist_refresh_freq = 600
Thu Feb 22 10:41:20 2018 us=143900   ifconfig_ipv6_pool_defined = DISABLED
Thu Feb 22 10:41:20 2018 us=143900   ifconfig_ipv6_pool_base = ::
Thu Feb 22 10:41:20 2018 us=143900   ifconfig_ipv6_pool_netbits = 0
Thu Feb 22 10:41:20 2018 us=143900   n_bcast_buf = 256
Thu Feb 22 10:41:20 2018 us=143900   tcp_queue_limit = 64
Thu Feb 22 10:41:20 2018 us=143900   real_hash_size = 256
Thu Feb 22 10:41:20 2018 us=143900   virtual_hash_size = 256
Thu Feb 22 10:41:20 2018 us=143900   client_connect_script = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=143900   learn_address_script = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=143900   client_disconnect_script = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=143900   client_config_dir = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=143900   ccd_exclusive = DISABLED
Thu Feb 22 10:41:20 2018 us=143900   tmp_dir = 'C:\Users\BRADRE~1\AppData\Local\Temp\'
Thu Feb 22 10:41:20 2018 us=143900   push_ifconfig_defined = DISABLED
Thu Feb 22 10:41:20 2018 us=143900   push_ifconfig_local = 0.0.0.0
Thu Feb 22 10:41:20 2018 us=143900   push_ifconfig_remote_netmask = 0.0.0.0
Thu Feb 22 10:41:20 2018 us=143900   push_ifconfig_ipv6_defined = DISABLED
Thu Feb 22 10:41:20 2018 us=143900   push_ifconfig_ipv6_local = ::/0
Thu Feb 22 10:41:20 2018 us=143900   push_ifconfig_ipv6_remote = ::
Thu Feb 22 10:41:20 2018 us=143900   enable_c2c = DISABLED
Thu Feb 22 10:41:20 2018 us=143900   duplicate_cn = DISABLED
Thu Feb 22 10:41:20 2018 us=143900   cf_max = 0
Thu Feb 22 10:41:20 2018 us=143900   cf_per = 0
Thu Feb 22 10:41:20 2018 us=143900   max_clients = 1024
Thu Feb 22 10:41:20 2018 us=143900   max_routes_per_client = 256
Thu Feb 22 10:41:20 2018 us=143900   auth_user_pass_verify_script = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=143900   auth_user_pass_verify_script_via_file = DISABLED
Thu Feb 22 10:41:20 2018 us=143900   auth_token_generate = DISABLED
Thu Feb 22 10:41:20 2018 us=143900   auth_token_lifetime = 0
Thu Feb 22 10:41:20 2018 us=143900   client = ENABLED
Thu Feb 22 10:41:20 2018 us=143900   pull = ENABLED
Thu Feb 22 10:41:20 2018 us=143900   auth_user_pass_file = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=143900   show_net_up = DISABLED
Thu Feb 22 10:41:20 2018 us=143900   route_method = 3
Thu Feb 22 10:41:20 2018 us=143900   block_outside_dns = DISABLED
Thu Feb 22 10:41:20 2018 us=143900   ip_win32_defined = DISABLED
Thu Feb 22 10:41:20 2018 us=143900   ip_win32_type = 3
Thu Feb 22 10:41:20 2018 us=143900   dhcp_masq_offset = 0
Thu Feb 22 10:41:20 2018 us=143900   dhcp_lease_time = 31536000
Thu Feb 22 10:41:20 2018 us=143900   tap_sleep = 0
Thu Feb 22 10:41:20 2018 us=143900   dhcp_options = DISABLED
Thu Feb 22 10:41:20 2018 us=143900   dhcp_renew = DISABLED
Thu Feb 22 10:41:20 2018 us=143900   dhcp_pre_release = DISABLED
Thu Feb 22 10:41:20 2018 us=143900   domain = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=143900   netbios_scope = '[UNDEF]'
Thu Feb 22 10:41:20 2018 us=143900   netbios_node_type = 0
Thu Feb 22 10:41:20 2018 us=143900   disable_nbt = DISABLED
Thu Feb 22 10:41:20 2018 us=144401 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Thu Feb 22 10:41:20 2018 us=144401 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Feb 22 10:41:20 2018 us=144401 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Enter Management Password:
Thu Feb 22 10:41:20 2018 us=149406 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Thu Feb 22 10:41:20 2018 us=149905 Need hold release from management interface, waiting...
Thu Feb 22 10:41:20 2018 us=497063 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342
Thu Feb 22 10:41:20 2018 us=598522 MANAGEMENT: CMD 'state on'
Thu Feb 22 10:41:20 2018 us=599011 MANAGEMENT: CMD 'log all on'
Thu Feb 22 10:41:22 2018 us=845989 MANAGEMENT: CMD 'echo all on'
Thu Feb 22 10:41:22 2018 us=867508 MANAGEMENT: CMD 'hold off'
Thu Feb 22 10:41:22 2018 us=888042 MANAGEMENT: CMD 'hold release'
Thu Feb 22 10:41:23 2018 us=81575 MANAGEMENT: CMD 'password [...]'
Thu Feb 22 10:41:23 2018 us=86080 PRNG init md=SHA1 size=36
Thu Feb 22 10:41:23 2018 us=86080 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Feb 22 10:41:23 2018 us=86080 Outgoing Control Channel Authentication: HMAC KEY: 4943c2b0 ab09bef9 d00572ff 9bbb9d4a 0e9645ef 6cddc480 fe17c5a6 fcb708eb
Thu Feb 22 10:41:23 2018 us=86080 Outgoing Control Channel Authentication: HMAC size=32 block_size=32
Thu Feb 22 10:41:23 2018 us=86080 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Feb 22 10:41:23 2018 us=86080 Incoming Control Channel Authentication: HMAC KEY: 1c368686 64946601 1194fc44 7a4ef5a8 b764d1ac 5f15e4e5 452359d7 40e7420d
Thu Feb 22 10:41:23 2018 us=86080 Incoming Control Channel Authentication: HMAC size=32 block_size=32
Thu Feb 22 10:41:23 2018 us=86080 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Thu Feb 22 10:41:23 2018 us=86080 LZO compression initializing
Thu Feb 22 10:41:23 2018 us=86080 PID packet_id_init seq_backtrack=64 time_backtrack=15
Thu Feb 22 10:41:23 2018 us=86080 PID packet_id_init seq_backtrack=64 time_backtrack=15
Thu Feb 22 10:41:23 2018 us=86578 PID packet_id_init seq_backtrack=64 time_backtrack=15
Thu Feb 22 10:41:23 2018 us=86578 PID packet_id_init seq_backtrack=64 time_backtrack=15
Thu Feb 22 10:41:23 2018 us=86578 Control Channel MTU parms [ L:1624 D:1170 EF:80 EB:0 ET:0 EL:3 ]
Thu Feb 22 10:41:23 2018 us=86578 MTU DYNAMIC mtu=1450, flags=2, 1624 -> 1450
Thu Feb 22 10:41:23 2018 us=86578 RESOLVE_REMOTE flags=0x0101 phase=1 rrs=0 sig=-1 status=0
Thu Feb 22 10:41:23 2018 us=86578 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Thu Feb 22 10:41:23 2018 us=86578 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
Thu Feb 22 10:41:23 2018 us=86578 calc_options_string_link_mtu: link-mtu 1624 -> 1572
Thu Feb 22 10:41:23 2018 us=86578 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 68 bytes
Thu Feb 22 10:41:23 2018 us=86578 calc_options_string_link_mtu: link-mtu 1624 -> 1572
Thu Feb 22 10:41:23 2018 us=86578 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Thu Feb 22 10:41:23 2018 us=86578 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Thu Feb 22 10:41:23 2018 us=86578 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:XXXX
Thu Feb 22 10:41:23 2018 us=86578 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Feb 22 10:41:23 2018 us=86578 Attempting to establish TCP connection with [AF_INET]x.x.x.x:XXXX [nonblock]
Thu Feb 22 10:41:23 2018 us=87079 MANAGEMENT: >STATE:1519314083,TCP_CONNECT,,,,,,
Thu Feb 22 10:43:23 2018 us=273196 TCP: connect to [AF_INET]x.x.x.x:XXXX failed: Unknown error
Thu Feb 22 10:43:23 2018 us=274184 PID packet_id_free
Thu Feb 22 10:43:23 2018 us=274184 PID packet_id_free
Thu Feb 22 10:43:23 2018 us=274184 PID packet_id_free
Thu Feb 22 10:43:23 2018 us=274184 PID packet_id_free
Thu Feb 22 10:43:23 2018 us=274184 PID packet_id_free
Thu Feb 22 10:43:23 2018 us=275183 PID packet_id_free
Thu Feb 22 10:43:23 2018 us=275183 PID packet_id_free
Thu Feb 22 10:43:23 2018 us=275183 PID packet_id_free
Thu Feb 22 10:43:23 2018 us=275183 PID packet_id_free
Thu Feb 22 10:43:23 2018 us=275183 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Thu Feb 22 10:43:23 2018 us=276160 MANAGEMENT: >STATE:1519314203,RECONNECTING,init_instance,,,,,
Thu Feb 22 10:43:23 2018 us=276160 Restart pause, 5 second(s)
Thu Feb 22 10:43:27 2018 us=282164 PID packet_id_free
Thu Feb 22 10:43:27 2018 us=283129 SIGTERM[hard,init_instance] received, process exiting
Thu Feb 22 10:43:27 2018 us=283129 MANAGEMENT: >STATE:1519314207,EXITING,init_instance,,,,,
Thu Feb 22 10:43:27 2018 us=284125 PKCS#11: Terminating openssl
Thu Feb 22 10:43:27 2018 us=284125 PKCS#11: Removing providers
Thu Feb 22 10:43:27 2018 us=284125 PKCS#11: Releasing sessions
Thu Feb 22 10:43:27 2018 us=284125 PKCS#11: Terminating slotevent
Thu Feb 22 10:43:27 2018 us=284125 PKCS#11: Marking as uninitialized

You should see a line in the kernel log (which is echoed in the system log) that's similar to
Thu Feb 22 14:13:59 2018 kern.warn kernel: [968414.578266] <[[--- VPN Traffic ---]]> : IN=

  • Port 5000 needs to be changed to your VPN port number. If it's set to your port number and you receive no log lines like that, your VPN port number is mistyped in your configs, or there's something else going on, as there's no issue with the VPN itself.
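The check described in the reply above, as an added example that is not code from the thread or from the wiki it refers to: a LOG rule on the router that records every inbound connection attempt to the VPN port with the `<[[--- VPN Traffic ---]]>` prefix, and a helper that counts those lines in `logread` output. The WAN interface name, the port 1194, the exact rule and the sample `logread` lines are all assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or the wiki it references.
# Step 1 puts a LOG rule in front of the VPN port on the router so every inbound
# connection attempt is written to the kernel log; step 2 counts those lines.
# Assumptions (all made up for the example): WAN interface eth0.2, VPN port 1194,
# the log prefix, and the logread sample at the bottom.

VPN_PORT="${VPN_PORT:-1194}"      # the reply above uses 5000 as the placeholder
WAN_IF="${WAN_IF:-eth0.2}"
LOG_PREFIX='<[[--- VPN Traffic ---]]> : '   # kernel LOG prefixes are limited to 29 chars

# Step 1: print the iptables command (default) or run it (RUN=1 vpn_log_rule).
# --syn restricts logging to connection attempts; --limit keeps a port scan from
# flooding the kernel ring buffer.
vpn_log_rule() {
    set -- iptables -I INPUT -i "$WAN_IF" -p tcp --dport "$VPN_PORT" --syn \
           -m limit --limit 10/min -j LOG --log-prefix "$LOG_PREFIX"
    if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Step 2: vpn_syn_seen LOGREAD_TEXT PORT  ->  "<syn count> <distinct sources>"
# Only lines carrying our prefix, PROTO=TCP, the SYN flag and DPT=PORT count.
# "0 0" while a client is retrying means the SYN never reaches the router
# (no port forward, or filtering upstream), or PORT is not the port the
# client actually dials.
vpn_syn_seen() {
    printf '%s\n' "$1" | awk -v port="$2" -v pfx="$LOG_PREFIX" '
        index($0, pfx) && / PROTO=TCP / && / SYN / {
            dpt = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
                if ($i ~ /^SRC=/) src = substr($i, 5)
            }
            if (dpt == port) { hits++; srcs[src] = 1 }
        }
        END { n = 0; for (s in srcs) n++; print hits + 0, n }'
}

# Constructed logread output: two clients, one of them retransmitting its SYN.
SAMPLE_LOGREAD='Thu Feb 22 14:13:59 2018 kern.warn kernel: [968414.578266] <[[--- VPN Traffic ---]]> : IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=6102 DF PROTO=TCP SPT=50321 DPT=1194 WINDOW=8192 RES=0x00 SYN URGP=0
Thu Feb 22 14:14:02 2018 kern.warn kernel: [968417.580001] <[[--- VPN Traffic ---]]> : IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=6103 DF PROTO=TCP SPT=50321 DPT=1194 WINDOW=8192 RES=0x00 SYN URGP=0
Thu Feb 22 14:14:03 2018 kern.warn kernel: [968418.101934] <[[--- VPN Traffic ---]]> : IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=2231 DF PROTO=TCP SPT=41002 DPT=1194 WINDOW=29200 RES=0x00 SYN URGP=0'

vpn_log_rule                                # dry run: prints the iptables command
vpn_syn_seen "$SAMPLE_LOGREAD" "$VPN_PORT"  # 3 2
# On the router itself: vpn_syn_seen "$(logread)" "$VPN_PORT"
```

Run `vpn_syn_seen "$(logread)" "$VPN_PORT"` on the router while a client is retrying. A non-zero count proves the SYN reaches the router, so the problem is in the firewall or the OpenVPN server; "0 0" means the packet is lost before the router, which is what an ISP-side block looks like.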

No, I just wanted to ensure there wasn't an incompatible setting within the config for your iPhone, as I just learned the other day that certain phones are not compatible with certain tuning options, such as the fragment option.

  • With this being said, the fact you got the same result connecting from your iPhone and your PC indicates this is likely related to the router's firewall.

There must be something else going on. I have verified the port number is correct and tried multiple port numbers now and I see nothing in the logs. Any ideas on what could be going on?

I searched around for some tools and found nmap and netstat. I don't quite know what I am doing, but I was able to verify my port was open and the server was listening.

Thank you for your help.

Not a clue, but your issue is not with the VPN.
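The posted log already shows why the VPN itself can be ruled out: the client starts the TCP handshake at 10:41:23 and gives up at 10:43:23, exactly the `connect_timeout = 120` printed at the top of the log, so neither a SYN-ACK nor a RST ever came back. A wrong port or a firewall REJECT rule fails within milliseconds with "Connection refused"; the Windows build only prints "Unknown error", so the elapsed time is the reliable signal. (Separately: at `verb 7` the client prints the tls-auth HMAC key material, the `HMAC KEY:` lines above, so a tls-auth key that has been pasted into a public thread should be regenerated.) The script below is an added example, not code from the thread, that applies that triage to a client log; the address, port and sample log lines are constructed to mirror the posted log.

```shell
#!/bin/sh
# Added example, not code from the thread: triage an OpenVPN 2.4 TCP client log
# that never got past TCP_CONNECT, using only the log text.
# Assumptions: OpenVPN's default log line format ("Thu Feb 22 10:41:23 2018 us=...");
# the attempt and the failure fall on the same calendar day; the address, port and
# sample lines below are made up.

# Seconds since midnight from the "HH:MM:SS" field (4th field) of a log line.
hms_seconds() {
    printf '%s\n' "$1" | awk '{ split($4, t, ":"); print t[1]*3600 + t[2]*60 + t[3] }'
}

# classify_tcp_connect LOG_TEXT [CONNECT_TIMEOUT]   (OpenVPN default: 120 s)
# Prints one of:
#   connected        Initialization Sequence Completed was reached
#   refused <secs>   the peer answered with a RST: wrong port, nothing listening,
#                    or a firewall REJECT rule (the host is reachable)
#   timeout <secs>   no SYN-ACK within connect_timeout: the SYN is dropped, by a
#                    router DROP rule, a missing port forward, or filtering upstream
#   failed <secs>    failed early for another reason (read the log line)
#   pending          an attempt is in progress, no verdict yet
#   no-attempt       the log never reached TCP_CONNECT (DNS or config problem)
classify_tcp_connect() {
    log="$1"
    connect_timeout="${2:-120}"

    if printf '%s\n' "$log" | grep -q 'Initialization Sequence Completed'; then
        echo connected; return 0
    fi
    start=$(printf '%s\n' "$log" | grep 'Attempting to establish TCP connection' | head -n 1) || true
    fail=$(printf '%s\n' "$log" | grep 'TCP: connect to .* failed:' | head -n 1) || true
    if [ -z "$start" ]; then echo no-attempt; return 0; fi
    if [ -z "$fail" ]; then echo pending; return 0; fi

    t0=$(hms_seconds "$start")
    t1=$(hms_seconds "$fail")
    elapsed=$((t1 - t0))
    if [ "$elapsed" -lt 0 ]; then elapsed=$((elapsed + 86400)); fi   # crossed midnight

    case "$fail" in
        *"Connection refused"*) echo "refused $elapsed" ;;
        *) if [ "$elapsed" -ge "$connect_timeout" ]; then echo "timeout $elapsed"
           else echo "failed $elapsed"; fi ;;
    esac
}

# Constructed sample mirroring the posted log (address and port made up).
SAMPLE_TIMEOUT='Thu Feb 22 10:41:23 2018 us=86578 Attempting to establish TCP connection with [AF_INET]203.0.113.10:1194 [nonblock]
Thu Feb 22 10:41:23 2018 us=87079 MANAGEMENT: >STATE:1519314083,TCP_CONNECT,,,,,,
Thu Feb 22 10:43:23 2018 us=273196 TCP: connect to [AF_INET]203.0.113.10:1194 failed: Unknown error
Thu Feb 22 10:43:23 2018 us=275183 SIGUSR1[connection failed(soft),init_instance] received, process restarting'

# Constructed sample of the other common outcome: a RST came straight back.
SAMPLE_REFUSED='Thu Feb 22 10:41:23 2018 us=86578 Attempting to establish TCP connection with [AF_INET]203.0.113.10:1194 [nonblock]
Thu Feb 22 10:41:23 2018 us=90112 TCP: connect to [AF_INET]203.0.113.10:1194 failed: Connection refused'

classify_tcp_connect "$SAMPLE_TIMEOUT" 120   # timeout 120
classify_tcp_connect "$SAMPLE_REFUSED" 120   # refused 0
# Real log:  classify_tcp_connect "$(cat client.log)" 120
```

Pass the same value you configured with `connect-timeout` (or the `connect_timeout` line from the verb-4+ option dump) as the second argument; a failure that takes the full window is the signature of a dropped SYN, which the server-side LOG rule in the earlier reply then confirms or rules out at the router.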

I got it working!

I ended up contacting my ISP and they told me a configuration was wrong on their end and everything now works. Thank you for all your help, it was quite the journey but I definitely know a lot more about networking than when I started.