Can't connect a roadwarrior to the VPN

NethServer Version: 7.9
Module: OpenVPN
The connection is arriving at the server but it is not accepted


Sun Dec 31 15:54:38 2023 222.127.90.247:57883 TLS: Initial packet from [AF_INET]222.127.90.247:57883 (via [AF_INET]192.168.100.102%em2), sid=0ba85504 85864e24
Sun Dec 31 15:54:41 2023 read UDPv4 [CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH]: No route to host (code=113)
Sun Dec 31 15:54:45 2023 read UDPv4 [CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH]: No route to host (code=113)
Sun Dec 31 15:54:46 2023 MANAGEMENT: Client connected from /var/spool/openvpn/host-to-net
Sun Dec 31 15:54:46 2023 MANAGEMENT: CMD 'status 3'
Sun Dec 31 15:54:46 2023 MANAGEMENT: Client disconnected
Sun Dec 31 15:54:46 2023 MANAGEMENT: Client connected from /var/spool/openvpn/host-to-net
Sun Dec 31 15:54:46 2023 MANAGEMENT: CMD 'status 3'
Sun Dec 31 15:54:46 2023 MANAGEMENT: Client disconnected
Sun Dec 31 15:54:46 2023 MANAGEMENT: Client connected from /var/spool/openvpn/host-to-net
Sun Dec 31 15:54:46 2023 MANAGEMENT: CMD 'status 3'
Sun Dec 31 15:54:46 2023 MANAGEMENT: Client disconnected
Sun Dec 31 15:54:48 2023 read UDPv4 [CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH]: No route to host (code=113)
Sun Dec 31 15:54:48 2023 222.127.90.247:57884 TLS: Initial packet from [AF_INET]222.127.90.247:57884 (via [AF_INET]192.168.100.102%em2), sid=325135ae f7d863c2
Sun Dec 31 15:54:51 2023 read UDPv4 [CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH]: No route to host (code=113)
Sun Dec 31 15:54:55 2023 read UDPv4 [CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH]: No route to host (code=113)
Sun Dec 31 15:54:58 2023 read UDPv4 [CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH]: No route to host (code=113)
Sun Dec 31 15:54:58 2023 222.127.90.247:57885 TLS: Initial packet from [AF_INET]222.127.90.247:57885 (via [AF_INET]192.168.100.102%em2), sid=7f193961 7994136a
Sun Dec 31 15:55:01 2023 read UDPv4 [CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH]: No route to host (code=113)
Sun Dec 31 15:55:05 2023 read UDPv4 [CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH]: No route to host (code=113)
Sun Dec 31 15:55:08 2023 read UDPv4 [CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH]: No route to host (code=113)
Sun Dec 31 15:55:11 2023 read UDPv4 [CMSG=8|EHOSTUNREACH]: No route to host (code=113)
Sun Dec 31 15:55:15 2023 read UDPv4 [CMSG=8|EHOSTUNREACH]: No route to host (code=113)
Sun Dec 31 15:55:22 2023 read UDPv4 [CMSG=8|EHOSTUNREACH]: No route to host (code=113)
Sun Dec 31 15:55:31 2023 read UDPv4 [CMSG=8|EHOSTUNREACH]: No route to host (code=113)
Sun Dec 31 15:55:38 2023 222.127.90.247:57883 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Dec 31 15:55:38 2023 222.127.90.247:57883 TLS Error: TLS handshake failed
Sun Dec 31 15:55:38 2023 222.127.90.247:57883 SIGUSR1[soft,tls-error] received, client-instance restarting
Sun Dec 31 15:55:48 2023 222.127.90.247:57884 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Dec 31 15:55:48 2023 222.127.90.247:57884 TLS Error: TLS handshake failed
Sun Dec 31 15:55:48 2023 222.127.90.247:57884 SIGUSR1[soft,tls-error] received, client-instance restarting
Sun Dec 31 15:55:57 2023 MANAGEMENT: Client connected from /var/spool/openvpn/host-to-net
Sun Dec 31 15:55:57 2023 MANAGEMENT: CMD 'status 3'
Sun Dec 31 15:55:57 2023 MANAGEMENT: Client disconnected
Sun Dec 31 15:55:58 2023 MANAGEMENT: Client connected from /var/spool/openvpn/host-to-net
Sun Dec 31 15:55:58 2023 222.127.90.247:57885 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Dec 31 15:55:58 2023 222.127.90.247:57885 TLS Error: TLS handshake failed
Sun Dec 31 15:55:58 2023 222.127.90.247:57885 SIGUSR1[soft,tls-error] received, client-instance restarting
Sun Dec 31 15:55:58 2023 MANAGEMENT: CMD 'status 3'
Sun Dec 31 15:55:58 2023 MANAGEMENT: Client disconnected
Sun Dec 31 15:55:58 2023 MANAGEMENT: Client connected from /var/spool/openvpn/host-to-net
Sun Dec 31 15:55:58 2023 MANAGEMENT: CMD 'status 3'
Sun Dec 31 15:55:58 2023 MANAGEMENT: Client disconnected
Sun Dec 31 15:56:17 2023 MANAGEMENT: Client connected from /var/spool/openvpn/host-to-net
Sun Dec 31 15:56:17 2023 MANAGEMENT: CMD 'status 3'
Sun Dec 31 15:56:17 2023 MANAGEMENT: Client disconnected


Any help is very much appreciated

Sepp

Your client does not know where your VPN server is

Problem of DNS hostname badly set at your DNS provider
Routing problem of the router in front of your VPN server

You should describe your infrastructure


Dear Stéphane,

It is very simple.

Router/Modem connected to ISP

External IP 222.127.x.x

Port 1194 forwarded to NethServer RED interface

SERVER IP 192.168.1.90

Since I have a log entry on the server showing the connection it is finding the server, it should know.

I am confused about this

Sun Dec 31 15:55:11 2023 read UDPv4 [CMSG=8|EHOSTUNREACH]: No route to host (code=113)
Sun Dec 31 15:55:15 2023 read UDPv4 [CMSG=8|EHOSTUNREACH]: No route to host (code=113)

How do I route to host from the RED interface??

Many thanks

Sepp

In your ovpn configuration, did you set an IP to reach or an FQDN?

Are you trying to connect from the internal or the external?

Can you connect from the external with an LTE/mobile broadband connection?

  1. IP 222.127.x.x
  2. EXTERNAL

2. INTERNAL

CONNECTED

  1. THE EXTERNAL CONNECTION IS FROM A SECOND MODEM/ROUTER IP

  1. CONNECT VIA MOBILE PHONE TO WORKSTATION

Thank you very much

Sepp

You have two different issues

From internal: no route to host

From external: TLS handshake failed and no route to host

Fun
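
An added example (not part of the original thread, and not NethServer or OpenVPN code): a small log triage that pairs each "TLS: Initial packet" line with its later handshake timeout and counts the EHOSTUNREACH reads logged in between. The function name `triage` and the shortened sample excerpt are constructed for illustration, in the format of the log posted above.

```python
import re
from datetime import datetime

# Constructed sample: shortened excerpt in the same format as the posted log.
SAMPLE = """\
Sun Dec 31 15:54:38 2023 222.127.90.247:57883 TLS: Initial packet from [AF_INET]222.127.90.247:57883 (via [AF_INET]192.168.100.102%em2), sid=0ba85504 85864e24
Sun Dec 31 15:54:41 2023 read UDPv4 [CMSG=8|EHOSTUNREACH|CMSG=8|EHOSTUNREACH]: No route to host (code=113)
Sun Dec 31 15:54:46 2023 MANAGEMENT: CMD 'status 3'
Sun Dec 31 15:54:48 2023 222.127.90.247:57884 TLS: Initial packet from [AF_INET]222.127.90.247:57884 (via [AF_INET]192.168.100.102%em2), sid=325135ae f7d863c2
Sun Dec 31 15:54:51 2023 read UDPv4 [CMSG=8|EHOSTUNREACH]: No route to host (code=113)
Sun Dec 31 15:55:38 2023 222.127.90.247:57883 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Dec 31 15:55:48 2023 222.127.90.247:57884 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (.*)$")
INITIAL = re.compile(r"^(\S+) TLS: Initial packet from \[AF_INET\]\S+ \(via \[AF_INET\]([\d.]+)%(\w+)\)")
TIMEOUT = re.compile(r"^(\S+) TLS Error: TLS key negotiation failed")

def triage(text):
    """Return one record per client ip:port seen in an 'Initial packet' line."""
    sessions = {}      # peer "ip:port" -> start/end time, local address, interface
    unreachable = []   # (timestamp, number of EHOSTUNREACH entries on that line)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        if "EHOSTUNREACH" in msg:
            unreachable.append((ts, msg.count("EHOSTUNREACH")))
        elif (i := INITIAL.match(msg)):
            sessions[i.group(1)] = {"start": ts, "end": None,
                                    "local": i.group(2), "iface": i.group(3)}
        elif (t := TIMEOUT.match(msg)) and t.group(1) in sessions:
            sessions[t.group(1)]["end"] = ts
    report = []
    for peer, s in sessions.items():
        end = s["end"]
        # Count socket errors logged while this handshake was pending.
        errs = sum(n for ts, n in unreachable
                   if s["start"] <= ts and (end is None or ts <= end))
        report.append({"peer": peer, "local": s["local"], "iface": s["iface"],
                       "seconds": (end - s["start"]).total_seconds() if end else None,
                       "unreachable_during": errs,
                       "handshake": "timed out" if end else "open"})
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Every handshake in the sample arrives on 192.168.100.102 (em2) and times out exactly 60 seconds later with host-unreachable errors logged in the window, so the first packet reaches the server but the exchange never completes.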

Yes … lots of fun

Sepp

How did you install NS7: with only one NIC (green) or as a gateway with two NICs (red and green)?

Who is 192.168.100.102?

Definitely I do not understand your network. As you can see, the networks are not the same, because we find your (supposed) client with 192.168.100.x/xx

Two RED & Green

Red is 192.166.100.102 the IP range of the Modem

Green is 192.168.1.90, the IP range of my Fortinet router … which gets its range from the modem 192.168.100.100

it is RED

Thank you
SEPP

Well so

Router 192.168.100.0/x
   |
   |_________red ns7 192.168.100.2
   |                  |
   |                  green 192.168.1.0/x
   |___CLIENT

What is the IP of the client?

Maybe you have swapped the red and the green, so they are not in the right network?

You should draw the map of your network. You are targeting a complicated thing, and without it we cannot help you.

Maybe a simple plan with an NS7 with only a green interface could be simpler to set up. Just open port 1194 to the NS7.

Did you succeed in pinging the IP of the NS7 red from your client?


You cannot mix the green card of NS7 with the green card of your Fortinet. In that case, please use only one NIC for NS7 and put it behind the Fortinet.

Does the modem do a DMZ or open the 1194 UDP port to the NS7?