No access to OPENVPN via Vodafone Internet line

Hello everyone, we have OpenVPN configured on our server 7.9.2009 and it works normally.
In December I changed my ISP to Vodafone Fiberoptic (Italy) line. Now I cannot connect to the server over the OpenVPN connection. You can refer to the log I have inserted below, which shows what happens when I try to log into the VPN:

Thu Jan 5 20:51:11 2023 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless “allow-compression yes” is also set.
Thu Jan 5 20:51:11 2023 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add ‘–data-ciphers-fallback BF-CBC’ to your configuration and/or add BF-CBC to --data-ciphers.
Thu Jan 5 20:51:11 2023 OpenVPN 2.5.8 [git:none/0357ceb877687faa] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 2 2022
Thu Jan 5 20:51:11 2023 Windows version 10.0 (Windows 10 or greater) 64bit
Thu Jan 5 20:51:11 2023 library versions: OpenSSL 1.1.1s 1 Nov 2022, LZO 2.10
Thu Jan 5 20:51:11 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Jan 5 20:51:11 2023 Need hold release from management interface, waiting…
Thu Jan 5 20:51:12 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Jan 5 20:51:12 2023 MANAGEMENT: CMD ‘state on’
Thu Jan 5 20:51:12 2023 MANAGEMENT: CMD ‘log on all’
Thu Jan 5 20:51:12 2023 MANAGEMENT: CMD ‘echo on all’
Thu Jan 5 20:51:12 2023 MANAGEMENT: CMD ‘bytecount 5’
Thu Jan 5 20:51:12 2023 MANAGEMENT: CMD ‘state’
Thu Jan 5 20:51:12 2023 MANAGEMENT: CMD ‘hold off’
Thu Jan 5 20:51:12 2023 MANAGEMENT: CMD ‘hold release’
Thu Jan 5 20:51:14 2023 MANAGEMENT: CMD ‘username “Auth” “niroshuser”’
Thu Jan 5 20:51:14 2023 MANAGEMENT: CMD ‘password […]’
Thu Jan 5 20:51:14 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]server_publicIP:1194
Thu Jan 5 20:51:14 2023 Socket Buffers: R=[65536->65536] S=[64512->64512]
Thu Jan 5 20:51:14 2023 UDP link local: (not bound)
Thu Jan 5 20:51:14 2023 UDP link remote: [AF_INET]server_publicIP:1194
Thu Jan 5 20:51:14 2023 MANAGEMENT: >STATE:1672948274,WAIT,

It always stops at this stage and no connection seems to be established.
When I had the connection with Fastweb (Italy) I had no issue connecting to the server over OpenVPN.
Could someone please help me find something to adjust on our server (VPN) or something to test on my internet line to isolate the problem? Thanks in advance.

Hi @ns_nirosh

I’m not familiar with the specifics of Italian ISPs and such, but:

Do you have both IPv6 and IPv4 enabled on your Internet connection?
Test it eg with whatismyip.com that will indicate IPv4 and / or IPv6.

You may need to get IPv4 “enabled” from your Provider…
(Phone or E-Mail query…)

You need IPv4 as NethServer can’t handle IPv6 correctly (yet), that will only come in NS8…

My 2 cents
Andy

Hi Andy,
I have checked on the website that you specified in your reply and it only detected IPv4. IP version 6 was not detected at all. I have noticed that all the hotspot connections made by iPhones are not able to establish a connection to the server over OpenVPN. Do we have any other area to consider? Thanks

You can try recreating the OpenVPN config, maybe try using a different port (eg 1196) and re-exporting the config to the client…
Don’t forget to check the port used in the firewall, if needed enable the new port…

OK, I will try to reconfigure. Is it a problem if I have activated IPv6 on the router?

IPv6 can be a problem in NethServer networks, I tend to ban it altogether from the router / firewall onwards…

OK. I will surely follow those steps. Thanks very much again.

Good luck!

Is a private IP address or a public one configured on the RED interface?
Which device do you have as CPE (ISP-provided router)?

Do you have a static public IP for your connection?

Maybe the new carrier is using CGNAT, where the IP given to you isn’t the internet facing IP.

In Italy most business ISP connections, even with CGNAT, have access to a static public IP, with the contract or as an option.
However, CPEs are mostly pre-configured by the ISP with NAT. Some allow manual configuration; for others, special configs (subnet change, port forwarding, DMZ, yada yada yada) must be requested from the ISP.

Dear Pike, I have only changed my ISP (home), not the server side. The server remains untouched as always.
On the RED interface I have configured a local IP address to talk with the router. By port forwarding I have redirected the external requests to the server. Yes, we have a static IP. Thanks.

Hi Eddie, do we have any option to make the server accept such connections?

@ns_nirosh please, correct me if I’m wrong.

NethServer is the OpenVPN server and nothing changed.
Now you’re using OpenVPN from your home, which uses Vodafone, and your client cannot connect?

Hi Michael, yes, I am using Vodafone at home and I want to connect to the server, which is located in another city. But my OpenVPN client cannot reach the destination with Vodafone, but a month ago I could connect with my FASTWEB (ITALY) ISP. Thanks.

Did you consider asking Vodafone’s customer service?
Or better: have you successfully tried any other OpenVPN connection from your current ISP?

Do you have the fail2ban or threat shield modules installed on Nethserver?

Possibly check that the IP address of your home Internet connection has not been blocked by one of those two modules.

  1. I have contacted a Vodafone technician and he said it’s not their problem, because when I try to connect to the VPN the following error line shows in the OpenVPN GUI, and he asked me to resolve the problem behind this error.
    " WARNING: No server certificate verification method has been enabled. See How To Guide: Set Up & Configure OpenVPN Client/server VPN | OpenVPN for more info"

Then I added this line to the .ovpn config file:
remote-cert-tls server

Then the warning disappeared, but there is still no connection.
But our certificate is integrated within the .ovpn file, so I think this is not an issue.
They are not accepting the connection that I had before. (FASTWEB)

  2. I didn’t try with another VPN.

Hi saitobenkei,
Thanks for contacting us to resolve the problem together. It’s a good idea to check those options.
I am sure that I have not enabled fail2ban, but Threat Shield may be activated, I am not sure.
Maybe the IP address is blocked by default?
If yes, as I showed at the beginning, will my connection attempt stop at the

MANAGEMENT: >STATE:1672948274,WAIT,… step?
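
Added example, not written by any poster in this thread: a small Python helper that reads an OpenVPN client log like the one at the top of the thread and reports how far the connection got. The function name `analyse` and the report keys are illustrative; the state names and meanings follow OpenVPN's management-notes.txt, and the sample is abridged from the log quoted in the first post.

```python
import re

# State names and meanings as listed in OpenVPN's management-notes.txt.
STATE_MEANING = {
    "CONNECTING": "initial state",
    "RESOLVE": "resolving remote host name",
    "TCP_CONNECT": "connecting to TCP server",
    "WAIT": "waiting for initial response from server",
    "AUTH": "authenticating with server",
    "GET_CONFIG": "downloading configuration options from server",
    "ASSIGN_IP": "assigning IP address to virtual interface",
    "ADD_ROUTES": "adding routes to system",
    "CONNECTED": "initialization sequence completed",
    "RECONNECTING": "a restart has occurred",
    "EXITING": "a graceful exit is in progress",
}
STATE_RE = re.compile(r">STATE:\d+,([A-Z_]+),")
REMOTE_RE = re.compile(r"\b(UDP|TCP)\w* link remote: \[AF_INET6?\](\S+):(\d+)")

# Abridged from the client log quoted at the top of the thread.
SAMPLE_LOG = """\
Thu Jan 5 20:51:11 2023 WARNING: Compression for receiving enabled.
Thu Jan 5 20:51:14 2023 UDP link local: (not bound)
Thu Jan 5 20:51:14 2023 UDP link remote: [AF_INET]server_publicIP:1194
Thu Jan 5 20:51:14 2023 MANAGEMENT: >STATE:1672948274,WAIT,
"""

def analyse(log_text):
    """Summarise how far an OpenVPN client got, from its log text."""
    states = STATE_RE.findall(log_text)
    last = states[-1] if states else None
    remote = REMOTE_RE.search(log_text)
    return {
        "last_state": last,
        "meaning": STATE_MEANING.get(last),
        "proto": remote.group(1) if remote else None,
        "remote": remote.group(2) if remote else None,
        "port": int(remote.group(3)) if remote else None,
        "warnings": [l.split("WARNING:", 1)[1].strip()
                     for l in log_text.splitlines() if "WARNING:" in l],
        # The client logs "TLS: Initial packet from ..." once the server's first
        # reply arrives; WAIT without it means nothing came back on this path.
        "no_reply_from_server": last == "WAIT"
                                and "TLS: Initial packet from" not in log_text,
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A stall in WAIT with no reply only shows that the client's UDP packet, or the server's answer to it, was lost somewhere on the path; the client log alone cannot tell whether that was the ISP, the port forward, or a block on the server, so the server-side OpenVPN and firewall logs for the same timestamp are the next place to look.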

It has happened to me before that fail2ban would intervene “randomly” on OpenVPN connections, cutting off some of my road warriors.

Are the OpenVPN login credentials correct?
Do you have a chance to test the connection by tethering with a cell phone?

Is the IP that Vodafone provides you with static or dynamic?
If it is static you have a better chance of fail2ban or threat shield intervening.