OpenVPN NS server-client

NethServer Version: 7.7.1908
Module: OpenVPN
Hey.
I configured OpenVPN according to the instructions

When I try to connect a client to a server, I get an error

Сводка

Fri Mar 20 08:31:03 2020 OpenVPN 2.4.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Fri Mar 20 08:31:03 2020 Windows version 6.2 (Windows 8 or greater) 32bit
Fri Mar 20 08:31:03 2020 library versions: OpenSSL 1.1.0l 10 Sep 2019, LZO 2.10
Enter Management Password:
Fri Mar 20 08:31:03 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Mar 20 08:31:03 2020 Need hold release from management interface, waiting…
Fri Mar 20 08:31:03 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Mar 20 08:31:03 2020 MANAGEMENT: CMD ‘state on’
Fri Mar 20 08:31:03 2020 MANAGEMENT: CMD ‘log all on’
Fri Mar 20 08:31:04 2020 MANAGEMENT: CMD ‘echo all on’
Fri Mar 20 08:31:04 2020 MANAGEMENT: CMD ‘bytecount 5’
Fri Mar 20 08:31:04 2020 MANAGEMENT: CMD ‘hold off’
Fri Mar 20 08:31:04 2020 MANAGEMENT: CMD ‘hold release’
Fri Mar 20 08:31:04 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Mar 20 08:31:04 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]178.212.239.254:1194
Fri Mar 20 08:31:04 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Mar 20 08:31:04 2020 UDP link local: (not bound)
Fri Mar 20 08:31:04 2020 UDP link remote: [AF_INET]178.212.239.254:1194
Fri Mar 20 08:31:04 2020 MANAGEMENT: >STATE:1584685864,WAIT,
Fri Mar 20 08:32:04 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Mar 20 08:32:04 2020 TLS Error: TLS handshake failed
Fri Mar 20 08:32:04 2020 SIGUSR1[soft,tls-error] received, process restarting
Fri Mar 20 08:32:04 2020 MANAGEMENT: >STATE:1584685924,RECONNECTING,tls-error,
Fri Mar 20 08:32:04 2020 Restart pause, 5 second(s)
Fri Mar 20 08:32:09 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Mar 20 08:32:09 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]178.212.239.254:1194
Fri Mar 20 08:32:09 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Mar 20 08:32:09 2020 UDP link local: (not bound)
Fri Mar 20 08:32:09 2020 UDP link remote: [AF_INET]178.212.239.254:1194
Fri Mar 20 08:32:09 2020 MANAGEMENT: >STATE:1584685929,WAIT,
Fri Mar 20 08:33:09 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Mar 20 08:33:09 2020 TLS Error: TLS handshake failed
Fri Mar 20 08:33:09 2020 SIGUSR1[soft,tls-error] received, process restarting
Fri Mar 20 08:33:09 2020 MANAGEMENT: >STATE:1584685989,RECONNECTING,tls-error,
Fri Mar 20 08:33:09 2020 Restart pause, 5 second(s)
Fri Mar 20 08:33:14 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Mar 20 08:33:14 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]178.212.239.254:1194
Fri Mar 20 08:33:14 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Mar 20 08:33:14 2020 UDP link local: (not bound)
Fri Mar 20 08:33:14 2020 UDP link remote: [AF_INET]178.212.239.254:1194
Fri Mar 20 08:33:14 2020 MANAGEMENT: >STATE:1584685994,WAIT,
Fri Mar 20 08:34:14 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Mar 20 08:34:14 2020 TLS Error: TLS handshake failed
Fri Mar 20 08:34:14 2020 SIGUSR1[soft,tls-error] received, process restarting
Fri Mar 20 08:34:14 2020 MANAGEMENT: >STATE:1584686054,RECONNECTING,tls-error,
Fri Mar 20 08:34:14 2020 Restart pause, 5 second(s)
Fri Mar 20 08:34:19 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Mar 20 08:34:19 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]178.212.239.254:1194
Fri Mar 20 08:34:19 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Mar 20 08:34:19 2020 UDP link local: (not bound)
Fri Mar 20 08:34:19 2020 UDP link remote: [AF_INET]178.212.239.254:1194
Fri Mar 20 08:34:19 2020 MANAGEMENT: >STATE:1584686059,WAIT,
Fri Mar 20 08:35:03 2020 SIGTERM received, sending exit notification to peer
Fri Mar 20 08:35:05 2020 SIGTERM[soft,exit-with-notification] received, process exiting
Fri Mar 20 08:35:05 2020 MANAGEMENT: >STATE:1584686105,EXITING,exit-with-notification,

How to setup?

P.S.
NS is an openvpn router, firewall, and server.

Seems to be a firewalling problem:

The instructions you used tell about port forwarding but you don’t need it as Nethserver is your gateway. It’s only needed if there’s a router in front of NS.

Windows Firewall is disabled.
What else can I do to check?

If you have a firewall rule on Nethserver for the VPN, delete it. It may brake the VPN connection.
If there’s another router in front of your Nethserver you may need to forward the OpenVPN port (usually 1194/UDP) to the Nethserver.

EDIT:

You may check on the Nethserver if packets reach the WAN interface:

tcpdump -nnpi enp3s0 port 1194
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp3s0, link-type EN10MB (Ethernet), capture size 262144 bytes
0 packets captured
3727 packets received by filter
3619 packets dropped by kernel

Seems a lot of packets dropped, please check /var/log/firewall.log

You may try to disable the firewall on Nethserver with

shorewall clear

and try to connect again.

Or you may try to connect from internal network.

I forgot to enable vpn connection for verification.
[root@neth ~]# tcpdump -nnpi enp3s0 port 1194
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp3s0, link-type EN10MB (Ethernet), capture size 262144 bytes

Сводка

08:58:11.906182 IP 91.145.195.181.53492 > 178.212.239.254.1194: UDP, length 14
08:58:15.715650 IP 91.145.195.181.53492 > 178.212.239.254.1194: UDP, length 14
08:58:24.089311 IP 91.145.195.181.53492 > 178.212.239.254.1194: UDP, length 14

Which openvpn client do you use on which OS/device?

Windows 10 pro 1803
OpenVPN 2.4.8

Do you use OpenVPN GUI to import the config and connect? If not please try it.

What about the following:

I executed the command
shorewall clear
and my internet turned off.
I had to restart NS.

signal-event firewall-adjust just restarts your firewall.

Did you try this one:

Sorry, I’m out of ideas for now…

After installing the OpenVPN module, a problem arose. I cannot connect from the internal network to other computers using RDP.
Connection RDP is only possible when the firewall rules are being saved (nethserver-openvpn-save (S95trusted-networks-modify)
75%) and then disconnects.
p.s.
The problem was fail2ban. The IP I need was blocked.
Thanks @giacomo

After rebooting NS, the VPN connection works.
OpenVPN CLIENT LIST
Updated,Mon Mar 23 09:58:27 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
Client1,91.145.195.181:62224,3549,4688,Mon Mar 23 09:53:26 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.1.1.6,Client1,91.145.195.181:62224,Mon Mar 23 09:53:30 2020
GLOBAL STATS
Max bcast/mcast queue length,1
END

Сводка

Mon Mar 23 09:56:00 2020 OpenVPN 2.4.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Mon Mar 23 09:56:00 2020 Windows version 6.2 (Windows 8 or greater) 32bit
Mon Mar 23 09:56:00 2020 library versions: OpenSSL 1.1.0l 10 Sep 2019, LZO 2.10
Enter Management Password:
Mon Mar 23 09:56:00 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Mar 23 09:56:00 2020 Need hold release from management interface, waiting…
Mon Mar 23 09:56:00 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Mar 23 09:56:00 2020 MANAGEMENT: CMD ‘state on’
Mon Mar 23 09:56:00 2020 MANAGEMENT: CMD ‘log all on’
Mon Mar 23 09:56:00 2020 MANAGEMENT: CMD ‘echo all on’
Mon Mar 23 09:56:00 2020 MANAGEMENT: CMD ‘bytecount 5’
Mon Mar 23 09:56:00 2020 MANAGEMENT: CMD ‘hold off’
Mon Mar 23 09:56:00 2020 MANAGEMENT: CMD ‘hold release’
Mon Mar 23 09:56:00 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Mar 23 09:56:00 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]178.212.239.254:1194
Mon Mar 23 09:56:00 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Mar 23 09:56:00 2020 UDP link local: (not bound)
Mon Mar 23 09:56:00 2020 UDP link remote: [AF_INET]178.212.239.254:1194
Mon Mar 23 09:56:00 2020 MANAGEMENT: >STATE:1584950160,WAIT,
Mon Mar 23 09:57:00 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Mar 23 09:57:00 2020 TLS Error: TLS handshake failed
Mon Mar 23 09:57:00 2020 SIGUSR1[soft,tls-error] received, process restarting
Mon Mar 23 09:57:00 2020 MANAGEMENT: >STATE:1584950220,RECONNECTING,tls-error,
Mon Mar 23 09:57:00 2020 Restart pause, 5 second(s)
Mon Mar 23 09:57:05 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Mar 23 09:57:05 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]178.212.239.254:1194
Mon Mar 23 09:57:05 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Mar 23 09:57:05 2020 UDP link local: (not bound)
Mon Mar 23 09:57:05 2020 UDP link remote: [AF_INET]178.212.239.254:1194
Mon Mar 23 09:57:05 2020 MANAGEMENT: >STATE:1584950225,WAIT,
Mon Mar 23 09:57:06 2020 read UDP: Unknown error (code=10054)
Mon Mar 23 09:57:07 2020 read UDP: Unknown error (code=10054)
Mon Mar 23 09:57:11 2020 read UDP: Unknown error (code=10054)
Mon Mar 23 09:57:20 2020 read UDP: Unknown error (code=10054)
Mon Mar 23 09:57:35 2020 read UDP: Unknown error (code=10054)
Mon Mar 23 09:58:05 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Mar 23 09:58:05 2020 TLS Error: TLS handshake failed
Mon Mar 23 09:58:05 2020 SIGUSR1[soft,tls-error] received, process restarting
Mon Mar 23 09:58:05 2020 MANAGEMENT: >STATE:1584950285,RECONNECTING,tls-error,
Mon Mar 23 09:58:05 2020 Restart pause, 5 second(s)
Mon Mar 23 09:58:10 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Mar 23 09:58:10 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]178.212.239.254:1194
Mon Mar 23 09:58:10 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Mar 23 09:58:10 2020 UDP link local: (not bound)
Mon Mar 23 09:58:10 2020 UDP link remote: [AF_INET]178.212.239.254:1194
Mon Mar 23 09:58:10 2020 MANAGEMENT: >STATE:1584950290,WAIT,
Mon Mar 23 09:58:10 2020 read UDP: Unknown error (code=10054)
Mon Mar 23 09:58:13 2020 read UDP: Unknown error (code=10054)
Mon Mar 23 09:58:18 2020 read UDP: Unknown error (code=10054)
Mon Mar 23 09:58:26 2020 MANAGEMENT: >STATE:1584950306,AUTH,
Mon Mar 23 09:58:26 2020 TLS: Initial packet from [AF_INET]178.212.239.254:1194, sid=91933cc3 2661329c
Mon Mar 23 09:58:27 2020 VERIFY OK: depth=0, CN=NethServer, O=Example Org, ST=SomeState, OU=Main, emailAddress=root@localhost.localdomain, C=–, L=Hometown
Mon Mar 23 09:58:28 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Mar 23 09:58:28 2020 [NethServer] Peer Connection Initiated with [AF_INET]178.212.239.254:1194
Mon Mar 23 09:58:29 2020 MANAGEMENT: >STATE:1584950309,GET_CONFIG,
Mon Mar 23 09:58:29 2020 SENT CONTROL [NethServer]: ‘PUSH_REQUEST’ (status=1)
Mon Mar 23 09:58:31 2020 PUSH: Received control message: ‘PUSH_REPLY,dhcp-option DOMAIN en.local,dhcp-option DNS 8.8.8.8,dhcp-option WINS 10.1.1.1,dhcp-option NBDD 10.1.1.1,dhcp-option NBT 2,route 192.168.15.0 255.255.255.0,route 10.1.1.0 255.255.255.0,topology net30,ping 20,ping-restart 120,ifconfig 10.1.1.6 10.1.1.5,peer-id 0,cipher AES-256-GCM’
Mon Mar 23 09:58:31 2020 OPTIONS IMPORT: timers and/or timeouts modified
Mon Mar 23 09:58:31 2020 OPTIONS IMPORT: --ifconfig/up options modified
Mon Mar 23 09:58:31 2020 OPTIONS IMPORT: route options modified
Mon Mar 23 09:58:31 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Mar 23 09:58:31 2020 OPTIONS IMPORT: peer-id set
Mon Mar 23 09:58:31 2020 OPTIONS IMPORT: adjusting link_mtu to 1625
Mon Mar 23 09:58:31 2020 OPTIONS IMPORT: data channel crypto options modified
Mon Mar 23 09:58:31 2020 Data Channel: using negotiated cipher ‘AES-256-GCM’
Mon Mar 23 09:58:31 2020 Outgoing Data Channel: Cipher ‘AES-256-GCM’ initialized with 256 bit key
Mon Mar 23 09:58:31 2020 Incoming Data Channel: Cipher ‘AES-256-GCM’ initialized with 256 bit key
Mon Mar 23 09:58:31 2020 interactive service msg_channel=624
Mon Mar 23 09:58:31 2020 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 I=7 HWADDR=7c:c7:09:38:66:ab
Mon Mar 23 09:58:31 2020 open_tun
Mon Mar 23 09:58:31 2020 TAP-WIN32 device [Подключение по локальной сети] opened: \.\Global{7F40F6B5-0494-4B5E-AB07-275BCFC0C505}.tap
Mon Mar 23 09:58:31 2020 TAP-Windows Driver Version 9.24
Mon Mar 23 09:58:31 2020 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.1.1.6/255.255.255.252 on interface {7F40F6B5-0494-4B5E-AB07-275BCFC0C505} [DHCP-serv: 10.1.1.5, lease-time: 31536000]
Mon Mar 23 09:58:31 2020 Successful ARP Flush on interface [14] {7F40F6B5-0494-4B5E-AB07-275BCFC0C505}
Mon Mar 23 09:58:31 2020 MANAGEMENT: >STATE:1584950311,ASSIGN_IP,10.1.1.6,
Mon Mar 23 09:58:36 2020 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Mon Mar 23 09:58:36 2020 MANAGEMENT: >STATE:1584950316,ADD_ROUTES,
Mon Mar 23 09:58:36 2020 C:\Windows\system32\route.exe ADD 192.168.15.0 MASK 255.255.255.0 10.1.1.5
Mon Mar 23 09:58:36 2020 Route addition via service succeeded
Mon Mar 23 09:58:36 2020 C:\Windows\system32\route.exe ADD 10.1.1.0 MASK 255.255.255.0 10.1.1.5
Mon Mar 23 09:58:36 2020 Route addition via service succeeded
Mon Mar 23 09:58:36 2020 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
Mon Mar 23 09:58:36 2020 Initialization Sequence Completed
Mon Mar 23 09:58:36 2020 MANAGEMENT: >STATE:1584950316,CONNECTED,SUCCESS,10.1.1.6,178.212.239.254,1194,
Mon Mar 23 10:05:35 2020 [NethServer] Inactivity timeout (–ping-restart), restarting
Mon Mar 23 10:05:35 2020 SIGUSR1[soft,ping-restart] received, process restarting
Mon Mar 23 10:05:35 2020 MANAGEMENT: >STATE:1584950735,RECONNECTING,ping-restart,
Mon Mar 23 10:05:35 2020 Restart pause, 5 second(s)
Mon Mar 23 10:05:40 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Mar 23 10:05:40 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]178.212.239.254:1194
Mon Mar 23 10:05:40 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Mar 23 10:05:40 2020 UDP link local: (not bound)
Mon Mar 23 10:05:40 2020 UDP link remote: [AF_INET]178.212.239.254:1194
Mon Mar 23 10:05:40 2020 MANAGEMENT: >STATE:1584950740,WAIT,
Mon Mar 23 10:06:40 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Mar 23 10:06:40 2020 TLS Error: TLS handshake failed
Mon Mar 23 10:06:40 2020 SIGUSR1[soft,tls-error] received, process restarting
Mon Mar 23 10:06:40 2020 MANAGEMENT: >STATE:1584950800,RECONNECTING,tls-error,
Mon Mar 23 10:06:40 2020 Restart pause, 5 second(s)
Mon Mar 23 10:06:45 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Mar 23 10:06:45 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]178.212.239.254:1194
Mon Mar 23 10:06:45 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Mar 23 10:06:45 2020 UDP link local: (not bound)
Mon Mar 23 10:06:45 2020 UDP link remote: [AF_INET]178.212.239.254:1194
Mon Mar 23 10:06:45 2020 MANAGEMENT: >STATE:1584950805,WAIT,
Mon Mar 23 10:07:46 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Mar 23 10:07:46 2020 TLS Error: TLS handshake failed
Mon Mar 23 10:07:46 2020 SIGUSR1[soft,tls-error] received, process restarting
Mon Mar 23 10:07:46 2020 MANAGEMENT: >STATE:1584950866,RECONNECTING,tls-error,
Mon Mar 23 10:07:46 2020 Restart pause, 5 second(s)
Mon Mar 23 10:07:51 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Mar 23 10:07:51 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]178.212.239.254:1194
Mon Mar 23 10:07:51 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Mar 23 10:07:51 2020 UDP link local: (not bound)
Mon Mar 23 10:07:51 2020 UDP link remote: [AF_INET]178.212.239.254:1194
Mon Mar 23 10:07:51 2020 MANAGEMENT: >STATE:1584950871,WAIT,
Mon Mar 23 10:08:51 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Mar 23 10:08:51 2020 TLS Error: TLS handshake failed
Mon Mar 23 10:08:51 2020 SIGUSR1[soft,tls-error] received, process restarting
Mon Mar 23 10:08:51 2020 MANAGEMENT: >STATE:1584950931,RECONNECTING,tls-error,
Mon Mar 23 10:08:51 2020 Restart pause, 5 second(s)
Mon Mar 23 10:08:56 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Mar 23 10:08:56 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]178.212.239.254:1194
Mon Mar 23 10:08:56 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Mar 23 10:08:56 2020 UDP link local: (not bound)
Mon Mar 23 10:08:56 2020 UDP link remote: [AF_INET]178.212.239.254:1194
Mon Mar 23 10:08:56 2020 MANAGEMENT: >STATE:1584950936,WAIT,
Mon Mar 23 10:09:02 2020 SIGTERM received, sending exit notification to peer
Mon Mar 23 10:09:03 2020 C:\Windows\system32\route.exe DELETE 192.168.15.0 MASK 255.255.255.0 10.1.1.5
Mon Mar 23 10:09:03 2020 Route deletion via service succeeded
Mon Mar 23 10:09:03 2020 C:\Windows\system32\route.exe DELETE 10.1.1.0 MASK 255.255.255.0 10.1.1.5
Mon Mar 23 10:09:03 2020 Route deletion via service succeeded
Mon Mar 23 10:09:03 2020 Closing TUN/TAP interface
Mon Mar 23 10:09:03 2020 TAP: DHCP address released
Mon Mar 23 10:09:03 2020 SIGTERM[soft,exit-with-notification] received, process exiting
Mon Mar 23 10:09:03 2020 MANAGEMENT: >STATE:1584950943,EXITING,exit-with-notification,

How to configure the VPN client to see internal network resources?

My network has an internal site 192.168.15.5
How to make the vpn client open this site?


Should I register a route to access the internal site? Which one?

If Nethserver acts as your gateway it should just work. If there’s another router between www and Nethserver, you may need a static route on the router that directs your VPN network to the Nethserver.

Reboot NS helped

1 Like