[solved] openvpn


#1

Hi,

I’m having problems connecting to openvpn on my router.

openvpn vtun0 {
        mode server
        server {
            name-server 192.168.23.1
            push-route 192.168.23.0/24
            subnet 192.168.70.0/24
        }
        tls {
            ca-cert-file /config/auth/ca-chain.cert.pem
            cert-file /config/auth/server.duckdns.org.cert.pem
            dh-file /config/auth/dhp.pem
            key-file /config/auth/server.duckdns.org.key.pem
        }
}

and firewall rules

set firewall name FROM-EXTERNAL rule 20 action accept
set firewall name FROM-EXTERNAL rule 20 destination port 1194
set firewall name FROM-EXTERNAL rule 20 protocol udp
set firewall name FROM-EXTERNAL rule 20 log enable

my client configuration

client
dev tun
proto udp
remote server.duckdns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# legacy server-role check; later OpenVPN versions replace it with remote-cert-tls server
ns-cert-type server
verb 3
# only takes effect together with a <tls-auth> block, none is present here
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
...
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
...
</key>

The problem is nothing happens, the log is something like this

Sat Sep 05 13:02:17 2015 OpenVPN 2.3.6 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec  1 2014
Sat Sep 05 13:02:17 2015 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Sat Sep 05 13:02:17 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Sep 05 13:02:17 2015 Need hold release from management interface, waiting...
Sat Sep 05 13:02:17 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Sep 05 13:02:17 2015 MANAGEMENT: CMD 'state on'
Sat Sep 05 13:02:17 2015 MANAGEMENT: CMD 'log all on'
Sat Sep 05 13:02:17 2015 MANAGEMENT: CMD 'hold off'
Sat Sep 05 13:02:17 2015 MANAGEMENT: CMD 'hold release'
Sat Sep 05 13:02:23 2015 MANAGEMENT: CMD 'password [...]'
Sat Sep 05 13:02:23 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Sep 05 13:02:23 2015 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Sep 05 13:02:23 2015 MANAGEMENT: >STATE:1441476143,RESOLVE,,,
Sat Sep 05 13:02:27 2015 UDPv4 link local: [undef]
Sat Sep 05 13:02:27 2015 UDPv4 link remote: [AF_INET]server:1194
Sat Sep 05 13:02:27 2015 MANAGEMENT: >STATE:1441476147,WAIT,,,
Sat Sep 05 13:03:27 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Sep 05 13:03:27 2015 TLS Error: TLS handshake failed
Sat Sep 05 13:03:27 2015 SIGUSR1[soft,tls-error] received, process restarting
Sat Sep 05 13:03:27 2015 MANAGEMENT: >STATE:1441476207,RECONNECTING,tls-error,,
Sat Sep 05 13:03:27 2015 Restart pause, 2 second(s)
Sat Sep 05 13:03:29 2015 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Sep 05 13:03:29 2015 MANAGEMENT: >STATE:1441476209,RESOLVE,,,
Sat Sep 05 13:03:29 2015 UDPv4 link local: [undef]
Sat Sep 05 13:03:29 2015 UDPv4 link remote: [AF_INET]server:1194
Sat Sep 05 13:03:29 2015 MANAGEMENT: >STATE:1441476209,WAIT,,,

I don’t know why there’s no TLS negotiation.

Where can I look for the firewall rule log?

show log vpn displays this

Sep  5 09:32:36 kerberos openvpn-vtun0[54972]: OpenVPN 2.2.3 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Apr  2 2015
Sep  5 09:32:36 kerberos openvpn-vtun0[54972]: MANAGEMENT: unix domain socket listening on /tmp/openvpn-mgmt-intf
Sep  5 09:32:36 kerberos openvpn-vtun0[54972]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sep  5 09:32:36 kerberos openvpn-vtun0[54972]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sep  5 09:32:36 kerberos openvpn-vtun0[54972]: Diffie-Hellman initialized with 1024 bit key
Sep  5 09:32:36 kerberos openvpn-vtun0[54972]: TLS-Auth MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sep  5 09:32:36 kerberos openvpn-vtun0[54972]: Socket Buffers: R=[212992->131072] S=[212992->131072]
Sep  5 09:32:36 kerberos openvpn-vtun0[54972]: TUN/TAP device vtun0 opened
Sep  5 09:32:36 kerberos openvpn-vtun0[54972]: TUN/TAP TX queue length set to 100
Sep  5 09:32:36 kerberos openvpn-vtun0[54972]: /sbin/ifconfig vtun0 192.168.70.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.70.255
Sep  5 09:32:36 kerberos openvpn-vtun0[54972]: Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Sep  5 09:32:36 kerberos openvpn-vtun0[54977]: UDPv4 link local (bound): [undef]:1194
Sep  5 09:32:36 kerberos openvpn-vtun0[54977]: UDPv4 link remote: [undef]
Sep  5 09:32:36 kerberos openvpn-vtun0[54977]: MULTI: multi_init called, r=256 v=256
Sep  5 09:32:36 kerberos openvpn-vtun0[54977]: IFCONFIG POOL: base=192.168.70.2 size=252
Sep  5 09:32:36 kerberos openvpn-vtun0[54977]: Initialization Sequence Completed

Is there additional OpenVPN logging available?

Do I need to set up other parameters?

Thanks in advance


#2

Well, the issue turned out to be that I was opening the port wrong.

set interfaces ethernet eth0 firewall in name FROM-EXTERNAL
set interfaces ethernet eth0 firewall local name TO-ROUTER

I was opening the port on the FROM-EXTERNAL chain, rather than the TO-ROUTER chain.

After changing that, it was all good!

I’m loving VyOS!
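The fix from #2 written out as a complete configuration, as an added example and not the poster's own commands. The security-relevant point is the chain binding: on VyOS (and Vyatta/EdgeOS) a firewall attached with `in` only filters packets forwarded *through* the interface, while `local` filters packets addressed *to the router itself*. An OpenVPN server listening on the router is the second case, so a rule in FROM-EXTERNAL never sees the handshake and the client sits in the WAIT state until the 60-second TLS timeout. The chain names, rule number 20, port 1194/udp and the `in`/`local` binding are from the thread; the `default-action drop`, the established/related rule 10 and the deletion of the now-pointless FROM-EXTERNAL rule are assumptions for a complete chain.

```vyos
configure

# assumed (not in the original post): TO-ROUTER drops by default and
# only lets return traffic for the router's own connections back in
set firewall name TO-ROUTER default-action drop
set firewall name TO-ROUTER rule 10 action accept
set firewall name TO-ROUTER rule 10 state established enable
set firewall name TO-ROUTER rule 10 state related enable

# the OpenVPN rule from the thread, now in the chain that actually
# governs traffic destined to the router itself
set firewall name TO-ROUTER rule 20 action accept
set firewall name TO-ROUTER rule 20 protocol udp
set firewall name TO-ROUTER rule 20 destination port 1194
set firewall name TO-ROUTER rule 20 log enable

# assumed cleanup: the same rule in FROM-EXTERNAL only matched packets
# forwarded through eth0, so it never applied to the local listener
delete firewall name FROM-EXTERNAL rule 20

# 'in'  = packets forwarded through eth0 to other hosts
# 'local' = packets whose destination is the router (the OpenVPN socket)
set interfaces ethernet eth0 firewall in name FROM-EXTERNAL
set interfaces ethernet eth0 firewall local name TO-ROUTER

commit
save
exit
```

With `log enable` on the rule, matches are written to the system log with a prefix built from the chain name, rule number and action (e.g. `[TO-ROUTER-20-A]`), which answers the question in #1 about where the firewall rule log lives: in op mode, `show log firewall name TO-ROUTER` (or `show log | match TO-ROUTER`) filters those lines, and `show firewall name TO-ROUTER statistics` shows whether rule 20 is counting packets at all. If the counter stays at zero while the client reports `TLS key negotiation failed to occur within 60 seconds`, the UDP packets are not reaching the router (upstream NAT or DNS pointing at the wrong address) rather than being dropped by this chain.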