Greetings - I would have liked to be more specific in my subject line, but am not sure that I can be more specific about my issue at this point. I have used OpenVPN for years at my office. I set up and administer the server and connections for a dozen clients, so I am familiar with the setup and potential issues, but this one has me stumped.
What I am trying to do now is set up an OpenVPN server on my home network on an OpenWRT box that is the access point and router for my home network. My objective is to be able to provide secure access to my home network from remote locations. My DSL modem is bridged, so the OpenWRT box is the entry point to my home network, and I have configured OpenVPN on it following the guidelines on the OpenWRT wiki. This includes configuring the firewall and network changes as they described. I have discussed some of my issues on the OpenWRT forum, but have run into a dead end there. So I thought I would bring a complete summary of my problem here, knowing there are more knowledgeable network people here. My initial error trying to connect gave me the classic TLS key negotiation failure, with a snippet of the client log file shown below.

Tue May 06 12:56:44 2014 us=20234 MANAGEMENT: >STATE:1399406204,WAIT,,,
Tue May 06 12:56:44 2014 us=67034 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue May 06 12:56:46 2014 us=563034 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue May 06 12:56:50 2014 us=291434 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue May 06 12:56:58 2014 us=575034 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue May 06 12:57:14 2014 us=986234 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue May 06 12:57:44 2014 us=875834 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue May 06 12:57:44 2014 us=875834 TLS Error: TLS handshake failed
Tue May 06 12:57:44 2014 us=875834 TCP/UDP: Closing socket
Tue May 06 12:57:44 2014 us=875834 SIGUSR1[soft,tls-error] received, process restarting
Tue May 06 12:57:44 2014 us=875834 MANAGEMENT: >STATE:1399406264,RECONNECTING,tls-error,,
Tue May 06 12:57:44 2014 us=875834 Restart pause, 2 second(s)

My research on this error indicates that it is described as almost always a firewall or network connectivity issue. So following that logic I turned off the firewall on the Windows Vista client, and disabled and stopped iptables on the OpenWRT box. I verified that there were no firewall rules with "# iptables -nL". When I tried connecting the client again I got the same error. A netstat query on the OpenWRT box shows that it is listening on port 1194.

root@gateway:~# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0    268 11.22.33.44:22          66.77.88.99:54163       ESTABLISHED
tcp        0      0 11.22.33.44:22          66.77.88.99:40664       ESTABLISHED
netstat: /proc/net/tcp6: No such file or directory
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 192.168.123.2:1194      0.0.0.0:*

Then checking from outside using an nmap scan for UDP ports shows that port 1194 is not open or listening.

[root@disect ~]# nmap -sU -v 66.77.88.99
Starting Nmap 5.51 ( http://nmap.org ) at 2014-05-17 14:50 PDT
Initiating Ping Scan at 14:50
Scanning 66.77.88.99 [4 ports]
Completed Ping Scan at 14:50, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:50
Completed Parallel DNS resolution of 1 host. at 14:50, 1.34s elapsed
Initiating UDP Scan at 14:50
Scanning 66.77.88.99 [1000 ports]
Increasing send delay for 66.77.88.99 from 0 to 50 due to max_successful_tryno increase to 4
... snip ...
Increasing send delay for 66.77.88.99 from 400 to 800 due to 11 out of 11 dropped probes since last increase.
UDP Scan Timing: About 4.85% done; ETC: 15:01 (0:10:08 remaining)
... snip ...
UDP Scan Timing: About 95.66% done; ETC: 15:07 (0:00:45 remaining)
Completed UDP Scan at 15:08, 1081.06s elapsed (1000 total ports)
Nmap scan report for 66.77.88.99
Host is up (0.062s latency).
Not shown: 997 closed ports
PORT    STATE         SERVICE
53/udp  open          domain
67/udp  open|filtered dhcps
514/udp open|filtered syslog
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1082.54 seconds
           Raw packets sent: 1450 (41.587KB) | Rcvd: 1085 (61.063KB)

So now I am really confused. This makes it appear as if there is a blocking firewall between my Windows client and the OpenWRT box. Is it possible that my DSL provider is blocking this communication? What am I missing, what additional diagnosis is needed, and what options do I have that might still be available to me to connect to an OpenVPN server at my home? I would rather not go down the route of connecting over TCP, as I have heard about all the issues of going that direction. Just to complete the information, my server and client configs are listed below. These are essentially the same configs that I use in my office setup with a couple of minor changes, so I am sure that they work. I am using a dynamic DNS service, so the client config uses the FQDN, but I have also tried with the direct IP as it hasn't changed very frequently. Thanks for any insight anyone can provide.
Server Configuration (OpenWRT)

local 192.168.123.2
port 1194
proto udp
dev tun
tls-server
ca /etc/easy-rsa/keys/ca.crt
cert /etc/easy-rsa/keys/GatewayVPNServer.crt
key /etc/easy-rsa/keys/GatewayVPNServer.key
dh /etc/easy-rsa/keys/dh2048.pem
server 10.4.0.0 255.255.255.0
float
ifconfig-pool-persist /etc/openvpn/ipp.txt 120
push "route 192.168.123.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /etc/openvpn-status.log
log-append /home/openvpn.log
verb 4

Client Configuration (Windows Vista)

client
dev tun
proto udp
remote <FQDN> 1194
pull
nobind
persist-key
persist-tun
tls-client
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\JABopti-755.crt"
key "C:\\Program Files\\OpenVPN\\config\\JABopti-755.key"
ns-cert-type server
resolv-retry infinite
comp-lzo
route-method exe
route-delay 2
verb 4

Jeff Boyce
Meridian Environmental

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
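An added config check, not part of the post and not OpenVPN's own tooling: it parses excerpts of the two configs above and reports conditions under which a UDP handshake never starts. The main check is the "local" directive, since the posted netstat line shows the socket bound to 192.168.123.2 while nmap probes 66.77.88.99; a UDP datagram for a port with no socket bound on that address is answered by the kernel with ICMP port unreachable, which nmap reports as "closed" and Winsock surfaces as WSAECONNRESET. The public IP and config excerpts are constructed from the post's values.

```python
import ipaddress
import shlex

# Constructed excerpts of the posted configs (only the directives the checks read).
SERVER_CONF = """
local 192.168.123.2
port 1194
proto udp
tls-server
push "route 192.168.123.0 255.255.255.0"
comp-lzo
"""
CLIENT_CONF = """
client
proto udp
remote <FQDN> 1194
tls-client
comp-lzo
"""

def parse_ovpn(text):
    """Parse OpenVPN directives into {name: [args]}; '#' and ';' begin comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = shlex.split(line)  # honours the quoted "route ..." argument
            cfg[name] = args
    return cfg

def check_bind(server, public_ip):
    """Flag a 'local' bind that cannot receive datagrams sent to public_ip:port."""
    findings = []
    if "local" in server:
        bound = ipaddress.ip_address(server["local"][0])
        if not bound.is_unspecified and bound != ipaddress.ip_address(public_ip):
            # No socket on public_ip:port -> ICMP port unreachable -> nmap 'closed', WSAECONNRESET
            findings.append("local binds %s but clients send to %s:%s; datagrams are not delivered"
                            % (bound, public_ip, server.get("port", ["1194"])[0]))
    return findings

def check_pair(server, client):
    """Flag directives that must agree on both ends before the TLS handshake can begin."""
    port, rport = server.get("port", ["1194"])[0], client.get("remote", ["", "1194"])[1]
    rules = [
        (server.get("proto") != client.get("proto"), "proto differs between server and client"),
        (port != rport, "server port %s != client remote port %s" % (port, rport)),
        (("comp-lzo" in server) != ("comp-lzo" in client), "comp-lzo set on only one side"),
    ]
    return [msg for bad, msg in rules if bad]
```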