OpenVPN not able to connect to public IP interface
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have 2 sites that used to be linked via OpenVPN. For some reason it stopped working.
General setups:
Server OS: CentOS 7
OpenVPN v2.4.9
EasyRSA v.3.0.7
Edge firewall and VPN server is the same box. Using firewalld. IPTables is not running on either machine.
Firewall settings:
Quote:
public (active)
target: DROP
icmp-block-inversion: yes
interfaces: enp2s0
sources:
services: openvpn
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
While trying to connect to the public interface, the client side has been getting:
Quote:
UDP WRITE [86] to [AF_INET](public IP Address):1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
UDP WRITE [86] to [AF_INET](public IP Address):1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
UDP WRITE [86] to [AF_INET](public IP Address):1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
UDP WRITE [86] to [AF_INET](public IP Address):1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #4 ] [ ] pid=0 DATA len=0
UDP WRITE [86] to [AF_INET](public IP Address):1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #5 ] [ ] pid=0 DATA len=0
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
I've done a tcpdump of my public-facing interface:
Quote:
tcpdump -vni enp2s0 port 1194 and udp
Nothing shows, which tells me that the packets aren't even hitting the interface.
I have also asked my ISP whether they are actively filtering OpenVPN, to which they have answered in the negative.
Any help / advice would be greatly appreciated.
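A reading of the client log above, as an added example that is not part of the thread: every posted line is a UDP WRITE and there is no UDP READ, meaning the server's P_CONTROL_HARD_RESET_SERVER_V2 never arrived and the 60-second TLS timeout fires without a single byte having been exchanged. The script below separates that case (path or filtering problem) from a handshake that is answered and then fails (certificate, tls-crypt key or cipher problem). It assumes the OpenVPN 2.4 "verb 6" line formats shown in the post; 203.0.113.10 stands in for the redacted public IP, and the "healthy" exchange is constructed for comparison.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies an OpenVPN 2.4 client log
# captured at "verb 6" by whether the server ever answered the client's
# HARD_RESET. Assumptions: the 2.4 formats "UDP WRITE [n] to [AF_INET]host:port:"
# and "UDP READ [n] from [AF_INET]host:port:"; 203.0.113.10 is a constructed
# placeholder for the thread's redacted public IP.

# Count log lines matching a BRE pattern; prints 0 (not an error) on no match.
count_lines() {
    printf '%s\n' "$1" | grep -c -e "$2" || true
}

# Prints exactly one token:
#   NO_HANDSHAKE_ATTEMPT  client never sent a HARD_RESET (config/remote problem)
#   NO_SERVER_REPLY       client retried but nothing was ever read back:
#                         a path or filtering problem, not a TLS problem
#   SERVER_REPLIED        server's HARD_RESET came back; look at TLS/auth next
classify_openvpn_client_log() {
    log="$1"
    writes=$(count_lines "$log" 'UDP WRITE .*P_CONTROL_HARD_RESET_CLIENT_V2')
    reads=$(count_lines "$log" 'UDP READ .*P_CONTROL_HARD_RESET_SERVER_V2')
    if [ "$writes" -eq 0 ]; then
        echo NO_HANDSHAKE_ATTEMPT
    elif [ "$reads" -eq 0 ]; then
        echo NO_SERVER_REPLY
    else
        echo SERVER_REPLIED
    fi
}

# Constructed copy of the thread's client output (placeholder IP substituted).
FAILING_LOG=$(cat <<'EOF'
UDP WRITE [86] to [AF_INET]203.0.113.10:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
UDP WRITE [86] to [AF_INET]203.0.113.10:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
UDP WRITE [86] to [AF_INET]203.0.113.10:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
EOF
)

# Constructed healthy exchange for comparison: the server's reset comes back
# and the client ACKs it, after which the TLS handshake proper begins.
HEALTHY_LOG=$(cat <<'EOF'
UDP WRITE [86] to [AF_INET]203.0.113.10:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
UDP READ [98] from [AF_INET]203.0.113.10:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
UDP WRITE [70] to [AF_INET]203.0.113.10:1194: P_ACK_V1 kid=0 pid=[ #2 ] [ 0 ]
EOF
)

printf 'thread log:  %s\n' "$(classify_openvpn_client_log "$FAILING_LOG")"
printf 'healthy log: %s\n' "$(classify_openvpn_client_log "$HEALTHY_LOG")"
# On a real capture: classify_openvpn_client_log "$(cat /var/log/openvpn-client.log)"
```

The point of the split is ordering the investigation: NO_SERVER_REPLY means certificates, tls-crypt keys and cipher lists cannot be the cause yet, because no server packet was ever seen, so the firewall and routing path between the two public addresses is the only thing worth checking first.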
Active zone is public and target shows DROP -> a source zone with the target DROP would drop all packets, even if they were whitelisted. First, change target to default.
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed -> this message means the firewall is blocking the connection.
If you're *SURE* that your firewall isn't blocking VPN on UDP 1194 (which would be the first thing to check), based on the error message it looks like the traffic is either blocked or misdirected. Do you have a firewall on your client? The first things to check would be the firewalls on both sides. Past that, check into the "local" directive for your OpenVPN server config:
Code:
--local host
Local host name or IP address. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all interfaces.
Sometimes specifying that will get things going out the right interface. Post your openvpn.conf file (sanitized of identifying info, ideally) and we can take a further look.
Both sides are CentOS boxes with the same firewalld settings. First thing I'm going to try on Monday is to set target to default of the default zone.
Yes, that error is typically because traffic isn't getting through (firewall) or is getting misdirected (OpenVPN listening on all interfaces and not routing back correctly). The 'quick-dirty-not-too-good' way to test is to disable your firewalld on both sides for a few minutes and see if things work. That narrows down things being blocked vs. a server config problem.
Also, if you're running through any sort of network device/firewall (network topology things), you may have to NAT UDP on your OpenVPN port to the server THERE as well.
I shut down firewalld and lo and behold, it worked! But since I can't just shut down an edge firewall, how can I determine what's blocking my UDP packets? I also changed the default target of my active zone (Public) to default, as per marilyev's suggestion, but I still have no packets hitting the interface.
client.conf
Quote:
client
dev tun
proto udp
remote ...
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
tls-client
ca ...
cert ...
key ...
tls-crypt ...
tls-cipher TLS-ECDHE-RSA-WITH-AES-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
auth-nocache
;comp-lzo
verb 6
server.conf
Quote:
local ...
port 1194
proto udp
dev tun
ca easyrsa/pki/ca.crt
cert easyrsa/pki/issued/server.crt
key easyrsa/pki/private/server.key
dh easyrsa/pki/dh.pem
;tls-auth ... 0
tls-crypt ...
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.20.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
auth SHA512
;comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 4
explicit-exit-notify 1
Current firewalld configuration (though I'm going to close the 1194/tcp port since I'm not using it):
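An added example, not part of the thread, that serves two passages above: the reply about the zone target DROP, and the question of how to determine what is blocking the UDP packets once firewalld is back on. Two facts about firewalld drive it. The zone target is the fate of traffic that no service, port or rich rule in the zone matched, so the posted zone already admits 1194/udp through the bundled openvpn service regardless of target; and icmp-block-inversion: yes with an empty icmp-blocks list allows no ICMP type at all. The audit function parses a "firewall-cmd --list-all" dump (a constructed copy of the posted one) and reports those conditions; the live_checks function lists the on-box commands that show whether UDP/1194 arrives and is accepted, using the IN_public_allow chain name that CentOS 7's iptables-backed firewalld creates and the enp2s0 interface from the post. The live commands run only when the script is started with --live and need root; the tcpdump remark is the general Linux behaviour that packet capture taps the interface before netfilter, so a packet firewalld would drop is still visible in the capture.

```shell
#!/bin/sh
# Added example, not from the thread.
#  1. audit_firewalld_zone: reads "firewall-cmd --list-all" text and reports
#     whether UDP/1194 is allowed and which other zone settings matter here.
#  2. live_checks: on-box commands (root, run with --live) that show whether
#     UDP/1194 reaches the box and passes the filter. Chain name IN_public_allow
#     is what CentOS 7's iptables-backed firewalld creates for zone "public";
#     enp2s0 is the interface from the thread.

# Constructed copy of the zone dump posted in the thread.
ZONE_DUMP=$(cat <<'EOF'
public (active)
  target: DROP
  icmp-block-inversion: yes
  interfaces: enp2s0
  sources:
  services: openvpn
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
)

# Same zone with ICMP block inversion switched off, for comparison only.
FIXED_DUMP=$(printf '%s\n' "$ZONE_DUMP" | sed 's/icmp-block-inversion: yes/icmp-block-inversion: no/')

# Value of "<key>:" in a zone dump; empty string when the key has no value.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

audit_firewalld_zone() {
    dump="$1"
    target=$(zone_field "$dump" target)
    services=$(zone_field "$dump" services)
    ports=$(zone_field "$dump" ports)
    inversion=$(zone_field "$dump" icmp-block-inversion)
    icmp_blocks=$(zone_field "$dump" icmp-blocks)

    # firewalld's bundled "openvpn" service is 1194/udp
    # (/usr/lib/firewalld/services/openvpn.xml); either entry is sufficient.
    case " $services " in
        *" openvpn "*) echo "udp/1194: ALLOWED via service openvpn" ;;
        *) case " $ports " in
               *" 1194/udp "*) echo "udp/1194: ALLOWED via explicit port" ;;
               *) echo "udp/1194: NOT ALLOWED in this zone" ;;
           esac ;;
    esac

    # Target is applied only to traffic no service/port/rich rule matched.
    if [ "$target" = "DROP" ]; then
        echo "target DROP: unmatched traffic is dropped silently (client sees timeouts, not refusals)"
    fi

    # With inversion on, only listed ICMP types pass; an empty list blocks every
    # type, including the fragmentation-needed messages PMTU discovery relies on.
    if [ "$inversion" = "yes" ] && [ -z "$icmp_blocks" ]; then
        echo "icmp-block-inversion with empty icmp-blocks: all ICMP blocked"
    fi
}

# Run on the VPN/firewall box, as root, while the client is retrying.
live_checks() {
    firewall-cmd --zone=public --list-all
    # Is openvpn bound on the address named by "local"?
    ss -lunp | grep ':1194 ' || echo "nothing listening on UDP 1194"
    # Packet counters on the zone's accept rule: if they do not move while the
    # client retries, the packet never reached the filter on this host.
    iptables -L IN_public_allow -n -v | grep 'dpt:1194' || echo "no accept rule for 1194/udp"
    # tcpdump taps the interface before netfilter, so a packet firewalld would
    # drop still shows up here; an empty capture means it never arrived.
    timeout 30 tcpdump -nni enp2s0 'udp port 1194' || true
}

echo "== zone as posted =="
audit_firewalld_zone "$ZONE_DUMP"
echo "== same zone with icmp-block-inversion off =="
audit_firewalld_zone "$FIXED_DUMP"
if [ "${1:-}" = "--live" ]; then live_checks; fi
```

Reading the counters next to the capture is what turns "firewalld off works" into a specific finding: a moving counter on the 1194 accept rule with the session still failing points past the INPUT path (return routing, masquerade, the local binding), while packets in the capture and a frozen counter point at a rule ahead of IN_public_allow in the zone's chain order.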
The second rule never gets matched due to the first and can be removed. I note from the firewalld config output that you had the 'openvpn' service defined as well as port 1194 UDP explicitly. Only the former is needed.
tun0 should be present on the server as openvpn@server is running.
I did add the 2nd rule (1194/udp). I should probably remove it.
But does this indicate why my client can't connect?