
OpenVPN server starts but does not listen on the port and I cannot connect to it


Today, following this blog post, I set up an OpenVPN server. When I check the service status using

systemctl status openvpn-server@server.service

everything seemed to be fine. This is the output of the systemctl command:

openvpn-server@server.service - OpenVPN service for server
     Loaded: loaded (/lib/systemd/system/openvpn-server@.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2022-10-15 10:49:34 UTC; 8min ago
       Docs: man:openvpn(8)
             https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
             https://community.openvpn.net/openvpn/wiki/HOWTO
   Main PID: 170036 (openvpn)
     Status: "Initialization Sequence Completed"
      Tasks: 1 (limit: 2344)
     Memory: 1.0M
     CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
             └─170036 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf

Oct 15 10:49:34 emadhelmi openvpn[170036]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Oct 15 10:49:34 emadhelmi openvpn[170036]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Oct 15 10:49:34 emadhelmi openvpn[170036]: UDPv4 link local (bound): [AF_INET]54.37.**.***:57055
Oct 15 10:49:34 emadhelmi openvpn[170036]: UDPv4 link remote: [AF_UNSPEC]
Oct 15 10:49:34 emadhelmi openvpn[170036]: GID set to nogroup
Oct 15 10:49:34 emadhelmi openvpn[170036]: UID set to nobody
Oct 15 10:49:34 emadhelmi openvpn[170036]: MULTI: multi_init called, r=256 v=256
Oct 15 10:49:34 emadhelmi openvpn[170036]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Oct 15 10:49:34 emadhelmi openvpn[170036]: IFCONFIG POOL LIST
Oct 15 10:49:34 emadhelmi openvpn[170036]: Initialization Sequence Completed

But on my local laptop, when I use the nc command to check the port availability, I don't get any response:

nc -u 54.37.**.*** 57055

Also, from my phone with the OpenVPN application I just get a timeout error when I import the created config and try to connect. Here are also some (maybe) useful logs.

UFW status:

To                         Action      From
--                         ------      ----
....
57055                      ALLOW       Anywhere                  
57055/udp                  ALLOW       Anywhere                  
57055 (v6)                 ALLOW       Anywhere (v6)             
57055/udp (v6)             ALLOW       Anywhere (v6)             

server.conf:

local 54.37.**.***
port 57055
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
push "block-outside-dns"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify

Result of the ip addr show command:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:c4:98:e9 brd ff:ff:ff:ff:ff:ff
    inet 54.37.**.***/27 brd 54.37.**.*** scope global ens3
       valid_lft forever preferred_lft forever
    inet6 *** scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:22:83:4c:9b brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:22ff:fe83:4c9b/64 scope link 
       valid_lft forever preferred_lft forever
7: veth09f813e@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 32:04:e0:33:bd:b8 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::3004:e0ff:fe33:bdb8/64 scope link 
       valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 172.16.0.1 peer 172.16.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::d13:f0f1:c3d0:d3fc/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
951: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fe80::dca1:48c1:da3d:d2a7/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
Comments:

vidarlo:
Do you have some external firewall?

Emad Helmi:
@vidarlo I just use UFW and iptables; I can access the port if I set up another service (like a Python HTTP server).

gapsf:
You need to check the REAL iptables and nftables rules, not only what ufw shows.

vidarlo:
How is the machine connected to the Internet?

Ginnungagap:
You're testing UDP connections with `nc`, which defaults to TCP, so that test is worthless. Add a counter to the nftables rule, `tcpdump` the expected network flow and try to connect with another device. Report back with the counter value, the network trace and the OpenVPN logs.

Emad Helmi:
@vidarlo It is connected to the Internet through ens3; you can see it in the iptables result.

Emad Helmi:
@gapsf I will check that, but I don't even get any results from localhost to the port. I think it's weird.

vidarlo:
@EmadHelmi Yes, but how is *that* connected? Do you have an upstream firewall?

Emad Helmi:
@vidarlo this is my iptables result https://pastebin.com/xZd9zz7N
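Added example (not part of this thread, and not OpenVPN or nc code) illustrating the point raised about the nc test in the question: a plain `nc host port` performs a TCP handshake, so against a service that only listens on UDP it gets nothing, regardless of whether the UDP listener is fine. The script below binds a UDP socket on loopback as a stand-in for the OpenVPN listener, then probes it both ways. The host, the ephemeral port and the `b"probe"` payload are constructed for the demonstration.

```python
import socket


def start_udp_listener(host="127.0.0.1"):
    """Bind a UDP socket on an ephemeral port; this stands in for an
    OpenVPN server configured with 'proto udp'. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))          # port 0: let the kernel pick a free port
    srv.settimeout(2.0)
    return srv, srv.getsockname()[1]


def tcp_probe(host, port, timeout=2.0):
    """What a plain 'nc host port' does: a TCP three-way handshake.
    Returns True only if the handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:              # ECONNREFUSED on loopback, timeout elsewhere
        return False


def udp_probe(listener, host, port, payload=b"probe"):
    """What 'nc -u host port' does once you type something: send one
    datagram. Returns True if the listener actually received the bytes."""
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        cli.sendto(payload, (host, port))
        data, _ = listener.recvfrom(65535)
        return data == payload
    except socket.timeout:
        return False
    finally:
        cli.close()


def compare_probes():
    """Run both probes against the same UDP-only listener and report the
    result of each, so the difference between the two tests is visible."""
    srv, port = start_udp_listener()
    try:
        return {
            "tcp": tcp_probe("127.0.0.1", port),
            "udp": udp_probe(srv, "127.0.0.1", port),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    print(compare_probes())  # {'tcp': False, 'udp': True}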