I'm new to OpenVPN. I have tried 7 or 8 Linux OpenVPN server/client configuration tutorials; with none of them could I make the connection. BTW, I'm living in Iran and maybe due to the internet ban some of your suggestions won't work, but anyway that has nothing to do with troubleshooting, which is a general approach.
From the angristan/openvpn-install script I made a server and client config. I also edited /etc/openvpn/server.conf to:
port 443
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 94.140.14.14"
push "dhcp-option DNS 94.140.15.15"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_XndA1l3fZ0hDMwbd.crt
key server_XndA1l3fZ0hDMwbd.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
in order to add the status /var/log/openvpn/openvpn-status.log and log-append /var/log/openvpn/openvpn.log lines so that I have logs.
/var/log/openvpn/openvpn.log looks like:
Fri Oct 28 11:12:47 2022 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Fri Oct 28 11:12:47 2022 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Fri Oct 28 11:12:47 2022 ECDH curve prime256v1 added
Fri Oct 28 11:12:47 2022 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Oct 28 11:12:47 2022 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Oct 28 11:12:47 2022 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Oct 28 11:12:47 2022 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Oct 28 11:12:47 2022 TUN/TAP device tun0 opened
Fri Oct 28 11:12:47 2022 TUN/TAP TX queue length set to 100
Fri Oct 28 11:12:47 2022 /sbin/ip link set dev tun0 up mtu 1500
Fri Oct 28 11:12:47 2022 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Fri Oct 28 11:12:47 2022 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Oct 28 11:12:47 2022 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Oct 28 11:12:47 2022 UDPv4 link local (bound): [AF_INET][undef]:443
Fri Oct 28 11:12:47 2022 UDPv4 link remote: [AF_UNSPEC]
Fri Oct 28 11:12:47 2022 GID set to nogroup
Fri Oct 28 11:12:47 2022 UID set to nobody
Fri Oct 28 11:12:47 2022 MULTI: multi_init called, r=256 v=256
Fri Oct 28 11:12:47 2022 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Fri Oct 28 11:12:47 2022 IFCONFIG POOL LIST
Fri Oct 28 11:12:47 2022 Initialization Sequence Completed
Fri Oct 28 11:15:19 2022 86.55.**.**:64241 TLS: Initial packet from [AF_INET]86.55.**.**:64241, sid=649434bf e332059d
Fri Oct 28 11:16:01 2022 86.55.**.**:50796 TLS: Initial packet from [AF_INET]86.55.**.**:50796, sid=868afacd ca4fc7db
Fri Oct 28 11:16:19 2022 86.55.**.**:64241 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 28 11:16:19 2022 86.55.**.**:64241 TLS Error: TLS handshake failed
Fri Oct 28 11:16:19 2022 86.55.**.**:64241 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Oct 28 11:17:01 2022 86.55.**.**:50796 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 28 11:17:01 2022 86.55.**.**:50796 TLS Error: TLS handshake failed
Fri Oct 28 11:17:01 2022 86.55.**.**:50796 SIGUSR1[soft,tls-error] received, client-instance restarting
and /var/log/openvpn/openvpn-status.log looks like:
OpenVPN CLIENT LIST
Updated,Fri Oct 28 11:18:21 2022
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END
BTW, the client config file looks like:
client
proto udp
explicit-exit-notify
remote 87.107.**.** 443
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_XndA1l3fZ0hDMwbd name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
The problem is that the only info I can get is that the TLS handshake fails. So what can I do in order to get more log info about what makes the TLS handshake fail? What can I do further? I mean maybe try new protocols and ports (I have tried some, and they still behave the same) or any other suggestions in order to make the connection happen or troubleshoot it? Any good walkthroughs or tutorials are also appreciated.
Update
1. From TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) I decided to add firewall rules with
sudo ufw allow 443/udp
sudo ufw allow 443/tcp
and sudo ufw default allow incoming
but it didn't help.
- Also, with
tcpdump -vnni any udp port 443
(from the beginning of the attempt to connect):
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
12:34:13.466846 IP (tos 0x38, ttl 113, id 15535, offset 0, flags [none], proto UDP (17), length 82)
86.55.**.**.53799 > 87.107.**.**.443: UDP, length 54
12:34:13.469067 IP (tos 0x0, ttl 64, id 3827, offset 0, flags [DF], proto UDP (17), length 94)
87.107.**.**.443 > 86.55.**.**.53799: UDP, length 66
12:34:13.569751 IP (tos 0x38, ttl 113, id 15536, offset 0, flags [none], proto UDP (17), length 371)
86.55.**.**.53799 > 87.107.**.**.443: UDP, length 343
12:34:13.575225 IP (tos 0x0, ttl 64, id 3842, offset 0, flags [DF], proto UDP (17), length 90)
87.107.**.**.443 > 86.55.**.**.53799: UDP, length 62
12:34:13.575419 IP (tos 0x0, ttl 64, id 3843, offset 0, flags [DF], proto UDP (17), length 1144)
87.107.**.**.443 > 86.55.**.**.53799: UDP, length 1116
12:34:13.575582 IP (tos 0x0, ttl 64, id 3844, offset 0, flags [DF], proto UDP (17), length 1144)
87.107.**.**.443 > 86.55.**.**.53799: UDP, length 1116
12:34:13.575676 IP (tos 0x0, ttl 64, id 3845, offset 0, flags [DF], proto UDP (17), length 345)
87.107.**.**.443 > 86.55.**.**.53799: UDP, length 317
12:34:16.020216 IP (tos 0x0, ttl 64, id 4106, offset 0, flags [DF], proto UDP (17), length 1144)
87.107.**.**.443 > 86.55.**.**.53798: UDP, length 1116
which shows the client (86.55.*.*) doesn't answer after 2 forward-and-pass exchanges, which may mean either the client stops working, or it shows packets getting blocked either by the firewall (for which I have allowed the ports with ufw) or by the server provider.
- I also tried to add
status "F:\openvpn-status.log"
log-append "F:\openvpn.log"
to the client config file, which didn't add these files to drive F.
- But I found
C:\Program Files\OpenVPN Connect\agent.log
which was like:
Sat Oct 29 14:56:31 2022 GetBestGateway: selected gateway 192.168.74.180 on adapter 11 for destination 87.107.**.**
Sat Oct 29 14:56:31 2022 netsh interface ip delete route 87.107.**.**/32 11 192.168.74.180 store=active
Ok.
netsh interface ip add route 87.107.**.**/32 11 192.168.74.180 store=active
Ok.
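One way to turn the two pieces of evidence in the question (the server log's "TLS: Initial packet" / "TLS Error" pairs and the tcpdump capture) into a per-client summary, as an added example that is not part of the question or of OpenVPN itself: it pairs each client endpoint's initial packet with the error that closed it and, for the capture, counts datagrams per direction and flags flows where the server's last datagrams got no reply. The log and capture text below are constructed samples modelled on the question's output; 198.51.100.7:443 (server) and 203.0.113.5 (client) are documentation-range placeholders, and the session ids are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of server-side /var/log/openvpn/openvpn.log lines. The
# addresses are documentation-range placeholders, not the poster's hosts.
SERVER_LOG = """\
Fri Oct 28 11:12:47 2022 Initialization Sequence Completed
Fri Oct 28 11:15:19 2022 203.0.113.5:64241 TLS: Initial packet from [AF_INET]203.0.113.5:64241, sid=0a0a0a0a 0b0b0b0b
Fri Oct 28 11:16:01 2022 203.0.113.5:50796 TLS: Initial packet from [AF_INET]203.0.113.5:50796, sid=0c0c0c0c 0d0d0d0d
Fri Oct 28 11:16:19 2022 203.0.113.5:64241 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 28 11:16:19 2022 203.0.113.5:64241 TLS Error: TLS handshake failed
Fri Oct 28 11:17:01 2022 203.0.113.5:50796 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 28 11:17:01 2022 203.0.113.5:50796 TLS Error: TLS handshake failed
"""

# Constructed sample of `tcpdump -vnni any udp port 443` output taken on the
# server (198.51.100.7 is the assumed server, 203.0.113.5 the assumed client).
TCPDUMP = """\
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
12:34:13.466846 IP (tos 0x38, ttl 113, id 15535, offset 0, flags [none], proto UDP (17), length 82)
    203.0.113.5.53799 > 198.51.100.7.443: UDP, length 54
12:34:13.469067 IP (tos 0x0, ttl 64, id 3827, offset 0, flags [DF], proto UDP (17), length 94)
    198.51.100.7.443 > 203.0.113.5.53799: UDP, length 66
12:34:13.569751 IP (tos 0x38, ttl 113, id 15536, offset 0, flags [none], proto UDP (17), length 371)
    203.0.113.5.53799 > 198.51.100.7.443: UDP, length 343
12:34:13.575225 IP (tos 0x0, ttl 64, id 3842, offset 0, flags [DF], proto UDP (17), length 90)
    198.51.100.7.443 > 203.0.113.5.53799: UDP, length 62
12:34:13.575419 IP (tos 0x0, ttl 64, id 3843, offset 0, flags [DF], proto UDP (17), length 1144)
    198.51.100.7.443 > 203.0.113.5.53799: UDP, length 1116
12:34:13.575582 IP (tos 0x0, ttl 64, id 3844, offset 0, flags [DF], proto UDP (17), length 1144)
    198.51.100.7.443 > 203.0.113.5.53799: UDP, length 1116
12:34:13.575676 IP (tos 0x0, ttl 64, id 3845, offset 0, flags [DF], proto UDP (17), length 345)
    198.51.100.7.443 > 203.0.113.5.53799: UDP, length 317
12:34:16.020216 IP (tos 0x0, ttl 64, id 4106, offset 0, flags [DF], proto UDP (17), length 1144)
    198.51.100.7.443 > 203.0.113.5.53798: UDP, length 1116
"""

# "<weekday> <month> <day> <time> <year> <ip>:<port> <message>"; startup lines
# without a peer prefix deliberately do not match.
LOG_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<peer>\d[\d.]*:\d+) (?P<msg>.*)$")
TS_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP ")
PKT_RE = re.compile(r"^\s*(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)")


def handshake_timeline(log_text):
    """Pair each peer's 'TLS: Initial packet' with the first TLS Error that followed it.
    Returns {peer: {"initial": datetime, "error": datetime or None, "elapsed_s": float or None}}."""
    peers = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        peer, msg = m["peer"], m["msg"]
        if msg.startswith("TLS: Initial packet"):
            peers[peer] = {"initial": ts, "error": None, "elapsed_s": None}
        elif msg.startswith("TLS Error:") and peer in peers and peers[peer]["error"] is None:
            peers[peer]["error"] = ts
            peers[peer]["elapsed_s"] = (ts - peers[peer]["initial"]).total_seconds()
    return peers


def parse_tcpdump(text):
    """Return [(seconds_of_day, "src_ip:port", "dst_ip:port", udp_payload_len)] from -vnn output,
    where each datagram spans a timestamp line followed by an indented address line."""
    packets, ts = [], None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            h, mi, s = m["ts"].split(":")
            ts = int(h) * 3600 + int(mi) * 60 + float(s)
            continue
        m = PKT_RE.match(line)
        if m and ts is not None:
            packets.append((ts, f"{m['src']}:{m['sport']}", f"{m['dst']}:{m['dport']}", int(m["len"])))
    return packets


def flow_summary(packets, server_endpoint):
    """Per client endpoint: datagram counts per direction, the largest server datagram,
    and whether the client went silent while the server was still sending."""
    flows = defaultdict(lambda: {"client_pkts": 0, "server_pkts": 0, "server_max_len": 0,
                                 "last_client_ts": None, "last_server_ts": None})
    for ts, src, dst, length in packets:
        if dst == server_endpoint:
            f = flows[src]
            f["client_pkts"] += 1
            f["last_client_ts"] = ts
        elif src == server_endpoint:
            f = flows[dst]
            f["server_pkts"] += 1
            f["server_max_len"] = max(f["server_max_len"], length)
            f["last_server_ts"] = ts
    for f in flows.values():
        f["client_silent_after_server"] = f["last_server_ts"] is not None and (
            f["last_client_ts"] is None or f["last_client_ts"] < f["last_server_ts"])
    return dict(flows)


if __name__ == "__main__":
    for peer, info in handshake_timeline(SERVER_LOG).items():
        print(f"{peer}: initial {info['initial']:%H:%M:%S}, error after {info['elapsed_s']} s")
    for client, f in flow_summary(parse_tcpdump(TCPDUMP), "198.51.100.7:443").items():
        print(f"{client}: client->server {f['client_pkts']} pkts, server->client {f['server_pkts']} pkts "
              f"(largest {f['server_max_len']} B), client silent after server: {f['client_silent_after_server']}")
```

What the summary makes explicit is the shape already visible in the question: the server sees the client's first two small datagrams, answers with several datagrams of 1116 bytes, and then nothing more arrives from that client endpoint, so 60 seconds later the server logs the negotiation timeout. The next useful step is to run the same parser over a capture taken on the client at the same moment: if the client never receives the large server datagrams, the loss is on the path and is worth testing with a different port/protocol or smaller packets; if the client receives them and still sends nothing, the client side needs a closer look, and raising `verb` above 3 on both ends gives OpenVPN's per-packet detail for that.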