Foris not generating valid OpenVPN configurations in 3.11.1?

I tried to generate an OpenVPN client configuration today via Foris for a new client machine, and that client connects successfully but never passes traffic to the internet. Oddly, if I grab one of my older (also Foris generated) configurations, it works fine with the same client. There’s no obvious difference in the client configuration files, other than the certificates and hostnames being different (as you’d expect). It seems like possibly the current Foris isn’t generating valid configuration files anymore, but I have no easy way to tell. I’ve logged this bug; hopefully someone can investigate.


Last time I generated a client configuration in Foris was Oct 1 2018, so this bug (if someone can verify it does exist) got introduced in 3.10.8 or later.

OK, I figured out this issue. Basically, this fix from June changed the generated OpenVPN server config for compression from

option comp_lzo 'yes'

to

option compress 'lzo'

because the comp_lzo flag will go away in OpenVPN 2.5. However, the code that generates the client configuration files also was changed at the same time to only add the required compression flags to the client if “option compress” was there in the server configuration. Since I never changed my server configuration from comp_lzo to compress, the code that generated client side files no longer was including the proper directives for compression, leading to connection issues.

To make sure your OpenVPN clients keep working, make sure their client configurations start using the “compress” option before they get upgraded to the OpenVPN 2.5 codebase.


Hello Tony,

I've followed your instructions and altered:

option comp_lzo 'yes'

to

option compress 'lzo'

in my client certificate. Sadly, this doesn't help me. I still can't connect. I'm hoping to get OpenVPN working with a medkit flash or an update.

Every time I look into "updater" it says "An easy setup of OpenVPN server from Foris". This is not easy and it's giving me a headache!

option compress 'lzo' has to be present in BOTH client and server config (or not present in both client and server config)

EDIT: If you post Client And/Or Server Log during connection maybe someone can take a look at it

@ekim that is not quite correct. If you have

 option compress 'lzo'

in the server configuration, then the client configuration should simply have

compress lzo

The current versions of Foris OpenVPN plugin do this correctly. I only ran into difficulty because my server configuration was generated under an older version of Foris, where option comp_lzo yes was used on server side instead, and the later Foris didn’t generate matching client configurations as it only recognizes the newer “compress” option. So what I did was change the server side to use option compress 'lzo', restart the server, then Foris correctly generates client configurations that contain compress lzo. Hope that makes sense.


Thank you for the clarification.

Can you point out where I can find the server certificate in the router? So I can check?

The server configuration for openvpn is in the /etc/config/openvpn file on the router. Ignore the sample_server and sample_client sections of the file; these are just examples. If you are using the Foris generated configuration, there should be a section “server_turris” which is the enabled one. You may see either

 option comp_lzo yes

or

 option compress 'lzo'

depending on which version of Foris generated the configuration. option compress 'lzo' is what the current version of Foris generates. As I mentioned, if you have option comp_lzo yes, that came from the older Foris. I would change it to option compress 'lzo' and restart the openvpn server. Then when you generate client configurations via the current version of Foris, they will contain the proper configuration for compression.
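As an added example (not code from Foris or the Turris project), here is a small Python check that covers both the client/server pairing Tony describes above and the server_turris section this post points at: it parses the UCI section from /etc/config/openvpn and a client .ovpn file, then reports whether the two agree on compression. The sample configs are constructed, and the mapping of the older comp_lzo server form to a comp-lzo client line is an assumption, not something stated in the thread.

```python
import re

# Constructed samples: an older-Foris server section, the current form, a client file
# generated by current Foris, and a client file with no compression line at all.
SERVER_OLD = "config openvpn 'server_turris'\n\toption enabled '1'\n\toption comp_lzo 'yes'\n"
SERVER_NEW = "config openvpn 'server_turris'\n\toption enabled '1'\n\toption compress 'lzo'\n"
CLIENT_NEW = "client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\ncompress lzo\n"
CLIENT_NONE = "client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n"

SECTION_RE = re.compile(r"^\s*config\s+\S+\s+'?([^'\s]*)'?\s*$")
OPTION_RE = re.compile(r"^\s*option\s+(\S+)\s+'?([^']*)'?\s*$")

def uci_section(text, name):
    """Return {option: value} for one named UCI section; quotes are stripped."""
    opts, inside = {}, False
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            inside = m.group(1) == name
            continue
        m = OPTION_RE.match(line)
        if inside and m:
            opts[m.group(1)] = m.group(2).strip()
    return opts

def expected_client_directive(opts):
    """Client line the server section requires, or None if compression is off."""
    if "compress" in opts:                            # current Foris form
        return ("compress " + opts["compress"]).strip()
    if opts.get("comp_lzo") in ("yes", "adaptive"):   # older form (assumed pairing)
        return "comp-lzo"
    return None

def client_directive(ovpn):
    """First compression directive found in the client file, or None."""
    for line in ovpn.splitlines():
        words = line.split("#")[0].split()
        if words and words[0] in ("compress", "comp-lzo"):
            return " ".join(words)
    return None

def check(server_uci, client_ovpn, section="server_turris"):
    """Return (status, expected_client_line, found_client_line, advice)."""
    opts = uci_section(server_uci, section)
    want, have = expected_client_directive(opts), client_directive(client_ovpn)
    advice = "server still uses comp_lzo; switch to option compress 'lzo' and restart" if "comp_lzo" in opts else ""
    status = "ok" if want == have else ("missing" if have is None else "mismatch")
    return status, want, have, advice
```

Run check() on the contents of /etc/config/openvpn and the generated .ovpn; "missing" is exactly the symptom described in the thread (server compresses, client has no directive).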

Hello, just an update.

Flashed a medkit, checked the options.

OpenVPN does not work. Shame, I really like openvpn. I wish I could get it to work again.


What exactly is not working? Please post the log of a client trying to connect to your OpenVPN Server and/or the output of the system log of your TO for the time when a client tries to connect (LuCi → Status → System Log).

The reason why I asked for information about completely resetting OpenVPN is that I have had this problem before. With a backup I restored the certificate that worked. Now I don’t have that backup. It seems to me that there is something really off here. I've never had problems with configuring OpenVPN. Only on Turris Omnia.

Here are the two logs:

Omnia:

2019-01-19 19:34:36 warning odhcpd[2459]: DHCPV6 SOLICIT IA_NA from 0003000164a5c35e4d3a on br-lan: ok fdc9:29a5:578b::1d8/128 
2019-01-19 19:34:44 warning odhcpd[2846]: Last message 'DHCPV6 SOLICIT IA_NA' repeated 1 times, suppressed by syslog-ng on turris
2019-01-19 19:35:01 info /usr/sbin/cron[20548]: (root) CMD (/usr/bin/rainbow_button_sync.sh)
2019-01-19 19:35:01 info /usr/sbin/cron[20549]: (root) CMD (   /usr/bin/notifier)
2019-01-19 19:36:01 info /usr/sbin/cron[20612]: (root) CMD (/usr/bin/rainbow_button_sync.sh)
2019-01-19 19:36:01 info /usr/sbin/cron[20613]: (root) CMD (nethist_stats.lua)
2019-01-19 19:36:39 warning odhcpd[2459]: DHCPV6 SOLICIT IA_NA from 0003000164a5c35e4d3a on br-lan: ok fdc9:29a5:578b::1d8/128 
2019-01-19 19:36:44 warning odhcpd[2846]: Last message 'DHCPV6 SOLICIT IA_NA' repeated 1 times, suppressed by syslog-ng on turris
2019-01-19 19:36:44 notice openvpn(server_turris)[19369]: 192.168.1.101 TLS: Initial packet from [AF_INET6]::ffff:192.168.1.101:60259, sid=9664e55e f100485f
2019-01-19 19:36:54 notice openvpn(server_turris)[19369]: 192.168.1.101 TLS: Initial packet from [AF_INET6]::ffff:192.168.1.101:54818, sid=9d13dd58 2ba6cdfc
2019-01-19 19:37:01 info /usr/sbin/cron[20641]: (root) CMD (/usr/bin/rainbow_button_sync.sh)
2019-01-19 19:37:04 notice openvpn(server_turris)[19369]: 192.168.1.101 TLS: Initial packet from [AF_INET6]::ffff:192.168.1.101:49727, sid=26157b67 cd5665a5
2019-01-19 19:37:44 err openvpn(server_turris)[19369]: 192.168.1.101 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2019-01-19 19:37:44 err openvpn(server_turris)[19369]: 192.168.1.101 TLS Error: TLS handshake failed
2019-01-19 19:37:44 notice openvpn(server_turris)[19369]: 192.168.1.101 SIGUSR1[soft,tls-error] received, client-instance restarting
2019-01-19 19:37:54 err openvpn(server_turris)[19369]: 192.168.1.101 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2019-01-19 19:37:54 err openvpn(server_turris)[19369]: 192.168.1.101 TLS Error: TLS handshake failed
2019-01-19 19:37:54 notice openvpn(server_turris)[19369]: 192.168.1.101 SIGUSR1[soft,tls-error] received, client-instance restarting
2019-01-19 19:38:01 info /usr/sbin/cron[21403]: (root) CMD (/usr/bin/rainbow_button_sync.sh)
2019-01-19 19:38:01 info /usr/sbin/cron[21402]: (root) CMD (nethist_stats.lua)
2019-01-19 19:38:04 err openvpn(server_turris)[19369]: 192.168.1.101 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2019-01-19 19:38:04 err openvpn(server_turris)[19369]: 192.168.1.101 TLS Error: TLS handshake failed
2019-01-19 19:38:04 notice openvpn(server_turris)[19369]: 192.168.1.101 SIGUSR1[soft,tls-error] received, client-instance restarting

Log from phone:

2019-01-19 17:14:59 NIP: network not reachable

2019-01-19 17:14:59 EVENT: NETWORK_UNREACHABLE [ERR]

2019-01-19 17:14:59 Raw stats on disconnect:

2019-01-19 17:14:59 Performance stats on disconnect:
CPU usage (microseconds): 12286
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0

2019-01-19 17:14:59 EVENT: DISCONNECT_PENDING

2019-01-19 17:14:59 Raw stats on disconnect:

2019-01-19 17:14:59 Performance stats on disconnect:
CPU usage (microseconds): 12730
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0

2019-01-19 17:15:33 NIP: network not reachable

2019-01-19 17:15:33 EVENT: NETWORK_UNREACHABLE [ERR]

2019-01-19 17:15:33 Raw stats on disconnect:

2019-01-19 17:15:33 Performance stats on disconnect:
CPU usage (microseconds): 6767
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0

2019-01-19 17:15:33 EVENT: DISCONNECT_PENDING

2019-01-19 17:15:33 Raw stats on disconnect:

2019-01-19 17:15:33 Performance stats on disconnect:
CPU usage (microseconds): 7213
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0

2019-01-19 17:23:47 NIP: network not reachable

2019-01-19 17:23:47 EVENT: NETWORK_UNREACHABLE [ERR]

2019-01-19 17:23:47 Raw stats on disconnect:

2019-01-19 17:23:47 Performance stats on disconnect:
CPU usage (microseconds): 4495
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0

2019-01-19 17:23:47 EVENT: DISCONNECT_PENDING

2019-01-19 17:23:47 Raw stats on disconnect:

2019-01-19 17:23:47 Performance stats on disconnect:
CPU usage (microseconds): 4887
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0

2019-01-19 17:23:51 NIP: network not reachable

2019-01-19 17:23:51 EVENT: NETWORK_UNREACHABLE [ERR]

2019-01-19 17:23:51 Raw stats on disconnect:

2019-01-19 17:23:51 Performance stats on disconnect:
CPU usage (microseconds): 11060
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0

2019-01-19 17:23:51 EVENT: DISCONNECT_PENDING

2019-01-19 17:23:51 Raw stats on disconnect:

2019-01-19 17:23:51 Performance stats on disconnect:
CPU usage (microseconds): 11327
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0

2019-01-19 17:25:32 NIP: network not reachable

2019-01-19 17:25:32 EVENT: NETWORK_UNREACHABLE [ERR]

2019-01-19 17:25:32 Raw stats on disconnect:

2019-01-19 17:25:32 Performance stats on disconnect:
CPU usage (microseconds): 6798
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0

2019-01-19 17:25:32 EVENT: DISCONNECT_PENDING

2019-01-19 17:25:32 Raw stats on disconnect:

2019-01-19 17:25:32 Performance stats on disconnect:
CPU usage (microseconds): 7218
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0


2019-36-19 19:36:44 1

2019-36-19 19:36:44 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Oct 3 2018 06:35:04

2019-36-19 19:36:44 Frame=512/2048/512 mssfix-ctrl=1250

2019-36-19 19:36:44 UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
8 [mute-replay-warnings] 
14 [verb] [3] 

2019-36-19 19:36:44 EVENT: RESOLVE

2019-36-19 19:36:44 Contacting [84.XX.XX.XXX]:1194/UDP via UDP

2019-36-19 19:36:44 EVENT: WAIT

2019-36-19 19:36:44 Connecting to [84.XX.XX.XXX]:1194 (84.XX.XX.XXX) via UDPv4

2019-36-19 19:36:54 Server poll timeout, trying next remote entry...

2019-36-19 19:36:54 EVENT: RECONNECTING

2019-36-19 19:36:54 EVENT: RESOLVE

2019-36-19 19:36:54 Contacting [84.XX.XX.XXX]:1194/UDP via UDP

2019-36-19 19:36:54 EVENT: WAIT

2019-36-19 19:36:54 Connecting to [84.XX.XX.XXX]:1194 (84.XX.XX.XXX) via UDPv4

2019-37-19 19:37:04 Server poll timeout, trying next remote entry...

2019-37-19 19:37:04 EVENT: RECONNECTING

2019-37-19 19:37:04 EVENT: RESOLVE

2019-37-19 19:37:04 Contacting [84.XX.XX.XXX]:1194/UDP via UDP

2019-37-19 19:37:04 EVENT: WAIT

2019-37-19 19:37:04 Connecting to [84.XX.XX.XXX]:1194 (84.XX.XX.XXX) via UDPv4

2019-37-19 19:37:14 EVENT: CONNECTION_TIMEOUT [ERR]

2019-37-19 19:37:14 Raw stats on disconnect:
BYTES_OUT : 420
PACKETS_OUT : 30
CONNECTION_TIMEOUT : 1
N_RECONNECT : 2

2019-37-19 19:37:14 Performance stats on disconnect:
CPU usage (microseconds): 58649
Network bytes per CPU second: 7161
Tunnel bytes per CPU second: 0

2019-37-19 19:37:14 EVENT: DISCONNECTED

2019-37-19 19:37:14 Raw stats on disconnect:
BYTES_OUT : 420
PACKETS_OUT : 30
CONNECTION_TIMEOUT : 1
N_RECONNECT : 2

2019-37-19 19:37:14 Performance stats on disconnect:
CPU usage (microseconds): 59606
Network bytes per CPU second: 7046
Tunnel bytes per CPU second: 0

See here: https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds/

Is there another router in front of your TO? And it looks like you try to connect to your OpenVPN Server from inside your LAN. What happens when you try to connect from outside your LAN (e.g. Cellular)?
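As an added example (not code from the thread or the Turris project), a Python triage of the server-side Omnia log that makes the two observations above mechanical: whether the peer address is an RFC 1918 LAN address, and whether the server saw the client's initial packets without the TLS handshake ever completing. The sample lines are constructed in the same syslog format as the Omnia log posted above; 203.0.113.7 is a documentation address standing in for a WAN peer.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample in the same format as the Omnia log above: one LAN peer whose
# handshake times out, one WAN peer (documentation range) whose handshake completes.
SAMPLE_LOG = """\
2019-01-19 19:36:44 notice openvpn(server_turris)[19369]: 192.168.1.101 TLS: Initial packet from [AF_INET6]::ffff:192.168.1.101:60259, sid=9664e55e f100485f
2019-01-19 19:36:54 notice openvpn(server_turris)[19369]: 192.168.1.101 TLS: Initial packet from [AF_INET6]::ffff:192.168.1.101:54818, sid=9d13dd58 2ba6cdfc
2019-01-19 19:37:01 info /usr/sbin/cron[20641]: (root) CMD (nethist_stats.lua)
2019-01-19 19:37:44 err openvpn(server_turris)[19369]: 192.168.1.101 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2019-01-19 19:40:02 notice openvpn(server_turris)[19369]: 203.0.113.7 TLS: Initial packet from [AF_INET6]::ffff:203.0.113.7:41000, sid=0a1b2c3d 4e5f6071
2019-01-19 19:40:03 notice openvpn(server_turris)[19369]: 203.0.113.7 Peer Connection Initiated with [AF_INET6]::ffff:203.0.113.7:41000
"""

LINE_RE = re.compile(r"^\S+ \S+ \w+ openvpn\([^)]*\)\[\d+\]: (?P<peer>[0-9.]+) (?P<msg>.*)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def triage(log_text):
    """Summarise each peer's handshake attempts from the server-side log."""
    peers = defaultdict(lambda: {"initial": 0, "completed": 0, "timed_out": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # cron, odhcpd, hostapd lines are not relevant
        rec, msg = peers[m.group("peer")], m.group("msg")
        if "Initial packet from" in msg:
            rec["initial"] += 1
        elif "Peer Connection Initiated" in msg:
            rec["completed"] += 1
        elif "TLS key negotiation failed" in msg:
            rec["timed_out"] += 1
    for addr, rec in peers.items():
        ip = ipaddress.ip_address(addr)
        rec["from_lan"] = any(ip in net for net in RFC1918)
        if rec["completed"]:
            rec["verdict"] = "handshake completed"
        elif rec["initial"]:
            rec["verdict"] = ("initial packets reached port 1194 but no handshake completed; "
                              "check the path between client and server in both directions")
        else:
            rec["verdict"] = "only failures logged, no initial packet seen"
    return dict(peers)

if __name__ == "__main__":
    for addr, rec in triage(SAMPLE_LOG).items():
        print(addr, rec)
```

A "from_lan" peer that never completes is the case ekim points at: the attempt was made from inside the LAN against the public address, so a test from outside (cellular) is the next step.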

There is no other router in front of my Omnia.

When I connect through 4g it doesn’t connect.

Can you post the log of this connection attempt?

Phone:

2019-16-19 20:16:20 NIP: network not reachable

2019-16-19 20:16:20 EVENT: NETWORK_UNREACHABLE [ERR]

2019-16-19 20:16:20 Raw stats on disconnect:

2019-16-19 20:16:20 Performance stats on disconnect:
 CPU usage (microseconds): 6668
 Network bytes per CPU second: 0
 Tunnel bytes per CPU second: 0

2019-16-19 20:16:20 EVENT: DISCONNECT_PENDING

2019-16-19 20:16:20 Raw stats on disconnect:

2019-16-19 20:16:20 Performance stats on disconnect:
 CPU usage (microseconds): 7062
 Network bytes per CPU second: 0
 Tunnel bytes per CPU second: 0

Omnia:

2019-01-19 20:16:14 info hostapd[]: wlan0: STA info IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
2019-01-19 20:16:28 warning odhcpd[2459]: DHCPV6 SOLICIT IA_NA from 0003000164a5c35e4d3a on br-lan: ok fdc9:29a5:578b::1d8/128 
2019-01-19 20:17:00 err openvpn(server_turris)[19369]: 192.168.1.101 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2019-01-19 20:17:00 err openvpn(server_turris)[19369]: 192.168.1.101 TLS Error: TLS handshake failed
2019-01-19 20:17:00 notice openvpn(server_turris)[19369]: 192.168.1.101 SIGUSR1[soft,tls-error] received, client-instance restarting
2019-01-19 20:17:01 info /usr/sbin/cron[23856]: (root) CMD (/usr/bin/rainbow_button_sync.sh)
2019-01-19 20:17:57 warning odhcpd[2459]: DHCPV6 SOLICIT IA_NA from 0003000164a5c35e4d3a on br-lan: ok fdc9:29a5:578b::1d8/128 
2019-01-19 20:18:01 info /usr/sbin/cron[23888]: (root) CMD (/usr/bin/rainbow_button_sync.sh)
2019-01-19 20:18:01 info /usr/sbin/cron[23889]: (root) CMD (nethist_stats.lua)
2019-01-19 20:18:22 warning odhcpd[2459]: DHCPV6 SOLICIT IA_NA from 0003000164a5c35e4d3a on br-lan: ok fdc9:29a5:578b::1d8/128

Is mobile data allowed for your OpenVPN Client in iOS? Check Mobile Data settings and OpenVPN settings (Connect via Any network)

Yes openvpn is allowed to make use of mobile data.

Then there seems to be a problem between your Client and your TO. Does your TO have a public IP? Is your TO reachable from WAN? Is port 1194 (OpenVPN port) opened in the TO's firewall?

Can you show:

  • Luci -> Status -> Overview -> Network
  • Luci -> Network -> Firewall -> Traffic rules

Can you ping your TO from outside your LAN?

Omnia has a public IP.
I can’t determine how to access Omnia from WAN. Philips Hue works from my phone.

Hope this helps, thanks for helping!

OpenVPN Port isn’t opened:

Open it like this: