I used to use OpenVPN to connect to my home router some years ago. It’s sat idle in the interim and my recollection of configs is non-existent. Still, I find myself wanting to use it again. But I’m faced with some problems.
The basic problem is that the client times out. So it finds the server, port 1194 is open and it’s trying to connect, but it’s timing out. My challenge is figure our why and I’m a little short on understanding what diagnostic tools I might be able to use.
I can see with nmap from another source (even an on-lein web based nmap) that 1194 is open and:
PORT STATE SERVICE
1194/udp open openvpn
I can see on LUCI:
On the Omnia I can see:
# pgrep -a openvpn
3826 /usr/sbin/openvpn
# netstat -tulpen | grep 1194
udp 0 0 0.0.0.0:1194 0.0.0.0:* 3826/openvpn
# logread -e openvpn | tail -5
2020-08-06 13:38:31 notice openvpn(myvpn)[3826]: 192.168.0.51:52180 SIGUSR1[soft,tls-error] received, client-instance restarting
2020-08-06 13:56:56 notice openvpn(myvpn)[3826]: 185.117.153.79:52771 TLS: Initial packet from [AF_INET]185.117.153.79:52771, sid=64c17801 b89bcb8f
2020-08-06 13:57:56 err openvpn(myvpn)[3826]: 185.117.153.79:52771 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2020-08-06 13:57:56 err openvpn(myvpn)[3826]: 185.117.153.79:52771 TLS Error: TLS handshake failed
2020-08-06 13:57:56 notice openvpn(myvpn)[3826]: 185.117.153.79:52771 SIGUSR1[soft,tls-error] received, client-instance restarting
This last one suggests that TLS handshake failed. Pehraps this means I need somehow to generate a .ovpn file to use in the client? To examine my current layout, it looks like this:
# ls -Rl /etc/openvpn
/etc/openvpn:
-rw-r--r-- 1 root root 1883 Nov 13 2017 ca.crt
-rw-r--r-- 1 root root 424 Nov 13 2017 dh2048.pem
drwxr-xr-x 1 root root 90 Nov 13 2017 for_client
-rw-r--r-- 1 root root 6624 Nov 13 2017 my-server.crt
-rw-r--r-- 1 root root 1586 Nov 13 2017 my-server.csr
-rw------- 1 root root 3272 Nov 13 2017 my-server.key
drw------- 1 root root 378 Nov 13 2017 ssl
-rw-r--r-- 1 root root 11996 Nov 13 2017 uk-tunnel0.ovpn
/etc/openvpn/for_client:
-rw-r--r-- 1 root root 1883 Nov 13 2017 ca.crt
-rw-r--r-- 1 root root 6606 Nov 13 2017 my-client.crt
-rw-r--r-- 1 root root 1586 Nov 13 2017 my-client.csr
-rw------- 1 root root 3272 Nov 13 2017 my-client.key
/etc/openvpn/ssl:
-rw-r--r-- 1 root root 1883 Nov 13 2017 ca.crt
-rw------- 1 root root 3272 Nov 13 2017 ca.key
-rw-r--r-- 1 root root 424 Nov 13 2017 dh2048.pem
-rw-r--r-- 1 root root 88 Nov 13 2017 index.txt
-rw-r--r-- 1 root root 21 Nov 13 2017 index.txt.attr
-rw-r--r-- 1 root root 21 Nov 13 2017 index.txt.attr.old
-rw-r--r-- 1 root root 44 Nov 13 2017 index.txt.old
-rw-r--r-- 1 root root 6606 Nov 13 2017 my-client.crt
-rw-r--r-- 1 root root 1586 Nov 13 2017 my-client.csr
-rw------- 1 root root 3272 Nov 13 2017 my-client.key
-rw-r--r-- 1 root root 6624 Nov 13 2017 my-server.crt
-rw-r--r-- 1 root root 1586 Nov 13 2017 my-server.csr
-rw------- 1 root root 3272 Nov 13 2017 my-server.key
drw------- 1 root root 32 Nov 13 2017 newcerts
-rw-r--r-- 1 root root 11313 Nov 13 2017 openssl.cnf
-rw-r--r-- 1 root root 5 Nov 13 2017 serial
-rw-r--r-- 1 root root 5 Nov 13 2017 serial.old
/etc/openvpn/ssl/newcerts:
-rw-r--r-- 1 root root 6624 Nov 13 2017 1000.pem
-rw-r--r-- 1 root root 6606 Nov 13 2017 1001.pem
and I used /etc/openvpn/uk-tunnel0.ovpn in my OPenVPN client for the connection.
Am I right in suspecting that perhaps this ovpn is not the right thing to use? Here is what it holds with private info removed:
# cat /etc/openvpn/uk-tunnel0.ovpn
client ## implies pull, tls-client
dev tun
# proto udp ## udp is the default
fast-io
remote 1194
remote-cert-tls server
nobind
persist-key
persist-tun
comp-lzo no
verb 3
<ca>
-----BEGIN CERTIFICATE-----
STUFF
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4097 (0x1001)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CountryCode, ST=Somewhere, O=Something
Validity
Not Before: Nov 13 09:09:55 2017 GMT
Not After : Nov 11 09:09:55 2027 GMT
Subject: CN=my-client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
STUFF
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature
X509v3 Extended Key Usage:
TLS Web Client Authentication
Signature Algorithm: sha256WithRSAEncryption
STUFF
-----BEGIN CERTIFICATE-----
STUFF
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
STUFF
-----END PRIVATE KEY-----
</key>
I’m wondering what the problem is, how to further diagnose it, and whether I’ve simply misused/abused the only .ovpn file I found by using it in my openvpn client?