OpenVPN server easy and fast

cefeus · March 26, 2019, 11:21pm

Quick and easy OpenVPN server the Foris web interface.

TLS key negotiation failed

Sat Mar 23 20:36:45 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Mar 23 20:36:45 2019 Need hold release from management interface, waiting…
Sat Mar 23 20:36:45 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Mar 23 20:36:46 2019 MANAGEMENT: CMD ‘state on’
Sat Mar 23 20:36:46 2019 MANAGEMENT: CMD ‘log all on’
Sat Mar 23 20:36:46 2019 MANAGEMENT: CMD ‘echo all on’
Sat Mar 23 20:36:46 2019 MANAGEMENT: CMD ‘bytecount 5’
Sat Mar 23 20:36:46 2019 MANAGEMENT: CMD ‘hold off’
Sat Mar 23 20:36:46 2019 MANAGEMENT: CMD ‘hold release’
Sat Mar 23 20:36:46 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]10.134.194.9:1194
Sat Mar 23 20:36:46 2019 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Mar 23 20:36:46 2019 UDP link local: (not bound)
Sat Mar 23 20:36:46 2019 UDP link remote: [AF_INET]10.134.194.9:1194
Sat Mar 23 20:36:46 2019 MANAGEMENT: >STATE:1553369806,WAIT,
Sat Mar 23 20:37:47 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Mar 23 20:37:47 2019 TLS Error: TLS handshake failed
Sat Mar 23 20:37:47 2019 SIGUSR1[soft,tls-error] received, process restarting
Sat Mar 23 20:37:47 2019 MANAGEMENT: >STATE:1553369867,RECONNECTING,tls-error,
Sat Mar 23 20:37:47 2019 Restart pause, 5 second(s)

Pepe · March 26, 2019, 11:31pm

Hi,

May I ask you, if you try to generate a new CA and try to connect it to your server? If it doesn’t help, may you uninstall and install OpenVPN on the latest release of Turris OS and try it again?

We would appreciate if you can reach us on tech.support@turris.cz with diagnostics, which you can generate in Foris. I’m sending you the article for Error reporting, which you can find here.

Fenevadkan · March 30, 2019, 10:08pm

I have the same issue, it was working before, I dont know exactly when, but stopped working.
What package you want us to uninstall and reinstall, the openvpn-openssl (vers.:2.4.6-2)?

ekim · April 7, 2019, 10:01am

I have e-mailed the requested diagnostics to support. Lets hope this gets resolved.

Life without a vpn is getting really tedious. Online banking only at home, more cash in my fysical wallet…

Fenevadkan · April 8, 2019, 3:44pm

well actually I made some test. that while openvpn seems to be running and listening when checking it locally form the router itself, but I cannot see the port opened from the same subnet from my PC:

router# ps |grep -i vpn
3313 root 3132 S /usr/sbin/openvpn --syslog openvpn(server_turris)

router# netstat -tulpn|grep 1194
udp 0 0 0.0.0.0:1194 0.0.0.0:* 3313/openvpn

pc# telnet 192.168.1.1 1194
Trying 192.168.1.1…
telnet: Unable to connect to remote host: Connection refused

I guess it is not normal or is it? should it only listen from the outside?

RomanHK · April 8, 2019, 4:04pm

This is perfectly fine. It’s blocked by Firewall (VPN has its zone).

Maxmilian_Picmaus · April 8, 2019, 8:24pm

… just some notes
If you are running openvpn-server and client on same subnet (or from router it self), you have to a bit change the options on both sides to make it working. You have to make some changes in firewall zone configuration as well. So it is easier to test connection using different isp (mobile phone, after export of user config, just rename it from xxxx.conf to xxxx.ovpn and import it to phone/openvpn app … and connect …,).

Also just note, TLS is a bit tricky, you have to set “tls-client” in client config only, remove tls related options/values from server config. There is no any ta.key generated by default.
Aside if windows/android client is used for testing connection, having “mssfix 0” , “fragment 0” and “float” options in client config is recommended.

cefeus · April 12, 2019, 3:30pm

Thank you very much

ekim · May 7, 2019, 8:45pm

1 month later, no news about my incident report from support. Is this normal?

ekim · June 12, 2019, 7:39pm

Guys I really think you need to look into OpenVPN.

After my last comments Ive deleted the OpenVPN modules.

After a month or so Ive installed the modules again. Surprise. My CA generated 1 month ago was still there.

I believe that a complete refresh of the modules and CA isnt possible, and this is why I cant get OpenVPN running. Even a factory reset/installing firmware from USB/medikit doesnt help this.

Im sorry, but this is definitely a dealbreaker. IF the next new grande firmware (4.0) doesnt resolve this, Im selling my router.

Maxmilian_Picmaus · June 13, 2019, 8:49pm

If you removed the “openvpn” packages and dependend ones, you should also clean up the left-over files in etc, config and key folder (i am pretty sure, that removal via opkg does not remove the “CA” files …you should do it via “Foris” (delete CA, generate CA so the files are overwritten), or if you do that via opkg, you should check all related locations and remove(backup to some location) necessary files manually.

Removing OpenVPN and reinstall does not mean you have re-initialized “CA” folder.

Strange is , factory reset should work, medikit should work as well. It is hard to help without log/configs. Personally i’ve tested Foris plugin three times (with complete removal and re-generation afterwards, tested also with manual opkg removal/reinstall, tested own config before Foris plugin was introduced …) , so i know it is not easy every time, but since that plugin in Foris, all is (should be) smooth.

serych · August 7, 2019, 7:29am

I need to interconnect internal networks in our two buildings via two Turris Omnia routers.
In the main building I already installed and configured OpenVPN server (OpenVPN server easy and fast)
Is there any way, how to configure “OpenVPN CLIENT easy and fast” using the configuration file created on the OpenVPN server?

Thanks in advance for any info

Bendys · August 8, 2019, 7:32pm

This is simple, on the client router in Luci/service/Openvpn/OVPN configuration file upload. Generate a configuration file in Foris Omnia VPN server.

serych · August 9, 2019, 6:21am

Do you mean menu Service/OpenVPN in Luci? I don’t have this item in Service menu

(TurrisOS version 4.0-beta8)

anon50890781 · August 9, 2019, 6:33am

is the luci-app-openvpn package installed?

serych · August 9, 2019, 1:33pm

Thanks to Bendys and n8v8r I’m much closer to success. Now I’m just tuning routing and firewall.
Thanks guys!

ekim · September 6, 2019, 2:49pm

Hello,

Ive tried it again.

Openvpn now only works when I uncheck “all traffic through VPN”

Strange thing is, I got the IP of my phone ISP.

Its really annoying. And im disappointed I cant set up my vpn.

Jan_Coufal · September 7, 2019, 2:52pm

I made a little improvement for running openvpn on a public but not static address. (mobile operators). Created script using Foris notifications and sending current IP to foris and email:
#! / bin / bash
ADDRESS = / tmp / IPaddress
INTERFACE = 3g-LTE

[ -e $ADDRESS ] && TEST1 = cat $ ADDRESS | TEST1 = 0
TEST = ifconfig -and $INTERFACE | grep "inet addr" | cut -c 21-35
if [ $TEST ! = $TEST2 ]; then
echo $TEST > $ADDRESS
create_notification -s news “Public IP: $TEST”
fi
Cron then calls the script and sends notifications and email if there is a change.

peci1 · September 8, 2019, 9:15am

Dynamic DNS? E.g. https://www.noip.com/ works for me.

rswtthub · October 27, 2019, 9:35am

I have this weird issue with the Foris OpenVPN setup.

It worked fine before, but I reflashed my Turris Omnia and now run the following versions:

foris version: 100.5
Firmware Version TurrisOS 4.0.1 80076f9 / LuCI branch (git-19.281.84184-0b4eebd)

When I set my OpenVPN network in Foris to 10.8.0.1/24 the following config is generated:

/var/etc/openvpn-server_turris.conf

persist-key
persist-tun
ca /etc/ssl/ca/openvpn/ca.crt
cert /etc/ssl/ca/openvpn/01.crt
crl-verify /etc/ssl/ca/openvpn/ca.crl
dev tun_turris
dh /etc/dhparam/dh-default.pem
ifconfig-pool-persist /tmp/ipp.txt
keepalive 10 120
key /etc/ssl/ca/openvpn/01.key
mute 20
port 1194
proto udp
push “route 192.168.1.0 255.255.255.0”
server 10.8.0.1 255.255.255.0
status /tmp/openvpn-status.log
verb 3

OpenVPN process can’t start and I get these messages under syslog:
Oct 27 09:06:04 turris openvpn(server_turris)[29782]: Options error: --server directive network/netmask combination is invalid

When I change the OpenVPN network in foris to 10.8.0.0/24

/var/etc/openvpn-server_turris.conf

server 10.8.0.0 255.255.255.0

I see the OpenVPN process

/usr/sbin/openvpn --syslog openvpn(server_turris) --status /var/run/openvpn.server_turris.status --cd /var/etc --config openvpn-server_turris.conf

and I see clients connecting in syslog, but I can’t ping the server nor contact the clients.

Shouldn’t the setup script generate a config with server ip 10.8.0.1 to work properly?

After setup with 10.8.0.0/24 I can change the server ip to 10.8.0.1 manually in the config and restart the process, then ping works.

What am I doing wrong?

The documentation https://docs.turris.cz/basics/apps/openvpn/openvpn/ uses 10.111.111.0/24 so a X.X.X.0/24 should lead to a working setup.