OpenVPN – How to diagnose / fix an OpenVPN setup which works from inside the LAN but does not work from the WAN side of the router

Tags: bridge, nat, netcat, openvpn

The firm I work for has decided to go with OpenVPN to replace heavy ssh usage (The right vpn to replace heavy ssh usage).

I have attempted to set up OpenVPN for bridging connections. I can connect via machines on the same network as the VPN server. Unfortunately I can't connect to the VPN server from just outside of the LAN; connections that come in through the WAN port fail with a WSAETIMEDOUT error message.

I am forwarding port 1194 on my router (for both tcp and udp) to my OpenVPN server on port 1194.

Is there any tool I can use (e.g. Netcat) to help isolate the problem and troubleshoot my setup?

Configuration Details

Ubuntu 10.04 LTS OpenVPN "Server"
Private LAN 192.168.10.0/24

Clients: Mostly Windows XP / Vista / Windows 7 machines.

/etc/network/interfaces

auto lo
iface lo inet loopback

auto br0
iface br0 inet static
    address 192.168.10.95
    network 192.168.10.0
    netmask 255.255.255.0
    broadcast 192.168.10.255
    gateway 192.168.10.1
    bridge_ports eth0
    bridge_fd 9
    bridge_hello 2
    bridge_maxage 12
    bridge_stp off

auto eth0
iface eth0 inet dhcp

/etc/openvpn/server.conf

port 1194
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

server-bridge 192.168.10.95 255.255.255.0 192.168.10.50 192.168.10.80
tls-auth ta.key 0
user nobody
group nogroup

client-to-client
duplicate-cn
keepalive 10 120

cipher BF-CBC        # Blowfish (default)
comp-lzo

persist-key
persist-tun

status openvpn-status.log
verb 6
mute 20

up.sh
#!/bin/sh

BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV

down.sh
#!/bin/sh

BR=$1
DEV=$2

/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down

client.ovpn

client
dev tap
remote 192.168.10.184:1194
ca ca.crt
cert maven-lunch.crt
key maven-lunch.key
tls-auth ta.key 1

ping 10
comp-lzo
verb 6
mute 10

**edit 9/20/2010 18:00 EDT (@Zoredache)**

I am using the WAN address (in this case 10.1.2.129).

I see connection attempts from my test client (10.1.10.112):

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
17:52:23.256396 IP 10.1.10.112.1638 > 192.168.10.184.1194: tcp 0
17:52:23.256415 IP 10.1.10.112.1638 > 192.168.10.184.1194: tcp 0

Looking at the syslog shows a dead connection from a disconnected test client on the local network:

tail -f /var/log/syslog

Sep 20 16:40:07 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 TUN WRITE [92]
Sep 20 16:40:07 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 TCPv4_SERVER WRITE [133] to [AF_INET]192.168.10.189:1754: P_DATA_V1 kid=0 DATA len=132
Sep 20 16:40:07 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 TCPv4_SERVER WRITE [181] to [AF_INET]192.168.10.189:1754: P_DATA_V1 kid=0 DATA len=180
Sep 20 16:40:08 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 TCPv4_SERVER READ [133] from [AF_INET]192.168.10.189:1754: P_DATA_V1 kid=0 DATA len=132
Sep 20 16:40:08 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 TUN WRITE [92]
Sep 20 16:40:08 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 TCPv4_SERVER WRITE [133] to [AF_INET]192.168.10.189:1754: P_DATA_V1 kid=0 DATA len=132
Sep 20 16:40:08 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 Connection reset, restarting [-1]
Sep 20 16:40:08 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 SIGUSR1[soft,connection-reset] received, client-instance restarting
Sep 20 16:40:08 MavenVPNBox ovpn-server[1369]: TCP/UDP: Closing socket

Best Answer

You have changed your client.ovpn to use the WAN address instead of 192.168.10.184 right?

Anyway, as to testing. On your server, why not just do a tcpdump for udp/1194 (tcpdump -qni any port 1194) and see if any connection attempts are actually getting to the server from the outside. If they are not, something is wrong with your firewall or NAT settings on your border device.

Also check out your /var/log/syslog. Usually openvpn log entries will appear there when a client tries to connect.
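The check the answer describes, as an added example that is not part of the original question or answer: a small Python script that reads `tcpdump -qni any port 1194` output (a constructed sample mirroring the question's capture, with the question's LAN 192.168.10.0/24) and separates the three outcomes a practitioner cares about: nothing arrived at all (border NAT / port forward), packets arrived but the server never answered (OpenVPN listener or host firewall), and two-way traffic (move on to syslog and the TLS handshake).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -qni any port 1194` output from the question:
# a WAN-side client (10.1.10.112) whose SYNs get no answer, and a LAN client that does.
SAMPLE_CAPTURE = """\
17:52:23.256396 IP 10.1.10.112.1638 > 192.168.10.184.1194: tcp 0
17:52:23.256415 IP 10.1.10.112.1638 > 192.168.10.184.1194: tcp 0
17:52:26.260112 IP 10.1.10.112.1638 > 192.168.10.184.1194: tcp 0
16:40:07.102233 IP 192.168.10.189.1754 > 192.168.10.95.1194: tcp 133
16:40:07.102950 IP 192.168.10.95.1194 > 192.168.10.189.1754: tcp 133
""".splitlines()

LAN = ipaddress.ip_network("192.168.10.0/24")   # the private LAN from the question
VPN_PORT = 1194
# "-q" output looks like: <time> IP <src>.<sport> > <dst>.<dport>: <proto> <len>
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): ")

NOT_REACHED = "no packets from client reached the server: check border NAT / port forward"
NO_REPLY = "packets reached the server but nothing answered: check OpenVPN listener and host firewall"
TWO_WAY = "two-way traffic seen: transport works, check syslog for the TLS handshake"

def summarize(lines, lan=LAN, port=VPN_PORT):
    """Count packets per client endpoint in each direction relative to the VPN port."""
    flows = defaultdict(lambda: {"origin": None, "to_server": 0, "from_server": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                            # not a packet line (tcpdump banner etc.)
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if dport == port:                       # client -> server
            client, direction = (src, sport), "to_server"
        elif sport == port:                     # server -> client
            client, direction = (dst, dport), "from_server"
        else:
            continue
        flow = flows[client]
        flow[direction] += 1
        flow["origin"] = "LAN" if ipaddress.ip_address(client[0]) in lan else "WAN"
    return dict(flows)

def diagnose(lines, client_ip, lan=LAN, port=VPN_PORT):
    """Did this client's packets reach the server at all, and did the server answer?"""
    mine = [f for (ip, _), f in summarize(lines, lan, port).items() if ip == client_ip]
    if not mine:
        return NOT_REACHED
    if sum(f["to_server"] for f in mine) and not sum(f["from_server"] for f in mine):
        return NO_REPLY
    return TWO_WAY
```

Feed it a real capture with `diagnose(open("capture.txt").read().splitlines(), "<client ip>")`; repeated client-to-server lines with nothing coming back mean the port forward works and the fault is on the server host.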