The firm I work for has decided to go with OpenVPN to replace heavy ssh usage ( The right vpn to replace heavy ssh usage )
I have attempted to set up OpenVPN for bridging connections. I can connect via machines on the same network as the VPN server. Unfortunately I can't connect to the VPN server from just outside of the LAN; connections that come from the WAN port fail with a WSAETIMEDOUT error message.
I am forwarding port 1194 on my router (for both tcp and udp) to my OpenVPN server on port 1194.
Is there any tool I can use (e.g. Netcat) to help isolate the problem and troubleshoot my setup?
Configuration Details
Ubuntu 10.04 LTS OpenVPN "Server"
Private Lan 192.168.10.0/24
Clients: Mostly Windows XP / Vista / Windows 7 machines.
/etc/network/interfaces
auto lo
iface lo inet loopback
auto br0
iface br0 inet static
address 192.168.10.95
network 192.168.10.0
netmask 255.255.255.0
broadcast 192.168.10.255
gateway 192.168.10.1
bridge_ports eth0
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off
auto eth0
iface eth0 inet dhcp
/etc/openvpn/server.conf
port 1194
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server-bridge 192.168.10.95 255.255.255.0 192.168.10.50 192.168.10.80
tls-auth ta.key 0
user nobody
group nogroup
client-to-client
duplicate-cn
keepalive 10 120
cipher BF-CBC # Blowfish (default)
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 6
mute 20
up.sh
#!/bin/sh
# OpenVPN runs this as: up.sh br0 <tap-dev> <tun-mtu> <link-mtu> ... ; "br0" comes
# from the up directive in server.conf, the remaining arguments OpenVPN appends.
BR=$1
DEV=$2
MTU=$3
# Bring the tap device up in promiscuous mode and add it to the bridge.
/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV
down.sh
#!/bin/sh
# Same argument layout as up.sh: $1 is the bridge, $2 the tap device.
BR=$1
DEV=$2
# Remove the tap device from the bridge, then take it down.
/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down
client.ovpn
client
dev tap
remote 192.168.10.184:1194
ca ca.crt
cert maven-lunch.crt
key maven-lunch.key
tls-auth ta.key 1
ping 10
comp-lzo
verb 6
mute 10
**edit 9/20/2010 18:00 EDT (@Zoredache)**
I am using the WAN address (in this case 10.1.2.129).
I see connection attempts from my test client (10.1.10.112):
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
17:52:23.256396 IP 10.1.10.112.1638 > 192.168.10.184.1194: tcp 0
17:52:23.256415 IP 10.1.10.112.1638 > 192.168.10.184.1194: tcp 0
Looking at the syslog shows a dead connection from a disconnected test client on the local network:
tail -f /var/log/syslog
Sep 20 16:40:07 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 TUN WRITE [92]
Sep 20 16:40:07 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 TCPv4_SERVER WRITE [133] to [AF_INET]192.168.10.189:1754: P_DATA_V1 kid=0 DATA len=132
Sep 20 16:40:07 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 TCPv4_SERVER WRITE [181] to [AF_INET]192.168.10.189:1754: P_DATA_V1 kid=0 DATA len=180
Sep 20 16:40:08 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 TCPv4_SERVER READ [133] from [AF_INET]192.168.10.189:1754: P_DATA_V1 kid=0 DATA len=132
Sep 20 16:40:08 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 TUN WRITE [92]
Sep 20 16:40:08 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 TCPv4_SERVER WRITE [133] to [AF_INET]192.168.10.189:1754: P_DATA_V1 kid=0 DATA len=132
Sep 20 16:40:08 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 Connection reset, restarting [-1]
Sep 20 16:40:08 MavenVPNBox ovpn-server[1369]: maven-lunch/192.168.10.189:1754 SIGUSR1[soft,connection-reset] received, client-instance restarting
Sep 20 16:40:08 MavenVPNBox ovpn-server[1369]: TCP/UDP: Closing socket
Best Answer
You have changed your client.ovpn to use the WAN address instead of 192.168.10.184, right?

Anyway, as to testing. On your server, why not just do a tcpdump for udp/1194:

tcpdump -qni any port 1194

and see if any connection attempts are actually getting to the server from the outside. If they are not, something is wrong with your firewall or NAT settings on your border device. Also check out your /var/log/syslog. Usually OpenVPN log entries will appear there when a client tries to connect.