I have an Ubuntu 20.04 LTS instance running in the Oracle Cloud "free tier". I set up OpenVPN on this VM following this guide (it's in German). Firewall port 1194/UDP is open, and IPv4 forwarding is configured correctly (both in /etc/sysctl.conf and in /etc/default/ufw); UFW also does forwarding in /etc/ufw/before.rules with this magic incantation:
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to ens3
-A POSTROUTING -s 10.27.0.0/8 -o ens3 -j MASQUERADE
COMMIT
# END OPENVPN RULES
ifconfig output on the server:
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9000
inet 10.0.0.4 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::200:17ff:fe02:52db prefixlen 64 scopeid 0x20<link>
ether 00:00:17:02:52:db txqueuelen 1000 (Ethernet)
[....]
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.27.0.1 netmask 255.255.255.0 destination 10.27.0.1
inet6 fe80::b07f:586a:c721:fddb prefixlen 64 scopeid 0x20<link>
Looks good. The problem is that the client cannot connect to the server; the log says "TLS Error: TLS key negotiation failed to occur within 60 seconds".
When I run sudo tcpdump -ni ens3 udp and port 1194, I can see that the packets do arrive from the client (IP address "X.X.X.X"):
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
14:18:08.024761 IP X.X.X.X.20800 > 10.0.0.4.1194: UDP, length 54
When I scan the OpenVPN server with nmap:
sudo nmap -sU -p 1194 problematic.server.ip.address
then port 1194/UDP is diagnosed as filtered, which means that nmap detected an ICMP unreachable error, according to "the Nmap book".
Luckily I have another OpenVPN server on a paid VPS which has worked fine for years; I scanned its port 1194/UDP, and the diagnosis was open|filtered.
I suspect the problem is related to how virtual networks are configured on the Oracle Cloud. My VM has the IP 10.0.0.4, therefore the OpenVPN server config contains the entry listen 10.0.0.4. Most likely some routing setting is missing, so the server can't answer the client's connection request.
My question is: has someone set up an OpenVPN server on Oracle's cloud successfully? And if yes, what was the extra configuration step that had to be performed?
FWIW, I checked the box "Skip source/destination check" in Instance Details > Attached VNICs > Edit in the Oracle Cloud web management GUI. Otherwise the networking setup is "standard".
Best Answer
Answering my own question:
The problem was due to how Oracle set up their cloud images. The decisive hint came from this PHP developer blog: they could not access Port 80 (!) on an Oracle Cloud computing instance. Their solution was to "wipe clean" the IP tables.
I opted for a less drastic solution. The Ubuntu image provided by Oracle uses the Debian package iptables-persistent to save the IP tables between reboots (see this UNIX StackExchange post). I reviewed the /etc/iptables/rules.v4 file where the settings are stored, and performed the following modifications in the *filter section:

-A INPUT -p udp --dport 1194 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

and allowed IP forwarding by

-A FORWARD -j ACCEPT

The full section now looks like this:
"Activating" the changes:
/sbin/iptables-restore < /etc/iptables/rules.v4
This works now: the OpenVPN server is accessible, and clients can connect.
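An added check, not code from the answer above or from Oracle's image: it walks the *filter chains of a rules.v4 dump in the order the kernel evaluates them and reports the verdict for an inbound OpenVPN handshake and for forwarded VPN-client traffic. The sample rules are constructed to resemble this thread; the port, the tun0 device and the 10.27.0.0 client network are assumptions taken from it. It shows why an ACCEPT that ends up below the catch-all "-j REJECT --reject-with icmp-host-prohibited" never fires, which is exactly the ICMP unreachable that nmap reported as "filtered".

```python
"""Walk an iptables-save *filter table top-down (first terminating match wins)."""
import re

# Constructed sample, not the real Oracle image file. The udp/1194 ACCEPT sits AFTER
# the catch-all REJECT, so it is dead: every handshake gets ICMP host-prohibited back.
BROKEN = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp --dport 1194 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
FIXED = BROKEN.replace(  # ACCEPT moved above the REJECT and FORWARD opened, as in the answer
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n-A INPUT -p udp --dport 1194 -j ACCEPT",
    "-A INPUT -p udp --dport 1194 -j ACCEPT\n-A INPUT -j REJECT --reject-with icmp-host-prohibited",
).replace("-A FORWARD -j REJECT --reject-with icmp-host-prohibited", "-A FORWARD -j ACCEPT")


def parse_filter(text):
    """Return ({chain: policy}, {chain: [rule args]}) for the *filter table only."""
    policies, rules, in_filter = {}, {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif line == "COMMIT":
            in_filter = False
        elif in_filter and line.startswith(":"):       # ':CHAIN POLICY [pkts:bytes]'
            chain, policy = line[1:].split()[:2]
            policies[chain], rules[chain] = policy, []
        elif in_filter and line.startswith("-A "):     # '-A CHAIN <matches> -j TARGET'
            _, chain, args = line.split(maxsplit=2)
            rules.setdefault(chain, []).append(args)
    return policies, rules


def verdict(policies, rules, chain, match):
    """Target of the first catch-all ('-j ...', no match options) or matching rule, else the policy."""
    for args in rules.get(chain, []):
        if args.startswith("-j ") or match.search(args):
            return args.split("-j ", 1)[1].split()[0]
    return policies.get(chain, "ACCEPT")


def audit(rules_v4, port=1194, vpn_net="10.27.0.0"):
    policies, rules = parse_filter(rules_v4)
    inbound = re.compile(rf"-p udp\b.*--dport {port}\b")            # OpenVPN handshake
    forwarded = re.compile(rf"-i tun0\b|-s {re.escape(vpn_net)}")   # VPN client traffic
    return {"input": verdict(policies, rules, "INPUT", inbound),
            "forward": verdict(policies, rules, "FORWARD", forwarded)}
```

Run audit() over the real file with the path you use (e.g. open("/etc/iptables/rules.v4").read()) before iptables-restore; anything other than ACCEPT for both keys means the handshake or the forwarded traffic is still being rejected.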