GuidoG

Hello everyone,

I am having an issue installing the OpenVPN appliance on my VirtualBox.

It has been installed successfully, configured with a bridged interface on the eth0 of the server (which has an external IP address). It also has a second interface with a local IP address. I want to give clients access to the internal network and the internet via the VPN, so I configured it as a gateway.

I used the TurnKey init script to do this, configured the interfaces, downloaded updates and generated the self-signed CA certificate and all the default files and keys. I was also able to generate a client config file using the instructions at https://github.com/turnkeylinux-apps/openvpn/tree/master/docs. Everything was done with the default values; the server is supposed to be running on port 1194 UDP. Given that we do not have an FQDN for the appliance, I used its external IP address, reachable via our perimeter firewall. Port 1194/UDP is open there, and also port 12321/TCP for the management web GUI. OpenVPN starts correctly with no apparent issues with the configuration generated by default.

The problem I am having is that when trying to connect the client (from Linux) I get a TLS handshake error. Given that the error suggests checking network connectivity, I tried to track the connection: I checked the firewall settings; I checked that the 1194 UDP port was opened in the firewall rules (as default); I installed tcpdump on the appliance and checked that connections were arriving at the appliance from my test client, but I see only incoming packets, not the replies.

I tried putting the openvpn firewall rule at the top of the rule list, but still no responses to the client.

I conclude that something inside the appliance has to be blocking incoming connections. I don't know how to debug the problem further.

Can anyone suggest anything? E.g.:

- How can I disable the firewall?

- How can I check if OpenVPN is receiving the packets? Setting the config debug level to 4 to 11 does not seem to change much.

Thank you very much

Guido

Jeremy Davis

TBH, I'm not super experienced with OpenVPN config. I have helped maintain it and have tested it multiple times, but haven't used it for extended periods. Also, during my testing it's always "just worked", so I haven't ever had the need to debug...

To explicitly answer your question re internal blocking, whilst TurnKey comes with preconfigured firewall settings, it's not enabled by default. So unless you've enabled it, firewall config should not be a factor.

To double check that OpenVPN is listening as it should be, try using netstat, like this:

netstat -tulnp

# t: TCP
# u: UDP
# l: listening
# n: numeric (hosts and ports)
# p: program name

Look for port 1194 (as you probably guessed...)

Also, you can use netcat to check that the port is open (from the client), e.g.:

nc -zv xxx.xxx.xxx.xxx 1194

# z: scan only
# v: verbose
# xxx.xxx.xxx.xxx: external IP address
# 1194: port to scan (multiple ports can be used, space separated)

If that appears to work, then perhaps it's also worth testing from within your network (via the internal LAN IP address)? Also, if Webmin is working OK (via port 12321) then that would suggest that it's unlikely to be something blocking externally. Although it'd be interesting to compare ports 12321 and 1194...

Beyond that, I'm not really sure, and I'm probably just guessing... I'm not 100% sure how to do it, but perhaps you can increase the verbosity of both the client and the server. Hopefully that might give you some more info? Please feel free to post back full logs. Maybe there's something that you're missing? (Please feel free to redact anything that you'd rather not broadcast, but please explicitly note anything you've redacted.)

From my understanding, one common issue with clients not connecting can be timezone mismatch. It mainly seems to be an issue for users in a timezone that is minus UTC (TurnKey servers default to UTC). So in some cases, the certificate generated is not yet valid according to the local timezone. If that's the issue, it's probably already resolved itself, but might be worth checking...

Please let me know how you go...
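The netstat check above answers two separate questions that the "packets arrive, no replies" symptom raises on the server side: is anything listening on udp/1194 at all, and is it bound to every address or only to one interface (a daemon bound only to the internal NIC silently drops datagrams that arrive on the bridged external NIC). The script below is an added example, not TurnKey's or OpenVPN's own tooling; it parses `netstat -tulnp` output, and the sample output embedded in it is constructed (the 10.0.0.5 address and PIDs are made up).

```shell
#!/bin/sh
# Added example: classify the UDP listener state for a port from "netstat -tulnp" output.
# Not TurnKey/OpenVPN code. On a real appliance, run:  netstat -tulnp | diagnose_udp_port 1194

# Constructed sample output (addresses and PIDs are made up). Note that 12321 is a TCP
# listener only, and that the UDP 1194 socket is bound to a single internal address.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:12321           0.0.0.0:*               LISTEN      655/perl
udp        0      0 10.0.0.5:1194           0.0.0.0:*                           731/openvpn
udp        0      0 127.0.0.1:53            0.0.0.0:*                           388/dnsmasq'

# Print "<local address> <pid/program>" for every UDP socket on port $1.
# Reads netstat -tulnp output on stdin. UDP rows have no State column, but
# "PID/Program name" is the last column for both tcp and udp rows, so $NF works for both.
udp_sockets_on_port() {
    awk -v port="$1" '
        $1 == "udp" || $1 == "udp6" {
            n = split($4, a, ":")                 # port is whatever follows the last colon
            if (a[n] == port) {
                addr = substr($4, 1, length($4) - length(a[n]) - 1)
                print addr, $NF
            }
        }'
}

# One-line verdict for udp/$1 (stdin: netstat output):
#   NONE  - no UDP socket on that port (daemon down, or listening on TCP / another port)
#   ALL   - bound to 0.0.0.0 or :: and will see traffic on every interface
#   ONLY  - bound to specific address(es); traffic arriving elsewhere is never answered
diagnose_udp_port() {
    sockets=$(udp_sockets_on_port "$1")
    if [ -z "$sockets" ]; then
        echo "NONE: nothing listening on udp/$1 - check the daemon is running and its port/proto settings"
        return 0
    fi
    addrs=$(printf '%s\n' "$sockets" | awk '{print $1}')
    for a in $addrs; do
        case "$a" in
            0.0.0.0|::|'*') echo "ALL: udp/$1 is bound to every address"; return 0 ;;
        esac
    done
    echo "ONLY: udp/$1 is bound only to $(printf '%s\n' "$addrs" | tr '\n' ' ')- packets on other interfaces are dropped"
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | diagnose_udp_port 1194
printf '%s\n' "$SAMPLE_NETSTAT" | diagnose_udp_port 12321
```

Two caveats when using the netcat check from the client: `nc -zv host 1194` without `-u` probes TCP, which an OpenVPN server configured for UDP will never answer, and even `nc -zvu` can only report "open" in the absence of an ICMP port-unreachable reply, so a UDP port swallowed by a firewall looks identical to one with a live listener. The server-side listener check above is the reliable half of the pair; on newer systems without netstat, `ss -ulnp` gives the same information in a different column layout, so the parser would need adjusting.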
