-1

I have installed an Ubuntu 20.04.1 Server as a VM on VirtualBox. This VirtualBox is running on my school's remote server, and I installed GNS3 on this VM (Ubuntu Server). So far, everything is fine. But when I try to use my local machine (MacOS Catalina) and TunnelBlick to connect to this remote server, I get the error: `TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)`.

So far, after reading several answers, I have tried:

  1. From the local Mac: `nc -uvz <remote server IP/also VM IP> 1194` - Success!
  2. Checked client.ovpn; the correct remote IP is there.
  3. Can do scp between host and VM with the public IP - it means the IP for the VM is correct and it is reachable.
  4. Uninstalled and installed GNS3 several times and updated the config file.

Please help me with this.

Tabz
  • You know that UDP is a fire-and-forget protocol? nc not reporting a failure does not mean the packet reached its destination... This is a connection issue; maybe the forwarding from the remote server to the VM is incorrect. I suggest stopping the openvpn service from GNS3 and executing `nc -lu 1194` on the VM, then repeating step 1 - I doubt that the message will reach its destination. – Martin Dec 12 '20 at 09:33
  • Thanks for your comment. The openvpn service is running on MacOS. When running the above command from the VM I get the answer `nc: Address already in use` – Tabz Dec 12 '20 at 13:48
  • TunnelBlick is the _client_ side of the OpenVPN connection... the _server_ side of the OpenVPN instance must be running inside the VM. (That's why you get the error message.) To test the connectivity, I suggested that you set up a listening netcat on the openvpn port. For this to work, you need to stop the openvpn service running inside the VM, which is using this port. – Martin Dec 12 '20 at 19:27

1 Answer

0

Let me answer your question a little more thoroughly. I have no clue about GNS3, but I know openvpn and TunnelBlick, which is a MacOS client for openvpn, and your question is network related. The question is missing important things, so I have to make some assumptions, but I hope to get you on the right path to find the cause.

You mentioned that the remote server is located inside your school. I'll assume that your school at least has one firewall, which owns the interface holding the school's public IP address which you are using to access your VM. Let me draw this for clarification:

        FW                     remote server                virtual machine
         |                         |                           |
Pub. IP->|<--- priv. Subnet A ---> |    <-- priv. Subnet B --> |
         |                         |                           |

Again, I have no clue about your school's network infrastructure; all this is an assumption. But this clarifies my point: any connection incoming on your school's public IP must be translated to the IP inside subnet A of your remote server. This is a rule which must be present inside the firewall. Obviously, there is such a rule for the SSH port of your VM, otherwise the scp command would not work. But just because there is such a rule for the SSH port does not mean such a rule exists for UDP port 1194, too.

If you passed the firewall and reached the host interface of the remote server, a network address translation needs to take place again - this IP packet is not meant for the remote server, it is meant for the VM - so there needs to be a NAT rule in place to translate the incoming traffic to the VM's IP address. Maybe you have an idea now where to start searching for the cause of your problems.

Martin
  • Thanks for the detailed explanation, I understand now. Checked on my VM `ps auxw |grep openvpn` and openvpn is active and listening, but on the remote machine it is not. Please advise something to get around this problem and make the remote server accept my TunnelBlick connection. – Tabz Dec 12 '20 at 21:03
  • Also if I do `netstat -lnp | grep openvpn`, the output is `udp 0.0.0.0:1194`? It means it is listening to connections from any IP coming at port 1194? – Tabz Dec 12 '20 at 21:05
  • No, it means openvpn listens on any available network interface for incoming UDP packets on port 1194. The best advice I can give you is to go find the administrator responsible for your school's IT and ask him for help with your problem... You probably lack access to your school's firewall, so you cannot do this on your own anyway. – Martin Dec 13 '20 at 19:07
  • I have `sudo` access, can this help? – Tabz Dec 13 '20 at 20:02
  • I thought you understood what I wrote? Consider the following scenario. Your friend is writing you a letter. But unfortunately, he puts the wrong address on the letter. Does it help to have the key to your (empty) mailbox? Of course not, because the postman will never deliver the letter to your mailbox... – Martin Dec 14 '20 at 12:16
  • Thanks. I get it now. – Tabz Dec 15 '20 at 16:05
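The listener test suggested in the comments, written as an added example (not code from any of the posts above): because a UDP send reports success whether or not anything receives it, the client only trusts an echoed reply. The function names, the probe payload and the `listen` argument are assumptions of this sketch; run the listener on the VM with the OpenVPN service stopped so port 1194 is free.

```python
import socket
import sys
import threading

PROBE = b"udp-reachability-probe"  # constructed payload, any bytes would do


def start_echo_listener(bind_ip="0.0.0.0", port=1194):
    """VM side: echo every datagram back to its sender. Returns (socket, thread)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))  # fails with "Address already in use" if openvpn still runs

    def serve():
        while True:
            try:
                data, peer = sock.recvfrom(2048)
            except OSError:  # socket was closed, stop serving
                return
            print(f"datagram from {peer[0]}:{peer[1]}")  # source address as seen after NAT
            sock.sendto(data, peer)

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return sock, thread


def probe(host, port=1194, timeout=3.0):
    """Client side: returns (bytes_sent, echoed).

    bytes_sent is non-zero even when nothing is listening or a firewall drops
    the packet; only echoed=True proves the datagram reached the listener and
    the reply found its way back through every NAT hop.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        sent = s.sendto(PROBE, (host, port))
        try:
            data, _ = s.recvfrom(2048)
        except OSError:  # timeout, or an ICMP port-unreachable surfaced as an error
            return sent, False
        return sent, data == PROBE


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "listen":  # on the VM
        start_echo_listener()[1].join()
    elif len(sys.argv) > 1:  # on the client: pass the public IP
        sent, echoed = probe(sys.argv[1])
        print(f"sent {sent} bytes, echo received: {echoed}")
```

If the listener prints nothing while the client reports bytes sent, the datagram was dropped or misrouted before the VM, which is the forwarding/NAT problem the answer describes. Stop the listener once the test is done.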