
I am trying to set up OpenVPN on a server, but cannot get it working. I have changed the default port (mostly to bypass possible VPN blocks), but cannot connect to the server.

openvpnas@ip-xxx-xx-xx-xx:~$ sudo netstat -uapn | grep openvpn
udp        0      0 0.0.0.0:1190            0.0.0.0:*                           1455/openvpn-openss 

Another output

openvpnas@ip-xxx-xx-xx-xx:~$ netstat -atnp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:904           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:905           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:906           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:907           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:908           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:909           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:943             0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 172.31.42.30:22         xx.xx.xxx.xx:52882      ESTABLISHED -                   
tcp        0      0 127.0.0.1:42390         127.0.0.1:908           TIME_WAIT   -                   
tcp        0    150 xxx.xx.xx.xx:34884      xxx.xxx.xx.xx:443       ESTABLISHED -                   
tcp6       0      0 :::22                   :::*                    LISTEN      - 

From my local machine, the connection times out.

(base) ➜  dir  nc -v x.xx.xx.xx 1190
nc: connect to x.xx.xx.xx port 1190 (tcp) failed: Connection timed out 

To fix this, I have tried running the following command to no avail:

sudo iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 1190 -j ACCEPT

When connecting with OpenVPN client on Linux, I get the following:

2022-06-13 17:49:00 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2022-06-13 17:49:00 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-06-13 17:49:00 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-06-13 17:49:00 TCP/UDP: Preserving recently used remote address: [AF_INET]x.xx.xx.xx:1190
2022-06-13 17:49:00 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-06-13 17:49:00 UDP link local: (not bound)
2022-06-13 17:49:00 UDP link remote: [AF_INET]x.xx.xx.xx:1190
2022-06-13 17:49:04 Server poll timeout, restarting
2022-06-13 17:49:04 SIGUSR1[soft,server_poll] received, process restarting
2022-06-13 17:49:04 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2022-06-13 17:49:04 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-06-13 17:49:04 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-06-13 17:49:04 TCP/UDP: Preserving recently used remote address: [AF_INET]x.xx.xx.xx:1190
2022-06-13 17:49:04 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-06-13 17:49:04 UDP link local: (not bound)
2022-06-13 17:49:04 UDP link remote: [AF_INET]x.xx.xx.xx:1190

Any help on troubleshooting and fixing is appreciated.

MadPhysicist

1 Answer

There are a couple of things here.

  1. The first code block in your post shows OpenVPN listening on UDP.
  2. The second code block shows TCP.
  3. nc attempts to connect to TCP port 1190, not UDP port 1190.
  4. Your iptables rule again shows TCP; not UDP.

By default OpenVPN uses UDP, for good reasons.

UDP also implies that you can't check for connectivity as easily as with TCP; it's hard to tell the difference between a firewall silently dropping packets, and the service silently discarding unknown input.

Test with an OpenVPN client, not nc. Fix your problem with TCP vs. UDP.

vidarlo
  • I have tested with OpenVPN client from CLI. It does not work. I shall update the question with details of that. – MadPhysicist Jun 13 '22 at 14:49
  • Tried the following command to no avail: `sudo iptables -A INPUT -m state --state NEW -m udp -p udp --dport 1190 -j ACCEPT` – MadPhysicist Jun 13 '22 at 15:05
  • UDP doesn't have state. You simply have to accept it. – vidarlo Jun 13 '22 at 20:38
  • I have just done `sudo iptables -A INPUT -p udp -m udp --dport 1190 -j ACCEPT` and the connection still does not work. Neither does this open port appear in netstat. – MadPhysicist Jun 14 '22 at 13:23
  • The first code block shows OpenVPN listening perfectly fine? – vidarlo Jun 14 '22 at 16:47
  • Perhaps. I am still not sure what to do and how to troubleshoot. – MadPhysicist Jun 15 '22 at 04:02
  • I suggest you update your question to reflect the changes you have done and my answer. That way it'll be clearer. I'll delete the answer since it's not really helpful to the new state of the question :) – vidarlo Jun 15 '22 at 08:00
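Added example, not part of the question or the answer: a small POSIX shell script that reads the protocol and port OpenVPN actually listens on from a netstat line (the one quoted in the question is embedded as constructed sample input), then derives the matching iptables rule and nc probe and flags a rule whose protocol does not match the listener, which is the TCP-vs-UDP mix-up the answer points out. The host `x.xx.xx.xx` is the question's own placeholder; the `-m conntrack --ctstate NEW` match is used in place of the older `-m state --state NEW` for the TCP case only.

```shell
#!/bin/sh
# Cross-check the protocol OpenVPN listens on against the firewall rule and the probe.

# Print "proto port" for each openvpn socket in netstat -anp style output on stdin.
# UDP lines have no State column, but the foreign address is field 5 in both cases.
openvpn_listeners() {
    awk '$NF ~ /openvpn/ && $5 == "0.0.0.0:*" { n = split($4, a, ":"); print $1, a[n] }'
}

# Emit the iptables rule that fits the listener. UDP has no handshake, so there is
# no NEW state to match; the datagrams simply have to be accepted.
iptables_rule_for() {
    proto=$1; port=$2
    case "$proto" in
        udp)  echo "iptables -A INPUT -p udp --dport $port -j ACCEPT" ;;
        tcp*) echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT" ;;
        *)    echo "unknown proto: $proto" >&2; return 1 ;;
    esac
}

# nc needs -u for UDP. Even then, silence proves nothing: a dropped packet and a
# server that ignores an unknown datagram look identical from the client.
nc_probe_for() {
    proto=$1; host=$2; port=$3
    case "$proto" in
        udp) echo "nc -vzu $host $port" ;;
        *)   echo "nc -vz $host $port" ;;
    esac
}

# True when the protocol named by "-p <proto>" in a rule equals the listener protocol.
rule_matches_listener() {
    rule=$1; listener_proto=$2
    rule_proto=$(echo "$rule" | sed -n 's/.*-p \([a-z0-9]*\).*/\1/p')
    [ "$rule_proto" = "$listener_proto" ]
}

# Constructed sample: the listener line from the question.
SAMPLE='udp        0      0 0.0.0.0:1190            0.0.0.0:*                           1455/openvpn-openss'

echo "$SAMPLE" | openvpn_listeners | while read -r proto port; do
    echo "OpenVPN listens on $proto/$port"
    iptables_rule_for "$proto" "$port"
    nc_probe_for "$proto" x.xx.xx.xx "$port"
done
```

On a live server, replace the sample with `sudo netstat -uapn -tnp` (or `ss -ulpn`) output and run the rule you intend to add through `rule_matches_listener` before adding it.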