Trying to set up OpenVPN [SOLVED]

[SuperIT762]

I've been trying to set up OpenVPN on my Pi 2 for a while now, but have gotten stuck when trying to connect.

I have installed OpenVPN using PiVPN (http://www.pivpn.io/), which (supposedly) took care of server installation and config files.

I have confirmed that the server is running by running

Code: Select all

service openvpn status

but the problem seems to be that OpenVPN isn't listening on port 1194.

I have run nmap:

Code: Select all

servers@raspberrypi:~ $ nmap localhost

Starting Nmap 6.47 ( http://nmap.org ) at 2017-06-18 19:06 CDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0029s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 993 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
587/tcp  open  submission
5222/tcp open  xmpp-client
5269/tcp open  xmpp-server
5280/tcp open  xmpp-bosh

Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds

and netstat -a:

Code: Select all

servers@raspberrypi:~ $ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:xmpp-client           *:*                     LISTEN     
tcp        0      0 localhost:submission    *:*                     LISTEN     
tcp        0      0 *:http                  *:*                     LISTEN     
tcp        0      0 *:xmpp-server           *:*                     LISTEN     
tcp        0      0 *:ssh                   *:*                     LISTEN     
tcp        0      0 localhost:smtp          *:*                     LISTEN     
tcp        0      0 *:5280                  *:*                     LISTEN     
tcp        0      0 *:5281                  *:*                     LISTEN     
tcp        0    244 10.0.1.11:ssh           10.0.1.4:59532          ESTABLISHED
tcp6       0      0 [::]:xmpp-client        [::]:*                  LISTEN     
tcp6       0      0 [::]:http               [::]:*                  LISTEN     
tcp6       0      0 [::]:xmpp-server        [::]:*                  LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
tcp6       0      0 [::]:5280               [::]:*                  LISTEN     
tcp6       0      0 [::]:5281               [::]:*                  LISTEN     
udp        0      0 *:51398                 *:*                                
udp        0      0 *:mdns                  *:*                                
udp        0      0 *:41278                 *:*                                
udp        0      0 *:bootpc                *:*                                
udp        0      0 *:bootpc                *:*                                
udp        0      0 10.8.0.1:ntp            *:*                                
udp        0      0 10.0.1.11:ntp           *:*                                
udp        0      0 localhost:ntp           *:*                                
udp        0      0 *:ntp                   *:*                                
udp        0      0 *:openvpn               *:*                                
udp6       0      0 [::]:mdns               [::]:*                             
udp6       0      0 [::]:44843              [::]:*                             
udp6       0      0 [::]:dhcpv6-client      [::]:*                             
udp6       0      0 2602:304:cf8e:9178::ntp [::]:*                             
udp6       0      0 2602:304:cf8e:9178::ntp [::]:*                             
udp6       0      0 localhost:ntp           [::]:*                             
udp6       0      0 fe80::20f:60ff:fe08:ntp [::]:*                             
udp6       0      0 [::]:ntp                [::]:*                             
udp6       0      0 [::]:49802              [::]:*                             
raw6       0      0 [::]:ipv6-icmp          [::]:*                  7          
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ]         DGRAM                    5385     /run/systemd/notify
unix  2      [ ACC ]     STREAM     LISTENING     5387     /run/systemd/private
unix  2      [ ]         DGRAM                    5914     /run/wpa_supplicant/wlan0
unix  2      [ ]         DGRAM                    5402     /run/systemd/shutdownd
unix  13     [ ]         DGRAM                    5404     /run/systemd/journal/dev-log
unix  2      [ ACC ]     SEQPACKET  LISTENING     5408     /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     5412     /run/systemd/journal/stdout
unix  5      [ ]         DGRAM                    5414     /run/systemd/journal/socket
unix  2      [ ACC ]     STREAM     LISTENING     10626    /var/run/avahi-daemon/socket
unix  2      [ ACC ]     STREAM     LISTENING     10628    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     12168    /var/run/sendmail/mta/smcontrol
unix  2      [ ]         DGRAM                    6027     /var/run/thd.socket
unix  2      [ ACC ]     STREAM     LISTENING     6041     /var/run/dhcpcd.sock
unix  2      [ ACC ]     STREAM     LISTENING     6043     /var/run/dhcpcd.unpriv.sock
unix  2      [ ]         DGRAM                    7646     /run/systemd/journal/syslog
unix  3      [ ]         STREAM     CONNECTED     7044     
unix  3      [ ]         STREAM     CONNECTED     11785    
unix  3      [ ]         DGRAM                    6406     
unix  3      [ ]         STREAM     CONNECTED     7068     
unix  2      [ ]         DGRAM                    13554    
unix  3      [ ]         STREAM     CONNECTED     7024     
unix  3      [ ]         STREAM     CONNECTED     7146     /run/systemd/journal/stdout
unix  2      [ ]         DGRAM                    13359    
unix  3      [ ]         STREAM     CONNECTED     7069     
unix  3      [ ]         STREAM     CONNECTED     7070     /var/run/dbus/system_bus_socket
unix  2      [ ]         DGRAM                    7650     
unix  3      [ ]         STREAM     CONNECTED     13407    
unix  3      [ ]         DGRAM                    6405     
unix  3      [ ]         STREAM     CONNECTED     10890    
unix  3      [ ]         STREAM     CONNECTED     7072     /var/run/dbus/system_bus_socket
unix  2      [ ]         DGRAM                    5881     
unix  3      [ ]         STREAM     CONNECTED     11916    
unix  2      [ ]         DGRAM                    7035     
unix  2      [ ]         DGRAM                    14337    
unix  3      [ ]         STREAM     CONNECTED     6008     /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     13556    
unix  3      [ ]         STREAM     CONNECTED     6007     /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     6010     /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     6026     
unix  3      [ ]         STREAM     CONNECTED     6018     /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     13557    
unix  3      [ ]         STREAM     CONNECTED     7071     /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     7037     
unix  3      [ ]         STREAM     CONNECTED     7038     
unix  2      [ ]         DGRAM                    10996    
unix  2      [ ]         DGRAM                    12152    
unix  2      [ ]         DGRAM                    7076     
unix  3      [ ]         STREAM     CONNECTED     12413    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     10779    
unix  2      [ ]         DGRAM                    6402     
unix  2      [ ]         DGRAM                    6045     
unix  2      [ ]         DGRAM                    7062     
unix  2      [ ]         DGRAM                    11724    
unix  3      [ ]         STREAM     CONNECTED     10742    
unix  2      [ ]         DGRAM                    6020   

From what I can tell, nmap is showing that 1194 isn't open, and netstat is, which is confusing.

Additionally, running an external port scan on my public IP address shows that 1194 is "blocked".

Attempting to connect to the server yields a "Connection timeout: server poll timeout" error.

I'm not really sure what to do at this point, and Google has yielded no results. Any help is appreciated!

Thanks!

EDIT: I should also mention that the firewall is set up correctly.

Code: Select all

servers@raspberrypi:~ $ sudo ufw status
WARN: uid is 0 but '/lib' is owned by 1000
WARN: /lib is group writable!
Status: active

To                         Action      From
--                         ------      ----
1194/udp                   ALLOW       Anywhere
22                         ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
80                         ALLOW       Anywhere
587/tcp                    ALLOW       Anywhere
5222/tcp                   ALLOW       Anywhere
5269/tcp                   ALLOW       Anywhere
5280/tcp                   ALLOW       Anywhere
1194/udp                   ALLOW       Anywhere (v6)
22                         ALLOW       Anywhere (v6)
25/tcp                     ALLOW       Anywhere (v6)
80                         ALLOW       Anywhere (v6)
587/tcp                    ALLOW       Anywhere (v6)
5222/tcp                   ALLOW       Anywhere (v6)
5269/tcp                   ALLOW       Anywhere (v6)
5280/tcp                   ALLOW       Anywhere (v6)

[rpdom]

It looks like nmap is only showing TCP ports, but OpenVPN is listening on UDP, which is normal.

Make sure your router (if you have one) has port forwarding set so that UDP 1194 is directed to the IP address of your Pi.

[john564]

If you want to connect at home, with PI and PC connected to same router
connect to local IP address of PI server e.g. 192.168.1.4, not your external IP
when you go to your remote location, connect to external IP or no-ip address

does not work when client and server are connected
to same router and you try external IP address.

To get external access, Points to note
1) The PI needs a static internal IP address from the router.
Remember you forwarded port 1194 to some local IP address of PI server e.g. 192.168.1.4
so you need to make sure the PI always gets 192.168.1.4 after the router is rebooted.

2) Some domestic routers need to have the level of firewall paranoia/security lowered
so port forwarding works.

[SuperIT762]

It looks like nmap is only showing TCP ports, but OpenVPN is listening on UDP, which is normal.

Make sure your router (if you have one) has port forwarding set so that UDP 1194 is directed to the IP address of your Pi.

That part is also set up correctly, because I can access other servers on the Pi externally (such as the webserver) which has port forwarding set up the same way as the VPN.

If you want to connect at home, with PI and PC connected to same router
connect to local IP address of PI server e.g. 192.168.1.4, not your external IP
when you go to your remote location, connect to external IP or no-ip address

does not work when client and server are connected
to same router and you try external IP address.

To get external access, Points to note
1) The PI needs a static internal IP address from the router.
Remember you forwarded port 1194 to some local IP address of PI server e.g. 192.168.1.4
so you need to make sure the PI always gets 192.168.1.4 after the router is rebooted.

2) Some domestic routers need to have the level of firewall paranoia/security lowered
so port forwarding works.

I don't think that's the case, since I always test my VPN connection on my phone, over cellular. Additionally, I can access the other servers using the external address just fine from inside the network.

The problem is it was working but has stopped. I recently switched from Comcast to AT&T, so there was a period of time where the AT&T gateway and my router (Airport Extreme) were fighting over IP addresses. However, I fixed it so that the Airport (which was already setup with port forwarding and static IPs) was managing everything again. There shouldn't be any issues, at least as far as I can tell.

Let me know what you think.

[SuperIT762]

So I found out today that this was a glitch caused by an update at some point. Reinstalling the client app and certificate fixed this. Now I can get all my devices to connect at least.

(It's still not working quite right, but the original issue was resolved so I'm making a new topic on that)

Hope this helps!