typerighter
Posts: 3
Joined: Wed Jan 07, 2015 9:11 pm

[Solved] OpenVPN / Pi networking help

Wed Jan 07, 2015 10:02 pm

I am a pi n00b, so I am hoping the pi community can lend me a hand in troubleshooting my OpenVPN setup.

I've attempted to set up an OpenVPN server on my Pi B+ by following the Read/Write tutorial (http://bit.ly/1kyqTYR).

I had no issues with generating certificates, forwarding the port, and in general following the tutorial -- however, when connecting to the server via an Android OpenVPN client on a mobile 3G network, the connection times out.

To further diagnose the problem, I followed the OpenVPN tutorial to set up a Windows VPN server on another machine, on the same network with the same port -- 1194. On Windows it worked like a charm -- which tells me that the problem I am having on the Pi is not the ISP blocking ports and not the router (which is running DD-WRT).

Which leads me to believe that when attempting to connect to the Pi VPN server, Pi is not accepting the incoming connection.

The output for nmap is as follows:

$ sudo nmap -sU 192.168.1.132 -p 1194
Starting Nmap 6.00 ( http://nmap.org ) at 2015-01-07 13:21 PST
Nmap scan report for raspberrypi.socal.rr.com (192.168.1.132)
Host is up (0.00060s latency).
PORT     STATE  SERVICE
1194/udp closed openvpn

And here is the server conf file:

local 192.168.1.132
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/piserver.crt
key /etc/openvpn/easy-rsa/keys/pieater.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

Here are the contents of the client configuration script:

client
dev tun
proto udp
remote ***.**.***.*** 1194  # public IP obscured intentionally
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20

iptables output:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:openvpn

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  10.8.0.0/24          192.168.1.0/24       ctstate NEW
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere 

So this is where I could really use your help. Pi networking is a big mystery to me -- but clearly there's something on the server machine that is preventing it from seeing/accepting the incoming connection.

By the way, when I successfully connected to the Windows OpenVPN server, I used the same Android client over a mobile 3G connection -- without any issues. Thank you in advance for any help/feedback you can provide.
Last edited by typerighter on Thu Jan 08, 2015 7:57 pm, edited 1 time in total.

typerighter
Posts: 3
Joined: Wed Jan 07, 2015 9:11 pm

Re: OpenVPN / Pi networking help

Thu Jan 08, 2015 7:56 pm

I've finally solved the problem!

I did a combination of things -- so not entirely sure what exactly fixed it.

1. There is a problem with Part 2 of the Read Write tutorial referenced in my post above.

The last section of the tutorial says that you have to copy the client certificate and key files via SCP to the client machine. However, it doesn't explicitly say what files are needed to make the client talk to the VPN server. My problem was that I failed to transfer the ta.key file to the client. I transferred ca.cert, client.cert, client.key, client.ovpn, but not the ta.key file. Hence the server wouldn't even acknowledge the client on attempting to connect.

2. DD-WRT port configuration

In researching this problem I read that some people running DD-WRT had problems with the router forwarding the correct ports. So instead of port forwarding in DD-WRT (NAT/QoS tab -> Port Forwarding tab), I used port range forwarding for the same port. Not 100% sure if this had any effect -- but this is how it's set up now that the VPN is functioning.

3. iptables commands

I ran the following commands per the tutorial found here (http://www.raspberrypi.org/forums/viewt ... 36&t=81657)

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -d 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.XX.X
service openvpn restart

Except I have a different subnet, so in the fourth command from the top I changed 192.168.0.0/24 to numbers that correspond to my subnet. Same thing with the command on line 9: I changed the X's to correspond to my Pi IP. Not sure which of these commands worked, but now my output from nmap reads:

sudo nmap -sU localhost -p 1194

Starting Nmap 6.00 ( http://nmap.org ) at 2015-01-08 11:39 PST
Nmap scan report for localhost (127.0.0.1)
Host is up.
Other addresses for localhost (not scanned): 127.0.0.1
PORT     STATE         SERVICE
1194/udp open|filtered openvpn

Nmap done: 1 IP address (1 host up) scanned in 3.37 seconds
Lastly, I cobbled together my solution from the Read Write tutorial and this thread by rmurr http://www.raspberrypi.org/forums/viewt ... 36&t=81657

I used rmurr's sample server config file. However, when I checked the OpenVPN server's log /var/log/openvpn.log, it showed an error "TLS Error: reading acknowledgement record from packet". Turns out rmurr's sample server config file was missing a line referencing the TLS certificate -- so if you're having this error, edit the server.conf file and after "keepalive 10 120" on the next line add

tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0

If you are using the server config file from the Read Write tutorial, this line is already in there.
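As an added example (not code from the thread or the tutorials it links), here is a small Python checker that parses a server.conf and a client profile and reports the mismatches behind exactly this kind of silent timeout: a server running tls-auth whose client profile carries no ta.key (the poster's case), plus proto/port/cipher/comp-lzo mismatches and a key-direction that is the same on both sides. The embedded sample configs are constructed from the settings quoted in the thread; the remote hostname is a placeholder.

```python
import shlex

def parse_config(text):
    """Map each directive to its argument lists, in order; comments are dropped
    and an inline <tag>...</tag> block is recorded as tag -> ['<inline>']."""
    cfg, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:  # skip key material until the closing </tag>
            block = None if line == f"</{block}>" else block
            continue
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line[0] == "<" and line[-1] == ">":
            block = line[1:-1]
            cfg.setdefault(block, []).append(["<inline>"])
        else:
            parts = shlex.split(line)
            cfg.setdefault(parts[0], []).append(parts[1:])
    return cfg

def check_client(server_text, client_text):
    """Return findings explaining why the client profile cannot reach the server."""
    s, c = parse_config(server_text), parse_config(client_text)
    out = []
    for key in ("proto", "cipher", "comp-lzo"):
        if s.get(key) != c.get(key):
            out.append(f"{key} mismatch: server {s.get(key)} vs client {c.get(key)}")
    port = s.get("port", [["1194"]])[0][0]
    for remote in c.get("remote", []):
        if len(remote) > 1 and remote[1] != port:
            out.append(f"port mismatch: server {port} vs client remote {remote[1]}")
    if "tls-auth" in s:
        # With tls-auth the server discards every packet whose HMAC fails, so a
        # client without ta.key never gets a reply: the silent timeout in the thread.
        if "tls-auth" not in c:
            out.append("server uses tls-auth but client carries no tls-auth/ta.key")
        else:
            sdir = s["tls-auth"][0][1:2]
            cdir = c["tls-auth"][0][1:2] or c.get("key-direction", [[]])[0][:1]
            if sdir and cdir and sdir == cdir:
                out.append(f"key-direction must differ (both sides use {sdir[0]})")
    return out

# Constructed samples: the thread's server.conf essentials, a client profile like
# the poster's first attempt (key-direction set but no ta.key), and a fixed one.
SERVER = "proto udp\nport 1194\ntls-auth /etc/openvpn/easy-rsa/keys/ta.key 0\ncipher AES-128-CBC\ncomp-lzo\n"
CLIENT_BROKEN = "client\nproto udp\nremote vpn.example.invalid 1194\nkey-direction 1\ncipher AES-128-CBC\ncomp-lzo\n"
CLIENT_FIXED = CLIENT_BROKEN + "<tls-auth>\n-----placeholder, not a real key-----\n</tls-auth>\n"
```

Running check_client(SERVER, CLIENT_BROKEN) returns the single tls-auth finding, while check_client(SERVER, CLIENT_FIXED) returns an empty list.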
