c_korn
Posts: 14
Joined: Mon Oct 14, 2019 6:07 pm

OpenVPN port is not open/reachable from outside

Tue Oct 15, 2019 5:25 pm

Hello,

having problems with OpenVPN on my Raspberry Pi Model 3B.

I used this script for setting up OpenVPN.

https://github.com/Nyr/openvpn-install

But when I try to connect from outside I get "connection refused".

I checked with nmap and the port seems to be open but somehow blocked?

This is the output of netstat:
$ sudo netstat -tulpn | grep 12940
tcp 0 0 192.168.0.33:12940 0.0.0.0:* LISTEN 4624/openvpn
As you can see here the port is open but I do not see it using nmap:
# nmap localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-15 18:19 BST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql
3389/tcp open ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 2.04 seconds
This is my server.conf:
local 192.168.0.33
port 12940
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.0.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem

PhatFil
Posts: 1436
Joined: Thu Apr 13, 2017 3:55 pm
Location: Oxford UK

Re: OpenVPN port is not open/reachable from outside

Tue Oct 15, 2019 5:43 pm

Try rebooting/restarting your network router/AP. It shouldn't be an issue but I have had one pi install stall on networking issues that went away with a router restart. Also check you're not applying mac filtering or other security measures requiring identification/validation for network membership.

c_korn
Posts: 14
Joined: Mon Oct 14, 2019 6:07 pm

Re: OpenVPN port is not open/reachable from outside

Wed Oct 16, 2019 6:48 pm

Already restarted the device but it did not help.
MAC filter or anything is also not active.

I can successfully access my git repository on the PI.

Only OpenVPN is not working.

epoch1970
Posts: 3854
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: OpenVPN port is not open/reachable from outside

Wed Oct 16, 2019 9:46 pm

Without any further option nmap is probably not scanning that port, it only looks for a subset of commonly used ports.
Have you configured your router to forward whatever port to 192.168.0.33 12940/tcp?
Read the log on the server, you should see if anything goes wrong and otherwise see incoming connections.
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel

c_korn
Posts: 14
Joined: Mon Oct 14, 2019 6:07 pm

Re: OpenVPN port is not open/reachable from outside

Thu Oct 17, 2019 5:59 pm

Just changed the port to 1294 and restarted the PI, but the problem remains:
$ sudo netstat -tulpn | grep LISTEN
tcp 0 0 192.168.0.33:1294 0.0.0.0:* LISTEN 1055/openvpn
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 495/sshd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 554/mysqld
tcp6 0 0 :::80 :::* LISTEN 584/apache2
tcp6 0 0 :::22 :::* LISTEN 495/sshd
tcp6 0 0 ::1:3350 :::* LISTEN 468/xrdp-sesman
tcp6 0 0 :::443 :::* LISTEN 584/apache2
tcp6 0 0 :::3389 :::* LISTEN 498/xrdp
# nmap localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-17 18:58 BST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql
3389/tcp open ms-wbt-server
What log should I have a look at?

epoch1970
Posts: 3854
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: OpenVPN port is not open/reachable from outside

Thu Oct 17, 2019 6:29 pm

Try "nmap -p 1294 localhost"
For the logfile since you haven't a specific directive in your config file, see the default log file /var/log/syslog.
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel

c_korn
Posts: 14
Joined: Mon Oct 14, 2019 6:07 pm

Re: OpenVPN port is not open/reachable from outside

Thu Oct 17, 2019 8:10 pm

# nmap -p 1294 localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-17 21:09 BST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00018s latency).
Other addresses for localhost (not scanned): ::1

PORT STATE SERVICE
1294/tcp closed cmmdriver

Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds
After executing this command there is no new entry in /var/log/syslog

epoch1970
Posts: 3854
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: OpenVPN port is not open/reachable from outside

Thu Oct 17, 2019 8:18 pm

Doesn't look like it is running. Try to start it in the foreground from the command line: "sudo openvpn --config /etc/openvpn/xxxxx"
https://openvpn.net/community-resources ... le-window/
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel

DougieLawson
Posts: 36511
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: OpenVPN port is not open/reachable from outside

Thu Oct 17, 2019 8:25 pm

Has nobody pointed out that by default Openvpn runs on port 1194 UDP not TCP?
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

epoch1970
Posts: 3854
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: OpenVPN port is not open/reachable from outside

Thu Oct 17, 2019 8:27 pm

DougieLawson wrote:
Thu Oct 17, 2019 8:25 pm
Has nobody pointed out that by default Openvpn runs on port 1194 UDP not TCP?
You're right but the OP has "proto tcp" in his config file.
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel

c_korn
Posts: 14
Joined: Mon Oct 14, 2019 6:07 pm

Re: OpenVPN port is not open/reachable from outside

Thu Oct 17, 2019 8:53 pm

epoch1970 wrote:
Thu Oct 17, 2019 8:18 pm
Doesn't look like it is running. Try to start it in the foreground from the command line: "sudo openvpn --config /etc/openvpn/xxxxx"
https://openvpn.net/community-resources ... le-window/
Not sure if I did correctly, but here is the output:
# openvpn --config /etc/openvpn/server/server.conf
Options error: --dh fails with 'dh.pem': No such file or directory (errno=2)
Options error: --ca fails with 'ca.crt': No such file or directory (errno=2)
Options error: --cert fails with 'server.crt': No such file or directory (errno=2)
Thu Oct 17 21:51:17 2019 WARNING: cannot stat file 'server.key': No such file or directory (errno=2)
Options error: --key fails with 'server.key': No such file or directory (errno=2)
Options error: --crl-verify fails with 'crl.pem': No such file or directory (errno=2)
Thu Oct 17 21:51:17 2019 WARNING: cannot stat file 'tc.key': No such file or directory (errno=2)
Options error: --tls-crypt fails with 'tc.key': No such file or directory (errno=2)
Options error: Please correct these errors.
Use --help for more information.
Those files exist in the directory:
# ls -la /etc/openvpn/server/
total 56
drwxr-xr-x 3 root root 4096 Oct 17 18:53 .
drwxr-xr-x 4 root root 4096 Oct 11 21:08 ..
-rw------- 1 root root 1192 Oct 11 21:08 ca.crt
-rw------- 1 root root 1675 Oct 11 21:08 ca.key
-rw-r--r-- 1 root root 224 Oct 11 21:08 client-common.txt
-rw------- 1 nobody nogroup 642 Oct 11 21:08 crl.pem
-rw-r--r-- 1 root root 424 Oct 11 21:08 dh.pem
drwxrwxr-x 5 root root 4096 Oct 11 21:08 easy-rsa
-rw------- 1 root root 0 Oct 17 21:50 ipp.txt
-rw------- 1 root root 487 Oct 17 21:49 openvpn-status.log
-rw-r--r-- 1 root root 417 Oct 17 18:53 server.conf
-rw------- 1 root root 4594 Oct 11 21:08 server.crt
-rw------- 1 root root 1704 Oct 11 21:08 server.key
-rw------- 1 root root 636 Oct 11 21:08 tc.key
I know that openvpn normally runs on UDP. But I wanted to test the connection also with telnet, so I switched to TCP.
Once TCP works I will set it to UDP again.

epoch1970
Posts: 3854
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: OpenVPN port is not open/reachable from outside

Thu Oct 17, 2019 9:23 pm

Proto tcp means the tunnel uses TCP and its payload will usually be TCP as well. Usually that is not desirable, with TCP out of order packets are retransmitted so if the tunnel has a glitch, it will retransmit and the payload inside will get out of order as well. TCP inside UDP is just better, unless a firewall disallows UDP.

You need to use absolute paths in the configuration file. Eg.

ca /etc/openvpn/server/ca.crt
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel
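
The failure in the foreground run above, as an added example that is not part of the thread: OpenVPN resolves relative file arguments against the working directory of the process, not against the directory that holds the config file. The temporary directories and helper names below are constructed for the illustration; the directives come from the posted server.conf.

```python
import os
import tempfile

# Directives from the thread's server.conf whose argument is a file
# that must already exist when OpenVPN starts.
FILE_DIRECTIVES = {"ca", "cert", "key", "dh", "tls-crypt", "crl-verify"}

# Excerpt of the posted server.conf (relative file names, as in the thread).
SERVER_CONF = """\
local 192.168.0.33
port 12940
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
crl-verify crl.pem
"""


def file_options(conf_text):
    """Return (directive, path) pairs for every file-bearing directive."""
    opts = []
    for line in conf_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(("#", ";")):
            continue  # blank line or comment
        if len(parts) >= 2 and parts[0] in FILE_DIRECTIVES:
            opts.append((parts[0], parts[1]))
    return opts


def unresolved(conf_text, cwd):
    """Directives whose file is not found when the process runs in `cwd`."""
    missing = []
    for name, path in file_options(conf_text):
        full = path if os.path.isabs(path) else os.path.join(cwd, path)
        if not os.path.isfile(full):
            missing.append((name, path))
    return missing


def absolutize(conf_text, conf_dir):
    """Rewrite relative file arguments as absolute paths under conf_dir."""
    out = []
    for line in conf_text.splitlines():
        parts = line.split()
        if (len(parts) >= 2 and parts[0] in FILE_DIRECTIVES
                and not os.path.isabs(parts[1])):
            parts[1] = os.path.join(conf_dir, parts[1])
            line = " ".join(parts)
        out.append(line)
    return "\n".join(out) + "\n"


def demo():
    """Check the same config from two working directories, then fixed."""
    with tempfile.TemporaryDirectory() as root:
        conf_dir = os.path.join(root, "server")   # stands in for the config dir
        other = os.path.join(root, "elsewhere")   # stands in for the shell's cwd
        os.makedirs(conf_dir)
        os.makedirs(other)
        for _, name in file_options(SERVER_CONF):
            open(os.path.join(conf_dir, name), "w").close()  # empty stand-in files
        from_other = unresolved(SERVER_CONF, other)
        from_conf_dir = unresolved(SERVER_CONF, conf_dir)
        fixed = unresolved(absolutize(SERVER_CONF, conf_dir), other)
        return from_other, from_conf_dir, fixed


if __name__ == "__main__":
    for label, result in zip(("cwd elsewhere", "cwd = config dir", "absolute paths"), demo()):
        print(label, "->", result or "all files found")
```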

c_korn
Posts: 14
Joined: Mon Oct 14, 2019 6:07 pm

Re: OpenVPN port is not open/reachable from outside

Fri Oct 18, 2019 8:30 pm

epoch1970 wrote:
Thu Oct 17, 2019 9:23 pm
You need to use absolute paths in the configuration file. Eg.

ca /etc/openvpn/server/ca.crt
Omg, this was it! Thanks. Now it seems to work!
# openvpn --config /etc/openvpn/server/server.conf
Fri Oct 18 20:50:26 2019 OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Fri Oct 18 20:50:26 2019 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Fri Oct 18 20:50:26 2019 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Fri Oct 18 20:50:26 2019 Diffie-Hellman initialized with 2048 bit key
Fri Oct 18 20:50:26 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Oct 18 20:50:26 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Oct 18 20:50:26 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Oct 18 20:50:26 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Oct 18 20:50:26 2019 TUN/TAP device tun0 opened
Fri Oct 18 20:50:26 2019 TUN/TAP TX queue length set to 100
Fri Oct 18 20:50:26 2019 /sbin/ip link set dev tun0 up mtu 1500
Fri Oct 18 20:50:26 2019 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Fri Oct 18 20:50:26 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Oct 18 20:50:26 2019 Socket Buffers: R=[87380->87380] S=[16384->16384]
Fri Oct 18 20:50:26 2019 Listening for incoming TCP connection on [AF_INET]192.168.0.33:1294
Fri Oct 18 20:50:26 2019 TCPv4_SERVER link local (bound): [AF_INET]192.168.0.33:1294
Fri Oct 18 20:50:26 2019 TCPv4_SERVER link remote: [AF_UNSPEC]
Fri Oct 18 20:50:26 2019 GID set to nogroup
Fri Oct 18 20:50:26 2019 UID set to nobody
Fri Oct 18 20:50:26 2019 MULTI: multi_init called, r=256 v=256
Fri Oct 18 20:50:26 2019 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Fri Oct 18 20:50:26 2019 IFCONFIG POOL LIST
Fri Oct 18 20:50:26 2019 MULTI: TCP INIT maxclients=1024 maxevents=1028
Fri Oct 18 20:50:26 2019 Initialization Sequence Completed
I can connect now with OpenVPN from my Windows PC to the PI.

However, there is one bonus question ^^
I want to connect from outside (with mobile phone e.g.) to the OpenVPN at home on the PI.
Problem is, that I only have an IPv6 public IP from my ISP.
But I also have a vServer with a public IPv4 which I want to use to forward the connection to my PI.
On the vServer there is this script running:
socat -d -d TCP4-LISTEN:1294,fork,su=nobody TCP6:AAAAA.eu:1294
But when the incoming request arrives there is a "Connection refused" again:
2019/10/18 22:21:10 socat[29842] N opening connection to AF=10 [XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX]:1294
2019/10/18 22:21:10 socat[29842] E connect(5, AF=10 [XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX]:1294, 28): Connection refused
Is this still a problem with a blocked port (the output of nmap on the PI is still "1294/tcp closed cmmdriver")?
Or is there anything else wrong with this setup?

I use socat also to forward port 22 so I can push and pull from my git repository. This works without any problems.
Also with my mobile phone when I am not at home.

default_user8
Posts: 678
Joined: Mon Nov 18, 2013 3:11 am

Re: OpenVPN port is not open/reachable from outside

Sat Oct 19, 2019 12:27 am

So you don't really say in your post anything about your router setup, but normally you need to set a port forward in your router to access local lan resources such as a pivpn server.
Two heads are better than one, unless one's a goat head.

c_korn
Posts: 14
Joined: Mon Oct 14, 2019 6:07 pm

Re: OpenVPN port is not open/reachable from outside

Sat Oct 19, 2019 12:32 pm

My router is configured to route all incoming IPv6 requests on my PI.

And the port is also open.
I checked that by stopping openvpn on my PI and run:

# nc -6 -l 1294
On my vServer I ran:
nc -6 xxxxx.xx 1294
I was able to transfer text between the PI and my vServer. So the port is open.

default_user8
Posts: 678
Joined: Mon Nov 18, 2013 3:11 am

Re: OpenVPN port is not open/reachable from outside

Sat Oct 19, 2019 10:21 pm

Just out of curiosity what type of connection do you have from your ISP, cable, fiber? You stated you are able to use port 22 with your ISP, but my ISP blocks common ports for residential accounts, I run a nextcloud server, but I'm unable to use let's encrypt because those ports are blocked, and I have to use port forwarding in my router to bypass the blocked ports.
Two heads are better than one, unless one's a goat head.

c_korn
Posts: 14
Joined: Mon Oct 14, 2019 6:07 pm

Re: OpenVPN port is not open/reachable from outside

Mon Oct 21, 2019 6:41 pm

Basically it's a fiber connection. But the fiber does not reach to the house but only to a central node in my village.

The last mile so to speak is usual copper cable.

rpdom
Posts: 15567
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: OpenVPN port is not open/reachable from outside

Mon Oct 21, 2019 7:36 pm

c_korn wrote:
Mon Oct 21, 2019 6:41 pm
Basically it's a fiber connection. But the fiber does not reach to the house but only to a central node in my village.

The last mile so to speak is usual copper cable.
That sounds like what is known as FTTC (Fibre To The Cabinet) as in the fibre connection runs to a box somewhere near your home and the rest of the distance is copper cable.

It is supposedly going to be replaced with FTTP (Fibre To The Premises) where you will have a full fibre link direct to your home, but I can't see that happening anytime soon.

As my FTTC connection was originally set up for cable TV service, I get a much higher downstream (receive) rate than upstream (send).

c_korn
Posts: 14
Joined: Mon Oct 14, 2019 6:07 pm

Re: OpenVPN port is not open/reachable from outside

Mon Oct 21, 2019 8:45 pm

I will see.

Any idea why OpenVPN is not working when I route it to my PI from the vServer?
Has it anything to do with IPv6?

default_user8
Posts: 678
Joined: Mon Nov 18, 2013 3:11 am

Re: OpenVPN port is not open/reachable from outside

Tue Oct 22, 2019 12:27 am

A quick search showed that pivpn initially did not support ipv6, however this post shows a small tweak in the server.conf file should fix your issue.

"You only have to change one line in server.conf!
tcp to tcp6 or from udp to udp6!
In your client configurations, you just have to replace your IPv4 with your IPv6!
Also change udp -> udp6 / tcp -> tcp6"

Original post: https://github.com/pivpn/pivpn/issues/259

Hope this helps.
Two heads are better than one, unless one's a goat head.

default_user8
Posts: 678
Joined: Mon Nov 18, 2013 3:11 am

Re: OpenVPN port is not open/reachable from outside

Tue Oct 22, 2019 2:28 am

rpdom wrote:
Mon Oct 21, 2019 7:36 pm
c_korn wrote:
Mon Oct 21, 2019 6:41 pm
Basically it's a fiber connection. But the fiber does not reach to the house but only to a central node in my village.

The last mile so to speak is usual copper cable.
That sounds like what is known as FTTC (Fibre To The Cabinet) as in the fibre connection runs to a box somewhere near your home and the rest of the distance is copper cable.

It is supposedly going to be replaced with FTTP (Fibre To The Premises) where you will have a full fibre link direct to your home, but I can't see that happening anytime soon.

As my FTTC connection was originally set up for cable TV service, I get a much higher downstream (receive) rate than upstream (send).
Getting off topic here, but where I live in the US, we have 2 ISPs, one is cable, and one is FTTP, both provide tv, internet and phone service packages. Having been a subscriber to both I will say they both have pros and cons. The older cable service is cheaper, but the digital tv service isn't as good as the TV service from the more expensive fiber provider. The phone and internet from both is basically the same except for price point.
Two heads are better than one, unless one's a goat head.

c_korn
Posts: 14
Joined: Mon Oct 14, 2019 6:07 pm

Re: OpenVPN port is not open/reachable from outside

Tue Oct 22, 2019 6:56 pm

default_user8 wrote:
Tue Oct 22, 2019 12:27 am
A quick search showed that pivpn initially did not support ipv6, however this post shows a small tweak in the server.conf file should fix your issue.

"You only have to change one line in server.conf!
tcp to tcp6 or from udp to udp6!
In your client configurations, you just have to replace your IPv4 with your IPv6!
Also change udp -> udp6 / tcp -> tcp6"

Original post: https://github.com/pivpn/pivpn/issues/259

Hope this helps.
This sounded very promising but it did not help :-/
My server.conf starts with:

~# head /etc/openvpn/server/server.conf
local 192.168.0.33
port 1294
proto tcp6
My client profile starts with:
client
dev tun
proto tcp
remote xxx.xxx.xxx.xxx 443
xxx.xxx.xxx.xxx being the IP of my vServer.
tcp is correct here, right? Because it is an IPv4 address?

On my vServer I run this command:
socat -d -d TCP4-LISTEN:443,fork,su=nobody TCP6:xxx.xxx:1294 &
But when I make connection attempts the output is still:
Connection refused
//edit
Also tried with tcp6 in the client profile but it makes no difference.

//edit2
Also I did not use pivpn but this script:
https://github.com/Nyr/openvpn-install

But should not make a difference I think.

Also I tried to change the IP in the client profile directly to the local IP of my PI (192.168.0.33).
But then I only get a connection when I change the server.conf from tcp6 back to tcp again.

//edit3
Now I tried something interesting ^^
Made my openvpn on the PI listen on port 1394 tcp.
Then I started socat on the PI listening on 1294 with tcp6 and forwarding it to the local port 1394 with tcp4:
socat -d -d TCP6-LISTEN:1294,fork,su=nobody TCP4:localhost:1394
When I now try to connect using my vServer the socat process on the vServer outputs:
successfully connected from local address AF=10
But the socat process on the PI now outputs:
2019/10/22 20:10:50 socat[13910] E connect(5, AF=2 127.0.0.1:1394, 16): Connection refused
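
Added example, not part of the thread: a listening socket only accepts connections addressed to the IP it is bound to, which is consistent with netstat showing openvpn in LISTEN on 192.168.0.33 while `nmap localhost`, the IPv6 forward and the forward to localhost all report closed or refused (for the last two, assuming `local 192.168.0.33` was still in effect). The code replays the netstat lines posted earlier; 2001:db8::33 is a constructed documentation address and packet filtering is not modelled.

```python
import ipaddress

# LISTEN sockets copied from the netstat output posted in the thread.
NETSTAT = """\
tcp 0 0 192.168.0.33:1294 0.0.0.0:* LISTEN 1055/openvpn
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 495/sshd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 554/mysqld
tcp6 0 0 :::80 :::* LISTEN 584/apache2
tcp6 0 0 :::22 :::* LISTEN 495/sshd
tcp6 0 0 ::1:3350 :::* LISTEN 468/xrdp-sesman
tcp6 0 0 :::443 :::* LISTEN 584/apache2
tcp6 0 0 :::3389 :::* LISTEN 498/xrdp
"""


def parse_listeners(text):
    """Return (bind_ip, port, program) for every LISTEN line."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "LISTEN":
            continue
        # Split on the last colon so ":::80" gives host "::" and port "80".
        host, _, port = fields[3].rpartition(":")
        listeners.append((ipaddress.ip_address(host), int(port), fields[6]))
    return listeners


def accepts(listener, dst_ip, dst_port, dual_stack=True):
    """Would this socket take a TCP connection sent to dst_ip:dst_port?"""
    bind_ip, port, _ = listener
    dst = ipaddress.ip_address(dst_ip)
    if port != dst_port:
        return False
    if bind_ip.is_unspecified:            # 0.0.0.0 or ::
        if bind_ip.version == dst.version:
            return True
        # A [::] socket also takes IPv4 when net.ipv6.bindv6only=0
        # (the Linux default); that is why 80/tcp shows open on 127.0.0.1.
        return bind_ip.version == 6 and dst.version == 4 and dual_stack
    return bind_ip == dst                 # bound to one address only


def probe(text, dst_ip, dst_port):
    """Program that would answer, or None (the kernel replies with RST)."""
    for listener in parse_listeners(text):
        if accepts(listener, dst_ip, dst_port):
            return listener[2]
    return None


def open_ports(text, dst_ip):
    """All ports that would answer on dst_ip, sorted."""
    listeners = parse_listeners(text)
    return sorted({l[1] for l in listeners if accepts(l, dst_ip, l[1])})


if __name__ == "__main__":
    print("open on 127.0.0.1:", open_ports(NETSTAT, "127.0.0.1"))
    for ip in ("192.168.0.33", "127.0.0.1", "2001:db8::33"):
        print(f"{ip} port 1294 ->", probe(NETSTAT, ip, 1294) or "refused")
```

The computed port list for 127.0.0.1 matches the five ports `nmap localhost` reported in the thread, and 1294 only answers on 192.168.0.33.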

default_user8
Posts: 678
Joined: Mon Nov 18, 2013 3:11 am

Re: OpenVPN port is not open/reachable from outside

Wed Oct 23, 2019 10:49 am

Just for schlitz and giggles, if you have a spare SD card why not start from scratch with pivpn, it may work where the other script you used did not. If that doesn't work, then I'm inclined to believe that your ISP is somehow blocking your efforts.
Two heads are better than one, unless one's a goat head.

c_korn
Posts: 14
Joined: Mon Oct 14, 2019 6:07 pm

Re: OpenVPN port is not open/reachable from outside

Wed Oct 23, 2019 9:40 pm

default_user8 wrote:
Wed Oct 23, 2019 10:49 am
Just for schlitz and giggles, if you have a spare SD card why not start from scratch with pivpn, it may work where the other script you used did not. If that doesn't work, then I'm inclined to believe that your ISP is somehow blocking your efforts.
I followed your advice and deinstalled openvpn completely. Then I set it up with pivpn again.

Still having problems to connect but I get some output in "/var/log/openvpn.log" when I try to connect
using my vServer in the middle (I changed the ovpn profile to connect to my vServer via udp).
In the server.conf on the PI there is udp6 set as protocol.
On my vServer I then run this script:
socat -d -d UDP4-LISTEN:443,fork,su=nobody UDP6:xxxxx.xxx:1294
I changed the IP and the port in the ovpn file to connect to the vServer.
When I try to connect with my mobile phone there is output in the "/var/log/openvpn.log" file:

Oct 23 22:33:25 OpenVPN ovpn-server[1549]: xxxx:xxxx:x:xxx:xxxx:xxxx:xxxx:xxxx TLS: Initial packet from [AF_INET6]xxxx:xxxx:x:xxx:xxxx:xxxx:xxxx:xxxx:33793, sid=ec81a76b 49459b3e
Oct 23 22:33:26 OpenVPN ovpn-server[1549]: xxxx:xxxx:x:xxx:xxxx:xxxx:xxxx:xxxx tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1571866405) Wed Oct 23 23:33:25 2019 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 22:33:26 OpenVPN ovpn-server[1549]: xxxx:xxxx:x:xxx:xxxx:xxxx:xxxx:xxxx tls-crypt unwrap error: packet replay
Oct 23 22:33:26 OpenVPN ovpn-server[1549]: xxxx:xxxx:x:xxx:xxxx:xxxx:xxxx:xxxx TLS Error: tls-crypt unwrapping failed from [AF_INET6]xxxx:xxxx:x:xxx:xxxx:xxxx:xxxx:xxxx:33793
Oct 23 22:33:27 OpenVPN ovpn-server[1549]: xxxx:xxxx:x:xxx:xxxx:xxxx:xxxx:xxxx tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1571866405) Wed Oct 23 23:33:25 2019 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 22:33:27 OpenVPN ovpn-server[1549]: xxxx:xxxx:x:xxx:xxxx:xxxx:xxxx:xxxx tls-crypt unwrap error: packet replay
Oct 23 22:33:27 OpenVPN ovpn-server[1549]: xxxx:xxxx:x:xxx:xxxx:xxxx:xxxx:xxxx TLS Error: tls-crypt unwrapping failed from [AF_INET6]xxxx:xxxx:x:xxx:xxxx:xxxx:xxxx:xxxx:33793
Oct 23 22:33:28 OpenVPN ovpn-server[1549]: xxxx:xxxx:x:xxx:xxxx:xxxx:xxxx:xxxx tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1571866405) Wed Oct 23 23:33:25 2019 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 23 22:33:28 OpenVPN ovpn-server[1549]: xxxx:xxxx:x:xxx:xxxx:xxxx:xxxx:xxxx tls-crypt unwrap error: packet replay

default_user8
Posts: 678
Joined: Mon Nov 18, 2013 3:11 am

Re: OpenVPN port is not open/reachable from outside

Thu Oct 24, 2019 12:49 pm

c_korn wrote:
Wed Oct 23, 2019 9:40 pm
default_user8 wrote:
Wed Oct 23, 2019 10:49 am
Just for schlitz and giggles, if you have a spare SD card why not start from scratch with pivpn, it may work where the other script you used did not. If that doesn't work, then I'm inclined to believe that your ISP is somehow blocking your efforts.
I followed your advice and deinstalled openvpn completely. Then I set it up with pivpn again.

Still having problems to connect but I get some output in "/var/log/openvpn.log" when I try to connect
using my vServer in the middle (I changed the ovpn profile to connect to my vServer via udp).
In the server.conf on the PI there is udp6 set as protocol.
On my vServer I then run this script:
socat -d -d UDP4-LISTEN:443,fork,su=nobody UDP6:xxxxx.xxx:1294
I changed the IP and the port in the ovpn file to connect to the vServer.
When I try to connect with my mobile phone there is output in the "/var/log/openvpn.log" file:
I'm not sure I understand what you did exactly, so how are you using the vserver in the middle? I'm assuming you set up a client in the vserver to connect to pivpn, and then connected to the vserver. Have you tried connecting directly to pivpn from your phone or another device?
Two heads are better than one, unless one's a goat head.
