I followed the streamlined OpenVPN guide, but I cannot get any of my VPN clients to connect: every client gets stuck on the authenticating step. The router can see the handshake come in:
Mon Feb 12 19:16:13 2018 us=305764 XXX.XXX.XXX.XXX:64332 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:64332, sid=c7508be9 9d38e1d1
Mon Feb 12 19:17:14 2018 us=80154 XXX.XXX.XXX.XXX:64332 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Feb 12 19:17:14 2018 us=80490 XXX.XXX.XXX.XXX:64332 TLS Error: TLS handshake failed

I set up the .ovpn files exactly as shown in the guide, and I still cannot connect. I am testing the connection from inside my LAN (to the WAN address) — would that matter, given that the OpenVPN firewall rule accepts any host from any zone?
Here is my firewall config:
# Stock OpenWrt input rules on the wan zone (DHCP renew, ping, IGMP, DHCPv6,
# MLD, ICMPv6 input/forward). These look like the shipped defaults and have
# no bearing on the OpenVPN handshake problem.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# NOTE(review): IPv4 echo-request from wan is accepted with no 'limit', unlike
# the ICMPv6 rules below ('limit 1000/sec'); add a limit if ping floods matter.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Forwarded ICMPv6 from wan into every zone ('dest *'); this is the one stock
# rule that opens forwarding from wan, limited to the listed error/echo types.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): no 'dest' is set, so despite the name this is an INPUT rule
# (traffic to the router itself), not a forward rule. It accepts tcp AND udp
# to port 5000 from every zone ('src *'). The OpenVPN server below listens on
# udp/5000 only ('option proto udp', 'option port 5000'), so the tcp half is
# unnecessary, and the 'OpenVPN' rule that follows already admits udp/5000
# from wan. This rule is redundant and can be dropped.
config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'tcp udp'
option src '*'
option dest_port '5000'
option name 'Allow Forwarded VPN Request -> <device>'
# Input rule for the OpenVPN server: udp/5000 from wan. This is the only rule
# the server needs and it matches the server's 'port'/'proto' settings. The
# log shows the client's first packet arriving, so this rule is working.
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option dest_port '5000'
option name 'OpenVPN'
# The four rules below match the tunnel pool 10.1.0.0/28 ('option server' in
# the OpenVPN section). NOTE(review): 'dest_ip 192.168.1.0/26' covers only
# 192.168.1.0-.63, while the route pushed to clients is 192.168.1.0/24. In
# practice the VPN zone's 'forward ACCEPT' and the VPN->lan zone forwarding
# further down already allow all VPN->lan traffic, so these rules are mostly
# redundant; if they are meant to be the authoritative allow-list, either
# widen dest_ip to /24 or narrow the pushed route to match.
# No 'dest' here -> INPUT rule; dest_ip on an input rule only matches the
# router's own address(es) in 192.168.1.0/26.
config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'tcp udp'
option src '*'
option src_ip '10.1.0.0/28'
option dest_ip '192.168.1.0/26'
option name 'Allow VPN0 -> LAN'
# Forward rule, any zone -> any zone, tunnel pool -> 192.168.1.0/26.
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option family 'ipv4'
option src '*'
option src_ip '10.1.0.0/28'
option dest '*'
option dest_ip '192.168.1.0/26'
option name 'Allow Forwarded VPN0 -> LAN'
# All ICMP from the tunnel pool forwarded into lan.
config rule
option target 'ACCEPT'
option proto 'icmp'
option src '*'
option src_ip '10.1.0.0/28'
option dest 'lan'
option name 'Allow VPN0 (ICMP) -> LAN'
# Echo-request from the tunnel pool forwarded out to wan. There is no zone
# forwarding from VPN to wan, so ping is the only VPN->internet traffic this
# file permits -- consistent with the split-tunnel push (only 192.168.1.0/24
# is routed to clients), but the name suggests '-> <device>' was intended;
# confirm which was meant.
config rule
option target 'ACCEPT'
option proto 'icmp'
list icmp_type 'echo-request'
option src '*'
option src_ip '10.1.0.0/28'
option dest 'wan'
option name 'Allow VPN0 (ICMP 8) -> <device> '
# NOTE(review): two unnamed forward rules admitting ESP and IKE (udp/500) from
# wan into lan to ANY host (no dest_ip). Nothing else in this file refers to
# IPsec and there is no matching DNAT redirect, so for the masqueraded IPv4 LAN
# these most likely never match (IPsec aimed at the router's public address is
# INPUT traffic, not FORWARD). They would matter if lan hosts are directly
# reachable from wan, e.g. over IPv6 (wan6 is in the wan zone). If no IPsec
# endpoint exists on the LAN, remove both; they are unrelated to OpenVPN.
config rule
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Guest zone services: DNS (tcp+udp/53) and DHCP (udp/67-68) to the router
# itself (no 'dest' -> INPUT). With the Guest zone's 'input REJECT' these are
# the only router services guests can reach, which is the right shape.
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option src 'Guest'
option name 'Guest DNS'
config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
option name 'Guest DHCP'
option src 'Guest'
# Global policy. 'input ACCEPT' is the catch-all for traffic that matches no
# zone; every zone below sets its own 'input', so this only matters for an
# interface that is not (yet) assigned to a zone. 'forward REJECT' is the
# inter-zone default unless a 'forwarding' section or rule allows it.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# NOTE(review): 'forward ACCEPT' on the wan zone lets traffic arriving on wan
# be forwarded back out through the wan zone (wan and wan6 are both members).
# OpenWrt's shipped default for wan is 'forward REJECT'; unless transit through
# the router is intended, set it back. 'input REJECT' plus the explicit rules
# above is correct and is what the OpenVPN 'udp/5000' rule relies on.
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option forward 'ACCEPT'
option input 'REJECT'
option network 'wan wan6'
config include
option path '/etc/firewall.user'
config zone
option forward 'REJECT'
option output 'ACCEPT'
option name 'Guest'
option network 'Guest'
option input 'REJECT'
config forwarding
option dest 'wan'
option src 'Guest'
config forwarding
option dest 'wan'
option src 'lan'
# miniupnpd lets any LAN host open inbound wan ports on demand, so the static
# redirects below are not the complete list of what is exposed. Disable it if
# that is not wanted.
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
# WAN port forwards, all to the same LAN host YYY.YYY.YYY.YYY. These are
# unrelated to OpenVPN (udp/5000 is not redirected, so it terminates on the
# router as intended).
# NOTE(review): SMTP/POP3/IMAP (25, 110, 143, 465, 587, 993, 995) are TCP-only
# protocols, yet every mail redirect uses 'proto tcp udp'; restrict them to
# 'tcp'. 25, 110 and 143 are cleartext unless the mail server enforces
# STARTTLS -- consider exposing only the TLS ports (465/587, 993, 995).
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option dest_ip 'YYY.YYY.YYY.YYY'
option dest_port '32400'
option name 'Plex'
option src_dport '12200'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option dest_ip 'YYY.YYY.YYY.YYY'
option src_dport '80'
option name 'Website Http'
option dest_port '45450'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option src_dport '443'
option dest_ip 'YYY.YYY.YYY.YYY'
option name 'Website Https'
option dest_port '45451'
option proto 'tcp udp'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '143'
option dest_ip 'YYY.YYY.YYY.YYY'
option dest_port '25253'
option name 'Email IMAP'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '993'
option dest_ip 'YYY.YYY.YYY.YYY'
option dest_port '25254'
option name 'Email IMAP TLS'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '110'
option dest_ip 'YYY.YYY.YYY.YYY'
option dest_port '25252'
option name 'Email POP'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '995'
option dest_ip 'YYY.YYY.YYY.YYY'
option dest_port '25255'
option name 'Email POP TLS'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '25'
option dest_ip 'YYY.YYY.YYY.YYY'
option name 'Email SMTP'
option dest_port '25256'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '465'
option dest_ip 'YYY.YYY.YYY.YYY'
option name 'Email SMTP TLS'
option dest_port '25257'
config redirect
option enabled '1'
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '587'
option dest_ip 'YYY.YYY.YYY.YYY'
option name 'Email SMTP STARTTLS'
option dest_port '25258'
# VPN zone for the tunnel interface (network 'vpn0'). 'input ACCEPT' lets
# connected clients reach every service the router itself listens on (SSH,
# LuCI, DNS, ...); add rules if clients should only see the LAN.
config zone
option name 'VPN'
option network 'vpn0'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# lan <-> VPN in both directions; this is what makes the per-IP VPN0->LAN
# rules above redundant.
config forwarding
option dest 'VPN'
option src 'lan'
config forwarding
option dest 'lan'
option src 'VPN'
# NOTE(review): a zone forwarding from wan into VPN (and, in the section that
# follows, from wan into lan) accepts unsolicited forwarded traffic from the
# internet into both internal zones. Behind IPv4 masquerade only DNAT'd
# traffic can arrive that way, but any host with a globally routable IPv6
# address would be directly exposed (wan6 is in the wan zone). Neither
# forwarding is needed for OpenVPN, which terminates on the router (INPUT);
# remove both and keep the default-deny.
config forwarding
option dest 'VPN'
option src 'wan'
config forwarding
option dest 'lan'
option src 'wan'

This is my OpenVPN config:
config openvpn 'VPNserver'
option enabled '1'
option dev 'tun0'
# 'server' already assigns the server-side tunnel address from the pool; the
# separate 'ifconfig' is redundant and, if the two ever disagree, confusing --
# keep one. With OpenVPN's default net30 topology a /28 pool yields only 3
# client slots; add 'topology subnet' if more are needed.
option server '10.1.0.0 255.255.255.240'
option ifconfig '10.1.0.1 255.255.255.240'
# Split tunnel: only the LAN route is pushed, so client internet traffic stays
# outside the tunnel (consistent with the firewall having no VPN->wan
# forwarding). The router (192.168.1.1) and two OpenDNS resolvers are pushed as
# DNS; the WINS/NTP pushes are only honoured by clients that support them.
list push 'route 192.168.1.0 255.255.255.0'
list push 'dhcp-option DNS 192.168.1.1'
list push 'dhcp-option WINS 192.168.1.1'
list push 'dhcp-option DNS 208.67.222.123'
list push 'dhcp-option DNS 208.67.220.123'
list push 'dhcp-option NTP 129.6.15.30'
list push 'sndbuf 393216'
list push 'rcvbuf 393216'
option cipher 'AES-256-CBC'
option auth 'SHA512'
# tls-auth with key-direction 0 on the server: every client must load the same
# ta.key with direction 1. The 'TLS: Initial packet from' line in the log
# normally means the client's first tls-auth-protected packet verified, so the
# key itself appears to match -- the failure is later in the exchange.
option tls_auth '/etc/ssl/openvpn/tls-auth.key 0'
option tls_server '1'
option tls_version_min '1.2'
# NOTE(review): TLS-ECDH-RSA-* (static ECDH) provides no forward secrecy and is
# rarely offered by clients; the three ECDHE/DHE suites are sufficient.
option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'
option log_append '/tmp/openvpn.log'
option status '/tmp/openvpn-status.log'
option verb '4'
option keepalive '10 120'
# NOTE(review): tunnel compression is a compression-oracle risk (VORACLE) when
# an attacker can inject traffic alongside secrets; prefer no compression
# unless bandwidth demands it.
option comp_lzo 'yes'
# Clients can reach each other inside OpenVPN, bypassing the router firewall.
option client_to_client '1'
option persist_key '1'
option persist_tun '1'
option sndbuf '393216'
option rcvbuf '393216'
# NOTE(review): 48000 is 32x the 1500-byte default and is the most likely
# cause of the 'TLS key negotiation failed to occur within 60 seconds' error
# above. OpenVPN derives its control-channel packet size from the same frame
# parameters, so the server's replies (which carry the certificate chain)
# become UDP datagrams far larger than any path MTU and must be IP-fragmented;
# a NAT or ISP that drops fragments, or a client built with a different
# tun-mtu, silently loses them and the client never finishes authenticating.
# Remove this line (default 1500) and retest before looking anywhere else; if
# it still fails, check that the server's replies actually reach the client
# (client-side firewall/NAT, return path).
option tun_mtu '48000'
# Privilege drop after start-up; persist_key/persist_tun above are what make
# restarts work after dropping to nobody/nogroup.
option user 'nobody'
option group 'nogroup'
# Server cert/key and CA come from the LuCI-uploaded PKCS#12 bundle; the DH
# parameters back the TLS-DHE-* suite listed in tls_cipher.
option pkcs12 '/lib/uci/upload/cbid.openvpn.VPNserver.pkcs12'
option dh '/lib/uci/upload/cbid.openvpn.VPNserver.dh'
# Must agree with the firewall's 'OpenVPN' input rule (udp/5000) -- it does.
option port '5000'
option proto 'udp'
# 'float' accepts a peer whose source address changes mid-session; it is
# mainly a client-side option and harmless but usually unneeded here.
option float '1'
option dev_type 'tun'

Thanks in advance.
