OpenVPN setup does not offer what i need for my vpn server....

gpatel-fr

@Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

I must have expressed myself poorly.

fact is, these VPN network configurations are a bit intricate and difficult to explain, remotely there is only one way to make them really clear: a diagram.

@Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

adds the route

if you have to add a route manually, there is something cheesy. Normally in simple cases OpenVpn handles all the routing automatically.

@Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

if I do the same thing by launching the VPN via OpenVPN using the .ovpn and adding the same route as before, the tun0 tunnel is created and I can ping the machines on my network

I take it that you confirmed that the tunnel is opened and working by taking a look at the openvpn interface statistics on the server (your PI if I understand correctly is in all case the test server right ?)
Something like
ip stats show dev tun0
to ensure that your packets are really passing by the Vpn.

My favourite test in case of Openvpn problems is pinging from each side the opposite Openvpn address, it could be 10.238.198.1 from one side and 10.238.198.2 from the other side (to be checked with ip a on both sides, the inet and the peer should be the same but reversed of course)

On a standard Linux, Openvpn logs to syslog and it can be really interesting to take a look at it, I don't have yet a phone to check what happens on UT. Routing can get really tricky with Openvpn, even by looking at syslog, sometimes it may be necessary to set

sudo sysctl net.ipv4.conf.all.log_martians=1

because by default this kind of problem is not sent to syslog. That's typically the case where it's necessary to add a route manually (I had this problem when running Openvpn in a lxd container)..

zakafx

I am glad that I found this thread. I also wanted to have remote access to my network while on the go so I enabled open VPN on my network. I actually use wireguard, but since there is no wireguard support in settings, I decided to use openvpn just for Ubuntu touch.

I followed the guide that's on the Ubuntu touch website, extracting all of the keys and information required to set this up. However, while I am able to establish a connection, I cannot ping anything at all, my route out to the internet as well as to internal network devices is dead.

I thought perhaps my configuration was wrong, so to verify everything was fine, I downloaded the OpenVPN app on my regular phone (android) and imported the profile that was created from my router (I used this exact profile to extract keys from above). Once it connected, everything just worked.

I'll follow this thread in case there are additional instructions I need to implement.

gpatel-fr

@zakafx said in OpenVPN setup does not offer what i need for my vpn server....:

I followed the guide that's on the Ubuntu touch website, extracting all of the keys and information required to set this up. However, while I am able to establish a connection, I cannot ping anything at all, my route out to the internet as well as to internal network devices is dead.

sorry I can't help you more but my phone under UT is still in the near future :-). I'd advise you to run the commands I gave in my previous message and post the result, with possibly a schema of your network to make things more clear.

zakafx

@gpatel-fr I just arrived back from a work trip so perhaps this weekend ill play around and report back. ill add a route manually and see what happens!

Vlad Nirky

@gpatel-en
Thank you for these explanations. Interesting...
I will look into it further.
I will keep you informed.

OtaDr

Hello, I am using an internet proxy with OVPN (IPFire project) and a phone with UT 24.04 (Pixel 3Axl). The VPN works both for accessing the local network and as a proxy for accessing, for example, the web from a mobile phone. (There were problems with the encryption type on the ovpn server side.)

I will add:
On the server side, I changed the encryption type from AES-GCM 256-bit to CBC 256-bit, and
then added the PKCS12 certificate to the phone...

Translated with DeepL.com (free version)

MrT10001

In the Xenial days I used VPN Editor which worked great for NordVPN. I don't know if it will work on Focal or Noble, may need an upgrade, but it had more tweaks to get things going.

jagdtigger

@arubislander said in OpenVPN setup does not offer what i need for my vpn server....:

Do you have an Ubuntu Desktop PC you could configure your VPN on and see if it works? Preferably one running the very same base version as the UT you have on your device. So 20.04 or 24.04.

Sorry for the long radio silence, something come up. Copied over the yaml file from netplan as is leaving content and name unchanged (minus the cert and key paths). It wont show up in settings under VPN, not even a reboot makes it appear.....

Vlad Nirky

@jagdtigger
Here's what I've done so far.
I imported the .ovpn file generated by my OpenVPN server into an Ubuntu 24.04 PC.
I tested that the VPN was working properly on the PC.
I exported this configuration using
nmcli connection export "<vpn name="">" > myvpn.nmconnection
I corrected the paths so that they point to /home/phablet/...
I copied this file to my phone, then imported the connection
nmcli connection import type openvpn file myvpn.ovpn
I opened this configuration in the UT VPN settings to add the TLS key password
I connected to my wife's phone's Wi-Fi and activated the VPN, which turned on.
My IP was 10.238.198.3
No way to ping a machine on my network even though the VPN is up (tun0 is in the result of ip a)
I copied the ovpn file on the smartphone then I then tried to simplify (no longer going through NetworkManager) and used
sudo openvpn --config /home/phablet/<vpn name>.ovpn --verb 4
ip a gives tun0 present
but no way to ping a machine on my network .
I have added the route
sudo ip route add 192.168.128.0/23 dev tun0.
After that i have been able to ping my network from the phone.

gpatel-fr

@Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

to add the TLS key password

strange that you have to do that, it's the ta.key parameter right ? why should it be not migrated I wonder.

ip a gives tun0 present

you can ping the other side of the vpn I take it (peer in ip a) I presume

sudo ip route add 192.168.128.0/23 dev tun0.

should NOT be necessary. Normally the log should give a reason why. Off the top of my head I can't imagine the reason - except maybe a ipv4/v6 problem.
I don't have my phone yet, is there not a syslog file under /var/log like in desktop Ubuntu ?

Vlad Nirky

@gpatel-fr
I guess TLS key has to be feed at the begining of the connection (as it does in openvpn connection)

With the NetworkManager

phablet@ubuntu-phablet:~$ route -v
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.238.198.1    0.0.0.0         UG    50     0        0 tun0
default         192.168.43.1    0.0.0.0         UG    600    0        0 wlan0
10.238.198.0    0.0.0.0         255.255.255.0   U     50     0        0 tun0
171.167-240-81. 192.168.43.1    255.255.255.255 UGH   50     0        0 wlan0
147.69.137.0    0.0.0.0         255.255.255.192 U     0      0        0 rmnet_data0
192.168.43.0    0.0.0.0         255.255.255.0   U     600    0        0 wlan0
192.168.43.1    0.0.0.0         255.255.255.255 UH    50     0        0 wlan0
192.168.128.0   0.0.0.0         255.255.254.0   U     50     0        0 tun0

But i was not able to ping 192.168.129.161 (my PC)

No NAT/MASQUERADE on the openvpn server?

No idea, i have tried to had
push "route 192.168.128.0 255.255.254.0"
push "dhcp-option DNS 192.168.128.1"
in server config but without result.(/etc/openvpn/server.conf)

sudo systemctl status NetworkManager
and
sudo systemctl status openvpn
gave me some clues (such as the TLS issue)

I haven't had time yet to look at the various logs

VPN on my PC works fine with the actual openvpn server but not the phone...

gpatel-fr

@Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.238.198.1 0.0.0.0 UG 50 0 0 tun0
default 192.168.43.1 0.0.0.0 UG 600 0 0 wlan0

2 default routes ? Is this really recommended by the Openvpn doc ?

All Vpns I have seen have ONE default route going by the standard network interface (wlan0 in your case), and a route for the specifc network to contact through the VPN, this route being created dynamically by Openvpn on instructions from the server. 2 default routes seems a recipe for getting random results.

Vlad Nirky

@gpatel-fr
My first openvpn...
It is usable (Ratchanan has connected my phone to debug some issues) and i use it to connect to my proxmox infra.

[jll @ rpi3 - 06:33:20 ]  ~ 
> cat /etc/openvpn/server.conf
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/rpi3_9b0ae2d9-f297-4706-ab24-8a9d63b3b51f.crt
key /etc/openvpn/easy-rsa/pki/private/rpi3_9b0ae2d9-f297-4706-ab24-8a9d63b3b51f.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.238.198.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 10.238.198.1"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
 tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device. 
#duplicate-cn
# Generated for use by PiVPN.io

Vlad Nirky

@gpatel-fr
On the PC
Connected through my wife phone

[jll @ fedora - 06:42:15 ]  ~ 
> ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fe:aa:b6:35:ee:2d brd ff:ff:ff:ff:ff:ff permaddr 94:e6:f8:ed:7d:c6
    altname wlp0s20f3
    altname wlx94e6f7ed7dc6
    inet 192.168.43.91/24 brd 192.168.43.255 scope global dynamic noprefixroute wlo1
       valid_lft 3583sec preferred_lft 3583sec
    inet6 2a02:a020:3ca:ad84:2f98:edb3:fe4a:5d89/64 scope global dynamic noprefixroute 
       valid_lft 3583sec preferred_lft 3583sec
    inet6 fe80::fa56:6baf:9454:41db/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 7a:36:73:60:85:f6 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.238.198.3/24 brd 10.238.198.255 scope global noprefixroute tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::1ba:8201:6599:7bb8/64 scope link stable-privacy proto kernel_ll 
       valid_lft forever preferred_lft forever
[jll @ fedora - 06:42:20 ]  ~ 
> route -v
Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    50     0        0 tun0
default         _gateway        0.0.0.0         UG    600    0        0 wlo1
10.238.198.0    0.0.0.0         255.255.255.0   U     50     0        0 tun0
171.167-240-81. _gateway        255.255.255.255 UGH   50     0        0 wlo1
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.43.0    0.0.0.0         255.255.255.0   U     600    0        0 wlo1
_gateway        0.0.0.0         255.255.255.255 UH    50     0        0 wlo1
[jll @ fedora - 06:49:12 ]  ~ 
> ping 10.238.198.1
PING 10.238.198.1 (10.238.198.1) 56(84) octets de données.
64 octets de 10.238.198.1 : icmp_seq=1 ttl=64 temps=37.5 ms
64 octets de 10.238.198.1 : icmp_seq=2 ttl=64 temps=48.1 ms
^C
--- statistiques ping 10.238.198.1 ---
2 paquets transmis, 2 reçus, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 37.533/42.797/48.062/5.264 ms
[jll @ fedora - 06:49:24 ]  ~ 
> ping 10.238.198.2
PING 10.238.198.2 (10.238.198.2) 56(84) octets de données.
De 10.238.198.1 icmp_seq=2 Rediriger l'hôte(Nouveau sautsuivant : 10.238.198.2)
De 10.238.198.1 icmp_seq=3 Rediriger l'hôte(Nouveau sautsuivant : 10.238.198.2)
De 10.238.198.1 icmp_seq=4 Rediriger l'hôte(Nouveau sautsuivant : 10.238.198.2)
^C
--- statistiques ping 10.238.198.2 ---
4 paquets transmis, 0 reçus, +3 erreurs, 100% packet loss, time 3031ms

[jll @ fedora - 06:44:05 ]  ~ 
> ping 192.168.129.64
PING 192.168.129.64 (192.168.129.64) 56(84) octets de données.
64 octets de 192.168.129.64 : icmp_seq=1 ttl=254 temps=51.0 ms
64 octets de 192.168.129.64 : icmp_seq=2 ttl=254 temps=49.7 ms
64 octets de 192.168.129.64 : icmp_seq=3 ttl=254 temps=51.5 ms
^C
--- statistiques ping 192.168.129.64 ---
3 paquets transmis, 3 reçus, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 49.699/50.727/51.526/0.763 ms

Vlad Nirky

@gpatel-fr
I think a have something interresting in the openvpn server log (as you expected)

After phone connexion to VPN
root@rpi3:/var/log# 
cat openvpn.log 
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 TLS: Initial packet from [AF_INET]188.5.220.190:1210, sid=e5f0bc02 623c1eb2
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY OK: depth=1, CN=Easy-RSA CA
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY KU OK
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Validating certificate extended key usage
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY EKU OK
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY OK: depth=0, CN=phde
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_VER=2.6.14
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_PLAT=linux
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_TCPNL=1
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_MTU=1600
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_CIPHERS=AES-256-CBC
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_PROTO=990
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_LZO_STUB=1
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_COMP_STUB=1
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_COMP_STUBv2=1
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1557'
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 [phde] Peer Connection Initiated with [AF_INET]188.5.220.190:1210
Oct 26 07:14:56 rpi3 ovpn-server[11385]: MULTI: new connection by client 'phde' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Oct 26 07:14:56 rpi3 ovpn-server[11385]: MULTI_sva: pool returned IPv4=10.238.198.2, IPv6=(Not enabled)
Oct 26 07:14:56 rpi3 ovpn-server[11385]: OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/phde
Oct 26 07:14:56 rpi3 ovpn-server[11385]: MULTI: Learn: 10.238.198.3 -> phde/188.5.220.190:1210
Oct 26 07:14:56 rpi3 ovpn-server[11385]: MULTI: primary virtual IP for phde/188.5.220.190:1210: 10.238.198.3
Oct 26 07:14:56 rpi3 ovpn-server[11385]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Oct 26 07:14:56 rpi3 ovpn-server[11385]: Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 26 07:14:56 rpi3 ovpn-server[11385]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Oct 26 07:14:56 rpi3 ovpn-server[11385]: Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 26 07:14:56 rpi3 ovpn-server[11385]: SENT CONTROL [phde]: 'PUSH_REPLY,dhcp-option DNS 10.238.198.1,block-outside-dns,redirect-gateway def1,route-gateway 10.238.198.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.238.198.3 255.255.255.0,peer-id 0,cipher AES-256-CBC' (status=1)
Oct 26 07:14:56 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed
Oct 26 07:15:00 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed
Oct 26 07:15:07 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed
Oct 26 07:15:21 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed

After PC connexion to VPN
///Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 TLS: Initial packet from [AF_INET]188.5.220.190:1898, sid=0bfa998b 8f16b815
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY OK: depth=1, CN=Easy-RSA CA
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY KU OK
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Validating certificate extended key usage
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY EKU OK
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY OK: depth=0, CN=phde
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_VER=2.6.15
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_PLAT=linux
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_TCPNL=1
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_MTU=1600
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_NCP=2
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_PROTO=990
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_LZO_STUB=1
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_COMP_STUB=1
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_COMP_STUBv2=1
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 [phde] Peer Connection Initiated with [AF_INET]188.5.220.190:1898
Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 MULTI_sva: pool returned IPv4=10.238.198.2, IPv6=(Not enabled)
Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/phde
Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 MULTI: Learn: 10.238.198.3 -> phde/188.5.220.190:1898
Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 MULTI: primary virtual IP for phde/188.5.220.190:1898: 10.238.198.3
Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 Data Channel: using negotiated cipher 'AES-256-GCM'
Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 SENT CONTROL [phde]: 'PUSH_REPLY,dhcp-option DNS 10.238.198.1,block-outside-dns,redirect-gateway def1,route-gateway 10.238.198.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.238.198.3 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Oct 26 07:25:29 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 PUSH: Received control message: 'PUSH_REQUEST'

gpatel-fr

@Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

overriding but not wiping out the original default gateway.

I see. I have never seen this kind of configuration where road warriors are getting their internet access routed through the server, it has always been a theoretical thing because the combined download speed of several road warriors can't exceed a fraction of the upload speed of the server - and for a small business in my country, getting a 'business quality' connection of even 40Mbits/s is expensive and not worth the extra control that this is providing, hence routing access like that would make for a miserable performance for each road warrior whose personal network download performance would often exceed the total upload speed of the server.

So this is outside of my experience with Openvpn

OtaDr

@gpatel-fr
VPN or OVPN, if it does not route to the required network, it will be on the router side. It depends on how you are able to experiment and what your options are. If you have the option to build a router from a PC, I personally have had good experience (and tested functionality with "UT") with https://www.ipfire.org. It is Linux, so a lot of things can be configured there. / Unlike a router—a company, a brand, a box where even the instructions tend to be brief....

Translated with DeepL.com (free version)

Vlad Nirky

@OtaDr @gpatel-fr
Openvpn is a cherry pick on my pihole rpi server...
The first goal was to anonymize the DNS so i have installed pihole and unbound.
The vpn is for rare take over from outdoor UT developpers to debug issue on my hardware.

I thing there is some issue in the packet decryption.
This issue don't seem to happen when i launch openvpn manually on the phone (to be confirmed) so i have something to look out there.

The openvpn are not in the same version on the different parts

[jll @ rpi3 - 07:44:11 ]  ~ 
> openvpn --version
OpenVPN 2.5.1 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Aug 25 2025
library versions: OpenSSL 1.1.1w  11 Sep 2023, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

[jll @ fedora - 07:42:40 ]  ~ 
> openvpn --version
OpenVPN 2.6.15 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.2.6 30 Sep 2025, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=yes enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=yes enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no

phablet@ubuntu-phablet:~$ openvpn --version
OpenVPN 2.6.14 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_unit_tests=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no

gpatel-fr

@Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

Authenticate/Decrypt packet error: packet HMAC authentication failed

looks like a mismatch for the ta.key file.

@Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'

should have the same value for client and server...how that can be possible if you generated the config for the phone from the working config on the PC ?

gpatel-fr

@zakafx

I don't know if you are still struggling with this OpenVpn configuration, it seems that the default configuration generated with PIVpn assumes that every access should be routed by the server, if you have as a symptom that all Internet access is lost after launching the VPN this could be a reason, routing everything through the server is often not what is wanted anyway. Try to use easy-openvpn-server instead, from what I remember it generates a more usable configuration.