
    OpenVPN setup does not offer what i need for my vpn server....

      • Vlad Nirky @gpatel-fr

        @gpatel-fr
        Yes, and the server config is working with my PC (Fedora 42 and NetworkManager).
        The VPN server is not my router but an RPi 3 running OpenVPN.
        I have tried sudo openvpn --config /home/phablet/jll.ovpn --verb 4
        The VPN is up and tun0 is created,
        but I can't ping my local network.
        I had ping success when I added sudo ip route add 192.168.128.0/23 dev tun0
        It looks like (I'm not a network expert) NM doesn't add the route for some reason on the phone (confinement or bug), while the NM on my PC does.

        • Vlad Nirky @gpatel-fr

          @gpatel-fr
          Testing is not easy because I can't connect via ssh to the phone and have to do everything through the terminal on the phone... 😢

          • gpatel-fr @Vlad Nirky

            @Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

            The VPN serveur is not my routeur but a rpi 3 running openvpn.

            If this means that both your client and the server use the same network configuration, I don't think it can work. For routing to pass through the VPN, the client network and the server network should be different. That could be done with manual IP configuration, at least on your test server (the Pi, if I understand correctly).

            • Vlad Nirky @gpatel-fr

              @gpatel-fr
              I must have expressed myself poorly.
              The tunnel created tun0 has an address of 10.238.198.3.
              By adding the route, I can access my 192.168.128.0/23 network.
              On my PC, NetworkManager does the job: it opens the connection, receives an IP for the VPN, and adds the route (this is configured by my user's .ovpn, which I imported).
              Under UT, there is no .ovpn import. Configuration via the NetworkManager interface does not work (or I cannot get it to work). I exported the NetworkManager configuration from my PC with nmcli connection export and re-imported it into UT via nmcli connection import.
              Roughly speaking, it should contain what is in the .ovpn file.
              I added the TLS key password.
              The connection is established, I have a tun0 created with an IP address of 10.238.198.x, but pinging my 192.168.128.x network does not work even if I add the route so that my access to 192.168.128.0/23 is via tun0.
              However, if I do the same thing by launching the VPN via OpenVPN using the .ovpn and adding the same route as before, the tun0 tunnel is created and I can ping the machines on my network.

              • gpatel-fr @Vlad Nirky

                @Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

                I must have expressed myself poorly.

                Fact is, these VPN network configurations are a bit intricate and difficult to explain; remotely there is only one way to make them really clear: a diagram.

                @Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

                adds the route

                If you have to add a route manually, there is something cheesy. Normally, in simple cases, OpenVPN handles all the routing automatically.

                @Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

                if I do the same thing by launching the VPN via OpenVPN using the .ovpn and adding the same route as before, the tun0 tunnel is created and I can ping the machines on my network

                I take it that you confirmed that the tunnel is opened and working by taking a look at the OpenVPN interface statistics on the server (your Pi, if I understand correctly, is in all cases the test server, right?).
                Something like
                ip stats show dev tun0
                to ensure that your packets are really passing through the VPN.

                My favourite test in case of OpenVPN problems is pinging from each side the opposite OpenVPN address; it could be 10.238.198.1 from one side and 10.238.198.2 from the other side (to be checked with ip a on both sides: the inet and the peer should be the same, but reversed of course).

                On a standard Linux, OpenVPN logs to syslog and it can be really interesting to take a look at it; I don't yet have a phone to check what happens on UT. Routing can get really tricky with OpenVPN; even when looking at syslog, sometimes it may be necessary to set

                sudo sysctl net.ipv4.conf.all.log_martians=1

                because by default this kind of problem is not sent to syslog. That's typically the case where it's necessary to add a route manually (I had this problem when running OpenVPN in an LXD container).

                • zakafx @gpatel-fr
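The counter check gpatel-fr describes above (watch the tun0 statistics while pinging the far end of the tunnel) can be automated so that one run tells you which of the three failure modes discussed in this thread you are looking at. The following is an added example for this thread, not code from the posts, from OpenVPN or from UBports. It reads the same counters that `ip -s link show dev tun0` prints, but from /proc/net/dev so it needs nothing beyond the kernel and the ping binary; the snapshots used for the offline demo are constructed, and the interface name tun0 and the server-side tunnel address 10.238.198.1 are taken from the thread.

```python
"""Confirm that traffic really crosses tun0 by diffing its packet counters
around a ping.  Added example; snapshots below are constructed."""
import subprocess
from pathlib import Path

# /proc/net/dev: after the "iface:" prefix come 16 counters, 8 for receive
# (bytes packets errs drop fifo frame compressed multicast) and 8 for transmit
# (bytes packets errs drop fifo colls carrier compressed).
def parse_proc_net_dev(text: str) -> dict:
    counters = {}
    for line in text.splitlines():
        if ":" not in line:
            continue                      # the two header lines carry no colon
        name, rest = line.split(":", 1)
        fields = [int(x) for x in rest.split()]
        if len(fields) < 16:
            continue
        counters[name.strip()] = {
            "rx_packets": fields[1], "rx_errs": fields[2], "rx_drop": fields[3],
            "tx_packets": fields[9], "tx_errs": fields[10], "tx_drop": fields[11],
        }
    return counters


def tunnel_delta(before: str, after: str, dev: str = "tun0") -> dict:
    """Counter increase on `dev` between two /proc/net/dev snapshots."""
    b = parse_proc_net_dev(before)[dev]
    a = parse_proc_net_dev(after)[dev]
    return {k: a[k] - b[k] for k in b}


def verdict(delta: dict, sent: int) -> str:
    """Classify a ping run from the counter deltas alone."""
    if delta["tx_packets"] < sent:
        return "never entered tunnel: packets left by another interface, check 'ip route get <dst>'"
    if delta["rx_packets"] == 0:
        return "no reply through tunnel: check forwarding/NAT/firewall on the server side"
    if delta["rx_drop"] or delta["tx_drop"]:
        return "replies arrive but some are dropped: check MTU and enable log_martians"
    return "tunnel carries traffic both ways"


def live_check(dst: str = "10.238.198.1", count: int = 4, dev: str = "tun0"):
    """Run the real check on a Linux box (needs the ping binary, no root)."""
    before = Path("/proc/net/dev").read_text()
    subprocess.run(["ping", "-c", str(count), "-W", "2", dst], capture_output=True)
    after = Path("/proc/net/dev").read_text()
    d = tunnel_delta(before, after, dev)
    return d, verdict(d, count)


# Constructed /proc/net/dev snapshot with the tun0 packet counters as parameters
# (80 bytes per packet is an arbitrary size for the demo).
HEADER = (
    "Inter-|   Receive                                                |  Transmit\n"
    " face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed\n"
    " wlan0: 5120000   41000    0    0    0     0          0       312  2048000   26000    0    0    0     0       0          0\n"
)

def snapshot(tun0_rx: int, tun0_tx: int) -> str:
    return HEADER + (
        f"  tun0: {tun0_rx * 80:8d} {tun0_rx:7d}    0    0    0     0          0         0 "
        f"{tun0_tx * 80:8d} {tun0_tx:7d}    0    0    0     0       0          0\n"
    )


if __name__ == "__main__":
    base = snapshot(120, 130)
    cases = {
        "ok":          snapshot(124, 134),   # 4 requests out, 4 replies back
        "no reply":    snapshot(120, 134),   # the failure mode in this thread
        "wrong route": base,                 # nothing touched tun0 at all
    }
    for name, after in cases.items():
        d = tunnel_delta(base, after)
        print(f"{name:12s} {d}  ->  {verdict(d, 4)}")
```

`live_check()` does the same thing against the running system; run it once with the tunnel up and the verdict separates "the route is missing on the client" (nothing leaves tun0) from "the server side does not forward or NAT" (requests leave, nothing comes back), which is exactly the distinction the thread keeps circling.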

                  I am glad that I found this thread. I also wanted to have remote access to my network while on the go, so I enabled OpenVPN on my network. I actually use WireGuard, but since there is no WireGuard support in settings, I decided to use OpenVPN just for Ubuntu Touch.

                  I followed the guide that's on the Ubuntu Touch website, extracting all of the keys and information required to set this up. However, while I am able to establish a connection, I cannot ping anything at all; my route out to the internet as well as to internal network devices is dead.

                  I thought perhaps my configuration was wrong, so to verify everything was fine, I downloaded the OpenVPN app on my regular phone (android) and imported the profile that was created from my router (I used this exact profile to extract keys from above). Once it connected, everything just worked.

                  I'll follow this thread in case there are additional instructions I need to implement.

                  • gpatel-fr @zakafx

                    @zakafx said in OpenVPN setup does not offer what i need for my vpn server....:

                    I followed the guide that's on the Ubuntu touch website, extracting all of the keys and information required to set this up. However, while I am able to establish a connection, I cannot ping anything at all, my route out to the internet as well as to internal network devices is dead.

                    Sorry I can't help you more, but my phone under UT is still in the near future :-). I'd advise you to run the commands I gave in my previous message and post the result, possibly with a diagram of your network to make things more clear.

                    • zakafx @gpatel-fr

                      @gpatel-fr I just arrived back from a work trip, so perhaps this weekend I'll play around and report back. I'll add a route manually and see what happens!

                      • Vlad Nirky @gpatel-fr

                        @gpatel-fr
                        Thank you for these explanations. Interesting...
                        I will look into it further.
                        I will keep you informed.

                        • OtaDr

                          Hello, I am using an internet proxy with OVPN (IPFire project) and a phone with UT 24.04 (Pixel 3a XL). The VPN works both for accessing the local network and as a proxy for accessing, for example, the web from a mobile phone. (There were problems with the encryption type on the OVPN server side.)

                          I will add:
                          On the server side, I changed the encryption type from AES-GCM 256-bit to CBC 256-bit, and
                          then added the PKCS12 certificate to the phone...

                          Translated with DeepL.com (free version)

                          • MrT10001

                            In the Xenial days I used VPN Editor, which worked great for NordVPN. I don't know if it will work on Focal or Noble; it may need an upgrade, but it had more tweaks to get things going.

                            Xiaomi Redmi Note 7.... And more...
                            I have too many devices...

                            • jagdtigger @arubislander

                              @arubislander said in OpenVPN setup does not offer what i need for my vpn server....:

                              Do you have an Ubuntu Desktop PC you could configure your VPN on and see if it works? Preferably one running the very same base version as the UT you have on your device. So 20.04 or 24.04.

                              Sorry for the long radio silence, something came up. I copied over the YAML file from netplan as is, leaving content and name unchanged (minus the cert and key paths). It won't show up in settings under VPN; not even a reboot makes it appear.....

                              • Vlad Nirky @jagdtigger

                                @jagdtigger
                                Here's what I've done so far.
                                I imported the .ovpn file generated by my OpenVPN server into an Ubuntu 24.04 PC.
                                I tested that the VPN was working properly on the PC.
                                I exported this configuration using
                                nmcli connection export "<vpn name>" > myvpn.nmconnection
                                I corrected the paths so that they point to /home/phablet/...
                                I copied this file to my phone, then imported the connection:
                                nmcli connection import type openvpn file myvpn.ovpn
                                I opened this configuration in the UT VPN settings to add the TLS key password.
                                I connected to my wife's phone's Wi-Fi and activated the VPN, which turned on.
                                My IP was 10.238.198.3
                                No way to ping a machine on my network even though the VPN is up (tun0 is in the output of ip a).
                                I copied the .ovpn file to the smartphone, then tried to simplify (no longer going through NetworkManager) and used
                                sudo openvpn --config /home/phablet/<vpn name>.ovpn --verb 4
                                ip a shows tun0 present,
                                but no way to ping a machine on my network.
                                I added the route
                                sudo ip route add 192.168.128.0/23 dev tun0
                                After that I was able to ping my network from the phone.

                                • gpatel-fr @Vlad Nirky

                                  @Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

                                  to add the TLS key password

                                  Strange that you have to do that; it's the ta.key parameter, right? Why it should not be migrated, I wonder.

                                  ip a gives tun0 present

                                  You can ping the other side of the VPN, I take it (the peer in ip a)?

                                  sudo ip route add 192.168.128.0/23 dev tun0.

                                  should NOT be necessary. Normally the log should give a reason why. Off the top of my head I can't imagine the reason, except maybe an IPv4/IPv6 problem.
                                  I don't have my phone yet; is there not a syslog file under /var/log like in desktop Ubuntu?

                                  • Vlad Nirky @gpatel-fr

                                    @gpatel-fr
                                    I guess the TLS key has to be fed at the beginning of the connection (as it is in an openvpn connection).

                                    With the NetworkManager

                                    phablet@ubuntu-phablet:~$ route -v
                                    Kernel IP routing table
                                    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                    default         10.238.198.1    0.0.0.0         UG    50     0        0 tun0
                                    default         192.168.43.1    0.0.0.0         UG    600    0        0 wlan0
                                    10.238.198.0    0.0.0.0         255.255.255.0   U     50     0        0 tun0
                                    171.167-240-81. 192.168.43.1    255.255.255.255 UGH   50     0        0 wlan0
                                    147.69.137.0    0.0.0.0         255.255.255.192 U     0      0        0 rmnet_data0
                                    192.168.43.0    0.0.0.0         255.255.255.0   U     600    0        0 wlan0
                                    192.168.43.1    0.0.0.0         255.255.255.255 UH    50     0        0 wlan0
                                    192.168.128.0   0.0.0.0         255.255.254.0   U     50     0        0 tun0

                                    But I was not able to ping 192.168.129.161 (my PC).

                                    No NAT/MASQUERADE on the openvpn server?

                                    No idea, I have tried to add
                                    push "route 192.168.128.0 255.255.254.0"
                                    push "dhcp-option DNS 192.168.128.1"
                                    in the server config (/etc/openvpn/server.conf) but without result.

                                    sudo systemctl status NetworkManager
                                    and
                                    sudo systemctl status openvpn
                                    gave me some clues (such as the TLS issue).

                                    I haven't had time yet to look at the various logs

                                    The VPN on my PC works fine with the actual OpenVPN server, but not on the phone...

                                    • gpatel-fr @Vlad Nirky

                                      @Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

                                      Destination Gateway Genmask Flags Metric Ref Use Iface
                                      default 10.238.198.1 0.0.0.0 UG 50 0 0 tun0
                                      default 192.168.43.1 0.0.0.0 UG 600 0 0 wlan0

                                      2 default routes? Is this really recommended by the OpenVPN doc?

                                      All VPNs I have seen have ONE default route going through the standard network interface (wlan0 in your case), and a route for the specific network to contact through the VPN, this route being created dynamically by OpenVPN on instructions from the server. 2 default routes seems a recipe for getting random results.

                                      • Vlad Nirky @gpatel-fr
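The two default routes in the phone's table above are not left to chance by the kernel: for IPv4, Linux picks the most specific matching prefix first and, among routes with the same prefix length, the one with the lowest metric, so the metric-50 default on tun0 wins over the metric-600 default on wlan0 (this is how NetworkManager implements a pushed redirect-gateway), and the /23 entry Vlad added is more specific than either default. The following added example, which is not code from the thread or from OpenVPN, applies those two rules to the `route -v` output posted above, embedded as sample text. The entry whose destination `route -v` resolved to a truncated hostname is skipped because it is not a parseable address (`route -n` would have printed it numerically).

```python
"""Kernel-style IPv4 route selection over a net-tools `route` listing.
Added example; PHONE_TABLE is the table posted in this thread."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    metric: int
    iface: str


def parse_route_table(text: str) -> list[Route]:
    """Parse `route` output: Destination Gateway Genmask Flags Metric Ref Use Iface."""
    routes: list[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue                                  # header lines
        dest, gw, mask, _flags, metric, _ref, _use, iface = parts[:8]
        if dest == "default":
            dest = "0.0.0.0"
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue          # resolved hostname column; unusable without `route -n`
        routes.append(Route(net, gw, int(metric), iface))
    return routes


def lookup(routes: list[Route], dst: str) -> Route | None:
    """Longest prefix match first; lowest metric breaks ties (the kernel's order)."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def explain(routes: list[Route], dst: str) -> str:
    r = lookup(routes, dst)
    if r is None:
        return f"{dst}: unreachable (no route)"
    via = f"via {r.gateway}" if r.gateway != "0.0.0.0" else "on-link"
    return f"{dst}: {r.network} metric {r.metric} -> {r.iface} {via}"


# The phone's routing table as posted (route -v, NetworkManager-managed VPN).
PHONE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.238.198.1    0.0.0.0         UG    50     0        0 tun0
default         192.168.43.1    0.0.0.0         UG    600    0        0 wlan0
10.238.198.0    0.0.0.0         255.255.255.0   U     50     0        0 tun0
171.167-240-81. 192.168.43.1    255.255.255.255 UGH   50     0        0 wlan0
147.69.137.0    0.0.0.0         255.255.255.192 U     0      0        0 rmnet_data0
192.168.43.0    0.0.0.0         255.255.255.0   U     600    0        0 wlan0
192.168.43.1    0.0.0.0         255.255.255.255 UH    50     0        0 wlan0
192.168.128.0   0.0.0.0         255.255.254.0   U     50     0        0 tun0
"""
PHONE_ROUTES = parse_route_table(PHONE_TABLE)

if __name__ == "__main__":
    for dst in ("192.168.129.161", "10.238.198.1", "1.1.1.1", "192.168.43.1"):
        print(explain(PHONE_ROUTES, dst))
```

On the phone itself `ip route get 192.168.129.161` gives the kernel's own answer, which is the quicker check; the point of the script is that the client-side routing in the posted table already sends the PC's address to tun0, so a ping that still fails has to be lost further along (at the server's forwarding or NAT, or inside the tunnel), which is what the counter check earlier in the thread distinguishes. The /32 host route via 192.168.43.1 is what OpenVPN normally installs for the VPN server's own endpoint under redirect-gateway, so that the encrypted packets do not get routed back into tun0.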

                                        @gpatel-fr
                                        My first OpenVPN...
                                        It is usable (Ratchanan has connected to my phone to debug some issues) and I use it to connect to my Proxmox infra.

                                        [jll @ rpi3 - 06:33:20 ]  ~ 
                                        > cat /etc/openvpn/server.conf
                                        dev tun
                                        proto udp
                                        port 1194
                                        ca /etc/openvpn/easy-rsa/pki/ca.crt
                                        cert /etc/openvpn/easy-rsa/pki/issued/rpi3_9b0ae2d9-f297-4706-ab24-8a9d63b3b51f.crt
                                        key /etc/openvpn/easy-rsa/pki/private/rpi3_9b0ae2d9-f297-4706-ab24-8a9d63b3b51f.key
                                        dh none
                                        ecdh-curve prime256v1
                                        topology subnet
                                        server 10.238.198.0 255.255.255.0
                                        # Set your primary domain name server address for clients
                                        push "dhcp-option DNS 10.238.198.1"
                                        push "block-outside-dns"
                                        # Override the Client default gateway by using 0.0.0.0/1 and
                                        # 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
                                        # overriding but not wiping out the original default gateway.
                                        push "redirect-gateway def1"
                                        client-to-client
                                        client-config-dir /etc/openvpn/ccd
                                        keepalive 15 120
                                        remote-cert-tls client
                                        tls-version-min 1.2
                                        tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
                                        cipher AES-256-CBC
                                        auth SHA256
                                        user openvpn
                                        group openvpn
                                        persist-key
                                        persist-tun
                                        crl-verify /etc/openvpn/crl.pem
                                        status /var/log/openvpn-status.log 20
                                        status-version 3
                                        syslog
                                        verb 3
                                        #DuplicateCNs allow access control on a less-granular, per user basis.
                                        #Remove # if you will manage access by user instead of device. 
                                        #duplicate-cn
                                        # Generated for use by PiVPN.io
                                        
                                        • Vlad Nirky @gpatel-fr

                                          @gpatel-fr
                                          On the PC,
                                          connected through my wife's phone:

                                          [jll @ fedora - 06:42:15 ]  ~ 
                                          > ip a
                                          1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
                                              link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
                                              inet 127.0.0.1/8 scope host lo
                                                 valid_lft forever preferred_lft forever
                                              inet6 ::1/128 scope host noprefixroute 
                                                 valid_lft forever preferred_lft forever
                                          2: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
                                              link/ether fe:aa:b6:35:ee:2d brd ff:ff:ff:ff:ff:ff permaddr 94:e6:f8:ed:7d:c6
                                              altname wlp0s20f3
                                              altname wlx94e6f7ed7dc6
                                              inet 192.168.43.91/24 brd 192.168.43.255 scope global dynamic noprefixroute wlo1
                                                 valid_lft 3583sec preferred_lft 3583sec
                                              inet6 2a02:a020:3ca:ad84:2f98:edb3:fe4a:5d89/64 scope global dynamic noprefixroute 
                                                 valid_lft 3583sec preferred_lft 3583sec
                                              inet6 fe80::fa56:6baf:9454:41db/64 scope link noprefixroute 
                                                 valid_lft forever preferred_lft forever
                                          3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
                                              link/ether 7a:36:73:60:85:f6 brd ff:ff:ff:ff:ff:ff
                                              inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
                                                 valid_lft forever preferred_lft forever
                                          6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
                                              link/none 
                                              inet 10.238.198.3/24 brd 10.238.198.255 scope global noprefixroute tun0
                                                 valid_lft forever preferred_lft forever
                                              inet6 fe80::1ba:8201:6599:7bb8/64 scope link stable-privacy proto kernel_ll 
                                                 valid_lft forever preferred_lft forever
                                          [jll @ fedora - 06:42:20 ]  ~ 
                                          > route -v
                                          Kernel IP routing table
                                          Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                          default         _gateway        0.0.0.0         UG    50     0        0 tun0
                                          default         _gateway        0.0.0.0         UG    600    0        0 wlo1
                                          10.238.198.0    0.0.0.0         255.255.255.0   U     50     0        0 tun0
                                          171.167-240-81. _gateway        255.255.255.255 UGH   50     0        0 wlo1
                                          172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
                                          192.168.43.0    0.0.0.0         255.255.255.0   U     600    0        0 wlo1
                                          _gateway        0.0.0.0         255.255.255.255 UH    50     0        0 wlo1
                                          [jll @ fedora - 06:49:12 ]  ~ 
                                          > ping 10.238.198.1
                                          PING 10.238.198.1 (10.238.198.1) 56(84) bytes of data.
                                          64 bytes from 10.238.198.1: icmp_seq=1 ttl=64 time=37.5 ms
                                          64 bytes from 10.238.198.1: icmp_seq=2 ttl=64 time=48.1 ms
                                          ^C
                                          --- 10.238.198.1 ping statistics ---
                                          2 packets transmitted, 2 received, 0% packet loss, time 1002ms
                                          rtt min/avg/max/mdev = 37.533/42.797/48.062/5.264 ms
                                          [jll @ fedora - 06:49:24 ]  ~ 
                                          > ping 10.238.198.2
                                          PING 10.238.198.2 (10.238.198.2) 56(84) bytes of data.
                                          From 10.238.198.1 icmp_seq=2 Redirect Host(New nexthop: 10.238.198.2)
                                          From 10.238.198.1 icmp_seq=3 Redirect Host(New nexthop: 10.238.198.2)
                                          From 10.238.198.1 icmp_seq=4 Redirect Host(New nexthop: 10.238.198.2)
                                          ^C
                                          --- 10.238.198.2 ping statistics ---
                                          4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 3031ms

                                          [jll @ fedora - 06:44:05 ]  ~ 
                                          > ping 192.168.129.64
                                          PING 192.168.129.64 (192.168.129.64) 56(84) bytes of data.
                                          64 bytes from 192.168.129.64: icmp_seq=1 ttl=254 time=51.0 ms
                                          64 bytes from 192.168.129.64: icmp_seq=2 ttl=254 time=49.7 ms
                                          64 bytes from 192.168.129.64: icmp_seq=3 ttl=254 time=51.5 ms
                                          ^C
                                          --- 192.168.129.64 ping statistics ---
                                          3 packets transmitted, 3 received, 0% packet loss, time 2003ms
                                          rtt min/avg/max/mdev = 49.699/50.727/51.526/0.763 ms
                                          
                                          • Vlad Nirky @gpatel-fr

                                            @gpatel-fr
                                            I think I have something interesting in the OpenVPN server log (as you expected).

                                            After the phone's connection to the VPN:
                                            root@rpi3:/var/log# 
                                            cat openvpn.log 
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 TLS: Initial packet from [AF_INET]188.5.220.190:1210, sid=e5f0bc02 623c1eb2
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY OK: depth=1, CN=Easy-RSA CA
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY KU OK
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Validating certificate extended key usage
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY EKU OK
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY OK: depth=0, CN=phde
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_VER=2.6.14
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_PLAT=linux
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_TCPNL=1
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_MTU=1600
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_CIPHERS=AES-256-CBC
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_PROTO=990
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_LZO_STUB=1
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_COMP_STUB=1
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_COMP_STUBv2=1
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1557'
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 [phde] Peer Connection Initiated with [AF_INET]188.5.220.190:1210
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: MULTI: new connection by client 'phde' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: MULTI_sva: pool returned IPv4=10.238.198.2, IPv6=(Not enabled)
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/phde
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: MULTI: Learn: 10.238.198.3 -> phde/188.5.220.190:1210
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: MULTI: primary virtual IP for phde/188.5.220.190:1210: 10.238.198.3
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: SENT CONTROL [phde]: 'PUSH_REPLY,dhcp-option DNS 10.238.198.1,block-outside-dns,redirect-gateway def1,route-gateway 10.238.198.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.238.198.3 255.255.255.0,peer-id 0,cipher AES-256-CBC' (status=1)
                                            Oct 26 07:14:56 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed
                                            Oct 26 07:15:00 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed
                                            Oct 26 07:15:07 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed
                                            Oct 26 07:15:21 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed
                                            
                                            After PC connection to VPN
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 TLS: Initial packet from [AF_INET]188.5.220.190:1898, sid=0bfa998b 8f16b815
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY OK: depth=1, CN=Easy-RSA CA
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY KU OK
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Validating certificate extended key usage
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY EKU OK
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY OK: depth=0, CN=phde
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_VER=2.6.15
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_PLAT=linux
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_TCPNL=1
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_MTU=1600
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_NCP=2
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_PROTO=990
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_LZO_STUB=1
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_COMP_STUB=1
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_COMP_STUBv2=1
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 [phde] Peer Connection Initiated with [AF_INET]188.5.220.190:1898
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 MULTI_sva: pool returned IPv4=10.238.198.2, IPv6=(Not enabled)
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/phde
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 MULTI: Learn: 10.238.198.3 -> phde/188.5.220.190:1898
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 MULTI: primary virtual IP for phde/188.5.220.190:1898: 10.238.198.3
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 Data Channel: using negotiated cipher 'AES-256-GCM'
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
                                            Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 SENT CONTROL [phde]: 'PUSH_REPLY,dhcp-option DNS 10.238.198.1,block-outside-dns,redirect-gateway def1,route-gateway 10.238.198.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.238.198.3 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
                                            Oct 26 07:25:29 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 PUSH: Received control message: 'PUSH_REQUEST'
                                            
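What the two server logs above record, stated here as an added note rather than as part of the post: in the first session the client announces one fixed data cipher (IV_CIPHERS=AES-256-CBC, no IV_NCP), the server warns that `auth` differs between the ends (local SHA256, remote SHA1), and every data packet after the handshake fails HMAC authentication; in the second session the client negotiates AES-256-GCM, an AEAD cipher for which OpenVPN does not use `--auth` on the data channel, and nothing fails. The script below is an added example (not code from OpenVPN, NetworkManager or UBports) that parses server log lines in that syslog shape, groups them per client session and flags exactly those conditions. The embedded log lines are constructed to mirror the posted ones, shortened; lines without an `ip:port` prefix are attributed to the most recently seen session, which is how the first log prints them after the handshake.

```python
"""Flag data-channel problems in OpenVPN server logs, per client session.

Added example for this thread (not OpenVPN, NetworkManager or UBports code).
Assumes the syslog line shape seen in the post:
  Mon DD HH:MM:SS host ovpn-server[pid]: [cn/]ip:port message
Lines without an ip:port prefix are credited to the most recently seen session.
"""
import re
from collections import OrderedDict

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ ovpn-server\[\d+\]: (?P<msg>.*)$")
PEER_RE = re.compile(r"^(?:(?P<cn>[^/\s]+)/)?(?P<addr>\d+(?:\.\d+){3}:\d+) (?P<rest>.*)$")
INCONSISTENT_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']+)', remote='(?P<remote>[^']+)'")
IV_RE = re.compile(r"peer info: (?P<key>IV_\w+)=(?P<val>.*)$")
DATA_CIPHER_RE = re.compile(r"Outgoing Data Channel: Cipher '(?P<cipher>[^']+)'")
HMAC_FAIL = "packet HMAC authentication failed"
# AEAD ciphers authenticate packets themselves; --auth is not used on their data channel.
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}

# Constructed sample: same shape as the two sessions in the post, shortened.
SAMPLE_LOG = """\
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY OK: depth=0, CN=phde
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_VER=2.6.14
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_CIPHERS=AES-256-CBC
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 [phde] Peer Connection Initiated with [AF_INET]188.5.220.190:1210
Oct 26 07:14:56 rpi3 ovpn-server[11385]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Oct 26 07:14:56 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed
Oct 26 07:15:00 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY OK: depth=0, CN=phde
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_VER=2.6.15
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_NCP=2
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
"""


def new_session():
    return {"cn": None, "peer_info": {}, "inconsistent": {},
            "data_cipher": None, "hmac_failures": 0}


def parse_log(text):
    """Group log lines into sessions keyed by client ip:port, in order of first sight."""
    sessions = OrderedDict()
    current = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        pm = PEER_RE.match(msg)
        if pm:
            current = pm.group("addr")
            sess = sessions.setdefault(current, new_session())
            if pm.group("cn"):
                sess["cn"] = pm.group("cn")
            msg = pm.group("rest")
        elif current is None:
            continue  # server-level line before any client has connected
        else:
            sess = sessions[current]
        if (im := INCONSISTENT_RE.search(msg)):
            sess["inconsistent"][im.group("opt")] = (im.group("local"), im.group("remote"))
        elif (iv := IV_RE.search(msg)):
            sess["peer_info"][iv.group("key")] = iv.group("val")
        elif (dm := DATA_CIPHER_RE.search(msg)):
            sess["data_cipher"] = dm.group("cipher")
        elif HMAC_FAIL in msg:
            sess["hmac_failures"] += 1
    return sessions


def diagnose(sess):
    """Return human-readable findings for one session (empty list means clean)."""
    findings = []
    info, cipher = sess["peer_info"], sess["data_cipher"]
    if "IV_NCP" not in info:
        findings.append("client does not negotiate the data cipher (no IV_NCP); "
                        "it is pinned to IV_CIPHERS=%s" % info.get("IV_CIPHERS"))
    if "auth" in sess["inconsistent"] and cipher and cipher not in AEAD_CIPHERS:
        local, remote = sess["inconsistent"]["auth"]
        findings.append("HMAC digest mismatch on non-AEAD data channel (server %r, client %r): "
                        "data packets cannot authenticate" % (local, remote))
    if sess["hmac_failures"]:
        findings.append("%d data packets failed HMAC authentication" % sess["hmac_failures"])
    return findings


def summarize(text):
    """Map each session to its CN, data cipher and findings."""
    return {addr: {"cn": s["cn"], "cipher": s["data_cipher"], "findings": diagnose(s)}
            for addr, s in parse_log(text).items()}


if __name__ == "__main__":
    for addr, s in summarize(SAMPLE_LOG).items():
        print(addr, s["cn"], s["cipher"])
        for f in s["findings"]:
            print("   !", f)
```

Run against a real journal (`journalctl -u openvpn-server@server | python3 this.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), it reports the first session with three findings and the second as clean. A clean report for the phone would need its client to either use the same `auth` digest as the server or to negotiate an AEAD data cipher; which of those the Ubuntu Touch OpenVPN settings allow is what this thread is about.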
                                            • gpatel-fr @Vlad Nirky

                                              @Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

                                              overriding but not wiping out the original default gateway.

                                              I see. I have never seen this kind of configuration, where road warriors get their internet access routed through the server; it has always been a theoretical thing because the combined download speed of several road warriors can't exceed a fraction of the upload speed of the server. For a small business in my country, getting a 'business quality' connection of even 40 Mbit/s is expensive and not worth the extra control this provides, so routing access like that would make for miserable performance for each road warrior, whose personal network download speed would often exceed the total upload speed of the server.

                                              So this is outside my experience with OpenVPN 😞

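The quoted phrase refers to what the pushed `redirect-gateway def1` (visible in the PUSH_REPLY in the server log above) does on the client: rather than replacing the default route, OpenVPN adds the two halves of the address space, 0.0.0.0/1 and 128.0.0.0/1, via the VPN gateway, plus a host route to the VPN server via the original gateway, so the original 0.0.0.0/0 survives and is simply shadowed by the more specific routes until tear-down. The following added example (not OpenVPN code, not code from this thread) models that with the same longest-prefix match a kernel performs, over a constructed routing table. The VPN subnet 10.238.198.0/24 and gateway 10.238.198.1 come from the log; the LAN (192.168.1.0/24 via 192.168.1.1 on wlan0), the VPN server address 203.0.113.10 and the public destination 8.8.8.8 are assumptions.

```python
"""Model what a pushed `redirect-gateway def1` does to the client routing table.

Added example for this thread, not OpenVPN code. It reproduces the kernel's
longest-prefix match over a constructed routing table. VPN subnet and gateway
are from the PUSH_REPLY in the post; the LAN, the VPN server address
203.0.113.10 and the destination 8.8.8.8 are assumptions.
"""
import ipaddress

# (prefix, gateway or None for on-link, device); assumed pre-VPN table.
BASE_ROUTES = [
    ("0.0.0.0/0", "192.168.1.1", "wlan0"),
    ("192.168.1.0/24", None, "wlan0"),
]
VPN_SUBNET, VPN_GW = "10.238.198.0/24", "10.238.198.1"   # from the log's PUSH_REPLY


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst, or None."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, gw, dev), net.prefixlen
    return best


def def1_routes(routes, server_ip, tun="tun0"):
    """Routes OpenVPN adds for def1: a /32 to the server via the original
    gateway (so the tunnel's own packets never loop into the tunnel), the tun
    subnet, and the two /1 halves via the VPN gateway. Nothing deletes 0.0.0.0/0."""
    orig = lookup(routes, server_ip)
    return [
        (server_ip + "/32", orig[1], orig[2]),
        (VPN_SUBNET, None, tun),
        ("0.0.0.0/1", VPN_GW, tun),
        ("128.0.0.0/1", VPN_GW, tun),
    ]


def connect(routes, server_ip, tun="tun0"):
    """Return (table with the VPN up, routes that were added)."""
    added = def1_routes(routes, server_ip, tun)
    return routes + added, added


def disconnect(routes, added):
    """Tear-down removes only what def1 added; the original default is untouched."""
    return [r for r in routes if r not in added]


if __name__ == "__main__":
    up, added = connect(BASE_ROUTES, "203.0.113.10")
    for dst in ("8.8.8.8", "203.0.113.10", "192.168.1.50", "10.238.198.1"):
        print(dst, "->", lookup(up, dst))
    print("after disconnect:", lookup(disconnect(up, added), "8.8.8.8"))
```

The /1 routes win over /0 for every destination, so all internet traffic goes through tun0 while the VPN is up, yet the LAN /24 and the server's /32 still win over the /1 routes, which is why the local network and the VPN endpoint keep using wlan0. Because 0.0.0.0/0 is never touched, removing the added routes on disconnect restores the original table exactly.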