OpenVPN timing out?
The_Great_Sephiroth (Veteran; Joined: 03 Oct 2014; Posts: 1602; Location: Fayetteville, NC, USA)
Posted: Fri Aug 17, 2018 3:52 pm    Post subject: OpenVPN timing out?

I have an OpenVPN server set up at a client location and am trying to get it to work. I created the CA, server key, client key for me, etc. The server is running. However, whenever I attempt to connect I get the following.
Code:

Aug 17 11:42:42 9y84mj1 NetworkManager[1612]: <info>  [1534520562.9093] vpn-connection[0x563d5e944880,90e3327d-4044-499c-88b0-3dcd852294de,"Truevine Ministries A",0]: Started the VPN service, PID 7473
Aug 17 11:42:42 9y84mj1 NetworkManager[1612]: <info>  [1534520562.9215] vpn-connection[0x563d5e944880,90e3327d-4044-499c-88b0-3dcd852294de,"Truevine Ministries A",0]: Saw the service appear; activating connection
Aug 17 11:42:42 9y84mj1 NetworkManager[1612]: <info>  [1534520562.9484] vpn-connection[0x563d5e944880,90e3327d-4044-499c-88b0-3dcd852294de,"Truevine Ministries A",0]: VPN plugin: state changed: starting (3)
Aug 17 11:42:42 9y84mj1 nm-openvpn[7476]: OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 23 2018
Aug 17 11:42:42 9y84mj1 nm-openvpn[7476]: library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
Aug 17 11:42:42 9y84mj1 nm-openvpn[7476]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Aug 17 11:42:42 9y84mj1 nm-openvpn[7476]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 17 11:42:43 9y84mj1 nm-openvpn[7476]: TCP/UDP: Preserving recently used remote address: [AF_INET]1.2.3.4:1194
Aug 17 11:42:43 9y84mj1 nm-openvpn[7476]: UDP link local: (not bound)
Aug 17 11:42:43 9y84mj1 nm-openvpn[7476]: UDP link remote: [AF_INET]1.2.3.4:1194
Aug 17 11:42:43 9y84mj1 nm-openvpn[7476]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Aug 17 11:43:43 9y84mj1 NetworkManager[1612]: <warn>  [1534520623.0884] vpn-connection[0x563d5e944880,90e3327d-4044-499c-88b0-3dcd852294de,"Truevine Ministries A",0]: VPN connection: connect timeout exceeded.
Aug 17 11:43:43 9y84mj1 nm-openvpn[7476]: SIGTERM[hard,] received, process exiting
Aug 17 11:43:43 9y84mj1 NetworkManager[1612]: <warn>  [1534520623.0958] vpn-connection[0x563d5e944880,90e3327d-4044-499c-88b0-3dcd852294de,"Truevine Ministries A",0]: VPN plugin: failed: connect-failed (1)
Aug 17 11:43:43 9y84mj1 NetworkManager[1612]: <info>  [1534520623.0960] vpn-connection[0x563d5e944880,90e3327d-4044-499c-88b0-3dcd852294de,"Truevine Ministries A",0]: VPN plugin: state changed: stopping (5)
Aug 17 11:43:43 9y84mj1 NetworkManager[1612]: <info>  [1534520623.0961] vpn-connection[0x563d5e944880,90e3327d-4044-499c-88b0-3dcd852294de,"Truevine Ministries A",0]: VPN plugin: state changed: stopped (6)

Not sure what's going on and causing the timeout above. Is there a guide for setting up the client-side using NetworkManager somewhere? I am sure I have left out an option but there are so many I am swamped and not sure what to touch and what not to touch.

Note that I changed my client's public IP address to 1.2.3.4 above. That is NOT what it is actually connecting to!
_________________
Ever picture systemd as what runs "The Borg"?
szatox (Advocate; Joined: 27 Aug 2013; Posts: 3136)
Posted: Sat Aug 18, 2018 10:00 am

Quote:
Aug 17 11:42:43 9y84mj1 nm-openvpn[7476]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Aug 17 11:43:43 9y84mj1 NetworkManager[1612]: <warn> [1534520623.0884] vpn-connection[0x563d5e944880,90e3327d-4044-499c-88b0-3dcd852294de,"Truevine Ministries A",0]: VPN connection: connect timeout exceeded.
Firewall?
If you control both, server and client, try changing to TCP. Some people really hate UDP and mess it to the point it's completely unreliable. (You can revert this later, once your connection works)
The_Great_Sephiroth (Veteran)
Posted: Sun Aug 19, 2018 3:50 pm

Not sure how to switch to TCP server-side. The host is a DD-WRT router. I have it running PPTP as well so I can work on it remotely. I'll look into switching it and see what I can come up with.
The_Great_Sephiroth (Veteran)
Posted: Mon Aug 20, 2018 11:22 pm

OK, seems to be a bug in starting it. After a reboot the firewall rules showed up in iptables. Apparently simply saving then applying the changes does not add the rules. I will be testing the connection soon. Cannot do it just yet.
The_Great_Sephiroth (Veteran)
Posted: Thu Aug 23, 2018 4:40 am

OK, I figured it out. The issue is with one of the pem files. My issue is that I cannot find a single guide for using this stupid easy-rsa script! It doesn't follow the guide on the actual OpenVPN site! They keep referencing "./build whatever" and there is no build script. I have one single script called "easy-rsa" and I am apparently using it incorrectly. Debian still has the ./build stuff but this version doesn't.

Where on earth can I find a guide to creating my certificates with this new script? I have been all over the OpenVPN site and cannot find ANYTHING about this script. Is this really so new that no documentation exists? Can I downgrade to something which works (the entire planet has a million guides for this, but none use this script!) so I can at least get myself up and running? I've blown almost two weeks on this and I am finally throwing in the towel and asking for help. It's incredibly frustrating that a million guides exist and none teach you how to use this crappy script!
The_Great_Sephiroth (Veteran)
Posted: Thu Aug 23, 2018 3:01 pm

OK, I found a guide. I had to search for "easy-rsa 3". The problem with this guide is that it expects you to have one machine for the CA, various servers, and then clients. Why is this so difficult? One guide that uses one machine to generate ALL certificates is all I am asking for! Now I have to try to piece this one together. Seriously, they expect you to create certificates across three separate machines? Maybe this is too convoluted for commercial use.
eccerr0r (Watchman; Joined: 01 Jul 2004; Posts: 9679; Location: almost Mile High in the USA)
Posted: Thu Aug 23, 2018 3:20 pm

easy-rsa worked for me a while ago when I was building keys, and I made all keys (CA, server, client) on just one machine...

I've forgotten, but I was able to sign a key using the key generated with easy-rsa as well; it's openssl wrappers.

I doubt key generation is the root of the problem you're seeing however. I thought that it would report bad keys explicitly if they don't match what's expected? Not sure.

(This may have been easy-rsa v2, it's been a long time...)
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
The_Great_Sephiroth (Veteran)
Posted: Thu Aug 23, 2018 7:25 pm

I used easy-rsa 2 a while back without a hitch due to virtually every guide being aimed at using it and one computer to generate everything. I have no clue who was smoking the good stuff when the version 3 guide was written, but they seriously expect you to generate a request on each client machine, which is impossible for me. That would require me to go to hundreds of individuals' homes, install this crap, then generate the request there. It makes absolutely no sense how this guide was written. I need to generate certificates and keys, then distribute them at the place of work to all employees who have VPN access.

*EDIT*

The guide is linked below and is utterly ridiculous. It literally instructs you to go to each client machine (can we say months of travel?), generate a request, ferry those to the CA machine, sign them, then ferry them back, and then use the VPN. Yeah, VPN setup is supposed to take a year or more now. Great...

The fundamentally flawed v3 guide

*EDIT*

OK, I found one that shows how to do this from a single machine. Much better.

The correct method which doesn't require 50,000gal of fuel to accomplish!
szatox (Advocate)
Posted: Thu Aug 23, 2018 9:14 pm

Quote:
The issue is with one of the pem files. My issue is that I cannot find a single guide for using this stupid easy-rsa script! It

So don't use it. It's just a wrapper around openssl.
https://duckduckgo.com/?q=openssl+CA+howto
one of the first results looks more or less fine http://pages.cs.wisc.edu/~zmiller/ca-howto/
Obviously, a 1024-bit RSA key is rather weak by today's standards; use 2048 or ECC instead.

You can build CA, issue CSR, and then sign them to create certificates with openssl alone, without external helpers.

Quote:

I doubt key generation is the root of the problem you're seeing however. I thought that it would report bad keys explicitly if they don't match what's expected? Not sure.
Yeah, I don't think it is a bad key either, but openvpn is not known for its superior error reporting capabilities, so every single idea is worth checking out.
Hu (Moderator; Joined: 06 Mar 2007; Posts: 21633)
Posted: Fri Aug 24, 2018 2:02 am

The_Great_Sephiroth wrote:
The problem with this guide is that it expects you to have one machine for the CA, various servers, and then clients. Why is this so difficult? One guide that uses one machine to generate ALL certificates is all I am asking for!
It's difficult because you are doing it wrong. :) You can trivially convert a multi-machine guide into a single-machine guide by just using the same machine for every step, optionally with different subdirectories for each "machine" the guide expects you to use. However, you cannot necessarily easily convert a single-machine guide into a multi-machine guide, because a single machine guide may assume that every step has access to all the files from all prior steps.
The_Great_Sephiroth wrote:
I used easy-rsa 2 a while back without a hitch due to virtually every guide being aimed at using it and one computer to generate everything.
So the guides have improved since then. Good.
The_Great_Sephiroth wrote:
I have no clue who was smoking the good stuff when the version 3 guide was written, but they seriously expect you to generate a request on each client machine, which is impossible for me.
Creating certificates across separate machines is the right way to do this, if you don't have a trustworthy transport mechanism. You need the private keys to be stored only on the systems that should use them. You can do this by generating them on the required machine and never transporting them, or by generating them centrally and then securely transporting them. If you have no secure transport, you must either distribute them at the edge or accept insecure distribution.
The_Great_Sephiroth wrote:
The guide is linked below and is utterly ridiculous. It literally instructs you to go to each client machine (can we say months of travel?), generate a request, ferry those to the CA machine, sign them, then ferry them back, and then use the VPN. Yeah, VPN setup is supposed to take a year or more now. Great...
What kind of round trip latency do you have on this network? I can get to all the machines I need to manage in seconds over ssh. Why would you personally visit all these machines? If you don't have ssh access, you can remotely operate a user by telephone / IM to do the work.
joanandk (Apprentice; Joined: 12 Feb 2017; Posts: 169)
Posted: Fri Aug 24, 2018 7:40 am

szatox wrote:
Some people really hate UDP and mess it to the point it's completely unreliable.


I have been using UDP for decades without any issues. It is possible that a public or hotel WLAN blocks UDP (which I have encountered once), but this is a rare case.

BR
eccerr0r (Watchman)
Posted: Fri Aug 24, 2018 1:25 pm

I think that the hate for UDP is not necessarily from the VPN implementer but rather from the network infrastructure. As UDP is stateless, the problem is for NAT routers which, despite UDP being stateless, still need to keep state for those flows and would rather drop them to keep things simple.

I was trying to use OpenVPN to connect back to my home network, however I found that many hotspots simply filter UDP, so I was forced to implement TCP tunneling. UDP works so much better ... except when it gets filtered.
The_Great_Sephiroth (Veteran)
Posted: Fri Aug 24, 2018 4:00 pm

Hu, the network is at a client's office. The "remote systems" are Windows 7, 8, 8.1, and 10 at people's homes. SSH is out. Hell, almost everything is out due to this being home users using the network remotely. I literally need to do this on-site at the office and give each user their certificate and key on a USB stick. No real way around it.
szatox (Advocate)
Posted: Fri Aug 24, 2018 5:01 pm

Quote:
I have been using UDP for decades without any issues. It is possible that a public or hotel WLAN has blocks to UDP (which I have once encountered), but this is rare case.
Yeah, tell me more about your flawless experience.
I didn't say they "block it". I said they mess it up. And by "them" I mean one of the biggest hosting companies in Europe.
These guys are really pushing the limits on "not guaranteeing" UDP packets to make it through.


Quote:
I literally need to do this on-site at the office and give each user their certificate and key on USB stick

Do they explicitly demand SSL certificates?
Why not just go with usernames and passwords?
Hu (Moderator)
Posted: Sat Aug 25, 2018 12:30 am

The_Great_Sephiroth wrote:
Hu, the network is at a clients office. The "remote systems" are Windows 7, 8, 8.1, and 10 at people's homes. SSH is out. Hell, almost everything is out due to this being home users using the network remotely. I literally need to do this on-site at the office and give each user their certificate and key on USB stick. No real way around it.
That is rather inconvenient, yes. In that case, I'd definitely go with one of the two suggestions szatox made up-thread: either skip using the script and issue the certificates directly (if the script fights you too much) or abandon the whole thing and go with passwords. Personally, I prefer not relying on username/password for this, but it is the easiest route.

When last I dealt with this as an end user, the network operator had a nice web portal that users on the internal network could use to get their configuration and certificates. That likewise followed the "bad" model of distributing private keys rather than letting users generate them, but it did work and it was very simple to use.
szatox wrote:
These guys are really pushing the limits on "not guaranteeing" UDP packets to make it through.
Perhaps they misunderstood the specification. Instead of reading "not guaranteed to be delivered", they went with "guaranteed not to be delivered." ;)
The_Great_Sephiroth (Veteran)
Posted: Sun Aug 26, 2018 3:05 am

I found a guide that details how to do it on a single PC. It is then up to me to secure the certificates and such, which I can easily do. The script isn't the issue; it was that the "official" guide was literally asking me to burn hundreds of gallons of fuel in that it asked me to go to every user's PC and generate the requests, run to the server, accept them, and then run around again. Not happening. I am good now though.

I also don't know what the issue with UDP is. I do a LOT with UDP including gaming. Never had any issues.
Hu (Moderator)
Posted: Sun Aug 26, 2018 3:49 pm

The original guide told you how to do it properly: private keys kept private by not copying them anywhere, ever. It implicitly assumed that every system is just an ssh away from your console. If your environment isn't that convenient, then that guide is not a good fit for you.
eccerr0r (Watchman)
Posted: Sun Aug 26, 2018 10:51 pm

Supposedly the original guide should have told the remote people to generate a key and send you a CSR (with public key) -- without their private key.

You should then sign the CSR and send the certificate back to them. They should now use their private key and certificate to sign into your VPN.

This way it should be secure as long as you trust the CSR coming to you, and you don't need to drive to the remote sites.

You can give them keys too, as you're doing now; this also requires that the key does not get disclosed over the network.
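The CSR workflow described in the two posts above (key and CSR made where the key will live, only the CSR goes to the CA, only the signed certificate comes back), written out with plain openssl as an added example for this thread; it is not code from any poster or from easy-rsa, and the directory layout, CA name, key size and validity periods are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from easy-rsa: the CSR workflow
# Hu and eccerr0r describe, done with plain openssl as szatox suggests.
# Each requester keeps its private key in its own directory; only the CSR
# travels to the CA directory and only the signed certificate travels back.
# The directory layout, CA name, 2048-bit RSA keys and validity periods are
# assumptions for this demo, not values from the thread.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch root, left in place for inspection

# CA side: key plus self-signed CA certificate (what easy-rsa's build-ca does).
make_ca() {
    mkdir -p "$WORK/ca"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example VPN CA" \
        -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" 2>/dev/null
}

# Requester side ($1 = name): key and CSR are generated where the key will live.
make_csr() {
    mkdir -p "$WORK/$1"
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$WORK/$1/$1.key" -out "$WORK/$1/$1.csr" 2>/dev/null
}

# CA side ($1 = name, $2 = client|server): sign the CSR and pin its purpose
# with extendedKeyUsage, so a client configured with "remote-cert-tls server"
# rejects a peer that presents another client's certificate as the server.
sign_csr() {
    case "$2" in
        server) eku=serverAuth ;;
        client) eku=clientAuth ;;
        *) echo "role must be client or server" >&2; return 1 ;;
    esac
    cp "$WORK/$1/$1.csr" "$WORK/ca/"                   # only the CSR moves
    printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' "$eku" \
        > "$WORK/ca/$1.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORK/ca/$1.csr" \
        -CA "$WORK/ca/ca.crt" -CAkey "$WORK/ca/ca.key" -CAcreateserial \
        -extfile "$WORK/ca/$1.ext" -out "$WORK/ca/$1.crt" 2>/dev/null
    cp "$WORK/ca/$1.crt" "$WORK/$1/"            # only the certificate returns
}

# Checks before shipping: the certificate chains to the CA, its public key
# matches the requester's private key, it carries the intended purpose, and
# the private key never appeared on the CA side.
check_issued() {
    openssl verify -CAfile "$WORK/ca/ca.crt" "$WORK/$1/$1.crt" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$WORK/$1/$1.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/$1/$1.key" -pubout)" ] || return 1
    case "$2" in
        server) want='TLS Web Server Authentication' ;;
        *)      want='TLS Web Client Authentication' ;;
    esac
    openssl x509 -in "$WORK/$1/$1.crt" -noout -text | grep -q "$want" || return 1
    [ ! -e "$WORK/ca/$1.key" ]
}

issue_cert() { make_csr "$1" && sign_csr "$1" "$2" && check_issued "$1" "$2"; }

if [ "${1:-}" = "--demo" ]; then
    make_ca && issue_cert vpn-gw server && issue_cert alice client \
        && echo "issued under $WORK"
fi
```

Run with `--demo` to issue a server and a client certificate under a scratch directory; on a real deployment the `make_csr` step runs on the requester's machine and only the `.csr` and `.crt` files are copied between the two sides.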
szatox (Advocate)
Posted: Sun Aug 26, 2018 11:11 pm

Quote:
Supposedly the original guide should have told the remote people to generate a key and send you a CSR (with public key) -- without their private key.
I bet it did. Still, lower your expectations regarding regular users, it will spare you a lot of disappointments :lol:


The_Great_Sephiroth, have you managed to sort out the problem with timeouts?
After fixing firewall, did replacing keys really do the trick?
The_Great_Sephiroth (Veteran)
Posted: Tue Aug 28, 2018 10:40 pm

Yes, the OS on the router needs an upgrade. The OpenVPN server does not like the shiny, new keys and certificates generated here in Gentoo. I am hoping to go on-site tomorrow to upgrade it and report back that I am good.

Eccerr0r, you actually believe a commoner who struggles to turn the PC on can type ANYTHING? If I showed them instructions for downloading that crap the first stop would be "I click it but it don't do nuffin'!". Then after getting it installed, it would be "You mean I gotta' type sumfin'?!" followed by "I type it right but it no work" while clearly they're not typing it correctly. Seriously, average users in Windows are almost as brain-dead as Mac users these days. If you can't click on it with the mouse and have the whole damn process done, they cannot handle it.

I have actually been told by my boss I talk down to people by using words like "cable modem" and "router" instead of "Internet box" and "other box". He doesn't care, but I have people complain that that type of lingo is too technical. Seriously, either I do this or it would NEVER get done.
Hu (Moderator)
Posted: Wed Aug 29, 2018 1:05 am

Users may come into the business with no skill, but letting them remain unskilled is a disservice to them (not that they know it) and to everyone forced to deal with them. Educating them on proper terminology is not easy, but is a worthwhile task, in my opinion.
The_Great_Sephiroth (Veteran)
Posted: Wed Aug 29, 2018 4:32 pm

I agree, but remember, everybody is a snowflake now. You try to teach a term and you get blasted for "talking down to them" or "talking so I cannot understand". It's nonsense. I hate the area I live in and want to move out west to Texas.