Regular Member
Posts: 420
Registered: ‎02-24-2015
Kudos: 75
Solutions: 8

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

@GainfulShrimp...

Interesting...!!!

On the Mac, using ca.key worked just fine, but that fails on my linux box.

Your new code line works perfectly on my linux box. I look forward to the results of your tests.

Thanks..!!!

EdgeRouter 8
EdgeSwitch 24 Port (x2), EdgeSwitch 8 Port (x2) and ToughSwitch 5 PoE
UniFi Video running on Intel NUC with eight UVC Gen3 and two UVC-Pro Cameras
UAP-AC, UAP-AC-LR & UAP-AC-Lite.
Member
Posts: 112
Registered: ‎03-25-2015
Kudos: 57
Solutions: 2

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

I've double-checked my config and notes on this, and the key to getting udp working was this (obviously you should replace 192.168.2.1 with your EdgeRouter's local IP address):

# When using UDP, we need to tell OpenVPN which interface to listen on, as it
# won't work properly when listening on all interfaces
set interfaces openvpn vtun1 local-host 192.168.2.1

I found the tip originally in this post:

http://community.ubnt.com/t5/EdgeMAX/OpenVPN-server-config-help/td-p/429663

But I have no idea why the local-host setting is required for udp servers and not required for tcp servers... it's a bit baffling, but it works (for me anyway)!

Emerging Member
Posts: 63
Registered: ‎04-06-2016
Kudos: 16
Solutions: 5

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

I followed this to add TOTP to OpenVPN on my EdgeRouter X this evening, and only had to make one change: download the mipsel Google Authenticator package instead of the mips one.

With that one difference it all worked like a charm. Thank you for a very comprehensive guide.

Regular Member
Posts: 420
Registered: ‎02-24-2015
Kudos: 75
Solutions: 8

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

@GainfulShrimp...

Regarding generating the p12 key, do you know how the name as shown in iOS Profiles can be altered? I have set up a 2048 and 4096 set of keys. The user keys are (e.g.) called bob-iphone for both sets.

After importing to the iOS device the bob-iphone.p12 for 2048, and bob-iphone.p12 for 4096, I can't tell which is which as both are listed as bob-iphone. Is there a way to generate differing names during the p12 creation?

Please, this is NOT a big issue. More of interest.

Again, awesome work putting this Howto together.

Cheers..!!

EdgeRouter 8
EdgeSwitch 24 Port (x2), EdgeSwitch 8 Port (x2) and ToughSwitch 5 PoE
UniFi Video running on Intel NUC with eight UVC Gen3 and two UVC-Pro Cameras
UAP-AC, UAP-AC-LR & UAP-AC-Lite.
Emerging Member
Posts: 63
Registered: ‎04-06-2016
Kudos: 16
Solutions: 5

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste


WayneGee wrote:
After importing to the iOS device the bob-iphone.p12 for 2048, and bob-iphone.p12 for 4096 I can't tell which is which as both are listed as bob-iphone. Is there a way to generate differing names during the p12 creation?

(Before running the following commands, set the key size in vars to either 2048 or 4096, according to which one you wish to generate each time.)

./build-key bob-iphone-2048
./build-key bob-iphone-4096

openssl pkcs12 -export -in bob-iphone-2048.crt -inkey bob-iphone-2048.key -certfile ca.crt -name OVPNclient -out bob-iphone-2048.p12
openssl pkcs12 -export -in bob-iphone-4096.crt -inkey bob-iphone-4096.key -certfile ca.crt -name OVPNclient -out bob-iphone-4096.p12

New Member
Posts: 15
Registered: ‎11-29-2015
Kudos: 2

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

Nice guide, thanks for taking the time to write it up. The only thing I found was with the line:

set interfaces openvpn vtun1 openvpn-option '--cipher AES-128-CBC'

I believe it should be:

set interfaces openvpn vtun1 openvpn-option '--cipher AES-256-CBC'

in line with the rest of the guide.

Cheers!

Member
Posts: 112
Registered: ‎03-25-2015
Kudos: 57
Solutions: 2

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

Thanks @jneilly699, I've updated it to be consistent now.

Regular Member
Posts: 420
Registered: ‎02-24-2015
Kudos: 75
Solutions: 8

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

Hello All...

Regarding the security of the app to generate the TOTP, especially for those who are iOS and Mac based, you can use AgileBits 1Password.

The app is capable of generating TOTP based on the QR code generated. Apart from that, it is an encrypted app that requires either a password or fingerprint to open.

Works a treat..!!!

Cheers..!!!

EdgeRouter 8
EdgeSwitch 24 Port (x2), EdgeSwitch 8 Port (x2) and ToughSwitch 5 PoE
UniFi Video running on Intel NUC with eight UVC Gen3 and two UVC-Pro Cameras
UAP-AC, UAP-AC-LR & UAP-AC-Lite.
New Member
Posts: 15
Registered: ‎11-29-2015
Kudos: 2

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

I had this running on 1.7 but today upgraded to 1.8 and a TCP connection won't authenticate (wrong username/password) while UDP still works perfectly. I thought it may have been something to do with SSLH, but stopped it and manually forwarded 443 to 1194 on my listening interface with the same result.

If I change system image back to 1.7, it works. When I change back to 1.8, it doesn't.

Am I missing something obvious?

Member
Posts: 112
Registered: ‎03-25-2015
Kudos: 57
Solutions: 2

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

I fear you might be missing something yes, @jneilly699...

It works fine for me on 1.8.0 - both udp and tcp. And I use sslh too (for tcp only, of course).

If the openvpn logs don't give any clues, you could try increasing the logging level from "verb 4" to something higher like "verb 6"?

Are you sure you've got the exact same config for your 1.8 image - e.g. the same PAM settings and everything?

New Member
Posts: 15
Registered: ‎11-29-2015
Kudos: 2

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

@GainfulShrimp,

If there was an issue with anything to do with authentication wouldn't it stop a UDP connection from working? Or is there something in the config specific to TCP?

Member
Posts: 112
Registered: ‎03-25-2015
Kudos: 57
Solutions: 2

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

Sorry @jneilly699, I don't think I read your post properly before.

The only difference I can think of between the two configs (if you've essentially copied my examples in the guide, or applied the same changes to both udp and tcp versions) is the "local-host [IP of ERL]" line that I found was needed to get UDP working properly. You could try adding that to your TCP config, but it's not needed for mine.

Looking again at your error though - bad username or password - maybe it's something very subtle like an NTP settings thing? Do you have the same time servers set for your 1.7 and 1.8 images - and does your client device get its time set from the EdgeRouter?

I find tcp takes a short while longer to connect successfully, so maybe if your EdgeRouter and client have slightly skewed time set on them, the extra delay for tcp could mean the OTP code is wrong by the time it's checked... just a thought.

I'm struggling to think what might have changed tbh, sorry.
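To make the time-skew idea in the post above concrete, here is an added Python example (not code from the thread, from Google Authenticator or from Ubiquiti) implementing RFC 6238 TOTP plus the server-side acceptance window, and modelling a client whose code is only checked after a slow TCP handshake. The 3-period window is an assumption based on pam_google_authenticator's default, and the secret is the RFC 6238 test secret so the values can be verified.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds (RFC 6238 default, what Google Authenticator uses)
DIGITS = 6     # code length
WINDOW = 3     # consecutive periods accepted: the current one plus one either side
               # (assumed default of pam_google_authenticator; not stated in the thread)

# RFC 6238 reference secret "12345678901234567890", base32-encoded (test value, not a real key)
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret_b32, unix_time):
    """The code a client app (Google Authenticator, 1Password) shows at unix_time."""
    return hotp(secret_b32, unix_time // STEP)


def verify(secret_b32, code, server_time, window=WINDOW):
    """Server-side check: accept if the code matches any period in a window centred
    on the server's own clock. Every candidate is compared in constant time."""
    centre = server_time // STEP
    half = window // 2
    accepted = False
    for counter in range(centre - half, centre + half + 1):
        if hmac.compare_digest(hotp(secret_b32, counter), code):
            accepted = True
    return accepted


def accepted_after_delay(secret_b32, client_time, tcp_delay, server_skew):
    """Model the scenario from the post: the client reads its code at client_time,
    the server only evaluates it tcp_delay seconds later, and the server's clock
    runs server_skew seconds ahead of the client's clock."""
    code = totp(secret_b32, client_time)
    server_clock = client_time + tcp_delay + server_skew
    return verify(secret_b32, code, server_clock)


if __name__ == "__main__":
    # Same 25 s of clock skew: a 5 s handshake still passes, a 10 s one does not.
    for delay in (5, 10):
        result = accepted_after_delay(RFC_SECRET, 59, delay, 25)
        print("skew 25 s, delay %2d s -> accepted: %s" % (delay, result))
```

The two printed cases show why an NTP mismatch can surface only on the slower transport: the skew alone stays inside the window, the skew plus the extra handshake time does not.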

Regular Member
Posts: 342
Registered: ‎02-16-2014
Kudos: 40
Solutions: 7

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

So, I sell and install the ERLs to most all of my clients these days. We put them in and set up the PPTP server on the ERL and use a product called AuthAnvil for 2fa. I load a small piece of software that mimics a RADIUS server on the local LAN, and that software points back to my AuthAnvil server for the auth; I point the ERL to the IP of the computer that the software is installed on as the RADIUS server and I have a 2fa VPN solution to all of my customers' networks. I just use the built-in VPN client in Windows, iOS or Android to connect and then usually use something like a VNC client for remote access from there.

We have used PPTP VPNs for years. And I have always read how insecure they are.

So when I found this topic I was intrigued. But it seems a little complicated to complete, especially if I have to do it to a lot of routers. And having to have each device listed on each router doesn't work for us as that can change.

So I guess I'm asking, is there an OpenVPN solution that would be similar to the PPTP solution I'm currently using?

It has to be simple to set up, it has to have 2fa and centralized user management for all routers.

Thoughts??

Thanks!!!

New Member
Posts: 15
Registered: ‎11-29-2015
Kudos: 2

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

@GainfulShrimp no worries. Thanks for the suggestions; I just wanted to make sure I wasn't missing something obvious. I haven't had time to play with this but have just bought a dedicated box for Untangle so I'll probably never find out! Either way, thanks again for the guide; it's been working great on 1.7

New Member
Posts: 16
Registered: ‎09-12-2015
Kudos: 1
Solutions: 1

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

First, my thanks to the author for this great tutorial. After some minor initial hitches, I was up and running within a couple of hours. However, I used XCA to generate my CA as it's GUI based and I was able to generate the keys on my PC (as recommended by Ubiquiti), then transfer them to the ERL via WinSCP.

Though my tunnels (UDP, TCP) were created and stable after upgrading to 1.85 from 1.6x, I could not connect. Logs didn't tell me why, so I scanned the ERL directories with WinSCP and found that the pam.d directory had new files and the openvpn file had been erased.

So to be safe, I re-ran the "4. Install and configure Google Authenticator" section and now I can connect with both TCP and UDP.

Is there any way to make authentication "upgrade proof"? Perhaps something in the config file. I'd have been lost had I not found this thread again, as I don't use Google Authenticator for anything else.

Thx in advance.

Emerging Member
Posts: 50
Registered: ‎09-12-2015
Kudos: 16
Solutions: 1

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

I noticed the same during the upgrade from 1.8.0 to 1.8.5.

The following get lost during the upgrade:
- Google authenticator package
- libqrencode3 package
- openvpn config file in pam.d folder
- .google_authenticator file in each home directory

I'm not sure, but I think you have to do the following steps after an upgrade:
- restore .google_authenticator file
- install libqrencode3
- install google_authenticator
- restore openvpn config file to pam.d folder

I noticed that openvpn looked in the wrong place for the google_authenticator pam module and the authentication failed. So I copied the module to the place openvpn is looking for it:

root@router:~# cd /lib/security/
root@router:/lib/security# cp /usr/lib/mips-linux-gnu/security/pam_google_authenticator.so .

This was with google_authenticator package 20160607-1.

HTH...
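The post above amounts to a post-upgrade checklist. What follows is an added Python example (not from the thread, from Ubiquiti or from the Google Authenticator project) that verifies each listed piece under a configurable root directory, so it can be tried on a staged copy before being pointed at "/" on the router. The paths are the ones named in the thread; the user list, the expected contents of the pam.d file and the 0400 permission check are assumptions.

```python
import os
import stat
import tempfile

# Paths named in the thread, relative to a root so the check can run on a staged tree.
PAM_FILE = "etc/pam.d/openvpn"
MODULE_PACKAGE_DIR = "usr/lib/mips-linux-gnu/security/pam_google_authenticator.so"  # where the package puts it
MODULE_LIB_SECURITY = "lib/security/pam_google_authenticator.so"                      # where openvpn's PAM stack looked
SECRET_FILE = ".google_authenticator"


def check_ga_state(root, users, home_base="home"):
    """Return a list of findings; an empty list means every piece listed in the post is present."""
    findings = []
    pam_path = os.path.join(root, PAM_FILE)
    if not os.path.isfile(pam_path):
        findings.append("missing %s (restore it from your backup)" % PAM_FILE)
    else:
        with open(pam_path) as fh:
            if "pam_google_authenticator.so" not in fh.read():
                findings.append("%s no longer references pam_google_authenticator.so" % PAM_FILE)
    have_pkg = os.path.isfile(os.path.join(root, MODULE_PACKAGE_DIR))
    have_lib = os.path.isfile(os.path.join(root, MODULE_LIB_SECURITY))
    if not (have_pkg or have_lib):
        findings.append("pam_google_authenticator.so not installed: reinstall libqrencode3 and the Google Authenticator package")
    elif not have_lib:
        findings.append("module only in /%s: copy it to /lib/security/" % os.path.dirname(MODULE_PACKAGE_DIR))
    for user in users:
        secret = os.path.join(root, home_base, user, SECRET_FILE)
        if not os.path.isfile(secret):
            findings.append("no %s for user %s (restore it)" % (SECRET_FILE, user))
            continue
        mode = stat.S_IMODE(os.stat(secret).st_mode)
        if mode & 0o077:
            # google-authenticator writes this file 0400; the PAM module refuses looser permissions
            findings.append("%s for %s is readable by others (mode %o)" % (SECRET_FILE, user, mode))
    return findings


def stage_tree(root, users, pam_file=True, module_in_pkg_dir=True,
               module_in_lib_security=True, secrets=True, secret_mode=0o400):
    """Build a constructed, EdgeOS-like tree under root for exercising the check."""
    def put(rel, content, mode=0o644):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    if pam_file:
        put(PAM_FILE, "auth required pam_google_authenticator.so\n")  # assumed pam.d line
    if module_in_pkg_dir:
        put(MODULE_PACKAGE_DIR, "")
    if module_in_lib_security:
        put(MODULE_LIB_SECURITY, "")
    if secrets:
        for user in users:
            put(os.path.join("home", user, SECRET_FILE), "CONSTRUCTEDSECRET\n", secret_mode)


def simulate(**layout):
    """Stage a tree in a temporary directory (constructed users) and return the findings."""
    users = ["bob", "iphone"]
    with tempfile.TemporaryDirectory() as root:
        stage_tree(root, users, **layout)
        return check_ga_state(root, users)


if __name__ == "__main__":
    print("after restore:", simulate() or "all pieces present")
    print("after upgrade:", simulate(pam_file=False, module_in_pkg_dir=False,
                                     module_in_lib_security=False, secrets=False))
```

On the router itself the call is check_ga_state("/", ["bob"]); a non-empty list after a firmware upgrade tells you which of the steps from the post still need to be redone.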

New Member
Posts: 16
Registered: ‎09-12-2015
Kudos: 1
Solutions: 1

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

Yes, I found the same files missing. Is it possible to maintain libqrencode3 and google_authenticator in the config file, much like the repo Wheezy? I'm thinking that the user config folder doesn't get changed and the additional files could be placed in a subdirectory of one's user folder, with working paths in the config. Not sure what can be done about the pam file.

New Member
Posts: 6
Registered: ‎07-14-2014
Kudos: 1

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste


I've been able to follow this guide (with some tweaks) to get this configuration successfully up and running on EdgeOS v1.9.0 on UDP only. I've since gone back and added in the TCP vtun and, for the life of me, I just can't get it to work. I've even changed the web-gui port to something other than 443 and tried just keeping everything on TCP on port 443 - still no change. All the details below are with this more straightforward 443 approach without forwarding it to TCP:1194.

EdgeOS Configuration:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "From WAN/Internet to LAN/internal"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "From WAN/Internet to router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow OpenVPN UDP"
            destination {
                port 1194
            }
            log enable
            protocol tcp_udp
        }
        rule 20 {
            action accept
            description "Allow OpenVPN TCP"
            destination {
                port 443
            }
            log enable
            protocol tcp
        }
        rule 30 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.1.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth1 {
        address xx.xx.xx.xx/24
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 10.0.100.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        description "OpenVPN server UDP"
        encryption aes256
        hash sha256
        mode server
        openvpn-option "--port 1194"
        openvpn-option "--comp-lzo yes"
        openvpn-option --tls-server
        openvpn-option --persist-key
        openvpn-option --persist-tun
        openvpn-option "--user nobody"
        openvpn-option "--group nogroup"
        openvpn-option --persist-local-ip
        openvpn-option --persist-remote-ip
        openvpn-option "--keepalive 8 30"
        openvpn-option "--verb 6"
        openvpn-option "--ifconfig-pool-persist /config/auth/openvpn/vtun0-ipp.txt"
        openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn"
        openvpn-option --float
        openvpn-option "--tls-auth /config/auth/openvpn/keys/tls-auth.key 0"
        openvpn-option "--remote-cert-tls client"
        openvpn-option "--log-append /var/log/openvpn/ovpn.log"
        openvpn-option "--status /var/log/openvpn/status.log"
        protocol udp
        server {
            name-server xx.xx.xx.xx
            subnet 10.10.100.0/24
        }
        tls {
            ca-cert-file /config/auth/openvpn/keys/ovpn_CA.pem
            cert-file /config/auth/openvpn/keys/ovpn_srv_crt.pem
            dh-file /config/auth/openvpn/keys/dh4096.pem
            key-file /config/auth/openvpn/keys/ovpn_srv_key.pem
        }
    }
    openvpn vtun1 {
        description "OpenVPN server TCP"
        encryption aes256
        hash sha256
        local-port 443
        mode server
        openvpn-option "--port 443"
        openvpn-option "--comp-lzo yes"
        openvpn-option --tls-server
        openvpn-option --persist-key
        openvpn-option --persist-tun
        openvpn-option "--user nobody"
        openvpn-option "--group nogroup"
        openvpn-option --persist-local-ip
        openvpn-option --persist-remote-ip
        openvpn-option "--keepalive 8 30"
        openvpn-option "--verb 6"
        openvpn-option "--ifconfig-pool-persist /config/auth/openvpn/vtun0-ipp.txt"
        openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn"
        openvpn-option --float
        openvpn-option "--tls-auth /config/auth/openvpn/keys/tls-auth.key 0"
        openvpn-option "--remote-cert-tls client"
        openvpn-option "--log-append /var/log/openvpn/ovpn.log"
        openvpn-option "--status /var/log/openvpn/status.log"
        openvpn-option "--dev-type tun"
        protocol tcp-passive
        server {
            subnet 10.10.110.0/24
        }
        tls {
            ca-cert-file /config/auth/openvpn/keys/ovpn_CA.pem
            cert-file /config/auth/openvpn/keys/ovpn_srv_crt.pem
            dh-file /config/auth/openvpn/keys/dh4096.pem
            key-file /config/auth/openvpn/keys/ovpn_srv_key.pem
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth2
    wan-interface eth1
}
protocols {
    static {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name eth2-LAN {
            authoritative disable
            subnet 10.0.100.0/24 {
                default-router 10.0.100.1
                dns-server 10.0.100.1
                lease 86400
                start 10.0.100.2 {
                    stop 10.0.100.254
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth2
            listen-on vtun0
            listen-on vtun1
            name-server xx.xx.xx.xx
            name-server xx.xx.xx.xx
        }
    }
    gui {
        http-port 80
        https-port 50000
        older-ciphers enable
    }
    nat {
        rule 5010 {
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    gateway-address xx.xx.xx.xx
    host-name ubnt
    login {
        user iphone {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name "iPhone OpenVPN config"
            level operator
        }
        user admin {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name Admin
            level admin
        }
    }
    name-server xx.xx.xx.xx
    name-server xx.xx.xx.xx
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    package {
        repository wheezy {
            components "main contrib non-free"
            distribution wheezy
            password ****************
            url http://http.us.debian.org/debian
            username ""
        }
        repository wheezy-backports {
            components "main contrib non-free"
            distribution wheezy-backports
            password ****************
            url http://ftp.ch.debian.org/debian
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Los_Angeles
    traffic-analysis {
        dpi enable
        export enable
    }
}

(Successful) UDP config:

client
dev tun
proto udp
remote xx.xx.xx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth-user-pass
cipher AES-256-CBC
auth SHA256
redirect-gateway def1
user nobody
group nogroup
tls-client
comp-lzo
verb 4
reneg-sec 0
remote-cert-eku "TLS Web Server Authentication"

<ca>
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
</ca>

key-direction 1

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
…
-----END OpenVPN Static key V1-----
</tls-auth>

setenv ALLOW_PASSWORD_SAVE 0

(Unsuccessful) TCP config:

client
dev-type tun
proto tcp
remote xx.xx.xx.xx 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth-user-pass
cipher AES-256-CBC
auth SHA256
redirect-gateway def1
user nobody
group nogroup
tls-client
comp-lzo
verb 6
reneg-sec 0

<ca>
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
</ca>

key-direction 1

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
…
-----END OpenVPN Static key V1-----
</tls-auth>

setenv ALLOW_PASSWORD_SAVE 0

Observed TCP Config Behavior on iOS OpenVPN app (and Connection Log)

"Bytes Out" slowly increments, but ultimately ends in a "Connection Timeout". The Connection Log isn't particularly helpful (for me):

2016-09-02 11:41:53 ----- OpenVPN Start -----
OpenVPN core 3.0 ios armv7s thumb2 32-bit
2016-09-02 11:41:53 Keychain Cert Extraction: 1 certificate(s) found
2016-09-02 11:41:53 UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-key]
7 [persist-tun]
13 [user] [nobody]
14 [group] [nogroup]
15 [tls-client]
17 [verb] [6]
22 [setenv] [ALLOW_PASSWORD_SAVE] [0]
23 [dev] [tun]

2016-09-02 11:41:53 EVENT: RESOLVE
2016-09-02 11:41:53 LZO-ASYM init swap=0 asym=0
2016-09-02 11:41:53 Contacting xx.xx.xx.xx:443 via TCP
2016-09-02 11:41:53 EVENT: WAIT
2016-09-02 11:41:53 SetTunnelSocket returned 1
2016-09-02 11:41:53 Connecting to xx.xx.xx.xx:443 (xx.xx.xx.xx) via TCPv4
2016-09-02 11:42:03 Server poll timeout, trying next remote entry...
2016-09-02 11:42:03 EVENT: RECONNECTING
2016-09-02 11:42:03 LZO-ASYM init swap=0 asym=0
2016-09-02 11:42:03 Contacting xx.xx.xx.xx:443 via TCP
2016-09-02 11:42:03 EVENT: WAIT
2016-09-02 11:42:03 SetTunnelSocket returned 1
2016-09-02 11:42:04 Connecting to xx.xx.xx.xx:443 (xx.xx.xx.xx) via TCPv4
2016-09-02 11:42:13 Server poll timeout, trying next remote entry...
2016-09-02 11:42:13 EVENT: RECONNECTING
2016-09-02 11:42:13 LZO-ASYM init swap=0 asym=0
2016-09-02 11:42:13 Contacting xx.xx.xx.xx:443 via TCP
2016-09-02 11:42:13 EVENT: WAIT
2016-09-02 11:42:13 SetTunnelSocket returned 1
2016-09-02 11:42:14 Connecting to xx.xx.xx.xx:443 (xx.xx.xx.xx) via TCPv4
2016-09-02 11:42:23 Server poll timeout, trying next remote entry...
2016-09-02 11:42:23 EVENT: RECONNECTING
2016-09-02 11:42:23 LZO-ASYM init swap=0 asym=0
2016-09-02 11:42:23 Contacting xx.xx.xx.xx:443 via TCP
2016-09-02 11:42:23 EVENT: WAIT
2016-09-02 11:42:23 SetTunnelSocket returned 1
2016-09-02 11:42:24 Connecting to xx.xx.xx.xx:443 (xx.xx.xx.xx) via TCPv4
2016-09-02 11:42:33 Server poll timeout, trying next remote entry...
2016-09-02 11:42:33 EVENT: RECONNECTING
2016-09-02 11:42:33 LZO-ASYM init swap=0 asym=0
2016-09-02 11:42:33 Contacting xx.xx.xx.xx:443 via TCP
2016-09-02 11:42:33 EVENT: WAIT
2016-09-02 11:42:33 SetTunnelSocket returned 1
2016-09-02 11:42:34 Connecting to xx.xx.xx.xx:443 (xx.xx.xx.xx) via TCPv4
2016-09-02 11:42:43 Server poll timeout, trying next remote entry...
2016-09-02 11:42:43 EVENT: RECONNECTING
2016-09-02 11:42:43 LZO-ASYM init swap=0 asym=0
2016-09-02 11:42:43 Contacting xx.xx.xx.xx:443 via TCP
2016-09-02 11:42:43 EVENT: WAIT
2016-09-02 11:42:43 SetTunnelSocket returned 1
2016-09-02 11:42:44 Connecting to xx.xx.xx.xx:443 (xx.xx.xx.xx) via TCPv4
2016-09-02 11:42:53 EVENT: CONNECTION_TIMEOUT [ERR]
2016-09-02 11:42:53 EVENT: DISCONNECTED
2016-09-02 11:42:53 Raw stats on disconnect:
BYTES_OUT : 336
PACKETS_OUT : 6
CONNECTION_TIMEOUT : 1
N_RECONNECT : 5
2016-09-02 11:42:53 Performance stats on disconnect:
CPU usage (microseconds): 53152
Network bytes per CPU second: 6321
Tunnel bytes per CPU second: 0
2016-09-02 11:42:53 EVENT: DISCONNECT_PENDING
2016-09-02 11:42:53 ----- OpenVPN Stop -----

Server Log (/var/log/openvpn/ovpn.log) - attached as it's --verb 6

Any help would be very much appreciated - I'm tearing what's left of my hair out over here!

Thanks in advance!

Brian

New Member
Posts: 16
Registered: ‎09-12-2015
Kudos: 1
Solutions: 1

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste


I have my TCP connection listening to port 1194.

local-host 10.x.x.x
local-port 1194
mode server

Port forwarding redirects the traffic.

rule 1 {
description "OpenVPN TCP"
forward-to {
address 10.x.x.x
port 1194
}
original-port 443
protocol tcp
}

I also have a few config items set differently:

openvpn-option --tls-server
openvpn-option --comp-lzo
openvpn-option "--user nobody --group nogroup"
openvpn-option --persist-key
openvpn-option --persist-tun
openvpn-option --persist-local-ip
openvpn-option --persist-remote-ip
openvpn-option "--keepalive 8 30"
openvpn-option "--verb 5"
openvpn-option --client-to-client
openvpn-option "--ifconfig-pool-persist /config/auth/openvpn/vtun0-ipp.txt"
openvpn-option "--push redirect-gateway def1"
openvpn-option "--push dhcp-option DNS 10.x.x.1"
openvpn-option "--tls-auth /config/auth/openvpn/keys/ta.key 0"
openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn"
openvpn-option "--cipher AES-128-CBC"
openvpn-option "--tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA"
openvpn-option --float
openvpn-option "--tcp-queue-limit 256"
protocol tcp-passive
server {
subnet 10.x.y.0/24
}

New Member
Posts: 6
Registered: ‎07-14-2014
Kudos: 1

Re: Secure OpenVPN server setup with multi-factor authentication (Google Authenticator): step-by-ste

Thanks for replying with your config details @BuxtonCalvin. With the exception of changing the ciphers to AES-128-CBC, I tried replicating the details I didn't already have, to no avail.

I suspect unless anyone else has any breakthrough ideas I'm left with…

At this point, the only thing I can think of is that my experimentation must have corrupted something somewhere along the way … unless I'm blind to missing config item(s) that I'm consistently missing in my repetitive config changes. But the fact that UDP is happily connecting while TCP continues to resist is just… baffling.

Any last suggestions before I pull the trigger on resetting the router to default and starting from scratch would be most appreciated! I'm going to be putting it off a couple of days anyway - both because I've got other things to be doing and, honestly, procrastinating on everything that's involved.

Thanks!
