Can't Connect to OpenVPN Server

Electr0 (Dabbler)
Joined: Dec 18, 2020 | Messages: 47
Hi All,

I know this is probably an OpenVPN problem, but I'm setting it up on my TrueNAS and I'm a little stuck...

I've been trying to follow this video (https://www.youtube.com/watch?v=YEkfW4aC9Rk) to set up an OpenVPN server on my TrueNAS.

I believe I've set up everything correctly:
[Attachments: FritzBox Port Fowarding.png, TrueNAS OpenVPN Server.png, TrueNAS Static Routes.png, TrueNAS Tunables.png]

I've exported the Client Configs and made the necessary changes, however when I run the OpenVPN Client on my Mac, I get the following error messages:

Code:
[Oct 4, 2021, 23:28:59] OpenVPN core 3.git::d06e216e mac x86_64 64-bit built on Sep 17 2021 04:58:03
[Oct 4, 2021, 23:28:59] Frame=512/2048/512 mssfix-ctrl=1250
[Oct 4, 2021, 23:28:59] UNUSED OPTIONS
    5 [user] [nobody]
    6 [group] [nobody]
    7 [persist-key]
    8 [persist-tun]
    12 [verb] [3]
[Oct 4, 2021, 23:28:59] EVENT: RESOLVE
[Oct 4, 2021, 23:29:00] Contacting xxx.xx.xxx.82:1194 via UDP
[Oct 4, 2021, 23:29:00] EVENT: WAIT
[Oct 4, 2021, 23:29:00] UnixCommandAgent: transmitting bypass route to /var/run/agent_ovpnconnect.sock
{
    "host" : "xxx.xx.xxx.82",
    "ipv6" : false,
    "pid" : 71707
}

[Oct 4, 2021, 23:29:00] Connecting to [subdomain.domain.net]:1194 (xxx.xx.xxx.82) via UDPv4
[Oct 4, 2021, 23:29:09] Server poll timeout, trying next remote entry...
[Oct 4, 2021, 23:29:09] EVENT: RECONNECTING
[Oct 4, 2021, 23:29:09] EVENT: RESOLVE
[Oct 4, 2021, 23:29:09] Contacting xxx.xx.xxx.82:1194 via UDP
[Oct 4, 2021, 23:29:09] EVENT: WAIT
[Oct 4, 2021, 23:29:09] UnixCommandAgent: transmitting bypass route to /var/run/agent_ovpnconnect.sock
{
    "host" : "xxx.xx.xxx.82",
    "ipv6" : false,
    "pid" : 71707
}

[Oct 4, 2021, 23:29:09] Connecting to [subdomain.domain.net]:1194 (xxx.xx.xxx.82) via UDPv4
[Oct 4, 2021, 23:29:19] Server poll timeout, trying next remote entry...


I've redacted my IP address but left the last two numbers so you can see it's the same everywhere.
The "subdomain.domain.net" address correctly resolves to my external IP address, as I've set up DDNS.
It seems like I'm not able to contact the server, but it's resolving the correct external IP and I have forwarded the correct UDP port in my FritzBox.

I'm not sure where to find the OpenVPN SERVER logs, so I can't check if the server is actually receiving any info.

I've tried connecting using my mobile as well, but I get the same series of messages in the log file, except without the "UnixCommandAgent" lines.

Any ideas on what I should check, or what could be going wrong?
 

John Doe (Guru)
Joined: Aug 16, 2011 | Messages: 635
It took me like 4 days to get it working. I cannot give a direct solution, but I do propose simplifying the chain of problems.

E.g. try without certificates and just go with username and password; when this works, go with certificates.

Another remark:
UDP is faster, but in some cases public hotspots block it. If you go with TCP/IP and port 443, public hotspots cannot block it the easy way; it just sneaks along with other HTTPS data.
 

Electr0 (Dabbler)
Joined: Dec 18, 2020 | Messages: 47

"E.g. try without certificates and just go with username and password; when this works, go with certificates."

How would I set that up?

I found this link: https://openvpn.net/community-resources/using-alternative-authentication-methods/
But it doesn't give any info on how to set the Username and Password.

I just ran a Wireshark analysis on my router and got the following:
[Attachment: WireShark FritzBox.png]

The xxx.xx.xxx.95 IP address is the address of my client - accessing inbound from the internet.

I'm guessing that port forwarding is working okay, as the Destination is my TrueNAS server IP, located at 192.168.0.200.
Although I'm not sure what the P_CONTROL_HARD_RESET_CLIENT_V2 means...

----------

After doing some searching I stumbled upon this page (https://sourceforge.net/p/openvpn/mailman/openvpn-users/thread/200502231146.06867@-mr700/) in which someone says the following:

"In SSL/TLS mode, the initial P_CONTROL_HARD_RESET_CLIENT or P_CONTROL_HARD_RESET_SERVER message creates an untrusted client instance object and sets the reply address, which cannot change during the life of the session (if the client address changes, a new session must be negotiated). If --tls-auth is used, the reply address will not be learned from a packet unless it is verified by an HMAC integrity check."


So I turned off the TLS Crypt Auth Enabled option and lo and behold I can connect - it's now working perfectly!

A few follow up questions:

1. Do I need to somehow configure the TLS Auth option on my Client, or is it safe enough to just not use it?

2. I can now access the TrueNAS Web UI when I navigate to 192.168.0.200 while connected via the VPN, but how do I access other applications/ports on the same IP? I have NZBget, Sonarr and Radarr on different ports (6789, 8989, etc.), but nothing else resolves, whether I try to access Sonarr or NZBget on the TrueNAS server by appending their ports to the IP address, or if I try to access my Router Web UI at the default gateway IP address, or even my Pi-Hole Web UI running on a Raspberry Pi - nothing works. What's going on? What did I mess up?
 
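The quoted passage explains why a client that is not sending the matching tls-auth HMAC is simply ignored, which on the client side looks exactly like the "Server poll timeout" loop in the first post (the TrueNAS "TLS Crypt Auth" option is assumed here to map to OpenVPN's tls-crypt, which applies the same drop-before-reply logic with encryption added). As an added example, not from the thread or from OpenVPN's own code, the following Python models the tls-auth control-packet layout and the server's HMAC check with a constructed key and session id; static-key file parsing and the replay window are left out.

```python
import hashlib, hmac, struct, time

# OpenVPN opcodes live in the upper 5 bits of the first byte; the low 3 bits are key_id.
OPCODES = {3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1",
           6: "P_DATA_V1", 7: "P_CONTROL_HARD_RESET_CLIENT_V2",
           8: "P_CONTROL_HARD_RESET_SERVER_V2", 9: "P_DATA_V2",
           10: "P_CONTROL_HARD_RESET_CLIENT_V3"}
HMAC_LEN = hashlib.sha1().digest_size   # --auth SHA1 is the tls-auth default (20 bytes)
HEAD_LEN = 1 + 8                        # opcode/key_id byte + 64-bit session id

def build_hard_reset(session_id, key=None, packet_id=1, net_time=None):
    """Client's first control packet (HARD_RESET_CLIENT_V2, key_id 0).
    Without tls-auth: opcode | session_id | ack_len | msg_packet_id.
    With tls-auth:    opcode | session_id | HMAC | packet_id | net_time | ack_len | msg_packet_id,
    where the HMAC covers packet_id | net_time | opcode | session_id | ack_len | msg_packet_id."""
    head = bytes([7 << 3 | 0]) + session_id
    rest = b"\x00" + struct.pack("!I", 0)          # empty ack array, message packet-id 0
    if key is None:
        return head + rest
    pid = struct.pack("!II", packet_id, int(time.time()) if net_time is None else net_time)
    mac = hmac.new(key, pid + head + rest, hashlib.sha1).digest()
    return head + mac + pid + rest

def server_accepts(packet, key=None):
    """Model of the server's first step on an unknown peer: decode the opcode and, when
    tls-auth is configured, verify the HMAC before a session is created or the reply
    address is learned. Returns (accepted, opcode_name). Replay window omitted."""
    name = OPCODES.get(packet[0] >> 3, "unknown")
    if name != "P_CONTROL_HARD_RESET_CLIENT_V2":
        return False, name
    if key is None:                                 # server without tls-auth: no check
        return True, name
    head = packet[:HEAD_LEN]
    mac = packet[HEAD_LEN:HEAD_LEN + HMAC_LEN]
    pid = packet[HEAD_LEN + HMAC_LEN:HEAD_LEN + HMAC_LEN + 8]
    rest = packet[HEAD_LEN + HMAC_LEN + 8:]
    if len(mac) != HMAC_LEN or len(pid) != 8:       # too short: client sent no tls-auth fields
        return False, name
    expected = hmac.new(key, pid + head + rest, hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected), name

if __name__ == "__main__":
    server_key = b"\x11" * 20                        # constructed key, not a real static key
    sid = b"\x01\x02\x03\x04\x05\x06\x07\x08"         # constructed session id
    print("matching key:", server_accepts(build_hard_reset(sid, server_key), server_key))
    print("no tls-auth: ", server_accepts(build_hard_reset(sid), server_key))
    print("wrong key:   ", server_accepts(build_hard_reset(sid, b"\x22" * 20), server_key))
```

A client config exported without the key reproduces the "no tls-auth" case: the server drops the packet before replying, so the client only ever sees the poll timeout.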