How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT


robles

Explorer
Joined
Jul 29, 2014
Messages
89
This would fall into the only other use case besides troubleshooting, high packet loss using UDP, as TCP literally cannot efficiently encapsulate itself.
  • I'd be curious to know if anyone has tried udp over port 80 to bypass strict firewalls, as that would be far more ideal.


The conversation has been about this tutorial and using an openssl.cnf in lieu of Easy-RSA to generate certs...
  • Please re-read the posts, looking past arbitrary certificate name references, referenced so because they're generic names within the openssl.cnf linked in my signature.
    • While I do believe @EvanVanVan referenced my OpenWrt OpenVPN wiki once or twice, the posts were always in regards to utilizing an openssl.cnf to generate certs in lieu of Easy-RSA in respect to this thread's tutorial
With that being said, this is your thread about your tutorial. If you believe the posts distract from the purpose of this thread, I'm more than happy to move them to their own separate thread.
I've tried to use UDP port 80, but have been more successful through TCP port 443.

This is because a strict stateful firewall will only let traffic through port 80 over TCP so it can read the traffic and decide on the go which should pass through; OpenVPN traffic will cause it to drop those packets. On port 443, the firewall knows it won't be able to intercept encrypted traffic, so it has no other option than to allow any TCP traffic that doesn't exceed transport packet size or show some giveaway abnormal packet formation. Again, YMMV.

Regarding the openssl.cnf conversation, I've read the OpenWRT wiki trying to find an easy way to substitute Easy-RSA, since the security concerns you posted earlier are valid, but they are way beyond the scope of this tutorial about creating a simple VPN tunnel.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
No problem at all. Would you like the posts about using openssl directly moved to their own thread?
 

ram

Cadet
Joined
Jul 31, 2015
Messages
5
@ram
While TCP can be used for OpenVPN, there's only two use cases for it:
  1. Troubleshooting
  2. High packet loss when utilizing UDP
Outside of those two use cases, TCP should not be utilized, as TCP cannot efficiently encapsulate itself.

It was not meant as an answer, only an (in my opinion) useful addition to the first post.
I use TCP in restricted WLANs which only allow 80/tcp and 443/tcp (my client config uses it automatically when UDP is not available). It's better than no VPN at all.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
It was not meant as an answer, only an (in my opinion) useful addition to the first post.
I use TCP in restricted WLANs which only allow 80/tcp and 443/tcp (my client config uses it automatically when UDP is not available). It's better than no VPN at all.
That would fall under "High packet loss when utilizing UDP"...

The issue with your original post is:
  1. There's no discernible purpose one can garner from your post
    • It appears it was in reference to @kpeng's problems, and if so, what you posted is not helpful in regards to their posts, as they need to post their log files for troubleshooting (their log files, combined with their configs, would be relevant to troubleshooting)
  2. What you posted in the aforementioned link can be found in the first post in this thread
    • Re-posting config files which are thoroughly covered by the OP is a bit baffling, leading one to posit you didn't read/skim the first post in this thread.
 
Joined
Jul 16, 2016
Messages
17
Dear all,
after a few months I'm back to my problem. I want to dedicate a few days to fixing it. The issue is I can access it with my iPhone ONLY when I'm on 3G/4G (using the OpenVPN app), but I can't connect when I'm on WiFi. If I try to connect with my Mac, I can connect to the VPN but I don't see any services.
Please could you help me? Do you need to see some logs?
Thank you very much!
 
Joined
Jul 16, 2016
Messages
17
I'll add some other info.
First of all, I'll explain how I'm testing now: I'm at home where my NAS is connected to the local LAN; my ISP router is configured to forward port 1195 to my jail IP (that's why I can access it with my phone from the 3G network without any problem); since I don't have an "external WiFi" here, I'm using my iPhone hotspot to connect my Mac to an "external network".

I'm using Shimo (registered) on my Mac with the same configuration files I successfully use with my iPhone on 3G. Shimo connects to my NAS but I don't have a "secured IP", I only see my "Remote IP" (my NAS public IP).

After connecting in that way with Shimo I checked my Mac WiFi IP settings and I have a 172.20.10.x address for both IPv4 address and Router. While subnet mask is 255.255.255.240.

The problem seems to be that my Mac can't get a valid IP to see my NAS services, right? I think that because when I successfully connect with my iPhone on 3G, the app immediately gives me 10.66.66.2 as the VPN IPv4 address.

Where could the problem be? I do hope it's just in the client configuration, since creating the server side has been pretty hard for me!!!!

Thank you for your kind help!
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@Michele Lombardo Please post the following config files:
  • Server Config
  • Client Config
  • Any firewall rules pertaining to the OpenVPN server within the jail
Please post the following log files:
  • VPN Server log (path should be in the VPN server config)
  • VPN Client logs for iPhone and Mac
 
Joined
Jul 16, 2016
Messages
17
Hi @zoomzoom
thank you for your reply. Yesterday night I was at home and I worked a lot looking at all the settings. After many attempts I saw a "pull" option in Shimo (I really don't know how I didn't see it before... since I had just upgraded the version, I want to believe it wasn't there before...) and magically I got a Secured IP. Everything was working perfectly on my Mac. Now I want to test it on a "real" external WiFi (I was using my iPhone hotspot). So tomorrow I'll be in town and I'll check both Mac and iPhone on a different WiFi.

I'll let you know how things go.

Thank you again!
 

THX

Dabbler
Joined
Dec 6, 2013
Messages
28
I found a little mistake in the howto. In openvpn-2.3.13_1, which is the current version when installing via pkg, one needs to specify auth sha256 in both the server AND the client config.

Now to my problem: I can't connect to my Emby jail through the VPN. It has been driving me crazy for a few days now. I recently updated from FreeNAS 9.3 to FreeNAS 9.10. I thought I'd delete my old OpenVPN jail to start over and put in the latest security features. I had a backup of my old (working) server.conf and just added some things later on.

I know I need to push route to my home network, maybe also allow client-to-client.
Code:
#server.conf
#
#
#local 192.168.20.200
port 1194
proto udp
dev tun
user nobody
group nobody
#
ca /openvpn/keys/ca.crt
cert /openvpn/keys/Ragbay.crt
key /openvpn/keys/Ragbay.key
dh /openvpn/keys/dh.pem
tls-auth /openvpn/keys/ta.key 0
#
server 10.8.0.0 255.255.255.0
push "route 192.168.20.0 255.255.255.0"
#push "redirect-gateway"
push "dhcp-option DNS 208.67.222.222"
client-to-client
keepalive 10 120
#
cipher AES-256-CBC
auth SHA512
#tls-cipher
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-S$
#
tls-version-min 1.2
comp-lzo
persist-key
persist-tun
status /openvpn/openvpn-status.log
ifconfig-pool-persist /openvpn/ipp.txt
verb 3


Code:
client
dev tun
proto udp
remote my.ddns.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
#
remote-cert-tls server
#
cipher AES-256-CBC
auth SHA512
#
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
#
#tls-version-min 1.2
mute-replay-warnings
comp-lzo
verb 3
#
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1

Configured ipfw accordingly
Code:
#!/bin/sh
# nat: NAT traffic from VPN clients (10.8.0.0/24) onto the jail's epair interface

# the jail's epair interface is the only interface whose name contains "epair"
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
# outbound: VPN clients towards the Emby jail; inbound: replies from the Emby jail
ipfw -q add nat 1 all from 10.8.0.0/24 to 192.168.20.203 out via ${EPAIR}
ipfw -q add nat 1 all from 192.168.20.203 to any in via ${EPAIR}

# rename the tun device OpenVPN created so the rest of the setup can refer to tun0
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0


Route seems to be fine.
Code:
root@OpenVPN:/openvpn # netstat -nr
Routing tables

Internet:
Destination		Gateway			Flags	  Netif Expire
default			192.168.20.1	   UGS	 epair0b
10.8.0.0/24		10.8.0.2		   UGS		tun0
10.8.0.1		   link#3			 UHS		 lo0
10.8.0.2		   link#3			 UH		 tun0
127.0.0.1		  link#1			 UH		  lo0
192.168.20.0/24	link#2			 U	   epair0b
192.168.20.200	 link#2			 UHS		 lo0
root@OpenVPN:/openvpn #


status.log
Code:
OpenVPN CLIENT LIST
Updated,Mon Dec 12 05:56:37 2016
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
me.me,2.2.2.2:17001,6911,6201,Mon Dec 12 05:56:19 2016
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,me.me,2.2.2.2:17001,Mon Dec 12 05:56:26 2016
GLOBAL STATS
Max bcast/mcast queue length,0
END


Code:
2016-12-12 04:55:32 Generiere OpenVPN-Konfiguration…
2016-12-12 04:55:32 started Socket Thread
2016-12-12 04:55:33 Current Parameter Settings:
2016-12-12 04:55:33   config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2016-12-12 04:55:33   mode = 0
2016-12-12 04:55:33   show_ciphers = DISABLED
2016-12-12 04:55:33   show_digests = DISABLED
2016-12-12 04:55:33   show_engines = DISABLED
2016-12-12 04:55:33   genkey = DISABLED
2016-12-12 04:55:33   key_pass_file = '[UNDEF]'
2016-12-12 04:55:33   show_tls_ciphers = DISABLED
2016-12-12 04:55:33   connect_retry_max = 0
2016-12-12 04:55:33 Connection profiles [0]:
2016-12-12 04:55:33   proto = udp
2016-12-12 04:55:33   local = '[UNDEF]'
2016-12-12 04:55:33   local_port = '[UNDEF]'
2016-12-12 04:55:33   remote = 'my.ddns.com'
2016-12-12 04:55:33   remote_port = '443'
2016-12-12 04:55:33   remote_float = DISABLED
2016-12-12 04:55:33   bind_defined = DISABLED
2016-12-12 04:55:33   bind_local = DISABLED
2016-12-12 04:55:33   bind_ipv6_only = DISABLED
2016-12-12 04:55:33   connect_retry_seconds = 2
2016-12-12 04:55:33   connect_timeout = 120
2016-12-12 04:55:33   socks_proxy_server = '[UNDEF]'
2016-12-12 04:55:33   socks_proxy_port = '[UNDEF]'
2016-12-12 04:55:33   tun_mtu = 1500
2016-12-12 04:55:33   tun_mtu_defined = ENABLED
2016-12-12 04:55:33   link_mtu = 1500
2016-12-12 04:55:33   link_mtu_defined = DISABLED
2016-12-12 04:55:33   tun_mtu_extra = 0
2016-12-12 04:55:33   tun_mtu_extra_defined = DISABLED
2016-12-12 04:55:33   mtu_discover_type = -1
2016-12-12 04:55:33   fragment = 0
2016-12-12 04:55:33   mssfix = 1450
2016-12-12 04:55:33   explicit_exit_notification = 0
2016-12-12 04:55:33 Connection profiles END
2016-12-12 04:55:33   remote_random = DISABLED
2016-12-12 04:55:33   ipchange = '[UNDEF]'
2016-12-12 04:55:33   dev = 'tun'
2016-12-12 04:55:33   dev_type = '[UNDEF]'
2016-12-12 04:55:33   dev_node = '[UNDEF]'
2016-12-12 04:55:33   lladdr = '[UNDEF]'
2016-12-12 04:55:33   topology = 1
2016-12-12 04:55:33   ifconfig_local = '[UNDEF]'
2016-12-12 04:55:33   ifconfig_remote_netmask = '[UNDEF]'
2016-12-12 04:55:33   ifconfig_noexec = DISABLED
2016-12-12 04:55:33   ifconfig_nowarn = ENABLED
2016-12-12 04:55:33   ifconfig_ipv6_local = '[UNDEF]'
2016-12-12 04:55:33   ifconfig_ipv6_netbits = 0
2016-12-12 04:55:33   ifconfig_ipv6_remote = '[UNDEF]'
2016-12-12 04:55:33   shaper = 0
2016-12-12 04:55:33   mtu_test = 0
2016-12-12 04:55:33   mlock = DISABLED
2016-12-12 04:55:33   keepalive_ping = 0
2016-12-12 04:55:33   keepalive_timeout = 0
2016-12-12 04:55:33   inactivity_timeout = 0
2016-12-12 04:55:33   ping_send_timeout = 0
2016-12-12 04:55:33   ping_rec_timeout = 0
2016-12-12 04:55:33   ping_rec_timeout_action = 0
2016-12-12 04:55:33   ping_timer_remote = DISABLED
2016-12-12 04:55:33   remap_sigusr1 = 0
2016-12-12 04:55:33   persist_tun = ENABLED
2016-12-12 04:55:33   persist_local_ip = DISABLED
2016-12-12 04:55:33   persist_remote_ip = DISABLED
2016-12-12 04:55:33   persist_key = DISABLED
2016-12-12 04:55:33   passtos = DISABLED
2016-12-12 04:55:33   resolve_retry_seconds = 1000000000
2016-12-12 04:55:33   resolve_in_advance = ENABLED
2016-12-12 04:55:33   username = '[UNDEF]'
2016-12-12 04:55:33   groupname = '[UNDEF]'
2016-12-12 04:55:33   chroot_dir = '[UNDEF]'
2016-12-12 04:55:33   cd_dir = '[UNDEF]'
2016-12-12 04:55:33   writepid = '[UNDEF]'
2016-12-12 04:55:33   up_script = '[UNDEF]'
2016-12-12 04:55:33   down_script = '[UNDEF]'
2016-12-12 04:55:33   down_pre = DISABLED
2016-12-12 04:55:33   up_restart = DISABLED
2016-12-12 04:55:33   up_delay = DISABLED
2016-12-12 04:55:33   daemon = DISABLED
2016-12-12 04:55:33   inetd = 0
2016-12-12 04:55:33   log = DISABLED
2016-12-12 04:55:33   suppress_timestamps = DISABLED
2016-12-12 04:55:33   machine_readable_output = ENABLED
2016-12-12 04:55:33   nice = 0
2016-12-12 04:55:33   verbosity = 4
2016-12-12 04:55:33   mute = 0
2016-12-12 04:55:33   gremlin = 0
2016-12-12 04:55:33   status_file = '[UNDEF]'
2016-12-12 04:55:33   status_file_version = 1
2016-12-12 04:55:33   status_file_update_freq = 60
2016-12-12 04:55:33   occ = ENABLED
2016-12-12 04:55:33   rcvbuf = 0
2016-12-12 04:55:33   sndbuf = 0
2016-12-12 04:55:33   sockflags = 0
2016-12-12 04:55:33   fast_io = DISABLED
2016-12-12 04:55:33   comp.alg = 2
2016-12-12 04:55:33   comp.flags = 1
2016-12-12 04:55:33   route_script = '[UNDEF]'
2016-12-12 04:55:33   route_default_gateway = '[UNDEF]'
2016-12-12 04:55:33   route_default_metric = 0
2016-12-12 04:55:33   route_noexec = DISABLED
2016-12-12 04:55:33   route_delay = 0
2016-12-12 04:55:33   route_delay_window = 30
2016-12-12 04:55:33   route_delay_defined = DISABLED
2016-12-12 04:55:33   route_nopull = DISABLED
2016-12-12 04:55:33   route_gateway_via_dhcp = DISABLED
2016-12-12 04:55:33   allow_pull_fqdn = DISABLED
2016-12-12 04:55:33   management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2016-12-12 04:55:33   management_port = 'unix'
2016-12-12 04:55:33   management_user_pass = '[UNDEF]'
2016-12-12 04:55:33   management_log_history_cache = 250
2016-12-12 04:55:33   management_echo_buffer_size = 100
2016-12-12 04:55:33   management_write_peer_info_file = '[UNDEF]'
2016-12-12 04:55:33   management_client_user = '[UNDEF]'
2016-12-12 04:55:33   management_client_group = '[UNDEF]'
2016-12-12 04:55:33   management_flags = 4390
2016-12-12 04:55:33   shared_secret_file = '[UNDEF]'
2016-12-12 04:55:33   key_direction = 2
2016-12-12 04:55:33   ciphername = 'AES-256-CBC'
2016-12-12 04:55:33   authname = 'SHA512'
2016-12-12 04:55:33   prng_hash = 'SHA1'
2016-12-12 04:55:33   prng_nonce_secret_len = 16
2016-12-12 04:55:33   keysize = 0
2016-12-12 04:55:33   engine = DISABLED
2016-12-12 04:55:33   replay = ENABLED
2016-12-12 04:55:33   mute_replay_warnings = ENABLED
2016-12-12 04:55:33   replay_window = 64
2016-12-12 04:55:33   replay_time = 15
2016-12-12 04:55:33   packet_id_file = '[UNDEF]'
2016-12-12 04:55:33   use_iv = ENABLED
2016-12-12 04:55:33   test_crypto = DISABLED
2016-12-12 04:55:33   tls_server = DISABLED
2016-12-12 04:55:33   tls_client = ENABLED
2016-12-12 04:55:33   key_method = 2
2016-12-12 04:55:33   ca_file = '[[INLINE]]'
2016-12-12 04:55:33   ca_path = '[UNDEF]'
2016-12-12 04:55:33   dh_file = '[UNDEF]'
2016-12-12 04:55:33   cert_file = '[[INLINE]]'
2016-12-12 04:55:33   extra_certs_file = '[UNDEF]'
2016-12-12 04:55:33   priv_key_file = '[[INLINE]]'
2016-12-12 04:55:33   pkcs12_file = '[UNDEF]'
2016-12-12 04:55:33   cipher_list = 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
2016-12-12 04:55:33   tls_verify = '[UNDEF]'
2016-12-12 04:55:33   tls_export_cert = '[UNDEF]'
2016-12-12 04:55:33   verify_x509_type = 0
2016-12-12 04:55:33   verify_x509_name = '[UNDEF]'
2016-12-12 04:55:33   crl_file = '[UNDEF]'
2016-12-12 04:55:33   ns_cert_type = 0
2016-12-12 04:55:33   remote_cert_ku = 160
2016-12-12 04:55:33   remote_cert_ku = 136
2016-12-12 04:55:33   remote_cert_ku = 0
2016-12-12 04:55:33   remote_cert_ku = 0
2016-12-12 04:55:33   remote_cert_ku = 0
2016-12-12 04:55:33   remote_cert_ku = 0
2016-12-12 04:55:33   remote_cert_ku = 0
2016-12-12 04:55:33   remote_cert_ku = 0
2016-12-12 04:55:33   remote_cert_ku = 0
2016-12-12 04:55:33   remote_cert_ku = 0
2016-12-12 04:55:33   remote_cert_ku = 0
2016-12-12 04:55:33   remote_cert_ku = 0
2016-12-12 04:55:33   remote_cert_ku = 0
2016-12-12 04:55:33   remote_cert_ku = 0
2016-12-12 04:55:33   remote_cert_ku = 0
2016-12-12 04:55:33   remote_cert_ku = 0
2016-12-12 04:55:33   remote_cert_eku = 'TLS Web Server Authentication'
2016-12-12 04:55:33   ssl_flags = 0
2016-12-12 04:55:33   tls_timeout = 2
2016-12-12 04:55:33   renegotiate_bytes = 0
2016-12-12 04:55:33   renegotiate_packets = 0
2016-12-12 04:55:33   renegotiate_seconds = 3600
2016-12-12 04:55:33   handshake_window = 60
2016-12-12 04:55:33   transition_window = 3600
2016-12-12 04:55:33   single_session = DISABLED
2016-12-12 04:55:33   push_peer_info = DISABLED
2016-12-12 04:55:33   tls_exit = DISABLED
2016-12-12 04:55:33   tls_auth_file = '[[INLINE]]'
2016-12-12 04:55:33   client = ENABLED
2016-12-12 04:55:33   pull = ENABLED
2016-12-12 04:55:33   auth_user_pass_file = '[UNDEF]'
2016-12-12 04:55:33 OpenVPN 2.4-icsopenvpn [git:HEAD-9d8801b6185d7453] android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [IPv6] built on Oct 13 2016
2016-12-12 04:55:33 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
2016-12-12 04:55:33 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2016-12-12 04:55:33 MANAGEMENT: CMD 'hold release'
2016-12-12 04:55:34 MANAGEMENT: CMD 'bytecount 2'
2016-12-12 04:55:34 MANAGEMENT: CMD 'proxy NONE'
2016-12-12 04:55:34 MANAGEMENT: CMD 'state on'
2016-12-12 04:55:34 Netzwerkstatus: CONNECTED HSDPA to MOBILE internet.q.de
2016-12-12 04:55:35 MANAGEMENT: CMD 'password [...]'
2016-12-12 04:55:35 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2016-12-12 04:55:35 Deprecated TLS cipher name 'DHE-RSA-AES256-GCM-SHA384', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'
2016-12-12 04:55:35 Deprecated TLS cipher name 'DHE-RSA-AES256-SHA256', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA256'
2016-12-12 04:55:35 Deprecated TLS cipher name 'DHE-RSA-AES128-GCM-SHA256', please use IANA name 'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256'
2016-12-12 04:55:35 Deprecated TLS cipher name 'DHE-RSA-AES128-SHA256', please use IANA name 'TLS-DHE-RSA-WITH-AES-128-CBC-SHA256'
2016-12-12 04:55:35 Deprecated TLS cipher name 'DHE-RSA-CAMELLIA256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA'
2016-12-12 04:55:35 Deprecated TLS cipher name 'DHE-RSA-AES256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
2016-12-12 04:55:35 Deprecated TLS cipher name 'DHE-RSA-CAMELLIA128-SHA', please use IANA name 'TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA'
2016-12-12 04:55:35 Deprecated TLS cipher name 'DHE-RSA-AES128-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-128-CBC-SHA'
2016-12-12 04:55:35 Deprecated TLS cipher name 'CAMELLIA256-SHA', please use IANA name 'TLS-RSA-WITH-CAMELLIA-256-CBC-SHA'
2016-12-12 04:55:35 Deprecated TLS cipher name 'AES256-SHA', please use IANA name 'TLS-RSA-WITH-AES-256-CBC-SHA'
2016-12-12 04:55:35 Deprecated TLS cipher name 'CAMELLIA128-SHA', please use IANA name 'TLS-RSA-WITH-CAMELLIA-128-CBC-SHA'
2016-12-12 04:55:35 Deprecated TLS cipher name 'AES128-SHA', please use IANA name 'TLS-RSA-WITH-AES-128-CBC-SHA'
2016-12-12 04:55:35 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2016-12-12 04:55:35 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2016-12-12 04:55:35 LZO compression initializing
2016-12-12 04:55:35 Control Channel MTU parms [ L:1622 D:1140 EF:110 EB:0 ET:0 EL:3 ]
2016-12-12 04:55:35 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2016-12-12 04:55:35 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
2016-12-12 04:55:35 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
2016-12-12 04:55:35 TCP/UDP: Preserving recently used remote address: [AF_INET]1.1.1.1:443
2016-12-12 04:55:35 Socket Buffers: R=[163840->163840] S=[163840->163840]
2016-12-12 04:55:35 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2016-12-12 04:55:35 UDP link local: (not bound)
2016-12-12 04:55:35 UDP link remote: [AF_INET]1.1.1.1:443
2016-12-12 04:55:35 MANAGEMENT: >STATE:1481514935,WAIT,,,,,,
2016-12-12 04:55:36 MANAGEMENT: >STATE:1481514936,AUTH,,,,,,
2016-12-12 04:55:36 TLS: Initial packet from [AF_INET]1.1.1.1:443, sid=244492b2 35563393
2016-12-12 04:55:36 PID_ERR replay-window backtrack occurred [2] [TLS_AUTH-0] [00_00] 1481514937:5 1481514937:3 t=1481514936[0] r=[0,64,15,2,1] sl=[59,5,64,272]
2016-12-12 04:55:36 VERIFY OK: depth=1, CN=Easy-RSA CA
2016-12-12 04:55:36 Validating certificate key usage
2016-12-12 04:55:36 ++ Certificate has key usage  00a0, expects 00a0
2016-12-12 04:55:36 VERIFY KU OK
2016-12-12 04:55:36 Validating certificate extended key usage
2016-12-12 04:55:36 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2016-12-12 04:55:36 VERIFY EKU OK
2016-12-12 04:55:36 VERIFY OK: depth=0, CN=OVPN
2016-12-12 04:55:37 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
2016-12-12 04:55:37 [OVPN] Peer Connection Initiated with [AF_INET]1.1.1.1:443
2016-12-12 04:55:39 MANAGEMENT: >STATE:1481514939,GET_CONFIG,,,,,,
2016-12-12 04:55:39 SENT CONTROL [OVPN]: 'PUSH_REQUEST' (status=1)
2016-12-12 04:55:39 PUSH: Received control message: 'PUSH_REPLY,route 192.168.20.0 255.255.255.0,redirect-gateway,dhcp-option DNS 208.67.222.222,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
2016-12-12 04:55:39 OPTIONS IMPORT: timers and/or timeouts modified
2016-12-12 04:55:39 OPTIONS IMPORT: --ifconfig/up options modified
2016-12-12 04:55:39 OPTIONS IMPORT: route options modified
2016-12-12 04:55:39 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2016-12-12 04:55:39 Data Channel MTU parms [ L:1602 D:1450 EF:102 EB:406 ET:0 EL:3 ]
2016-12-12 04:55:39 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2016-12-12 04:55:39 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
2016-12-12 04:55:39 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2016-12-12 04:55:39 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
2016-12-12 04:55:39 GDG: SIOCGIFHWADDR(lo) failed
2016-12-12 04:55:39 ROUTE_GATEWAY 127.2.2.2/255.0.0.0 IFACE=lo
2016-12-12 04:55:39 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2016-12-12 04:55:39 MANAGEMENT: >STATE:1481514939,ASSIGN_IP,,10.8.0.6,,,,
2016-12-12 04:55:39 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2016-12-12 04:55:39 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2016-12-12 04:55:39 MANAGEMENT: >STATE:1481514939,ADD_ROUTES,,,,,,
2016-12-12 04:55:39 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2016-12-12 04:55:39 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2016-12-12 04:55:39 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2016-12-12 04:55:39 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2016-12-12 04:55:39 Tun-Netzwerkinterface wird geöffnet:
2016-12-12 04:55:39 Lokale IPv4: 10.8.0.6/30 IPv6: null MTU: 1500
2016-12-12 04:55:39 DNS-Server: 208.67.222.222, Domäne: null
2016-12-12 04:55:39 Routen: 0.0.0.0/0, 10.8.0.0/24, 10.8.0.4/30, 192.168.20.0/24
2016-12-12 04:55:39 Ausgeschlossene Routen: 
2016-12-12 04:55:39 Installierte VpnService-Routen: 0.0.0.0/0
2016-12-12 04:55:39 Nicht zugelassene Apps für das VPN:
2016-12-12 04:55:39 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2016-12-12 04:55:39 Initialization Sequence Completed
2016-12-12 04:55:39 MANAGEMENT: >STATE:1481514939,CONNECTED,SUCCESS,10.8.0.6,1.1.1.1,443,,
2016-12-12 04:55:39 Netzwerkstatus: CONNECTED HSPA+ to MOBILE internet.q.de
2016-12-12 05:19:45 MANAGEMENT: CMD 'signal SIGINT'
2016-12-12 05:19:45 Local IP address unset and received. Neither pushed server config nor local config specifies an IP addresses. Opening tun device is most likely going to fail.
2016-12-12 05:19:45 TCP/UDP: Closing socket
2016-12-12 05:19:45 Sorry, deleting routes on Android is not possible. The VpnService API allows routes to be set on connect only.
2016-12-12 05:19:45 Closing TUN/TAP interface
2016-12-12 05:19:46 SIGINT[hard,] received, process exiting
2016-12-12 05:19:46 MANAGEMENT: >STATE:1481516386,EXITING,SIGINT,,,,,
2016-12-12 05:19:46 Connection to OpenVPN closed (socket closed)
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@THX Please see this post for what else needs to be posted
 

THX

Dabbler
Joined
Dec 6, 2013
Messages
28
@zoomzoom
I updated my post above. To be a little more precise: I can connect to my VPN. I can even connect to an FTP server I installed in the VPN jail (both via 10.8.0.1 and 192.168.20.200), but I can't reach Emby (192.168.20.203) through the VPN. If I'm not connected to the VPN and am connected to WiFi, I reach Emby just fine.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@zoomzoom
I updated my post above. To be a little more precise: I can connect to my VPN. I can even connect to an FTP server I installed in the VPN jail (both via 10.8.0.1 and 192.168.20.200), but I can't reach Emby (192.168.20.203) through the VPN. If I'm not connected to the VPN and am connected to WiFi, I reach Emby just fine.
Please put code & log output within code brackets, not cmd brackets... cmd brackets are for commands, code brackets are for configs, log files, & scripts.
(Reason: the two are formatted differently, and you'll immediately notice the difference once you change them to code brackets)

Currently, per the client log, the connection failed since you're missing a server IP.
  • Either:
    • OpenVPN server interface needs to have a static IP assigned
      OR:
    • OpenVPN server config must specify a server interface ifconfig command
      • server 10.8.0.0 255.255.255.0 specifies VPN subnet
      • ifconfig 10.8.0.1 255.255.255.0 specifies VPN Server IP
Code:
2016-12-12 05:19:45 Local IP address unset and received. Neither pushed server config nor local config specifies an IP addresses. Opening tun device is most likely going to fail.

A few things stood out:

  1. [server] tls-cipher has $ at the end and is not a complete cipher string
  2. [server & client] If you haven't already done so, you're going to want to run openvpn --show-tls on your client and server, then compile a matching cipher list using only AES-256-CBC/AES-256-GCM ciphers:
    • If you'd like to use AES-128-CBC/GCM and/or AES-192-CBC/GCM, simply match their respective versions of the AES256 ciphers below; however, it's recommended to avoid the rest due to security
      • i.e. do not use camellia, dss, dsa, etc. or ciphers using hashing below SHA256
    • While EC will not be supported until 2.4, it is in final testing, so including EC ciphers now will make one less thing to do when it is upgraded in the next few months
      • Your ciphers are also not in the correct format, which is the IANA name (i.e. prefaced with "TLS-")
    • 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:TLS-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-AES-256-CBC-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4'
      • I'm almost positive I read some information on StackExchange around a month ago regarding GCM ciphers and avoiding them, instead relying on CBC only. I could very well be misremembering, however it is something you're going to want to spend a bit of time researching (thread/posts themselves were from ~2015 /2016 IIRC)
  3. [client] Your TLS ciphers should be modified, removing all but the first two
    • See #2: copy, paste, remove everything following TLS-RSA-WITH-AES-256-CBC-SHA256
  4. [server & client] Unless you're accessing highly confidential data, 4096bit encryption is way overboard, offering no advantages over 2048bit, and a whole host of disadvantages.
    • Currently, 2048bit is uncrackable and will remain so until at least 2030, barring any major breakthroughs in quantum computing (at which point all current encryption algorithms will be rendered insecure).
    • Once 2.4 is released and EC ciphers are accepted and used, then hashes and keys must exceed the encryption value one wishes to have if utilizing EC ciphers (i.e. 2048bit encryption would require a key that is 3072bit or 4096bit; a hash of SHA256 would need to be SHA384 or SHA512)
  5. [server & client] You may already know this, but if not, unless your client and/or server is running an x64 OS, SHA256 should be utilized.
    • SHA512 should only be utilized on x64 installations due to the ability of 64bit OSes to process SHA512 faster than SHA256
  6. [client] tls-version-min should be specified if you're specifying it in the server config
    • Majority of server options must/should be mirrored in the client config
  7. [server & client] Change to: proto tcp
    • TCP should be used when troubleshooting
  8. [server] Change to: verb 4
  9. [client] Change to: verb 5
  10. [server] log is missing
    • status log is not the same as the server log - they're two completely different logs with two completely different purposes.
  11. [server] While not an issue per se, you should add topology subnet, otherwise OpenVPN uses Net30 by default, which is obsolete.
Once done, restart server, then attempt to connect to Emby. Once an access attempt fails, please post:
  • server log file
  • client log file
 
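The checklist above as a script, added here as an example (not the thread's own code, nor anything shipped with OpenVPN): it parses a server/client config pair and reports the points raised in items #1, #2, #6, #8, #9, #10 and #11. The embedded configs are constructed from the ones posted earlier in the thread, trimmed to the relevant directives.

```python
"""Lint an OpenVPN server/client config pair against the checklist in this thread."""

# Constructed samples, trimmed from the server.conf and client config posted
# in this thread; they are not the poster's complete files.
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.20.0 255.255.255.0"
cipher AES-256-CBC
auth SHA512
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-S$
tls-version-min 1.2
comp-lzo
status /openvpn/openvpn-status.log
verb 3
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote my.ddns.com 443
cipher AES-256-CBC
auth SHA512
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:AES128-SHA
#tls-version-min 1.2
comp-lzo
verb 3
"""

# Directives the client must mirror from the server (#6 in the checklist).
MIRRORED = ("cipher", "auth", "tls-version-min", "comp-lzo")
# Suite-name fragments the checklist says to avoid (#2).
WEAK_MARKERS = ("CAMELLIA", "DSS", "DSA", "3DES", "RC4", "MD5")


def parse_conf(text):
    """Map directive -> value, skipping blank lines and '#'/';' comment lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_tls_cipher(value):
    """Findings for one tls-cipher string (checklist items #1 and #2)."""
    findings = []
    if value.endswith("$"):  # the '$' a pager or editor appends to a cut-off line
        findings.append("tls-cipher truncated: trailing '$' copied from a pager/editor")
    # '!' entries are exclusions, not suites, so they are not checked
    suites = [s for s in value.rstrip("$").split(":") if not s.startswith("!")]
    non_iana = [s for s in suites if not s.startswith("TLS-")]
    if non_iana:
        findings.append("tls-cipher not in IANA 'TLS-' form: " + ", ".join(non_iana))
    # a suite name ending in '-SHA' is SHA1-based; the markers cover the other rejects
    weak = [s for s in suites
            if any(m in s.upper() for m in WEAK_MARKERS) or s.upper().endswith("-SHA")]
    if weak:
        findings.append("tls-cipher includes weak suites (non-AES or SHA1): " + ", ".join(weak))
    return findings


def lint(server_text, client_text):
    """Return a list of '[side] finding' strings for a server/client config pair."""
    server, client = parse_conf(server_text), parse_conf(client_text)
    findings = []
    for side, conf in (("server", server), ("client", client)):
        if "tls-cipher" in conf:
            findings += ["[%s] %s" % (side, f) for f in check_tls_cipher(conf["tls-cipher"])]
    for key in MIRRORED:
        if key not in server:
            continue
        if key not in client:
            findings.append("[client] %s missing; server sets %r" % (key, server[key]))
        elif client[key] != server[key]:
            findings.append("[client] %s=%r differs from server %r" % (key, client[key], server[key]))
    if "log" not in server and "log-append" not in server:  # #10
        findings.append("[server] no log/log-append; 'status' is a different file")
    if server.get("topology") != "subnet":  # #11: OpenVPN defaults to net30
        findings.append("[server] topology subnet not set; default net30 is obsolete")
    if int(server.get("verb", "1")) < 4:  # #8
        findings.append("[server] verb below 4; raise it while troubleshooting")
    if int(client.get("verb", "1")) < 5:  # #9
        findings.append("[client] verb below 5; raise it while troubleshooting")
    return findings


if __name__ == "__main__":
    for finding in lint(SERVER_CONF, CLIENT_CONF):
        print(finding)
```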

THX

Dabbler
Joined
Dec 6, 2013
Messages
28
Thanks for all your help zoomzoom. Much appreciated.

I changed some of the things you mentioned, but need to look deeper in some.
Most important to me is that OpenVPN clients can connect to the services of my server jails. Everything else I will look into later.

For privacy reasons I changed the public IP addresses:
IP mobile: 82.20.20.20
IP server: 10.10.10.10

So I connected with my Android phone to the server. But I still can't reach Emby. I see now there is an address in a private IP range whose packets get dropped. I think that's the problem. I don't know why/where my client got this address.

Code:
bad source address from client [10.146.12.209], packet dropped


edit: Unfortunately, because of the character limit, I had to shorten the logs. If you think something is missing, I need to upload them somewhere else and provide you with the link.
Code:
#
#server.log
#
Fri Dec 16 00:26:31 2016 us=131594 MULTI: multi_create_instance called
Fri Dec 16 00:26:31 2016 us=131832 Re-using SSL/TLS context
Fri Dec 16 00:26:31 2016 us=131938 LZO compression initialized
Fri Dec 16 00:26:31 2016 us=132282 Control Channel MTU parms [ L:1604 D:1138 EF:112 EB:0 ET:0 EL:3 ]
Fri Dec 16 00:26:31 2016 us=132386 Data Channel MTU parms [ L:1604 D:1450 EF:104 EB:143 ET:0 EL:3 AF:3/1 ]
Fri Dec 16 00:26:31 2016 us=132493 Local Options String: 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Fri Dec 16 00:26:31 2016 us=132546 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Fri Dec 16 00:26:31 2016 us=132641 Local Options hash (VER=V4): 'eda38e81'
Fri Dec 16 00:26:31 2016 us=132708 Expected Remote Options hash (VER=V4): 'c19f87b0'
Fri Dec 16 00:26:31 2016 us=132805 TCP connection established with [AF_INET]82.20.20.20:12303
Fri Dec 16 00:26:31 2016 us=132866 TCPv4_SERVER link local: [undef]
Fri Dec 16 00:26:31 2016 us=132923 TCPv4_SERVER link remote: [AF_INET]82.20.20.20:12303
Fri Dec 16 00:26:31 2016 us=193096 82.20.20.20:12303 TLS: Initial packet from [AF_INET]82.20.20.20:12303, sid=8092302b 323dd476
Fri Dec 16 00:26:33 2016 us=974067 82.20.20.20:12303 VERIFY OK: depth=1, CN=Easy-RSA CA
Fri Dec 16 00:26:33 2016 us=975058 82.20.20.20:12303 Validating certificate key usage
Fri Dec 16 00:26:33 2016 us=975120 82.20.20.20:12303 ++ Certificate has key usage  0080, expects 0080
Fri Dec 16 00:26:33 2016 us=975166 82.20.20.20:12303 VERIFY KU OK
Fri Dec 16 00:26:33 2016 us=975215 82.20.20.20:12303 Validating certificate extended key usage
Fri Dec 16 00:26:33 2016 us=975266 82.20.20.20:12303 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Fri Dec 16 00:26:33 2016 us=975307 82.20.20.20:12303 VERIFY EKU OK
Fri Dec 16 00:26:33 2016 us=975347 82.20.20.20:12303 VERIFY OK: depth=0, CN=me.client
Fri Dec 16 00:26:34 2016 us=202190 82.20.20.20:12303 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Dec 16 00:26:34 2016 us=202344 82.20.20.20:12303 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri Dec 16 00:26:34 2016 us=202399 82.20.20.20:12303 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Dec 16 00:26:34 2016 us=202452 82.20.20.20:12303 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri Dec 16 00:26:34 2016 us=291236 82.20.20.20:12303 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Fri Dec 16 00:26:34 2016 us=291377 82.20.20.20:12303 [me.client] Peer Connection Initiated with [AF_INET]82.20.20.20:12303
Fri Dec 16 00:26:34 2016 us=291467 me.client/82.20.20.20:12303 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Fri Dec 16 00:26:34 2016 us=291587 me.client/82.20.20.20:12303 MULTI: Learn: 10.8.0.6 -> me.client/82.20.20.20:12303
Fri Dec 16 00:26:34 2016 us=291635 me.client/82.20.20.20:12303 MULTI: primary virtual IP for me.client/82.20.20.20:12303: 10.8.0.6
Fri Dec 16 00:26:35 2016 us=351323 me.client/82.20.20.20:12303 PUSH: Received control message: 'PUSH_REQUEST'
Fri Dec 16 00:26:35 2016 us=351458 me.client/82.20.20.20:12303 send_push_reply(): safe_cap=940
Fri Dec 16 00:26:35 2016 us=351544 me.client/82.20.20.20:12303 SENT CONTROL [me.client]: 'PUSH_REPLY,route 192.168.20.0 255.255.255.0,DNS 208.67.222.222,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Fri Dec 16 00:26:35 2016 us=931273 me.client/82.20.20.20:12303 MULTI: bad source address from client [10.146.12.209], packet dropped
Fri Dec 16 00:26:36 2016 us=261764 me.client/82.20.20.20:12303 MULTI: bad source address from client [10.146.12.209], packet dropped
Fri Dec 16 00:26:36 2016 us=921402 me.client/82.20.20.20:12303 MULTI: bad source address from client [10.146.12.209], packet dropped
Fri Dec 16 00:26:38 2016 us=241553 me.client/82.20.20.20:12303 MULTI: bad source address from client [10.146.12.209], packet dropped
Fri Dec 16 00:26:40 2016 us=891548 me.client/82.20.20.20:12303 MULTI: bad source address from client [10.146.12.209], packet dropped
Fri Dec 16 00:26:47 2016 us=270012 me.client/82.20.20.20:12303 MULTI: bad source address from client [10.146.12.209], packet dropped
Fri Dec 16 00:26:52 2016 us=872076 me.client/82.20.20.20:12303 MULTI: bad source address from client [10.146.12.209], packet dropped
Fri Dec 16 00:26:57 2016 us=702441 me.client/82.20.20.20:12303 MULTI: bad source address from client [10.146.12.209], packet dropped
Fri Dec 16 00:27:18 2016 us=397195 me.client/82.20.20.20:12303 MULTI: bad source address from client [10.146.12.209], packet dropped


Code:
#
#client.log
#
2016-12-16 00:26:34 Routen: 0.0.0.0/0, 10.8.0.0/24, 10.8.0.4/30, 192.168.20.0/24
2016-12-16 00:26:34 Ausgeschlossene Routen:
2016-12-16 00:26:34 Installierte VpnService-Routen: 0.0.0.0/0
2016-12-16 00:26:34 Nicht zugelassene Apps für das VPN:
2016-12-16 00:26:34 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2016-12-16 00:26:34 Initialization Sequence Completed
2016-12-16 00:26:34 MANAGEMENT: >STATE:1481844394,CONNECTED,SUCCESS,10.8.0.6,10.10.10.10,443,10.146.12.209,49056
2016-12-16 00:26:34 Netzwerkstatus: CONNECTED HSPA+ to MOBILE internet.eplus.de

2016-12-16 00:26:25 F-Droid built and signed version 0.6.60 läuft auf samsung GT-I9505 (MSM8960), Android 6.0.1 (MOB31K) API 23, ABI armeabi-v7a, (samsung/jfltexx/jflte:5.0.1/LRX22C/I9505XXUHPF4:user/release-keys)
2016-12-16 00:26:25 Generiere OpenVPN-Konfiguration…
2016-12-16 00:26:25 started Socket Thread
2016-12-16 00:26:26 Current Parameter Settings:
2016-12-16 00:26:26   config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2016-12-16 00:26:26   mode = 0
2016-12-16 00:26:26   show_ciphers = DISABLED
2016-12-16 00:26:26   show_digests = DISABLED
2016-12-16 00:26:26   show_engines = DISABLED
2016-12-16 00:26:26   genkey = DISABLED
2016-12-16 00:26:26   key_pass_file = '[UNDEF]'
2016-12-16 00:26:26   show_tls_ciphers = DISABLED
2016-12-16 00:26:26   connect_retry_max = 0
2016-12-16 00:26:26 Connection profiles [0]:
2016-12-16 00:26:26   proto = tcp-client
2016-12-16 00:26:26   local = '[UNDEF]'
2016-12-16 00:26:26   local_port = '[UNDEF]'
2016-12-16 00:26:26   remote = 'my.ddns.com'
2016-12-16 00:26:26   remote_port = '443'
2016-12-16 00:26:26   remote_float = DISABLED
2016-12-16 00:26:26   bind_defined = DISABLED
2016-12-16 00:26:26   bind_local = DISABLED
2016-12-16 00:26:26   bind_ipv6_only = DISABLED
2016-12-16 00:26:26   connect_retry_seconds = 2
2016-12-16 00:26:26   connect_timeout = 120
2016-12-16 00:26:26   socks_proxy_server = '[UNDEF]'
2016-12-16 00:26:26   socks_proxy_port = '[UNDEF]'
2016-12-16 00:26:26   tun_mtu = 1500
2016-12-16 00:26:26   tun_mtu_defined = ENABLED
2016-12-16 00:26:26   link_mtu = 1500
2016-12-16 00:26:26   link_mtu_defined = DISABLED
2016-12-16 00:26:26   tun_mtu_extra = 0
2016-12-16 00:26:26   tun_mtu_extra_defined = DISABLED
2016-12-16 00:26:26   mtu_discover_type = -1
2016-12-16 00:26:26   fragment = 0
2016-12-16 00:26:26   mssfix = 1450
2016-12-16 00:26:26   explicit_exit_notification = 0
2016-12-16 00:26:26 Connection profiles END
2016-12-16 00:26:26   remote_random = DISABLED
2016-12-16 00:26:26   ipchange = '[UNDEF]'
2016-12-16 00:26:26   dev = 'tun'
2016-12-16 00:26:26   dev_type = '[UNDEF]'
2016-12-16 00:26:26   dev_node = '[UNDEF]'
2016-12-16 00:26:26   lladdr = '[UNDEF]'
2016-12-16 00:26:26   topology = 1
2016-12-16 00:26:26   ifconfig_local = '[UNDEF]'
2016-12-16 00:26:26   ifconfig_remote_netmask = '[UNDEF]'
2016-12-16 00:26:26   ifconfig_noexec = DISABLED
2016-12-16 00:26:26   ifconfig_nowarn = ENABLED
2016-12-16 00:26:26   ifconfig_ipv6_local = '[UNDEF]'
2016-12-16 00:26:26   ifconfig_ipv6_netbits = 0
2016-12-16 00:26:26   ifconfig_ipv6_remote = '[UNDEF]'
2016-12-16 00:26:26   shaper = 0
2016-12-16 00:26:26   mtu_test = 0
2016-12-16 00:26:26   mlock = DISABLED
2016-12-16 00:26:26   keepalive_ping = 0
2016-12-16 00:26:26   keepalive_timeout = 0
2016-12-16 00:26:26   inactivity_timeout = 0
2016-12-16 00:26:26   ping_send_timeout = 0
2016-12-16 00:26:26   ping_rec_timeout = 0
2016-12-16 00:26:26   ping_rec_timeout_action = 0
2016-12-16 00:26:26   ping_timer_remote = DISABLED
2016-12-16 00:26:26   remap_sigusr1 = 0
2016-12-16 00:26:26   persist_tun = ENABLED
2016-12-16 00:26:26   persist_local_ip = DISABLED
2016-12-16 00:26:26   persist_remote_ip = DISABLED
2016-12-16 00:26:26   persist_key = DISABLED
2016-12-16 00:26:26   passtos = DISABLED
2016-12-16 00:26:26   resolve_retry_seconds = 1000000000
2016-12-16 00:26:26   resolve_in_advance = ENABLED
2016-12-16 00:26:26   username = '[UNDEF]'
2016-12-16 00:26:26   groupname = '[UNDEF]'
2016-12-16 00:26:26   chroot_dir = '[UNDEF]'
2016-12-16 00:26:26   cd_dir = '[UNDEF]'
2016-12-16 00:26:26   writepid = '[UNDEF]'
2016-12-16 00:26:26   up_script = '[UNDEF]'
2016-12-16 00:26:26   down_script = '[UNDEF]'
2016-12-16 00:26:26   down_pre = DISABLED
2016-12-16 00:26:26   up_restart = DISABLED
2016-12-16 00:26:26   up_delay = DISABLED
2016-12-16 00:26:26   daemon = DISABLED
2016-12-16 00:26:26   inetd = 0
2016-12-16 00:26:26   log = DISABLED
2016-12-16 00:26:26   suppress_timestamps = DISABLED
2016-12-16 00:26:26   machine_readable_output = ENABLED
2016-12-16 00:26:26   nice = 0
2016-12-16 00:26:26   verbosity = 4
2016-12-16 00:26:26   mute = 0
2016-12-16 00:26:26   gremlin = 0
2016-12-16 00:26:26   status_file = '[UNDEF]'
2016-12-16 00:26:26   status_file_version = 1
2016-12-16 00:26:26   status_file_update_freq = 60
2016-12-16 00:26:26   occ = ENABLED
2016-12-16 00:26:26   rcvbuf = 0
2016-12-16 00:26:26   sndbuf = 0
2016-12-16 00:26:26   sockflags = 0
2016-12-16 00:26:26   fast_io = DISABLED
2016-12-16 00:26:26   comp.alg = 2
2016-12-16 00:26:26   comp.flags = 1
2016-12-16 00:26:26   route_script = '[UNDEF]'
2016-12-16 00:26:26   route_default_gateway = '[UNDEF]'
2016-12-16 00:26:26   route_default_metric = 0
2016-12-16 00:26:26   route_noexec = DISABLED
2016-12-16 00:26:26   route_delay = 0
2016-12-16 00:26:26   route_delay_window = 30
2016-12-16 00:26:26   route_delay_defined = DISABLED
2016-12-16 00:26:26   route_nopull = DISABLED
2016-12-16 00:26:26   route_gateway_via_dhcp = DISABLED
2016-12-16 00:26:26   allow_pull_fqdn = DISABLED
2016-12-16 00:26:26   route 0.0.0.0/0.0.0.0/vpn_gateway/default (not set)
2016-12-16 00:26:26   management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2016-12-16 00:26:26   management_port = 'unix'
2016-12-16 00:26:26   management_user_pass = '[UNDEF]'
2016-12-16 00:26:26   management_log_history_cache = 250
2016-12-16 00:26:26   management_echo_buffer_size = 100
2016-12-16 00:26:26   management_write_peer_info_file = '[UNDEF]'
2016-12-16 00:26:26   management_client_user = '[UNDEF]'
2016-12-16 00:26:26   management_client_group = '[UNDEF]'
2016-12-16 00:26:26   management_flags = 4390
2016-12-16 00:26:26   shared_secret_file = '[UNDEF]'
2016-12-16 00:26:26   key_direction = 2
2016-12-16 00:26:26   ciphername = 'AES-256-CBC'
2016-12-16 00:26:26   authname = 'SHA512'
2016-12-16 00:26:26   prng_hash = 'SHA1'
2016-12-16 00:26:26   prng_nonce_secret_len = 16
2016-12-16 00:26:26   keysize = 0
2016-12-16 00:26:26   engine = DISABLED
2016-12-16 00:26:26   replay = ENABLED
2016-12-16 00:26:26   mute_replay_warnings = ENABLED
2016-12-16 00:26:26   replay_window = 64
2016-12-16 00:26:26   replay_time = 15
2016-12-16 00:26:26   packet_id_file = '[UNDEF]'
2016-12-16 00:26:26   use_iv = ENABLED
2016-12-16 00:26:26   test_crypto = DISABLED
2016-12-16 00:26:26   tls_server = DISABLED
2016-12-16 00:26:26   tls_client = ENABLED
2016-12-16 00:26:26   key_method = 2
2016-12-16 00:26:26   ca_file = '[[INLINE]]'
2016-12-16 00:26:26   ca_path = '[UNDEF]'
2016-12-16 00:26:26   dh_file = '[UNDEF]'
2016-12-16 00:26:26   cert_file = '[[INLINE]]'
2016-12-16 00:26:26   extra_certs_file = '[UNDEF]'
2016-12-16 00:26:26   priv_key_file = '[[INLINE]]'
2016-12-16 00:26:26   pkcs12_file = '[UNDEF]'
2016-12-16 00:26:26   cipher_list = 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256'
2016-12-16 00:26:26   tls_verify = '[UNDEF]'
2016-12-16 00:26:26   tls_export_cert = '[UNDEF]'
2016-12-16 00:26:26   verify_x509_type = 0
2016-12-16 00:26:26   verify_x509_name = '[UNDEF]'
2016-12-16 00:26:26   crl_file = '[UNDEF]'
2016-12-16 00:26:26   ns_cert_type = 0
2016-12-16 00:26:26   remote_cert_ku = 160
2016-12-16 00:26:26   remote_cert_ku = 136
2016-12-16 00:26:26   remote_cert_ku = 0
2016-12-16 00:26:26   remote_cert_ku = 0
2016-12-16 00:26:26   remote_cert_ku = 0
2016-12-16 00:26:26   remote_cert_ku = 0
2016-12-16 00:26:26   remote_cert_ku = 0
2016-12-16 00:26:26   remote_cert_ku = 0
2016-12-16 00:26:26   remote_cert_ku = 0
2016-12-16 00:26:26   remote_cert_ku = 0
2016-12-16 00:26:26   remote_cert_ku = 0
2016-12-16 00:26:26   remote_cert_ku = 0
2016-12-16 00:26:26   remote_cert_ku = 0
2016-12-16 00:26:26   remote_cert_ku = 0
2016-12-16 00:26:26   remote_cert_ku = 0
2016-12-16 00:26:26   remote_cert_ku = 0
2016-12-16 00:26:26   remote_cert_eku = 'TLS Web Server Authentication'
2016-12-16 00:26:26   ssl_flags = 192
2016-12-16 00:26:26   tls_timeout = 2
2016-12-16 00:26:26   renegotiate_bytes = 0
2016-12-16 00:26:26   renegotiate_packets = 0
2016-12-16 00:26:26   renegotiate_seconds = 3600
2016-12-16 00:26:26   handshake_window = 60
2016-12-16 00:26:26   transition_window = 3600
2016-12-16 00:26:26   single_session = DISABLED
2016-12-16 00:26:26   push_peer_info = DISABLED
2016-12-16 00:26:26   tls_exit = DISABLED
2016-12-16 00:26:26   tls_auth_file = '[[INLINE]]'
2016-12-16 00:26:26   client = ENABLED
2016-12-16 00:26:26   pull = ENABLED
2016-12-16 00:26:26   auth_user_pass_file = '[UNDEF]'
2016-12-16 00:26:26 OpenVPN 2.4-icsopenvpn [git:HEAD-9d8801b6185d7453] android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [IPv6] built on Oct 13 2016
2016-12-16 00:26:26 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
2016-12-16 00:26:26 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2016-12-16 00:26:26 MANAGEMENT: CMD 'hold release'
2016-12-16 00:26:27 Netzwerkstatus: CONNECTED HSDPA to MOBILE internet.eplus.de
2016-12-16 00:26:27 MANAGEMENT: CMD 'bytecount 2'
2016-12-16 00:26:27 MANAGEMENT: CMD 'state on'
2016-12-16 00:26:27 MANAGEMENT: CMD 'proxy NONE'
2016-12-16 00:26:28 MANAGEMENT: CMD 'password [...]'
2016-12-16 00:26:28 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2016-12-16 00:26:28 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2016-12-16 00:26:28 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2016-12-16 00:26:28 LZO compression initializing
2016-12-16 00:26:28 Control Channel MTU parms [ L:1624 D:1138 EF:112 EB:0 ET:0 EL:3 ]
2016-12-16 00:26:28 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
2016-12-16 00:26:28 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
2016-12-16 00:26:28 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
2016-12-16 00:26:28 TCP/UDP: Preserving recently used remote address: [AF_INET]10.10.10.10:443
2016-12-16 00:26:28 Socket Buffers: R=[87380->87380] S=[16384->16384]
2016-12-16 00:26:28 Attempting to establish TCP connection with [AF_INET]10.10.10.10:443 [nonblock]
2016-12-16 00:26:28 MANAGEMENT: >STATE:1481844388,TCP_CONNECT,,,,,,
2016-12-16 00:26:28 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2016-12-16 00:26:29 TCP connection established with [AF_INET]10.10.10.10:443
2016-12-16 00:26:29 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2016-12-16 00:26:29 TCP_CLIENT link local: (not bound)
2016-12-16 00:26:29 TCP_CLIENT link remote: [AF_INET]10.10.10.10:443
2016-12-16 00:26:29 MANAGEMENT: >STATE:1481844389,WAIT,,,,,,
2016-12-16 00:26:30 MANAGEMENT: >STATE:1481844390,AUTH,,,,,,
2016-12-16 00:26:30 TLS: Initial packet from [AF_INET]10.10.10.10:443, sid=47979406 eb02289e
2016-12-16 00:26:32 VERIFY OK: depth=1, CN=Easy-RSA CA
2016-12-16 00:26:32 Validating certificate key usage
2016-12-16 00:26:32 ++ Certificate has key usage  00a0, expects 00a0
2016-12-16 00:26:32 VERIFY KU OK
2016-12-16 00:26:32 Validating certificate extended key usage
2016-12-16 00:26:32 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2016-12-16 00:26:32 VERIFY EKU OK
2016-12-16 00:26:32 VERIFY OK: depth=0, CN=Ragbay
2016-12-16 00:26:33 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
2016-12-16 00:26:33 [Ragbay] Peer Connection Initiated with [AF_INET]10.10.10.10:443
2016-12-16 00:26:34 MANAGEMENT: >STATE:1481844394,GET_CONFIG,,,,,,
2016-12-16 00:26:34 SENT CONTROL [Ragbay]: 'PUSH_REQUEST' (status=1)
2016-12-16 00:26:34 PUSH: Received control message: 'PUSH_REPLY,route 192.168.20.0 255.255.255.0,DNS 208.67.222.222,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
2016-12-16 00:26:34 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:2: DNS (2.4_master)
2016-12-16 00:26:34 OPTIONS IMPORT: timers and/or timeouts modified
2016-12-16 00:26:34 OPTIONS IMPORT: --ifconfig/up options modified
2016-12-16 00:26:34 OPTIONS IMPORT: route options modified
2016-12-16 00:26:34 Data Channel MTU parms [ L:1604 D:1450 EF:104 EB:406 ET:0 EL:3 ]
2016-12-16 00:26:34 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2016-12-16 00:26:34 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
2016-12-16 00:26:34 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2016-12-16 00:26:34 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
2016-12-16 00:26:34 GDG: SIOCGIFHWADDR(lo) failed
2016-12-16 00:26:34 ROUTE_GATEWAY 127.100.103.119/255.0.0.0 IFACE=lo
2016-12-16 00:26:34 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2016-12-16 00:26:34 MANAGEMENT: >STATE:1481844394,ASSIGN_IP,,10.8.0.6,,,,
2016-12-16 00:26:34 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2016-12-16 00:26:34 MANAGEMENT: >STATE:1481844394,ADD_ROUTES,,,,,,
2016-12-16 00:26:34 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2016-12-16 00:26:34 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2016-12-16 00:26:34 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2016-12-16 00:26:34 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2016-12-16 00:26:34 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2016-12-16 00:26:34 MANAGEMENT: CMD 'needok 'DNSDOMAIN' ok'
2016-12-16 00:26:34 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2016-12-16 00:26:34 Tun-Netzwerkinterface wird geöffnet:
2016-12-16 00:26:34 Lokale IPv4: 10.8.0.6/30 IPv6: null MTU: 1500
2016-12-16 00:26:34 DNS-Server: 208.67.222.222, 8.8.4.4, Domäne: blinkt.de
2016-12-16 00:26:34 Routen: 0.0.0.0/0, 10.8.0.0/24, 10.8.0.4/30, 192.168.20.0/24
2016-12-16 00:26:34 Ausgeschlossene Routen:
2016-12-16 00:26:34 Installierte VpnService-Routen: 0.0.0.0/0
2016-12-16 00:26:34 Nicht zugelassene Apps für das VPN:
2016-12-16 00:26:34 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2016-12-16 00:26:34 Initialization Sequence Completed
2016-12-16 00:26:34 MANAGEMENT: >STATE:1481844394,CONNECTED,SUCCESS,10.8.0.6,10.10.10.10,443,10.146.12.209,49056
2016-12-16 00:26:34 Netzwerkstatus: CONNECTED HSPA+ to MOBILE internet.eplus.de
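The two excerpts above, run through a small triage script. This is an added example, not code from this thread or from OpenVPN; it assumes Python 3.8+ and only the standard library, and the sample lines are copied from the logs posted above. It pulls out the tunnel IP the server assigned, the options in PUSH_REPLY, the "bad source address" drops, the push option the client rejected, and the client's real local address from its CONNECTED state line, then checks whether that address is the one being dropped.

```python
"""Triage helper for OpenVPN server and client log excerpts like the ones above.

Added example, not code from this thread or from OpenVPN itself. It reports:
  * the tunnel IP the server assigned to each client and the options it pushed,
  * 'bad source address from client' drops: the server discards a packet whose
    source is neither the client's tunnel IP nor a subnet it learned via iroute,
  * push options the client rejected, mapped back to the full option text,
  * the client's real local address from the '>STATE:...,CONNECTED' line.
"""
import re
from collections import Counter

# Constructed sample input: lines copied from the excerpts posted above.
SERVER_LOG = """\
Fri Dec 16 00:26:34 2016 us=291467 me.client/82.20.20.20:12303 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Fri Dec 16 00:26:35 2016 us=351544 me.client/82.20.20.20:12303 SENT CONTROL [me.client]: 'PUSH_REPLY,route 192.168.20.0 255.255.255.0,DNS 208.67.222.222,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Fri Dec 16 00:26:35 2016 us=931273 me.client/82.20.20.20:12303 MULTI: bad source address from client [10.146.12.209], packet dropped
Fri Dec 16 00:26:36 2016 us=261764 me.client/82.20.20.20:12303 MULTI: bad source address from client [10.146.12.209], packet dropped
"""
CLIENT_LOG = """\
2016-12-16 00:26:34 PUSH: Received control message: 'PUSH_REPLY,route 192.168.20.0 255.255.255.0,DNS 208.67.222.222,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
2016-12-16 00:26:34 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:2: DNS (2.4_master)
2016-12-16 00:26:34 MANAGEMENT: >STATE:1481844394,CONNECTED,SUCCESS,10.8.0.6,10.10.10.10,443,10.146.12.209,49056
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
POOL_RE = re.compile(rf"(\S+)/\S+ MULTI_sva: pool returned IPv4=({IPV4})")
PUSH_RE = re.compile(r"'PUSH_REPLY,([^']*)'")
BAD_SRC_RE = re.compile(rf"(\S+)/\S+ MULTI: bad source address from client \[({IPV4})\]")
OPT_ERR_RE = re.compile(r"Options error: .*\[PUSH-OPTIONS\]:(\d+): (\S+)")
# >STATE fields: time,state,desc,tun-local-ip,remote-ip,remote-port,local-ip,local-port
STATE_RE = re.compile(r">STATE:(\d+),CONNECTED,[^,]*,([^,]*),([^,]*),([^,]*),([^,]*),")


def parse_push_reply(line):
    """Return the options inside a PUSH_REPLY as a list ([] if the line has none)."""
    m = PUSH_RE.search(line)
    return m.group(1).split(",") if m else []


def audit_server_log(text):
    """Summarise a server log: assigned tunnel IPs, pushed options, dropped sources."""
    assigned, pushed, drops = {}, [], Counter()
    for line in text.splitlines():
        if m := POOL_RE.search(line):
            assigned[m.group(1)] = m.group(2)
        elif "PUSH_REPLY" in line:
            pushed = parse_push_reply(line)
        elif m := BAD_SRC_RE.search(line):
            drops[(m.group(1), m.group(2))] += 1
    findings = []
    if "topology net30" in pushed:
        findings.append("server pushes 'topology net30'; set 'topology subnet' in server.conf")
    for (client, src), n in sorted(drops.items()):
        findings.append(f"{client}: {n} packet(s) with source {src} dropped; its tunnel IP is "
                        f"{assigned.get(client, 'unknown')} and no iroute covers {src}")
    return {"assigned": assigned, "pushed": pushed, "drops": dict(drops), "findings": findings}


def audit_client_log(text, pushed):
    """Map 'Options error' lines to the pushed option (numbered from 1) and grab the local IP."""
    rejected, notes, local_ip = [], [], None
    for line in text.splitlines():
        if m := OPT_ERR_RE.search(line):
            idx = int(m.group(1))
            full = pushed[idx - 1] if 0 < idx <= len(pushed) else m.group(2)
            rejected.append((idx, full))
        elif m := STATE_RE.search(line):
            local_ip = m.group(5)
    if any(opt.startswith("DNS ") for _, opt in rejected):
        notes.append("'DNS <ip>' is not a push option; push 'dhcp-option DNS <ip>' instead")
    return {"rejected": rejected, "local_ip": local_ip, "notes": notes}


def explain_drops(server, client):
    """Flag drops whose source is the client's own physical (non-tunnel) address."""
    return [f"{name}: dropped source {src} is the client's own local address, so the client "
            f"is sending into the tunnel with that address rather than its tunnel IP"
            for (name, src) in server["drops"] if src == client["local_ip"]]


if __name__ == "__main__":
    srv = audit_server_log(SERVER_LOG)
    cli = audit_client_log(CLIENT_LOG, srv["pushed"])
    for msg in srv["findings"] + cli["notes"] + explain_drops(srv, cli):
        print(msg)
```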
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@THX See: MULTI: bad source address from client
  • I saw the 4096bit key still being used... you gain zero benefits from using a 4096bit key. 2048bit is currently uncrackable and will be until at least 2030.
    • Unless you're using Emby to store highly sensitive, top secret corporate intelligence or state secrets, there is no logical reason to utilize 4096bit encryption.
      • Even the IAD [NSA] recommends a minimum 3072bit or DH 16 encryption on TS/SCI [AES256] classifications, AES192 for Secret.
      • While the NSA has deemed RSA 2048bit keys and DH 2048bit keys as insecure for classified data, unless there's a risk of an individual being targeted by a corporation or governmental entity with a supercomputer, anything above 2048bit encryption offers no advantages and severe disadvantages.
        • If you live in a country with an oppressive government, 3072bit should be sufficient to prevent intrusion from a government run CyberCom unit
  • OpenSSL Speeds
    • AsRock C2750D4I server board, 32GB RAM, 8C Atom C2750 2.4gHz [FreeNAS 9.10]
      • RSA 2048
        Code:
        [root@FreeNAS] ~# openssl speed rsa2048
        Doing 2048 bit private rsa's for 10s: 2027	2048 bit private RSA's in 10.01s
        Doing 2048 bit public rsa's for 10s: 53527	2048 bit public RSA's in 10.00s
        OpenSSL 1.0.1t-freebsd  3 May 2016
        
        		sign	verify		sign/s  verify/s
        rsa 2048 bits 0.004937s 0.000187s	202.5   5352.7
      • RSA 4096
        Code:
        [root@FreeNAS] ~# openssl speed rsa4096
        Doing 4096 bit private rsa's for 10s:  274	4096 bit private RSA's in 10.03s
        Doing 4096 bit public rsa's for 10s: 15962	4096 bit public RSA's in 9.97s
        OpenSSL 1.0.1t-freebsd  3 May 2016
        
        		sign	verify		sign/s  verify/s
        rsa 4096 bits 0.036610s 0.000625s	 27.3   1601.2
    • Alienware 18, 32GB RAM, 4C i7 4710MQ OC'd 3.5gHz [Windows 10 v1607]
      • RSA 2048
        Code:
        PS C:\Windows\System32> openssl speed rsa2048
        Doing 2048 bit private rsa's for 10s:  8370	2048 bit private RSA's in 9.98s
        Doing 2048 bit public rsa's for 10s: 273259	2048 bit public RSA's in 9.94s
        OpenSSL 1.0.1r  28 Jan 2016
        
        		sign	verify		sign/s  verify/s
        rsa 2048 bits 0.004827s 0.000141s	207.2   7102.6
      • RSA 4096
        Code:
        PS C:\Windows\System32> openssl speed rsa4096
        Doing 4096 bit private rsa's for 10s: 1204	4096 bit private RSA's in 10.00s
        Doing 4096 bit public rsa's for 10s: 75111	4096 bit public RSA's in 10.00s
        OpenSSL 1.0.1r  28 Jan 2016
        
        		sign	verify		sign/s  verify/s
        rsa 4096 bits 0.008307s 0.000132s	120.4   7571.2
    • SuperMicro A1SRi-2758F server board, 32GB RAM, 8C Atom C2758 2.4gHz [ESXi 6.5]
      • RSA 2048
        Code:
        [root@ESXi] ~# openssl speed rsa2048
        Doing 2048 bit private rsa's for 10s: 2057	2048 bit private RSA's in 10.00s
        Doing 2048 bit public rsa's for 10s: 70793	2048 bit public RSA's in 10.00s
        OpenSSL 1.0.2j-fips  26 Sep 2016
        
        		sign	verify		sign/s  verify/s
        rsa 2048 bits 0.004827s 0.000141s	207.2   7102.6
      • RSA 4096
        Code:
        [root@ESXi] ~# openssl speed rsa4096
        Doing 4096 bit private rsa's for 10s:  284	4096 bit private RSA's in 9.97s
        Doing 4096 bit public rsa's for 10s: 18778	4096 bit public RSA's in 10.05s
        OpenSSL 1.0.2j-fips  26 Sep 2016
        
        		sign	verify		sign/s  verify/s
        rsa 4096 bits 0.035298s 0.000532s	 28.3   1879.0

THX

Dabbler
Joined
Dec 6, 2013
Messages
28
As I said, I didn't want to spend more time with this for creating new keys and what not, as long as the problem with Emby is not solved.
But thanks for the overview. So it is mostly about speed. And yeah, for my needs most likely 2048bit is sufficient.

So if I understand it right I need to put in server.conf
Code:
client-config-dir ccd

Then create a directory named ccd. Then create a file with the name of the client 'me.client' which contains the route:
Code:
iroute 192.168.20.0/24

Is this correct?

I don't understand why this is necessary. Last time I created my ovpn jail I didn't need to do this. Why is pushing the route not enough (anymore?)?
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@THX It would be most beneficial to you to do some research on OpenVPN's web page to understand the config options and why you're having issues. Anyone running an OpenVPN server needs to know and understand what the options in their configs do, what they mean, and additional settings that must be set for any arbitrary setting.
Your issues are stemming from your configs and, at least it seems, a lack of understanding regarding what options are required in the configs and what those options mean. I always recommend anyone running their own OpenVPN server to fully read the OpenVPN HowTo and Man pages, as any problems that arise can almost always be solved through those two webpages, with the former taking ~15min to read through and the latter ~45min.
  • While I could continue to take substantial time to show you where the issues are and how to fix them, it's going to be far more beneficial to you, both in the short term as well as the long term, to read the two aforementioned pages (especially the HowTo, and, at minimum, the Man page sections for every option in both your server and client configs, especially redirect-gateway settings).
    • I say this not to be hubristic, but because I knew nothing about OpenVPN when I first installed OpenWrt 2+ years ago, and after reading the HowTo and Man pages, I not only never had an issue again, I knew exactly where to look if a problem did arise.
  • It is entirely possible something changed in 2.4 from 2.3, so I'd also recommend skimming the changelog

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@THX Were you able to find the information you needed and learn why you were having issues?
 
Joined
Jul 16, 2016
Messages
17
@Michele Lombardo Please post the following config files:
  • Server Config
  • Client Config
  • Any firewall rules pertaining to the OpenVPN server within the jail
Please post the following log files:
  • VPN Server log (path should be in the VPN server config)
  • VPN Client logs for iPhone and Mac

Hi zoomzoom,
I finally did some tests outside my house and country. The thing is my current VPN is perfectly working (both phone or Mac) on some wifi networks (like a hotel one) but it doesn't work on others (like my parents' house wifi network). Could it help you understand what the issue is?
If you do need to see logs, could you help me on how to get those log files?

Thank you very much!
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Hi zoomzoom,
I finally did some tests outside my house and country. The thing is my current VPN is perfectly working (both phone or Mac) on some wifi networks (like a hotel one) but it doesn't work on others (like my parents' house wifi network). Could it help you understand what the issue is?
If you do need to see logs, could you help me on how to get those log files?

Thank you very much!
Server log location should be specified in the server config; if it's not, I believe the BSD option would be "log log/location/OpenVPN.log", but check back a few posts to verify if you don't have it specified.

Client log should be accessible right from the client app if using an iPhone or android, however I'm not sure on a Mac (Google would be the best, and most convenient, place to look). The client app on a smartphone should also allow you to share the log via an email app directly from the client app itself. If using Android, the best OpenVPN client app is OpenVPN Connect, not OpenVPN's app.

Server log needs to have its verbosity set to 4: verb 4
Client log needs to be set to 5: verb 5

 

Lamafoos

Cadet
Joined
Sep 12, 2016
Messages
3
Hey!
Sorry for being a noob but I can't get it to work. Everything seems to be as it should be except for one thing: sockstat -4 -l only gives me:
root@OpenVPN_1:/ # sockstat -4 -l

USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root syslogd 33755 7 udp4 *:514 *:*

I don't know how to get it to listen on port 10011.
Any help appreciated

/Lamafoos
 