Trouble with OpenVPN tunnel

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












Just reloaded my OS (Linux Mint 19) and I am attempting to get my VPN connection running. I am using the same .ovpn configuration file I used with my previous OS (which worked fine) but now I can't seem to get the tunnel to configure properly (even though it says it's connected). an ip a shows tun0 in the following configuration:



11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.14 peer 10.8.0.13/32 brd 10.8.0.14 scope global noprefixroute tun0
valid_lft forever preferred_lft forever
inet6 fe80::492b:6fe4:1395:8619/64 scope link stable-privacy
valid_lft forever preferred_lft forever


My client config file:



# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote premprovsol.com 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key

# Verify server certificate by checking that the
# certicate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
auth SHA256
key-direction 1

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
#certs are below


Typically I would mount my NFS shares on the 10.8.0.1 Server address but the only thing I can do with that address is ping it. Is there something that I am missing?



journalctl--



Logs begin at Tue 2018-07-10 21:24:32 EDT, end at Wed 2018-07-11 11:25:24 EDT. --
Jul 10 21:24:43 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 10 21:24:43 Shawn-Home systemd[1]: Started OpenVPN service.
Jul 11 08:01:12 Shawn-Home systemd[1]: Stopped OpenVPN service.
-- Reboot --
Jul 11 08:04:32 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 11 08:04:32 Shawn-Home systemd[1]: Started OpenVPN service.
Jul 11 09:01:18 Shawn-Home systemd[1]: Stopped OpenVPN service.
-- Reboot --
Jul 11 09:02:11 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 11 09:02:11 Shawn-Home systemd[1]: Started OpenVPN service.


openvpn command log:



Wed Jul 11 11:54:56 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 10 2018
Wed Jul 11 11:54:56 2018 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
Wed Jul 11 11:54:56 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Jul 11 11:54:56 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 11 11:54:56 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 11 11:54:56 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:56 2018 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jul 11 11:54:56 2018 UDP link local: (not bound)
Wed Jul 11 11:54:56 2018 UDP link remote: [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:56 2018 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Wed Jul 11 11:54:57 2018 TLS: Initial packet from [AF_INET]97.76.87.146:1194, sid=87606e28 e67e77b4
Wed Jul 11 11:54:58 2018 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Jul 11 11:54:58 2018 VERIFY KU OK
Wed Jul 11 11:54:58 2018 Validating certificate extended key usage
Wed Jul 11 11:54:58 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jul 11 11:54:58 2018 VERIFY EKU OK
Wed Jul 11 11:54:58 2018 VERIFY OK: depth=0, CN=server
Wed Jul 11 11:54:58 2018 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Jul 11 11:54:58 2018 [server] Peer Connection Initiated with [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:59 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jul 11 11:54:59 2018 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.14 10.8.0.13,peer-id 1,cipher AES-256-GCM'
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: route options modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: peer-id set
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: adjusting link_mtu to 1624
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: data channel crypto options modified
Wed Jul 11 11:54:59 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jul 11 11:54:59 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul 11 11:54:59 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul 11 11:54:59 2018 ROUTE_GATEWAY 10.0.10.1/255.255.255.0 IFACE=enp2s0 HWADDR=48:4d:7e:d2:08:0a
Wed Jul 11 11:54:59 2018 TUN/TAP device tun1 opened
Wed Jul 11 11:54:59 2018 TUN/TAP TX queue length set to 100
Wed Jul 11 11:54:59 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jul 11 11:54:59 2018 /sbin/ip link set dev tun1 up mtu 1500
Wed Jul 11 11:54:59 2018 /sbin/ip addr add dev tun1 local 10.8.0.14 peer 10.8.0.13
Wed Jul 11 11:54:59 2018 /etc/openvpn/update-resolv-conf tun1 1500 1552 10.8.0.14 10.8.0.13 init
Wed Jul 11 11:54:59 2018 /sbin/ip route add 10.8.0.1/32 via 10.8.0.13
Wed Jul 11 11:54:59 2018 GID set to nogroup
Wed Jul 11 11:54:59 2018 UID set to nobody
Wed Jul 11 11:54:59 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jul 11 11:54:59 2018 Initialization Sequence Completed






share|improve this question





















  • What do the log files for OpenVPN say? (Look under /var/log)
    – roaima
    Jul 11 at 15:17










  • There is an openvpn directory under /var/log but it is empty
    – user1532602
    Jul 11 at 15:20










  • Might be logging to journald, try journalctl -u openvpn.
    – slm♦
    Jul 11 at 15:27










  • updated with journald logs
    – user1532602
    Jul 11 at 15:35










  • There should be some logs that get generated when you start the service. You've got log level 3 so they must be somewhere... grep -Eril 'shawn-home|o[a-z]*vpn' /var/log/* for starters.
    – roaima
    Jul 11 at 15:51














up vote
0
down vote

favorite












Just reloaded my OS (Linux Mint 19) and I am attempting to get my VPN connection running. I am using the same .ovpn configuration file I used with my previous OS (which worked fine) but now I can't seem to get the tunnel to configure properly (even though it says it's connected). an ip a shows tun0 in the following configuration:



11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.14 peer 10.8.0.13/32 brd 10.8.0.14 scope global noprefixroute tun0
valid_lft forever preferred_lft forever
inet6 fe80::492b:6fe4:1395:8619/64 scope link stable-privacy
valid_lft forever preferred_lft forever


My client config file:



# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote premprovsol.com 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key

# Verify server certificate by checking that the
# certicate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
auth SHA256
key-direction 1

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
#certs are below


Typically I would mount my NFS shares on the 10.8.0.1 Server address but the only thing I can do with that address is ping it. Is there something that I am missing?



journalctl--



Logs begin at Tue 2018-07-10 21:24:32 EDT, end at Wed 2018-07-11 11:25:24 EDT. --
Jul 10 21:24:43 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 10 21:24:43 Shawn-Home systemd[1]: Started OpenVPN service.
Jul 11 08:01:12 Shawn-Home systemd[1]: Stopped OpenVPN service.
-- Reboot --
Jul 11 08:04:32 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 11 08:04:32 Shawn-Home systemd[1]: Started OpenVPN service.
Jul 11 09:01:18 Shawn-Home systemd[1]: Stopped OpenVPN service.
-- Reboot --
Jul 11 09:02:11 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 11 09:02:11 Shawn-Home systemd[1]: Started OpenVPN service.


openvpn command log:



Wed Jul 11 11:54:56 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 10 2018
Wed Jul 11 11:54:56 2018 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
Wed Jul 11 11:54:56 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Jul 11 11:54:56 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 11 11:54:56 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 11 11:54:56 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:56 2018 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jul 11 11:54:56 2018 UDP link local: (not bound)
Wed Jul 11 11:54:56 2018 UDP link remote: [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:56 2018 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Wed Jul 11 11:54:57 2018 TLS: Initial packet from [AF_INET]97.76.87.146:1194, sid=87606e28 e67e77b4
Wed Jul 11 11:54:58 2018 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Jul 11 11:54:58 2018 VERIFY KU OK
Wed Jul 11 11:54:58 2018 Validating certificate extended key usage
Wed Jul 11 11:54:58 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jul 11 11:54:58 2018 VERIFY EKU OK
Wed Jul 11 11:54:58 2018 VERIFY OK: depth=0, CN=server
Wed Jul 11 11:54:58 2018 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Jul 11 11:54:58 2018 [server] Peer Connection Initiated with [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:59 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jul 11 11:54:59 2018 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.14 10.8.0.13,peer-id 1,cipher AES-256-GCM'
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: route options modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: peer-id set
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: adjusting link_mtu to 1624
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: data channel crypto options modified
Wed Jul 11 11:54:59 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jul 11 11:54:59 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul 11 11:54:59 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul 11 11:54:59 2018 ROUTE_GATEWAY 10.0.10.1/255.255.255.0 IFACE=enp2s0 HWADDR=48:4d:7e:d2:08:0a
Wed Jul 11 11:54:59 2018 TUN/TAP device tun1 opened
Wed Jul 11 11:54:59 2018 TUN/TAP TX queue length set to 100
Wed Jul 11 11:54:59 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jul 11 11:54:59 2018 /sbin/ip link set dev tun1 up mtu 1500
Wed Jul 11 11:54:59 2018 /sbin/ip addr add dev tun1 local 10.8.0.14 peer 10.8.0.13
Wed Jul 11 11:54:59 2018 /etc/openvpn/update-resolv-conf tun1 1500 1552 10.8.0.14 10.8.0.13 init
Wed Jul 11 11:54:59 2018 /sbin/ip route add 10.8.0.1/32 via 10.8.0.13
Wed Jul 11 11:54:59 2018 GID set to nogroup
Wed Jul 11 11:54:59 2018 UID set to nobody
Wed Jul 11 11:54:59 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jul 11 11:54:59 2018 Initialization Sequence Completed






share|improve this question





















  • What do the log files for OpenVPN say? (Look under /var/log)
    – roaima
    Jul 11 at 15:17










  • There is an openvpn directory under /var/log but it is empty
    – user1532602
    Jul 11 at 15:20










  • Might be logging to journald, try journalctl -u openvpn.
    – slm♦
    Jul 11 at 15:27










  • updated with journald logs
    – user1532602
    Jul 11 at 15:35










  • There should be some logs that get generated when you start the service. You've got log level 3 so they must be somewhere... grep -Eril 'shawn-home|o[a-z]*vpn' /var/log/* for starters.
    – roaima
    Jul 11 at 15:51












up vote
0
down vote

favorite









up vote
0
down vote

favorite











Just reloaded my OS (Linux Mint 19) and I am attempting to get my VPN connection running. I am using the same .ovpn configuration file I used with my previous OS (which worked fine) but now I can't seem to get the tunnel to configure properly (even though it says it's connected). an ip a shows tun0 in the following configuration:



11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.14 peer 10.8.0.13/32 brd 10.8.0.14 scope global noprefixroute tun0
valid_lft forever preferred_lft forever
inet6 fe80::492b:6fe4:1395:8619/64 scope link stable-privacy
valid_lft forever preferred_lft forever


My client config file:



# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote premprovsol.com 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key

# Verify server certificate by checking that the
# certicate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
auth SHA256
key-direction 1

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
#certs are below


Typically I would mount my NFS shares on the 10.8.0.1 Server address but the only thing I can do with that address is ping it. Is there something that I am missing?



journalctl--



Logs begin at Tue 2018-07-10 21:24:32 EDT, end at Wed 2018-07-11 11:25:24 EDT. --
Jul 10 21:24:43 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 10 21:24:43 Shawn-Home systemd[1]: Started OpenVPN service.
Jul 11 08:01:12 Shawn-Home systemd[1]: Stopped OpenVPN service.
-- Reboot --
Jul 11 08:04:32 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 11 08:04:32 Shawn-Home systemd[1]: Started OpenVPN service.
Jul 11 09:01:18 Shawn-Home systemd[1]: Stopped OpenVPN service.
-- Reboot --
Jul 11 09:02:11 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 11 09:02:11 Shawn-Home systemd[1]: Started OpenVPN service.


openvpn command log:



Wed Jul 11 11:54:56 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 10 2018
Wed Jul 11 11:54:56 2018 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
Wed Jul 11 11:54:56 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Jul 11 11:54:56 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 11 11:54:56 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 11 11:54:56 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:56 2018 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jul 11 11:54:56 2018 UDP link local: (not bound)
Wed Jul 11 11:54:56 2018 UDP link remote: [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:56 2018 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Wed Jul 11 11:54:57 2018 TLS: Initial packet from [AF_INET]97.76.87.146:1194, sid=87606e28 e67e77b4
Wed Jul 11 11:54:58 2018 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Jul 11 11:54:58 2018 VERIFY KU OK
Wed Jul 11 11:54:58 2018 Validating certificate extended key usage
Wed Jul 11 11:54:58 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jul 11 11:54:58 2018 VERIFY EKU OK
Wed Jul 11 11:54:58 2018 VERIFY OK: depth=0, CN=server
Wed Jul 11 11:54:58 2018 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Jul 11 11:54:58 2018 [server] Peer Connection Initiated with [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:59 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jul 11 11:54:59 2018 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.14 10.8.0.13,peer-id 1,cipher AES-256-GCM'
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: route options modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: peer-id set
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: adjusting link_mtu to 1624
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: data channel crypto options modified
Wed Jul 11 11:54:59 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jul 11 11:54:59 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul 11 11:54:59 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul 11 11:54:59 2018 ROUTE_GATEWAY 10.0.10.1/255.255.255.0 IFACE=enp2s0 HWADDR=48:4d:7e:d2:08:0a
Wed Jul 11 11:54:59 2018 TUN/TAP device tun1 opened
Wed Jul 11 11:54:59 2018 TUN/TAP TX queue length set to 100
Wed Jul 11 11:54:59 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jul 11 11:54:59 2018 /sbin/ip link set dev tun1 up mtu 1500
Wed Jul 11 11:54:59 2018 /sbin/ip addr add dev tun1 local 10.8.0.14 peer 10.8.0.13
Wed Jul 11 11:54:59 2018 /etc/openvpn/update-resolv-conf tun1 1500 1552 10.8.0.14 10.8.0.13 init
Wed Jul 11 11:54:59 2018 /sbin/ip route add 10.8.0.1/32 via 10.8.0.13
Wed Jul 11 11:54:59 2018 GID set to nogroup
Wed Jul 11 11:54:59 2018 UID set to nobody
Wed Jul 11 11:54:59 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jul 11 11:54:59 2018 Initialization Sequence Completed






share|improve this question













Just reloaded my OS (Linux Mint 19) and I am attempting to get my VPN connection running. I am using the same .ovpn configuration file I used with my previous OS (which worked fine) but now I can't seem to get the tunnel to configure properly (even though it says it's connected). an ip a shows tun0 in the following configuration:



11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.14 peer 10.8.0.13/32 brd 10.8.0.14 scope global noprefixroute tun0
valid_lft forever preferred_lft forever
inet6 fe80::492b:6fe4:1395:8619/64 scope link stable-privacy
valid_lft forever preferred_lft forever


My client config file:



# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote premprovsol.com 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key

# Verify server certificate by checking that the
# certicate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
auth SHA256
key-direction 1

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
#certs are below


Typically I would mount my NFS shares on the 10.8.0.1 Server address but the only thing I can do with that address is ping it. Is there something that I am missing?



journalctl--



Logs begin at Tue 2018-07-10 21:24:32 EDT, end at Wed 2018-07-11 11:25:24 EDT. --
Jul 10 21:24:43 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 10 21:24:43 Shawn-Home systemd[1]: Started OpenVPN service.
Jul 11 08:01:12 Shawn-Home systemd[1]: Stopped OpenVPN service.
-- Reboot --
Jul 11 08:04:32 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 11 08:04:32 Shawn-Home systemd[1]: Started OpenVPN service.
Jul 11 09:01:18 Shawn-Home systemd[1]: Stopped OpenVPN service.
-- Reboot --
Jul 11 09:02:11 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 11 09:02:11 Shawn-Home systemd[1]: Started OpenVPN service.


openvpn command log:



Wed Jul 11 11:54:56 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 10 2018
Wed Jul 11 11:54:56 2018 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
Wed Jul 11 11:54:56 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Jul 11 11:54:56 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 11 11:54:56 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 11 11:54:56 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:56 2018 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jul 11 11:54:56 2018 UDP link local: (not bound)
Wed Jul 11 11:54:56 2018 UDP link remote: [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:56 2018 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Wed Jul 11 11:54:57 2018 TLS: Initial packet from [AF_INET]97.76.87.146:1194, sid=87606e28 e67e77b4
Wed Jul 11 11:54:58 2018 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Jul 11 11:54:58 2018 VERIFY KU OK
Wed Jul 11 11:54:58 2018 Validating certificate extended key usage
Wed Jul 11 11:54:58 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jul 11 11:54:58 2018 VERIFY EKU OK
Wed Jul 11 11:54:58 2018 VERIFY OK: depth=0, CN=server
Wed Jul 11 11:54:58 2018 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Jul 11 11:54:58 2018 [server] Peer Connection Initiated with [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:59 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jul 11 11:54:59 2018 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.14 10.8.0.13,peer-id 1,cipher AES-256-GCM'
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: route options modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: peer-id set
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: adjusting link_mtu to 1624
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: data channel crypto options modified
Wed Jul 11 11:54:59 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jul 11 11:54:59 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul 11 11:54:59 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul 11 11:54:59 2018 ROUTE_GATEWAY 10.0.10.1/255.255.255.0 IFACE=enp2s0 HWADDR=48:4d:7e:d2:08:0a
Wed Jul 11 11:54:59 2018 TUN/TAP device tun1 opened
Wed Jul 11 11:54:59 2018 TUN/TAP TX queue length set to 100
Wed Jul 11 11:54:59 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jul 11 11:54:59 2018 /sbin/ip link set dev tun1 up mtu 1500
Wed Jul 11 11:54:59 2018 /sbin/ip addr add dev tun1 local 10.8.0.14 peer 10.8.0.13
Wed Jul 11 11:54:59 2018 /etc/openvpn/update-resolv-conf tun1 1500 1552 10.8.0.14 10.8.0.13 init
Wed Jul 11 11:54:59 2018 /sbin/ip route add 10.8.0.1/32 via 10.8.0.13
Wed Jul 11 11:54:59 2018 GID set to nogroup
Wed Jul 11 11:54:59 2018 UID set to nobody
Wed Jul 11 11:54:59 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jul 11 11:54:59 2018 Initialization Sequence Completed








share|improve this question












share|improve this question




share|improve this question








edited Jul 11 at 15:56
























asked Jul 11 at 15:15









user1532602

1011




1011











  • What do the log files for OpenVPN say? (Look under /var/log)
    – roaima
    Jul 11 at 15:17










  • There is an openvpn directory under /var/log but it is empty
    – user1532602
    Jul 11 at 15:20










  • Might be logging to journald, try journalctl -u openvpn.
    – slm♦
    Jul 11 at 15:27










  • updated with journald logs
    – user1532602
    Jul 11 at 15:35










  • There should be some logs that get generated when you start the service. You've got log level 3 so they must be somewhere... grep -Eril 'shawn-home|o[a-z]*vpn' /var/log/* for starters.
    – roaima
    Jul 11 at 15:51
















  • What do the log files for OpenVPN say? (Look under /var/log)
    – roaima
    Jul 11 at 15:17










  • There is an openvpn directory under /var/log but it is empty
    – user1532602
    Jul 11 at 15:20










  • Might be logging to journald, try journalctl -u openvpn.
    – slm♦
    Jul 11 at 15:27










  • updated with journald logs
    – user1532602
    Jul 11 at 15:35










  • There should be some logs that get generated when you start the service. You've got log level 3 so they must be somewhere... grep -Eril 'shawn-home|o[a-z]*vpn' /var/log/* for starters.
    – roaima
    Jul 11 at 15:51















What do the log files for OpenVPN say? (Look under /var/log)
– roaima
Jul 11 at 15:17




What do the log files for OpenVPN say? (Look under /var/log)
– roaima
Jul 11 at 15:17












There is an openvpn directory under /var/log but it is empty
– user1532602
Jul 11 at 15:20




There is an openvpn directory under /var/log but it is empty
– user1532602
Jul 11 at 15:20












Might be logging to journald, try journalctl -u openvpn.
– slm♦
Jul 11 at 15:27




Might be logging to journald, try journalctl -u openvpn.
– slm♦
Jul 11 at 15:27












updated with journald logs
– user1532602
Jul 11 at 15:35




updated with journald logs
– user1532602
Jul 11 at 15:35












There should be some logs that get generated when you start the service. You've got log level 3 so they must be somewhere... grep -Eril 'shawn-home|o[a-z]*vpn' /var/log/* for starters.
– roaima
Jul 11 at 15:51




There should be some logs that get generated when you start the service. You've got log level 3 so they must be somewhere... grep -Eril 'shawn-home|o[a-z]*vpn' /var/log/* for starters.
– roaima
Jul 11 at 15:51















active

oldest

votes











Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);








 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f454714%2ftrouble-with-openvpn-tunnel%23new-answer', 'question_page');

);

Post as a guest



































active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes










 

draft saved


draft discarded


























 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f454714%2ftrouble-with-openvpn-tunnel%23new-answer', 'question_page');

);

Post as a guest













































































Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?