Trouble with OpenVPN tunnel
Just reloaded my OS (Linux Mint 19) and I am attempting to get my VPN connection running. I am using the same .ovpn configuration file I used with my previous OS (which worked fine) but now I can't seem to get the tunnel to configure properly (even though it says it's connected). An `ip a` shows tun0 in the following configuration:

```
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.14 peer 10.8.0.13/32 brd 10.8.0.14 scope global noprefixroute tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::492b:6fe4:1395:8619/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
```
My client config file:

```
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote premprovsol.com 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key
# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server
# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
auth SHA256
key-direction 1
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
#certs are below
```
Typically I would mount my NFS shares on the 10.8.0.1 server address, but the only thing I can do with that address is ping it. Is there something that I am missing?

journalctl:

```
-- Logs begin at Tue 2018-07-10 21:24:32 EDT, end at Wed 2018-07-11 11:25:24 EDT. --
Jul 10 21:24:43 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 10 21:24:43 Shawn-Home systemd[1]: Started OpenVPN service.
Jul 11 08:01:12 Shawn-Home systemd[1]: Stopped OpenVPN service.
-- Reboot --
Jul 11 08:04:32 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 11 08:04:32 Shawn-Home systemd[1]: Started OpenVPN service.
Jul 11 09:01:18 Shawn-Home systemd[1]: Stopped OpenVPN service.
-- Reboot --
Jul 11 09:02:11 Shawn-Home systemd[1]: Starting OpenVPN service...
Jul 11 09:02:11 Shawn-Home systemd[1]: Started OpenVPN service.
```
openvpn command log:

```
Wed Jul 11 11:54:56 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 10 2018
Wed Jul 11 11:54:56 2018 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
Wed Jul 11 11:54:56 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Jul 11 11:54:56 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 11 11:54:56 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Jul 11 11:54:56 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:56 2018 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jul 11 11:54:56 2018 UDP link local: (not bound)
Wed Jul 11 11:54:56 2018 UDP link remote: [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:56 2018 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Wed Jul 11 11:54:57 2018 TLS: Initial packet from [AF_INET]97.76.87.146:1194, sid=87606e28 e67e77b4
Wed Jul 11 11:54:58 2018 VERIFY OK: depth=1, CN=Easy-RSA CA
Wed Jul 11 11:54:58 2018 VERIFY KU OK
Wed Jul 11 11:54:58 2018 Validating certificate extended key usage
Wed Jul 11 11:54:58 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jul 11 11:54:58 2018 VERIFY EKU OK
Wed Jul 11 11:54:58 2018 VERIFY OK: depth=0, CN=server
Wed Jul 11 11:54:58 2018 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Jul 11 11:54:58 2018 [server] Peer Connection Initiated with [AF_INET]97.76.87.146:1194
Wed Jul 11 11:54:59 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jul 11 11:54:59 2018 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.14 10.8.0.13,peer-id 1,cipher AES-256-GCM'
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: route options modified
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: peer-id set
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: adjusting link_mtu to 1624
Wed Jul 11 11:54:59 2018 OPTIONS IMPORT: data channel crypto options modified
Wed Jul 11 11:54:59 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jul 11 11:54:59 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul 11 11:54:59 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jul 11 11:54:59 2018 ROUTE_GATEWAY 10.0.10.1/255.255.255.0 IFACE=enp2s0 HWADDR=48:4d:7e:d2:08:0a
Wed Jul 11 11:54:59 2018 TUN/TAP device tun1 opened
Wed Jul 11 11:54:59 2018 TUN/TAP TX queue length set to 100
Wed Jul 11 11:54:59 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jul 11 11:54:59 2018 /sbin/ip link set dev tun1 up mtu 1500
Wed Jul 11 11:54:59 2018 /sbin/ip addr add dev tun1 local 10.8.0.14 peer 10.8.0.13
Wed Jul 11 11:54:59 2018 /etc/openvpn/update-resolv-conf tun1 1500 1552 10.8.0.14 10.8.0.13 init
Wed Jul 11 11:54:59 2018 /sbin/ip route add 10.8.0.1/32 via 10.8.0.13
Wed Jul 11 11:54:59 2018 GID set to nogroup
Wed Jul 11 11:54:59 2018 UID set to nobody
Wed Jul 11 11:54:59 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jul 11 11:54:59 2018 Initialization Sequence Completed
```
openvpn
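As an added diagnostic example (not from the original question or from OpenVPN itself), the Python below parses OpenVPN 2.4 client log lines like the ones above (SAMPLE_LOG is constructed from the question's own log) and reports what the tunnel was set up to carry: the options in PUSH_REPLY, the routes OpenVPN installed, and whether a given address is covered by one of them, which is the first thing to separate when the peer answers ping but a service on it does not. It also surfaces the script-security NOTE and auth-nocache WARNING lines that the log prints.

```python
"""Parse an OpenVPN 2.4 client log and report what the tunnel carries.

Added diagnostic helper, not part of the original question; SAMPLE_LOG is
constructed from the log lines posted there.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# OpenVPN prefixes every line with e.g. "Wed Jul 11 11:54:59 2018 ".
TS_RE = re.compile(r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} ")
PUSH_RE = re.compile(r"PUSH: Received control message: '(?P<body>[^']*)'")
IFCONFIG_RE = re.compile(r"ip addr add dev (?P<dev>\S+) local (?P<local>\S+) peer (?P<peer>\S+)")
ROUTE_ADD_RE = re.compile(r"ip route add (?P<dst>\S+) via (?P<gw>\S+)")

SAMPLE_LOG = """\
Wed Jul 11 11:54:56 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Jul 11 11:54:59 2018 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.14 10.8.0.13,peer-id 1,cipher AES-256-GCM'
Wed Jul 11 11:54:59 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jul 11 11:54:59 2018 /sbin/ip link set dev tun1 up mtu 1500
Wed Jul 11 11:54:59 2018 /sbin/ip addr add dev tun1 local 10.8.0.14 peer 10.8.0.13
Wed Jul 11 11:54:59 2018 /sbin/ip route add 10.8.0.1/32 via 10.8.0.13
Wed Jul 11 11:54:59 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jul 11 11:54:59 2018 Initialization Sequence Completed
""".splitlines()


@dataclass
class TunnelState:
    dev: Optional[str] = None
    local: Optional[str] = None
    peer: Optional[str] = None
    pushed: Dict[str, List[List[str]]] = field(default_factory=dict)
    routes: List[Tuple[ipaddress.IPv4Network, str]] = field(default_factory=list)
    notices: List[str] = field(default_factory=list)
    completed: bool = False


def parse_push_reply(body: str) -> Dict[str, List[List[str]]]:
    """Turn 'PUSH_REPLY,route 10.8.0.1,topology net30,...' into option -> argument lists.
    An option can be pushed several times (e.g. multiple 'route'), so each maps to a list."""
    opts: Dict[str, List[List[str]]] = {}
    for item in body.split(",")[1:]:  # element 0 is the literal 'PUSH_REPLY'
        words = item.split()
        if words:
            opts.setdefault(words[0], []).append(words[1:])
    return opts


def parse_log(lines) -> TunnelState:
    """Walk the client log once, collecting addressing, installed routes and notices."""
    st = TunnelState()
    for raw in lines:
        line = TS_RE.sub("", raw.strip())
        m = PUSH_RE.search(line)
        if m:
            st.pushed = parse_push_reply(m.group("body"))
            continue
        m = IFCONFIG_RE.search(line)
        if m:
            st.dev, st.local, st.peer = m.group("dev"), m.group("local"), m.group("peer")
            continue
        m = ROUTE_ADD_RE.search(line)
        if m:
            st.routes.append((ipaddress.ip_network(m.group("dst"), strict=False), m.group("gw")))
            continue
        if line.startswith(("NOTE:", "WARNING:")):
            st.notices.append(line)
        elif line == "Initialization Sequence Completed":
            st.completed = True
    return st


def route_for(st: TunnelState, target: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Most specific route OpenVPN installed that covers target, or None when the
    kernel would send that traffic out the normal default route instead of the tunnel."""
    ip = ipaddress.ip_address(target)
    best = None
    for net, gw in st.routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def report(st: TunnelState, target: str) -> List[str]:
    """Findings for the classic 'the tunnel is up but I cannot reach host X' question."""
    out = []
    if not st.completed:
        out.append("tunnel never reached 'Initialization Sequence Completed'")
    out.append(f"tunnel {st.dev}: local {st.local} peer {st.peer}, "
               f"topology {st.pushed.get('topology', [['?']])[0][0]}, "
               f"cipher {st.pushed.get('cipher', [['?']])[0][0]}")
    hit = route_for(st, target)
    if hit:
        out.append(f"{target} is routed via {hit[1]} ({hit[0]}); if only ICMP works, the "
                   "problem is above routing: host firewall, server-side rules, or MTU")
    else:
        pushed = ", ".join(" ".join(r) for r in st.pushed.get("route", [])) or "nothing"
        out.append(f"{target} is NOT covered by any pushed route (server pushed: {pushed})")
    out.extend("notice: " + n for n in st.notices)
    return out


if __name__ == "__main__":
    for finding in report(parse_log(SAMPLE_LOG), "10.8.0.1"):
        print(finding)
```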
What do the log files for OpenVPN say? (Look under /var/log)
– roaima
Jul 11 at 15:17
There is an openvpn directory under /var/log but it is empty
– user1532602
Jul 11 at 15:20
Might be logging to journald, try `journalctl -u openvpn`.
– slm♦
Jul 11 at 15:27
updated with journald logs
– user1532602
Jul 11 at 15:35
There should be some logs that get generated when you start the service. You've got log level 3 so they must be somewhere... `grep -Eril 'shawn-home|o[a-z]*vpn' /var/log/*` for starters.
– roaima
Jul 11 at 15:51
edited Jul 11 at 15:56
asked Jul 11 at 15:15
user1532602
1011
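To read what the client log above actually configured, here is an added example (not code from the question or from OpenVPN) that parses the `PUSH_REPLY` line and the `TUN/TAP device ... opened` line quoted in the question, reports which routes the server pushed and whether a full-tunnel `redirect-gateway` was among them, and flags when the device the log opened (tun1) differs from the one `ip a` showed (tun0), which is the first thing to check for a second running instance. The `ip a` device set is passed in by hand; the log text is the question's own output.

```python
import re

# OpenVPN client log lines quoted from the question above.
LOG = """\
Wed Jul 11 11:54:59 2018 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.14 10.8.0.13,peer-id 1,cipher AES-256-GCM'
Wed Jul 11 11:54:59 2018 TUN/TAP device tun1 opened
Wed Jul 11 11:54:59 2018 /sbin/ip route add 10.8.0.1/32 via 10.8.0.13
Wed Jul 11 11:54:59 2018 Initialization Sequence Completed
"""


def parse_push_reply(log):
    """Return the directives the server pushed, keyed by name -> list of argument lists."""
    m = re.search(r"PUSH_REPLY,(.*?)'", log)
    if not m:
        return {}
    opts = {}
    for item in m.group(1).split(","):
        name, _, args = item.strip().partition(" ")
        opts.setdefault(name, []).append(args.split())
    return opts


def tunnel_report(log, ip_a_devices):
    """Summarise what the pushed options mean and compare the opened device with `ip a`.

    ip_a_devices: set of tun/tap interface names seen in `ip a` (constructed by the caller).
    """
    opts = parse_push_reply(log)
    dev = re.search(r"TUN/TAP device (\S+) opened", log)
    ifconfig = opts.get("ifconfig", [[None, None]])[0]
    return {
        "device": dev.group(1) if dev else None,
        # Only these destinations are sent through the tunnel unless redirect-gateway is pushed.
        "routes": [r[0] for r in opts.get("route", [])],
        "full_tunnel": "redirect-gateway" in opts,
        "local_ip": ifconfig[0],
        "peer_ip": ifconfig[1],
        "completed": "Initialization Sequence Completed" in log,
        # A mismatch here means the log came from a different instance than the one `ip a` shows.
        "device_mismatch": dev is not None and dev.group(1) not in ip_a_devices,
    }


if __name__ == "__main__":
    for key, value in tunnel_report(LOG, {"tun0"}).items():
        print(f"{key}: {value}")
```

With the question's log and `ip a` showing only tun0, the report lists a single pushed route (10.8.0.1), no full-tunnel redirect, and a device mismatch.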
What do the log files for OpenVPN say? (Look under /var/log)
– roaima
Jul 11 at 15:17
There is an openvpn directory under /var/log but it is empty
– user1532602
Jul 11 at 15:20
Might be logging to journald, try journalctl -u openvpn.
– slm♦
Jul 11 at 15:27
updated with journald logs
– user1532602
Jul 11 at 15:35
There should be some logs that get generated when you start the service. You've got log level 3 so they must be somewhere... grep -Eril 'shawn-home|o[a-z]*vpn' /var/log/* for starters.
– roaima
Jul 11 at 15:51