Carrier Grade Nat and OVPN Server problem


skeal

Part of the Furniture
Can this even be overcome? I have forwarded the port and my log shows this entry over and over. Any ideas what to start to chase down, or is this just not doable?
Code:
Mar 31 15:06:55 ovpn-server1[12947]: 142.165.85.237:36762 TLS Error: tls-crypt unwrapping failed from [AF_INET]142.165.85.237:36762
Mar 31 15:06:56 ovpn-server1[12947]: 142.165.85.237:36762 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1585688808) Tue Mar 31 15:06:48 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mar 31 15:06:56 ovpn-server1[12947]: 142.165.85.237:36762 tls-crypt unwrap error: packet replay
Edit: And what should ddns be set to internal/external?
 
It sounds like that without access to my ISP's access point or router I have no options of a successful port forward either. This sucks.
 
It sounds like that without access to my ISP's access point or router I have no options of a successful port forward either.
That's true. But if that's the case how could you have performed the test that generated the error?
 
That's true. But if that's the case how could you have performed the test that generated the error?
Ahh! I see your point. I am hitting the router. I just don't get the TLS stuff.
 
I set it up with default values. Now all I get is this message repeated with a different ending sid value.
Code:
Mar 31 16:06:57 ovpn-server1[26919]: 142.165.85.237:56381 TLS: Initial packet from [AF_INET]142.165.85.237:56381, sid=45a5f98b 69024e98
 
Are you exporting the ovpn file each time you make a change and importing it into your VPN client?
 
I set it up with default values. Now all I get is this message repeated with a different ending sid value.
Code:
Mar 31 16:06:57 ovpn-server1[26919]: 142.165.85.237:56381 TLS: Initial packet from [AF_INET]142.165.85.237:56381, sid=45a5f98b 69024e98
Is this the only message you're getting? Or do you see other messages, like timeouts?
 
Is this the only message you're getting? Or do you see other messages, like timeouts?
This would be more accurate.
Code:
Mar 31 16:06:57 ovpn-server1[26919]: 142.165.85.237:56381 TLS: Initial packet from [AF_INET]142.165.85.237:56381, sid=45a5f98b 69024e98
Mar 31 16:07:06 ovpn-server1[26919]: 142.165.85.237:56261 TLS: Initial packet from [AF_INET]142.165.85.237:56261, sid=d04683eb 0962aff4
Mar 31 16:07:16 ovpn-server1[26919]: 142.165.85.237:46041 TLS: Initial packet from [AF_INET]142.165.85.237:46041, sid=83bf0d99 810063e9
Mar 31 16:07:26 ovpn-server1[26919]: 142.165.85.237:56071 TLS: Initial packet from [AF_INET]142.165.85.237:56071, sid=011ff79b 1b35468a
Mar 31 16:07:37 ovpn-server1[26919]: 142.165.85.237:59025 TLS: Initial packet from [AF_INET]142.165.85.237:59025, sid=eadd0bc7 ed84a856
Mar 31 16:07:47 ovpn-server1[26919]: 142.165.85.237:58450 TLS: Initial packet from [AF_INET]142.165.85.237:58450, sid=6e24d537 78eaf220
Mar 31 16:07:58 ovpn-server1[26919]: 142.165.85.237:56381 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 31 16:07:58 ovpn-server1[26919]: 142.165.85.237:56381 TLS Error: TLS handshake failed
Mar 31 16:07:58 ovpn-server1[26919]: 142.165.85.237:56381 SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 31 16:08:06 ovpn-server1[26919]: 142.165.85.237:56261 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 31 16:08:06 ovpn-server1[26919]: 142.165.85.237:56261 TLS Error: TLS handshake failed
M
 
That makes more sense now.

Can you explain how you're testing this exactly? The client's IP address is 142.165.85.237. That's a public IP address, is it a phone, another router, etc.?

You mention CGNAT, so where are you seeing this CGNAT address. On the ISP's router? What is the VPN server's IP address, 192.168.x.y?
 
Can you explain how you're testing this exactly? The client's IP address is 142.165.85.237. That's a public IP address, is it a phone, another router, etc.?
Using cell phone from cell network.
You mention CGNAT, so where are you seeing this CGNAT address. On the ISP's router? What is the VPN server's IP address, 192.168.x.y?
100.72.8.135 on the AX88U's network map page. No ISP modem/router.
 
Using cell phone from cell network.

100.72.8.135 on the AX88U's network map page. No ISP modem/router.
So what IP address is the client connecting to? :confused: It can't be 100.72.8.135 because that's not a public address. But you also said that you have no access to the ISP router to do any port forwarding.
 
So what IP address is the client connecting to? :confused: It can't be 100.72.8.135 because that's not a public address. But you also said that you have no access to the ISP router to do any port forwarding.
The log on the phone says it's translating the ddns name to 100.72.8.135 then gets Server poll timeout, trying next remote entry...
 
My ddns is set to internal.
 
If I do this all with the ddns set to external the phone never hits the server.
 
The DDNS should be set to external if you're behind any kind of NAT. However, that won't help you with CGNAT unless you have arranged with your ISP to forward some ports for you.

Is your mobile phone service provided by the same company that provides your internet connection? I vaguely remember a forum member in such a situation being able to connect directly to his CGNAT address (but I might be mis-remembering that).

https://openvpn.net/faq/tls-error-t...n-60-seconds-check-your-network-connectivity/
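An added example, not from this thread or from the router firmware: a small Python check that labels the address a DDNS name resolves to (100.64.0.0/10 is the RFC 6598 range CGNAT ISPs hand out) and summarises the OpenVPN server log lines posted above per client, mapping them to the two failure patterns in the thread. The function and event names are my own.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 6598 shared address space: what a CGNAT ISP hands to the router's WAN side.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

def classify_wan(addr):
    """Label the address the DDNS name resolves to: 'cgnat', 'private' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"      # ISP's NAT in front of you: your own port forward is not enough
    return "private" if ip.is_private else "public"

# Router log line shape: "... ovpn-server1[pid]: <client-ip>:<port> <message>"
LINE = re.compile(r"ovpn-server\d+\[\d+\]: (\d+\.\d+\.\d+\.\d+):(\d+) (.*)$")
EVENTS = (
    ("TLS: Initial packet", "initial"),
    ("TLS key negotiation failed", "timeout"),
    ("tls-crypt unwrapping failed", "unwrap_failed"),
    ("tls-crypt unwrap error: packet replay", "replay"),
)

def summarize(log_text):
    """Count handshake-related events per client IP: {ip: {event: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue                    # not an ovpn-server line
        ip, _port, msg = m.groups()
        for needle, name in EVENTS:
            if needle in msg:
                counts[ip][name] += 1
                break
    return {ip: dict(ev) for ip, ev in counts.items()}
def diagnose(events):
    """Map one client's event counts to the two failure patterns seen in the thread."""
    if events.get("unwrap_failed") or events.get("replay"):
        return "tls-crypt mismatch: re-export the .ovpn and re-import it on the client"
    if events.get("initial") and events.get("timeout"):
        return "client packets arrive but handshake never completes: server replies likely not reaching client"
    return "no known pattern"
# Sample input, copied from the thread's log (two initial packets, one 60 s timeout).
SAMPLE_LOG = """\
Mar 31 16:06:57 ovpn-server1[26919]: 142.165.85.237:56381 TLS: Initial packet from [AF_INET]142.165.85.237:56381, sid=45a5f98b 69024e98
Mar 31 16:07:06 ovpn-server1[26919]: 142.165.85.237:56261 TLS: Initial packet from [AF_INET]142.165.85.237:56261, sid=d04683eb 0962aff4
Mar 31 16:07:58 ovpn-server1[26919]: 142.165.85.237:56381 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""
```

Running `classify_wan` on 100.72.8.135 gives "cgnat" while the phone's 142.165.85.237 is "public", which is the asymmetry the thread circles around.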
 
The DDNS should be set to external if you're behind any kind of NAT. However, that won't help you with CGNAT unless you have arranged with your ISP to forward some ports for you.

Is your mobile phone service provided by the same company that provides your internet connection? I vaguely remember a forum member in such a situation being able to connect directly to his CGNAT address (but I might be mis-remembering that).

https://openvpn.net/faq/tls-error-t...n-60-seconds-check-your-network-connectivity/
I'm inclined to believe that without access to the CGNAT router port forward I'm spinning my wheels. I downgraded my internet to save a few bucks and now I'm questioning my logic...LOL
 
