Carrier Grade Nat and OVPN Server problem


skeal

Part of the Furniture
Can this even be overcome? I have forwarded the port and my log shows this entry over and over. Any ideas what to start to chase down, or is this just not doable?
Code:
Mar 31 15:06:55 ovpn-server1[12947]: 142.165.85.237:36762 TLS Error: tls-crypt unwrapping failed from [AF_INET]142.165.85.237:36762
Mar 31 15:06:56 ovpn-server1[12947]: 142.165.85.237:36762 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1585688808) Tue Mar 31 15:06:48 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mar 31 15:06:56 ovpn-server1[12947]: 142.165.85.237:36762 tls-crypt unwrap error: packet replay
Edit: And what should DDNS be set to, internal or external?
 

ColinTaylor

Part of the Furniture
Set TLS control channel security to disabled?
 

skeal

Part of the Furniture
It sounds like without access to my ISP's access point or router I have no chance of a successful port forward either. This sucks.
 

ColinTaylor

Part of the Furniture
It sounds like that without access to my ISP's access point or router I have no options of a successful port forward either.
That's true. But if that's the case how could you have performed the test that generated the error?
 

skeal

Part of the Furniture
That's true. But if that's the case how could you have performed the test that generated the error?
Ahh! I see your point. I am hitting the router. I just don't get the TLS stuff.
 

skeal

Part of the Furniture
I set it up with default values. Now all I get is this message repeated with a different ending sid value.
Code:
Mar 31 16:06:57 ovpn-server1[26919]: 142.165.85.237:56381 TLS: Initial packet from [AF_INET]142.165.85.237:56381, sid=45a5f98b 69024e98
 

ColinTaylor

Part of the Furniture
Are you exporting the ovpn file each time you make a change and importing it into your VPN client?
 

ColinTaylor

Part of the Furniture
I set it up with default values. Now all I get is this message repeated with a different ending sid value.
Code:
Mar 31 16:06:57 ovpn-server1[26919]: 142.165.85.237:56381 TLS: Initial packet from [AF_INET]142.165.85.237:56381, sid=45a5f98b 69024e98
Is this the only message you're getting? Or do you see other messages, like timeouts?
 

skeal

Part of the Furniture
Is this the only message you're getting? Or do you see other messages, like timeouts?
This would be more accurate.
Code:
Mar 31 16:06:57 ovpn-server1[26919]: 142.165.85.237:56381 TLS: Initial packet from [AF_INET]142.165.85.237:56381, sid=45a5f98b 69024e98
Mar 31 16:07:06 ovpn-server1[26919]: 142.165.85.237:56261 TLS: Initial packet from [AF_INET]142.165.85.237:56261, sid=d04683eb 0962aff4
Mar 31 16:07:16 ovpn-server1[26919]: 142.165.85.237:46041 TLS: Initial packet from [AF_INET]142.165.85.237:46041, sid=83bf0d99 810063e9
Mar 31 16:07:26 ovpn-server1[26919]: 142.165.85.237:56071 TLS: Initial packet from [AF_INET]142.165.85.237:56071, sid=011ff79b 1b35468a
Mar 31 16:07:37 ovpn-server1[26919]: 142.165.85.237:59025 TLS: Initial packet from [AF_INET]142.165.85.237:59025, sid=eadd0bc7 ed84a856
Mar 31 16:07:47 ovpn-server1[26919]: 142.165.85.237:58450 TLS: Initial packet from [AF_INET]142.165.85.237:58450, sid=6e24d537 78eaf220
Mar 31 16:07:58 ovpn-server1[26919]: 142.165.85.237:56381 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 31 16:07:58 ovpn-server1[26919]: 142.165.85.237:56381 TLS Error: TLS handshake failed
Mar 31 16:07:58 ovpn-server1[26919]: 142.165.85.237:56381 SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 31 16:08:06 ovpn-server1[26919]: 142.165.85.237:56261 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 31 16:08:06 ovpn-server1[26919]: 142.165.85.237:56261 TLS Error: TLS handshake failed
M
 

ColinTaylor

Part of the Furniture
That makes more sense now.

Can you explain how you're testing this exactly? The client's IP address is 142.165.85.237. That's a public IP address; is it a phone, another router, etc.?

You mention CGNAT, so where are you seeing this CGNAT address? On the ISP's router? What is the VPN server's IP address, 192.168.x.y?
 

skeal

Part of the Furniture
Can you explain how you're testing this exactly? The client's IP address is 142.165.85.237. That's a public IP address; is it a phone, another router, etc.?
Using cell phone from cell network.
You mention CGNAT, so where are you seeing this CGNAT address? On the ISP's router? What is the VPN server's IP address, 192.168.x.y?
100.72.8.135 on the AX88U's network map page. No ISP modem/router.
 

ColinTaylor

Part of the Furniture
Using cell phone from cell network.

100.72.8.135 on the AX88U's network map page. No ISP modem/router.
So what IP address is the client connecting to? :confused: It can't be 100.72.8.135 because that's not a public address. But you also said that you have no access to the ISP router to do any port forwarding.
 

skeal

Part of the Furniture
So what IP address is the client connecting to? :confused: It can't be 100.72.8.135 because that's not a public address. But you also said that you have no access to the ISP router to do any port forwarding.
The log on the phone says it's translating the DDNS name to 100.72.8.135, then gets "Server poll timeout, trying next remote entry..."
 

skeal

Part of the Furniture
My ddns is set to internal.
 

skeal

Part of the Furniture
If I do this all with the DDNS set to external, the phone never hits the server.
 

ColinTaylor

Part of the Furniture
The DDNS should be set to external if you're behind any kind of NAT. However, that won't help you with CGNAT unless you have arranged with your ISP to forward some ports for you.

Is your mobile phone service provided by the same company that provides your internet connection? I vaguely remember a forum member in such a situation being able to connect directly to his CGNAT address (but I might be misremembering that).

https://openvpn.net/faq/tls-error-t...n-60-seconds-check-your-network-connectivity/
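A small diagnostic for the two points made in this and the earlier replies (a WAN address in the CGNAT range cannot be reached from the Internet no matter what the router forwards, and the server here sees the client's first packet but the handshake never completes). This is an added example, not code from the thread or from Asuswrt/OpenVPN; it assumes the log format shown in the posts, and `classify_wan_address`, `handshake_status` and `stalled_peers` are names introduced here.

```python
"""Classify the address a DDNS name resolves to (RFC 6598 CGNAT space vs
RFC 1918 vs public) and find OpenVPN clients whose handshake stalled, as in
this thread. Added example; SAMPLE_LOG is constructed from the posted lines."""
import ipaddress
import re
from collections import defaultdict

CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared space

def classify_wan_address(addr):
    """'cgnat' / 'private' / 'public'. Anything but 'public' means a port
    forward on this router alone cannot expose the VPN server."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_NET:
        return "cgnat"
    return "private" if ip.is_private else "public"

LOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d ovpn-server1\[\d+\]: "
                    r"(?P<peer>\d+\.\d+\.\d+\.\d+:\d+) (?P<msg>.*)$")

def handshake_status(lines):
    """Per client peer (ip:port): whether an initial TLS packet arrived and
    whether the handshake later failed or timed out."""
    st = defaultdict(lambda: {"initial": False, "failed": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        s, msg = st[m["peer"]], m["msg"]
        if msg.startswith("TLS: Initial packet"):
            s["initial"] = True
        elif "TLS key negotiation failed" in msg or "TLS handshake failed" in msg:
            s["failed"] = True
    return dict(st)

def stalled_peers(lines):
    """Peers whose first packet reached the server but whose handshake never
    completed within the 60 s window (the pattern in the second log above)."""
    return sorted(p for p, s in handshake_status(lines).items()
                  if s["initial"] and s["failed"])

SAMPLE_LOG = [  # constructed from the thread's posted lines
    "Mar 31 16:06:57 ovpn-server1[26919]: 142.165.85.237:56381 TLS: Initial packet from [AF_INET]142.165.85.237:56381, sid=45a5f98b 69024e98",
    "Mar 31 16:07:06 ovpn-server1[26919]: 142.165.85.237:56261 TLS: Initial packet from [AF_INET]142.165.85.237:56261, sid=d04683eb 0962aff4",
    "Mar 31 16:07:16 ovpn-server1[26919]: 142.165.85.237:46041 TLS: Initial packet from [AF_INET]142.165.85.237:46041, sid=83bf0d99 810063e9",
    "Mar 31 16:07:58 ovpn-server1[26919]: 142.165.85.237:56381 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "Mar 31 16:07:58 ovpn-server1[26919]: 142.165.85.237:56381 TLS Error: TLS handshake failed",
    "Mar 31 16:08:06 ovpn-server1[26919]: 142.165.85.237:56261 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
]
```

`classify_wan_address("100.72.8.135")` returns `"cgnat"`, which is the address the phone resolved the DDNS name to, and `stalled_peers(SAMPLE_LOG)` returns the two client ports (56261 and 56381) that hit the 60 second timeout.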
 

skeal

Part of the Furniture
The DDNS should be set to external if you're behind any kind of NAT. However, that won't help you with CGNAT unless you have arranged with your ISP to forward some ports for you.

Is your mobile phone service provided by the same company that provides your internet connection? I vaguely remember a forum member in such a situation being able to connect directly to his CGNAT address (but I might be misremembering that).

https://openvpn.net/faq/tls-error-t...n-60-seconds-check-your-network-connectivity/
I'm inclined to believe that without access to the CGNAT router port forward I'm spinning my wheels. I downgraded my internet to save a few bucks and now I'm questioning my logic...LOL
 
