Carrier Grade Nat and OVPN Server problem

Discussion in 'Asuswrt-Merlin' started by skeal, Mar 31, 2020.

  1. skeal

    skeal Part of the Furniture

    Joined:
    Apr 30, 2016
    Messages:
    3,850
    Location:
    Riderville, SK
    Can this even be overcome? I have forwarded the port and my log shows this entry over and over. Any ideas what to start to chase down, or is this just not doable?
    Code:
    Mar 31 15:06:55 ovpn-server1[12947]: 142.165.85.237:36762 TLS Error: tls-crypt unwrapping failed from [AF_INET]142.165.85.237:36762
    Mar 31 15:06:56 ovpn-server1[12947]: 142.165.85.237:36762 tls-crypt unwrap error: bad packet ID (may be a replay): [ #1 / time = (1585688808) Tue Mar 31 15:06:48 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Mar 31 15:06:56 ovpn-server1[12947]: 142.165.85.237:36762 tls-crypt unwrap error: packet replay
    
    Edit: And what should ddns be set to internal/external?
     
  2. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    11,646
    Location:
    UK
    Set TLS control channel security to disabled?
     
  3. skeal

    Thanks for the reply, but nope, it didn't work. :( Same error.
     
  4. skeal

    It sounds like, without access to my ISP's access point or router, I have no option of a successful port forward either. This sucks.
     
  5. ColinTaylor

    That's true. But if that's the case how could you have performed the test that generated the error?
     
  6. skeal

    Ahh! I see your point. I am hitting the router. I just don't get the TLS stuff.
     
  7. skeal

    I set it up with default values. Now all I get is this message repeated with a different ending sid value.
    Code:
    Mar 31 16:06:57 ovpn-server1[26919]: 142.165.85.237:56381 TLS: Initial packet from [AF_INET]142.165.85.237:56381, sid=45a5f98b 69024e98
     
  8. ColinTaylor

    Are you exporting the ovpn file each time you make a change and importing it into your VPN client?
     
  9. skeal

    Yes sir!
     
  10. ColinTaylor

    Is this the only message you're getting? Or do you see other messages, like timeouts?
     
  11. skeal

    This would be more accurate.
    Code:
    Mar 31 16:06:57 ovpn-server1[26919]: 142.165.85.237:56381 TLS: Initial packet from [AF_INET]142.165.85.237:56381, sid=45a5f98b 69024e98
    Mar 31 16:07:06 ovpn-server1[26919]: 142.165.85.237:56261 TLS: Initial packet from [AF_INET]142.165.85.237:56261, sid=d04683eb 0962aff4
    Mar 31 16:07:16 ovpn-server1[26919]: 142.165.85.237:46041 TLS: Initial packet from [AF_INET]142.165.85.237:46041, sid=83bf0d99 810063e9
    Mar 31 16:07:26 ovpn-server1[26919]: 142.165.85.237:56071 TLS: Initial packet from [AF_INET]142.165.85.237:56071, sid=011ff79b 1b35468a
    Mar 31 16:07:37 ovpn-server1[26919]: 142.165.85.237:59025 TLS: Initial packet from [AF_INET]142.165.85.237:59025, sid=eadd0bc7 ed84a856
    Mar 31 16:07:47 ovpn-server1[26919]: 142.165.85.237:58450 TLS: Initial packet from [AF_INET]142.165.85.237:58450, sid=6e24d537 78eaf220
    Mar 31 16:07:58 ovpn-server1[26919]: 142.165.85.237:56381 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mar 31 16:07:58 ovpn-server1[26919]: 142.165.85.237:56381 TLS Error: TLS handshake failed
    Mar 31 16:07:58 ovpn-server1[26919]: 142.165.85.237:56381 SIGUSR1[soft,tls-error] received, client-instance restarting
    Mar 31 16:08:06 ovpn-server1[26919]: 142.165.85.237:56261 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mar 31 16:08:06 ovpn-server1[26919]: 142.165.85.237:56261 TLS Error: TLS handshake failed
    M
     
  12. ColinTaylor

    That makes more sense now.

    Can you explain how you're testing this exactly? The client's IP address is 142.165.85.237. That's a public IP address; is it a phone, another router, etc.?

    You mention CGNAT, so where are you seeing this CGNAT address? On the ISP's router? What is the VPN server's IP address, 192.168.x.y?
     
  13. skeal

    Using cell phone from cell network.
    100.72.8.135 on the AX88U's network map page. No ISP modem/router.
     
  14. ColinTaylor

    So what IP address is the client connecting to? :confused: It can't be 100.72.8.135 because that's not a public address. But you also said that you have no access to the ISP router to do any port forwarding.
     
  15. skeal

    The log on the phone says it's translating the DDNS name to 100.72.8.135, then gets "Server poll timeout, trying next remote entry..."
     
  16. skeal

    My ddns is set to internal.
     
  17. skeal

    If I do this all with the DDNS set to external, the phone never hits the server.
     
  18. ColinTaylor

    The DDNS should be set to external if you're behind any kind of NAT. However, that won't help you with CGNAT unless you have arranged with your ISP to forward some ports for you.

    Is your mobile phone service provided by the same company that provides your internet connection? I vaguely remember a forum member in such a situation being able to connect directly to his CGNAT address (but I might be mis-remembering that).

    https://openvpn.net/faq/tls-error-t...n-60-seconds-check-your-network-connectivity/
     
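Added example, not from the thread, from Asuswrt-Merlin or from OpenVPN: a small Python triage script that does the two checks the posts above turn on. It tells you whether a router's WAN address sits in the RFC 6598 CGNAT range (100.64.0.0/10, which is where 100.72.8.135 lives) or an RFC 1918 private range, and it sorts OpenVPN server log lines of the three kinds quoted in this thread (tls-crypt unwrap failures, "Initial packet" handshake starts, and the 60-second key negotiation timeout) into counts per client. The function names, the findings text and the SAMPLE_LOG (a trimmed copy of the lines quoted in post 11) are assumptions made for this example.

```python
"""Triage helper for an OpenVPN server behind CGNAT.

Added example with hypothetical helper names; not Asuswrt-Merlin or OpenVPN code.
"""
import ipaddress
import re
from collections import Counter

# RFC 6598 shared address space (handed out by ISPs doing CGNAT) and the RFC 1918
# private ranges. 100.64.0.0/10 is checked explicitly because Python's ipaddress
# module reports is_private == False for it, so is_private alone would miss it.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Message fragments taken from the OpenVPN server log lines quoted in the thread.
EVENT_PATTERNS = (
    ("tls_crypt_unwrap", re.compile(r"tls-crypt unwrap(?:ping failed| error)")),
    ("handshake_timeout", re.compile(r"TLS key negotiation failed to occur within \d+ seconds")),
    ("initial_packet", re.compile(r"TLS: Initial packet from \[AF_INET\]")),
)
# "ovpn-server1[26919]: 142.165.85.237:56381 ..." -> peer IP and source port
PEER_RE = re.compile(r"ovpn-server\d+\[\d+\]: (\d+(?:\.\d+){3}):(\d+) ")

# Constructed sample: a trimmed copy of the server log lines quoted in post 11.
SAMPLE_LOG = [
    "Mar 31 16:06:57 ovpn-server1[26919]: 142.165.85.237:56381 TLS: Initial packet from [AF_INET]142.165.85.237:56381, sid=45a5f98b 69024e98",
    "Mar 31 16:07:06 ovpn-server1[26919]: 142.165.85.237:56261 TLS: Initial packet from [AF_INET]142.165.85.237:56261, sid=d04683eb 0962aff4",
    "Mar 31 16:07:58 ovpn-server1[26919]: 142.165.85.237:56381 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "Mar 31 16:07:58 ovpn-server1[26919]: 142.165.85.237:56381 TLS Error: TLS handshake failed",
]


def classify_wan_address(addr: str) -> str:
    """Return 'cgnat', 'private', 'public' or 'other' for a router's WAN address."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_NET:
        return "cgnat"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    if ip.is_global:
        return "public"
    return "other"


def classify_log_line(line: str):
    """Return (event, peer_ip, peer_port), or None for lines this script does not track."""
    m = PEER_RE.search(line)
    if not m:
        return None
    for event, pattern in EVENT_PATTERNS:
        if pattern.search(line):
            return event, m.group(1), int(m.group(2))
    return None


def summarise_log(lines):
    """Count tracked events and collect the distinct source ports seen per client IP."""
    events = Counter()
    ports = {}
    for line in lines:
        hit = classify_log_line(line)
        if hit is None:
            continue
        event, ip, port = hit
        events[event] += 1
        ports.setdefault(ip, set()).add(port)
    return events, ports


def diagnose(wan_addr: str, lines) -> dict:
    """Combine the WAN address class with the log summary into a list of findings."""
    kind = classify_wan_address(wan_addr)
    events, ports = summarise_log(lines)
    findings = []
    if kind in ("cgnat", "private"):
        findings.append(f"WAN address {wan_addr} is not publicly routable ({kind}): a port forward "
                        "on this router is unreachable from the Internet unless the ISP forwards "
                        "the port on its own NAT.")
    if events["tls_crypt_unwrap"]:
        findings.append("Packets arrive but tls-crypt cannot unwrap them: client and server tls-crypt "
                        "keys or control-channel settings most likely differ, so re-export the "
                        "client profile after any change.")
    if events["initial_packet"] and events["handshake_timeout"]:
        findings.append("Server sees the client's first handshake packet but the handshake never "
                        "completes: the server's replies are not getting back to the client.")
    if not findings:
        findings.append("No OpenVPN TLS problems found in the supplied log lines.")
    return {"wan_kind": kind, "events": dict(events),
            "peer_ports": {ip: sorted(p) for ip, p in ports.items()}, "findings": findings}


if __name__ == "__main__":
    for key, value in diagnose("100.72.8.135", SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against your own WAN address (from the router's network map page) and a copy of the ovpn-server log; a "cgnat" or "private" WAN class is the answer to the question in this thread regardless of what the TLS lines say, while the TLS findings only matter once the address is reachable.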
  19. skeal

    I'm inclined to believe that without access to the CGNAT router port forward I'm spinning my wheels. I downgraded my internet to save a few bucks and now I'm questioning my logic...LOL
     
  20. ColinTaylor

    Ultimately this is the problem.