flaschengeist
New Around Here
Hi all,
I am currently facing a few issues trying to route a locally running OpenVPN Server through my VPN Client activated on my DSL-AC68U running gnuton 384.17.
I want to route the OpenVPN Server (and all clients connected to it, without losing access to the local LAN) through the VPN Client.
When there is a client already connected and I activate the routing (policy based, strict), everything works just fine: the traffic gets routed through the VPN and local LAN access is still possible.
But when I activate the VPN Client and a new client wants to connect (or an already connected client wants to reconnect), no connection to the OpenVPN Server is possible.
Once I delete the strict policy routing, the clients are able to connect normally again.
Error Log of the OpenVPN Server with activated routing through VPN Client:
Sep 21 17:07:27 openvpn openvpn[627]: 1.1.1.1:50341 TLS: Initial packet from [AF_INET]1.1.1.1:50341, sid=a9612a61 84e9d961
Sep 21 17:08:27 openvpn openvpn[627]: 1.1.1.1:50341 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 21 17:08:27 openvpn openvpn[627]: 1.1.1.1:50341 TLS Error: TLS handshake failed
Sep 21 17:08:27 openvpn openvpn[627]: 1.1.1.1:50341 SIGUSR1[soft,tls-error] received, client-instance restarting
1.1.1.1 is a remote IP different from the host network.
OpenVPN Server configuration (192.168.1.x):
local 192.168.1.x
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.1.1"
client-to-client
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify
I used the following script to install the server: https://github.com/Nyr/openvpn-install
OpenVPN Client configuration:
client
dev tun
proto udp
remote x.x.x.x (remote ip) 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
<ca>
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
…
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
…
-----END OpenVPN Static key V1-----
</tls-crypt>
VPN Client configuration on the router (.ovpn imported from PIA's openvpn.zip):
client
dev tun
proto udp
remote de-frankfurt.privacy.network 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
compress
verb 1
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----
…
-----END X509 CRL-----
</crl-verify>
<ca>
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
</ca>
disable-occ
Any suggestions on how to fix the problem?
Thanks in advance.
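The log excerpt above shows the pattern that distinguishes a routing problem from a blocked port: the server receives the client's first packet but the TLS negotiation then times out, meaning the server's replies are not reaching the client. As an added example (not part of the post), here is a small parser that runs over a constructed log sample modelled on those lines and reports which peers stalled in exactly that state; the 203.0.113.5 peer and the "laptop" common name are constructed for contrast.

```python
import re

# Constructed OpenVPN server log (verb 3), modelled on the lines in the post.
# 1.1.1.1:50341 reproduces the stalled handshake; 203.0.113.5 is a constructed
# peer whose handshake completes, so the two outcomes can be told apart.
SAMPLE_LOG = """\
Sep 21 17:07:27 openvpn openvpn[627]: 1.1.1.1:50341 TLS: Initial packet from [AF_INET]1.1.1.1:50341, sid=a9612a61 84e9d961
Sep 21 17:07:40 openvpn openvpn[627]: 203.0.113.5:41022 TLS: Initial packet from [AF_INET]203.0.113.5:41022, sid=0102abcd 1234abcd
Sep 21 17:07:41 openvpn openvpn[627]: 203.0.113.5:41022 [laptop] Peer Connection Initiated with [AF_INET]203.0.113.5:41022
Sep 21 17:08:27 openvpn openvpn[627]: 1.1.1.1:50341 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 21 17:08:27 openvpn openvpn[627]: 1.1.1.1:50341 TLS Error: TLS handshake failed
Sep 21 17:08:27 openvpn openvpn[627]: 1.1.1.1:50341 SIGUSR1[soft,tls-error] received, client-instance restarting
"""

# syslog timestamp, host, "openvpn[pid]:", then the peer "ip:port" prefix
# that the server puts in front of every per-client message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ openvpn\[\d+\]: "
    r"(?P<peer>\d+\.\d+\.\d+\.\d+:\d+) (?P<msg>.*)$"
)


def summarize_handshakes(log_text):
    """Map each peer ip:port to 'pending', 'ok' or 'timeout'.

    'timeout' means the server saw the client's initial packet but the
    TLS negotiation never completed: inbound reached the server, while its
    replies did not reach the client (the symptom of return traffic leaving
    through a different interface than the one the request arrived on).
    """
    state = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        peer, msg = m.group("peer"), m.group("msg")
        if msg.startswith("TLS: Initial packet"):
            state.setdefault(peer, "pending")
        elif "Peer Connection Initiated" in msg:
            state[peer] = "ok"
        elif "TLS key negotiation failed" in msg:
            state[peer] = "timeout"
    return state


def stalled_peers(log_text):
    """Peers whose handshake started but timed out, sorted for stable output."""
    return sorted(p for p, s in summarize_handshakes(log_text).items() if s == "timeout")
```

If every WAN peer ends up in the timeout state while the initial packets keep arriving, the inbound path is fine and the return path is what to check.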