Azure – GCP – connection via Openvpn

I need to create a connection between GCP and Azure cloud. There is an OpenVPN connection created between GCP and Azure cloud; the OpenVPN Azure IP is 10.5.1.5.

In Azure I have core vnetA and satellite vnetB. Between vnetA and vnetB I have peering configured, and gateway transit is enabled on both sides of the peered vnets.

I have two route tables: RTableA, RTableB.

RTableA is associated with subnetA in vnetA, RTableB is associated with subnetB in vnetB.

In RTableA I have routes

1. (Name GCPtraffic; addr. prefix 192.168.0.0/24; virtual appliance / OpenVPN IP 10.5.1.5)
2. (Name InternetGateway; addr. prefix 0.0.0.0/0; Internet)
3. (Name Local; addr. prefix 10.5.1.0/24; Virtual Network)

In RTableB I have only one route:

1. (Name GCPtraffic; addr. prefix 192.168.0.0/24; virtual appliance / OpenVPN IP 10.5.1.5)

I have VMs: VmA located in subnetA, VmB located in subnetB.

I have connectivity in both directions (VmA -> VmB, VmB -> VmA), and I can connect VmA -> GCP network.

Problem is that I am not able to connect VmB –> GCP network. Is there any route missing in that scenario?

OpenVPN server on an Oracle Cloud computing instance: routing problems

I have an Ubuntu 20.04 LTS instance running in the Oracle Cloud “free tier”. I set up OpenVPN on this VM following this guide (it’s in German). Firewall port 1194/UDP is open, IPv4 forwarding is configured correctly (both in /etc/sysctl.conf and in /etc/default/ufw), and UFW also does forwarding in /etc/ufw/before.rules with this magic incantation:

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to ens3
-A POSTROUTING -s 10.27.0.0/8 -o ens3 -j MASQUERADE
COMMIT
# END OPENVPN RULES

ifconfig output on the server:

ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9000
        inet 10.0.0.4  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::200:17ff:fe02:52db  prefixlen 64  scopeid 0x20<link>
        ether 00:00:17:02:52:db  txqueuelen 1000  (Ethernet)
(....)
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.27.0.1  netmask 255.255.255.0  destination 10.27.0.1
        inet6 fe80::b07f:586a:c721:fddb  prefixlen 64  scopeid 0x20<link>

Looks good. The problem is that the client cannot connect to the server, the log says “TLS Error: TLS key negotiation failed to occur within 60 seconds”.

When I run sudo tcpdump -ni ens3 udp and port 1194, I can see that the packets do arrive from the client (IP address “X.X.X.X”):

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
14:18:08.024761 IP X.X.X.X.20800 > 10.0.0.4.1194: UDP, length 54

I suspect the problem is related to how virtual networks are configured on the Oracle Cloud. My VM has an IP 10.0.0.4, therefore the OpenVPN server config contains an entry listen 10.0.0.4. Most likely some routing setting is missing so the server can’t answer the client’s connection request.

My question is: has someone set up an OpenVPN server on Oracle’s cloud successfully? And if yes, what was the extra configuration step that had to be performed?

FWIW, I checked the box “Skip source/destination check” in Instance Details > Attached VNICs > Edit in the Oracle Cloud web management GUI. Otherwise the networking setup is “standard”.

linux – OpenVPN: Client cannot ping 4.2.2.2 when connected

My client cannot surf the internet when connected to the vpn. I have

push "redirect-gateway def1"

and

root@vortex:/home# cat /proc/sys/net/ipv4/ip_forward
1

set.

Server and client connect just fine and error free and can ping each other across the VPN, but that’s as far as it goes.

root@vortex:/home# cat /etc/openvpn/server.conf

mode server
tls-server
port 1194
proto udp
dev tun

#ca      /usr/share/easy-rsa/keys/ca.crt    # generated keys
#cert    /usr/share/easy-rsa/keys/server.crt
#key     /usr/share/easy-rsa/keys/server.key  # keep secret
#dh      /usr/share/easy-rsa/keys/dh2048.pem

ca      /pki/ca.crt
cert    /pki/issued/vortex.trade.com.crt
key     /pki/private/vortex.trade.com.key
dh      /pki/dh.pem

server 10.9.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo         # Compression - must be turned on at both ends
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 1  # verbose mode
user nobody
group nogroup
client-config-dir /etc/openvpn/ccd
client-to-client
push "redirect-gateway def1"
push "redirect-gateway bypass-dhcp"
push "route 192.168.0.0 255.255.255.0"
#push "dhcp-option DNS 188.120.247.2"
#push "dhcp-option DNS 188.120.247.8"
#push "dhcp-option DNS 82.146.59.250"
push "dhcp-option DNS 4.2.2.2"

log /var/log/openvpn/openvpn.log

root@vortex:/home# cat /etc/iptables/rules.v4

# Generated by iptables-save v1.6.0 on Mon Jul 20 07:13:41 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j DROP
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 443 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 695 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 3128 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 6667 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 9001 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 9030 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -s 10.9.8.0/24 -i tun0 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.9.8.14/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: "
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 2222 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED -m udp --sport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 695 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3128 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 6667 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9001 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9030 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied: "
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon Jul 20 07:13:41 2020
# Generated by iptables-save v1.6.0 on Mon Jul 20 07:13:41 2020
*nat
:PREROUTING ACCEPT [58:7571]
:INPUT ACCEPT [8:2109]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [2:120]
COMMIT
# Completed on Mon Jul 20 07:13:41 2020
# Generated by iptables-save v1.6.0 on Mon Jul 20 07:13:41 2020
*mangle
:PREROUTING ACCEPT [254:43256]
:INPUT ACCEPT [216:40502]
:FORWARD ACCEPT [7:420]
:OUTPUT ACCEPT [93:16424]
:POSTROUTING ACCEPT [100:16844]
COMMIT
# Completed on Mon Jul 20 07:13:41 2020

The issue does seem to have appeared following a knockd installation, but I’m not sure.

root@vortex:/home# cat /etc/knockd.conf

[options]
        UseSyslog
        Interface = IFACE
[SSH]
        sequence = 90,90,90
        seq_timeout = 15
        tcpflags = syn
        start_command = /sbin/iptables -I INPUT -i eth0 -s %IP% -p tcp --dport 2222 -j ACCEPT
        stop_command = /sbin/iptables -D INPUT -i eth0 -s %IP% -p tcp --dport 2222 -j ACCEPT
        cmd_timeout = 20

client:

root@Inspiron-laptop:/home/# cat /etc/openvpn/client.conf 
client
remote 188.120.224.182
dev tun
#ifconfig 10.9.8.2 10.9.8.1
nobind
#persist-key
#persist-tun
tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/dell.trade.com.crt
key /etc/openvpn/dell.trade.com.key
comp-lzo
verb 3
redirect-gateway def1
ping-restart 60
log /var/log/openvpn/openvpn.log

The tunnel interface comes up fine:

root@Inspiron-laptop:/home/# ifconfig

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1044649  bytes 565199288 (565.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1044649  bytes 565199288 (565.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.9.8.10  netmask 255.255.255.255  destination 10.9.8.9
        inet6 fe80::82a9:e454:8136:6d9f  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 29  bytes 4077 (4.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.43.160  netmask 255.255.255.0  broadcast 192.168.43.255
        inet6 fe80::3fdf:a130:31c3:32eb  prefixlen 64  scopeid 0x20<link>
        inet6 2600:100a:b128:d429:ef84:249c:a98d:f078  prefixlen 64  scopeid 0x0<global>
        inet6 2600:100a:b128:d429:9cdb:5dbf:2415:6022  prefixlen 64  scopeid 0x0<global>
        ether dc:53:60:6d:f3:62  txqueuelen 1000  (Ethernet)
        RX packets 7446346  bytes 5129002739 (5.1 GB)
        RX errors 0  dropped 212149  overruns 0  frame 0
        TX packets 4900063  bytes 859603059 (859.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlx1cbfcebf5fba: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.43.25  netmask 255.255.255.0  broadcast 192.168.43.255
        inet6 2600:100a:b128:d429:fc6e:cdca:d721:6d6c  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::fde3:a1d3:3dc5:56ec  prefixlen 64  scopeid 0x20<link>
        inet6 2600:100a:b128:d429:c93:106a:f84a:4f78  prefixlen 64  scopeid 0x0<global>
        ether 1c:bf:ce:bf:5f:ba  txqueuelen 1000  (Ethernet)
        RX packets 526561  bytes 480490738 (480.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 456675  bytes 94595265 (94.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I can ping the WAN interface of the VPN from the tunnel from the client when connected.

root@Inspiron-laptop:/home/# ping 188.120.224.182
PING 188.120.224.182 (188.120.224.182) 56(84) bytes of data.
64 bytes from 188.120.224.182: icmp_seq=1 ttl=46 time=212 ms
64 bytes from 188.120.224.182: icmp_seq=2 ttl=46 time=310 ms
64 bytes from 188.120.224.182: icmp_seq=3 ttl=46 time=329 ms
64 bytes from 188.120.224.182: icmp_seq=4 ttl=46 time=180 ms
^C
--- 188.120.224.182 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 180.428/257.780/328.903/63.126 ms

But no farther:

root@Inspiron-laptop:/home/# ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data.
^C
--- 4.2.2.2 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5098ms

I suspect firewall but I can’t find the issue.
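As an added example (not part of the original post, and not the poster's own configuration), the script below parses an iptables-save dump in the format shown above and checks the three things a Linux host must have before VPN clients can reach the Internet through it: a FORWARD rule accepting traffic from the tunnel interface, a FORWARD rule accepting RELATED,ESTABLISHED replies, and a nat POSTROUTING rule (MASQUERADE or SNAT) rewriting the clients' private source address on the WAN interface. The interface names tun0/eth0 and the 10.9.8.0/24 tunnel subnet are taken from the post; the sample dump is a constructed excerpt of the posted rules.v4, and ip_forward is passed in as a string because it is a sysctl rather than an iptables rule.

```python
"""Audit an iptables-save dump for what a full-tunnel OpenVPN gateway needs."""
import shlex
from typing import Dict, List

# Constructed sample: the relevant lines of the dump posted in the question.
SAMPLE_RULES_V4 = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -s 10.9.8.0/24 -i tun0 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: "
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [58:7571]
:POSTROUTING ACCEPT [2:120]
COMMIT
"""


def parse_iptables_save(dump: str) -> Dict[str, Dict[str, List[List[str]]]]:
    """Return {table: {chain: [rule argv, ...]}} for every '-A' rule in the dump.

    Tables start with '*name', chains are declared as ':CHAIN POLICY [pkts:bytes]',
    rules are '-A CHAIN <matches> -j TARGET', and 'COMMIT' ends a table.
    """
    tables: Dict[str, Dict[str, List[List[str]]]] = {}
    table = ""
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, {})
        elif line.startswith(":") and table:
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A") and table:
            argv = shlex.split(line)           # shlex keeps quoted --log-prefix intact
            tables[table].setdefault(argv[1], []).append(argv[2:])
    return tables


def _opt(argv: List[str], flag: str) -> str:
    """Value following a flag such as '-i' or '-j', or '' if the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv else ""


def audit_vpn_gateway(dump: str, ip_forward: str, tun: str = "tun0",
                      wan: str = "eth0", vpn_net: str = "10.9.8.0/24") -> Dict[str, bool]:
    """Each key is True when the corresponding prerequisite is present."""
    tables = parse_iptables_save(dump)
    fwd = tables.get("filter", {}).get("FORWARD", [])
    post = tables.get("nat", {}).get("POSTROUTING", [])

    def forward_accepts(pred) -> bool:
        return any(_opt(r, "-j") == "ACCEPT" and pred(r) for r in fwd)

    return {
        "ip_forward": ip_forward.strip() == "1",
        "forward_from_tun": forward_accepts(lambda r: _opt(r, "-i") == tun),
        "forward_established": forward_accepts(
            lambda r: "ESTABLISHED" in _opt(r, "--state")),
        # A source-NAT rule that applies to the tunnel subnet leaving the WAN side;
        # an unrestricted rule (no -o / no -s) covers it too.
        "nat_postrouting": any(
            _opt(r, "-j") in ("MASQUERADE", "SNAT")
            and _opt(r, "-o") in ("", wan)
            and _opt(r, "-s") in ("", vpn_net)
            for r in post),
    }


def missing(dump: str, ip_forward: str) -> List[str]:
    """Names of the prerequisites that the dump does not satisfy."""
    return [name for name, ok in audit_vpn_gateway(dump, ip_forward).items() if not ok]


if __name__ == "__main__":
    # On a real host: dump = open("/etc/iptables/rules.v4").read(),
    # ip_forward = open("/proc/sys/net/ipv4/ip_forward").read()
    for name in missing(SAMPLE_RULES_V4, "1"):
        print("missing:", name)
```

Run against the posted dump the audit reports only `nat_postrouting` as missing: the FORWARD chain lets the 10.9.8.0/24 packets out, but nothing rewrites their source address, so replies from the Internet are addressed to a private 10.9.8.x address that upstream routers cannot deliver back to this box. The same parser is reusable for the knockd-inserted INPUT rules, since it does not care which chain a rule lives in.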

vpn – Configure Routing on GCP for External Resources for OpenVPN Split Tunnel

I spun up an OpenVPN Access Server VM from the Google Cloud Marketplace. My use case is to reach a third party service from a whitelisted static ip.

If I configure “Should client Internet traffic be routed through the VPN?” to YES, full-tunnel VPN works just fine, but if I set it to NO and use server config directives to push specific routes to external resources, the client traffic gets dropped somewhere after reaching the VM.

For example, if I use a server config directive to push "route 204.11.35.98 255.255.255.255 vpn_gateway".

I followed this troubleshooting guide for reaching systems over the VPN:

From the client, if I ping the ip of the external resource (public ip)

If I run tcpdump on the server and ping from the client I can see the echo request, but don’t get any replies:

10:04:38.934805  In ethertype IPv4 (0x0800), length 76: 172.27.232.2 > 204.11.35.98: ICMP echo request, id 1, seq 530, length 40

From the client, if I ping the Access Server’s internal ip (10.150.0.4) you can see the replies:

10:06:32.589234  In ethertype IPv4 (0x0800), length 76: 172.27.232.2 > 10.150.0.4: ICMP echo request, id 1, seq 536, length 40
10:06:32.589280 Out ethertype IPv4 (0x0800), length 76: 10.150.0.4 > 172.27.232.2: ICMP echo reply, id 1, seq 536, length 40

The server can ping the external resource, so it seems like the traffic is getting lost on the way out of the VPC or on the way back in. I tried adding a route on the VPC for 172.27.224.0/20 and specified the next hop of the Access Server’s VM, but the traffic is still dropped.

In this simple example, how do you configure the GCP project to route traffic out to the external resource and back to the VPN client?

vpn – OpenVPN authentication error

Now I use Synology’s MR2200AC as my home router and Synology’s DS918+ as my NAS for hosting some virtual machines. And I’m trying to connect to the virtual machines from my laptop via an OpenVPN server of the VPN Plus Server app on the Synology MR2200AC.

However, when I’m trying to make an OpenVPN connection to the OpenVPN server, it results in an authentication error. But I can succeed once in a while, so the username and password are correct. The error occurs both when the laptop is inside and when it is outside my home LAN.

The current environment of the connection is as follows.

The laptop is outside my home:
Laptop–Smartphone(tethering)–Internet–MR2200AC–virtual machines(on Synology DS918+)

The laptop is inside my home:
Laptop–MR2200AC–virtual machines(on Synology DS918+)

Laptop: macOS 10.14.6, using OpenVPN Connect v3.2.1 (https://openvpn.net/download-open-vpn/)
Smartphone: iOS (13.3)
MR2200AC: SRM 1.2.4-8081 (Internet connection is IPoE (MAP-E))
DS918+: DSM 6.2.3-25426
Virtual machines: Ubuntu Server 20.04 on DS918+’s Virtual Machine Manager app

The OpenVPN connection between the OpenVPN server and the virtual machines is not a problem. The virtual machines can always succeed at the authorization and keep their OpenVPN connection with the OpenVPN server.

I can make a VPN connection with the MR2200AC from outside my home if I use the WebVPN function on the VPN Plus Server app (not an OpenVPN connection). So I have tried to export the configuration file from the OpenVPN tab on the VPN Plus Server app when the laptop is outside my home and used that file.
Also I have tried to change the UDP protocol to the TCP protocol, and to launch the OpenVPN app on the laptop with root privilege.

But those work once in a while, not always.

I thought the above IPoE (MAP-E) may cause the problem. But the DNS configuration of the MR2200AC works correctly.

I can’t understand what is wrong.

I’d like to build a reliable VPN connection between the laptop and the virtual machines. For example, I access a MySQL server on the virtual machine, whether the laptop is inside or outside my home LAN. In this example, the above WebVPN is useless.

Please help me.

One of the logs, for example, is here:

7/31/2020, 1:04:33 PM OpenVPN core 3.git::3e56f9a6 mac x86_64 64-bit built on Jul 3 2020 15:36:10
7/31/2020, 1:04:33 PM Frame=512/2048/512 mssfix-ctrl=1250
7/31/2020, 1:04:33 PM UNUSED OPTIONS
1 (tls-client)
3 (pull)
5 (script-security) (2)
7/31/2020, 1:04:33 PM EVENT: RESOLVE 
7/31/2020, 1:04:33 PM Contacting ************* via TCPv4
7/31/2020, 1:04:33 PM EVENT: WAIT 
7/31/2020, 1:04:33 PM UnixCommandAgent: transmitting bypass route to /var/run/agent_ovpnconnect.sock
{
"host" : "**********",
"ipv6" : false,
"pid" : 35641
}
7/31/2020, 1:04:33 PM Connecting to (***************):**** (***********) via TCPv4
7/31/2020, 1:04:33 PM EVENT: CONNECTING 
7/31/2020, 1:04:33 PM Tunnel Options:V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client
7/31/2020, 1:04:33 PM Creds: Username/Password
7/31/2020, 1:04:33 PM Peer Info:
IV_VER=3.git::3e56f9a6
IV_PLAT=mac
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_GUI_VER=OCmacOS_3.2.1-1484
IV_SSO=openers

7/31/2020, 1:04:34 PM VERIFY OK: depth=2, /O=Digital Signature Trust Co./CN=DST Root CA X3
7/31/2020, 1:04:34 PM VERIFY OK: depth=1, /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
7/31/2020, 1:04:34 PM VERIFY OK: depth=0, /CN=**************
7/31/2020, 1:04:40 PM SSL Handshake: CN=*****************, TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
7/31/2020, 1:04:40 PM Session is ACTIVE
7/31/2020, 1:04:40 PM EVENT: GET_CONFIG 
7/31/2020, 1:04:40 PM Sending PUSH_REQUEST to server...
7/31/2020, 1:04:40 PM AUTH_FAILED
7/31/2020, 1:04:40 PM EVENT: AUTH_FAILED 
7/31/2020, 1:04:40 PM EVENT: DISCONNECTED 
7/31/2020, 1:04:44 PM Raw stats on disconnect:

BYTES_IN : 4993
BYTES_OUT : 2163
PACKETS_IN : 10
PACKETS_OUT : 10
AUTH_FAILED : 1
7/31/2020, 1:04:44 PM Performance stats on disconnect:
CPU usage (microseconds): 9352624
Network bytes per CPU second: 765
Tunnel bytes per CPU second: 0

amazon web services – iptables port forwarding with AWS and openVPN

I am trying to expose an OpenVPN client port (5060) to the public network and cannot make it work.
Topology:
USG – client of OpenVPN (Unifi USG router)
OVPN- OpenVPN server (AWS EC2 instance)
RASP – Client in network behind S1 (Raspberry Pi)

So basically I would like to expose port 5060 of RASP via OVPN. OVPN is visible to RASP and vice versa.

I have tried various combinations and this is what is the best I could figure out:

iptables rule (not sure exactly what it does):

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT

And following commands:

iptables -t nat -A PREROUTING -d OVPN_IP -p tcp --dport 5060 -j DNAT --to-dest RASP_IP:5060
iptables -t nat -A POSTROUTING -d RASP_IP -p tcp --dport 5060 -j SNAT --to-source OVPN_VPN_IP

After that set of actions on OVPN, I am able to telnet to OVPN, but only on the AWS internal IP (OVPN_IP), not on the Elastic IP (the public one) attached to the OVPN server, which is exactly what I need…

Any help?
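To make visible what the two NAT rules above actually do to a packet, here is an added example (not part of the original post, and not the poster's setup): a small model of netfilter's nat PREROUTING and POSTROUTING chains plus conntrack's reverse translation, run over one TCP SYN from the Internet towards port 5060. All addresses are constructed placeholders standing in for the post's OVPN_IP, OVPN_VPN_IP and RASP_IP. The model also assumes the rules file (with the bare MASQUERADE rule) is loaded before the two `iptables -t nat -A` commands append their rules, which is the order a persistent rules file and manual commands would produce; the rule list can be passed in any order to see the difference.

```python
"""Trace one forwarded connection through DNAT, SNAT/MASQUERADE and conntrack."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed placeholder addresses (RFC 5737 / RFC 1918 ranges), not the poster's.
CLIENT_PUBLIC = "198.51.100.7"   # someone on the Internet
OVPN_IP = "172.31.10.5"          # EC2 private address; AWS maps the Elastic IP onto it
OVPN_VPN_IP = "10.8.0.1"         # OpenVPN server's tun0 address
RASP_IP = "10.8.0.6"             # Raspberry Pi reachable over the tunnel


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatRule:
    chain: str                        # "PREROUTING" or "POSTROUTING"
    target: str                       # "DNAT", "SNAT" or "MASQUERADE"
    match_dst: Optional[str] = None   # -d
    match_dport: Optional[int] = None # --dport
    to: Optional[str] = None          # --to-destination / --to-source address

    def matches(self, p: Packet) -> bool:
        return ((self.match_dst is None or p.dst == self.match_dst)
                and (self.match_dport is None or p.dport == self.match_dport))


# The three rules from the post, in the order they end up in the nat table when the
# rules file is loaded first and the two -A commands are appended afterwards.
RULES: List[NatRule] = [
    NatRule("POSTROUTING", "MASQUERADE"),
    NatRule("PREROUTING", "DNAT", match_dst=OVPN_IP, match_dport=5060, to=RASP_IP),
    NatRule("POSTROUTING", "SNAT", match_dst=RASP_IP, match_dport=5060, to=OVPN_VPN_IP),
]


def apply_chain(chain: str, p: Packet, egress_ip: str,
                rules: Sequence[NatRule]) -> Tuple[Packet, str]:
    """First matching rule wins: NAT targets are terminating within a chain."""
    for r in rules:
        if r.chain != chain or not r.matches(p):
            continue
        if r.target == "DNAT":
            return replace(p, dst=r.to), "DNAT"
        if r.target == "SNAT":
            return replace(p, src=r.to), "SNAT"
        if r.target == "MASQUERADE":           # source becomes the egress interface's own address
            return replace(p, src=egress_ip), "MASQUERADE"
    return p, "no rule"


def forward_new_flow(p: Packet, rules: Sequence[NatRule] = RULES
                     ) -> Tuple[List[Tuple[str, Packet]], Dict[str, Packet]]:
    """Trace the first packet of a new connection and record the conntrack entry."""
    trace = [("arrives on eth0", p)]
    after_pre, hit = apply_chain("PREROUTING", p, OVPN_IP, rules)
    trace.append((f"after PREROUTING ({hit})", after_pre))
    # Toy routing decision: tunnel destinations leave via tun0, everything else via eth0.
    egress = OVPN_VPN_IP if after_pre.dst.startswith("10.8.0.") else OVPN_IP
    after_post, hit = apply_chain("POSTROUTING", after_pre, egress, rules)
    trace.append((f"after POSTROUTING ({hit})", after_post))
    return trace, {"original": p, "translated": after_post}


def reply_path(conn: Dict[str, Packet]) -> Tuple[Packet, Packet]:
    """The reply is un-NATed from the conntrack entry; no nat rules are consulted."""
    t, o = conn["translated"], conn["original"]
    reply_in = Packet(src=t.dst, sport=t.dport, dst=t.src, dport=t.sport)
    reply_out = Packet(src=o.dst, sport=o.dport, dst=o.src, dport=o.sport)
    return reply_in, reply_out


if __name__ == "__main__":
    trace, conn = forward_new_flow(Packet(CLIENT_PUBLIC, 40000, OVPN_IP, 5060))
    for stage, pkt in trace:
        print(f"{stage:36s} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    rin, rout = reply_path(conn)
    print(f"{'reply from Pi on tun0':36s} {rin.src}:{rin.sport} -> {rin.dst}:{rin.dport}")
    print(f"{'reply un-NATed, sent on eth0':36s} {rout.src}:{rout.sport} -> {rout.dst}:{rout.dport}")
```

Two things the trace makes concrete: the instance never sees the Elastic IP (AWS rewrites it to the private address before delivery, so a DNAT matching `-d OVPN_IP` is the right match for public traffic too), and with the bare MASQUERADE rule ahead of it the SNAT rule never fires, yet the Pi still sees the server's tun0 address as the source because MASQUERADE picks the egress interface's address. Either way the return packets from the Pi are mapped back by conntrack, so if telnet to the private address works but the public one does not, the translation on the box is not the first place to look.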

windows 10 – How do I check via command line whether OpenVPN is connected to the VPN or not?

This is such a typical situation: I need to do the most basic imaginable thing, yet here I am, sweating and swearing from exhaustion after spending hours upon hours searching and experimenting, unable to accomplish this ultra-basic task.

I’ve looked through all the countless options on:

openvpn.exe --help

None of them are called anything like --is-connected or --has-connected or --is-online. As far as I can tell, the feature doesn’t exist, but that sounds too unlikely to be true.

I’ve made numerous searches online and only find unrelated nonsense, like always.

How can such a basic feature (apparently) be overlooked? This is crucial information for other applications to know in order to know whether they can safely start making network requests. (In many situations, the VPN is temporarily down when I start the computer, etc.)

I don’t want to have to make a HTTP request to an external server using one of my VPN’s proxies (which only work if you are connected to the VPN). While it would technically work, it would involve relying on third parties and be very “wasteful” for something that should be so simple and kept fully “local”.

I can visually tell whether OpenVPN is connected to my VPN by looking in the bottom-right corner of my screen, where the little OpenVPN icon is lit green. How do I do the same from the command line?

I just need a 0/1 or true/false value.
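One local way to get that 0/1 answer is OpenVPN's management interface, which reports the daemon's own connection state. The script below is an added example (not part of the original post and not shipped by the OpenVPN project); it assumes the client is started with the management interface listening on loopback, for instance via the config line `management 127.0.0.1 7505` (the port is an assumption; the OpenVPN GUI on Windows already talks to openvpn.exe over this interface, so an existing management port can be used instead). It sends the `state` command, reads the reply up to `END`, and exits 0 when the state is CONNECTED and 1 otherwise, so other programs can gate on the exit code without any external request.

```python
"""Exit 0 if the local OpenVPN process reports state CONNECTED, else 1."""
import socket
import sys
from typing import List, Optional

MGMT_ADDR = ("127.0.0.1", 7505)   # assumed `management 127.0.0.1 7505` in the client config


def parse_state_reply(lines: List[str]) -> Optional[str]:
    """Return the state name from a `state` reply, or None if none was found.

    A reply to `state` is one line per state record:
        <unix time>,<STATE>,<description>,<local tun ip>,<remote ip>,...
    terminated by a line containing only END.  Lines the daemon pushes on its
    own (greeting, real-time notifications) start with '>' and are skipped.
    """
    state = None
    for line in lines:
        line = line.strip()
        if line == "END":
            break
        if not line or line.startswith(">"):
            continue
        fields = line.split(",")
        if len(fields) >= 2 and fields[0].isdigit():
            state = fields[1]           # the last record reported wins
    return state


def is_connected(lines: List[str]) -> bool:
    """True only when the tunnel is fully established."""
    return parse_state_reply(lines) == "CONNECTED"


def query_state(addr=MGMT_ADDR, timeout: float = 2.0) -> List[str]:
    """Connect to the management socket, send `state`, return the reply lines."""
    with socket.create_connection(addr, timeout=timeout) as sock:
        f = sock.makefile("rw", encoding="ascii", newline="\n")
        f.write("state\n")
        f.flush()
        lines = []
        for line in f:                  # greeting (">INFO:...") arrives first and is ignored
            lines.append(line)
            if line.strip() == "END":
                break
        return lines


# Constructed sample replies in the format the management interface uses.
SAMPLE_CONNECTED = [
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\n",
    "1595000000,CONNECTED,SUCCESS,10.8.0.6,203.0.113.10,1194,,\n",
    "END\n",
]
SAMPLE_RECONNECTING = [
    "1595000000,RECONNECTING,tls-error,,,,,\n",
    "END\n",
]

if __name__ == "__main__":
    try:
        up = is_connected(query_state())
    except OSError:                     # nothing listening: the daemon is not running
        up = False
    print(1 if up else 0)
    sys.exit(0 if up else 1)
```

A socket that is not listening at all is treated as "not connected", which is the right answer for a process that has not started yet at boot. Note that states such as WAIT, AUTH, GET_CONFIG and RECONNECTING all mean the tunnel is not usable, so the check compares against exactly CONNECTED rather than "anything but an error".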

router – OpenVPN does not connect outside network

We have a small office setup; currently, due to the pandemic, employees need to work remotely, therefore we are trying to configure OpenVPN so they can access internal applications. Using the following tutorial I’m able to connect OpenVPN from inside the office network. However, if I switch to a different internet connection other than the office network, the VPN does not connect. Wireshark shows P_Control_Hard_Reset_Client_V2.
Since I’m able to connect internally I don’t think that there would be any issue on the server side; however, I think I am making some mistake while routing the UDP connection.
We have a basic D-Link DIR-600M router where I have added the internal server IP under the Advanced and Private server option and port 1149 to be forwarded (all public IP requests with UDP port 1194 to be routed to 192.168.0.3 UDP port 1194). I also checked with the ISP and they said that port 1194 UDP is open. However, if I try to connect using our public IP, OpenVPN does not connect.
Any suggestions please?

I’m getting following error

Sun Jul 19 09:35:42 2020 OpenVPN 2.4.9 x86_64-redhat-linux-gnu (SSL (OpenSSL)) (LZO) (LZ4) (EPOLL) (PKCS11) (MH/PKTINFO) (AEAD) built on Apr 24 2020
Sun Jul 19 09:35:42 2020 library versions: OpenSSL 1.1.1c FIPS  28 May 2019, LZO 2.08
Sun Jul 19 09:35:42 2020 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jul 19 09:35:42 2020 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jul 19 09:35:42 2020 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jul 19 09:35:42 2020 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jul 19 09:35:42 2020 TCP/UDP: Preserving recently used remote address: (AF_INET)MY_PUBLIC_IP:1194
Sun Jul 19 09:35:42 2020 Socket Buffers: R=(212992->212992) S=(212992->212992)
Sun Jul 19 09:35:42 2020 UDP link local: (not bound)
Sun Jul 19 09:35:42 2020 UDP link remote: (AF_INET)MY_PUBLIC_IP:1194
Sun Jul 19 09:35:42 2020 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sun Jul 19 09:36:42 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jul 19 09:36:42 2020 TLS Error: TLS handshake failed
Sun Jul 19 09:36:42 2020 SIGUSR1(soft,tls-error) received, process restarting
Sun Jul 19 09:36:42 2020 Restart pause, 5 second(s)
Sun Jul 19 09:36:48 2020 RESOLVE: Cannot resolve host address: vpn.MY_SERVERE.net:1194 (Name or service not known)
Sun Jul 19 09:36:53 2020 RESOLVE: Cannot resolve host address: vpn.MY_SERVERE.net:1194 (Name or service not known)
Sun Jul 19 09:36:53 2020 Could not determine IPv4/IPv6 protocol
Sun Jul 19 09:36:53 2020 SIGUSR1(soft,init_instance) received, process restarting
Sun Jul 19 09:36:53 2020 Restart pause, 5 second(s)
Sun Jul 19 09:36:58 2020 TCP/UDP: Preserving recently used remote address: (AF_INET)MY_PUBLIC_IP:1194
Sun Jul 19 09:36:58 2020 Socket Buffers: R=(212992->212992) S=(212992->212992)
Sun Jul 19 09:36:58 2020 UDP link local: (not bound)
Sun Jul 19 09:36:58 2020 UDP link remote: (AF_INET)MY_PUBLIC_IP:1194
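The client logs quoted on this page (the Oracle Cloud server, the Synology/OpenVPN Connect client and the router log just above) stop at different stages, and each stage points at a different thing to check. As an added example (not part of any of these posts), the script below triages an OpenVPN client log by the first failure message it contains, counts failures per stage, and prints what that stage implies. In a restart loop the later errors are usually consequences of the first, which is why the first failure is reported rather than the last; the D-Link log shows this, with a 60-second TLS timeout followed by two transient RESOLVE errors. The patterns are the messages visible in the logs on this page plus the standard OpenVPN "VERIFY ERROR" and "Initialization Sequence Completed" lines; the sample inputs are constructed excerpts of the quoted logs.

```python
"""Triage an OpenVPN client log by the stage at which the connection stopped."""
import re
from typing import Dict, List, Optional

# Failure stages in the order a connection attempt passes through them.
FAILURES = [
    ("dns",          re.compile(r"RESOLVE: Cannot resolve host address")),
    ("reachability", re.compile(r"TLS key negotiation failed to occur within \d+ seconds")),
    ("tls_verify",   re.compile(r"VERIFY ERROR|certificate verify failed")),
    ("auth",         re.compile(r"\bAUTH_FAILED\b")),
]
# OpenVPN 2.x and the OpenVPN Connect (core 3) client log success differently.
SUCCESS = re.compile(r"Initialization Sequence Completed|,CONNECTED,SUCCESS,")

# What each stage means for the person running the server or the network.
CHECKS: Dict[str, str] = {
    "dns": "the server name does not resolve on the client: resolver or hosts entry",
    "reachability": "packets leave but no reply arrives within the timeout: port forward, "
                    "cloud/host firewall, server listen address, return route for replies",
    "tls_verify": "the peer certificate is rejected: CA bundle, server chain, client clock",
    "auth": "TLS completed and the server answered AUTH_FAILED: credentials or the "
            "server's auth backend; the network path is fine",
}


def triage(lines: List[str]) -> Dict[str, object]:
    """Return the first failure stage, per-stage counts, and whether it ever connected."""
    counts = {name: 0 for name, _ in FAILURES}
    first: Optional[str] = None
    connected = False
    for line in lines:
        if SUCCESS.search(line):
            connected = True
        for name, pat in FAILURES:
            if pat.search(line):
                counts[name] += 1
                if first is None:
                    first = name
    return {"first_failure": first, "counts": counts, "connected": connected}


def advice(result: Dict[str, object]) -> str:
    if result["connected"]:
        return "tunnel established; look at routing/NAT rather than the handshake"
    stage = result["first_failure"]
    return CHECKS.get(str(stage), "no known failure message found; raise verb and retry")


# Constructed excerpts of the logs quoted on this page (hosts redacted as in the originals).
SAMPLE_TIMEOUT = [
    "Sun Jul 19 09:35:42 2020 UDP link remote: (AF_INET)MY_PUBLIC_IP:1194",
    "Sun Jul 19 09:36:42 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "Sun Jul 19 09:36:42 2020 TLS Error: TLS handshake failed",
    "Sun Jul 19 09:36:48 2020 RESOLVE: Cannot resolve host address: vpn.MY_SERVERE.net:1194 (Name or service not known)",
    "Sun Jul 19 09:36:53 2020 RESOLVE: Cannot resolve host address: vpn.MY_SERVERE.net:1194 (Name or service not known)",
]
SAMPLE_AUTH = [
    "7/31/2020, 1:04:34 PM VERIFY OK: depth=0, /CN=**************",
    "7/31/2020, 1:04:40 PM Session is ACTIVE",
    "7/31/2020, 1:04:40 PM Sending PUSH_REQUEST to server...",
    "7/31/2020, 1:04:40 PM AUTH_FAILED",
    "7/31/2020, 1:04:40 PM EVENT: AUTH_FAILED ",
]

if __name__ == "__main__":
    # On a real host: lines = open("/var/log/openvpn/openvpn.log").read().splitlines()
    for name, sample in (("router log", SAMPLE_TIMEOUT), ("Synology log", SAMPLE_AUTH)):
        r = triage(sample)
        print(f"{name}: first failure = {r['first_failure']}, counts = {r['counts']}")
        print(f"  check: {advice(r)}")
```

For the router log the verdict is `reachability`, which is consistent with the Wireshark observation of only P_Control_Hard_Reset_Client_V2 (the client's first packet) and no server reply; for the Synology log it is `auth`, which says the TLS handshake and certificate chain were fine and the failure is in the server's user/password check. The Oracle Cloud log quoted earlier on this page would also classify as `reachability`, matching the tcpdump there that shows requests arriving but no replies.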

openvpn – Cannot use SSH when using VPN

I’ve installed OpenVPN on my Ubuntu server; essentially I executed the steps of this guide. All is working fine, so OpenVPN is actually installed as a system service and runs on every reboot of the machine.

The problem that I encountered is that I cannot use SSH with PuTTY, because the VPN has changed my server IP (that sounds fine); for this, I wrote the following commands before the machine starts:

sudo ip route add table 128 to gatewayip
sudo ip route add table 128 to subnet ip dev eth0
sudo ip route add table 128 default via default gateway

then I launched openvpn service using this command:

sudo service openvpn-client@client.service start 

and I can use the SSH again with Putty. So I tried to add the commands above in a bash script:

#!/bin/bash
sudo ip route add table 128 to gatewayip
sudo ip route add table 128 to subnet ip dev eth0
sudo ip route add table 128 default via default gateway

which is started using a service:

[Unit]
After=network.target
Before=openvpn-client@client.service

[Service]
ExecStart=/usr/local/sbin/myrouting

[Install]
WantedBy=default.target

I also modified the openvpn-client@.service which is located in /lib/systemd/system, specifically I added:

After=syslog.target network-online.target myrouting.service

Both services are running fine, but when I reboot the server I cannot access SSH.