[Support] PiVPN + Client from RPi/Ubuntu/Microtik not working

crystal-way commented 4 years ago

In raising this issue, I confirm the following:

{please fill the checkboxes, e.g: [X]}

[X] I have read and understood the contributors guide.
[X] The issue I am reporting can be replicated.
[] The issue I am reporting can be is directly related to the pivpn installer script.
[X] The issue I am reporting isn't a duplicate (see FAQs, closed issues, and open issues).

I have runing PiVPN (OpenVPN v.2.4.7) on PRETTY_NAME="Raspbian GNU/Linux 10 (buster)" NAME="Raspbian GNU/Linux" VERSION_ID="10". I have NO problems connecting to it from iPAD using OpenVPN app also NO problems connecting to it from Mac OS/Tunnelblick.

I have running two other machines with Ubuntu AND Raspbian (both with installed PiVPN as SERVER) and as server they work great. But i CAN'T connect from these two machines to the first one. Connection is successful, but i can't even ping a server. The logs on the server does not show anything bad. I've read hundreds of posts, tried many different iptables (client side) checked firewall also on client site (it is disabled) and no success to even ping the server. While as mentioned before, from ipad and tunnelblick - everything works fine.

Then i've decided to go for workaround and connect to the first machine using Mikrotik router hAP ac2. But this device could not even connect to PiVPN server. I only get errors on server side: tls-crypt unwrap error: packet too short TLS Error: tls-crypt unwrapping failed from Fatal TLS error (check_tls_errors_co), restarting SIGUSR1[soft,tls-error] received, client-instance restarting

Have no idea what to try else. from iPAD and Mac OS , everything is fine, from Ubuntu, Raspbian and Mikrotik - FAILS only.

Have you searched for similar issues and solutions?

(yes/no / which issues?)

yes

Console output of `curl -L install.pivpn.dev | bash`

 curl -L install.pivpn.dev | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100     5  100     5    0     0     17      0 --:--:-- --:--:-- --:--:--    17
100   162  100   162    0     0    310      0 --:--:-- --:--:-- --:--:--   310
100 83592  100 83592    0     0  94135      0 --:--:-- --:--:-- --:--:--  264k
:::
::: sudo will be used for the install.
::: Hostname length OK
::: Verifying free disk space...
:::
::: Checking apt-get for upgraded packages.... done!
:::
::: Your system is up to date! Continuing with PiVPN installation...
[sudo] password for user:

(here i have terminated installation again, as it is working and i have no physical access to this device. As you can see it's up to date and running fine).

Console output of `pivpn add` or `pivpn add nopass`

  Output Here

Console output of `pivpn debug`

pivpn debug
::: Generating Debug Output
[sudo] password for user: 
::::            PiVPN debug              ::::
=============================================
::::            Latest commit            ::::
commit d0c10db6ec391961b7201fb564055c1176ca73e3
Author: 4s3ti <cfcolaco@colacoweb.net>
Date:   Tue Sep 3 10:09:48 2019 +0200

    install.sh: apt-get with , uninstall.sh: added var PKG_MANAGER and replaced apt-get with
=============================================
::::        Installation settings        ::::
/etc/pivpn/DET_PLATFORM -> Raspbian
/etc/pivpn/FORWARD_CHAIN_EDITED -> 1
/etc/pivpn/HELP_SHOWN -> 
/etc/pivpn/INPUT_CHAIN_EDITED -> 1
/etc/pivpn/INSTALL_PORT -> 28282
/etc/pivpn/INSTALL_PROTO -> udp
/etc/pivpn/INSTALL_USER -> user
/etc/pivpn/NO_UFW -> 1
/etc/pivpn/pivpnINTERFACE -> eth0
/etc/pivpn/TWO_POINT_FOUR -> 
=============================================
::::    setupVars file shown below       ::::
INSTALL_USER=user
UNATTUPG=unattended-upgrades
pivpnInterface=eth0
IPv4dns=
IPv4addr=192.168.88.42
IPv4gw=192.168.88.1
pivpnProto=udp
PORT=28282
ENCRYPT=521
APPLY_TWO_POINT_FOUR=true
DOWNLOAD_DH_PARAM=false
PUBLICDNS=REMOTE
OVPNDNS1=208.67.222.222
OVPNDNS2=208.67.220.220
=============================================
::::  Server configuration shown below   ::::
dev tun
proto tcp
port 28282
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/user_90c7c29a-18de-4e8e-86c3-361960001e50.crt
key /etc/openvpn/easy-rsa/pki/private/user_90c7c29a-18de-4e8e-86c3-361960001e50.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device. 
#duplicate-cn
# Generated for use by PiVPN.io
=============================================
::::  Client template file shown below   ::::
client
dev tun
proto udp
remote REMOTE 28282
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name user_90c7c29a-18de-4e8e-86c3-361960001e50 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
=============================================
::::    Recursive list of files in       ::::
::: /etc/openvpn/easy-rsa/pki shows below :::
/etc/openvpn/easy-rsa/pki/:
ca.crt
crl.pem
Default.txt
ecparams
extensions.temp
index.txt
index.txt.attr
index.txt.attr.old
index.txt.old
issued
user.ovpn
openssl-easyrsa.cnf
private
renewed
revoked
safessl-easyrsa.cnf
serial
serial.old
ta.key

/etc/openvpn/easy-rsa/pki/ecparams:
secp521r1.pem

/etc/openvpn/easy-rsa/pki/issued:
user_90c7c29a-18de-4e8e-86c3-361960001e50.crt
user.crt

/etc/openvpn/easy-rsa/pki/private:
ca.key
user_90c7c29a-18de-4e8e-86c3-361960001e50.key
user.key

/etc/openvpn/easy-rsa/pki/renewed:
private_by_serial
reqs_by_serial

/etc/openvpn/easy-rsa/pki/renewed/private_by_serial:

/etc/openvpn/easy-rsa/pki/renewed/reqs_by_serial:

/etc/openvpn/easy-rsa/pki/revoked:
private_by_serial
reqs_by_serial

/etc/openvpn/easy-rsa/pki/revoked/private_by_serial:

/etc/openvpn/easy-rsa/pki/revoked/reqs_by_serial:
=============================================
::::            Self check               ::::
:: [OK] IP forwarding is enabled
:: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] n
:: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] n
:: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] n
:: [OK] OpenVPN is running
:: [OK] OpenVPN is enabled (it will automatically start on reboot)
:: [ERR] OpenVPN is not listening, try to restart now? [Y/n] n
[INFO] Run pivpn -d again to see if we detect issues
=============================================
::::      Snippet of the server log      ::::
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 VERIFY EKU OK
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 VERIFY OK: depth=0, CN=user
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.1.2-3096
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 peer info: IV_VER=3.git::f225fcd0
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 peer info: IV_PLAT=ios
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 peer info: IV_NCP=2
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 peer info: IV_TCPNL=1
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 peer info: IV_PROTO=2
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 peer info: IV_AUTO_SESS=1
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 521 bit EC, curve: secp521r1
Jun 30 15:43:36 user ovpn-server[17712]: REDACTED:34052 [user] Peer Connection Initiated with [AF_INET]REDACTED:34052
Jun 30 15:43:36 user ovpn-server[17712]: user/REDACTED:34052 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Jun 30 15:43:36 user ovpn-server[17712]: user/REDACTED:34052 MULTI: Learn: 10.8.0.2 -> user/REDACTED:34052
Jun 30 15:43:36 user ovpn-server[17712]: user/REDACTED:34052 MULTI: primary virtual IP for user/REDACTED:34052: 10.8.0.2
Jun 30 15:43:36 user ovpn-server[17712]: user/REDACTED:34052 PUSH: Received control message: 'PUSH_REQUEST'
Jun 30 15:43:36 user ovpn-server[17712]: user/REDACTED:34052 SENT CONTROL [user]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 1800,ping-restart 3600,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Jun 30 15:43:36 user ovpn-server[17712]: user/REDACTED:34052 Data Channel: using negotiated cipher 'AES-256-GCM'
Jun 30 15:43:36 user ovpn-server[17712]: user/REDACTED:34052 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun 30 15:43:36 user ovpn-server[17712]: user/REDACTED:34052 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
=============================================
::::            Debug complete           ::::
::: 
::: Debug output completed above.
::: Copy saved to /tmp/debug.txt
::: 
user@user:~ $

Have you taken any steps towards solving your issue?

  read as much post and forums as i found

At least one solution would solve my problems. I would be happy to access PiVPN server from Ubuntu or RPi or Mikrotik. I can access it from Mac OS and iPAD, but this does not solve my problem.

Thank you.

crystal-way commented 4 years ago

While posting this topic, i've noticed that in the DEBUG report it is written: IPv4addr=192.168.88.42 IPv4gw=192.168.88.1

These are old IP's from the network where RPi and PiVPN where installed. Now it is running on the ip address 192.168.1.80 with gw 192.168.1.1, but as mentioned in the begining i can access over VPN PiVPN server with no problems.

orazioedoardo commented 4 years ago

There are a lot of errors in the debug log, can you show the output of these (firewall and openvpn status)?

sudo iptables -S
sudo iptables -t nat -S
sudo systemctl restart openvpn
tail -n 20 /var/log/openvpn.log

crystal-way commented 4 years ago

There are a lot of errors in the debug log, can you show the output of these (firewall and openvpn status)?

On which machine i should export log's? Ubuntu or RPI openvpn client, that connect but have no ping?

or RPi openvpn server?

orazioedoardo commented 4 years ago

On the RPI openvpn server

crystal-way commented 4 years ago

Please see all information. I've got it while connected from Mac OS to RPi server. This connection as mention before works great (except i can't access other devices on the destination LAN, only server, but this is not the first priority question). Thank you.

$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 14002 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 28967 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

$ sudo iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 14002 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 28967 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 14002 -j DNAT --to-destination 172.17.0.4:14002
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 10058 -j DNAT --to-destination 172.17.0.4:28967

$ sudo tail -n 20 /var/log/openvpn.log
Jul  1 21:36:57 user ovpn-server[12120]: REDACTED:39849 peer info: IV_PLAT=mac
Jul  1 21:36:57 user ovpn-server[12120]: REDACTED:39849 peer info: IV_PROTO=2
Jul  1 21:36:57 user ovpn-server[12120]: REDACTED:39849 peer info: IV_NCP=2
Jul  1 21:36:57 user ovpn-server[12120]: REDACTED:39849 peer info: IV_LZ4=1
Jul  1 21:36:57 user ovpn-server[12120]: REDACTED:39849 peer info: IV_LZ4v2=1
Jul  1 21:36:57 user ovpn-server[12120]: REDACTED:39849 peer info: IV_LZO=1
Jul  1 21:36:57 user ovpn-server[12120]: REDACTED:39849 peer info: IV_COMP_STUB=1
Jul  1 21:36:57 user ovpn-server[12120]: REDACTED:39849 peer info: IV_COMP_STUBv2=1
Jul  1 21:36:57 user ovpn-server[12120]: REDACTED:39849 peer info: IV_TCPNL=1
Jul  1 21:36:57 user ovpn-server[12120]: REDACTED:39849 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5400_3.8.1__build_5400)"
Jul  1 21:36:57 user ovpn-server[12120]: REDACTED:39849 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 521 bit EC, curve: secp521r1
Jul  1 21:36:57 user ovpn-server[12120]: REDACTED:39849 [user] Peer Connection Initiated with [AF_INET]REDACTED:39849
Jul  1 21:36:57 user ovpn-server[12120]: user/REDACTED:39849 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Jul  1 21:36:57 user ovpn-server[12120]: user/REDACTED:39849 MULTI: Learn: 10.8.0.2 -> user/REDACTED:39849
Jul  1 21:36:57 user ovpn-server[12120]: user/REDACTED:39849 MULTI: primary virtual IP for user/REDACTED:39849: 10.8.0.2
Jul  1 21:36:57 user ovpn-server[12120]: user/REDACTED:39849 PUSH: Received control message: 'PUSH_REQUEST'
Jul  1 21:36:57 user ovpn-server[12120]: user/REDACTED:39849 SENT CONTROL [user]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 1800,ping-restart 3600,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Jul  1 21:36:57 user ovpn-server[12120]: user/REDACTED:39849 Data Channel: using negotiated cipher 'AES-256-GCM'
Jul  1 21:36:57 user ovpn-server[12120]: user/REDACTED:39849 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul  1 21:36:57 user ovpn-server[12120]: user/REDACTED:39849 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

orazioedoardo commented 4 years ago

Run pivpn -d and say Y to fix iptables rules.

crystal-way commented 4 years ago

Should i make "Y" for all 3 iptables fix'es and 4th "Y" for restart?

[OK] IP forwarding is enabled :: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] n :: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] n :: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] n :: [OK] OpenVPN is running :: [OK] OpenVPN is enabled (it will automatically start on reboot) :: [ERR] OpenVPN is not listening, try to restart now? [Y/n] n

orazioedoardo commented 4 years ago

If the debug reports that OpenVPN is not listening, say Y to that too. Then post pivpn -d again.

crystal-way commented 4 years ago

I've tried a few time, everytime it says that OpenVPN ins not listening (but it's actually does, as i'm connecting to it).

Also why it's remember old IP's:

IPv4addr=192.168.88.42 IPv4gw=192.168.88.1

Currently it is no the 192.168.8.0 network with the 192.168.8.222 IP address.

$ sudo pivpn -d
::: Generating Debug Output
::::            PiVPN debug              ::::
=============================================
::::            Latest commit            ::::
commit d0c10db6ec391961b7201fb564055c1176ca73e3
Author: 4s3ti <cfcolaco@colacoweb.net>
Date:   Tue Sep 3 10:09:48 2019 +0200

    install.sh: apt-get with , uninstall.sh: added var PKG_MANAGER and replaced apt-get with
=============================================
::::        Installation settings        ::::
/etc/pivpn/DET_PLATFORM -> Raspbian
/etc/pivpn/FORWARD_CHAIN_EDITED -> 1
/etc/pivpn/HELP_SHOWN -> 
/etc/pivpn/INPUT_CHAIN_EDITED -> 1
/etc/pivpn/INSTALL_PORT -> 28282
/etc/pivpn/INSTALL_PROTO -> udp
/etc/pivpn/INSTALL_USER -> user
/etc/pivpn/NO_UFW -> 1
/etc/pivpn/pivpnINTERFACE -> eth0
/etc/pivpn/TWO_POINT_FOUR -> 
=============================================
::::    setupVars file shown below       ::::
INSTALL_USER=user
UNATTUPG=unattended-upgrades
pivpnInterface=eth0
IPv4dns=
IPv4addr=192.168.88.42
IPv4gw=192.168.88.1
pivpnProto=udp
PORT=28282
ENCRYPT=521
APPLY_TWO_POINT_FOUR=true
DOWNLOAD_DH_PARAM=false
PUBLICDNS=REMOTE
OVPNDNS1=208.67.222.222
OVPNDNS2=208.67.220.220
=============================================
::::  Server configuration shown below   ::::
dev tun
proto tcp
port 28282
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/user_90c7c29a-18de-4e8e-86c3-361960001e50.crt
key /etc/openvpn/easy-rsa/pki/private/user_90c7c29a-18de-4e8e-86c3-361960001e50.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device. 
#duplicate-cn
# Generated for use by PiVPN.io
=============================================
::::  Client template file shown below   ::::
client
dev tun
proto udp
remote REMOTE 28282
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name user_90c7c29a-18de-4e8e-86c3-361960001e50 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
=============================================
::::    Recursive list of files in       ::::
::: /etc/openvpn/easy-rsa/pki shows below :::
/etc/openvpn/easy-rsa/pki/:
ca.crt
crl.pem
Default.txt
ecparams
extensions.temp
index.txt
index.txt.attr
index.txt.attr.old
index.txt.old
issued
user.ovpn
openssl-easyrsa.cnf
private
renewed
revoked
safessl-easyrsa.cnf
serial
serial.old
ta.key

/etc/openvpn/easy-rsa/pki/ecparams:
secp521r1.pem

/etc/openvpn/easy-rsa/pki/issued:
user_90c7c29a-18de-4e8e-86c3-361960001e50.crt
user.crt

/etc/openvpn/easy-rsa/pki/private:
ca.key
user_90c7c29a-18de-4e8e-86c3-361960001e50.key
user.key

/etc/openvpn/easy-rsa/pki/renewed:
private_by_serial
reqs_by_serial

/etc/openvpn/easy-rsa/pki/renewed/private_by_serial:

/etc/openvpn/easy-rsa/pki/renewed/reqs_by_serial:

/etc/openvpn/easy-rsa/pki/revoked:
private_by_serial
reqs_by_serial

/etc/openvpn/easy-rsa/pki/revoked/private_by_serial:

/etc/openvpn/easy-rsa/pki/revoked/reqs_by_serial:
=============================================
::::            Self check               ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] Iptables INPUT rule set
:: [OK] Iptables FORWARD rule set
:: [OK] OpenVPN is running
:: [OK] OpenVPN is enabled (it will automatically start on reboot)
:: [ERR] OpenVPN is not listening, try to restart now? [Y/n] y
Done
[INFO] Run pivpn -d again to see if we detect issues
=============================================
::::      Snippet of the server log      ::::
Jul  2 10:11:08 user ovpn-server[24107]: REDACTED:51822 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.1.2-3096
Jul  2 10:11:08 user ovpn-server[24107]: REDACTED:51822 peer info: IV_VER=3.git::f225fcd0
Jul  2 10:11:08 user ovpn-server[24107]: REDACTED:51822 peer info: IV_PLAT=ios
Jul  2 10:11:08 user ovpn-server[24107]: REDACTED:51822 peer info: IV_NCP=2
Jul  2 10:11:08 user ovpn-server[24107]: REDACTED:51822 peer info: IV_TCPNL=1
Jul  2 10:11:08 user ovpn-server[24107]: REDACTED:51822 peer info: IV_PROTO=2
Jul  2 10:11:08 user ovpn-server[24107]: REDACTED:51822 peer info: IV_AUTO_SESS=1
Jul  2 10:11:08 user ovpn-server[24107]: REDACTED:51822 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 521 bit EC, curve: secp521r1
Jul  2 10:11:08 user ovpn-server[24107]: REDACTED:51822 [user] Peer Connection Initiated with [AF_INET]REDACTED:51822
Jul  2 10:11:08 user ovpn-server[24107]: user/REDACTED:51822 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Jul  2 10:11:08 user ovpn-server[24107]: user/REDACTED:51822 MULTI: Learn: 10.8.0.2 -> user/REDACTED:51822
Jul  2 10:11:08 user ovpn-server[24107]: user/REDACTED:51822 MULTI: primary virtual IP for user/REDACTED:51822: 10.8.0.2
Jul  2 10:11:08 user ovpn-server[24107]: user/REDACTED:51822 PUSH: Received control message: 'PUSH_REQUEST'
Jul  2 10:11:08 user ovpn-server[24107]: user/REDACTED:51822 SENT CONTROL [user]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 1800,ping-restart 3600,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Jul  2 10:11:08 user ovpn-server[24107]: user/REDACTED:51822 Data Channel: using negotiated cipher 'AES-256-GCM'
Jul  2 10:11:08 user ovpn-server[24107]: user/REDACTED:51822 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul  2 10:11:08 user ovpn-server[24107]: user/REDACTED:51822 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul  2 10:11:16 user ovpn-server[24107]: Closing TUN/TAP interface
Jul  2 10:11:16 user ovpn-server[24107]: /sbin/ip addr del dev tun0 10.8.0.1/24
Jul  2 10:11:16 user ovpn-server[24107]: Linux ip addr del failed: external program exited with error status: 2
=============================================
::::            Debug complete           ::::
::: 
::: Debug output completed above.
::: Copy saved to /tmp/debug.txt
::: 
user@user:~ $

orazioedoardo commented 4 years ago

Also why it's remember old IP's:

Old IPs at the time you installed.

I've tried a few time, everytime it says that OpenVPN ins not listening (but it's actually does, as i'm connecting to it).

How about netstat -uanpt | grep openvpn

P.S. I also formatted your previous comments and removed client IPs. Next time use the insert code button to post code otherwise it is hard to read.

crystal-way commented 4 years ago

Thank you. I've seen that it looks ugly, but could not find how to sort it out. Should i change somewhere those old IP's that left from installation or it does not matter? please see answer from:

netstat -uanpt | grep openvpn

`sudo netstat -uanpt | grep openvpn tcp 0 0 0.0.0.0:28282 0.0.0.0:* LISTEN 24187/openvpn
tcp 0 142 192.168.8.222:28282 34.14.111.89:51879 ESTABLISHED 24187/openvpn

`

orazioedoardo commented 4 years ago

Wait, why the server is TCP but the client is UDP, did you change that?

If you want to use UDP, edit the config sudo nano /etc/openvpn/server.conf and replace proto tcp with proto udp, then restart sudo systemctl restart openvpn.

crystal-way commented 4 years ago

Originally it was installed as UDP. With this configuration also i could make connection to server from RPi and Ubuntu, but could NOT ping the server (Mac OS and ipad could connect/ping/access).

As i need to make rsync between these two machines, i've changed manually server to TCP, as well as all my clients to TCP. After this change, Mac OS and iPAD still can connect and access server. RPi and ubuntu also still can connect to server (over TCP), but can't ping or access server.

So i believe this does not have anything with the issue, as over UDP i had same problem.

orazioedoardo commented 4 years ago

i've changed manually server to TCP

Ok, that's the reason why the debug says it's not listening, it expects udp but actually is tcp.

RPi and ubuntu also still can connect to server (over TCP), but can't ping or access server.

Try not that we fixed the firewall rules.

crystal-way commented 4 years ago

Same story. From iPAD i can connect to VPN and PING + SSH to server. From Ubuntu. i can connect to VPN, but no ping, no SSH to server :|

orazioedoardo commented 4 years ago

From Ubuntu. i can connect to VPN, but no ping, no SSH to server :|

Can you post the openvpn log when you connect, on the client and on the server (remove client IPs if you want). Is the Ubuntu PC in the same network as the pivpn or on a different network?

crystal-way commented 4 years ago

Strange thing. On both clients there are no log's. /var/log/openvpn.log is empty. nothing in there. but the openvpn.log.1 contains older data. Maybe for the client i should see other file?

While server log is here:

Jul 7 14:24:55 user ovpn-server[24187]: TCP connection established with [AF_INET]34.14.111.89:42548 Jul 7 14:24:56 user ovpn-server[24187]: 34.14.111.89:42548 TLS: Initial packet from [AF_INET]34.14.111.89:42548, sid=78559f1f 026214a1 Jul 7 14:24:56 user ovpn-server[24187]: 34.14.111.89:42548 VERIFY OK: depth=1, CN=ChangeMe Jul 7 14:24:56 user ovpn-server[24187]: 34.14.111.89:42548 VERIFY KU OK Jul 7 14:24:56 user ovpn-server[24187]: 34.14.111.89:42548 Validating certificate extended key usage Jul 7 14:24:56 user ovpn-server[24187]: 34.14.111.89:42548 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication Jul 7 14:24:56 user ovpn-server[24187]: 34.14.111.89:42548 VERIFY EKU OK Jul 7 14:24:56 user ovpn-server[24187]: 34.14.111.89:42548 VERIFY OK: depth=0, CN=user Jul 7 14:24:56 user ovpn-server[24187]: 34.14.111.89:42548 peer info: IV_VER=2.4.4 Jul 7 14:24:56 user ovpn-server[24187]: 34.14.111.89:42548 peer info: IV_PLAT=linux Jul 7 14:24:56 user ovpn-server[24187]: 34.14.111.89:42548 peer info: IV_PROTO=2 Jul 7 14:24:56 user ovpn-server[24187]: 34.14.111.89:42548 peer info: IV_NCP=2 Jul 7 14:24:56 user ovpn-server[24187]: 34.14.111.89:42548 peer info: IV_LZ4=1 Jul 7 14:24:56 user ovpn-server[24187]: 34.14.111.89:42548 peer info: IV_LZ4v2=1 Jul 7 14:24:56 user ovpn-server[24187]: 34.14.111.89:42548 peer info: IV_LZO=1 Jul 7 14:24:56 user ovpn-server[24187]: 34.14.111.89:42548 peer info: IV_COMP_STUB=1 Jul 7 14:24:56 user ovpn-server[24187]: 34.14.111.89:42548 peer info: IV_COMP_STUBv2=1 Jul 7 14:24:56 user ovpn-server[24187]: 34.14.111.89:42548 peer info: IV_TCPNL=1 Jul 7 14:24:56 user ovpn-server[24187]: 34.14.111.89:42548 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 521 bit EC, curve: secp521r1 Jul 7 14:24:56 user ovpn-server[24187]: 34.14.111.89:42548 [user] Peer Connection Initiated with [AF_INET]34.14.111.89:42548 Jul 7 14:24:56 user ovpn-server[24187]: user/34.14.111.89:42548 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled) Jul 7 14:24:56 user ovpn-server[24187]: user/34.14.111.89:42548 MULTI: Learn: 10.8.0.2 -> user/34.14.111.89:42548 Jul 7 14:24:56 user ovpn-server[24187]: user/34.14.111.89:42548 MULTI: primary virtual IP for user/34.14.111.89:42548: 10.8.0.2 Jul 7 14:24:58 user ovpn-server[24187]: user/34.14.111.89:42548 PUSH: Received control message: 'PUSH_REQUEST' Jul 7 14:24:58 user ovpn-server[24187]: user/34.14.111.89:42548 SENT CONTROL [user]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 1800,ping-restart 3600,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1) Jul 7 14:24:58 user ovpn-server[24187]: user/34.14.111.89:42548 Data Channel: using negotiated cipher 'AES-256-GCM' Jul 7 14:24:58 user ovpn-server[24187]: user/34.14.111.89:42548 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 7 14:24:58 user ovpn-server[24187]: user/34.14.111.89:42548 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 7 14:26:32 user ovpn-server[24187]: user/34.14.111.89:42548 Connection reset, restarting [0] Jul 7 14:26:32 user ovpn-server[24187]: user/34.14.111.89:42548 SIGUSR1[soft,connection-reset] received, client-instance restarting Jul 7 14:32:36 user ovpn-server[24187]: TCP connection established with [AF_INET]34.14.111.90:34656 Jul 7 14:32:37 user ovpn-server[24187]: 34.14.111.90:34656 TLS: Initial packet from [AF_INET]34.14.111.90:34656, sid=965e86da 2ee86637 Jul 7 14:32:38 user ovpn-server[24187]: 34.14.111.90:34656 VERIFY OK: depth=1, CN=ChangeMe Jul 7 14:32:38 user ovpn-server[24187]: 34.14.111.90:34656 VERIFY KU OK Jul 7 14:32:38 user ovpn-server[24187]: 34.14.111.90:34656 Validating certificate extended key usage Jul 7 14:32:38 user ovpn-server[24187]: 34.14.111.90:34656 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication Jul 7 14:32:38 user ovpn-server[24187]: 34.14.111.90:34656 VERIFY EKU OK Jul 7 14:32:38 user ovpn-server[24187]: 34.14.111.90:34656 VERIFY OK: depth=0, CN=user Jul 7 14:32:38 user ovpn-server[24187]: 34.14.111.90:34656 peer info: IV_VER=2.4.7 Jul 7 14:32:38 user ovpn-server[24187]: 34.14.111.90:34656 peer info: IV_PLAT=linux Jul 7 14:32:38 user ovpn-server[24187]: 34.14.111.90:34656 peer info: IV_PROTO=2 Jul 7 14:32:38 user ovpn-server[24187]: 34.14.111.90:34656 peer info: IV_NCP=2 Jul 7 14:32:38 user ovpn-server[24187]: 34.14.111.90:34656 peer info: IV_LZ4=1 Jul 7 14:32:38 user ovpn-server[24187]: 34.14.111.90:34656 peer info: IV_LZ4v2=1 Jul 7 14:32:38 user ovpn-server[24187]: 34.14.111.90:34656 peer info: IV_LZO=1 Jul 7 14:32:38 user ovpn-server[24187]: 34.14.111.90:34656 peer info: IV_COMP_STUB=1 Jul 7 14:32:38 user ovpn-server[24187]: 34.14.111.90:34656 peer info: IV_COMP_STUBv2=1 Jul 7 14:32:38 user ovpn-server[24187]: 34.14.111.90:34656 peer info: IV_TCPNL=1 Jul 7 14:32:38 user ovpn-server[24187]: 34.14.111.90:34656 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 521 bit EC, curve: secp521r1 Jul 7 14:32:38 user ovpn-server[24187]: 34.14.111.90:34656 [user] Peer Connection Initiated with [AF_INET]34.14.111.90:34656 Jul 7 14:32:38 user ovpn-server[24187]: user/34.14.111.90:34656 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled) Jul 7 14:32:38 user ovpn-server[24187]: user/34.14.111.90:34656 MULTI: Learn: 10.8.0.2 -> user/34.14.111.90:34656 Jul 7 14:32:38 user ovpn-server[24187]: user/34.14.111.90:34656 MULTI: primary virtual IP for user/34.14.111.90:34656: 10.8.0.2 Jul 7 14:32:39 user ovpn-server[24187]: user/34.14.111.90:34656 PUSH: Received control message: 'PUSH_REQUEST' Jul 7 14:32:39 user ovpn-server[24187]: user/34.14.111.90:34656 SENT CONTROL [user]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 1800,ping-restart 3600,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1) Jul 7 14:32:39 user ovpn-server[24187]: user/34.14.111.90:34656 Data Channel: using negotiated cipher 'AES-256-GCM' Jul 7 14:32:39 user ovpn-server[24187]: user/34.14.111.90:34656 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 7 14:32:39 user ovpn-server[24187]: user/34.14.111.90:34656 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 7 14:36:15 user ovpn-server[24187]: user/34.14.111.90:34656 Connection reset, restarting [0] Jul 7 14:36:15 user ovpn-server[24187]: user/34.14.111.90:34656 SIGUSR1[soft,connection-reset] received, client-instance restarting

orazioedoardo commented 4 years ago

I see nothing wrong in the log. What about this question:

Is the Ubuntu PC in the same network as the pivpn or on a different network?

crystal-way commented 4 years ago

Ubuntu PC and RPi with client are on different network. RPi pivpn server on another.

orazioedoardo commented 4 years ago

I don't really know how to help at this point, most likely not PiVPN related. If you can ssh from iPad but not from Ubuntu, it should be a client side issue. What error you you get when connecting via ssh, connection refused, no route to host, timeout?

crystal-way commented 4 years ago

@orazioedoardo thank you for your time and help. I've made a work around. Have installed a new ubuntu machine, connected to RPi server, all works fine. As this is one time project i will be happy with work around.

Have a nice life! ;)

pivpn / pivpn