[General Issue]: Can't connect to OpenVPN, via Android nor PC, VPN worked before on this Pi. #1800
donlombardo asked this question in Support (unanswered). Replies: 2 comments.
I see nothing wrong here. Do you have a public IP? What happens on the client when you try to connect? Please follow https://docs.pivpn.io/faq/#how-do-i-troubleshoot-connection-issues
Moved to discussions as this seems to be a connectivity-related issue rather than a PiVPN-related issue.
In raising this issue I confirm that
Describe the issue
I can't connect to VPN. I have run VPN on this Raspberry Pi via IPsec. All of a sudden it stopped working. I tried installing IPsec on another Raspberry Pi, with no success, the same problem. I can't connect.
I thought I'd try with OpenVPN via pivpn, after finding it when googling. I installed it and the issue persists.
My router is connected to the Raspberry Pi via an ethernet cable and it has internet connection.
I am well versed in Linux. What other information can I give? I have posted a lot of terminal outputs below.
Expected behavior
I expect to connect to VPN.
Please describe the steps to replicate the issue
I guess you would have to have my devices.
eth0 and public is correct.
Have you taken any steps towards solving your issue?
I have tried on both Android and on a PC with the OpenVPN software.
Screenshots
Router is a 4G CPE 3
Where did you run pivpn?
Model : Raspberry Pi 4 Model B Rev 1.1
Please provide your output from
uname -a
Linux retropie 5.10.103-v7l+ #1529 SMP Tue Mar 8 12:24:00 GMT 2022 armv7l GNU/Linux
Details about Operative System
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
Profile / Client creation
Enter a Name for the Client: testclient
How many days should the certificate last? 1080
Enter the password for the client:
Enter the password again to verify:
Notice:
Using Easy-RSA configuration from: /etc/openvpn/easy-rsa/pki/vars
Notice:
Using SSL: openssl OpenSSL 1.1.1n 15 Mar 2022
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/55033fda/temp.9a00a4a7'
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/testclient.req
key: /etc/openvpn/easy-rsa/pki/private/testclient.key
Using configuration from /etc/openvpn/easy-rsa/pki/55033fda/temp.6fbdc963
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'testclient'
Certificate is to be certified until Nov 20 17:10:28 2026 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/testclient.crt
Client's cert found: testclient.crt
Client's Private Key found: testclient.key
CA public Key found: ca.crt
tls Private Key found: ta.key
Done! testclient.ovpn successfully created!
testclient.ovpn was copied to:
/home/pi/ovpns
for easy transfer. Please use this profile only on one
device and create additional profiles for other devices.
Debug output
Generating Debug Output
PiVPN debug
Latest commit
Branch: master
Commit: 701a817
Author: kokomo123
Date: Tue Nov 7 14:46:43 2023 -0500
Summary: refactor(core): Change wording on the window (#1779)
PLAT=Raspbian
OSCN=buster
USING_UFW=0
pivpnforceipv6route=1
IPv4dev=eth0
IPv4addr=192.168.8.108/24
IPv4gw=192.168.8.1
install_user=pi
install_home=/home/pi
VPN=openvpn
pivpnPROTO=udp
pivpnPORT=1194
pivpnDNS1=1.1.1.1
pivpnDNS2=
pivpnSEARCHDOMAIN=
pivpnHOST=REDACTED
TWO_POINT_FOUR=1
pivpnENCRYPT=256
USE_PREDEFINED_DH_PARAM=0
INPUT_CHAIN_EDITED=1
FORWARD_CHAIN_EDITED=1
INPUT_CHAIN_EDITEDv6=
FORWARD_CHAIN_EDITEDv6=
pivpnDEV=tun0
pivpnNET=10.148.94.0
subnetClass=24
pivpnenableipv6=0
ALLOWED_IPS=""
UNATTUPG=1
INSTALLED_PACKAGES=(grepcidr iptables-persistent openvpn unattended-upgrades)
HELP_SHOWN=1
Server configuration shown below
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/retropie_c5c89977-4e10-4226-8a4d-06ffab89b2f0.crt
key /etc/openvpn/easy-rsa/pki/private/retropie_c5c89977-4e10-4226-8a4d-06ffab89b2f0.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.148.94.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 1.1.1.1"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
# DuplicateCNs allow access control on a less-granular, per user basis.
# Remove if you will manage access by user instead of device.
duplicate-cn
# Generated for use by PiVPN.io
Client template file shown below
client
dev tun
proto udp
remote REDACTED 1194
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name retropie_c5c89977-4e10-4226-8a4d-06ffab89b2f0 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
Recursive list of files in
/etc/openvpn/easy-rsa/pki shows below
/etc/openvpn/easy-rsa/pki/:
ca.crt
crl.pem
dator.ovpn
Default.txt
index.txt
index.txt.attr
index.txt.attr.old
index.txt.old
issued
openssl-easyrsa.cnf
pi.ovpn
private
revoked
safessl-easyrsa.cnf
serial
serial.old
ta.key
vars
vars.example
/etc/openvpn/easy-rsa/pki/issued:
dator.crt
pi.crt
retropie_c5c89977-4e10-4226-8a4d-06ffab89b2f0.crt
/etc/openvpn/easy-rsa/pki/private:
ca.key
dator.key
pi.key
retropie_c5c89977-4e10-4226-8a4d-06ffab89b2f0.key
/etc/openvpn/easy-rsa/pki/revoked:
private_by_serial
reqs_by_serial
/etc/openvpn/easy-rsa/pki/revoked/private_by_serial:
/etc/openvpn/easy-rsa/pki/revoked/reqs_by_serial:
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] Iptables INPUT rule set
:: [OK] Iptables FORWARD rule set
:: [OK] OpenVPN is running
:: [OK] OpenVPN is enabled
(it will automatically start on reboot)
:: [OK] OpenVPN is listening on port 1194/udp
Having trouble connecting? Take a look at the FAQ:
https://docs.pivpn.io/faq
Snippet of the server log
Dec 4 18:34:40 retropie ovpn-server[1395]: OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021
Dec 4 18:34:40 retropie ovpn-server[1395]: library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
Dec 4 18:34:40 retropie ovpn-server[1395]: ECDH curve prime256v1 added
Dec 4 18:34:40 retropie ovpn-server[1395]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Dec 4 18:34:40 retropie ovpn-server[1395]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Dec 4 18:34:40 retropie ovpn-server[1395]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Dec 4 18:34:40 retropie ovpn-server[1395]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Dec 4 18:34:40 retropie ovpn-server[1395]: TUN/TAP device tun0 opened
Dec 4 18:34:40 retropie ovpn-server[1395]: TUN/TAP TX queue length set to 100
Dec 4 18:34:40 retropie ovpn-server[1395]: /sbin/ip link set dev tun0 up mtu 1500
Dec 4 18:34:40 retropie ovpn-server[1395]: /sbin/ip addr add dev tun0 10.148.94.1/24 broadcast 10.148.94.255
Dec 4 18:34:40 retropie ovpn-server[1395]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Dec 4 18:34:40 retropie ovpn-server[1395]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Dec 4 18:34:40 retropie ovpn-server[1395]: UDPv4 link local (bound): [AF_INET][undef]:1194
Dec 4 18:34:40 retropie ovpn-server[1395]: UDPv4 link remote: [AF_UNSPEC]
Dec 4 18:34:40 retropie ovpn-server[1395]: GID set to openvpn
Dec 4 18:34:40 retropie ovpn-server[1395]: UID set to openvpn
Dec 4 18:34:40 retropie ovpn-server[1395]: MULTI: multi_init called, r=256 v=256
Dec 4 18:34:40 retropie ovpn-server[1395]: IFCONFIG POOL: base=10.148.94.2 size=252, ipv6=0
Dec 4 18:34:40 retropie ovpn-server[1395]: Initialization Sequence Completed
Debug output completed above.
Copy saved to /tmp/debug.log
PLAT=Raspbian
OSCN=buster
USING_UFW=0
pivpnforceipv6route=1
IPv4dev=eth0
IPv4addr=192.168.8.108/24
IPv4gw=192.168.8.1
install_user=pi
install_home=/home/pi
VPN=openvpn
pivpnPROTO=udp
pivpnPORT=1194
pivpnDNS1=1.1.1.1
pivpnDNS2=
pivpnSEARCHDOMAIN=
pivpnHOST=censored (but correct)
TWO_POINT_FOUR=1
pivpnENCRYPT=256
USE_PREDEFINED_DH_PARAM=0
INPUT_CHAIN_EDITED=1
FORWARD_CHAIN_EDITED=1
INPUT_CHAIN_EDITEDv6=
FORWARD_CHAIN_EDITEDv6=
pivpnDEV=tun0
pivpnNET=10.148.94.0
subnetClass=24
pivpnenableipv6=0
ALLOWED_IPS=""
UNATTUPG=1
INSTALLED_PACKAGES=(grepcidr iptables-persistent openvpn unattended-upgrades)
HELP_SHOWN=1
: NOTE : The output below is NOT real-time!
: : It may be off by a few minutes.
::: Client Status List :::
Name Remote IP Virtual IP Bytes Received Bytes Sent Connected Since
No Clients Connected!
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -m comment --comment openvpn-input-rule -j ACCEPT
-A FORWARD -d 10.148.94.0/24 -i eth0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment openvpn-forward-rule -j ACCEPT
-A FORWARD -s 10.148.94.0/24 -i tun0 -o eth0 -m comment --comment openvpn-forward-rule -j ACCEPT
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A POSTROUTING -s 10.148.94.0/24 -o eth0 -m comment --comment openvpn-nat-rule -j MASQUERADE
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
● openvpn.service - OpenVPN service
Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
Active: active (exited) since Wed 2023-12-06 18:29:09 CET; 48s ago
Process: 12052 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 12052 (code=exited, status=0/SUCCESS)
dec 06 18:29:09 retropie systemd[1]: Starting OpenVPN service...
dec 06 18:29:09 retropie systemd[1]: Started OpenVPN service.
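The debug output above shows every server-side check passing while tcpdump on eth0 captured 0 packets, which is why the reply asks about a public IP. The following is an added example, not part of the original post or of PiVPN: a shell sketch that classifies the address the router reports on its WAN side and combines it with the tcpdump count. The function names are hypothetical, the sample addresses are constructed, and it assumes the WAN address is read from the router's status page and the external address from any "what is my IP" service.

```shell
#!/bin/sh
# Added example, not from the thread. All sample addresses are constructed.

# Dotted quad -> 32-bit integer. Runs in a subshell so the IFS change stays local.
ip_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr ADDR NETWORK PREFIXLEN -> exit status 0 if ADDR is inside NETWORK/PREFIXLEN
in_cidr() {
  mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "$2") & $mask )) ]
}

# Classify the address the router reports on its WAN/mobile interface.
classify_wan() {
  if in_cidr "$1" 100.64.0.0 10; then echo cgnat       # RFC 6598 shared address space
  elif in_cidr "$1" 10.0.0.0 8 || in_cidr "$1" 172.16.0.0 12 \
    || in_cidr "$1" 192.168.0.0 16; then echo private  # RFC 1918
  else echo public
  fi
}

# diagnose ROUTER_WAN_IP EXTERNALLY_SEEN_IP TCPDUMP_PACKET_COUNT
diagnose() {
  kind=$(classify_wan "$1")
  if [ "$kind" != public ] || [ "$1" != "$2" ]; then
    # The carrier NATs the connection: a port forward on the router cannot help.
    echo "upstream-nat: WAN $1 is $kind, seen externally as $2; inbound 1194/udp never reaches the router"
  elif [ "$3" -eq 0 ]; then
    echo "port-forward: public IP but nothing arrives on eth0; check the 1194/udp forward to the Pi"
  else
    echo "server-side: packets arrive on eth0; read the OpenVPN server log"
  fi
}

diagnose 100.72.13.5 198.51.100.20 0   # constructed: carrier-grade NAT on a mobile link
diagnose 203.0.113.7 203.0.113.7 0     # constructed: public address, forward missing
diagnose 203.0.113.7 203.0.113.7 12    # constructed: traffic reaches the Pi
```
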