PiVPN not connecting externally

The keys seem to work over LAN but for some reason I cannot connect externally.

My router is set up correctly but I am not sure what happened this time around (I had to fresh install due to an HDD failure which caused a failed boot)…

I checked all ports with an online tester.
1194 (the default) shows that I cannot connect as the port is closed.

I checked in server.conf and changed a couple of settings:

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/.crt
key /etc/openvpn/easy-rsa/pki/private/.key
dh none
ecdh-curve prime256v1
topology subnet
server ************ 255.255.255.0 <<< ************ This is the IP of my internal RPi
# Set your primary domain name server address for clients
push "dhcp-option DOMAIN *****.ddns.net"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io

I am not sure what else to do at this point.

I had everything working great before the crash, and now I just can’t seem to get it to work at all.

I’ve tried reinstalling multiple times, and still no dice.

I have all the other installs I wish for installed and working correctly, I am trying to avoid yet another fresh install.

Any light on this would be great.

Thanks in advance!

Hi,

I’m not using PiVPN/OpenVPN but probably PiVPN created a new client configuration file. Did you upload this on the client side as well?

Yes.

But it refuses… (The key, which works locally)

It was a fresh install, so not sure why I can’t get it to work externally now.

I can open over LAN / the key works great.

I’ve checked through loads of forums etc, but everything I have tried does not seem to work.

I do not believe it to be a key issue.

It seems to be a port related issue?

I’m just wondering if there is a way I can return everything to default in terms of routing / firewall etc without disturbing other installations?

I tested PiVPN/OpenVPN and for me it was working well. Just to be sure, let’s check the following:

  1. your router is forwarding port 1194 UDP (not TCP) correctly?
  2. OpenVPN is LISTENING on the correct port?
     ss -tulpn |grep openvpn
  3. your client config file contains the correct DDNS/external IP address?
     cat /home/dietpi/ovpns/<your_file>.ovpn | grep 1194

You could also check the logs for any useful hint.

your router is forwarding port 1194 UDP (not TCP) correctly?

Yes. I have both TCP and UDP open and forwarded to the correct IP address.

OpenVPN is LISTENING on the correct port?

I have it set to the default 1194. This is matched in my router settings.

When I use

ss -tulpn |grep openvpn

I get zero echo / readout.
It just moves on to the next line. This is regardless of using sudo / root.

your client config file contains the correct DDNS/external IP address?

I am using no-ip to forward as my public domain and pointing in.
I have cloudFlare pointing out for searches.

When using

cat /home/***/ovpns/***.ovpn | grep 1194

I get back:
remote ***.ddns.net 1194

I believe this to be correct ( *** == hidden / private details).

I believe this to be correct

Well, you are the only one who knows if this is correct :wink: . You can check if the NoIP DDNS is correctly set and pointing to the external IP your router has.

As the connection is working inside your network (according to your info), the issue doesn’t seem to be with DietPi.

This means that the server is not running.
Check the logs.

Now this is odd…

I checked the logs, and for both openvpn files that I could find, there was zero information in them.

I then ran

sudo ps -A

and openvpn is nowhere to be found!

So then I opened dietpi-services, and it says that openvpn is running??

I tried to uninstall, and openvpn still appears in services as inactive, despite an uninstall and reboot.

After uninstalling a second time it then doesn’t appear in installations, but still does in processes as “inactive”.

I am really not sure what has happened here, so I have decided to bite the bullet, back up the entire system, back up all configs of known working installs, and return everything to scratch, attempting to install PiVPN first and making sure this works.

I am not sure if this is a bug or something I have done by accident, but wish me luck!

Usually PiVPN is working and I verified it this week. PiVPN will install OpenVPN if selected during the PiVPN installation process.

I have done a fresh install today which gave more info

I used an external port sniffer and opened all my router ports.
Everything was as expected except 1194.
It stated that it was closed.

I am a little confused as to why this is.
Does the port normally get seen externally or is it closed until handshake etc?

sudo ps -A

3073 ? 00:00:00 openvpn

On

sudo ss -tulpn |grep openvpn

udp UNCONN 0 0 0.0.0.0:1194 0.0.0.0:* users:(("openvpn",pid=3073,fd=6))

nano openvpn-status.log

TITLE OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] b$
TIME Fri Feb 5 23:52:55 2021 1612569175
HEADER CLIENT_LIST Common Name Real Address Virtual Address Virtual IPv6 Address Bytes Received Byte$
CLIENT_LIST ********* 192.168.0.1:65294 10.8.0.2 80570 71093 Fri Feb 5 23:52:18 $
HEADER ROUTING_TABLE Virtual Address Common Name Real Address Last Ref Last Ref (time_t)
ROUTING_TABLE 10.8.0.2 ******** 192.168.0.1:65294 Fri Feb 5 23:52:50 2021 1612569170
GLOBAL_STATS Max bcast/mcast queue length 0
END

90.200.112.206 isn’t responding on port 1194 (openvpn).

lsof -i -P -n

openvpn 3073 openvpn 6u IPv4 45126 0t0 UDP *:1194

I guess it’s OK for the port scanner not to detect the VPN server port, because the VPN server is running UDP and most scanners check TCP.

Anyway, OpenVPN is running correctly. If I understood correctly, you are able to connect inside your network as well. That means it is working. You still need to find out what is happening with your port forwarding.
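As an added example (not code from this thread, DietPi or PiVPN), a small Python check that folds the three steps from the checklist above and the UDP-scanner caveat into one function: is there a listener for the client's proto/port, does the DDNS name resolve to the router's WAN address, and is there a matching forwarding rule. The sample `ss` line is in the shape quoted above, while `example.ddns.net`, the 203.0.113.x addresses and the `forwarded` rule set are constructed placeholders.

```python
import re

# Constructed sample in the shape of `ss -tulpn | grep openvpn` output
# (the listener line quoted in the thread); not captured from a live host.
SS_OUTPUT = 'udp UNCONN 0 0 0.0.0.0:1194 0.0.0.0:* users:(("openvpn",pid=3073,fd=6))\n'

# Constructed client profile excerpt; example.ddns.net is a placeholder name.
OVPN_TEXT = "client\ndev tun\nproto udp\nremote example.ddns.net 1194\nremote-cert-tls server\n"

def parse_ss_listeners(text):
    """Map (proto, port) -> owning process name for each `ss -tulpn` line."""
    listeners = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue                       # header or blank line
        proto, local = parts[0], parts[4]  # Netid and Local Address:Port
        port = int(local.rsplit(":", 1)[1])
        m = re.search(r'users:\(\("([^"]+)"', line)
        listeners[(proto, port)] = m.group(1) if m else None
    return listeners

def parse_ovpn_remote(text):
    """Return (host, port, proto) the client will dial; OpenVPN defaults apply."""
    host, port, proto = None, 1194, "udp"
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "proto":
            proto = parts[1]
        elif parts and parts[0] == "remote":
            host = parts[1]
            port = int(parts[2]) if len(parts) > 2 else port
            proto = parts[3] if len(parts) > 3 else proto
    return host, port, proto

def diagnose(ss_text, ovpn_text, ddns_ip, router_ip, forwarded):
    """Run the thread's three checks. `forwarded` is the set of (proto, port)
    rules on the router; returns a list of findings, empty when all line up.
    A TCP port tester cannot see a UDP listener, and with tls-crypt OpenVPN
    silently drops probes lacking a valid HMAC, so an external "closed"
    result is not a finding on its own."""
    host, port, proto = parse_ovpn_remote(ovpn_text)
    findings = []
    if (proto, port) not in parse_ss_listeners(ss_text):
        findings.append(f"no {proto}/{port} listener: OpenVPN is not running")
    if ddns_ip != router_ip:
        findings.append(f"{host} resolves to {ddns_ip} but router WAN IP is {router_ip}")
    if (proto, port) not in forwarded:
        findings.append(f"router has no {proto}/{port} forwarding rule")
    return findings
```

Feed it the real `ss -tulpn` output, the client `.ovpn`, the address the DDNS name currently resolves to and the router's reported WAN address; an empty list means the remaining problem is outside these three checks.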