-
hey_aj
- OpenVpn Newbie
- Posts: 3
- Joined: Sat Aug 26, 2017 11:05 am
[Resolved] NETWORK_EOF_ERROR (transport error)
Have been using OpenVPN on 3 different iOS devices for weeks without issues. Yesterday, all 3 encountered the same issue- my iPad and iPhone here on business travel in Australia, my wife’s iPhone back home in the US. Doesn’t matter if on cell data or wifi. Key problem seems to be a transport error per the log below. Client status toggles between «waiting for server» and «transport pause» before timing out. Had wife reboot our asus router but did not resolve. Grateful for any assistance.
2017-08-26 20:59:26 EVENT: RESOLVE
2017-08-26 20:59:26 Contacting 24.9.69.17:443 via TCP
2017-08-26 20:59:26 EVENT: WAIT
2017-08-26 20:59:26 SetTunnelSocket returned 1
2017-08-26 20:59:27 Connecting to [xxxx.asuscomm.com]:443 (24.9.69.17) via TCPv4
2017-08-26 20:59:27 TCP recv EOF
2017-08-26 20:59:27 Transport Error: Transport error on ‘xxxx.asuscomm.com: NETWORK_EOF_ERROR
2017-08-26 20:59:27 EVENT: TRANSPORT_ERROR Transport error on ‘xxxx.asuscomm.com: NETWORK_EOF_ERROR [ERR]
2017-08-26 20:59:27 Client terminated, restarting in 5000 ms…
2017-08-26 20:59:27 NET Internet:ReachableViaWiFi/-R t——
2017-08-26 20:59:30 RECONNECT TEST: Internet:ReachableViaWiFi/-R t——
2017-08-26 20:59:30 Client terminated, reconnecting in 1…
2017-08-26 20:59:31 EVENT: RECONNECTING
2017-08-26 20:59:31 EVENT: RESOLVE
2017-08-26 20:59:31 Contacting 24.9.69.17:443 via TCP
2017-08-26 20:59:31 EVENT: WAIT
2017-08-26 20:59:31 SetTunnelSocket returned 1
2017-08-26 20:59:31 Connecting to [xxxx.asuscomm.com]:443 (24.9.69.17) via TCPv4
2017-08-26 20:59:32 TCP recv EOF
2017-08-26 20:59:32 Transport Error: Transport error on ‘xxxx.asuscomm.com: NETWORK_EOF_ERROR
2017-08-26 20:59:32 EVENT: TRANSPORT_ERROR Transport error on ‘xxxx.asuscomm.com: NETWORK_EOF_ERROR [ERR]
2017-08-26 20:59:32 Client terminated, restarting in 5000 ms…
2017-08-26 20:59:35 RECONNECT TEST: Internet:ReachableViaWiFi/-R t——
2017-08-26 20:59:35 Client terminated, reconnecting in 1…
2017-08-26 20:59:36 EVENT: RECONNECTING
2017-08-26 20:59:36 EVENT: RESOLVE
2017-08-26 20:59:36 Contacting 24.9.69.17:443 via TCP
2017-08-26 20:59:36 EVENT: WAIT
2017-08-26 20:59:36 SetTunnelSocket returned 1
2017-08-26 20:59:36 Connecting to [xxxx.asuscomm.com]:443 (24.9.69.17) via TCPv4
2017-08-26 20:59:36 TCP recv EOF
2017-08-26 20:59:36 Transport Error: Transport error on ‘xxxx.asuscomm.com: NETWORK_EOF_ERROR
2017-08-26 20:59:36 EVENT: TRANSPORT_ERROR Transport error on ‘xxxx.asuscomm.com: NETWORK_EOF_ERROR [ERR]
2017-08-26 20:59:36 Client terminated, restarting in 5000 ms…
2017-08-26 20:59:39 RECONNECT TEST: Internet:ReachableViaWiFi/-R t——
2017-08-26 20:59:39 Client terminated, reconnecting in 1…
2017-08-26 20:59:40 EVENT: RECONNECTING
2017-08-26 20:59:40 EVENT: RESOLVE
2017-08-26 20:59:40 Contacting 24.9.69.17:443 via TCP
2017-08-26 20:59:40 EVENT: WAIT
2017-08-26 20:59:40 SetTunnelSocket returned 1
2017-08-26 20:59:40 Connecting to [xxxx.asuscomm.com]:443 (24.9.69.17) via TCPv4
2017-08-26 20:59:41 TCP recv EOF
2017-08-26 20:59:41 Transport Error: Transport error on ‘xxxx.asuscomm.com: NETWORK_EOF_ERROR
2017-08-26 20:59:41 EVENT: TRANSPORT_ERROR Transport error on ‘xxxx.asuscomm.com: NETWORK_EOF_ERROR [ERR]
2017-08-26 20:59:41 Client terminated, restarting in 5000 ms…
2017-08-26 20:59:41 EVENT: DISCONNECTED
2017-08-26 20:59:41 Raw stats on disconnect:
BYTES_OUT : 64
PACKETS_OUT : 4
NETWORK_EOF_ERROR : 4
TRANSPORT_ERROR : 4
N_RECONNECT : 3
2017-08-26 20:59:41 Performance stats on disconnect:
CPU usage (microseconds): 21531
Network bytes per CPU second: 2972
Tunnel bytes per CPU second: 0
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11142
- Joined: Fri Jun 03, 2016 1:17 pm
Re: NETWORK_EOF_ERROR (transport error)
Post
by TinCanTech » Sat Aug 26, 2017 1:45 pm
Check your server log.
-
hey_aj
- OpenVpn Newbie
- Posts: 3
- Joined: Sat Aug 26, 2017 11:05 am
Re: NETWORK_EOF_ERROR (transport error)
Post
by hey_aj » Mon Aug 28, 2017 8:31 am
Sure, two follow-up questions:
1) I assume you are referring to the log on my router, in which case I will need to check when I return home as I am currently remote
2) Any suggestion as to what I am looking for or what the issue is? Or, just generic guidance to check the log?
Thanks
-
klanimantsi
- OpenVpn Newbie
- Posts: 13
- Joined: Mon Sep 04, 2017 9:00 am
Re: NETWORK_EOF_ERROR (transport error)
Post
by klanimantsi » Tue Sep 05, 2017 10:06 am
Did you verify the connection attempt was made?
-
hey_aj
- OpenVpn Newbie
- Posts: 3
- Joined: Sat Aug 26, 2017 11:05 am
Re: NETWORK_EOF_ERROR (transport error) SOLVED
Post
by hey_aj » Tue Sep 05, 2017 11:55 pm
Finally home from travels and could log into my router (ASUS RT-ACRH13). On OpenVPN Server config page there was this message: «OpenVPN server daemon failed to start». Tried various things to restart it, including reboot. No obvious way to do this. Then noticed alert for a firmware upgrade. Did the upgrade. All good now.
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11142
- Joined: Fri Jun 03, 2016 1:17 pm
Re: NETWORK_EOF_ERROR (transport error)
Post
by TinCanTech » Wed Sep 06, 2017 12:27 am
Great .. Thanks for letting us know
Содержание
- OpenVPN Support Forum
- Connection Timeout: NETWORK_EOF_ERROR
- Connection Timeout: NETWORK_EOF_ERROR
- Re: Connection Timeout: NETWORK_EOF_ERROR
- Re: Connection Timeout: NETWORK_EOF_ERROR
- Re: Connection Timeout: NETWORK_EOF_ERROR
- Re: Connection Timeout: NETWORK_EOF_ERROR
- Re: Connection Timeout: NETWORK_EOF_ERROR
- Re: Connection Timeout: NETWORK_EOF_ERROR
- Re: Connection Timeout: NETWORK_EOF_ERROR
- Transport error network eof error openvpn
- OpenVPN Support Forum
- Unknown openvpn error occured transport error on x.x.x.x via HTTP proxy x.x.x.x:80 NETWORK_EOF_ERROR
- Unknown openvpn error occured transport error on x.x.x.x via HTTP proxy x.x.x.x:80 NETWORK_EOF_ERROR
OpenVPN Support Forum
Community Support Forum
Connection Timeout: NETWORK_EOF_ERROR
Connection Timeout: NETWORK_EOF_ERROR
Post by christiansam » Sat Feb 02, 2013 10:17 am
I have problems connecting with openvpn connect (ios) to my openvpn server. Before any crypto-stuff can get handled out, it breaks up with the following message:
—
logfile:
EVENT: CONNECTIONG
Tunnel Options: .
Peer Info: .
.
TCP recv EOF
Transport Error: Transport error on ‘ ‘: NETWORK _EOF_ERROR
Client terminated, restarting in 2.
EVENT: RECONNECTING
—-
Authentifcation mode is set to TLS with KEY CERT and CA generated by the easy-rsa utility. Except for changing auth-mode to something else I I tried (nearly) every possible mix of client-configration setting, without any success. My client-conf is based on sample-file, provided in windows openvpn package and works well with linux, windows and android openvpn clients.
Can’t tell you exactly which version of the openvpn server I use, it is included in an alternative firmware for Linksys’ WRT54G/GL routers, please see: http://tomatovpn.keithmoyer.com/
Best regards,
christian
Re: Connection Timeout: NETWORK_EOF_ERROR
Post by mtrussa » Fri Mar 22, 2013 1:42 pm
Exactly thesame problem here!
Having a look on the server side it seems the connection never reach the server!
Dns resolution is fine (I see it in logs) but Connection Timeout: NETWORK_EOF_ERROR suddenly appears.
Are we missing something?
The same configuration works fine on Openvpn Connect on android.
Re: Connection Timeout: NETWORK_EOF_ERROR
Post by jbove » Thu May 02, 2013 12:23 pm
Re: Connection Timeout: NETWORK_EOF_ERROR
Post by jbove » Fri May 03, 2013 7:33 am
Re: Connection Timeout: NETWORK_EOF_ERROR
Post by guru431 » Wed Oct 23, 2013 8:39 am
Re: Connection Timeout: NETWORK_EOF_ERROR
Post by boostpt » Sun Dec 08, 2013 12:33 am
I made a reset to my primary router and
now the ddwrt have the same problem.
I don’t know why, I didn’t touch the ddwrt
configs at all. But I’m facing this problem.
When I use the internal connection (192.168.x.x)
I can connect to the server , but when I use
The Internet with my external ip, it doesn’t work.
I have all configured: noip; port forward on my
primary router. All worked fine before the router reset.
You fix the error just by adding the keysize
text on the server config, or you made
something else?
Did you creat other CRT or key file or something Else?
Re: Connection Timeout: NETWORK_EOF_ERROR
Post by boostpt » Mon Dec 09, 2013 9:24 pm
I’ve figured it out.
In my case it has nothing to do with keysize
My primary router was not properly configured.
It has several options for port forwarding.
And it wasn’t correctly configured.
Work like a charm now.
Re: Connection Timeout: NETWORK_EOF_ERROR
Post by plopes1960 » Thu Mar 13, 2014 11:45 am
I have exactly the same log problem when I try to conect from my iPad (openvpn client) to my router (openvpn server).
Источник
Transport error network eof error openvpn
09:22:44.403 — —— OpenVPN Start ——
09:22:44.404 — EVENT: CORE_THREAD_ACTIVE
09:22:44.418 — Frame=512/2048/512 mssfix-ctrl=1250
09:22:44.435 — UNUSED OPTIONS
5 [resolv-retry] [infinite]
6 [nobind]
7 [persist-key]
8 [persist-tun]
10 [verb] [3]
09:22:44.436 — EVENT: RESOLVE
09:22:44.443 — Contacting ххх.ххх.ххх.ххх:1194 via TCP
09:22:44.444 — EVENT: WAIT
09:22:44.560 — Connecting to [ххх.ххх.ххх.ххх]:1194 (ххх.ххх.ххх.ххх) via TCPv4
09:22:44.719 — EVENT: CONNECTING
09:22:44.832 — Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
09:22:44.837 — Creds: Username/Password
09:22:44.842 — Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.2
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1
09:22:46.600 — VERIFY OK : depth=0
cert. version : 3
serial number : 01
issuer name : C=RU, ST=STA, L=Stavropol, O=Company, OU=server, CN=server, ??=server, emailAddress=mail@mail.ru
subject name : C=RU, ST=STA, L=Stavropol, O=Company, OU=server, CN=server, ??=server, emailAddress=mail@mail.ru
issued on : 2018-07-10 11:48:50
expires on : 2028-07-07 11:48:50
signed using : RSA with SHA-256
RSA key size : 4096 bits
basic constraints : CA=false
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
09:22:47.910 — TCP recv EOF
09:22:47.917 — Transport Error: Transport error on ‘ххх.ххх.ххх.ххх: NETWORK_EOF_ERROR
09:22:47.926 — EVENT: TRANSPORT_ERROR info=’Transport error on ‘ххх.ххх.ххх.ххх: NETWORK_EOF_ERROR’
09:22:47.935 — Client terminated, restarting in 5000 ms..
Источник
OpenVPN Support Forum
Community Support Forum
Unknown openvpn error occured transport error on x.x.x.x via HTTP proxy x.x.x.x:80 NETWORK_EOF_ERROR
Unknown openvpn error occured transport error on x.x.x.x via HTTP proxy x.x.x.x:80 NETWORK_EOF_ERROR
Post by gelo » Thu May 04, 2017 5:21 pm
this is my server.conf
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# «C:\Program Files\OpenVPN\config\foo.key» #
# #
# Comments are preceded with ‘#’ or ‘;’ #
#################################################
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 443
# TCP or UDP server?
proto tcp
;proto udp
# «dev tun» will create a routed IP
# Use «dev tap0» if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use «dev-node» for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don’t need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the «easy-rsa» directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see «pkcs12» directive in man page).
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
dh dh2048.pem
# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
;topology subnet
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
# Maintain a record of client virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS’s bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS’s bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push «route 192.168.10.0 255.255.255.0»
;push «route 192.168.20.0 255.255.255.0»
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory «ccd» for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name «Thelonious»
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious’ private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using «dev tun» and «server» directives.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push «redirect-gateway def1 bypass-dhcp»
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push «dhcp-option DNS 8.8.8.8»
push «dhcp-option DNS 8.8.4.4»
# Uncomment this directive to allow different
# clients to be able to «see» each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server’s TUN/TAP interface.
;client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE «COMMON NAME»,
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an «HMAC firewall»
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn —genkey —secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be ‘0’
# on the server and ‘1’ on the clients.
;tls-auth ta.key 0 # This file is secret
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# It’s a good idea to reduce the OpenVPN
# daemon’s privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the «Program FilesOpenVPNlog» directory).
# Use log or log-append to override this default.
# «log» will truncate the log file on OpenVPN startup,
# while «log-append» will append to it. Use one
# or the other (but not both).
;log openvpn.log
;log-append openvpn.log
#enable log
log-append /var/log/myvpn/openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
this is my iptables
# Generated by iptables-save v1.4.21 on Wed May 3 15:45:37 2017
*nat
REROUTING ACCEPT [46:2820]
:INPUT ACCEPT [46:2820]
:OUTPUT ACCEPT [14:1030]
OSTROUTING ACCEPT [14:1030]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed May 3 15:45:37 2017
# Generated by iptables-save v1.4.21 on Wed May 3 15:45:37 2017
*filter
:INPUT ACCEPT [42:4130]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [42:4830]
-A INPUT -i eth0 -p tcp -m state —state NEW -m tcp —dport 443 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -p tcp -m tcp —dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state —state ESTABLISHED -m tcp —sport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state —state ESTABLISHED -m tcp —sport 443 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state —state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state —state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state —state NEW,ESTABLISHED -m tcp —dport 443 -j ACCEPT
COMMIT
# Completed on Wed May 3 15:45:37 2017
this is my squid.conf
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on «localhost» is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access allow all
# Squid normally listens to port 3128
http_port 80
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|?) 0 0% 0
refresh_pattern . 0 20% 4320
Источник
Здравствуйте.
Можно с разрешения ТС подобный вопрос задать, чтоб темы не плодить.
Подскажите пожалуйста. Поднял сервер openvpn на ubuntu server 18.04, на микрот установил сертификат и ключ. Пробую соединиться — не получается.
Лог сервера:
Код: Выделить всё
Thu Nov 14 01:32:07 2019 TCP connection established with [AF_INET]***.***.***.***:53340
Thu Nov 14 01:32:07 2019 185.184.233.160:53340 TLS: Initial packet from [AF_INET]***.***.***.***:53340, sid=53ffafd8 2edccd19
Thu Nov 14 01:32:07 2019 185.184.233.160:53340 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]***.***.***.***:53340
Thu Nov 14 01:32:07 2019 185.184.233.160:53340 Fatal TLS error (check_tls_errors_co), restarting
Thu Nov 14 01:32:07 2019 185.184.233.160:53340 SIGUSR1[soft,tls-error] received, client-instance restarting
конфигурация сервера:
Код: Выделить всё
port 1194
# Протокол может быть UDP или TCP, я выбрал 1-й вариант.
proto tcp
# Если вы выберите протокол TCP, здесь должно быть устройство tap. Однако, это вариант я не проверял, поэтому ищите информацию отдельно. FIXME
dev tun
# Указываем где искать ключи
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
# Для 12.04 dh1024.pem
# Задаем IP и маску виртуальной сети. Произвольно, но если не уверены лучше делайте как показано здесь
server 10.8.0.0 255.255.255.0
# Указыем, где хранятся файлы с настройками IP-адресов клиентов (создадим ниже)
client-config-dir ccd
# Запоминать динамически выданные адреса для VPN-клиентов и при последующих подключениях назначать те же значения.
ifconfig-pool-persist ipp.txt
# Указываем сети, в которые нужно идти через туннель (сеть-клиента).
route 192.168.0.0 255.255.255.0
# Включаем TLS
tls-server
tls-auth /etc/openvpn/keys/ta.key 0
tls-timeout 120
auth SHA1
cipher AES-256-CBC
# Если нужно, чтобы клиенты видели друг друга раскомментируйте
;client-to-client
keepalive 10 120
# Сжатие трафика
;comp-lzo
# Максимум клиентов
max-clients 10
user nobody
group nogroup
# Не перечитывать ключи, не закрывать и переоткрывать TUNTAP устройство, после получения SIGUSR1 или ping-restart
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
# Детальность логирования
verb 3
# Защита от повторов (максимум 20 одинаковых сообщений подряд)
mute 20
# Файл отозванных сертификатов. Разремить, когда такие сертификаты появятся.
;crl-verify /etc/openvpn/crl.pem
лог с микрота:
Настраивал по мануалу с вики ubuntu.ru
Где может быть ошибка?
благодарю
Клиентские подключения перебивают друг друга. Как можно поправить?
Доброго времени суток!
Есть такой момент, на CentOS8 установлены OpenVPN+easy-rsa, отконфигурировал центральный свитч на проброс порта с внешнего адреса на сервер. В целом соединения стартуют без проблем, но толи в меру своей криворукости, толи еще по каким причинам, когда идет одно соединение, все идет без проблем, стоит подключиться кому-то еще, соединения начинают рвать друг друга. Читал маны не смог понять в чем может быть прикол, т.к. в целом по конфигу вроде все верно. хоть и более чем уверен, что напартачил в них.
server.conf
local 192.168.88.202
port 65000
proto tcp4
dev tun
ca /etc/openvpn/server/keys/ca.crt
cert /etc/openvpn/server/keys/ovp.crt
key /etc/openvpn/server/keys/ovp.key
dh /etc/openvpn/server/keys/dh.pem
tls-auth /etc/openvpn/server/keys/ta.key 0
crl-verify /etc/openvpn/server/keys/crl.pem
server 174.25.67.0 255.255.255.0
push «route 192.168.0.0 255.255.255.0»
push «route 192.168.1.0 255.255.255.0»
push «route 192.168.5.0 255.255.255.0»
push «route 192.168.7.0 255.255.255.0»
push «route 192.168.8.0 255.255.255.0»
push «route 192.168.42.0 255.255.255.0»
push «route 192.168.88.0 255.255.255.0»
push «route 192.168.113.0 255.255.255.0»
push «route 192.168.203.0 255.255.255.0»
ifconfig-pool-persist /etc/openvpn/server/ipp.txt
keepalive 10 120
max-clients 100
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
daemon
mode server
tls-server
comp-lzo yes
sndbuf 524288
rcvbuf 524288
push «sndbuf 524288»
push «rcvbuf 524288»
tcp-nodelay
client.ovpn
client
dev tun
proto tcp4
remote xxx.xxx.xxx.xxx 65000
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
dh dh.pem
tls-client
tls-auth ta.key 1
float
keepalive 10 120
comp-lzo
verb 0
cert d_shavaleev.crt
key d_shavaleev.key
-
Вопрос заданболее двух лет назад
-
563 просмотра
Если для всех клиентов используется один и тот же клиентский ключ/сертификат, то это нормальное поведение OpenVPN сервера. Чтобы позволить нескольким клиентам использовать один ключ/сертификат, надо в конфиг сервера добавить строку duplicate-cn
.
Но это не сильно хорошо для контроля и безопасности, поэтому лучше каждому клиенту выдать свой сертификат.
Пригласить эксперта
Что бы пользоваться одним ключом на многих устройствах одновременно, нужна настроить сервер на протокол UDP. На протоколе TCP ключи будут вырубать друг друга.
-
Показать ещё
Загружается…
10 февр. 2023, в 01:33
1500 руб./за проект
10 февр. 2023, в 00:54
2000 руб./в час
10 февр. 2023, в 00:15
1000 руб./в час
Минуточку внимания
Guide
2018-11-19
02:57 PM
OpenVPN Not connecting in Orbi system
Hi, i have a brandnew ORBI RBK23 system (1 router, 2 satellites), router connected to cable modem. The ORBI router as replacement for a Nighthawk R7000, on which a VPN service worked flawlessly. Connection with Samsung Android smart phone as well as iPad without problems, but Windows Notebook problems with certificates.
But not on the new ORBI: nothing at all works as far as VPN is concerned.
I did all the settings as prescribed, downloaded the right client .ovpn file, but to no avail.
Any suggestions?
HELP PLEASE!
(Firmware: v2.2.1.210; service type TUN mode: TCP; service type TAP mode: UDP; clients access VPN: all internet sites as well as home network)
Model: RBK22| Orbi AC2200 Tri-band WiFi System
Message 1 of 19
Guide
2018-11-20
01:22 AM
Re: OpenVPN Not connecting in Orbi system
FOUND IT! Thanks to you. I changed the settings of TUN back to UDP and now it is working all right! I forgot that I initially tested it over the home network and as you said, that does not work (but it did on my previous router, so that caused my confusion). When I set the wifi on my iPad to my smart phone 4G hotspot, it works fine now!!
The only thing that is still bothering me is the lg in the windows client (notebook with windows 10). Connection is achieved all right, but in the log I see this:
Tue Nov 20 10:03:33 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Nov 20 10:03:44 2018 WARNING: this configuration may cache passwords in memory — use the auth-nocache option to prevent this
Should I start a new topic on this, or may I ask your opinion about this too? (I tried to understand what is explained in the provided openvpn.net link, but can’t get a grip on the contents; seems that I have to do a lot of programming, which seems very difficult).
But anyhow, by this conversation with you, my problems with the connection, anyway on my iPad as well as my android smart phone, are completely solved! Thank you very much!
Message 8 of 19
Master
2018-11-19
03:45 PM
Re: OpenVPN Not connecting in Orbi system
I have VPN working well on iPhone and iPad.
— What happens when it does not work for you?
— Do you see any event in Logs when VPN is tried? This can show if the VPN connection request arrives to Orbi.
— Is DDNS configured correctly and working? Do you get the correct status when clicking “Status” in the DDNS tab?
— Please note that you can’t try VPN connection while connected to your own wifi or another network using the same IP range as your own LAN.
My Setup | Internet Fiber ONT 250↓/250↑ | ISP Telenor | Wifi Router Orbi RBR850 + RBS850 + 2x RBS750 + 3xRBS350, Wired/Wireless BH / Orbi RBR50 + 6x RBS50 + RBS40V + RBS50Y, Wired/Wireless BH | Switches NG GS208 | Time Zone CET (Sweden)
Message 2 of 19
Guide
2018-11-19
04:19 PM
Re: OpenVPN Not connecting in Orbi system
Thanks for responding!
what happens is that i get time outs. In the log files i see each time the same error: «TCP rcv EOF» followed by «TRANSPORT_ERROR Transport error on ‘(my name).mynetgear.com: NETWORK_EOF_ERROR [ERR]»
in the DDNS, with clicking on «show status» i get the message, after a few seconde of waiting, that an update was performed a few days ago (correct, that was when i tried to setup my VPN first time) on (my name).mynetgear.com.
does this give you any clues?
Model: RBK22| Orbi AC2200 Tri-band WiFi System
Message 3 of 19
Master
2018-11-19
04:33 PM
Re: OpenVPN Not connecting in Orbi system
Before starting “deeper” troubleshooting, can you please first untick “Enable VPN Service” option under VPN and click Apply, then tick it again and click Apply. Anything changes?
My Setup | Internet Fiber ONT 250↓/250↑ | ISP Telenor | Wifi Router Orbi RBR850 + RBS850 + 2x RBS750 + 3xRBS350, Wired/Wireless BH / Orbi RBR50 + 6x RBS50 + RBS40V + RBS50Y, Wired/Wireless BH | Switches NG GS208 | Time Zone CET (Sweden)
Message 4 of 19
Guide
2018-11-19
11:29 PM
Re: OpenVPN Not connecting in Orbi system
Did what you suggested, nothing changed, i keep the logged error (EOF error).
Also rebooted several times, but again, same problem.
Should i perform a total reset and renew installation? (Don’t like the idea, but on the other hand, it can be done if you think that’s wise).
Or should i delete my mynetgear address and start from scratch there, with a new address on mynetgear.com?
Model: RBK22| Orbi AC2200 Tri-band WiFi System
Message 5 of 19
Master
2018-11-19
11:38 PM
Re: OpenVPN Not connecting in Orbi system
— You mentioned that your TUN Mode is set to TCP. Any reason for that? The default (which I have working) is UDP.
My Setup | Internet Fiber ONT 250↓/250↑ | ISP Telenor | Wifi Router Orbi RBR850 + RBS850 + 2x RBS750 + 3xRBS350, Wired/Wireless BH / Orbi RBR50 + 6x RBS50 + RBS40V + RBS50Y, Wired/Wireless BH | Switches NG GS208 | Time Zone CET (Sweden)
Message 6 of 19
Guide
2018-11-19
11:46 PM
Re: OpenVPN Not connecting in Orbi system
Did that after the initial udp option did not work (same problem), and on the former router Nighthawk R7000, this was the working setting…
Model: RBK22| Orbi AC2200 Tri-band WiFi System
Message 7 of 19
Guide
2018-11-20
01:22 AM
Re: OpenVPN Not connecting in Orbi system
FOUND IT! Thanks to you. I changed the settings of TUN back to UDP and now it is working all right! I forgot that I initially tested it over the home network and as you said, that does not work (but it did on my previous router, so that caused my confusion). When I set the wifi on my iPad to my smart phone 4G hotspot, it works fine now!!
The only thing that is still bothering me is the lg in the windows client (notebook with windows 10). Connection is achieved all right, but in the log I see this:
Tue Nov 20 10:03:33 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Nov 20 10:03:44 2018 WARNING: this configuration may cache passwords in memory — use the auth-nocache option to prevent this
Should I start a new topic on this, or may I ask your opinion about this too? (I tried to understand what is explained in the provided openvpn.net link, but can’t get a grip on the contents; seems that I have to do a lot of programming, which seems very difficult).
But anyhow, by this conversation with you, my problems with the connection, anyway on my iPad as well as my android smart phone, are completely solved! Thank you very much!
Message 8 of 19
Master
2018-11-20
01:30 AM
Re: OpenVPN Not connecting in Orbi system
Glad that this helped. Good luck
My Setup | Internet Fiber ONT 250↓/250↑ | ISP Telenor | Wifi Router Orbi RBR850 + RBS850 + 2x RBS750 + 3xRBS350, Wired/Wireless BH / Orbi RBR50 + 6x RBS50 + RBS40V + RBS50Y, Wired/Wireless BH | Switches NG GS208 | Time Zone CET (Sweden)
Message 9 of 19
Guide
2018-11-20
01:54 AM
Re: OpenVPN Not connecting in Orbi system
and to be complete for all readers of this topic, about the added questions concerning the log file of the windows client connection:
the line about the warning of certificates vanishes if one adds the line «remote-cert-tls server» to the .OVPN config file
the second warning, about the passwords cache, is of no real siginificance and can be ignored.
again many thanks to ekhalil!
Model: RBK22| Orbi AC2200 Tri-band WiFi System
Message 10 of 19
Aspirant
2018-11-20
11:59 AM
Re: OpenVPN Not connecting in Orbi system
I’m having the same issue…I cant seem to connect to my VPN on windows 10. I am able to connect to it no problem on my iphone and ipad. But on windows 10, I’m getting this in the log file:
Enter Management Password:
Tue Nov 20 14:47:48 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Nov 20 14:48:53 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Nov 20 14:49:58 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Nov 20 14:51:05 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Nov 20 14:52:11 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Any help would be appreciated. Thanks in advance
_______________________________________________________________________________________________________________
UPDATE: I was trying to connect while on my home network (not sure if that matters). I tried while on my iphone hotspot and his is what i get:
Enter Management Password:
Tue Nov 20 15:02:04 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Nov 20 15:02:06 2018 TAP-Windows adapter ‘NETGEAR-VPN’ not found
Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 11 of 19
Aspirant
2018-11-20
12:21 PM
Re: OpenVPN Not connecting in Orbi system
Ok, UPDATE #2: After researching the last log file entry, I renamed the TAP Windows Adapter to «NETGEAR-VPN». Now I’m getting:
Enter Management Password:
Tue Nov 20 15:12:08 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Nov 20 15:12:08 2018 Could not determine IPv4/IPv6 protocol
Tue Nov 20 15:12:13 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
I just cant win!! I already researched that as well and cant seem to find info on it. Now any help would be appreciated. Sorry, and thanks in advance
Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 12 of 19
Guide
2018-11-20
01:18 PM
Re: OpenVPN Not connecting in Orbi system
Well, since I got it running, you should be able to run it too, especially with your equipment!
I suppose you have the newest ORBI firmware, and you have a valid mynetgear.com account. And you downloaded the right files (those for Windows) from the router.
In VPN settings, leave the TUN service mode and TAP service mode as it is (so leave TUN to UPD and do not change it, like I tried to no avail, to TCP)
You already renamed the TAP adapter to NETGEAR-VPN, that is necessary too.
Did you also add the line «remote-cert-tls server» to your client.ovpn file? Because when you did, the warning about the certificates should not appear. Are you sure that the (in this way edited) client.ovpn is in the C:program filesopenvpnconfig subdirectory?
And indeed, it matters that you test your VPN from a different network than your ORBI network.
Please check the above issues and let us know if this helps?
Model: RBK22| Orbi AC2200 Tri-band WiFi System
Message 13 of 19
Aspirant
2018-11-20
01:53 PM
Re: OpenVPN Not connecting in Orbi system
Thanks for the fast reply…
- Yes the router and satellites are on the current firmwares
- Yes my mynetgear account is valid
- Yes I downloaded the correct config files for windows
- Both TUN and TAP are default and havnet been changed
- Yes I renamed the adapter to NETGEAR-VPN as you stated
- No, I did not add that line to my config file. Is that simply added that to the send line? My config file is 1 line long…very long and nothing else. Do I add it with quotes or without?
Here is my current config file:
Only 1 line
client
dev tap
proto udp
dev-node NETGEAR-VPN
remote (removed for privacy) 12974
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
verb 0
sndbuf 393216
rcvbuf 393216
Not sure why it pasted as being multiple lines, that’s why i included the image.
- Lastly, yes, the config file is in the correct directory
I actually gave up until i saw your reply. I will keep at it, but its very frustrating and shouldn’t be this hard.
Message 14 of 19
Aspirant
2018-11-20
02:01 PM
Re: OpenVPN Not connecting in Orbi system
Also, opening the config file in notepad:
I added remote-cert-tls server without the quotes at the very end and when i go to save it, it says i dont have permission and need to seek file owner or administrator. I am the administrator on the machine, only 1 user.
Message 15 of 19
Guide
2018-11-20
02:25 PM
Re: OpenVPN Not connecting in Orbi system
Yes, that is what i saw too. So what i did was editing the ovpn file in the download directory and then copied the new / edited file to the config subdir. Here too the system complained about my rights, but there was the option to continue as administrator. And that worked.
The line is indeed to be placed at the end of the file, i put it right at the end, two spaces after the last character.
And indeed without he quotation marks!
Please inform about the result!
Model: RBK22| Orbi AC2200 Tri-band WiFi System
Message 16 of 19
Aspirant
2018-11-20
03:01 PM
Re: OpenVPN Not connecting in Orbi system
Thanks again for your help…i really appreciate it.
New Errors — New Logs…so maybe a step in the right direction. BUT, you’re right, i’m not geting the «certificate» warning anymore
Message 17 of 19
Guide
2018-11-21
03:08 AM
Re: OpenVPN Not connecting in Orbi system
I am very sorry your problem still exists…
Btw, your client.ovpn contains exactly the same lines as mine, only mine is one long line without hard returns (in notepad), and no spaces between the lines as compared to yours (where there are hard returns). I wonder why you apparently downloaded another format…
What exactly are the «new ERRORs» you write about in your last post?
Model: RBK22| Orbi AC2200 Tri-band WiFi System
Message 18 of 19
Guide
2018-11-22
08:18 AM
Re: OpenVPN Not connecting in Orbi system
Ah, now i can see the errors, but i do not understand them…
You have the exact lines in your (as compared to my) client.ovpn, and i also tried what would happen if i make it a file with neat 18 lines (the 18th being the added line remote-cert-tls server). No difference, works equal flawlessly.
The only possible difference (but i do not know its significance) is that you keep also a client file in the C:users(user)openvpnconfig? Because i have not (the only place is the C:program filesopenvpnconfig, along with the 3 other files of course (ca.crt, client.crt and client.key).
If the problem still exists, you might try the good old reboot of your system and / or try the whole operation without the protection of firewalls etc.
I am afraid i can’t be of further assistance (being kind of a novice myself!)
Good luck, and please post again if you have (hopefully good) news flashes!
Model: RBK22| Orbi AC2200 Tri-band WiFi System
Message 19 of 19
Thank you for your response and sorry for confusion, I’ve done the steps that you’ve listed and I’m attaching the information that I’ve managed to gather.
Using the profile imported by openvpn3-as:
~$ openvpn3 log --log-level 6 --config AS:OUR.VPN.DOMAIN
Waiting for session to start ... Done
Attaching to session /net/openvpn/v3/sessions/a89a9872s0abas47d0s993cs8e500a0234ae
2021-07-12 13:00:21 >> Connection, Configuration OK: config_path=/net/openvpn/v3/configuration/1ed8be73x659ax40bbxa90cxe40fd4615bce
2021-07-12 13:00:21 Client INFO: Starting connection
2021-07-12 13:00:21 Client VERB1: Username/password provided successfully for 'myvpn.username'
2021-07-12 13:00:21 Client DEBUG: Using DNS resolver scope: global
2021-07-12 13:00:21 Client DEBUG: [Connect] DCO flag: disabled
2021-07-12 13:00:21 >> Connection, Client connecting
2021-07-12 13:00:21 Client DEBUG: OpenVPN core 3.git:HEAD:fce979ec linux x86_64 64-bit OVPN-DCO
2021-07-12 13:00:21 Client DEBUG: Frame=512/2048/512 mssfix-ctrl=1250
2021-07-12 13:00:21 Client DEBUG: UNUSED OPTIONS
12 [verb] [3]
2021-07-12 13:00:21 Client VERB2: Resolving
2021-07-12 13:00:21 Client DEBUG: Contacting OUR.VPN.IP.ADDRESS:443 via TCP
2021-07-12 13:00:21 Client VERB1: Waiting for server response
2021-07-12 13:00:21 Client DEBUG: Connecting to [OUR.VPN.DOMAIN]:443 (OUR.VPN.IP.ADDRESS) via TCP
2021-07-12 13:00:21 Client DEBUG: TCP recv EOF
2021-07-12 13:00:21 Client DEBUG: Transport Error: Transport error on 'OUR.VPN.DOMAIN: NETWORK_EOF_ERROR
2021-07-12 13:00:21 Client DEBUG: Client terminated, restarting in 5000 ms...
2021-07-12 13:00:26 Client INFO: Reconnecting
2021-07-12 13:00:26 >> Connection, Client reconnect
2021-07-12 13:00:26 Client VERB2: Resolving
2021-07-12 13:00:26 Client DEBUG: Contacting OUR.VPN.IP.ADDRESS:443 via TCP
2021-07-12 13:00:26 Client VERB1: Waiting for server response
2021-07-12 13:00:26 Client DEBUG: Connecting to [OUR.VPN.DOMAIN]:443 (OUR.VPN.IP.ADDRESS) via TCP
2021-07-12 13:00:26 Client DEBUG: TCP recv EOF
2021-07-12 13:00:26 Client DEBUG: Transport Error: Transport error on 'OUR.VPN.DOMAIN: NETWORK_EOF_ERROR
2021-07-12 13:00:26 Client DEBUG: Client terminated, restarting in 5000 ms...
2021-07-12 13:00:31 Client INFO: Reconnecting
2021-07-12 13:00:31 >> Connection, Client reconnect
2021-07-12 13:00:31 Client VERB2: Resolving
2021-07-12 13:00:31 Client DEBUG: Contacting OUR.VPN.IP.ADDRESS:443 via TCP
2021-07-12 13:00:31 Client VERB1: Waiting for server response
2021-07-12 13:00:31 Client DEBUG: Connecting to [OUR.VPN.DOMAIN]:443 (OUR.VPN.IP.ADDRESS) via TCP
2021-07-12 13:00:31 Client DEBUG: TCP recv EOF
2021-07-12 13:00:31 Client DEBUG: Transport Error: Transport error on 'OUR.VPN.DOMAIN: NETWORK_EOF_ERROR
2021-07-12 13:00:31 Client DEBUG: Client terminated, restarting in 5000 ms...
2021-07-12 13:00:36 Client INFO: Reconnecting
2021-07-12 13:00:36 >> Connection, Client reconnect
2021-07-12 13:00:36 Client VERB2: Resolving
2021-07-12 13:00:36 Client DEBUG: Contacting OUR.VPN.IP.ADDRESS:443 via TCP
2021-07-12 13:00:36 Client VERB1: Waiting for server response
2021-07-12 13:00:36 Client DEBUG: Connecting to [OUR.VPN.DOMAIN]:443 (OUR.VPN.IP.ADDRESS) via TCP
2021-07-12 13:00:36 Client DEBUG: TCP recv EOF
2021-07-12 13:00:36 Client DEBUG: Transport Error: Transport error on 'OUR.VPN.DOMAIN: NETWORK_EOF_ERROR
2021-07-12 13:00:36 Client DEBUG: Client terminated, restarting in 5000 ms...
2021-07-12 13:00:41 Client INFO: Reconnecting
2021-07-12 13:00:41 >> Connection, Client reconnect
2021-07-12 13:00:41 Client VERB2: Resolving
2021-07-12 13:00:41 Client DEBUG: Contacting OUR.VPN.IP.ADDRESS:443 via TCP
2021-07-12 13:00:41 Client VERB1: Waiting for server response
2021-07-12 13:00:41 Client DEBUG: Connecting to [OUR.VPN.DOMAIN]:443 (OUR.VPN.IP.ADDRESS) via TCP
2021-07-12 13:00:41 Client DEBUG: TCP recv EOF
2021-07-12 13:00:41 Client DEBUG: Transport Error: Transport error on 'OUR.VPN.DOMAIN: NETWORK_EOF_ERROR
2021-07-12 13:00:41 Client DEBUG: Client terminated, restarting in 5000 ms...
2021-07-12 13:00:46 Client INFO: Reconnecting
2021-07-12 13:00:46 >> Connection, Client reconnect
2021-07-12 13:00:46 Client VERB2: Resolving
2021-07-12 13:00:46 Client DEBUG: Contacting OUR.VPN.IP.ADDRESS:443 via TCP
2021-07-12 13:00:46 Client VERB1: Waiting for server response
2021-07-12 13:00:46 Client DEBUG: Connecting to [OUR.VPN.DOMAIN]:443 (OUR.VPN.IP.ADDRESS) via TCP
2021-07-12 13:00:46 Client DEBUG: TCP recv EOF
2021-07-12 13:00:46 Client DEBUG: Transport Error: Transport error on 'OUR.VPN.DOMAIN: NETWORK_EOF_ERROR
2021-07-12 13:00:46 Client DEBUG: Client terminated, restarting in 5000 ms...
Session closed
In client window: (it doesn’t ask me for 2FA)
~$ openvpn3 session-start --config AS:OUR.VPN.DOMAIN
Using pre-loaded configuration profile 'AS:OUR.VPN.DOMAIN'
Session path: /net/openvpn/v3/sessions/a89a9872s0abas47d0s993cs8e500a0234ae
Auth User name: myvpn.username
Auth Password:
session-start: ** ERROR ** Failed to connect: Connection, Client reconnect
Using the profile file downloaded from OpenVPN AS WEB UI: (the one that works correctly in openvpn v2.x clients)
~$ openvpn3 log --log-level 6 --config ./profile-53.ovpn
Waiting for session to start ... Done
Attaching to session /net/openvpn/v3/sessions/10235fc0s3bbfs45cdsbaacs1640a3e3c353
2021-07-12 13:10:57 >> Connection, Configuration OK: config_path=/net/openvpn/v3/configuration/fd972649xc7fax4a74xb50exe658f4ab8120
2021-07-12 13:10:57 Client INFO: Starting connection
2021-07-12 13:10:57 Client VERB1: Username/password provided successfully for 'myvpn.username'
2021-07-12 13:10:57 Client DEBUG: Using DNS resolver scope: global
2021-07-12 13:10:57 Client DEBUG: [Connect] DCO flag: disabled
2021-07-12 13:10:57 >> Connection, Client connecting
2021-07-12 13:10:57 Client DEBUG: OpenVPN core 3.git:HEAD:fce979ec linux x86_64 64-bit OVPN-DCO
2021-07-12 13:10:57 Client DEBUG: Frame=512/2048/512 mssfix-ctrl=1250
2021-07-12 13:10:57 Client DEBUG: UNUSED OPTIONS
1 [up] [/etc/openvpn/scripts/update-systemd-resolved]
2 [down] [/etc/openvpn/scripts/update-systemd-resolved]
3 [down-pre]
15 [verb] [3]
2021-07-12 13:10:57 Client VERB2: Resolving
2021-07-12 13:10:57 Client DEBUG: Contacting OUR.VPN.IP.ADDRESS:443 via TCP
2021-07-12 13:10:57 Client VERB1: Waiting for server response
2021-07-12 13:10:57 Client DEBUG: Connecting to [OUR.VPN.DOMAIN]:443 (OUR.VPN.IP.ADDRESS) via TCP
2021-07-12 13:10:57 Client INFO: Connecting
2021-07-12 13:10:57 >> Connection, Client connecting
2021-07-12 13:10:57 Client DEBUG: Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCP_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
2021-07-12 13:10:57 Client DEBUG: Creds: Username/Password
2021-07-12 13:10:57 Client DEBUG: Peer Info:
IV_VER=3.git:HEAD:fce979ec
IV_PLAT=linux
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
IV_GUI_VER=OpenVPN 3/Linux v14_beta/3.git:HEAD:fce979ec linux x86_64 64-bit
IV_SSO=openurl
IV_HWADDR=9067504b559a35f2905a039185daa2b37bd73637ca213885c7d5d2d5c6e9c5b8
IV_SSL=OpenSSL 1.1.1j 16 Feb 2021
2021-07-12 13:10:57 Client DEBUG: VERIFY OK: depth=1, /CN=OpenVPN CA, signature: RSA-SHA256
2021-07-12 13:10:57 Client DEBUG: VERIFY OK: depth=0, /CN=OpenVPN Server, signature: RSA-SHA256
2021-07-12 13:10:57 Client DEBUG: SSL Handshake: peer certificate: CN=OpenVPN Server, 2048 bit RSA, cipher: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
2021-07-12 13:10:57 Client DEBUG: Session is ACTIVE
2021-07-12 13:10:57 Client VERB2: Retrieving configuration from server
2021-07-12 13:10:57 Client DEBUG: Sending PUSH_REQUEST to server...
2021-07-12 13:10:57 Client DEBUG: AUTH_FAILED
2021-07-12 13:10:57 Client DEBUG: DYNAMIC_CHALLENGE: |CRV1:R,E:PG_CKWCm1HMLEEir/P7:bWF0ZXVzei5wcnp5Ynlsb3dpY3o=:Enter Authenticator Code|
2021-07-12 13:10:57 >> Connection, Configuration requires user input: Dynamic Challenge
2021-07-12 13:10:57 Client DEBUG: Client exception in transport_recv: std::exception
2021-07-12 13:11:27 >> Connection, Configuration OK: config_path=/net/openvpn/v3/configuration/fd972649xc7fax4a74xb50exe658f4ab8120
2021-07-12 13:11:27 Client INFO: Starting connection
2021-07-12 13:11:27 Client VERB1: Username/password provided successfully for 'myvpn.username'
2021-07-12 13:11:27 Client VERB1: Dynamic challenge provided successfully for 'myvpn.username'
2021-07-12 13:11:27 Client DEBUG: Using DNS resolver scope: global
In client window (asks for 2FA, but hangs):
$ openvpn3 session-start --config ./profile-53.ovpn
Using pre-loaded configuration profile './profile-53.ovpn'
Session path: /net/openvpn/v3/sessions/10235fc0s3bbfs45cdsbaacs1640a3e3c353
Auth User name: myvpn.username
Auth Password:
Enter Authenticator Code: 085074
session-start: ** ERROR ** Failed to start new session: Failed calling D-Bus method Connect: Timeout was reached
-
-
Alexandr1047
just joined
- Posts: 2
- Joined: Sun Jun 25, 2017 11:09 pm
Openvpn does not work on the iphone.
- #1
Sun Jun 25, 2017 11:25 pm
Good afternoon. At me the following problem — openvpn does not work on devices with operating system IOS. In doing so, everything works on other operating systems including (MacOS). In this case, this situation is observed only if the certificates were generated in Mikrotik. If you import keys created into linux into it, everything works fine. First he gave such a mistake.
2017-06-25 01:43:04 EVENT: CORE_ERROR PolarSSL: error parsing config private key : PKCS5 — Requested encryption or digest alg not available [ERR]
How I figured this out was because the microphone encrypts the private key with a format that does not support iOS.
[root@ip-172-31-14-92 centos]# openssl asn1parse -in 1_cert_export_test-client-ovpn-12.key
0:d=0 hl=4 l=1311 cons: SEQUENCE
4:d=1 hl=2 l= 73 cons: SEQUENCE
6:d=2 hl=2 l= 9 prim: OBJECT BES2
17:d=2 hl=2 l= 60 cons: SEQUENCE
19:d=3 hl=2 l= 27 cons: SEQUENCE
21:d=4 hl=2 l= 9 prim: OBJECT BKDF2
32:d=4 hl=2 l= 14 cons: SEQUENCE
34:d=5 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:249CA7FCEC409541
44:d=5 hl=2 l= 2 prim: INTEGER :0800
48:d=3 hl=2 l= 29 cons: SEQUENCE
50:d=4 hl=2 l= 9 prim: OBJECT :aes-256-cbc
61:d=4 hl=2 l= 16 prim: OCTET STRING [HEX DUMP]:0A3C812B3F915210ADB830EC58C43845
On Linux such a conclusion.
[root@ip-172-31-14-92 centos]# openssl asn1parse -in client_07.key
0:d=0 hl=4 l=1294 cons: SEQUENCE
4:d=1 hl=2 l= 64 cons: SEQUENCE
6:d=2 hl=2 l= 9 prim: OBJECT BES2
17:d=2 hl=2 l= 51 cons: SEQUENCE
19:d=3 hl=2 l= 27 cons: SEQUENCE
21:d=4 hl=2 l= 9 prim: OBJECT BKDF2
32:d=4 hl=2 l= 14 cons: SEQUENCE
34:d=5 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:12700371E88C41C2
44:d=5 hl=2 l= 2 prim: INTEGER :0800
48:d=3 hl=2 l= 20 cons: SEQUENCE
50:d=4 hl=2 l= 8 prim: OBJECT :des-ede3-cbc
After my manipulations, the algorithms coincided. But there was another mistake.
2017-06-25 23:01:56 Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL — Processing of the Certificate handshake message failed
I ask to help with the decision of the given problem.
-
-
Steveocee
Forum Guru
- Posts: 1120
- Joined: Tue Jul 21, 2015 10:09 pm
- Location: UK
- Contact:
Re: Openvpn does not work on the iphone.
- #2
Mon Jun 26, 2017 3:38 pm
I was under the impression iOS only used L2TP&IPSEC ?
-
-
Alexandr1047
just joined
- Posts: 2
- Joined: Sun Jun 25, 2017 11:09 pm
Topic Author
Re: Openvpn does not work on the iphone.
- #3
Mon Jun 26, 2017 9:45 pm
Openvpn on ios can work too. But only with the certificates that were generated using the utility easyrsa. Staff means mikrotik do not get it. But if you import third-party certificates then certificate revocation does not work. Can anyone tell me with which keys to generate a certificate on the router that it would be compatible with the IPhone.
-
-
MikroTikFan
Member Candidate
- Posts: 203
- Joined: Sat Aug 02, 2014 1:13 am
Re: Openvpn does not work on the iphone.
- #4
Thu Apr 05, 2018 12:18 am
Hi,
I tried to find solution for the same problem Mikrotik OpenVPN with iPhone.
I can’t find out how to fix problem — PKCS5 — Requested encryption or digest alg not available [ERR]
I found only one post on MikroTik forum.
I’m trying to connect to the vpn from my iPhone, but I still can’t get working solution for this.
Same time I’m using same OpenVpn from my MacOS without any problems.
From OpenVpn iPhone app I’m getting following messages :
2018-04-04 22:04:33 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit built on Feb 22 2018 12:39:28
2018-04-04 22:04:33 Frame=512/2048/512 mssfix-ctrl=1250
2018-04-04 22:04:33 EVENT: CORE_ERROR mbed TLS: error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
2018-04-04 22:04:33 Raw stats on disconnect:
2018-04-04 22:04:33 Performance stats on disconnect:
CPU usage (microseconds): 24407
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0
Maybe somebody is using Mikrotik OpenVpn with iPhone sucessfully or can help me to find solution ?
-
-
MikroTikFan
Member Candidate
- Posts: 203
- Joined: Sat Aug 02, 2014 1:13 am
Re: Openvpn does not work on the iphone.
- #5
Sun Apr 15, 2018 10:26 pm
Openvpn on ios can work too. But only with the certificates that were generated using the utility easyrsa. Staff means mikrotik do not get it. But if you import third-party certificates then certificate revocation does not work. Can anyone tell me with which keys to generate a certificate on the router that it would be compatible with the IPhone.
Hi,
I’m raising @Alexandr1047 post to @MikroTik_Team.
I hope that somebody from @MikroTik_Team is also using iPhone and can explain or fix that for us
Thanks in advance !
-
-
merlinogio
just joined
- Posts: 2
- Joined: Mon Sep 12, 2016 9:12 am
Re: Openvpn does not work on the iphone.
- #6
Mon Sep 17, 2018 10:31 am
hi all
same problem
have anyone solved?
thanks
f
-
-
HJV
just joined
- Posts: 2
- Joined: Fri Sep 28, 2018 2:38 pm
Re: Openvpn does not work on Android
- #7
Fri Sep 28, 2018 3:12 pm
I see the same on my Android device.
Connecting to my Mikrotik hAP ac2 does not work any more (firmware 6.43.2) from my Samsung Galaxy S6 phone (Android 7.0, using the official ‘OpenVPN Connect — Fast & Safe SSL VPN Client’ from the Google Store). Connecting from a Windows10 computer works fine.
No error messages, just a lot of ‘TCP connection established’ messages in the Mikrotik logfile.
It did work in the past (about a month ago, so before the update to 6.43.x)
Modification 2018-10-22:
I found another Android OpenVPN app, which gave me much more, and much more detailed, errorlogging («OpenVPN Client Free»). Using this app I could pinpoint a certificate error. Now I can connect using both Windows 10 and Android 7.0.
So looking back it was not a MikroTik software problem, although the absence of detailed error logging on the MikroTik hAP ac2 made solving this problem rather complex.
-
-
sigmasquared
just joined
- Posts: 24
- Joined: Tue Sep 04, 2012 2:55 pm
- Location: South Africa
Re: Openvpn does not work on the iphone.
- #8
Sun Dec 30, 2018 4:07 pm
Been trying to get this working most of the afternoon, have made some progress but getting a different error.
How I made progress:
Export the client certificate from the Mikrotik as a PKCS12 cert instead of PEM. In your .ovpn file, instead of the
cert cert_export_client1.crt
key cert_export_client1.key
directives, you replace them with:
pkcs12 cert_export_client1.p12
I have left the <ca> block in my ovpn with the cert in there.
The problem I’m having now is I have a connection on the Mikrotik from the iOS device, but in the OVPN client on the phone it states
TCP recv EOF
Transport Error: Transport error on ‘[my host]’ NETWORK_EOF_ERROR
If a fresh pair of eyes can help here it’d be great.
-
-
sigmasquared
just joined
- Posts: 24
- Joined: Tue Sep 04, 2012 2:55 pm
- Location: South Africa
Re: Openvpn does not work on the iphone.
- #10
Sun Dec 30, 2018 4:53 pm
And after a whole afternoon of battling it would appear that I accidentally disabled the secret on the Mikrotik which was the cause of my connection resets.
OpenVPN now working. Steps taken:
1. Export client certificate as PKCS on Mikrotik, CA certificate as PEM.
2. Create .ovpn file with CA cert embedded inline — example of mine below
dev tun
proto tcp-client
remote my.domain.com
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
ping 15
ping-restart 45
ping-timer-rem
auth-user-pass auth.cfg
auth-nocache
<ca>
-----BEGIN CERTIFICATE-----
[your CA cert here]
-----END CERTIFICATE-----
</ca>
pkcs12 cert_export_client1.ovpn12
3. Import .p12 certificate via Mail app into iPhone Keychain (as per iOS article posted above — though I don’t feel this is necessary as even without this step the VPN works)
4. Copy the .p12 to a .ovpn12 file as per the article again.
5. Import certs (.ovpn12), auth.cfg and ovpn file in iTunes for OpenVPN
6. Import certificate in OpenVPN app
7. Import profile in OpenVPN app and assign certificate (ovpn12)
8. Connect