Topic: Help with OpenVPN TLS error
HerbalLizard
Posts: 3173
Location: Queenstown, New Zealand
I am ripping my hair out with this

CC box running self-signed CAs

OpenVPN client

Tue Sep 29 12:55:43 2009: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Sep 29 12:55:43 2009: LZO compression initialized
Tue Sep 29 12:55:43 2009: UDPv4 link local: [undef]
Tue Sep 29 12:55:43 2009: UDPv4 link remote: xxx,xxx,xxx,xxx:1194
Tue Sep 29 12:56:44 2009: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Sep 29 12:56:44 2009: TLS Error: TLS handshake failed

Port forwarding has been set up on the router, forwarding 1194 UDP to the server at 192.168.0.10

Any idea why key negotiation fails, or do I need to pull the ta.key (TLS auth key) from somewhere and drop it into the xtra's config?

I can ping the external address, but I have disabled telnet and added VPN passthrough.

Anyone?
TicMan
Posts: 5119
Location: Melbourne, Victoria
Try port forwarding both TCP & UDP maybe?
tequila
Posts: 3388
Location: Brisbane, Queensland
Yeah, you need 1194/tcp as well.
HerbalLizard
Posts: 3175
Location: Queenstown, New Zealand
Forward both still as they put it (Beached as bro)
tequila
Posts: 3390
Location: Brisbane, Queensland
PM me your external IP and I'll nmap it if you like.
I could also try and connect with a fake account + tcpdump the traffic.
Jim
Posts: 10409
Location: Brisbane, Queensland
There's no point forwarding TCP if you're running a UDP server, and vice versa if you're running TCP - it'll only listen on whichever of the two you specify.

netstat -lnp | grep 1194 to confirm


Can you run a packet sniffer on the router and look at what's going on? What does tcpdump on the server show?
HerbalLizard
Posts: 3176
Location: Queenstown, New Zealand
Zenmap is reporting the port as closed; mother f***er, I swear that the port was open. So it looks like the issue lies with the modem port forwarding not working. Going to stick with the UDP forward only. I have, however, noticed an open proxy running on the CC, which I am sure the client is unaware of.
TicMan
Posts: 5126
Location: Melbourne, Victoria
Is your CC box allowing those UDP connections? If you have a shell, do this:

lsof -i udp:1194
iptables -L

And paste results back.
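The checks Jim and TicMan ask for above (`netstat -lnp | grep 1194`, `iptables -L`) answer two separate questions: which protocol OpenVPN is actually bound to, and whether the server's own firewall would drop the packets even when the router forwards them. The following script is an added example, not code from the thread: it interprets constructed sample output of `netstat -lnp` and `iptables -L -n` (the two samples are made up for illustration, including the squid listener) and reports which protocol to forward and whether the INPUT chain would drop udp/1194. It examines only the target, protocol and `dpt:` match of each rule; source/destination restrictions and other match extensions are ignored, and a jump to a user-defined chain is conservatively reported as blocking.

```shell
#!/bin/sh
# Added example (not from the thread): interpret the server-side checks
# suggested above. `netstat -lnp` shows which protocol OpenVPN is bound to;
# `iptables -L -n` shows whether the INPUT chain would drop udp/1194.
# Both sample outputs below are constructed for illustration.

PORT=1194

# Constructed `netstat -lnp` output: OpenVPN bound to UDP only, so a TCP
# forward on the router would achieve nothing. The 3128 listener is the kind
# of thing the thread's "open proxy" remark refers to.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      901/squid
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           1203/openvpn'

# Constructed `iptables -L -n` output: INPUT policy DROP and no rule for udp/1194.
SAMPLE_IPTABLES_BAD='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# The same chain after an ACCEPT rule for udp/1194 has been added (constructed).
SAMPLE_IPTABLES_OK='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1194

Chain FORWARD (policy DROP)
target     prot opt source               destination'

# listener_proto NETSTAT_OUTPUT PORT -> prints the protocol(s) bound to PORT
listener_proto() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^(tcp|udp)/ && $4 ~ (":" p "$") { print $1 }'
}

# udp_port_allowed IPTABLES_OUTPUT PORT -> exit 0 if the INPUT chain accepts
# udp/PORT, 1 if a DROP/REJECT rule, a jump to another chain, or a DROP policy
# would stop it. Simplification: only target, protocol and dpt: are examined.
udp_port_allowed() {
    printf '%s\n' "$1" | awk -v p="$2" '
        BEGIN { dptre = "dpt:" p "([^0-9]|$)" }
        /^Chain INPUT/ { in_input = 1; policy = $4; sub(/\)/, "", policy); next }
        /^Chain /      { in_input = 0 }
        in_input && ($2 == "udp" || $2 == "all") && (NF == 5 || $0 ~ dptre) {
            verdict = $1; exit          # first matching rule wins, as in iptables
        }
        END {
            if (verdict == "") verdict = policy   # no rule matched: policy applies
            if (verdict == "ACCEPT") exit 0
            exit 1
        }'
}

# report NETSTAT_OUTPUT IPTABLES_OUTPUT -> human-readable summary
report() {
    proto=$(listener_proto "$1" "$PORT")
    if [ -z "$proto" ]; then
        echo "nothing is listening on port $PORT: check the server config and that openvpn is running"
    else
        echo "openvpn listens on $proto/$PORT: forward $proto/$PORT on the router (the other protocol does nothing)"
    fi
    if udp_port_allowed "$2" "$PORT"; then
        echo "INPUT chain accepts udp/$PORT"
    else
        echo "INPUT chain would drop udp/$PORT: add 'iptables -I INPUT -p udp --dport $PORT -j ACCEPT'"
    fi
}

report "$SAMPLE_NETSTAT" "$SAMPLE_IPTABLES_BAD"
echo ---
report "$SAMPLE_NETSTAT" "$SAMPLE_IPTABLES_OK"
```

On a real box, replace the two sample strings with `"$(netstat -lnp 2>/dev/null)"` and `"$(iptables -L -n)"`; `lsof -i udp:1194` answers the same question as the netstat check and can be substituted if netstat is missing.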
HerbalLizard
Posts: 3179
Location: Queenstown, New Zealand
TicMan, PM sent of the SSH dump; looks like the chain has 1194 dropped in the policy.

Also, can't for the life of me figure out how to create a tls.auth cert and produce the server config via SSH. It's late and I am really f***ing tired.

last edited by HerbalLizard at 20:20:58 29/Sep/09
$ack
Posts: 877
Location: Brisbane, Queensland
Came across this error recently

The fix was downloading and adding the CA cert into the OpenVPN config:

ca ca.crt

EDIT: on the client obviously.

last edited by $ack at 23:21:46 29/Sep/09
HerbalLizard
Posts: 3182
Location: Queenstown, New Zealand
Fixed; the issue was with DNS, so manually specifying the IP in the client.
HerbalLizard
Posts: 3183
Location: Queenstown, New Zealand
The issue was that the easy-rsa script was spitting out the wrong DNS name but had the correct name in the openvpn conf file. Changed the conf file to a manual IP and hey presto.

Going to change the internal subnets to something other than the common range to make road warrior use easier
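The thread turned on three client-side details: $ack's missing `ca ca.crt` line, the protocol/port the router has to forward (which must match `proto` and `remote` in the client config), and a `remote` hostname that did not resolve to the server. The script below is an added example, not code from the thread or from OpenVPN, that checks a client config for those points. Both configs it reads are constructed; `vpn.example.invalid` is a placeholder hostname and 203.0.113.10 is a documentation address. It assumes the OpenVPN defaults of UDP and port 1194 when the config omits them.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check an OpenVPN client config
# for the points this thread turned on: a `ca` directive so the client can
# verify the server, the proto/port the router must forward, and a `remote`
# given as a hostname that may not resolve to the server.
# Both configs below are constructed; 203.0.113.10 is a documentation address.

SAMPLE_CLIENT_CONF='client
dev tun
proto udp
remote vpn.example.invalid 1194
cert client.crt
key client.key
comp-lzo
verb 3'

SAMPLE_FIXED_CONF='client
dev tun
proto udp
remote 203.0.113.10 1194
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3'

# directive CONF NAME -> prints the value of the first NAME line, or nothing
directive() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $1 == n { sub("^" n "[ \t]+", ""); print; exit }'
}

# required_forward CONF -> "proto/port" the router has to forward for this client
required_forward() {
    proto=$(directive "$1" proto)
    [ -n "$proto" ] || proto=udp            # OpenVPN default when proto is absent
    port=$(directive "$1" remote | awk '{ if ($2 != "") print $2; else print 1194 }')
    [ -n "$port" ] || port=1194             # no remote line at all
    echo "${proto%-client}/$port"           # tcp-client is forwarded as plain tcp
}

# check_client_conf CONF -> prints one finding per line; exit status = number of findings
check_client_conf() {
    n=0
    remote=$(directive "$1" remote)
    host=${remote%% *}
    if [ -z "$host" ]; then
        echo "no remote directive"
        n=$((n + 1))
    elif ! printf '%s\n' "$host" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
        echo "remote '$host' is a hostname: confirm it resolves to the server's external IP, or use the IP literal"
        n=$((n + 1))
    fi
    if [ -z "$(directive "$1" ca)" ]; then
        echo "no ca directive: the client cannot verify the server certificate (add 'ca ca.crt' and ship ca.crt)"
        n=$((n + 1))
    fi
    return $n
}

for conf in "$SAMPLE_CLIENT_CONF" "$SAMPLE_FIXED_CONF"; do
    echo "router must forward: $(required_forward "$conf")"
    if check_client_conf "$conf"; then
        echo "no findings"
    fi
    echo ---
done
```

Run it against a real file with `check_client_conf "$(cat client.ovpn)"`. A `tls-auth ta.key` line, if you add one, needs the same `ta.key` on server and client, which is what the earlier question about ta.key was getting at.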
© Copyright 2001-2026 AusGamers Pty Ltd. ACN 093 772 242.