newbie at openvpn

bigcid10

Hello,
I'm trying to finagle my way through this OpenVPN server setup in my router (RT-AC88U 380.65-merlin)
I did the default general way of setting it up
I exported my config file to the openvpn 2.4 config directory
I'm just getting my feet wet with this stuff
when openvpn starts up it won't connect
system log says this

Feb 5 10:01:00 openvpn[991]: 192.168.1.238 TLS: Initial packet from [AF_INET6]::ffff:192.168.1.238:61930, sid=ded775b6 b02a6b06
Feb 5 10:02:00 openvpn[991]: 192.168.1.238 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 5 10:02:00 openvpn[991]: 192.168.1.238 TLS Error: TLS handshake failed

I need some help, can someone assist me?
also do I have to set up the openvpn client tab in the router as well?
Thank you

oh, 1 more thing
I can connect to it with my phone for some odd reason
 
OpenVPN Client is something else. So, no, forget about OpenVPN Client; it has no relevance here.

You can connect with your 'phone. That shows (well, I think it does) that everything is working correctly on your router. By the way, Android 'phone or iOS?

Now, the fact that you said it works ok on your 'phone, leads me to ask which device is failing to connect properly? Is it a Windows device? If it is, did you open OpenVPN on it as an administrator?
 
Android phone
the problem is on the Windows side
yes, I opened it as administrator
 
Could it be a problem with Windows firewall? Might it be worth turning Windows firewall off temporarily to see if that is the problem?
 
when I try and connect with the Windows client, the router sees the network address in the running list
of clients but doesn't give it a virtual address
it also says disconnected
in the log it says tls handshake error

Ok, I turned off the Windows firewall
and it connected.
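
The symptom in this thread (first packet logged, then a 60-second timeout) can be picked out of the server log automatically. The following is an added example, not part of any poster's message: the first three log lines are the excerpt from the thread, the last two lines and the function names are constructed for illustration.

```python
import re

# The first three lines are the log excerpt posted in the thread. The last two
# are constructed for this example: a second client whose handshake completes.
SAMPLE_LOG = """\
Feb 5 10:01:00 openvpn[991]: 192.168.1.238 TLS: Initial packet from [AF_INET6]::ffff:192.168.1.238:61930, sid=ded775b6 b02a6b06
Feb 5 10:02:00 openvpn[991]: 192.168.1.238 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 5 10:02:00 openvpn[991]: 192.168.1.238 TLS Error: TLS handshake failed
Feb 5 10:03:10 openvpn[991]: 192.168.1.50 TLS: Initial packet from [AF_INET6]::ffff:192.168.1.50:40211, sid=0a1b2c3d 4e5f6071
Feb 5 10:03:11 openvpn[991]: 192.168.1.50 [client] Peer Connection Initiated with [AF_INET6]::ffff:192.168.1.50:40211
"""

# Syslog prefix, then the peer address OpenVPN prints before each message.
LINE = re.compile(
    r"openvpn\[\d+\]: (?P<peer>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? (?P<msg>.*)$"
)


def classify_peers(log_text):
    """Map each peer IP to the last handshake state seen for it."""
    state = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        peer, msg = m["peer"], m["msg"]
        if msg.startswith("TLS: Initial packet from"):
            state[peer] = "handshake_started"
        elif "TLS key negotiation failed to occur" in msg:
            state[peer] = "handshake_timeout"
        elif "Peer Connection Initiated" in msg:
            state[peer] = "connected"
    return state


def blocked_path_suspects(log_text):
    """Peers whose first packet arrived but whose handshake then timed out.

    The server heard the client, so the server address and port are reachable;
    what is missing is the rest of the exchange, which points at filtering on
    the return path or on the client itself.
    """
    return sorted(p for p, s in classify_peers(log_text).items()
                  if s == "handshake_timeout")


if __name__ == "__main__":
    for peer, s in classify_peers(SAMPLE_LOG).items():
        print(f"{peer}: {s}")
    print("check client-side firewall for:", blocked_path_suspects(SAMPLE_LOG))
```
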
 
I have a ddns address, is there a way to connect to my PC from outside the local network?
BTW, thank you for all your help with this
 
So the Windows firewall was responsible for the failure to connect; is that an easy fix then, e.g. allowing OpenVPN in an outbound rule? (And why didn't that happen automatically, unless you blocked it at some stage?)

As to your question:

when you say connect to your PC, could you be more specific ie what do you want to do? But that aside for the moment, couldn't you use a remote access program such as Teamviewer or GoToMyPC to do whatever it is you want to do?
 
I don't know why it was blocked but I just made a rule allowing it so that solved that problem
Thank you

realistically I don't need this vpn connection for me
I was learning how to set one up for someone else and figured I would do it on my own router/PC
first, and yes I agree things like teamviewer are simpler to use
but he asked me for help but I hadn't done this before, so I figure no
better time to learn is now
but I would like to know how to remotely connect as well though
with this type of connection

one last question:
wouldn't it be better to use tap instead of tunnel as far as simplifying the networking
1 instead of 2 networks? I don't know, I'm asking you
thank you for all your help!
 
I'm pleased I was of some help to you. I'm no expert in this field, but I do remember Merlin replying once to a similar question and it went something like: if you don't know the difference between tap and tun, then you need tun. Tap is for a fairly specific networking situation, and for most people, tun is what is required. (Time I refreshed my memory on the specific difference between the two!)


As for your other general question regarding remote connections, I have used ssh to connect remotely to my router, my digital video recorder and a Raspberry Pi; like you, I was doing it to learn about such things, but since the recent scare with a couple (6?) hacked routers, I learned that it wasn't such a good idea to have ssh exposed to the WAN on my router, so I closed it down. Nevertheless, ssh is possibly another way of doing it (for which your DDNS address would come in handy).
 
OK,
I figured out how to access my PC remotely using the vpn via ddns
now I just have to see about getting ipv6 enabled if possible
I feel better now for the moment
Thank you
 
Out of pure interest, could you explain, as an overview, what you did? And when you say you can access your PC, have you got full control of it (through enabling Remote Access)?
 
I haven't tried getting full control yet, just file and folder stuff (like ftp)
but full control is next
as far as how,
I changed the port to 1197 from 1194
for some odd reason 1194 wouldn't let me connect
once I connected to it with my ddns (on cellular)
then on my phone (htc 10) I used a file manager
and used the vpn IP (10.8.xx) with U/P and it connected
Thanks, I will let you know when I can get full remote access
 
I'm impressed, but you'll have to forgive me for sounding a bit dim i.e. being a bit dim, but I'm not sure where your DDNS address fits in: if you connect remotely to your home network via OpenVPN from your cellular 'phone, is it not then identical to being back inside your house on your home network, ftp'ing into your PC from another device in the house? How does the DDNS address fit into the picture?

EDIT: yes, I was being dim: the DDNS address is required otherwise the client has no way of knowing where home is. That's what happens when you set things up and, thereafter, just click: you forget about what's really going on "under the hood".
 
Tunnel is better unless you need tap.

Tap gives you an address on the same network as the server and Layer2 networking; it acts like a switch. Tun gives you an address on a different network from the server and Layer3 networking; it acts like a router. So:

Lots of traffic at Layer2, generally, that probably generates unnecessary traffic over the vpn tunnel. Some devices need that layer2 traffic to talk to one another, specifically bonjour stuff like two TIVOs sending stuff to one another. (and, I've found, they need TCP not UDP, which slows it down more).

Android phones can't do TAP without root; they need Tun. RDP can do either. But if you are on a cellular connection (metered), you don't want TAP.

And as you've seen, the point of DDNS is that your openvpn cfg works even if your ISP changes your routable IP address.
 
Thank you, I'm happy and will continue with this
 
Ok, I'm excited now!
I was able to rdc into my desktop PC from my phone through my vpn today
using the MS rdc app using cellular as my connection
then achieved the same thing on a laptop using the same program and having the
internet connection set as xfinity hotspot instead of my home network
worked like a champ. just had to change the rdc gateway to my ddns address
not that difficult
:D
 
Good. So do two more things. First, be sure you set the TUN to redirect internet traffic. That way, with public wifi your traffic goes down the tunnel and out from your home router, and can't be sniffed by others in the area. Second, set your home PC to sleep, and your router to WOL it, and put a shortcut on the laptop's desktop to the WOL page and save the RDC to your laptop's desktop. That way, you can form the VPN connection, wake up the desktop from the WOL page, and then RDC to the desktop. You save a lot on electricity, and your laptop can be a wimpy little thing you get for $129.

Not sure the point of doing RDC over cellular from your phone, but if you are away from a hotspot, you can tether the phone to the laptop and connect the laptop over cellular. If you are on a metered connection, change the RDC settings to scale way back on the color depth and save that as a second RDC file on your laptop's desktop. That will cut a yuge amount of data use.
 
