R9000 with Voxel's Custom firmware Unable to connect via TUN

[peteyg82]

I'm continuing on from over here -> https://www.snbforums.com/threads/custom-firmware-build-for-r9000-r8900-v-1-0-4-74hf.90228/

I downgraded back to firmware version 1.0.2.44HF checked the scripts and they were the older ones.
To have a clean slate I went back and updated firmware back to 1.0.4.74HF.

root@R9000:/$ ps | grep openvpn
7972 root 3176 S /usr/sbin/openvpn /tmp/openvpn/server_tap.conf
7973 root 3216 S /usr/sbin/openvpn /tmp/openvpn/server_tun.conf
17906 root 360 S grep openvpn

The server config file:
root@R9000:/$ cat /tmp/openvpn/server_tun.conf
dh /tmp/openvpn/dh1024.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/server.crt
key /tmp/openvpn/server.key
server 10.0.1.0 255.255.255.0
dev tun0
proto tcp4
port 12973
keepalive 10 120
verb 3
mute 5
log-append /tmp/openvpn_tun_log
writepid /tmp/openvpnd_tun.pid
status /tmp/openvpnd_tun.status
mtu-disc yes
topology subnet
script-security 2
cipher CHACHA20-POLY1305
data-ciphers CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
auth sha1
client-to-client
duplicate-cn
compress lz4-v2
push "compress lz4-v2"
# fast-io
push "dhcp-option DNS 10.0.0.1"
client-connect "/tmp/openvpn/push_routing_rule tun"
sndbuf 0
rcvbuf 0
push "sndbuf 0"
push "rcvbuf 0"

I'm not getting the TLS handshake error. Now the connection is just purely timing out. Port scan of the 12973 port that is tun0 device on the router is showing filtered. Port 12974 tap device showing open. I have no problem connecting to the VPN via tap from my laptop. But phone will not connect via tun and the new updated tun version of OPENVPN for windows will not connect either.

 

[Voxel]

dev tun0
proto tcp4
port 12973

All of the past server and client configs you have posted have indicated the use of the UDP protocol. Now you have switched the server to the TCP protocol. You haven't posted the client config, but I'm guessing your client config continues to use the UDP protocol....

If the server and client protocols are different, there will be no connection, obviously. Therefore there won't even be any handshake.

P.S. Add more care and accuracy to your activity. I've already wasted a lot of time because of basic carelessness on your part.

Voxel.

 

[peteyg82]

I understand your frustration, undoubtedly. I certainly downloaded the new config. The certificates have been regenerated.

This is the config downloaded.

client
dev tun
proto tcp4
remote fudgie.myvnc.com 12973
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>
cipher CHACHA20-POLY1305
data-ciphers CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
compress lz4-v2
verb 5

Nothing has been touched in the custom scripts after resetting and downgrading and upgrading the firmware. Purely back to square one as when the problem first presented itself.

 

[Ripshod]

Are you testing over LAN or over the internet? You've previously mentioned the laptop, which would usually imply LAN.

 

[Voxel]

Ok, your configs look fine now.

I don't really understand what you have going on, but I do know that I can connect both UDP and TCP to my R9000 remotely via TUN (on port 12973). Both: from my iPhone and from my laptop. I have tested this repeatedly. So I believe all is well with the OpenVPN server in my firmware. This is some local problem of yours, not related to the firmware but to your environment.

That said, I see that for my R9000 TCP port 12973 is available for external connection. You have in your router/server fudgie.myvnc.com TCP port 12973 completely closed to outside access. I verified this by telnetting to your address with that port.

Are you using any custom iptables rules? Do you have Port Forwarding set for 12973 in your router settings? Is your ISP blocking access to your router/server? Do you have any additional firewall devices on your network? Are you even able to log into your router from the outside using SSH or RemoteAccess or anything else? You need to clarify this and make it clear.

Run two commands in your router:

iptables -L -n -v | grep 12973
iptables -L -n -n -v -t nat| grep 12973

The result should look like this:

That is, port 12973 is open to outside access and there are no iptables rules for forwarding it or so.

And it is preferably to answer @Ripshod who wanted to help.

Voxel.

 

[R. Gerrits]

Did you check that dynamic dns is still working?

I.e does fudgie.myvnc.com still resolve to the actual public IP-address that your router has?